We are now one month away from the historic enforcement of the EU General Data Protection Regulation (GDPR) and it is clear that there is still much to do by many Australian organisations to ensure compliance by the 25 May 2018 deadline.
While many Australian organisations have historically adopted a more transparent and conciliatory approach to privacy and security, without the need to look too far across national borders, this is a position that now faces challenge in light of increasing globalisation and intensified data flows across borders.
The recent Australian Mandatory Data Breach Notification Regime has placed data privacy and security front of mind for many organisations. But there is still a lack of awareness of the scope and the risks of the EU GDPR among many businesses. This is so despite increased publicity of the Regulation, including from the Privacy Commissioner. The OAIC has encouraged businesses and public sector entities ‘of any size’ to review their privacy practices and the extent of their compliance obligations under the GDPR, and to take immediate steps to ensure their handling practices comply before its enforcement date.
Broad scope of defined ‘personal data’
The extra-territorial application of GDPR means that companies incorporated outside of the EU, but which use or collect personal data on individuals within the EU, will be subject to the new GDPR regime. The scope of that defined personal data is broad – it includes any data set which can identify or single out an individual. It is much broader than the Australian definition of personal information or the US concept of PII.
Biometric and genetic data sets are called out as special categories of data, the processing of which is prohibited unless an exemption can be identified – in many cases this will require the explicit, informed and unambiguous consent of the individual before processing. But there cannot be any imbalance when obtaining that consent – which must be unbundled from other notices and terms provided to individuals.
This will be of particular importance for employers, who can no longer readily rely on an employee’s general agreement under an employment agreement as constituting valid consent to the processing of their data. Many must now turn to other lawful bases, including establishing that the processing is in the legitimate interests of the organisation, in order to process employee data.
Indeed, for Australian organisations, the processing of employee and payroll data will be a key area of concern. Under the Australian Privacy Act, there is an exemption for a private sector employer handling employee personal information in many cases – there is no such exemption under GDPR. The processing of employee and payroll data has been identified by EU regulators as a key area for protection, where employers in most cases will act as the data controller of employee information. This can apply in respect of any employees seconded to Europe or where payroll processing is completed by equipment or servers located in Europe, including through outsourced service providers. Therefore, any Australian organisation holding or processing EU resident employee data should immediately review their employee data processing practices, determine the effectiveness of their information and security practices, and put in place measures to ensure compliance.
Public sector organisations are not immune
Contrary to popular belief, public sector entities are not immune. While there are some notable exemptions for public authorities in the area of the prevention, investigation or prosecution of criminal offences or criminal penalties, including public and national security, the regime has broad application to all public bodies.
The Australian Government has accordingly urged all Government departments and public bodies to review their EU data processing practices, including with third party providers, to assess their exposure. Where a public authority’s processing activities fall under the remit of Article 3 of GDPR, in addition to its general obligations there is also a requirement to appoint a data protection officer (DPO) to oversee and police data compliance – a mandatory requirement for all public authorities.
Enforceability and Take-up
The take-up in Australia has to date been decidedly (and perhaps not surprisingly) slow, with many organisations appearing to take a ‘wait and see’ approach to compliance. This may be due to the questions which arise on the likelihood of any proactive regulator investigation or enforcement outside of the EU.
But organisations should take note – the new Regulation brings with it the potential for joint and several liability for controllers and processors brought under its remit (as those terms are used in the Regulation), as well as enhanced rights for individuals. So, if you are an Australian organisation processing data on behalf of your EU customer, an individual whose data has been compromised as a result of an unauthorised disclosure or breach can choose to take recourse directly against you, or against your EU customer.
In the event of a serious incident, it is not unlikely that fines would be imposed, with the potential for direct liability of the Australian organisation if it participated in or had knowledge of the breach, and/or joint and several liability with the EU customer. Data protection rights are enshrined in the Charter of Fundamental Rights of the European Union, and these rights have been actively enforced by regulators and the courts under the current regime.
Australian companies are likely to see this being manifested in current and future agreements with EU customers, where additional due diligence and assurances on security, governance and compliance policies and procedures will be required. Detailed data processing addendums incorporating wide indemnities for breach are also likely to be forthcoming.
Additional measures will be applied by EU customers and suppliers alike in an effort to discharge their compliance requirements. This will be the case even when an Australian organisation is not itself caught by the Regulation, as EU organisations strive to ensure compliance with the new regime.
The prohibitive fines for breach of the GDPR mean that Australian organisations would be well advised to review their exposure to liability under the GDPR, and their data mapping and compliance journey, sooner rather than later.
Given the current timing until enforcement, with less than a month to go, any organisation that has not yet started this journey would be well advised to develop and document an immediate risk mitigation strategy on compliance.
Please see our earlier article with further information on the impact of the GDPR for Australian organisations.