APP 8 — cross-border disclosure of personal information
Before disclosing personal information overseas, take reasonable steps to ensure the recipient won't breach the APPs, unless an exception applies.
Who must comply
APP entities disclosing personal information overseas (for example, to cloud hosting providers, a parent company, or vendors).
What triggers it
Sending personal information to an overseas recipient.
When due
Continuous.
Evidence required
Data flow mapping, contractual safeguards (DPA), legal opinion on overseas regime, consent records where relied upon.
Max penalty
Same penalty regime as broader Privacy Act breaches.
Summary
APP 8.1 requires entities to take such steps as are reasonable in the circumstances to ensure overseas recipients do not breach the APPs. Section 16C makes the disclosing entity liable for the overseas recipient's acts in some cases. Exceptions include consent, similar laws, and lawful disclosure for permitted general/health situations.
Source: https://oaic.gov.au/privacy/australian-privacy-principles/australian-privacy-principles-guidelines/chapter-8-app-8-cross-border-disclosure-of-personal-information. Rules Mate is not a law firm. Always verify against the live regulator source before acting.