Australian Privacy Principle 8 deals with the cross-border disclosure of personal information.
For example if an Australian businesses outsources business processes to an overseas contractor (such as a cloud service provider) which involves disclosure of its customers’ data the Australian business must take such steps as are reasonable in the circumstances to ensure that the overseas recipient does not breach the Australian Privacy Principles in relation to the information.
Depending on the purpose for which the information is used other APPs may also apply.
The draft APP 8 guidelines discuss the effect of foreign laws:
“where an overseas recipient of personal information does an act or practice that is required by an applicable foreign law, this will not breach the APPs. The APP entity will also not be responsible for the act or practice under the accountability provision…For example, the Patriot Act (USA) may require the overseas recipient to disclose personal information to the Government of the United States of America. In these circumstances, the APP entity would not be responsible under the accountability provision for the disclosure required by that Act…. An APP entity should consider notifying an individual, if applicable, that the overseas recipient may be required to disclose their personal information under a foreign law. The entity could also explain that the disclosure will not breach the APPs. This information could be included in the APP entity’s APP 5 notice.”
With respect to the US Patriot Act Microsoft’s standard explanation is as follows:
“We will not disclose Customer Data to law enforcement unless required by law. Should enforcement contact us with a demand for Customer Data, we will attempt to redirect the law enforcement agency to request it directly from you. As part of this effort we may provide your basic contact information to the agency. If compelled to disclose Customer Data to law enforcement, we will use commercially reasonable efforts to notify you in advance of a disclosure unless legally prohibited.”
If your customers’ information is made available to overseas companies, for example to process purchases or provide technical and billing support, you need to understand where that information will be held, who else will be able to access the information and for what purposes, and what type of security measures will be used for the storage and management of the personal information so that you can tell your customers.
