In Australia, the commencement of the European Union's General Data Protection Regulation (GDPR) on 25 May 2018 has been largely overshadowed by the Notifiable Data Breach regime (NDB Regime) under the Privacy Act 1988 (Cth) (the Privacy Act) that came into force in February 2018.
However, the GDPR will apply to many Australian businesses, including businesses that may not need to comply with the NDB Regime.
The Office of the Australian Information Commissioner (OAIC) has published guidance for Australian businesses on the GDPR requirements and has recommended organisations assess whether the GDPR may apply to them, and if so, take steps to implement any necessary changes to ensure compliance.
Who does the GDPR apply to?
The scope of the GDPR is broad, and will capture many Australian businesses that have some kind of connection with the EU.
Significantly, the application of the GDPR to businesses is not limited by any revenue threshold. This may catch Australian businesses off guard, especially those which have an annual turnover of less than AUD 3 million and have determined on that basis that they are not subject to the NDB Regime.
The GDPR has a broad extraterritorial reach and will apply to businesses which:
- are data processors and controllers based in the EU;
- offer goods or services to people in the EU; or
- monitor the behaviour of individuals in the EU.
Australian businesses will need to carefully consider whether they meet any of the above requirements, particularly the latter two, which can easily be met by Australian businesses that have no physical operations in the EU.
What are the obligations and sanctions under the GDPR?
The GDPR imposes significant obligations on businesses within its scope that are either similar to, or stricter and more onerous than, those set out in the Privacy Act. These include obligations that businesses:
- implement a privacy-by-design approach to compliance;
- be able to demonstrate that appropriate technical and organisational measures have been implemented to comply with GDPR privacy principles and obligations;
- adopt transparent information handling practices; and
- comply with 72-hour breach notification requirements.
The GDPR also offers rights to individuals that are not available under the Privacy Act. This includes the right to seek deletion of their data in certain circumstances.
Sanctions that can be imposed under the GDPR for non-compliance are severe. Administrative fines of up to EUR 20 million or 4% of annual worldwide turnover (whichever is higher) can be imposed for certain types of contraventions.
Clyde & Co's global cyber team has previously published guidance on the obligations under the GDPR which can be found here.
How will it be enforced in Australia?
The OAIC has stated its commitment to internationally coordinated approaches to privacy regulation. It is therefore likely to cooperate with and assist the EU Commission and EU supervisory authorities in enforcing the GDPR outside the EU, including in Australia.
Australian businesses need to consider whether they need to comply with the GDPR and if so, the steps they need to take now to meet the obligations that will be imposed by the legislation come 25 May 2018.