The European Union’s (EU) new data privacy legislation, the General Data Protection Regulation (GDPR), commenced on 25 May 2018 and some Australian businesses may be affected.
The GDPR has been introduced to harmonise the data protection laws across Europe and to impose stricter standards of personal information handling for businesses.
One of the key changes imposed by the new GDPR is the expansion of the territorial scope of EU data protection laws to some Australian businesses that:
- have an establishment in the EU (regardless of whether they process personal data in the EU);
- offer goods and services to EU customers; or
- monitor the behaviour of individuals in the EU.
The online business model is becoming increasingly prevalent as internet usage becomes more accessible and consumers grow more confident in sourcing and outsourcing goods and services internationally. As a result, this extension of the laws has the capacity to capture a large number of Australian businesses.
We expect that the obligations are only likely to be imposed on businesses that actively target their goods and services at EU consumers. This view also appears to be supported by examples provided by the Australian Privacy Commissioner of the types of Australian businesses that may be required to comply with the new GDPR regime, which include an Australian business:
- with an office in the EU;
- whose website targets EU customers, for example, by enabling them to order goods or services in a European language (other than English) or enabling payment in euros;
- whose website mentions customers or users in the EU; and
- that tracks individuals in the EU on the internet and uses data processing techniques to profile individuals to analyse and predict personal preferences, behaviours and attitudes.
As a starting point, Australian businesses that are caught by the regime will generally be required to appoint a representative located within the EU to ensure compliance with the GDPR and act as an intermediary between the business and the supervising authorities and individuals in the EU. However, there is a limited exception in cases where the processing of data by the business is occasional and unlikely to cause a risk to, or impinge upon, the rights of a person.
There are also more stringent requirements for consent, which must now be:
- freely given;
- informed; and
- an unambiguous indication of an individual’s wishes by which that person, by a statement or by a clear affirmative action, signifies agreement to the business handling their information.
In addition to this, relevant businesses must be able to demonstrate compliance with the new rules and will be required to ensure that personal data is:
- processed ‘lawfully, fairly and in a transparent manner’;
- collected for ‘specified, explicit and legitimate purposes’;
- ‘adequate, relevant and limited to what is necessary’ in relation to these purposes;
- accurate and up to date;
- kept in identifiable form for no longer than is necessary for the purposes; and
- processed in a manner that ensures ‘appropriate security of the personal data’.
While there are similarities between the GDPR and the existing requirements under Australia’s Privacy Act 1988 (Cth), this new legislation is set to impose a higher standard of protection on the handling of personal data. Australian businesses that are subject to the GDPR should be aware of the enhanced rights for individuals and the greater accountability and governance standards it introduces.