The European Union General Data Protection Regulation ("GDPR") came into effect on 25 May 2018. Its primary objective is to harmonise data protection laws across the EU. In the process, existing EU data protection laws have been updated, and Australian organisations with European connections may in some circumstances be required to adjust their existing privacy practices in order to comply.
In many respects, Australia's privacy laws are already consistent with the updated European requirements, and to this extent, the potential impact on Australian businesses will be contained. The primary question is whether, and under what circumstances, Australian businesses will become subject to the new European regime at all.
Despite considerable conjecture, it is our view that for most Australian businesses, the impact will be minimal. In some circumstances, however, existing data protection practices may have to be adjusted.
The issue arises because of Article 3(2) which provides:
"This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:
(a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
(b) the monitoring of their behaviour as far as their behaviour takes place within the Union."
Recital 23 provides some guidance as to what constitutes "the offering of goods or services" by entities not established in the EU:
"In order to ensure that natural persons are not deprived of the protection to which they are entitled under this Regulation, the processing of personal data of data subjects who are in the Union by a controller or a processor not established in the Union should be subject to this Regulation where the processing activities are related to offering goods or services to such data subjects irrespective of whether connected to a payment. In order to determine whether such a controller or processor is offering goods or services to data subjects who are in the Union, it should be ascertained whether it is apparent that the controller or processor envisages offering services to data subjects in one or more Member States in the Union. Whereas the mere accessibility of the controller's, processor's or an intermediary's website in the Union, of an email address or of other contact details, or the use of a language generally used in the third country where the controller is established, is insufficient to ascertain such intention, factors such as the use of a language or a currency generally used in one or more Member States with the possibility of ordering goods and services in that other language, or the mentioning of customers or users who are in the Union, may make it apparent that the controller envisages offering goods or services to data subjects in the Union."
Recital 24 provides some guidance as to what constitutes "monitoring the behaviour" of an individual in the EU:
"The processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union should also be subject to this Regulation when it is related to the monitoring of the behaviour of such data subjects in so far as their behaviour takes place within the Union. In order to determine whether a processing activity can be considered to monitor the behaviour of data subjects, it should be ascertained whether natural persons are tracked on the internet including potential subsequent use of personal data processing techniques which consist of profiling a natural person, particularly in order to take decisions concerning her or him or for analysing or predicting her or his personal preferences, behaviours and attitudes."
Is an Australian business bound by the GDPR?
The GDPR applies to data "processors" and "controllers" with an establishment in the EU, or to processors and controllers outside the EU, where their processing activities involve the offering of services to individuals in the EU, or monitoring the behaviour of individuals in the EU.
The terminology "processor" and "controller" is unique to European law and does not have a direct equivalent in Australian law. In essence, however, a typical Australian business will be the equivalent of a "controller" to the extent that it is responsible for the collection and use of personal information (e.g. information relating to individual clients) in the normal course of its operations; and typically, it will not be a "processor", unless it has outsourced the handling of client data to a European-based entity.
Obviously, many Australian businesses do not have an establishment in the EU. Accordingly, they will only be subject to the GDPR if they are offering services to, or monitoring the behaviour of, individuals in the EU.
With respect to "offering services" for the purposes of Article 3(2)(a), Recital 23 suggests that the following activities may fall under this umbrella:
- an Australian business whose website targets EU customers, for example by enabling them to order goods or services in a European language (other than English), or enabling payment in Euros; or
- an Australian business whose website mentions customers or users in the EU.
As to whether an Australian website is "targeting EU customers", the examples contained in Recital 23 are not exhaustive. Nevertheless, applying those criteria, the following considerations will normally be taken into account:
- whilst the fact that the website is accessible from Europe and that customers are intermittently sourced from Europe will not be relevant, a business strategy which demonstrably seeks to solicit work from Europe may be;
- the fact that the website uses languages other than English is not determinative, but it will be relevant if the reason for doing so is to facilitate access by European-based clientele; and
- the fact that a business invoices European customers in Euros will not itself be indicative of "targeting EU users", but the advertising of fees in Euros on the website may be.
If it can be concluded, on this basis, that a business is targeting EU users, then it may be "offering services" to European individuals in the manner envisaged by the GDPR, and this, in turn, would make it subject to the GDPR.
What is the gap between current Australian privacy obligations and the GDPR requirements?
To a large extent, an Australian business will meet the GDPR requirements if it complies with the Australian Privacy Principles (APPs).
Nevertheless, despite a considerable amount of overlap, the obligations arising under the APPs and under the GDPR are not quite aligned in the following respects.
Accountability and governance
It is a requirement to appoint a data protection officer located in the EU in some circumstances. Under Article 37, this obligation only applies to businesses whose core activities "consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale". This is a focussed scenario which will not capture the majority of Australian businesses, but which will nevertheless capture a business that, for example, has an outsourcing facility based in Europe.
Other new "accountability and governance" obligations introduced by the GDPR are:
- an obligation to undertake compulsory data protection impact assessments prior to certain types of data processing activities. Unless a business were to outsource the processing of personal information to a European-based entity, this is unlikely to be an issue for Australian businesses;
- an obligation to keep records of processing activities. The Office of the Australian Information Commissioner (OAIC) states that this is addressed by APP 1.2 although this may be an overstatement – it is in fact addressed by the OAIC's recommendations as to how an organisation should comply with APP 1.2. Most Australian businesses should already comply with this obligation in any event; and
- an obligation to draw up a code of conduct in relation to compliance with the GDPR. This is not a mandatory obligation, however, and will not necessarily trouble a business with only incidental European links.
Accordingly, it appears that the inconsistencies between the GDPR and the Privacy Act 1988 in relation to accountability and governance will not be of significant consequence to a typical Australian business.
The GDPR introduces special provisions for obtaining consent from individuals below the age of 16 years. The Privacy Act 1988 does not have an equivalent stipulation, even though the OAIC APP Guidelines suggest that an individual aged 15 years or over has the capacity to consent, thus giving rise to a potential inconsistency.
In practical terms, unless a business has occasion to obtain consent of individuals under the age of 16 years, this will not be an issue.
Mandatory Data Breach Notification
The GDPR requires the reporting of "high-risk" data breaches within 72 hours of detection, whereas the Privacy Act 1988 requires the reporting of "serious" data breaches "as soon as practicable". Whilst these two obligations are almost aligned, an Australian company would have to ensure that, in the case of a serious data breach involving personal information stored in Europe, notification was provided within 72 hours even in circumstances where it would otherwise have formed the view that it was impracticable to do so.
Right to erasure
Under the GDPR, individuals can require the deletion of personal information which they consider is no longer necessary. There is no equivalent provision in the Privacy Act 1988 but it is instructive that when a similar right was proposed in Australia by the Australian Law Reform Commission in 2014, the OAIC resisted change to the APPs on the basis that an equivalent right was already encompassed by APP 11.2. APP 11.2 requires the destruction or de-identification of personal information when no longer required in connection with the original purpose of collection.
Accordingly, there does not appear to be a need for an Australian business to adjust its current practices in order to comply with the new European standards.
Under the GDPR, an individual has a right to require that their personal information be transferred to another "controller" in a "structured, commonly used, machine-readable format". There is no equivalent right under the Privacy Act 1988, although a similar concept has been recommended in Australia by the Productivity Commission.
This issue would typically confront a business in circumstances where a customer seeks to transfer to a competitor, and wants their personal information to be transferred in the process. Whilst most businesses would normally accede to such a request, those which don't would need to adjust their practices.
Right to object
The GDPR includes a right of an individual to object to the continued processing of their personal information in certain circumstances. The right only applies, however, where the individual contests the accuracy of their personal data, considers the processing to be unlawful or considers the information to be no longer required. Whilst the Privacy Act 1988 operates in a different manner, the effect of APP 10 (quality of personal information) and APP 13 (right to correct personal information) means that coverage under Australian privacy law is essentially the same. Again, there should be no need for an Australian business to alter its existing practices in order to accommodate this change.
The GDPR regulation of transborder data flows is structured differently to APP 8, although the effect is ultimately similar.
Transfers of data from Australia to the EU are unaffected by the new Regulation. For different reasons, transfers of data from Europe to Australia will also remain unaffected – whilst complications arise where data is transferred from the EU to a country which lacks an "adequate" level of data protection, Australia has in fact been in that category since the former EU Article 29 Committee determined in 2001 that Australia's data protection laws were "inadequate" as a consequence of their failure to match European standards. This in effect means that it will still be necessary (as has always been the case in theory) for an Australian business to provide certain contractual undertakings to European-based entities which are forwarding personal information to it.
In other words, the GDPR does not alter the existing position regarding overseas transfers of personal information or the receipt of personal information from a European source.