New regulations in the European Union (“EU”) are bringing significant change to the way in which Australian businesses must approach the use and storage of customers’ electronic information.

Introduction

If you are subscribed to email newsletters or have visited a large company’s website, you may have received an email requiring you to opt-in to continued newsletters, or noticed a banner or pop-up informing you that the website uses cookies and tracks your data, and requires you to check a box agreeing to the use of cookies before you can continue to browse.

The use of cookies in websites is not new – cookies are small packets of data that are stored and processed both at the host server and on the user’s computer, and have been in use largely since the advent of internet communications.

Cookies are vital to everyday browsing, helping to remember previous browsing data – they are fundamental to the success of the online shopping cart.

The reason that you must now actively consent to the website using cookies to track your browsing data is the EU General Data Protection Regulations (“GDPR”), which came into force on 25 May 2018.

What is the GDPR?

The GDPR is a regulation that is intended to afford protection to natural persons within the EU with respect to their “personal data”.1

Personal data is defined as any information relating to an identified or identifiable natural person, whether directly or indirectly capable of identification, such as an online identifier (an IP address, for example).2

The GDPR applies to the “processing of personal data” of individuals within the EU, whether or not the processor or the controller is located within the borders of the EU, where the processing involves:

  • the offering of goods or services to individuals within the EU; or
  • the monitoring of behaviour of individuals within the EU, where that behaviour occurs within the EU.3

Relevantly, the definitions of “controller” – who determines the purpose and means of processing the relevant personal data – and “processor” – who processes the personal data at the behest of the controller – include both:

  • natural or legal persons; and
  • public authorities, agencies or other bodies.4

All processing is based on the concept of explicit informed written consent that data will be collected and subject to processing.5

Breaches of the GDPR may attract fines of €10,000,000 to €20,000,000 or up to 2% or 4% of total annual global turnover, whichever is higher (depending upon the nature of the breach), in addition to exposing the controller or processor to an action for compensation from the affected party.

Rights of the Individual

The rights of the data subject are set out in Chapter III of the GDPR, and all businesses captured by the operation of the GDPR are required to uphold the expressed rights, which include:

  • providing transparent avenues for data subjects to exercise their rights, including access to information about what data has been obtained;6
  • a right to rectify inaccurate information;7 and
  • a right of erasure or “right to be forgotten” once the personal data is no longer necessary for the purposes for which it was originally collected, or otherwise ought to be erased (however, this right does not infringe or overbear the exercise of the right to freedom of expression or information).8

Responsibilities of the controller

The obligations upon a controller are set out in Chapter IV, and require, amongst other things, that:

  • the controller implement relevant technological safeguards;9
  • data protection be designed as the default safeguard, including minimising the processing of data where it is technologically and practically possible to do so;10
  • the controller only engage processors who are able to uphold the provisions of the GDPR;11 and
  • the supervisory authority (and individual, where there is a risk to the rights and freedoms of the individual) be notified of a data breach as soon as feasible and without delay.12

The GDPR and Australian Businesses

Under the GDPR, it will no longer be sufficient to presume an individual consents to the use of cookies on the basis that they, for example, voluntarily visited the Australian business’ website in order to purchase goods or services.

Depending upon the sophistication of the business, and the nature of the data collected, Australian entities which attract inquiries regarding goods or services from customers based in the EU may need to consider:

  • including a pop-up in the design of their webpage that prompts the browser to actively consent to the use of cookies to track their data and browsing;
  • upgrading their data protection systems, and ensuring that their systems are only recording or processing the minimum level of information possible;
  • ensuring that, where offshore data processing facilities are being engaged, those facilities or organisations are appropriately sophisticated to protect the data they are obtaining; and
  • whether the data they obtain is sufficiently high-volume (undefined by the GDPR) or includes special categories of data as defined by Article 9, such that a representative may need to be appointed in the EU.

While the GDPR will apply to small and medium enterprises which may engage with customers in the EU, the GDPR does impose a proportionate responsibility upon data controllers – where the data is less identifying, or is of lower volume, a small business may not need to engage state-of-the-art technological safeguards.

On the other hand, a small business that deals with high-level identifying data (such as medical records, for example) relating to individuals within the EU may need to consider stringent safeguards to protect that data, and therefore have a higher burden than a business which only records basic browsing data.

In a space which small businesses and multinational companies both inhabit, the fines expressed in the GDPR are clearly aimed at discouraging large multinationals from playing fast and loose with data protection, however, the monetary figures are not expressed to be proportionate to the business’ turnover, unless that turnover is greater than €500,000,000 (approx. AU$800,000,000).

Consequently, a small Australian company that commits an egregious breach of the GDPR, could quite easily find itself in a precarious financial position, and subject to a personal action by the injured party for compensation.

Conclusion

While Australian consumers will not be afforded the rights that protect their EU counterparts, the structural changes which are mandated by the obligations upon data controllers will have a flow-on positive effect on the treatment of local consumer’s personal data.

Australian companies should take heed of the GDPR if their business attracts customers from the EU, and should take steps to minimise the volume and nature of data that is collected only to the level which is necessary to provide the services on offer.

Where the data collected is of a particularly personal nature or tends to identify the individual more readily, greater protection, through use of more sophisticated firewalls or other technological protections should be considered.

Additionally, companies that choose to offshore their data collection or processing teams should carefully consider whether those processing teams meet the requisite standards in terms of data protection, as a breach by the processor may result in a substantial fine being levied against the responsible controller.

In taking these steps, the company will minimise its potential exposure to penalties or civil actions which could arise out of even inadvertent data breaches.