Overview: Cross-border transfers of personal data

Understanding personal data

The cross-border transfer of personal data is a complex and evolving area.

In Europe, the commencement in May 2018 of the General Data Protection Regulation (GDPR) ushered in a new era of control and transparency for the greater benefit of data subjects, but with that comes a regulatory and compliance impost on the collectors of personal data.

In Australia, the introduction in February 2018 of the Notifiable Data Breach scheme has some important ramifications for offshoring and outsourcing.

In this group of topics, therefore, we highlight key issues in the current regulatory landscape affecting cross-border transfers of personal data, starting with a consideration of what is meant by the term “personal data”.

Complying with transfer of personal data obligations under Australian law

As a general guide, personal data in Australia may be equated with the definition of “personal information” under the Privacy Act 1988 (Cth) (Privacy Act). The transfer of such data (and its collection) overseas by Australian-based organisations is primarily regulated by the Privacy Act and, within that Act, by the Australian Privacy Principles (APPs). APP 8 — Cross-border disclosure of personal information — is the most relevant in respect of transferring data out of Australia.

Identifying requirements for transferring personal data overseas

Different regulatory regimes apply in China, Britain, the European Union and the United States in relation to the transfer of data into and out of those jurisdictions.

China has recently enacted legislation which creates a more restrictive regime around the transfer of certain types of personal information out of its territory.

Britain and the EU present their own issues in that Australian laws are not seen as “substantially equivalent” to the regimes in those jurisdictions. This may hinder the transfer of data to Australia out of those jurisdictions. The introduction of the GDPR on 25 May 2018 will likely throw this disparity into greater relief, because the GDPR contains additional measures designed to foster transparent information handling practices and corporate accountability in relation to the collection, storage, processing and handling of personal data.

In the United States, the patchwork of state-based laws means that Australian businesses operating there or otherwise subject to data privacy laws in the US will have to consider the requirements of the particular state(s) or industries in which they conduct business.