The new EU General Data Protection Regulation (GDPR) comes into effect on 25 May 2018, and for many businesses all around the world, is driving a focus on understanding and updating their data handling practices to ensure they are ready to comply. This is because not only can the GDPR apply to businesses outside of the EU, but there are also significant penalties for non-compliance (up to €20 million or 4% of global annual turnover for the preceding financial year in certain circumstances).
So, with a little over 10 months to go before the new regime applies, we recommend that Australian businesses think about whether they are caught, and if so, start planning for the legal and operational changes that are required to comply with GDPR.
Some familiar concepts
There are many similarities between the GDPR and the Australian Privacy Act 1988 (Cth), including:
- The need for transparency and the importance of privacy by design.
- The need to be able to demonstrate compliance with certain privacy principles.
- The GDPR concept of personal data is largely analogous with the Australian concept of personal information. The GDPR also has extra protections dealing with special categories of information that are similar to Australian sensitive information (e.g. information dealing with race, gender, health, political opinion etc.).
- The importance of consent when dealing with personal data.
This makes the initial task of understanding what sort of data is caught, and therefore whether GDPR is likely to be relevant to the data that your business handles, a relatively straightforward process. Having passed through that gating process, the question then becomes one of whether you have sufficient nexus with the EU and EU citizens’ data or behaviour to be caught, and if so, what different obligations apply.
Some new concepts
There are some key differences between the Australian regime and the GDPR that could trip up an unwary business. Some of these differences are:
- Australian businesses of any size may need to comply with the GDPR (as opposed to the limited exemptions from the Australian law for small business with an annual turnover of $3 million or less).
- The concepts of data controllers and data processors will not be familiar to many Australian businesses, but these are fundamental to understanding the GDPR. You will need to identify which term applies to your business and (most likely) appoint a representative in an EU Member State to field communications from the EU regulator and individuals.
- Under the GDPR, data controllers must notify the authorities of a data breach within 72 hours of becoming aware of the breach (exceptions apply). Under Australia’s new mandatory data breach notification laws (effective 22 February 2018) an entity will have to notify Australia’s Information Commissioner and affected individuals as soon as practicable (exceptions apply), which will in most cases be a more generous time frame than the 72 hours required by GDPR.
- The GDPR contains a ‘right to be forgotten’. This is a right for an individual to require the deletion of their data on request in specific circumstances. There is no similar right under Australian law.
- Australian businesses need to be aware of the fact that the relationship between a data controller and a data processor (as those terms are understood under the GDPR) needs to be recorded in a contract containing certain mandatory clauses.
- Under the GDPR, an individual can require a data controller to provide the individual’s data in a commonly-used, machine readable format so that it can be ported to a new data controller.
Under chapter eight of the Australian Privacy Principles (APP), an entity transferring personal information from Australia must generally take reasonable steps to ensure that an overseas recipient does not breach the APP (and can be held responsible for the recipient’s failure to comply with the APP).
The GDPR requires that personal data can only be transferred outside of the EU to countries that provide an adequate level of data protection. Australian data protection laws are not currently listed as being adequate in this regard. This means that the transfer of certain information to Australia from the EU requires specific safeguards to be in place. These safeguards include (but are not limited to) the following:
- binding corporate rules are in place for intra-group transfers, and
- the data controller has entered into certain standard-form data protection clauses with the recipient.
This note is not intended to be exhaustive. A good starting point if you think you might be affected by the GDPR is the resource prepared by the Office of the Australian Information Commissioner (click here). The next step is seeking legal advice, particularly if you are involved in international data transfer arrangements with EU Member States. If you are caught, there are significant legal and operational requirements which you will need to take into account.
We have experience in preparing policies and data sharing agreements that meet the requirements of both regimes (including to automatically accommodate the GDPR).
For further information on any of the issues raised in this alert please contact: