With the introduction of the European Union (EU) General Data Protection Regulation (GDPR) fast approaching, many Australian businesses will be required to reconsider the way they process, store and protect personal information.
Set to come into operation on 25 May 2018, the GDPR will replace an outdated directive that has been in operation since 1995. The GDPR will provide consistency throughout all 28 member States in the EU, including countries such as the United Kingdom, France, Germany and Italy.
The GDPR won’t just affect businesses located in EU member States. An Australian business (of any size) must comply with the GDPR if it processes ‘personal data’ (as defined below) through a business establishment in the EU, or in the course of one of the following activities:
While Australian privacy laws contain similar requirements, the GDPR is more far-reaching in terms of the future of data protection. Australian businesses should therefore take steps to determine whether the GDPR is applicable, and consider revising their information handling processes to ensure compliance.
The GDPR applies to ‘personal data’, which is defined in Article 4 of the GDPR to mean “any information relating to an identified or identifiable natural person.” A natural person may be identified by a wide range of factors including their “name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”
Special protections also apply to ‘special categories’ of personal data, which include data relating to matters such as racial or ethnic origin, religious beliefs or health.
Australian businesses that are not established in the EU but meet one of the qualifying factors set out above must, in some circumstances, appoint a representative established in the EU as a point of contact for supervisory authorities and data subjects. A representative is not required where the processing is occasional, does not include large-scale processing of ‘special categories’ of data, and is unlikely to result in a risk to the rights and freedoms of natural persons (taking into account the nature, context, scope and purposes of the processing).
Some features of the GDPR which are similar to Australian privacy laws include:
Processing of personal data will only be lawful if one of the requirements set out in Article 6 of the GDPR applies. One circumstance in which the processing of personal data is permitted is if the data subject has given their consent. Consent will generally occur if there is a freely given, specific, informed and an unambiguous indication of the person’s agreement (by either a statement or a clear affirmative action). This means that silence or pre-ticked boxes will not be sufficient.
Data controllers must notify the relevant supervisory authority (for example, the Information Commissioner’s Office in the United Kingdom) of a personal data breach without undue delay and, where feasible, no later than 72 hours after becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller must also (unless an exception applies) notify the affected individuals without undue delay.
Hefty fines of up to 20 million euros or 4 per cent of global annual turnover (whichever is higher) may be imposed by the relevant supervisory authority for contraventions of the GDPR.
What does this mean for Australian businesses?
Prior to the commencement of the GDPR on 25 May 2018, Australian businesses should:
Our Data and Privacy professionals can assist you in determining your obligations under the GDPR. Please contact us if you have any queries in relation to the above.
Authors: Dan Pearce and Alicia Bray
Dan Pearce, Partner
T: +61 3 9321 9840
Trent Taylor, Partner
T: +61 7 3135 0668
Lyn Nicholson, General Counsel
T: +61 2 8083 0463
The information in this publication is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavour to provide accurate and timely information, we do not guarantee that the information in this publication is accurate at the date it is received or that it will continue to be accurate in the future. We are not responsible for the information of any source to which a link is provided or reference is made and exclude all liability in connection with use of these sources.
Published by Dan Pearce