Regulators around the world are, and will be, taking a much closer look at rules on the protection of individual personal data and the security of their citizens’ information. The onslaught of the new and arduous General Data Protection Regulation (GDPR) regime in Europe, the recent ‘protectionist’ changes to the PRC Cybersecurity Laws in China on 1 June 2017, anticipated changes in Singapore’s data privacy regime, as well as rumblings from other Asia-Pac countries in this area, all confirm that these are issues where national regulators are sitting up and taking action. Recent cyber events, including the much-reported ‘WannaCry’ cyber-attack, add to global unrest in this area.
To date, Australia has adopted a more transparent and conciliatory approach to privacy and security. However, this position is likely to face challenge in light of international developments in this area. The introduction in Australia of the long-awaited new mandatory Privacy Amendment (Notifiable Data Breaches) Act 2017 (NDB) in February 2017, commencing from, at the latest, February 2018, as well as the Government’s budget confirmation of the Productivity Commission’s new law on personal data sharing and release, go some way to support Australia’s renewed focus in this area.
The Office of the Australian Information Commissioner (OAIC) has also just released its updated resource, General Data Protection Regulation Guidance for Australian Businesses (the Guide), to confirm that Australian businesses should, as a matter of priority, review the extent of their compliance obligations under the GDPR and take steps now to ensure their handling practices comply, prior to its commencement from 25 May 2018. At a conference hosted last month by the OAIC, the Privacy Commissioner, Timothy Pilgrim, expressly underlined the importance of GDPR for Australian businesses, and advised that the OAIC will be taking a closer look at compliance in this area.
Therefore, to the extent that an Australian company handles or processes EU individual data in the course of its operations and this processing falls within the scope of the extra-territorial reach of the GDPR (as described further below), this company will be required to comply with the onerous requirements of GDPR and may be subject to its sanctions.
The Guide confirms that Australian businesses “of any size” may need to comply with the GDPR if they have an establishment in the EU, if they offer goods and services in the EU, or if they monitor the behaviour of individuals in the EU.
The Guide helpfully compares the GDPR and Privacy Act 1988 (Cth) principles in an easy-to-read comparison table. Certain similarities are highlighted and both laws contain a shared focus on fostering transparent information handling practices and business accountability, to give individuals confidence that their privacy is being protected.
However, there are notable differences in the GDPR. In addition to the myriad of broadly defined terms and wide scope of personal data, there are enhanced rights for individuals to their data, data portability obligations, a right “to be forgotten”, enhanced consent requirements and a 72-hour mandatory data breach requirement in certain cases, not to mention the unwieldy fines and sanctions.
While some Australian businesses may already have certain measures in place that will be required under the GDPR, the Guide recommends that all organisations should begin taking steps to evaluate their information handling practices and governance structures, seeking legal advice where necessary, to implement the necessary changes well before commencement of the GDPR.
We take a closer look here at the GDPR and its implication for Australian businesses processing EU personal data / global organisations operating in Australia with the required relationship to the EU, who handle personal information of EU/UK citizens.
So, what is GDPR?
You will no doubt have read multitudes of reports and analysis on this new legislation and what it may mean for both European and global organisations. In brief, the GDPR is a wide-ranging piece of (directly applicable) privacy legislation recently adopted by the EU institutions, which mandates a significant rise in personal data protection compliance obligations for all organisations coming within its reach – both inside and outside the EU.
Notably, due to its new extra-territorial effect, a large number of global organisations operating across borders who were not previously caught by the existing regime will be affected. The GDPR will also be directly applicable in the UK for a period, despite Brexit considerations. It is widely accepted that the same / a similar regime will apply in the UK post-separation.
The GDPR was adopted on 26 April 2016 and is due to come into effect on 25 May 2018. As the legislation took over five years of intense lobbying and debate (inside & outside the EU) prior to its adoption, there are a number of interpretative issues and unanswered questions (including extra-territorial issues). Although there is less than a year to go, guidance to date from the EU has been relatively sporadic.
Why is GDPR so important?
There are some key reasons:
- The significantly increased fines for personal data breach for all organisations caught by GDPR (of up to €10-20mil or 2-4% of global annual group turnover) means that it is a group board-level issue for many organisations. Non-compliance in even smaller companies in a group may lead to significant ramifications where GDPR applies to that group / company within the group
- A host of new obligations on data controllers and data processors (for the first time) are introduced, which include enhanced rights for individuals to their data, data portability obligations, the right to be forgotten, enhanced consent requirements to name but a few
- Underpinning the GDPR are ‘accountability’ and ‘transparency’ obligations which require a holistic approach to be taken to privacy compliance – around the world. Getting prepared may require internal re-organisation of each group member’s business activities and procedures – on a wholesale group basis
- Even where a group / company may not currently fall within the scope of GDPR, continuous review and re-organisation may still be required so as to avoid company activities falling under its scope in the future
- A group / company’s partners and third party suppliers and customers may be caught by the GDPR and additional compliance requirements / contractual obligations on companies may be forthcoming from such organisations
- Fundamentally, protecting the reputation and brand of the wider group where any breach or suspected data breach / security / information governance issues arise remains an ever-present and key driver
Why does GDPR concern Australian operations?
In determining whether activities fall within its geographical reach, the GDPR considers not only the location of where information is being processed (as was the case under the old EU Data Protection Directive), but now also the location of the individual whose data is being processed.
Under the existing regime, non-EU businesses only fall within the scope of the Directive if processing takes place using equipment in the EU (e.g. using servers / employees located in the EU). This will no longer be the test and the ambit of the GDPR seeks to capture all processing of EU individual data, regardless of where such processing takes place.
The GDPR will apply to any Australian business that processes personal data:
- “In the context of the activities of an establishment of any organisation in the EU”
- “Of EU individuals where the processing activities relate to the:
  - Offering of goods or services to individuals in the EU (including where no payment is required); or
  - Monitoring the behaviour of individuals in the EU (where such behaviour takes place in the EU)”
Both “personal data” and “processing” under GDPR are broadly interpreted and go much further than the analogous definitions of “personal information” and “handling” under the Privacy Act / APPs in Australia.
A review of your existing use, handling and processing of EU individual personal data and the targeting of services outside of Australia to the EU is recommended. Reviewing both existing and anticipated data flows (e.g. which may arise as a result of group company acquisitions, disposals or new third party contracts) is also recommended.
Referencing specific GDPR recitals, the OAIC provides some examples of GDPR application on Australian businesses that may fall under this test in its recently published Guide.
To determine if GDPR impacts your business, the fundamental question to ask at the outset is “Do you target EU individuals or organisations and if so, what percentage of personal information is processed related to such activities?” If you are likely to be at risk, the time to act to ensure compliance is now.
This extra-territorial effect of GDPR has been well publicised (and criticised) and organisations outside of the EU are now taking stock to review their privacy compliance obligations.
While there are still question marks over the practical enforceability of the GDPR regime and its sanctions outside of the EU (with ongoing discussion of extra-territorial co-operation agreements with EU supervisory authorities), the OAIC has confirmed that it will continue to use its enforcement powers under the Australian Privacy Principles (APPs) where a privacy breach arises.
It has also recently confirmed that it is committed to internationally coordinated approaches to privacy regulation, recognising that APP entities carry on their business globally and that personal information is regularly disclosed, handled and stored overseas. The OAIC also participates in several international forums and arrangements to promote best privacy practice internationally, address emerging privacy issues in Australia and cooperate on cross-border privacy regulation and enforcement matters.
As such, if an Australian business is found to contravene the GDPR in respect of data / security breach (for example) this may be sufficient to bring it to the attention of the OAIC, who may take action under the APPs in respect of that data / security breach (without prejudice to any EU enforcement capability).
While we have yet to see the full impact that GDPR will have on non-EU businesses, for market-leading organisations operating in Australia, reviewing your privacy compliance obligations with the GDPR will be crucial to ensure the protection of your reputation and brand and to minimise any risks of exposure to exponential fines and sanctions for breach.
As the Privacy Commissioner has confirmed, privacy and data protection is an area that is likely to see further change in the coming years for Australian companies. This is one area where organisations can get ahead of the game by applying additional measures under the GDPR (even where not mandatory / required) to enhance privacy practices, engage consumer trust and ensure consistent internal privacy practices, procedures and systems across all businesses.
We are currently completing GDPR gap analysis, data flow mapping and risk compliance audits for our clients and would be delighted to answer any questions you may have on this area and on whether GDPR is likely to impact your business in Australia.
Please see our resources which include key requirements and some practical tasks for implementation which can assist you to understand and comply with this new and significant impending legislation.