David Vaile, co-convenor of cyberspace law and policy at the UNSW law faculty, said this was controversial and messy in terms of interpretation of the new law.
"The practice of the Privacy Commissioner has generally been not to actually make determinations on complaints, which would be the equivalent of court judgements, so there is little true 'case law' to assist determining how the Act will be interpreted," he said. "The safest approach would be to assume you remain fully responsible [liable] for the handling of personal information by offshore entities.
"So you would want to consider rock solid contracts, very intrusive due diligence as if you were checking out your own security, and regular audits for compliance with Australian privacy law and effective best practice IT security.
"If something goes wrong and you end up carrying the can, every clear effort you made to ensure you are treating the privacy of the data entrusted to you as if it remains in your own hands will tend to count towards the 'reasonableness' of your efforts."
While the mandatory breach notification laws did not pass through the parliament, Vaile also believes that could change. "If Australia does not make it mandatory, it is the odd one out, as there are laws to require disclosure in the US and EU, and other places," he said. "To be safe, make preparations for detecting, recording, disclosing and remedying breaches on the basis that you will probably at a minimum be required to audit it internally, and more likely make appropriate disclosures.
"Be proactive, put in place world's best practice, most transparent plans so you aren't caught out looking like you want to hide. Breaches happen, the issue is what you do next."
Vaile suggested an audit of data that fits the definition of "personal information" under the Privacy Act, including information from which someone's identity "could reasonably be ascertained". This is broader than the US notion of "personally identifying information", which is not much more than name and address. It could include data such as cookie information, IMEI, MAC address, IP address, location, and many others, particularly when combined using newly available tools in the Big Data area.
Thomas Duryea CTO Rhys Evans said the lack of court precedents would make the operation of the new laws "ridiculously confusing" until somebody was taken to court.
"From our perspective, I think it's going to be a big change for the SI industry and it will have to be a lot stricter about how it shares data and who it shares data with," he said.
"If we start seeing those very large vendors such as Microsoft and EMC changing their compliance on how they share data with the community, that will have an effect on distributors and SI partners."