APP 8 cross-border disclosure
Before disclosing personal information overseas, APP 8 requires reasonable steps so the recipient meets the APPs — unless an exception applies. Steps and exceptions.
Who must comply
APP entities disclosing personal information overseas (cloud hosting, parent company, vendors).
What triggers it
Sending personal information to an overseas recipient.
When due
Continuous.
Evidence required
Data flow mapping, contractual safeguards (DPA), legal opinion on overseas regime, consent records where relied upon.
Max penalty
Same penalty regime as broader Privacy Act breaches
Summary
APP 8.1 requires entities to take such steps as are reasonable in the circumstances to ensure overseas recipients do not breach the APPs. Section 16C makes the disclosing entity liable for the overseas recipient's acts in some cases. Exceptions include consent, similar laws, and lawful disclosure for permitted general/health situations.
Enforced by
Source legislation
Topics
Related obligations
- CWLTHAPP 3 collection of sensitive informationAPP 3 bars collecting sensitive information — health, race, religion, sexual orientation and more — without consent. What counts as sensitive, the exceptions and penalties.
- CWLTHPublish a Privacy Policy compliant with APP 1Every APP entity needs a clearly-expressed Privacy Policy covering APP 1.4 requirements.
- CWLTHProvide an APP 5 collection notice at or before collectionAPP 5 requires notice of identity, purposes, recipients, consequences of not providing info, and where Privacy Policy lives.
- CWLTHAPP 12 & APP 13 access and correction requestsIndividuals can ask to access (APP 12) and correct (APP 13) the personal information you hold — the strict response times, allowable refusals and how to comply.
- CWLTHAPP 7 direct marketingAPP 7 restricts using or disclosing personal information for direct marketing and requires a simple opt-out — when it applies, the exceptions and penalties.
- CWLTHAPP 2 — anonymity + pseudonymity for individualsWhere reasonable, individuals must be able to deal with you anonymously or under a pseudonym.
Frequently asked questions
- Who must comply with APP 8 cross-border disclosure?
- APP entities disclosing personal information overseas (cloud hosting, parent company, vendors).
- What triggers APP 8 cross-border disclosure?
- Sending personal information to an overseas recipient.
- When is APP 8 cross-border disclosure due?
- Continuous.
- What is the maximum penalty for APP 8 cross-border disclosure?
- Same penalty regime as broader Privacy Act breaches
- What evidence is required for APP 8 cross-border disclosure?
- Data flow mapping, contractual safeguards (DPA), legal opinion on overseas regime, consent records where relied upon.
Source: https://oaic.gov.au/privacy/australian-privacy-principles/australian-privacy-principles-guidelines/chapter-8-app-8-cross-border-disclosure-of-personal-information. Rules Mate is not a law firm. Always verify against the live regulator source before acting.