On 25 May 2018, the EU General Data Protection Regulation (GDPR) comes into effect. The GDPR was designed to harmonise data privacy laws across the EU and to protect the data privacy of EU “data subjects”.
What does this mean for Australian businesses?
The GDPR applies to any business that holds, controls, or processes personal data of EU data subjects, or which monitors the behaviour of EU data subjects (including website tracking), regardless of that business’s location. This means that any Australian entity operating a business established in the EU, operating a business which offers goods or services to individuals in the EU (regardless of whether a payment is required), or dealing with the personal information of EU data subjects will likely need to comply with the law (you can see a list of EU member countries here, which at this stage still includes the UK [ https://europa.eu/european-union/about-eu/countries_en]). Australian businesses who have made no effort whatsoever to market or aim their services to anyone outside Australia, and whose fees must be paid in AUD, will not be bound by the EU GDPR just because an EU data subject has requested that business ship a product to them in the EU.
Who is an EU “data subject”? The GDPR does not give a specific definition for this term, but various articles of the GDPR, when read together, provide the following guidance:
- a data subject is anyone physically within the borders of the EU at the time their personal data is processed. This includes anyone visiting an EU country on holidays; and
- if a data subject leaves the EU (either temporarily or permanently), their personal data that is processed outside the EU is not covered by the GDPR and they are no longer a data subject in respect of that data, unless the data is processed or controlled by an organisation established in the EU.
While Australia has had privacy legislation for many decades (the Privacy Act 1988 (Cth)) and has recently introduced a notifiable data breaches scheme, the GDPR is far more comprehensive and goes beyond the requirements of Australia’s privacy regulations. The timeframes for compliance are much shorter, and the penalties for non-compliance are much higher.
The GDPR includes obligations on:
- undertaking a data protection impact assessment;
- obtaining freely given, specific, informed, and unambiguous consent from individuals (pre-ticked boxes or opt-out consents are not permitted under the GDPR);
- implementing appropriate technical and organisational measures for data processing and protection;
- documenting the relationship between a data controller and a data processor in a contract with certain prescribed terms (an IT services provider may be considered a data processor);
- appointing data protection officers to monitor and advise on compliance;
- data minimisation (that is, ceasing the collection of any non-essential data);
- allowing individuals to withdraw consent and to request the deletion of data (including ‘right to be forgotten’ obligations);
- overseas transfer of personal data (which can only be undertaken to countries or organisations that provide an adequate level of data protection); and
- a mandatory data breach notification scheme (which requires notification to the relevant supervisory authority within 72 hours of becoming aware of the breach, unlike Australia’s “as soon as practicable” requirement).
The GDPR also requires that data controllers and processors covered by the GDPR but not established in the EU appoint a representative established in an EU member state as the point of contact for supervisory authorities and individuals in the EU on all issues related to data processing (some exceptions to this do apply).
Importantly for Australian businesses who employ EU data subjects (either directly or via an EU subsidiary), who second employees to the EU, or who operate global payroll operations, there is no exemption under the GDPR similar to the one under the Privacy Act 1988 (Cth) which exempts employee personal information from the law. All personally identifiable information of individuals located in the EU will fall within the scope of the GDPR.
The GDPR imposes much stricter requirements of disclosure before collection of data (including collection of employee data). EU data subjects must be given privacy notices which include:
- the categories of personal data collected;
- the intended purpose(s) for processing the personal data;
- the legal basis for processing the personal data;
- the intended recipients of the personal data;
- the retention period of the personal data;
- the person’s right to request access to, correction or deletion of, personal data; and
- the person’s right to restrict the processing of the personal data.
Like the Australian legislation, certain categories of information are deemed to be sensitive and are subject to more stringent protections (for example, biometric data, racial or ethnic origin, sexual orientation, health data, religion, trade union membership, political opinions). For employers, processing such data will be prohibited unless the processing falls within an exception.
The consequences of non-compliance with the GDPR are significant, with fines of up to €20 million or 4% of annual global turnover (whichever is the higher amount), plus other sanctions including the ability to halt trading in the EU.
Australian businesses will need to carefully consider whether they hold, control, or process the personal data of EU data subjects and therefore whether they need to comply with the GDPR. If such activities are non-essential to business activity, Australian businesses should reconsider undertaking them. If such activities are essential to business activity, Australian businesses will need to ask themselves the following questions:
- do we have control over the personal data collected on EU data subjects?
- how and when is consent to collect, hold, and use the data obtained?
- how is the data used?
- how and to whom is the data disclosed?
- are we prepared to provide evidence of GDPR compliance to regulators when requested?
- have we conducted a data protection impact assessment?
- do we have a data breach response plan that complies with the GDPR’s 72-hour notification requirement?
- do we have a roadmap for GDPR compliance by 25 May 2018?
SLF Lawyers can assist you in determining whether you are bound to comply with the GDPR and in developing strategies for compliance. Please contact Steven Morris or Jennifer Ingrey of our office if you require any advice or further information about anything set out in this article.