If you use an offshore technology vendor, or your customers' data is stored or processed by an offshore entity, then a foreign country may have legal jurisdiction over your clients' private data regardless of where that data is physically located.
The amendment to the Australian Privacy Act that took effect in March 2014 introduced a single set of privacy principles regulating the handling of personal information by both Australian Government agencies and businesses. These are the Australian Privacy Principles (APPs). They replaced the Information Privacy Principles (IPPs), which applied to Australian Government agencies, and the National Privacy Principles (NPPs), which applied to businesses.
Under the cross-border disclosure principle (APP 8), the Australian sender is accountable for the overseas recipient's acts and practices in respect of the personal information it discloses, as if the Australian sender had itself engaged in those acts and practices in Australia. Where relevant, the sender is taken to be in breach of the APPs because of the overseas recipient's acts or omissions.
In other words, the Australian Privacy Act holds you responsible for the actions of your offshore data provider or processor even when those actions were not of your doing.
This matters in today's climate of increasingly large and severe data breaches, in which previously healthy businesses become exposed to significant financial penalties.
Engaging offshore vendors can also expose your clients' private data to offshore legal jurisdictions.
For example, U.S. authorities may exercise extraterritorial powers against non-U.S. entities to obtain non-U.S. data if that data is stored on a server located in the U.S., or is controlled by or in the possession of a U.S. company, under the USA PATRIOT Act.
It is not a defence for a U.S. company that possesses or processes data to say that it does so outside the United States. The reach of these powers was later contested in U.S. courts, but the CLOUD Act of 2018 made explicit that a U.S. provider can be compelled to produce data within its possession, custody or control regardless of where that data is stored.