With the introduction of the European Union (EU) General Data Protection Regulation (GDPR) fast approaching, many Australian businesses will be required to reconsider the way they process, store and protect personal information.

Set to come into operation on 25 May 2018, the GDPR will replace an out-dated directive that has been in operation since 1995. The GDPR will provide consistency throughout all 28 member States in the EU, including countries such as the United Kingdom, France, Germany and Italy.

The GDPR won’t just affect businesses located in EU member States. If an Australian businesses (of any size) processes ‘personal data’ (as defined below) through a business establishment in the EU or in the course of one of the following activities, it must comply with the GDPR:

  • offering goods or services to individuals located in the EU (irrespective of whether connected with a payment); or
  • monitoring the behaviour of individuals located in the EU.

Circumstances in which the above qualifying factors would be met include where an Australian business has an office located in the EU, a website allowing customers in the EU to order goods and services or a website that monitors individuals located in the EU through the use of cookies (which identify an individual either directly or indirectly). However, an Australian business that merely allows individuals located in the EU to access their website (without monitoring that individual or offering goods or services for sale) would not be caught.

While Australian privacy laws contain similar requirements, the GDPR is more far-reaching in terms of the future of data protection. Australian businesses should therefore take steps to determine whether the GDPR is applicable, and consider revising their information handling processes to ensure compliance.

Personal Data

The GDPR applies to ‘personal data’, which is defined in Article 4 of the GDPR to mean “any information relating to an identified or identifiable natural person.” A natural person may be identified by a wide range of factors including their “name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity.”

This broad definition of personal data, which includes identification by way of an online identifier, may cover individuals that can be identified by their devices, such as through internet protocol addresses or the use of cookies. Significantly, due to the new consent requirements outlined below, it is no longer sufficient to rely on messages which state “by using this site, you accept the use of cookies.”

Special protections also apply to ‘special categories’ of information, which includes personal data relating to matters such as racial or ethnic origin, religious beliefs or health information.

EU Representative

Australian businesses that are not established in the EU but meet one of the qualifying factors set out above must, in some circumstances, appoint a representative established in the EU as a point of contact for the relevant authorities. The appointment of a representative will not be required where processing is occasional or does not include large-scale processing of ‘special categories’ of data, and is unlikely to result in a risk to the rights and freedoms of natural persons (taking into account the nature, context, scope and purposes of the processing).

Similarities

Some features of the GDPR which are similar to Australian privacy laws include:

  • the privacy by design approach, whereby controllers must implement appropriate measures to ensure compliance (such as data protection policies)
  • transparent information handling practices; and
  • the requirement to demonstrate compliance.

Consent

Processing of personal data will only be lawful if one of the requirements set out in Article 6 of the GDPR applies. One circumstance in which the processing of personal data is permitted is if the data subject has given their consent. Consent will generally occur if there is a freely given, specific, informed and an unambiguous indication of the person’s agreement (by either a statement or a clear affirmative action). This means that silence or pre-ticked boxes will not be sufficient.

Notification

Data controllers must, without undue delay, notify the relevant supervisory authority (for example, the Information Commissioner’s Office for the United Kingdom), no later than 72 hours after becoming aware of a personal data breach, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons. Additional requirements will apply (unless an exception applies) if the breach is likely to result in a high risk to the rights and freedoms of natural persons, whereby the controller must also notify the affected individual without undue delay.

Key Obligations

  • Controllers, who are responsible for determining the purpose and means of processing personal data, will be subject to increased accountability obligations. For example, controllers will be required to prepare compulsory data protection impact statements for high-risk activities and keep records of their processing activities
  • A ‘Data Protection Officer’ must be appointed to oversee compliance and data security strategy where the controller engages in regular and systematic monitoring of a large-scale, where the controller engages in large-scale monitoring of ‘special categories’ of data or where processing is carried out by a public authority. This may be an employee of the controller, so long as their professional duties are compatible and there is no conflict of interest
  • The GDPR includes enhanced rights for individuals, including the ‘right to be forgotten’, whereby controllers are required to delete an individual’s data in certain circumstances, including when data is no longer necessary for the purpose for which it was collected or consent is withdrawn
  • While personal data may be transferred outside of the EU, it may only be transferred to countries that provide an adequate level of data protection or where appropriate safeguards have been put in place.

Penalties

Hefty fines of up to 20 million euros or 4 per cent of global annual turnover (whichever is higher) may be imposed by the relevant supervisory authority for contraventions of the GDPR.

What does this mean for Australian businesses? Prior to the commencement of the GDPR on 25 May 2018, Australian businesses should:

  • act promptly to determine whether they are covered by the GDPR
  • determine how personal information is currently being collected from EU residents
  • understand their obligations under the GDPR
  • review and revise information handling processes to ensure compliance with the GDPR
  • if necessary, appoint a representative established in the EU and a Data Protection Officer; and
  • involve staff at all levels to ensure your business is prepared to deal with the above.