Australian Privacy Principle 8 (APP 8) in Schedule 1 to the Privacy Act 1988 addresses what happens when an Australian business discloses personal information to an overseas entity. The core obligation is straightforward: before making a cross-border disclosure of personal information, an APP entity must take reasonable steps to ensure that the overseas recipient does not breach the Australian Privacy Principles in relation to that information. The consequence is equally straightforward: if the overseas recipient breaches the APPs, the Australian entity that made the disclosure is treated as having breached the APPs itself.
How Email Hosting Creates APP 8 Liability
When you send or receive email through a service hosted offshore — Gmail (Google LLC, Mountain View, California), Microsoft 365 (Microsoft Corporation, Redmond, Washington), Yahoo Mail (Yahoo Inc., USA), or virtually any mainstream global provider — that email is processed, stored, and backed up on servers outside Australia. Each transmission of an email containing personal information constitutes a disclosure to an overseas recipient under APP 8. This is not a theoretical risk — it is an ongoing, daily disclosure occurring with every email sent and received.
Important distinction: "Australian data residency" options (paying extra to store primary mailbox data in Australian data centres) do not fully resolve the APP 8 issue. Email metadata, backup copies, disaster recovery systems, AI processing for spam filtering, and technical support access remain subject to US jurisdiction under the CLOUD Act even with data residency options enabled. For a complete provider-by-provider analysis, see /compare/gmail and /compare/outlook.
The US CLOUD Act: Why "Australian Data Residency" Is Not Enough
The Clarifying Lawful Overseas Use of Data (CLOUD) Act, enacted by the US Congress in March 2018, allows US law enforcement agencies to compel US-based technology companies to produce data stored anywhere in the world — including data stored in their Australian data centres. When Google or Microsoft maintains an "Australian data centre" for primary storage, the data remains subject to CLOUD Act compulsion because the service provider (Google LLC, Microsoft Corporation) is a US person. Australian courts have no jurisdiction over this process, your clients are not notified, and the disclosure may be under a gag order preventing the provider from telling you it occurred.
Who Is Most Exposed Under APP 8?
- Healthcare providers: Patient clinical notes, test results, referral letters, and Medicare information in email. Health information is sensitive information under APP 3 — the highest protection level. APP 8 exposure for a medical practice using Gmail is among the most serious privacy law risks in Australian business.
- Law firms: Solicitor-client privileged communications in email. Foreign government access to offshore email servers can undermine privilege — the Law Council of Australia has specifically highlighted this risk.
- Financial services: Client financial information, superannuation details, investment advice, and SMSF data. ASIC-regulated businesses face additional obligations on top of APP 8.
- Government contractors: Businesses handling Commonwealth or state government data face mandatory Australian data residency requirements under PSPF and ISM in addition to APP 8.
- Any business handling sensitive personal information: Mental health information, sexual orientation, religious beliefs, ethnicity, criminal records — all sensitive information categories receive heightened APP protection, including under APP 8.
Complying with APP 8: The Practical Path
There are two legitimate paths to APP 8 compliance for email: (1) ensuring the overseas recipient is subject to a law providing substantially similar protections to the APPs and the individual can seek enforcement of those protections — which in practice means an adequacy assessment comparable to the EU's GDPR adequacy mechanism, something the OAIC has not formally established for the US; or (2) obtaining the express, informed consent of every individual whose information will be disclosed offshore — impractical for ongoing business email. The practical reality for most Australian businesses is that APP 8 compliance means moving to Australian-hosted email.
