Like insisting that champagne can only be called champagne if it comes from Champagne, the needy lawmakers in the EU have decided that, from 25 May 2018, their privacy laws are the best and will apply to everyone, everywhere.
Businesses based anywhere in the world will be required to comply with European privacy law if they have an establishment in the EU, offer goods or services to people located there (even for free), or monitor the behaviour of people who are in the EU. The new regime is the EU General Data Protection Regulation (GDPR), and the kicker is that it applies to any business, regardless of size. That means Australian businesses that don't need to comply with the Privacy Act here (because they fall under the $3 million annual turnover threshold) could find themselves falling foul of the EU rules.
It's such a big deal that the Australian Privacy Commissioner has issued guidance on complying with the GDPR, and has noted that its principles are broadly similar to the Australian Privacy Principles. However, there are a few significant exceptions:
1. The right to be forgotten. If an individual in the EU asks you to delete the personal information you hold about them, you generally have to do it (the GDPR calls this the right to erasure, and the exceptions are narrow). Under Australian law, there is no general right to demand deletion: you can keep the information if you have a legitimate reason to hang onto it.
2. You may need to appoint a 'privacy champion'. Cool name, and probably a fun job, although the GDPR's official title is Data Protection Officer. Having a privacy officer is only a recommendation under the Australian regime, but the EU is much more serious. If your core activities involve large-scale, regular and systematic monitoring of individuals, or large-scale processing of sensitive (special category) data, someone needs to draw that short straw.
3. Consent. When you rely on the consent of an individual in the EU to use their personal information, you must tell them, before they consent, that they can withdraw it at any time, and withdrawing must be as easy as consenting was. Also, for online services offered directly to children, if the person is under 16 you must obtain the consent of a parent or guardian (individual EU countries can lower that age to as young as 13). These are not requirements of the Australian law.
4. Data breaches. Under our mandatory data breach notification scheme (commencing 22 February 2018), you have up to 30 days to assess a suspected breach and must then notify the OAIC and affected individuals as soon as practicable. Under the GDPR, a breach that is likely to put people at risk must be reported to the supervisory authority within 72 hours of becoming aware of it. Ouch.
5. The penalties are much bigger. Your maximum exposure for a breach of the GDPR is EUR 20 million or 4% of your annual worldwide turnover, whichever is higher. Here, the maximum penalty for a company is $1.7 million. And the GDPR has been built with overseas businesses in mind: if you are caught by it but have no establishment in the EU, you will generally need to appoint a representative there, so you will have nowhere to hide.