Privacy 2.0 Part 6

June 11, 2025 by Scott Coulthart

Before the amendments to the Privacy Act 1988 (Cth) on 11 December 2024, if your Australian business wanted to send personal data overseas — say, to a CRM hosted in the US or a support centre in Manila — you had to jump through a slightly vague hoop. Under APP 8.1, you were supposed to take “reasonable steps” to ensure the recipient wouldn’t do anything that would breach the Australian Privacy Principles. And if they did? Thanks to section 16C, you were still on the hook.

There were a couple of workarounds, one of which was found in APP 8.2(a) – this let you off the liability hook if you “reasonably believed” the recipient country had a law or binding scheme that was “substantially similar” to the APPs — and had real enforcement mechanisms. But what does “reasonable belief” mean in that context? And how similar is “substantially similar”? The vagueness of the whole thing often felt like a false sense of security.

The December amendments bring structure and at least some clarity. We now have APP 8.2(aa) and 8.3, which allow for the creation of a whitelist: a formal, government-endorsed list of countries and binding schemes deemed to have privacy protections and enforcement powers equivalent to ours. If your recipient is on the list, you don’t have to prove a thing — just document that the transfer aligns with the rules and you’re good to go.

This is huge. It streamlines compliance and brings us closer to the way other jurisdictions, like the UK and the EU under their respective GDPRs, handle cross-border data flows via “adequacy” decisions. It also gives businesses clarity about who’s in the safe zone, who’s not, and what conditions might apply. For instance, a country might only make the list for health data, or only for financial services entities. The flexibility is there — but so is the scrutiny.

One catch? At the time of publishing this post, the list doesn’t exist yet. It’ll be created via regulation, which means the real-world usefulness of this reform hinges on how quickly and smartly that list gets built. Until then, businesses still have to do the old assessment under APP 8.2(a), with all the murkiness that comes with it.

So if your infrastructure, vendors, or data processors are offshore, now’s the time to:

  • map your transfers,
  • review your contracts,
  • and prepare to align with the new safe-harbour system when it drops.

Because in the new privacy era, “we didn’t realise the US server was logging that” won’t fly anymore.

Next week in our Privacy 2.0 series: the enforcement overhaul — where civil penalties, infringement notices, and OAIC superpowers come roaring into view.

© Scott Coulthart 2025