Rules Mate

APP 8 cross-border disclosure

Before disclosing personal information overseas, APP 8 requires reasonable steps so the recipient meets the APPs — unless an exception applies. Steps and exceptions.

highcurrentongoing

Who must comply

APP entities disclosing personal information overseas (cloud hosting, parent company, vendors).

What triggers it

Sending personal information to an overseas recipient.

When due

Continuous.

Evidence required

Data flow mapping, contractual safeguards (DPA), legal opinion on overseas regime, consent records where relied upon.

Max penalty

Same penalty regime as broader Privacy Act breaches

Summary

APP 8.1 requires entities to take such steps as are reasonable in the circumstances to ensure overseas recipients do not breach the APPs. Section 16C makes the disclosing entity liable for the overseas recipient's acts in some cases. Exceptions include consent, similar laws, and lawful disclosure for permitted general/health situations.

Enforced by

Source legislation

Topics

privacyappcross-border

Related obligations

Frequently asked questions

Who must comply with APP 8 cross-border disclosure?
APP entities disclosing personal information overseas (cloud hosting, parent company, vendors).
What triggers APP 8 cross-border disclosure?
Sending personal information to an overseas recipient.
When is APP 8 cross-border disclosure due?
Continuous.
What is the maximum penalty for APP 8 cross-border disclosure?
Same penalty regime as broader Privacy Act breaches
What evidence is required for APP 8 cross-border disclosure?
Data flow mapping, contractual safeguards (DPA), legal opinion on overseas regime, consent records where relied upon.

Source: https://oaic.gov.au/privacy/australian-privacy-principles/australian-privacy-principles-guidelines/chapter-8-app-8-cross-border-disclosure-of-personal-information. Rules Mate is not a law firm. Always verify against the live regulator source before acting.