The Framework

Under Australia’s Privacy Act 1988, personal data cannot be disclosed to a recipient outside Australia unless “reasonable steps” are taken to ensure the recipient adheres to the Australian Privacy Principles (APPs). If a breach occurs abroad, the Australian entity may remain liable unless an exemption applies, such as the individual’s informed consent, the recipient being subject to comparable privacy laws, or a valid “permitted general situation.” In practice, this means implementing robust contractual measures, maintaining detailed oversight of data processing activities, and routinely assessing the risk of noncompliance.[1]

Implications for U.S. Technology Companies

Big U.S. technology companies often rely on rapid data flows to power analytics, user services, and product development. Complying with Australia’s cross-border regulations necessitates complex internal and external agreements, data audits, and ongoing risk assessments—driving up costs. This may hinder the expansion of certain U.S. services, especially if Australian regulators and consumers demand additional assurances or if the legal environment remains uncertain. Over time, even well-resourced U.S. firms could see reduced agility in rolling out new features or services.

How China Benefits

When U.S. companies scale back or adopt more cautious strategies due to regulatory complexity and liability risks, Chinese firms—often with robust state support—have an opportunity to gain market share in Australia. As U.S. companies dedicate resources to compliance, Chinese businesses may move faster to market with fewer cross-border obligations, thereby bolstering China’s global tech presence and influence.

Endnotes