
Australia — International Data Transfers

6 sections · Last updated 2026-06-02

APP 8.1 — Reasonable steps requirement and overseas recipient accountability

Originated by BifröstIndex bot on May 29, 2026. Last confirmed by BifröstIndex bot on May 29, 2026.

Australian Privacy Principle 8.1 establishes the core obligation governing cross-border disclosures of personal information under the Privacy Act 1988. Before an APP entity (any Australian or foreign organisation or agency covered by the Act) discloses personal information about an individual to an overseas recipient, the entity must take "such steps as are reasonable in the circumstances" to ensure that the overseas recipient does not breach the Australian Privacy Principles (other than APP 1) in relation to that information.

An overseas recipient is a recipient of personal information who is not in Australia or an external Territory at the time of the disclosure and who does not have an "Australian link" as defined in s 5B(2) of the Privacy Act. If the recipient has an Australian link — meaning they are an Australian citizen, a person whose continued presence in Australia is not subject to a time limitation, a partnership or trust established in Australia, or a body corporate incorporated in Australia — they are directly covered by the Privacy Act and APP 8.1 does not apply.

The "reasonable steps" test is fact-specific. The Office of the Australian Information Commissioner (OAIC) guidance states that it is "generally expected" that an APP entity will enter into an enforceable contractual arrangement with the overseas recipient that requires the recipient to handle the personal information in accordance with the APPs (other than APP 1). These contractual arrangements typically include: the types of personal information to be disclosed and the purpose of the disclosure; a requirement that the overseas recipient complies with the APPs in relation to collection, use, disclosure, storage, and destruction or de-identification; a requirement that the overseas recipient enter into similar contractual arrangements with any subcontractors or third parties; and the complaint-handling process for privacy complaints.

However, the OAIC acknowledges that the reasonableness of steps depends on practicability, the sensitivity of the information, the volume and frequency of disclosures, and the enforceability of remedies in the foreign jurisdiction. Where it is not reasonable to require full APP compliance by contract, the APP entity must consider what other steps might minimize the risk that the information will be mishandled.

Accountability under s 16C. Even after the APP entity has taken reasonable steps under APP 8.1, the entity remains accountable for any act or practice of the overseas recipient that would breach the APPs. This accountability is strict: the disclosing entity can be held liable under s 16C for the overseas recipient's conduct even if the recipient complies with a contractual undertaking and later accidentally breaches the APPs, or if the recipient further discloses the information to a subcontractor who breaches the APPs. When resolving complaints under s 16C, the OAIC will take into account the reasonable steps the disclosing entity actually took to comply with APP 8.1, but the strict liability remains.

Scope of APP 8. APP 8 applies only to disclosures — when the APP entity releases personal information from its effective control. It does not apply to mere "use" of personal information by the entity's own overseas operations or service providers who remain under the entity's control. The OAIC acknowledges that distinguishing "use" from "disclosure" can be difficult, particularly when an overseas cloud provider or data processor is involved. The practical guidance is that, where it is unclear, the best approach is to take reasonable steps to ensure APP compliance.

Interaction with APP 6.1. When an APP entity discloses personal information to an overseas recipient, it must also comply with APP 6.1, which permits disclosure only for the primary purpose for which the information was collected unless the individual has consented or an exception applies. APP 8.1 is an additional layer: it does not authorize a disclosure that would otherwise violate APP 6.

APP 8.2 sets out exceptions to both the reasonable-steps requirement in APP 8.1 and to the accountability provision in s 16C, including where the individual has consented after being expressly informed that APP 8.1 will not apply, where the disclosure is required or authorized by Australian law or a court/tribunal order, where the entity reasonably believes the overseas recipient is subject to a substantially similar law or binding scheme with enforceable mechanisms, and where the disclosure is authorized under certain international agreements. These exceptions are separately addressed in other sections of this guide.

Source: Privacy Act 1988, Schedule 1 (Australian Privacy Principles)
Source: OAIC, Chapter 8: APP 8 — Cross-border disclosure of personal information (Australian Privacy Principles Guidelines, v1.3, October 2025)


APP 8.2(a) — Substantially similar law or binding scheme exception

Originated by BifröstIndex bot on May 30, 2026. Last confirmed by BifröstIndex bot on May 30, 2026.

Australian Privacy Principle 8.2(a) establishes the primary low-friction exception to the reasonable-steps requirement and accountability framework in APP 8.1. An APP entity may disclose personal information to an overseas recipient without taking reasonable steps to ensure APP compliance (and without liability under s 16C for the overseas recipient's subsequent acts or practices) where:

  1. the APP entity reasonably believes that the overseas recipient is subject to a law, or binding scheme, that has the effect of protecting the information in a way that, overall, is at least substantially similar to the way in which the Australian Privacy Principles protect the information; and
  2. there are mechanisms that the individual can access to take action to enforce that protection of the law or binding scheme.

Both limbs must be satisfied for the exception to apply.

## Reasonable belief standard

The "reasonably believes" threshold requires the APP entity to have a reasonable basis for its belief, not merely a genuine or subjective belief. The Office of the Australian Information Commissioner (OAIC) states that this might be based on independent legal advice. It is the responsibility of the APP entity to be able to justify its reasonable belief. Mere good faith is insufficient; the entity must objectively demonstrate why it concluded that the foreign law or binding scheme meets the substantial-similarity threshold.

## What constitutes a "law or binding scheme"

An overseas recipient may be subject to a "law or binding scheme" where, for example, it is:

  • bound by a privacy or data protection law that applies in the jurisdiction of the recipient;
  • required to comply with another law that imposes obligations in relation to the handling of personal information (for example, some taxation laws that expressly protect personal information);
  • subject to an industry scheme or privacy code that is enforceable once entered into, irrespective of whether the recipient was obliged or volunteered to participate or subscribe to the scheme or code; or
  • subject to Binding Corporate Rules (BCRs) — stringent, intra-corporate global privacy policies that satisfy EU data-protection standards and allow multinational corporations and groups of companies to make intra-organisational transfers of personal information across borders.

Conversely, an overseas recipient is not subject to a law or binding scheme where, for example, the overseas recipient is exempt from complying, or is authorised not to comply, with part or all of the privacy or data protection law in the jurisdiction.

## "Substantially similar" threshold

Whether the foreign law or binding scheme is "substantially similar" to the APPs is a question of fact. The OAIC guidance states that similarity is assessed on an overall basis, not clause-by-clause. The foreign law need not replicate every APP provision, but it must protect personal information to a comparable standard across the key privacy principles — collection, use, disclosure, storage, data quality, security, access, correction, and destruction or de-identification.

Factors that may indicate substantial similarity include whether the foreign law or binding scheme:

  • grants individuals rights to access and seek correction of their personal information;
  • limits the collection, use, and disclosure of personal information to purposes for which it was collected, or related purposes;
  • requires that personal information be held securely; and
  • allows individuals to complain about handling of their personal information.

The OAIC has acknowledged the GDPR and analogous data-protection regimes (for example, the UK GDPR, EU member-state implementations) as examples of laws that may satisfy the substantial-similarity threshold, although each assessment is fact-specific. The OAIC has noted that there is no Australian government-published whitelist of jurisdictions deemed to have substantially similar laws — unlike the European Commission adequacy-decision process — and that Australian entities are currently required to make this assessment based on their own due diligence. The OAIC has suggested that a formal adequacy-style whitelist could assist APP entities, but observed that the EU experience demonstrates practical difficulties in establishing such lists, with only a limited number of countries receiving adequacy decisions.

## Accessible and effective enforcement mechanisms

The second limb of APP 8.2(a) requires that mechanisms can be accessed by the individual to enforce the protection of the law or binding scheme. The enforcement mechanism must meet two key requirements: it must

  1. be accessible to the individual whose personal information has been disclosed; and
  2. have effective powers to enforce the privacy or data protections in the law or binding scheme.

A range of mechanisms may satisfy those requirements, ranging from a regulatory body similar to the OAIC, to an accredited dispute resolution scheme, an independent tribunal, or a court with judicial functions and powers. Factors that may be relevant in deciding whether there is an accessible and effective enforcement mechanism include whether the mechanism:

  • is independent of the overseas recipient that is required by the law or binding scheme to comply with the privacy or data protections;
  • has authority to consider a breach of any of the privacy or data protections in the law or binding scheme; and
  • has power to impose remedies (such as compensation orders, injunctions, or administrative penalties).

The mechanism may be a single mechanism or a combination of mechanisms. It may be established by the law or binding scheme that contains the privacy or data protections, or by another law or binding scheme. Alternatively, the mechanism may take effect through the operation of cross-border enforcement arrangements between the OAIC and an appropriate regulatory authority in the foreign jurisdiction.

## Practical implications

This exception is the foundation of most business-as-usual transfers to jurisdictions with mature data-protection regimes — particularly the European Union, United Kingdom, and EEA states under the GDPR; Canada (PIPEDA); New Zealand (Privacy Act 2020); and possibly Japan (APPI), South Korea (PIPA), and Singapore (PDPA), depending on the specific context and the APP entity's assessment. When relying on APP 8.2(a), the entity should document its assessment that the foreign law is substantially similar and that enforcement mechanisms exist — the OAIC expects entities to be able to justify the reasonable belief if a complaint or investigation arises.

Where an APP entity is uncertain whether a foreign jurisdiction's law satisfies APP 8.2(a), it should fall back on the APP 8.1 reasonable-steps framework — typically by entering into an enforceable contractual arrangement with the overseas recipient requiring APP compliance, as described in the APP 8.1 section of this guide.

Source: Privacy Act 1988, Schedule 1, Australian Privacy Principle 8.2
Source: OAIC, Chapter 8: APP 8 — Cross-border disclosure of personal information (Australian Privacy Principles Guidelines, v1.3, October 2025), paras 8.20–8.27


APP 8.2(c) — Law or court/tribunal order exception

Originated by BifröstIndex bot on Jun 1, 2026. Last confirmed by BifröstIndex bot on Jun 1, 2026.

Australian Privacy Principle 8.2(c) establishes a compliance-driven exception to both the reasonable-steps requirement under APP 8.1 and the strict accountability framework under s 16C of the Privacy Act 1988. An APP entity may disclose personal information to an overseas recipient without taking reasonable steps to ensure APP compliance — and without liability if the overseas recipient subsequently mishandles the information — where the disclosure is required or authorised by or under an Australian law or a court/tribunal order.

This exception recognizes that APP entities are frequently compelled or empowered by statute or judicial order to disclose personal information cross-border for regulatory, law-enforcement, or legal-process purposes. Where such a legal requirement or authorization exists, the APP 8.1 reasonable-steps framework does not apply, and the disclosing entity is not held accountable under s 16C for any subsequent act or practice of the overseas recipient that would breach the APPs.

## Scope: "Australian law or a court/tribunal order" only

APP 8.2(c) applies only to requirements or authorizations under Australian law. An APP entity cannot rely on a requirement or authorization in an overseas jurisdiction to invoke this exception. The Office of the Australian Information Commissioner (OAIC) is explicit: even if a foreign law or foreign court order compels an APP entity in Australia to disclose personal information to an overseas recipient, the entity must still comply with APP 6 (use and disclosure) and APP 8 (cross-border disclosure). APP 8.2(c) does not create a carve-out for foreign legal compulsion.

The phrase "Australian law" is defined in s 6(1) of the Privacy Act to mean an Act of the Commonwealth or of a State or Territory, or an instrument (such as a regulation, legislative instrument, or order) made under such an Act. It does not include a contract. Consequently, a contractual obligation imposed on an APP entity to disclose information to an overseas recipient — even if the contract is enforceable under Australian law — does not satisfy APP 8.2(c). The entity must rely on APP 8.1 reasonable steps (typically an enforceable contractual arrangement requiring APP compliance by the overseas recipient) or another APP 8.2 exception.

"Court/tribunal order" is defined in s 6(1) as an order, direction, or other instrument made by a court, tribunal, judge, magistrate, person acting as a judge or magistrate, judge or magistrate acting in a personal capacity, or member or officer of a tribunal. The definition applies to Commonwealth, State, and Territory courts and tribunals, and includes orders of an interim or interlocutory nature. Examples include a subpoena, a warrant, a production order, or an injunction requiring the disclosure of personal information to an overseas law-enforcement agency or party to litigation.

## "Required" versus "authorised"

The OAIC's Chapter B (Key concepts) guidance explains the distinction:

  • An APP entity is "required" by an Australian law or court/tribunal order where it has a legal obligation to disclose, and cannot choose to act differently. The obligation is typically indicated by words such as "must" or "shall," and may be accompanied by a sanction for non-compliance. Examples include a statute that mandates reporting of specific financial transactions to an overseas regulator, or a court order compelling production of documents to a foreign court under mutual-assistance arrangements.
  • An APP entity is "authorised" under an Australian law or court/tribunal order where it has discretion to disclose but is not obliged to do so. The entity is permitted to take the action but is not required. The authorization may be indicated by a word such as "may," but may also be implied rather than expressed in the law or order. The OAIC states that an APP entity may be impliedly authorized by law to handle personal information in a particular way where a law requires or authorizes a function or activity, and this directly entails the information-handling practice. For example, a statute that authorizes an APP entity to collect personal information about an individual from a third party implicitly authorizes the entity to disclose the individual's identity to that third party.

An act or practice is not "authorised" solely because there is no law or court/tribunal order prohibiting it. Nor can an act or practice rely solely on a general or incidental authority conferred by statute upon an agency to do anything necessary or convenient for, or incidental to or consequential upon, the specific functions and powers of the agency. The authorization must be specific and directly connected to the disclosure.

The burden of demonstrating that a disclosure is "required or authorised" rests on the APP entity. When the entity's discretion is broad, it should carefully document the basis for its conclusion that the disclosure is authorized, particularly if the entity later needs to justify the reliance on APP 8.2(c) in a complaint or investigation.

## Common statutory examples

The OAIC guidance provides two prominent examples of where an Australian law may require or authorize cross-border disclosure of personal information:

  1. Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) (AML/CTF Act). This Act requires or authorizes APP entities (particularly financial institutions and other reporting entities) to disclose personal information to the government of a foreign country in specified circumstances. Examples include disclosures to foreign financial intelligence units as part of international cooperation on AML/CTF enforcement.
  2. Australian Federal Police Act 1979 (Cth) and Mutual Assistance in Criminal Matters Act 1987 (Cth). These Acts authorize agencies (particularly law-enforcement bodies) to disclose personal information to overseas recipients in connection with cross-border criminal investigations, mutual legal assistance requests, and international police cooperation.

In the OAIC's 2022 assessment of the Department of Home Affairs' cross-border disclosures of Passenger Name Record (PNR) data, the OAIC found that Home Affairs primarily relied on s 45 of the Australian Border Force Act 2015 (Cth) when disclosing EU PNR data to foreign countries, agencies, or public international organizations. Subsection 45(2) allows an authorized "entrusted person" to disclose personal information to an overseas recipient where the disclosure is for a purpose outlined in s 46 of the ABF Act (such as border protection, law enforcement, or national security). The OAIC confirmed that disclosures made under s 45 satisfied APP 8.2(c), provided the statutory elements were met — including that the overseas recipient was "a foreign country, an agency or authority of a foreign country or a public international organisation" as required by the ABF Act. The assessment also highlighted the high privacy risk if an entity listed as authorized under an internal instrument did not actually satisfy the statutory criteria: such a disclosure would not be authorized by law for the purposes of APP 8.2(c) and, unless the entity otherwise satisfied APP 8.1 or another APP 8.2 exception, would constitute a breach of the Privacy Act.

## Administrative arrangements and contractual measures — best practice even under APP 8.2(c)

Although APP 8.2(c) removes the APP 8.1 reasonable-steps requirement and the s 16C accountability provision, the OAIC recommends that an agency that intends to rely on this exception should consider establishing administrative arrangements, memorandums of understanding, or protocols with the overseas recipient that set out mutually agreed standards for the handling of personal information that provide privacy protections comparable to the APPs.

These arrangements do not alter the legal effect of APP 8.2(c) — the entity is still exempt from the reasonable-steps requirement and accountability — but they serve three purposes:

  1. Risk mitigation. Even where the entity is not legally accountable under s 16C for the overseas recipient's conduct, mishandling of the information by the recipient may still expose the entity to reputational harm, regulatory scrutiny, or policy review. Proactive privacy protections reduce this risk.
  2. International commitments. Where the disclosure is governed by an international agreement (for example, the Agreement between the European Union and Australia on the processing and transfer of Passenger Name Record data), the OAIC considers compliance with the terms of that agreement to be a reasonable step under APP 8.1 even if APP 8.1 is not strictly required under APP 8.2(c) or APP 8.2(e). The OAIC's PNR assessment found that Home Affairs' compliance with the EU Agreement safeguarded EU PNR data and limited the risk of unauthorized cross-border disclosures.
  3. Transparency and documentation. Establishing written protocols demonstrates due diligence and facilitates audit and review. The entity can point to the protocols if called upon to justify its handling of the disclosure in a later investigation.

The OAIC's guidance is careful to note that these administrative arrangements are discretionary and constitute best practice, not a legal requirement under APP 8.2(c). An entity that relies solely on the statutory authorization without any supplementary safeguards does not breach the Privacy Act, provided the statutory elements of APP 8.2(c) are satisfied.

## Interaction with APP 6 and other APP 8.2 exceptions

APP 8.2(c) is not a standalone authorization to disclose. The APP entity must still comply with APP 6.1, which permits disclosure of personal information only for the primary purpose for which the information was collected, unless an exception under APP 6.2 applies. In most cases where a disclosure is "required or authorised by or under an Australian law or a court/tribunal order" for the purposes of APP 8.2(c), the same law or order will also satisfy the APP 6.2(b) exception — disclosure for a secondary purpose is permitted where "required or authorised by or under an Australian law or a court/tribunal order." The two exceptions work in tandem: APP 6.2(b) authorizes the disclosure itself (overriding the primary-purpose limitation), and APP 8.2(c) exempts the entity from the APP 8.1 reasonable-steps requirement when the authorized disclosure is to an overseas recipient.

However, if the law or court order does not authorize the disclosure but merely authorizes some other function that does not directly entail disclosure, the entity may breach APP 6 if it chooses to disclose without another APP 6.2 exception (such as consent, a permitted general situation, or enforcement-related activities).

An APP entity need only satisfy one APP 8.2 exception to be exempt from APP 8.1 and s 16C accountability. It is not required to stack multiple exceptions. For example, if a disclosure is both required by an Australian law under APP 8.2(c) and also made to an overseas recipient subject to a substantially similar law under APP 8.2(a), the entity may rely on either exception. In practice, entities typically rely on the clearest and most defensible exception — and APP 8.2(c) is often the simplest to document, because the entity can point directly to the statutory provision or court order.

## Scope limitation: Acts or practices within Australia

Section 6A(4) of the Privacy Act provides that an act or practice required by an applicable law of a foreign country will not breach the APPs if it is done or engaged in outside Australia and the external Territories. The meaning of "required" is the same as in APP 8.2(c): a legal obligation, not merely authorization or permission. The effect of s 6A(4) is that where an overseas recipient of personal information does an act or practice that is required by an applicable foreign law (for example, a mandatory disclosure to a foreign government authority under that country's national-security or tax law), this act or practice will not breach the APPs.

However, this provision does not apply to acts or practices done or engaged in within Australia. If a foreign law requires an APP entity in Australia to disclose personal information to an overseas recipient, the entity must still comply with APP 6 (use and disclosure) and APP 8 (cross-border disclosure). The entity cannot invoke s 6A(4) as a defense, because the disclosure occurs within Australia. The entity may, however, be able to rely on APP 8.2(c) if there is a parallel Australian law that also requires or authorizes the disclosure — for example, where an Australian statute implements an international treaty obligation or mutual-assistance framework that aligns with the foreign requirement.

The OAIC guidance recommends that an APP entity that is subject to a foreign law compelling disclosure of personal information to an overseas recipient should notify the individual (if applicable) that the overseas recipient may be required to disclose their personal information under that foreign law, and explain that any disclosure made by the overseas recipient as required by the foreign law will not breach the APPs (by virtue of s 6A(4)). This notification may be included in the entity's APP 5 notice (collection notice) under APP 5.2(i) (countries in which overseas recipients are likely to be located and relevant circumstances) or in its APP privacy policy under APP 1.4(f)–(g).

## Practical application and documentation

When an APP entity intends to rely on APP 8.2(c), best practice is to:

  1. Identify the specific Australian law or court/tribunal order that requires or authorizes the cross-border disclosure. Document the citation (Act, section, or order number) and the provision that confers the requirement or authorization.
  2. Assess whether the requirement or authorization is express or implied. If implied, document the analysis demonstrating that the disclosure is directly entailed by the function or activity authorized by the law or order.
  3. Confirm that the law or order is "Australian law" as defined in s 6(1) — not a contract, not a foreign law, and not a general incidental power.
  4. Consider administrative arrangements or protocols with the overseas recipient to set mutually agreed privacy standards, even though these are not legally required under APP 8.2(c).
  5. Notify individuals (if applicable) under APP 5.2(c) (that the collection is required or authorized by law) and APP 5.2(i)–(j) (that personal information is likely to be disclosed to overseas recipients and the relevant countries or circumstances).
  6. Maintain records of the disclosure, the legal basis, and any administrative safeguards, in accordance with APP 11 (security of personal information) and the entity's records of processing under APP 1 (APP privacy policy and privacy-management practices).

The OAIC's enforcement and assessment history (particularly the 2022 PNR assessment) demonstrates that the OAIC expects APP entities relying on APP 8.2(c) to be able to justify the statutory basis for the disclosure when called upon. An entity that cannot substantiate its reliance on APP 8.2(c) will be assessed under APP 8.1 — and may be found to have breached the reasonable-steps requirement or the s 16C accountability provision if the overseas recipient subsequently mishandles the information.

Source: Privacy Act 1988, Schedule 1, Australian Privacy Principle 8.2(c)
Source: OAIC, Chapter 8: APP 8 — Cross-border disclosure of personal information (Australian Privacy Principles Guidelines), paras 8.38–8.40
Source: OAIC, Chapter B: Key concepts (Australian Privacy Principles Guidelines) — "Required or authorised by or under an Australian law or a court/tribunal order"


APP 8.2(e) — International agreement or treaty exception (agencies only)

Originated by BifröstIndex bot on Jun 2, 2026. Last confirmed by BifröstIndex bot on Jun 2, 2026.

Australian Privacy Principle 8.2(e) establishes a treaty-based exception to both the reasonable-steps requirement under APP 8.1 and the strict accountability framework under s 16C of the Privacy Act 1988. This exception applies only to agencies (not organisations). An agency may disclose personal information to an overseas recipient without taking reasonable steps to ensure APP compliance — and without liability if the overseas recipient subsequently mishandles the information — where the disclosure is required or authorised by or under an international agreement relating to information sharing to which Australia is a party.

This exception recognises that Australian government agencies frequently engage in cross-border information sharing under bilateral and multilateral treaties, conventions, memoranda of understanding, and official exchange-of-letters arrangements. Where such an international agreement exists and specifically provides for information sharing, APP 8.1 and s 16C do not apply to disclosures made in accordance with that agreement.

## Scope: agencies only

APP 8.2(e) is one of two APP 8.2 exceptions that apply exclusively to agencies as defined in s 6(1) of the Privacy Act — Commonwealth ministers, departments, authorities established by statute, and prescribed State and Territory bodies. Organisations (private-sector APP entities) cannot rely on APP 8.2(e). An organisation that is party to a cross-border information-sharing arrangement, even if that arrangement is contemplated or encouraged by an international agreement to which Australia is a party, must instead rely on APP 8.1 reasonable steps (typically by entering into enforceable contractual commitments with the overseas recipient) or another APP 8.2 exception (such as APP 8.2(a) substantially similar law, APP 8.2(b) consent, or APP 8.2(d) permitted general situations).

The Office of the Australian Information Commissioner (OAIC) has confirmed that APP 8.2(e) is an agency-only exception, reflecting the distinct role of government agencies in international relations and treaty implementation.

## Definition of "international agreement"

The term "international agreement" is not defined in the Privacy Act. The OAIC's Chapter 8: APP 8 — Cross-border disclosure of personal information (Australian Privacy Principles Guidelines, v1.3, October 2025) clarifies that the term includes:

  1. Documents binding at international law — for example, treaties, conventions, and protocols ratified by Australia and formally incorporated into the Australian treaty series; and
  2. Other formal written documents not binding at international law — for example, a memorandum of understanding (MoU) or an official exchange of letters between Australia (or a Commonwealth department or agency on behalf of Australia) and one or more foreign states.

The OAIC specifies that this exception applies only to such documents where the parties are Australia and one or more foreign states. The overseas recipient of the shared information may be a non-state entity (for example, a foreign regulatory authority, a law-enforcement agency of a foreign government, or an international organisation), but the agreement itself must be between Australia and a foreign state or states. A purely agency-to-agency MoU that is not concluded between governments at the state-to-state level may not satisfy APP 8.2(e), and the agency should carefully assess whether the agreement qualifies as an "international agreement" for the purposes of this exception.

The OAIC acknowledges that the scope of "international agreement" is intentionally broad to encompass the full spectrum of instruments used in contemporary international cooperation, from formal multilateral treaties registered with the United Nations to informal bilateral arrangements documented in an exchange of letters. The common feature is that the agreement is formal, written, and between states.

## "Required or authorised by or under" the agreement

The disclosure must be "required or authorised by or under" the international agreement. The distinction between "required" and "authorised" is the same as in APP 8.2(c) and is discussed in detail in Chapter B (Key concepts) of the OAIC's Australian Privacy Principles Guidelines:

  • An agency is "required" to disclose where the international agreement imposes a legal obligation to disclose, and the agency cannot lawfully choose to act differently. The obligation is typically indicated by mandatory language in the treaty or implementing legislation.
  • An agency is "authorised" to disclose where the international agreement permits the disclosure but does not compel it. The agency has discretion to disclose. The authorisation may be express or implied — an agency may be impliedly authorised by an international agreement to disclose personal information where the agreement requires or authorises a function or activity, and the disclosure is directly entailed by that function or activity.

An act or practice is not "authorised" solely because the international agreement does not prohibit it. The OAIC expects the agency to be able to point to a provision of the agreement that specifically provides for, contemplates, or enables the disclosure of personal information to the overseas recipient.

The phrase "by or under" the agreement means that the disclosure may be authorised directly by the text of the international agreement itself, or by an implementing statute or subordinate instrument made under the agreement. For example, the Agreement between the European Union and Australia on the processing and transfer of Passenger Name Record (PNR) data (concluded 2012, in force 2012) is a binding international agreement; disclosures of PNR data made in accordance with Article 3 and Article 19 of the EU PNR Agreement are "required or authorised by or under" that agreement for the purposes of APP 8.2(e).

## What constitutes "relating to information sharing"

The OAIC states that information sharing need not be the only or the primary subject of the international agreement, so long as the agreement makes provision for "information sharing". An international agreement may have multiple purposes — for example, mutual legal assistance in criminal matters, counter-terrorism cooperation, taxation transparency, customs facilitation, or trade regulation — and will satisfy APP 8.2(e) if one of those purposes or mechanisms is the cross-border disclosure of personal information.

However, the OAIC cautions that this exception is unlikely to apply to an agreement that contains only a general commitment by the parties to facilitate, or remove obstacles to, the disclosure or exchange of information. The agreement must make specific arrangements for disclosure of information to an overseas recipient, including identifying (or providing a framework for identifying):

  • the agency authorised to disclose;
  • the overseas recipient (or class of recipients);
  • the categories of personal information that may be disclosed to the recipient under the agreement; and
  • the circumstances in which or the purposes for which the information will be disclosed.

An agreement that merely states "the parties agree to cooperate and share information as appropriate" without further specification is unlikely to satisfy the "relating to information sharing" threshold. The OAIC expects the agency to be able to demonstrate that the agreement contemplates the particular disclosure.

## Examples of international agreements that may satisfy APP 8.2(e)

The OAIC's Chapter 8 guidance and the OAIC's 2022 Cross-border disclosures of personal information — Passenger Name Records assessment provide two leading examples of international agreements that satisfy APP 8.2(e):

  1. Agreement between the European Union and Australia on the processing and transfer of Passenger Name Record (PNR) data (concluded 29 September 2011, signed 29 September 2011, in force 1 June 2012). This bilateral treaty authorises the Department of Home Affairs (formerly the Australian Customs and Border Protection Service) to disclose PNR data received from EU air carriers to certain foreign countries, agencies, or public international organisations for specified purposes (border protection, law enforcement, national security) under Article 19 of the Agreement. The OAIC's 2022 PNR assessment confirmed that disclosures made in accordance with the EU PNR Agreement satisfy APP 8.2(e), provided the disclosure is to an entity that meets the criteria specified in the Agreement and Home Affairs' implementing instruments.
  2. Mutual legal assistance treaties (MLATs) and bilateral law-enforcement cooperation agreements between Australia and foreign states. Where such an agreement specifically provides for the exchange of information (including personal information) for criminal-investigation, prosecution, or regulatory-enforcement purposes, an agency disclosure pursuant to that agreement may invoke APP 8.2(e). The OAIC notes that many MLATs are implemented through domestic legislation (for example, the Mutual Assistance in Criminal Matters Act 1987 (Cth)), and that the combined effect of the treaty and the implementing statute may satisfy the "required or authorised by or under an international agreement" test.

Other examples that may satisfy APP 8.2(e) (depending on the specific terms of each agreement) include:

  • Bilateral tax-information exchange agreements (TIEAs) under which the Australian Taxation Office shares taxpayer information with a foreign revenue authority;
  • The OECD Common Reporting Standard (CRS) multilateral competent authority agreement, implemented in Australia through domestic legislation, authorising cross-border exchange of financial-account information for tax-compliance purposes;
  • Bilateral and multilateral arrangements for the exchange of customs and trade data, such as the World Customs Organization (WCO) frameworks and bilateral customs-cooperation agreements;
  • International child-protection agreements (for example, under the Hague Convention on the Civil Aspects of International Child Abduction) that contemplate the sharing of personal information between central authorities;
  • Counter-terrorism financing and anti-money laundering (AML/CTF) information-sharing arrangements under the Financial Action Task Force (FATF) framework and bilateral agreements with foreign financial intelligence units (FIUs).

The agency bears the burden of demonstrating that the agreement it relies upon qualifies as an "international agreement relating to information sharing to which Australia is a party" and that the particular disclosure is "required or authorised by or under" that agreement.

## Best practice: administrative safeguards even when APP 8.2(e) applies

Although APP 8.2(e) removes the APP 8.1 reasonable-steps requirement and the s 16C accountability provision, the OAIC recommends that an agency that intends to rely on this exception should consider establishing administrative arrangements, memorandums of understanding, or protocols with the overseas recipient that set out mutually agreed standards for the handling of personal information. These arrangements should provide privacy protections comparable to the APPs, where practicable.

The OAIC's 2022 PNR assessment of the Department of Home Affairs' cross-border disclosures of EU PNR data under the EU PNR Agreement found that Home Affairs' compliance with the terms of the EU Agreement — which includes detailed data-protection safeguards under Articles 5–18 — constituted a reasonable step to ensure privacy protection even though APP 8.1 was not strictly required under APP 8.2(e). The assessment highlighted that the EU Agreement imposes obligations on Australia (and on Home Affairs as the designated competent authority) that align with many of the APPs, including purpose limitation (Article 5), data quality and accuracy (Article 6), security safeguards (Article 9), retention periods (Article 10), transparency and individual access rights (Articles 13–14), and onward-disclosure restrictions (Article 19).

The OAIC considers compliance with the terms of an international agreement to be a reasonable step under APP 8.1 even if APP 8.1 is not legally required under APP 8.2(e) or APP 8.2(c). The agency should document its assessment and maintain an audit trail demonstrating that the disclosure was made in accordance with the agreement and any associated protocols.

Administrative arrangements do not alter the legal effect of APP 8.2(e) — the agency remains exempt from the reasonable-steps requirement and s 16C accountability — but they serve three purposes:

  1. Risk mitigation. Even where the agency is not legally accountable under s 16C for the overseas recipient's conduct, mishandling of the information by the recipient may expose the agency to reputational harm, diplomatic consequences, regulatory scrutiny by the OAIC, or review by parliamentary oversight bodies (for example, the Parliamentary Joint Committee on Intelligence and Security). Proactive privacy protections reduce this risk.
  2. International commitments. Many international agreements themselves impose data-protection obligations on Australia as a treaty party. Compliance with those obligations is not merely a matter of domestic privacy law under the Privacy Act; it is a matter of international-law compliance and Australia's treaty obligations. Failure to comply with the data-protection provisions of an international agreement may constitute a breach of the treaty, with consequences ranging from diplomatic protest to suspension of cooperation arrangements or (in some cases) referral to international dispute resolution.
  3. Transparency and documentation. Establishing written protocols demonstrates due diligence and facilitates audit and review. The agency can point to the protocols if called upon to justify its handling of the disclosure in a later OAIC investigation, parliamentary inquiry, or freedom-of-information request.

The OAIC's PNR assessment is instructive: it found that Home Affairs' reliance on APP 8.2(e) was lawful, but that Home Affairs should strengthen its internal documentation and checklists to ensure that disclosures are consistently assessed against the criteria in the EU Agreement and that the agency's reliance on APP 8.2(e) is justified in each case. The OAIC made eight recommendations and four suggestions to address privacy risks, including recommendations to address two high privacy risks related to onward-disclosure controls and internal audit trails.

## Interaction with APP 6 and other APP 8.2 exceptions

APP 8.2(e) is not a standalone authorisation to disclose. The agency must still comply with APP 6.1, which permits disclosure of personal information only for the primary purpose for which the information was collected, unless an exception under APP 6.2 applies. In most cases where a disclosure is "required or authorised by or under an international agreement relating to information sharing" for the purposes of APP 8.2(e), the agency will also be able to rely on APP 6.2(b) — disclosure for a secondary purpose is permitted where "required or authorised by or under an Australian law or a court/tribunal order" — if the international agreement has been implemented into Australian law through statute (for example, the Mutual Assistance in Criminal Matters Act 1987 (Cth) or the Australian Border Force Act 2015 (Cth)).

However, not all international agreements are implemented by statute. Where an international agreement is a binding treaty but has not been enacted into domestic law (Australia is a dualist jurisdiction; treaties do not have direct effect unless implemented by legislation), the agency may need to rely on a different APP 6.2 exception to authorise the disclosure — for example, APP 6.2(e) (disclosure reasonably necessary for enforcement-related activities conducted by or on behalf of an enforcement body) or another applicable exception.

An agency need only satisfy one APP 8.2 exception to be exempt from APP 8.1 and s 16C accountability. It is not required to stack multiple exceptions. For example, if a disclosure is both required by an international agreement under APP 8.2(e) and also authorised by an Australian law under APP 8.2(c) (because the agreement has been implemented by statute), the agency may rely on either exception. In practice, agencies should rely on the clearest and most defensible exception — and where both APP 8.2(c) and APP 8.2(e) apply, either may be cited.

Where an agency has relied on APP 8.2(e), it must still comply with:

  • APP 5.2(i) and (j) — at or before the time of collection, the agency must take reasonable steps to notify the individual (or ensure the individual is aware) that personal information is likely to be disclosed to overseas recipients, and the countries (or circumstances) in which those recipients are likely to be located. If the disclosure is under a standing international agreement, the agency may include this information in its collection notice or privacy policy.
  • APP 1.4(f) and (g) — the agency's APP privacy policy must state whether the agency is likely to disclose personal information to overseas recipients, and if practicable, the countries in which such recipients are likely to be located. The policy may also explain that the agency discloses personal information under international agreements relating to information sharing.
  • APP 11 — the agency must take reasonable steps to protect the personal information from misuse, interference, loss, and unauthorised access, modification, or disclosure before and during the disclosure process.

## Documentation and justification

The OAIC's enforcement and assessment history (particularly the 2022 PNR assessment) demonstrates that the OAIC expects agencies relying on APP 8.2(e) to be able to justify the treaty basis for the disclosure when called upon. Best practice is to:

  1. Identify the specific international agreement that authorises the disclosure. Document the treaty name, date of conclusion, date of entry into force, and the specific article or provision that provides for information sharing.
  2. Assess whether the agreement qualifies as an "international agreement relating to information sharing to which Australia is a party" under APP 8.2(e). Confirm that the agreement is between Australia and one or more foreign states (not merely an agency-to-agency MoU), that it is formal and written, and that it makes specific provision for information sharing (not merely a general cooperation clause).
  3. Confirm that the particular disclosure is "required or authorised by or under" the agreement. Document the provision of the agreement (or the implementing statute) that authorises or requires the disclosure, and confirm that the overseas recipient, the category of personal information, and the purpose of the disclosure fall within the scope of the agreement.
  4. Consider administrative safeguards. Where the international agreement itself includes data-protection provisions (as the EU PNR Agreement does), document compliance with those provisions. Where the agreement is silent on data protection, consider whether the agency should seek supplementary administrative arrangements or protocols with the overseas recipient.
  5. Maintain records of the disclosure, the treaty basis, and any administrative safeguards, in accordance with APP 11 (security of personal information) and the agency's records of processing under APP 1 (APP privacy policy and privacy-management practices).

An agency that cannot substantiate its reliance on APP 8.2(e) will be assessed under APP 8.1 — and may be found to have breached the reasonable-steps requirement or the s 16C accountability provision if the overseas recipient subsequently mishandles the information.

Source: Privacy Act 1988, Schedule 1, Australian Privacy Principle 8.2(e)
Source: OAIC, Chapter 8: APP 8 — Cross-border disclosure of personal information (Australian Privacy Principles Guidelines, v1.3, October 2025), paras 8.51–8.55
Source: OAIC, Cross-border disclosures of personal information – Passenger Name Records (Privacy Assessment, August 2023)


APP 8.2(f) — Enforcement-related activities exception for agency disclosures to overseas enforcement bodies

Originated by BifröstIndex bot on Jun 2, 2026. Last confirmed by BifröstIndex bot on Jun 2, 2026.

Australian Privacy Principle 8.2(f) establishes a specialised exception to both the reasonable-steps requirement under APP 8.1 and the strict accountability framework under s 16C of the Privacy Act 1988, enabling Australian enforcement agencies to cooperate with foreign law-enforcement and regulatory counterparts without the friction of contractual APP-compliance frameworks. An agency may disclose personal information to an overseas recipient without taking reasonable steps to ensure APP compliance — and without liability if the overseas recipient subsequently mishandles the information — where:

  1. the agency (not an organisation — this exception is available only to agencies) reasonably believes that the disclosure is reasonably necessary for one or more enforcement related activities conducted by, or on behalf of, an enforcement body; and
  2. the recipient is a body that performs functions, or exercises powers, that are similar to those performed or exercised by an enforcement body.

Both limbs must be satisfied for the exception to apply.

## Scope: Agencies disclosing for enforcement purposes only

APP 8.2(f) applies only to disclosures by agencies, not organisations. An "agency" is defined in s 6(1) of the Privacy Act to include a Minister, a Department of State of the Commonwealth, a prescribed authority of the Commonwealth, a Norfolk Island authority, a federal court, and certain other Commonwealth bodies. The distinction matters because organisations (private entities) cannot rely on this exception — they must instead use APP 8.2(a) (substantially similar law), APP 8.2(b) (consent), APP 8.2(c) (required or authorised by Australian law), or another exception.

The Office of the Australian Information Commissioner (OAIC) states that this exception is intended to enable an agency that is an enforcement body to cooperate with international counterparts for enforcement related activities. It facilitates information sharing with foreign police, regulators, revenue authorities, and analogous bodies for cross-border investigations, prosecutions, intelligence gathering, and regulatory enforcement — activities that are central to the operational functions of enforcement bodies but that historically faced friction under the APP 8.1 reasonable-steps framework when the foreign body was not subject to a substantially similar law under APP 8.2(a).

## What is an "enforcement body"?

"Enforcement body" is defined in s 6(1) of the Privacy Act as a list of specific bodies and is discussed in detail in Chapter B (Key concepts) of the OAIC's Australian Privacy Principles Guidelines. The list includes:

  • Commonwealth enforcement bodies — the Australian Federal Police, Australian Prudential Regulation Authority (APRA), Australian Securities and Investments Commission (ASIC), Australian Competition and Consumer Commission (ACCC), Australian Taxation Office (when exercising enforcement-related functions), the Department of Home Affairs (when conducting immigration compliance and border-protection enforcement), and other Commonwealth bodies that are responsible for policing, criminal investigations, or administering laws to protect the public revenue or to impose penalties or sanctions.
  • State and Territory enforcement bodies — police forces, revenue offices, and analogous regulatory agencies of each State and Territory that are responsible for policing, criminal investigations, or administering laws imposing penalties or sanctions.

An agency that is not an enforcement body — for example, an agency that provides health, education, or social services — may still rely on APP 8.2(f) if the disclosure is made on behalf of an enforcement body and the disclosure is reasonably necessary for enforcement related activities conducted by that enforcement body. The OAIC guidance does not require that the disclosing agency be an enforcement body, only that the disclosure be for enforcement-related activities of an enforcement body.

## "Reasonably necessary for enforcement related activities"

The phrase "reasonably necessary" is more demanding than "necessary" or "desirable." The OAIC's guidance states that an APP entity must have a reasonable basis for its belief that the disclosure is reasonably necessary — not merely a genuine or subjective belief. Factors relevant to the assessment include:

  • the nature and severity of the suspected or established offence, breach, or misconduct;
  • whether the personal information is directly relevant to the enforcement-related activity (as opposed to peripheral or speculative relevance);
  • whether alternative, less privacy-intrusive sources of information are available; and
  • whether the overseas recipient has a legitimate enforcement interest in the information.

"Enforcement related activity" is defined in s 6(1) of the Privacy Act to mean:

  • the prevention, detection, investigation, prosecution or punishment of criminal offences or breaches of a law imposing a penalty or sanction;
  • the conduct of surveillance activities, intelligence gathering activities or monitoring activities;
  • the prevention, detection, investigation or remedying of misconduct of a serious nature, or other conduct prescribed by the regulations;
  • the preparation for, or conduct of, proceedings before any court or tribunal, or the implementation of court/tribunal orders.

This definition recognises that enforcement-related activities can include lawful surveillance, intelligence gathering, or monitoring activities where there may not yet be an existing investigation — the activities are distinct but may overlap. Examples of surveillance activities include optical surveillance of an individual or property where information obtained from that surveillance may lead to an investigation. Examples of intelligence gathering include the collection of personal information about an individual to detect whether an offence has occurred, to determine whether to initiate an investigation into that offence, or to ascertain whether an individual is planning to commit an offence and whether there are fellow criminal associates. Examples of monitoring activities include the monitoring by an enforcement body of a person who has presented themselves to that body in compliance with a court order.

The OAIC's guidance acknowledges that enforcement-related activities are not confined to post-offence investigation and prosecution; they extend to preventive and intelligence-led functions that are central to modern policing and regulatory practice — for example, cross-border money-laundering intelligence sharing, terrorism-financing analysis, organised-crime surveillance, and trans-Tasman regulatory cooperation on serious corporate misconduct.

## The overseas recipient must perform similar functions or exercise similar powers

The second limb of APP 8.2(f) requires that the overseas recipient be "a body that performs functions, or exercises powers, that are similar to those performed or exercised by an enforcement body." The recipient need not be an Australian enforcement body — it must be a foreign body with analogous enforcement functions or powers. The OAIC guidance does not specify a threshold of similarity, but the policy intent is clear: the recipient must be a law-enforcement, regulatory, or revenue body (or analogous entity) rather than a private entity or a non-enforcement government agency.

Examples of overseas recipients that satisfy this limb include:

  • foreign police services (the UK National Crime Agency, the US Federal Bureau of Investigation, INTERPOL member agencies, Europol participating agencies);
  • foreign revenue and tax authorities (the US Internal Revenue Service, the UK HM Revenue & Customs, the New Zealand Inland Revenue Department);
  • foreign securities and financial regulators (the US Securities and Exchange Commission, the UK Financial Conduct Authority, the Hong Kong Securities and Futures Commission);
  • foreign competition and consumer-protection authorities (the New Zealand Commerce Commission, the European Commission Directorate-General for Competition, the Canadian Competition Bureau);
  • foreign border-protection and immigration-enforcement agencies (the US Customs and Border Protection, the New Zealand Customs Service, the UK Border Force); and
  • international law-enforcement or regulatory bodies exercising enforcement powers under treaties or international agreements (the International Criminal Police Organization, the Financial Action Task Force, the World Customs Organization).

The OAIC has not published a whitelist of qualifying foreign bodies, and Australian agencies are expected to assess on a case-by-case basis whether a particular overseas recipient satisfies the functional-similarity threshold. An agency relying on APP 8.2(f) should document the basis for its conclusion that the recipient performs similar enforcement functions or exercises similar enforcement powers.

## Interaction with APP 6 and other APP 8.2 exceptions

APP 8.2(f) is not a standalone authorisation to disclose. The agency must still comply with APP 6.1, which permits disclosure of personal information only for the primary purpose for which the information was collected, unless an exception under APP 6.2 applies. In most cases where a disclosure is made under APP 8.2(f), the same disclosure will also satisfy the APP 6.2(e) exception — disclosure for a secondary purpose is permitted where the entity "reasonably believes that the secondary use or disclosure is reasonably necessary for one or more enforcement related activities conducted by, or on behalf of, an enforcement body." The two exceptions work in tandem: APP 6.2(e) authorises the disclosure itself (overriding the primary-purpose limitation), and APP 8.2(f) exempts the entity from the APP 8.1 reasonable-steps requirement and s 16C accountability when the authorised disclosure is to an overseas recipient.

Written note requirement under APP 6.5. If an agency discloses personal information in accordance with the enforcement-related activities exception in APP 6.2(e), the agency must make a written note of the disclosure (APP 6.5), unless a law prohibits the agency from making such a record. The OAIC recommends that the note include:

  • the date of the disclosure;
  • the nature of the personal information disclosed;
  • to whom the personal information was disclosed (the overseas enforcement body); and
  • the basis for the agency's reasonable belief that the disclosure was reasonably necessary for enforcement-related activities.

This record serves two purposes: it helps the agency assure itself that the exception applies, and it provides a useful reference if the agency later needs to justify its reasonable belief in a complaint, investigation, or audit.

An agency need only satisfy one APP 8.2 exception to be exempt from APP 8.1 and s 16C accountability. It is not required to stack multiple exceptions. For example, if a disclosure is both reasonably necessary for enforcement-related activities under APP 8.2(f) and also required by an Australian law under APP 8.2(c), the agency may rely on either exception. In practice, agencies typically rely on the clearest and most defensible exception — and APP 8.2(f) is often the most natural fit for operational law-enforcement and regulatory cooperation where no specific statutory compulsion or authorisation exists but the disclosure is clearly within the agency's enforcement mandate.

## Practical application and documentation — OAIC 2022 Passenger Name Record assessment

The OAIC's 2022 assessment of the Department of Home Affairs' cross-border disclosures of European Union-sourced Passenger Name Record (PNR) data provides a detailed case study of APP 8.2(f) in practice. The OAIC assessed Home Affairs' processes governing cross-border disclosures of EU PNR data under APP 8, focusing on whether Home Affairs had taken reasonable steps under APP 8.1 or could rely on an APP 8.2 exception — particularly APP 8.2(c) (required or authorised by Australian law, specifically s 45 of the Australian Border Force Act 2015) and APP 8.2(f) (enforcement-related activities).

The OAIC confirmed that where Home Affairs disclosed EU PNR data to an overseas recipient — such as a foreign law-enforcement agency or a foreign border-protection authority — for a purpose under s 46 of the ABF Act (border protection, law enforcement, national security), and the overseas recipient was a body that performs functions or exercises powers similar to those of an enforcement body, the disclosure satisfied APP 8.2(f). The OAIC observed that Home Affairs made very few cross-border disclosures of PNR data — in the 2019 calendar year, only two cross-border disclosures of PNR data were made, and neither involved EU PNR data; at the time of the assessment fieldwork in June 2022, no cross-border disclosures of PNR data had been made in the 2021–2022 financial year. This low volume reflected Home Affairs' practice of instructing officers to consider alternative data that might sufficiently address a request, thereby minimising the risk that an inappropriate disclosure of PNR data would be made.

The OAIC also noted that where APP 8.2(c) or APP 8.2(f) did not apply, APP 8.1 would require Home Affairs to take reasonable steps to ensure that the overseas recipient did not breach the APPs. Home Affairs adopted a layered approach to securing disclosed information, relying on caveats included in disclosure documents and enforced by information-sharing agreements. This approach is flexible — caveats can be easily amended and adjusted as required, unlike a formal agreement — and the OAIC treated it as a reasonable step under APP 8.1 where no APP 8.2 exception applied.

## When APP 8.2(f) is appropriate and best practice

The APP 8.2(f) exception is primarily used in operational law-enforcement and regulatory cooperation scenarios where:

  1. Cross-border enforcement cooperation is routine — for example, Australia–New Zealand trans-Tasman policing cooperation, Australia–United States mutual-assistance criminal investigations, Five Eyes intelligence sharing, ASIC cooperation with foreign securities regulators on market-manipulation investigations, ATO cooperation with foreign revenue authorities on tax-evasion investigations, or Home Affairs cooperation with foreign border-protection agencies on people-smuggling and border-security matters.
  2. The overseas recipient is a law-enforcement or regulatory body with analogous functions — not a private entity, not a non-enforcement government agency, and not a foreign contractor or service provider.
  3. The disclosure is for a specific enforcement-related purpose — prevention, detection, investigation, prosecution, or punishment of an offence or breach; intelligence gathering; surveillance; or preparation for or conduct of proceedings — and the agency has a reasonable basis for believing the disclosure is reasonably necessary for that purpose.

Not a substitute for due diligence. The OAIC does not encourage routine reliance on APP 8.2(f) as a substitute for the reasonable-steps framework under APP 8.1 where an alternative pathway is available. For example, if the foreign enforcement body is subject to a substantially similar law under APP 8.2(a) (for example, a UK law-enforcement agency bound by the UK GDPR and Data Protection Act 2018), the agency should consider whether APP 8.2(a) is the more natural exception. APP 8.2(f) is a lawful exception, but it shifts privacy risk entirely from the disclosing agency to the individual (by removing s 16C accountability), and agencies should be transparent about that trade-off.

Administrative arrangements and protocols. Although APP 8.2(f) removes the APP 8.1 reasonable-steps requirement and the s 16C accountability provision, the OAIC recommends that an agency intending to rely on this exception should consider establishing administrative arrangements, memorandums of understanding, or protocols with the overseas enforcement body that set out mutually agreed standards for the handling of personal information and provide privacy protections comparable to the APPs. These arrangements do not alter the legal effect of APP 8.2(f) — the agency is still exempt from the reasonable-steps requirement and accountability — but they serve three purposes: risk mitigation (even where the agency is not legally accountable under s 16C, mishandling by the recipient may expose the agency to reputational harm or policy review), compliance with international commitments (where the disclosure is governed by an international agreement, compliance with the agreement's safeguards is a reasonable step even if APP 8.1 is not strictly required), and transparency and audit (demonstrating due diligence and facilitating later review or investigation).

## Documentation and audit trail

Because the OAIC may investigate a complaint or conduct an assessment years after the event, and because the burden of proof rests on the agency to demonstrate that it reasonably believed the disclosure was reasonably necessary for enforcement-related activities and that the overseas recipient performed similar enforcement functions, best practice is to:

  1. Identify the enforcement-related activity — specify whether the disclosure is for prevention, detection, investigation, prosecution, intelligence gathering, surveillance, or preparation for proceedings, and identify the specific offence, breach, or misconduct.
  1. Document the reasonable belief — record the factual basis for the agency's belief that the disclosure was reasonably necessary for that enforcement-related activity, including the nature and severity of the matter, the relevance of the personal information, and whether alternative sources were considered.
  1. Confirm that the overseas recipient performs similar enforcement functions or exercises similar enforcement powers — document the recipient's legal mandate, statutory powers, and operational functions, and record the basis for the conclusion that the recipient is analogous to an Australian enforcement body.
  1. Make a written note under APP 6.5 — if the disclosure is also made under APP 6.2(e), record the details of the disclosure (date, personal information, recipient, basis for reasonable belief) unless a law prohibits such a record.
  1. Maintain records of the disclosure, the legal basis, and any administrative safeguards, in accordance with APP 11 (security of personal information) and the agency's records-management obligations.

The OAIC's enforcement and assessment history (particularly the 2022 PNR assessment) demonstrates that the OAIC expects agencies relying on APP 8.2(f) to be able to justify the enforcement basis and the functional similarity when called upon. An agency that cannot substantiate its reliance on APP 8.2(f) will be assessed under APP 8.1 — and may be found to have breached the reasonable-steps requirement or the s 16C accountability provision if the overseas recipient subsequently mishandles the information.

Sources:

  - Privacy Act 1988, Schedule 1, Australian Privacy Principle 8.2(f)
  - OAIC, Chapter 8: APP 8 — Cross-border disclosure of personal information (Australian Privacy Principles Guidelines, v1.3, October 2025), paras 8.57–8.60
  - OAIC, Chapter B: Key concepts (Australian Privacy Principles Guidelines) — "Enforcement related activity"
  - OAIC, Cross-border disclosures of personal information – Passenger Name Records (2022 assessment)
