Identifying requirements for transferring personal data overseas

Different regulatory regimes apply in China, Britain, the European Union and the United States in relation to the transfer of data into and out of those jurisdictions.

China has recently enacted legislation which creates a more restrictive regime around the transfer of certain types of personal information out of its territory.

Britain and the EU present their own issues in that Australian laws are not seen as “substantially equivalent” to the regimes in those jurisdictions. This may potentially hinder the transfer of data to Australia out of those jurisdictions. The introduction of the GDPR on 25 May 2018 will likely throw this disparity into greater relief. This is because the GDPR contains additional measures designed to foster transparent information handling practices and corporate accountability in relation to the collection, storage, processing and handling of personal data.

In the United States, the patchwork of state-based laws means that Australian businesses operating there or otherwise subject to data privacy laws in the US will have to consider the requirements of the particular state(s) or industries in which they conduct business.