On 24 March 2026, after eight years of on-and-off talks that began in June 2018, the European Union and Australia concluded negotiations on a comprehensive free trade agreement covering more than €89.2 billion in annual two-way trade. Most coverage led with tariffs and critical minerals. The more durable story sits in the digital trade chapter — and in a quiet collision between what Australia just promised Brussels and what its own Privacy Act is busy becoming.
What Article 11.5 actually locks in
The released text contains binding cross-border data-flow disciplines that, until recently, governments treated as aspirational. According to legal analysis published by the International Economic Law and Policy Blog on 22 April 2026, Article 11.5(1) restricts five distinct categories of measure. The parties may not require the use of domestic computing facilities or locally certified network elements; may not mandate that data be stored or processed within national territory; may not prohibit storage or processing in the other party's territory; may not condition transfers on localisation; and — most consequentially — may not require prior approval before data crosses the border.
This is the strongest data-flow language Australia has accepted in any trade instrument. The European Commission frames it plainly: the agreement "sets rules on data flows and prohibits data localisation requirements, which is an important step for digital and tech companies." For a mid-sized economy whose cloud, fintech and research sectors depend on routing data through Singapore, Dublin and Frankfurt, a treaty-grade ban on protectionist data rules is a genuine win for the open internet.
The case for the regulators
Before criticising the friction, it is worth stating the strongest version of the privacy side. Australia's overseas-disclosure regime exists for a real reason: once personal data leaves the country, the individual it describes loses any practical ability to enforce their rights against a recipient in a jurisdiction with weaker law. Australian Privacy Principle 8, set out in the OAIC's guidelines, requires an entity to take reasonable steps to ensure an overseas recipient does not breach the APPs. Section 16C goes further — it makes the disclosing Australian entity accountable for the recipient's breach, deeming that act to be a breach by the Australian entity itself. That accountability model is precisely what gives a privacy right meaning across borders; without it, "we sent your data offshore" becomes a liability shield.
Where the texts pull against each other
The problem is that Australia's privacy regime is tightening at exactly the moment the FTA pushes the other way. The Privacy and Other Legislation Amendment Act 2024, which received Royal Assent on 10 December 2024, introduced a ministerial "whitelist" mechanism: countries offering substantially similar protection can be designated so that transfers to them are streamlined. It also added a statutory tort for serious invasions of privacy, new civil-penalty and infringement-notice powers for the OAIC, and a doxxing offence — a clear expansion of cross-border exposure for entities that move data offshore.
The FTA anticipates this and carves space for it. Article 11.5(2)(a) lets a party subject a specific transfer instrument to approval "on grounds relating to the protection of personal data and privacy," and the chapter's general exceptions (incorporating GATT Article XX and a clause protecting "privacy of individuals in relation to processing and dissemination of personal data") give regulators further cover. So Australia has not signed away its privacy sovereignty.
But the carve-out is narrower than the obligation. The treaty bans prior approval as a default condition on transfers, while permitting approval only for a specific instrument on privacy grounds. APP 8 plus s 16C operates as a general, economy-wide accountability and reasonable-steps requirement — closer to the prohibited default than to the permitted exception. The IELP analysis itself concedes the open question, noting that "we are going to need some disputes and case law" before anyone knows how these clauses bite in practice. That is an honest admission that the line between a legitimate privacy safeguard and a disguised transfer barrier has not yet been drawn.
The proportionate path forward
This tension is resolvable, and the resolution favours both open data flows and strong privacy — if Canberra acts on a tool it has already built but not used. As of mid-2026, no country has been added to the whitelist, despite the mechanism being live since December 2024. An empty whitelist is the worst of both worlds: it imposes APP 8's reasonable-steps and s 16C accountability burden on every transfer while delivering none of the streamlining the reform promised.
Designating the EU — whose GDPR plainly clears the "substantially similar" bar — would collapse most of the friction at a stroke. It would make the FTA's data-flow commitment operational for the bilateral relationship, reward the exact regulatory convergence trade agreements are meant to encourage, and preserve s 16C accountability for transfers to genuinely under-protected jurisdictions where the safeguard does real work. Reserving the heaviest compliance burden for the riskiest destinations is the textbook definition of proportionate regulation.
The Australia-EU FTA is a model of how a liberal trading democracy should treat cross-border data: presumptively free, with targeted, evidence-based exceptions. The agreement has done its part. Australia's privacy regulator now has to do the unglamorous work of making the carve-out match the commitment — starting with a whitelist that is no longer empty.