EU data protection laws overhauled - does this affect my business in Australia?

If you have an establishment in the European Union (EU), offer goods and services in the EU, or monitor the behaviour of individuals in the EU, then the answer is probably yes, and you should certainly read on.

The new EU General Data Protection Regulation (GDPR) comes into effect on 25 May 2018, and for many businesses all around the world, is driving a focus on understanding and updating their data handling practices to ensure they are ready to comply.  This is because not only can the GDPR apply to businesses outside of the EU, but there are also significant penalties for non-compliance (up to €20 million or 4% of global annual turnover for the preceding financial year in certain circumstances).

So, with a little over 10 months to go before the new regime applies, we recommend that Australian businesses think about whether they are caught, and if so, start planning for the legal and operational changes that are required to comply with GDPR.

Privacy law update - data breaches must now be notified

It is time to review your cyber security posture

In brief

Australia’s federal privacy laws are set for their most significant amendment since the introduction of the Australian Privacy Principles in 2012.  

On Monday, Parliament passed the Privacy Amendments (Notifiable Data Breaches) Bill 2016 (the Bill), which will make it mandatory for entities regulated by the Privacy Act to notify of any data breach that is likely to result in serious harm.

These amendments have been a long time coming.  They were originally recommended as part of the Australian Law Reform Committee’s 2008 report on Australia’s privacy laws, and then were proposed as part of the legislative package of changes in 2015 that required telecommunications providers to store metadata.

A not-so-safe harbour

Alex Hutchens, John Kettle, Paul McLachlan, William McCullough

It is impossible to avoid the frenzy that has been kicked up by the European Court of Justice’s (ECJ) decision of 6 October 2015 in Case C-362/14 Maximillian Schrems v Data Protection Commissioner.

What is/was the Safe Harbour?

Like Australia, the Member States of European Union (EU) are subject to strict data protection regulations. Generally speaking, personal data cannot be transferred out of a Member State unless the destination country has adequate protection for the data in question. Over a decade ago, the United States of America (US) and European Commission entered into the ‘Safe Harbour Agreement’ which meant that data could be shared where both companies comply with the Safe Habour Agreement.

All was well and good and many big businesses (including Amazon and Google) relied on the enforceability and protection of the Safe Harbour Agreement.

Forget-me-not (just forget what I’ve done)

The right to be forgotten

Alex Hutchens, Malcolm McBratney, Sheena Fraser

To forget is human.  The problem is, the internet never forgets.  At least, not until now.

Earlier this year, European courts confirmed the right of Europeans in certain circumstances to request that information pertaining to them be deleted from the internet.  This means that they no longer have to rely on peoples’ fading memories for what they have done to be forgotten.

OPSM parent company loses $33.5 million ADF contract for privacy breach

The parent company of OPSM, Luxottica Retail Australia has lost a $33.5 million contract with the Australian Defence Force (ADF) by sending ADF medical records overseas.

Luxottica was awarded the contract by the ADF in 2012 under which it provided optical services to all ADF personnel.  At that time, Luxottica claimed that it would exclusively offer eye services to more than 80,000 ADF personnel each year primarily through its OPSM stores.