It's nearly six months since the GDPR came into effect on 25 May. It forms part of the European Commission's package of data protection reforms, which aim to modernise and harmonise EU data protection law. Even though the GDPR is EU law, its impact has been global. This is because it can apply directly to organisations not located in the EU, if they fall within the extra-territorial application in Article 3 of the GDPR, or indirectly, if they provide services to other organisations that are subject to the GDPR.
The Office of the Australian Information Commissioner (OAIC) has confirmed that, while the GDPR contains similar requirements to those in the Privacy Act 1988 (Cth) (Privacy Act), organisations that are impacted by the GDPR will need to put in place additional compliance measures. The OAIC also indicated that, where these additional measures do not conflict with Australian privacy laws, organisations that are subject to Australian privacy laws and the GDPR could consider rolling out GDPR compliance measures across their operations to 'improve consumer trust through enhanced privacy practices and allow for more consistent internal privacy practices, procedures and systems across the business.'
Since the GDPR commenced, a key challenge for Australian organisations is understanding the extra-territorial effect of the GDPR (as set out in Article 3.2) on their activities, whether directly or as a consequence of their contractual arrangements with overseas entities. The GDPR can also potentially apply to government as well as to private sector organisations. Below is some practical guidance to follow if you are trying to work out whether the GDPR applies to your organisation, either because it is offering goods or services to, and/or it is monitoring the behaviour of, people in the EU.
You might otherwise find that, while your organisation is not directly subject to the extra-territorial application of the GDPR, because it provides services to organisations established in the EU, they will want to amend their contract with you to impose data protection terms which reflect the GDPR obligations that apply to your organisation as a data processor. You will need to consider carefully whether to agree to some or all of these terms and, if so, on what basis, who bears the costs of any additional compliance obligations, and whether indemnities should be given in light of the potential GDPR liability.
Once you decide that the GDPR does apply to your organisation as a result of Article 3.2, then you also need to consider what steps to take to uplift your current privacy compliance to comply with the GDPR and what are the risks from enforcement by any of the Member State supervisory authorities and/or the European courts.
Are you offering goods or services to individuals in the EU?
The effect of Article 3.2(a) is that, even if your organisation does not have an establishment in the EU, the GDPR will apply to any personal information you process about individuals who are in the EU (including in countries in the European Economic Area) if you are offering goods or services to people in countries (referred to in the GDPR as Member States) in the EU (regardless of whether payment is required).
In considering whether your organisation is 'offering goods or services' to individuals in the EU, the following factors are a strong indication that it will be subject to the GDPR (see Recital 23):
- a representative of your organisation has a physical presence in, or visits, a Member State to offer the goods or services;
- your organisation's website or marketing material has the following features:
  - language: using the language of a Member State, where that language is not relevant to individuals in the organisation's home country (i.e. English for Australia);
  - currency: using the currency of a Member State, where that currency is not generally used in the home country;
  - domain name: your organisation's website has a top level domain name of a Member State;
- you offer to and deliver physical goods to a Member State;
- you use references to individuals in a Member State to promote the goods and services (eg testimonials from people in a Member State);
- your organisation has a large proportion of customers based in the EU; and
- your organisation's advertising is targeted at individuals in one or more Member States.
Weaker indications that goods and services are being offered to individuals in the EU include:
- accepting payment using a credit card with a billing address in the EU;
- delivering goods or services electronically to an individual who might be in the EU;
- your organisation's internet or email advertising is not targeted at individuals in the EU, but might be seen by individuals there; and
- your telephone numbers on the website have an international prefix for people dialling from the EU.
Based on these factors, the mere fact that a person in the EU could purchase a product or service from your organisation online, without taking some action to specifically target people in the EU, is unlikely, without other factors, to trigger the application of Article 3.2(a).
An example of an organisation offering goods or services to people in the EU that would meet the requirements of Article 3.2(a) is where it advertises goods for sale on its website and the website targets EU customers by enabling them to change the language on the website to a European language, pay in euros and receive delivery of products to their address in the EU.
Are you monitoring the behaviour of people in the EU?
Article 3.2(b) extends the operation of the GDPR to organisations located outside the EU if they monitor the behaviour of people in the EU, in so far as the behaviour takes place in the EU.
In considering whether your business is caught by the 'monitoring' limb of the GDPR, Recital 24 of the GDPR states that 'it should be ascertained whether natural persons are tracked on the internet including potential subsequent use of data processing techniques which consist of profiling a natural person, particularly in order to take decisions concerning her or him or for analysing or predicting her or his personal preferences, behaviours and attitudes.' Recital 30 provides that '[n]atural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers…'
'Profiling' is defined in Article 4(4) and is composed of three elements:
- it has to be an automated form of processing;
- it has to be carried out on personal data; and
- the purpose of the profiling must be to evaluate personal aspects or traits about a natural person.
This definition suggests that where individuals are tracked, their personal data collected, and that data is then processed by your organisation with an intention to analyse or predict their behaviours, preferences or attitudes, or to make decisions about them, this will be 'monitoring' for the purposes of Article 3.2(b). This is also the case where the data is processed by automated means. According to the Article 29 Working Party, broadly 'profiling means gathering information about an individual (or group of individuals) and evaluating their characteristics or behaviour patterns in order to place them into a certain category or group, in particular to analyse and/or make predictions about, for example, their:
- ability to perform a task;
- interests; or
- likely behaviour.'
Therefore there would need to be something more than passive, incidental tracking: in effect, you would be making a decision about the person as a result of the collection and evaluation.
Australian organisations required to meet the GDPR requirements should carefully assess the risks of enforcement of the GDPR obligations against them. Article 50 of the GDPR imposes obligations on the European Commission and supervisory authorities to take appropriate steps to cooperate with international stakeholders, and provide international mutual assistance in the enforcement of legislation for the protection of personal data. With this in mind, we expect that the European supervisory authorities will seek to cooperate with local regulatory authorities such as the OAIC in relation to any potential breaches of the GDPR, particularly where the possible GDPR data breach is also a breach of the Privacy Act.