Many in the Australian business community, and especially those trading internationally or with a technology or data focus, will be coming to grips with (or at least have heard about) last year’s ‘once in a decade’ changes to the European Union (EU) equivalent of the more familiar Privacy Act applying in Australia.
Effective from 25 May 2018, the General Data Protection Regulation (GDPR) of the EU mandates comprehensive requirements for the protection of personal data. The GDPR gives teeth to European data protection law by allowing for the imposition of significant penalties for contraventions of the GDPR by controllers and processors of personal data. In some cases, these penalties include fines of up to €20 million, or 4% of the worldwide annual revenue of the prior financial year, whichever is higher.
Australian businesses may be caught by the GDPR even where they do not have a European parent or subsidiary. This is significant as it may require compliance with the GDPR in a wider range of situations than previously applicable, and potentially impose significant sanctions on non-EU trading entities if in breach of the rules.
Importantly, the small business exemption that applies to many Australian businesses under the Privacy Act does not exempt them from complying with the GDPR if they are caught within the GDPR’s territorial scope. Indeed, the Australian small business exemption is a key reason why the EU does not consider Australian law as having adequate protection for safeguarding EU personal data in respect of cross-border transfers. Australian businesses therefore should not simply assume that compliance with or exemption from the Privacy Act is enough for them to comply with the GDPR.
Is my Australian business caught by the GDPR?
Controllers and processors of personal data can fall within the territorial scope of the GDPR in two main ways, essentially by either being ‘established’ in the EU through stable arrangements, or by ‘targeting’ individuals in the EU. The second of these ways has caused much confusion among non-EU businesses as to whether or not they need to comply with the GDPR, both in terms of what constitutes targeting, and who counts as an individual ‘in the EU’ for the purposes of the targeting test.
Although an Australian citizen on holidays in Europe using goods or services exclusively directed at the Australian market is unlikely to fall within the scope of the GDPR, the offering of goods or services by an Australian business in multiple European languages, or in return for payment in euros, may well be. Your business might also be caught by having websites under European domain names, or by making mention of international clientele comprising customers in various EU member states.
To be clear, not every activity connected to Europe will necessarily be caught by the GDPR, and there may be ways for businesses to mitigate the risk of being caught. Single elements taken alone may not be enough to bring a business under the GDPR. At the same time, Australian businesses falling within the scope of the GDPR need to ensure they are aware of their obligations, and have in place appropriate measures to comply, even if they do not have a physical European presence.
What do I need to do?
Seek advice taking into account all your relevant operational and commercial circumstances, and which makes an objective, legally informed and technically aware assessment of your position and any relevant obligations you have under the new laws.