What happens if a company based overseas handles my personal information?

In Plain English

If a company based overseas handles your personal information, several things can happen depending on the situation and the type of information involved.

  • Australian Privacy Principles (APPs) still apply in some cases: If an Australian entity discloses your personal information to an overseas recipient, the Australian entity must take reasonable steps to ensure that the overseas recipient does not breach the APPs. In some cases, the Australian entity can be held accountable if the overseas recipient mishandles your information in a way that would breach the APPs.
  • Cross-border data flows: There are exceptions to this accountability, such as when you consent to the disclosure after being informed that the APPs will not apply, or when the disclosure is required by Australian law.
  • Enforcement: It can be tricky to enforce Australian privacy law overseas, but if an Australian entity is involved, you may be able to seek redress from them even if the actual mishandling occurred overseas.

Detailed Explanation

The Privacy Amendment (Enhancing Privacy Protection) Act 2012 and the Privacy Act 1988 outline the rules for handling personal information, including when it's transferred overseas. Here's a breakdown:

  • Australian Link: The Privacy Act 1988 extends to acts done outside of Australia by organizations or small business operators that have an "Australian link." This includes Australian citizens, permanent residents, partnerships formed in Australia, trusts created in Australia, bodies corporate incorporated in Australia, and unincorporated associations with central management and control in Australia (see section 5B of the Privacy Act 1988). It also applies to organizations or small business operators carrying on business in Australia or an external Territory.
  • Australian Privacy Principle 8 (APP 8): This principle deals specifically with cross-border disclosure of personal information. Before an APP entity discloses personal information to an overseas recipient, it must take reasonable steps to ensure that the recipient does not breach the APPs (other than APP 1) in relation to the information (see section 8.1 of the Privacy Amendment (Enhancing Privacy Protection) Act 2012 and the Privacy Act 1988).
  • Accountability: Under section 16C of the Privacy Act 1988, if an APP entity discloses personal information to an overseas recipient and the recipient then does something with that information that would breach the APPs, the APP entity can be held accountable for that breach.
  • Exceptions to APP 8: There are exceptions to the requirement in APP 8.1. For example, it doesn't apply if the entity reasonably believes that the recipient is subject to a law or binding scheme that protects the information in a way that is substantially similar to the APPs, and there are mechanisms to enforce that protection. Another exception is if the entity informs the individual that APP 8.1 will not apply and the individual consents to the disclosure (see section 8.2 of the Privacy Amendment (Enhancing Privacy Protection) Act 2012 and the Privacy Act 1988).
  • Enforcement: While the Privacy Act 1988 has extra-territorial operation, enforcing it against an overseas entity can be challenging. However, if an Australian entity is involved in the disclosure, they can be held responsible for breaches committed by the overseas recipient.
  • Specific Scenarios:
      • Data Breaches: The Privacy Amendment (Notifiable Data Breaches) Act 2017 outlines obligations for entities to notify individuals and the Commissioner about eligible data breaches, even if the breach occurs after information has been transferred overseas.
      • Foreign Influence Transparency Scheme: The Foreign Influence Transparency Scheme Act 2018 requires registration and reporting of certain activities undertaken on behalf of foreign principals, which may involve handling personal information. This scheme also interacts with the Privacy Act 1988.
      • Social Security: The Social Security (International Agreements) Act 1999 includes provisions for data protection when personal data is transferred between countries under social security agreements.