Chapter 8: Privacy Safeguard 8 — Overseas disclosure of CDR data by accredited data recipients

15 November 2022

Download the print version (version 4.0)

Update Information

We are currently in the process of publishing the current version of the Privacy Safeguard Guidelines on the OAIC’s website in HTML format. In the meantime, if you need assistance because the document you need is not available in a format you can access, please contact us at cdr@oaic.gov.au.

Key points

  • Privacy Safeguard 8 sets out the circumstances in which an accredited data recipient of a consumer’s CDR data can disclose that data to a recipient located overseas.
  • Under Privacy Safeguard 8, an accredited data recipient of a consumer’s CDR data must not disclose that data to a recipient located overseas (other than the CDR consumer) unless one of the following exceptions applies:
    • the overseas recipient is also an accredited person
    • the accredited data recipient takes reasonable steps to ensure the overseas recipient will not breach privacy safeguard penalty provisions (noting that, for this exception, the accredited data recipient remains accountable for any breach of the relevant privacy safeguards by the overseas recipient), or
    • the accredited data recipient reasonably believes the overseas recipient is subject to a law or a binding scheme equivalent to the privacy safeguards and there are mechanisms available to the consumer to enforce that protection.
  • These requirements are in addition to the other disclosure restrictions set out in Privacy Safeguards 6, 7 and 9 and the consumer data rules (CDR Rules).