Australia's privacy law (as it applies to private sector bodies) has some international reach but it is seen to be weak compared to other models. A "reasonable belief" that the transfer is to a recipient in a country with substantially similar law to the Federal Privacy Act is one of a number of "limitations" on transfer of personal information overseas. What is a "reasonable belief" hasn't been tested in the courts and no one knows if any of our major corporations have been quizzed on the issue by the Privacy Commission.
Consent would also justify transfer, but a personal anecdote on this. In order to obtain a travel insurance benefit I was looking to apply this week for a new charge card. One of the fine print details stipulated in the application form was agreement that the company could:
"transfer personal information confidentially to related companies and other organisations which issue or service (the card). This includes transferring personal information to the United States or other countries for data processing and servicing". No choice about it. Of course US privacy laws aren't all that flash and data held in the US must be provided on demand to security services. As to what goes in the unnamed "other countries", who knows.
The adequacy of Australian law regarding transborder data flows is one of the many issues being looked at by the Australian Law Reform Commission.