All public sector entities should seek to understand the application and reach of the GDPR and assess whether it applies to their activities.
The European Union General Data Protection Regulation (GDPR) is leading a revolution in international privacy and data standards. Although a European law, the GDPR's broad extra-territorial reach is such that it is impacting many entities within Australia and around the globe. But while much ink has been spilled about the GDPR's application to the Australian private sector, comparably little has been written about its potential application to, and impact on, the Australian public sector.
Accordingly, almost 12 months after the GDPR came into effect, there is still considerable uncertainty and complexity about how, and to what extent, it applies to the Australian public sector.
Ultimately, whether the GDPR applies must be carefully considered on a case-by-case basis and this article sets out some of the key areas of relevance for the Australian public sector.
But even where the GDPR does not apply, it is still helpful to understand it. The GDPR has become the new gold standard for the protection of personal data and public sector agencies should look to certain aspects of the GDPR to enhance how they handle and protect personal data.
How the GDPR might apply to the Australian public sector
The GDPR applies to two categories of entities: "controllers" and "processors" of "personal data". Broadly stated, personal data is similar to the concept of "personal information" that exists under the Commonwealth Privacy Act 1988 and under many Australian State and Territory privacy laws that apply to the public sector.
Both "controller" and "processor" are broadly defined under the GDPR to include a "natural or legal person, public authority, agency or other body". The GDPR does not define public authority, agency or body, nor does it say whether these terms are restricted to bodies of EU member states. In the context of enforcing the GDPR, how these terms are defined and applied will therefore likely depend on the relevant implementing member state.
Given the breadth of the terms "controller" and "processor" under the GDPR, it is likely that Australian Federal, State and Territory Government agencies and departments, as well as Australian public bodies such as public universities, would be captured by these terms. These entities will typically be a data "controller" under the GDPR because they have control over the way personal data is processed, including the purposes and means of processing the data. They may also be a "processor" in limited circumstances where they process data on behalf of another body.
However, the GDPR will only apply to the extent that a controller or processor falls within the territorial scope of the GDPR, that is, if it:
- has an "establishment" in the EU and processes personal data in the context of the activities of the establishment (Article 3(1)); or
- offers goods or services to individuals in the EU (Article 3(2)(a)); or
- monitors the behaviour of individuals in the EU (Article 3(2)(b)).
Processing related to an establishment in the EU
The first point is focused on whether an entity has an establishment in the EU. Guidelines issued by the European Data Protection Board acknowledge that "the notion of establishment is broad" and that the presence of one employee or agent may trigger Article 3(1) in some cases. However, there are limits to the breadth of Article 3(1) and the European Data Protection Board states that it is unlikely that the GDPR would be triggered solely because a body has a website that is accessible within the EU. A body might be regarded as having an establishment in the EU if it has a physical presence within the EU – for example, a university with an EU campus.
Processing related to offering goods or services to people in the EU
The GDPR may also apply under Article 3(2)(a) to public sector entities in relation to their offering of goods or services to persons in the EU, such as promotional campaigns for tourism, trade or studying opportunities, or educational programs that target EU subjects. Targeting could include websites or advertisements which are in the language of an EU Member State and/or allow payment in the currency of one or more EU Member States, such as the Euro. But without an offer to a person in the EU or an intention to target people in the EU, a website that is merely accessible in the EU will likely be insufficient to fall within the reach of the GDPR.
Processing relating to monitoring behaviour in the EU
So, the GDPR potentially applies – what does this mean for the public sector?
The GDPR contains a number of provisions that broadly align with existing Commonwealth and State and Territory privacy laws – but with some salient differences:
- The GDPR introduces several new concepts, such as the concept of data "controller" and "processor". This may require additional steps for ensuring compliance by service providers and other third parties where there is an exchange of personal data.
- The GDPR also imposes a generally higher standard of data security compliance and greater rights for data subjects over how their data is used and managed, such as the right to restrict the processing of their personal data and the right to "data portability" in some circumstances. From a technical perspective, these requirements will mean that agencies need to reassess their personal data processes and ensure they are geared to ensuring compliance in all applicable instances.
- The GDPR imposes restrictions on the transfer of personal data outside the EU, which may impact the transfer of information from the EU back to Australia. This may cause difficulty for Australian public sector entities, as even when there is a legitimate basis for processing personal data under the GDPR, the legal requirements for the transfer out of the EU also need to be satisfied.
- At present, certain Australian State and Territory government agencies and departments (but not Commonwealth agencies) are not required to comply with the Australian Notifiable Data Breach scheme under the Privacy Act, unless they are a Tax File Number (TFN) recipient and the breach relates to TFN information. The GDPR does not have a similar exemption – it requires all personal data breaches to be reported within 72 hours, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons (Article 33).
General exemptions from the GDPR
Given the nature of the activities that are typically carried out by public authorities and bodies, they may be able to rely on certain exemptions under the GDPR in some situations. The exemptions that are potentially available under the GDPR share similarities with those under Australian privacy laws – for instance, certain data processing activities carried out by a competent authority for the purposes of the prevention, investigation, detection or prosecution of criminal offences, including prevention of threats to public security.
However, the GDPR exemptions are subject to restrictions and depend on the particular circumstances of the case, including the way that the GDPR is administered through the national laws of EU member states – for example, the agency might have to be authorised for law enforcement purposes under the laws of the EU state enforcing the provisions.
Foreign immunity exemption
Another key aspect to consider is the legal principle that foreign states and their agencies are entitled to some immunity from the jurisdiction of the courts of foreign jurisdictions, which may limit the ability to prosecute and penalise certain public entities under the GDPR, especially for acts connected to their government administration or law enforcement activities. However, this immunity is less likely to extend to commercial activity by public sector entities or to the activities of their suppliers located within the EU. Even if an agency successfully claims immunity from privacy laws, it will still need to consider the public perceptions of the alleged breach and its consequences.
What are the consequences of non-compliance where the GDPR does apply?
The potentially severe sanctions for non-compliance with the GDPR have been well-publicised, but the extent to which they apply to non-EU public authorities and bodies remains unclear. However, as a practical matter, formal enforcement against a foreign public body is probably less likely in the first instance than informal approaches directed to the relevant Australian diplomatic representative.
The public sector should act now
All public sector entities should seek to understand the application and reach of the GDPR and assess whether it applies to their activities. An area of particular risk for the public sector relates to data processing related to activities that have a commercial element (for example, public sector entities that offer goods or services to individuals in the EU).
Even where the GDPR does not apply to public sector entities, they should seek to understand the GDPR to see whether there are any aspects of the GDPR that, where practicable, are worth emulating to bolster their existing data protection practices and procedures. For example, public sector entities could adopt improved data governance and protection measures (such as data protection by design and default) that include appropriate technical and organisational measures, such as pseudonymisation, to protect the rights of data subjects (Article 25 and Recital 78).
Understanding the GDPR will also assist public sector entities to understand how the GDPR potentially applies to some of their contractors and suppliers who may be subject to it. Knowing the laws that suppliers and contractors are subject to can assist the due diligence process of assessing whether or not those suppliers are able to protect personal information in a manner that will ensure compliance with the contract and applicable Commonwealth or State or Territory privacy legislation.