The GDPR will overhaul data protection throughout the EU and enters into force on 25 May 2018. It has extraterritorial reach beyond the EU, which could affect a large number of Australian businesses, not previously bound by EU data protection legislation. Therefore, the clock is ticking for affected Australian businesses to become compliant with the GDPR.
Below is a brief overview of some of the significant elements of the GDPR.
Some aspects of the GDPR are similar to certain principles under the Privacy Act 1988 (Cth) (Privacy Act), but the GDPR goes further than the Privacy Act in other respects.
The GDPR gives much more power to individuals in regard to the use of their personal information by businesses. For example, individuals have rights in respect of:
- data portability;
- the right to be forgotten;
- the right to restrict processing; and
- the right not to be subject to decisions based solely on automated processing (e.g. profiling).
The GDPR will automatically apply throughout all member states of the EU. However, member states are also implementing their own legislation.
Applicability of GDPR to Australian businesses
Australian businesses, of any size, may need to comply with the GDPR if they:
- have an establishment in the EU;
- offer goods or services in the EU e.g. if the business' website is in an EU language, allows purchases in an EU currency or otherwise directly targets EU residents; or
- monitor the behaviour of individuals in the EU, e.g. using cookies or IP addresses to actively collect the personal data of, track or profile EU individuals.
The GDPR could have significant consequences for Australian businesses not previously caught by EU data protection law. Businesses should consider data flow arrangements with all affiliate entities, and advertising arrangements, which may reach individuals in the EU.
The GDPR could bind Australian businesses not subject to the Privacy Act. Unlike the Privacy Act, which generally only applies to businesses with a minimum annual turnover of AU$3,000,000, the GDPR sets no minimum turnover or sales threshold in the EU for a business to be deemed a data controller or data processor.
The GDPR protects personal data, which is any information relating to an identified or identifiable (either directly or indirectly) natural person. The definition specifically includes information such as location data and an online identifier as well as the more traditional types of personal data.
The GDPR specifies additional protections for personal data which fall within a 'special category' (similar to sensitive information under the Privacy Act), including personal data relating to an individual's ethnicity, sexual orientation, political opinions, religious beliefs or health.
The GDPR distinguishes between data "controllers" (who determine the method and purpose of personal data collection and processing) and data "processors" (who process the personal data on the controller's behalf).
Similar to the Privacy Act, the GDPR adopts a principles-based approach and requires that data controllers and processors demonstrate adherence to the GDPR's fundamental principles of personal data processing, which include lawfulness, fairness and transparency; accuracy; accountability; and integrity and confidentiality.
Accountability and governance
Data controllers or processors that are subject to the GDPR, but not established in the EU, will usually have to appoint a representative in the EU. There are certain exceptions for infrequent, small-scale or low-risk processing of personal data.
Data controllers will also need to:
- undertake compulsory data protection impact assessments before processing data which has high risks for the rights and freedoms of individuals;
- keep records of data processing activities for which they are responsible;
- consider creating a code of conduct to facilitate compliance with the GDPR;
- only engage with data processors that provide sufficient guarantees of compliance with the GDPR; and
- create a contract with any data processor they engage with that contains certain prescribed terms relating to the security and confidentiality of the data processor's procedures.
Power to the people
Individuals have far more power over their personal data under the GDPR than previously in the EU. Some of these rights also exist under the Privacy Act.
1. Consent
Businesses will generally need to secure explicit consent of individuals to be able to collect, retain and use their personal data in accordance with the GDPR.
Consent must be freely given, specific and informed and be an unambiguous indication by a 'statement or clear affirmative action' that the individual agrees to the processing. It should be easy to access, use simple and clear language and be distinguishable from other matters. Any part of a consent declaration which infringes the GDPR will not be binding. Therefore, businesses need to use an opt-in mechanism to secure explicit consent.
It must be as straightforward to withdraw consent as it was to give it initially.
As the Privacy Act also has consent provisions in place, many companies may already be compliant in this regard. However, systems should be reviewed in light of the GDPR, particularly regarding withdrawal of consent. Businesses should also have appropriate records of what individuals have consented to and where they have withdrawn consent.
2. Right to information
Individuals have the right to information about how their data is processed, including the purpose of the processing, the retention period for the personal data and with whom the personal data will be shared. The information must be presented in a succinct, transparent, understandable and easily accessible way and should be provided without undue delay and free of charge.
APP entities in Australia that collect personal information must take reasonable steps to give individuals information about certain matters, under the Privacy Act, such as in their privacy policies and collection notices. Therefore, they may already substantially comply with the GDPR in this regard. However, documents should be assessed to ensure that they comply with any additional GDPR disclosure obligations.
3. Data portability
Data portability is an individual's right to receive their personal data in a structured, commonly used and machine-readable format and the ability to transmit such data to another controller.
This right exists where:
- the individual has provided the personal data to the controller;
- the data processing has been consented to by the individual or is for the performance of a contract; and
- the data processing is automated.
Where 'technically feasible, the data subject should have the right to have personal data transmitted directly from one controller to another'. It is still unclear how this will work in practice.
The right to data portability does not exist under the Privacy Act. However, given that the Privacy Act grants individuals the right to access their personal information and, where reasonable, in the manner they request, many Australian businesses may already be partially compliant in this regard.
4. Right to be forgotten
The right to be forgotten is an individual's right to have their personal data deleted by the data controller. This arises where the data on an individual is no longer relevant for the purpose for which it was initially collected, or where the individual withdraws their consent to have their data processed and there is no other lawful reason for the processing.
The 'right to be forgotten' has no equivalent under Australian privacy law. However, under APP 11.1, APP entities holding personal information must take reasonable steps to destroy or de-identify it once it is no longer needed for any purpose under the Privacy Act.
5. Restrictions on processing
Individuals have the right to restrict the processing of their personal data. If data processing is restricted, the individual's personal data can be stored but not used. The right to restrict processing can be exercised:
- for the period that data is being verified by a controller, where the individual challenges the accuracy of their personal data;
- where the personal data is unlawfully processed and the individual requests restriction rather than erasure of their data;
- where the data controller no longer needs the personal data but the individual requests that it be stored for the purpose of a legal claim; or
- where the individual objects to the processing of their data and the data controller is determining whether they have legitimate grounds to override the objection.
The restriction must be enacted without undue delay and free of charge. The right to restrict processing has no equivalent under Australian privacy law.
6. Right of access
Individuals can seek confirmation as to whether their personal data is being processed and can access this personal data and certain supplementary information. Individuals have a similar right to access their personal information under the Privacy Act. The data should be provided without undue delay and free of charge.
7. Right to rectification
Individuals can have inaccurate personal data corrected and may also have the right to have incomplete personal data completed, depending on the purpose for which the data is being processed. The data should be corrected or completed without undue delay and free of charge.
APP 10 and APP 13 of the Privacy Act contain similar provisions.
8. Right to object
Individuals also have the right to object to the processing of their data.
This right extends to data processing undertaken for:
- legitimate interests or to perform a task in the public interest or exercise of official authority (including profiling);
- direct marketing (including profiling); or
- scientific and historical research and statistics.
The right to object has no equivalent under Australian privacy law.
9. Rights relating to automated decision making
Automated decision making includes profiling. Profiling is any form of automated processing of personal data to make evaluations about an individual. Individuals have the right not to be subject to decisions based solely on automated processing.
The right not to be subject to automated processing does not apply to decisions:
- necessary to enter into or perform a contract between the controller and the individual;
- authorised by EU or any Member State's law; or
- based on the individual's explicit consent.
This is not addressed in the Privacy Act and could affect Australian businesses with respect to profiling activities.
Data breach notification under the GDPR
The GDPR introduces a mandatory notification scheme where there is a breach relating to personal data. A similar scheme was introduced in Australia in February 2018, under the Privacy Act.
Under the GDPR, controllers will be obliged to report personal data breaches to their lead supervisory authority within 72 hours after becoming aware of such a breach, unless it is unlikely to result in a risk to the rights and freedoms of natural persons. The GDPR also sets out the content of the notification.
The Privacy Act does not explicitly set out a strict timeframe for data breach notifications to the OAIC. It provides for notification to the OAIC as soon as practicable after an entity learns of the breach. In practice, eligible data breaches are usually notified to the OAIC within a very short timeframe in any case.
Under the GDPR, where the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller will communicate the personal data breach to the data subject without undue delay, unless certain exceptions apply, such as where the controller has taken subsequent measures which ensure that such high risks are no longer likely to materialise. Under the Privacy Act, the APP entity must also notify affected individuals as soon as practicable and there are also exceptions to these requirements.
While there are similarities between the GDPR and Privacy Act regarding notifications, Australian businesses need to be aware of the notification requirements for the EU, and in particular, which lead supervisory authority in the EU to notify.
Transfer of data
One issue of significant importance for Australian entities to which the GDPR applies is the transfer of data outside of the EU. The GDPR includes strict requirements for the transfer of data to countries or international organisations outside the EU. Such transfers will only be permissible if the EU has found the destination country's privacy laws to be adequate, or if the business has adequate safeguards in place. Currently, Australia is not on the EU Commission's list of countries that offer 'adequate protection'. This means that any transfers of personal data from the EU to Australia will be dealt with individually and will require implementation of appropriate protection by the relevant party.
In Australia, there is a distinction between use and disclosure of personal information, which is relevant for cross border disclosures. The GDPR does not make any similar distinction.
The overseas disclosure requirements in the Privacy Act are less rigorous than those that will be imposed by the GDPR. As such, Australian businesses may need to review and strengthen their safeguards to ensure they can receive transfers of personal data from the EU.
Sanctions and enforcement
Supervisory bodies in EU member states have the power to enforce the GDPR and penalise data processors that are in breach of it. Penalties for breaching the GDPR can be up to 4% of an entity's annual global turnover for the preceding year or up to EUR 20 million, whichever is greater, so the penalties are potentially higher than under the Privacy Act. This increases the potential liability of Australian businesses that breach the GDPR.
Individuals who have suffered material or non-material damage as a result of infringement of the GDPR have the right to receive compensation from the relevant controller or processor.
While the GDPR provides for extensive extraterritoriality, in practice it could be difficult for the relevant EU supervisory authorities to enforce their decisions against entities which do not have any assets in the EU. The mechanism for extraterritorial enforcement is still unclear. Possibly, a desire to avoid reputational damage will play a significant role in ensuring compliance by data processors and controllers outside of the EU. Alternatively, EU regulators may coordinate with the OAIC to enforce the GDPR. However, how enforcement will work in practice remains to be seen.
Consequences of the GDPR for Australian businesses
Australian businesses that have customers in the EU or operate in the EU should check whether the GDPR is relevant to them prior to May 2018 and if so, adjust their systems and processes.
The role of the Privacy Officer will become increasingly important, and appropriate internal procedures and training should be put in place to ensure that businesses are fully prepared for the GDPR.