On the 25th May 2018 the EU introduced a unified regulation to deal with the protection of data. This regulation is known as the General Data Protection Regulation (“GDPR”).
For Australian purposes, it is important to understand the GDPR is intended to have extra territorial application. In other words, the EU intend the law to apply to businesses outside the EU.
The reason is obvious. While the GDPR aims at protecting the personal data of those living in the EU, in this modern age, that information may be collected and used by businesses anywhere in the world. The business may, but need not, have a physical presence in the EU.
In many ways this is okay for Australian companies. Although the language is different, the underlying principles of the GDPR are very much the same as set out in the Privacy Act and the Australian Privacy Principles.
For example, In Australia, it is likely that businesses would be familiar with our concepts of collecting, using and disclosing personal information under the Australian Privacy Laws. Under the GDPR, however, all these concepts are collectively referred to as ‘Processing’.
In saying that, there are some addition rights that are created under the GDPR that are not mirrored in Australian Law. This includes that:
- Individuals have the right to stop a business from Processing (collect, use, disclose) their data in certain circumstances
- Individuals can object to their data being used for statistical or research purposes (however, there are exceptions to this)
- Individuals can require human intervention if, as result of an automated profiling or processing system, they are bound to a legal requirement (although we have a similar right under the Electronic Transactions Act)
- Individuals can request that their personal data be transferred to another person in machine readable form
- Individuals have the right to be forgotten (although the obligation to de-identify comes close)
Another key difference relates to mandatory breach reporting. In Australia you have 30 days to investigate and determine if a breach is a serious breach and therefore needs to be reported. Under the GDPR, however, there is only 72 hours to report unless it is “unlikely to result in a risk to the rights and freedoms of natural persons”
Having considered these differences, a preliminary question of all Australian Businesses is “does the GDPR actually apply to my business”?
Article 3 of the GDPR affirms that the law applies to the processing of personal data of individuals either in the EU by a controller or processor, or not in the EU but only where:
- you have an office in the EU; or
- Where the processing activities are related to:
- Offering good or services to individual in the EU
- Monitoring the behaviour of individual in the EU (where that behaviour take place in the EU)
The observations of the Australian Office of the Information Commission is that, to be considered a business that offers goods and services in the EU for the purposes of the GDPR, businesses need to do more than merely have an Australian website available for viewing in the EU. The connection needs to be direct. Rather, if you are an Australian company whose website targets EU customers for example, by having foreign language parts of your site, or enabling payment in Euro’s, or by referring to clients or customers from the EU as part of your marketing, then the GDPR will likely apply to you. If, however, you only occasionally collect data from those in the EU or get a customer from the EU, that in itself would not seem to mean that the GDPR would automatically apply to you.
For Australian companies who do find themselves covered by the GDPR, it is imperative that they formally appoint a representative of the company in the EU to deal with any privacy issues that arise. However, this appointment does not apply to “the processing [of data]which is occasional, and which does not include, on a large scale, processing of special categories of data”. Special categories are set out in Article 9 and include information about race, political opinions, religion, health, trade union membership, ethnicity, genetic data, sex, sexual orientation or biometric data.
For most Australian businesses it will not be hard to become GDPR complaint – if you comply with the Australian Laws you have complied with the bulk of the laws under the GDPR.
It is clear, however, that many businesses are insisting that Australian business declare that they are “GDPR compliant” and hence small changes to your Privacy Policy, or a short addendum to it, may be appropriate.