Australian businesses that offer goods and services to individuals within the European Union will be affected by new EU data protection regulations that offer the 'biggest shakeup' to European privacy law for 20 years. Partner Michael Park, Senior Associate Alice Williams and Paralegals Phoebe St John and Natalie Czapski explain the impact and what businesses should do to ensure they comply with the new regulation.
How does it affect you?
- The European Union's General Data Protection Regulation (GDPR) has extra-territorial reach, so Australian businesses processing personal data in the EU will be affected.
- Businesses based outside the EU that offer goods or services to individuals within the EU will be affected. The GDPR also applies to businesses based outside the EU that monitor the behaviour of individuals in the EU. The scope of 'monitoring' is less certain, but it is understood to cover tracking individuals online for profiling purposes.
- Crucially, if these extra-territorial provisions apply to a business, that data controller or processor (as those terms are used in the EU) must appoint a representative established in one of the member states where the relevant individuals are. Exceptions do apply, however, such as where the processing is occasional, is unlikely to involve a risk to individuals and does not include large-scale processing of special categories of personal data.
- Australian businesses should evaluate their information handling procedures and governance structures ahead of the GDPR's commencement on 25 May 2018 and should ensure their compliance with the GDPR's requirements by that date.
The Office of the Australian Information Commissioner (OAIC) has released Privacy Business Resource 21: Australian businesses and the EU General Data Protection Regulation (the Resource) to help organisations understand the new requirements under the GDPR and how organisations can comply with both these and Australian privacy laws.
The GDPR will harmonise data protection rules across all EU member states, replacing current nation-level rules, and will become directly effective from 25 May 2018. It is widely considered the 'biggest shakeup' to European privacy law for 20 years.
The rules apply to the data processing activities of businesses, irrespective of their size, that are data controllers or processors with an establishment in the EU. The OAIC notes that Australian businesses covered by the Privacy Act 1988 (Cth) may need to comply with the GDPR if they:
- have an office in the EU (regardless of whether they process personal data in the EU), or
- do not have an establishment in the EU, but offer goods and services to, or monitor the behaviour of, individuals in the EU, eg:
- where a website enables EU customers to order goods and services in the language of a member state or enables payment in Euros; or
- where a business tracks EU individuals online and uses data processing techniques to profile those individuals and determine their preferences.
The Resource emphasises that there are key similarities between the Privacy Act and the GDPR, meaning Australian businesses may already have some measures in place that will be required under the GDPR.
The GDPR regulates the processing of 'personal data', defined in Article 4 as 'any information relating to an identified or identifiable natural person'. This is similar to the definition of 'personal information' in the Privacy Act, meaning 'information or an opinion about an identified individual, or an individual who is reasonably identifiable' (Privacy Act s 6(1)).
Article 9 imposes additional restrictions on the processing of 'special categories' of personal data, such as personal data revealing racial or ethnic origin or political opinions, genetic data, and data concerning health. Similar categories of 'sensitive information' receive additional protections under the Privacy Act.
Under the GDPR, a data controller (a person who determines the purposes and means of the processing of personal data) must:
- comply, and demonstrate that it complies with the core principles relating to the processing of personal data (Article 5), and implement appropriate technical and organisational measures in relation to that personal data (Article 24);
- demonstrate they have considered and integrated data protection into their processing activities – 'data protection by design and default' (Article 25) – examples of internal policies and practices could include:
- minimising processing of personal data;
- pseudonymising personal data as soon as possible;
- transparency as to the functions and processing of personal data;
- enabling the individual to monitor the data processing; and
- enabling the data controller to create and improve security features.
Additional governance requirements include:
- data controllers and data processors (a data processor being a person who processes personal data on behalf of a data controller) must appoint a data protection officer in certain circumstances (Article 37);
- data controllers must undertake a compulsory data protection impact assessment before processing that is likely to result in a high risk to the rights and freedoms of individuals (Article 35);
- data controllers must keep records of their processing activities (Article 30); and
- data controllers are encouraged to draw up codes of conduct to contribute to the proper application of the GDPR (Article 40).
The OAIC notes that the Privacy Act has similar accountability and 'privacy by default and design principles':
- APP 1.2 requires entities to take reasonable steps to implement practices, procedures and systems to ensure compliance with the APPs (and applicable registered APP codes) and enable complaints;
- the OAIC's Privacy Management framework also provides steps the OAIC expects businesses to undertake to ensure good privacy compliance, and recommends organisations appoint key roles and responsibilities for privacy management, including a senior accountable staff member;
- APP 1.2 and the Privacy Management framework adopt a privacy by design approach where 'entities are considered better placed to meet their privacy obligations if they embed privacy protections in the design of their information handling practices'; and
- APP 1.2 means that a Privacy Impact Assessment would be required for many new or updated projects involving personal information.
Under the GDPR, one of the lawful bases for processing personal data is that the individual has given their consent (Article 6).
The new definition of consent in the GDPR provides that it must be freely given, specific, informed, and include an unambiguous indication of the data subject's agreement to the processing. Given the parallels in this description to the definition of 'consent' as per the Privacy Act, Australian businesses subject to the GDPR may choose to standardise their consent mechanisms to ensure greater consistency across their business' privacy practices and systems.
Essentially, the data controller must be in a position to demonstrate that the individual has consented to the processing of their data (Article 7(1)). Consent is not regarded as freely given if the individual has no genuine or free choice, or is unable to refuse or withdraw consent without detriment. Businesses must also inform individuals of their right to withdraw consent at any time (Article 7(3)), and withdrawing consent must be as easy as giving it.
In the case of written declarations, as per Article 7(2), such consent must be clearly distinguishable from other matters, and presented in an easily accessible and intelligible form using clear and plain language.
The GDPR gives rise to a range of new and enhanced individual rights:
- The right to erasure (Article 17): individuals may require data controllers to delete their personal data in certain circumstances, including where the data is no longer necessary for the purpose for which it was collected, or where consent is withdrawn and no other legal ground for the processing exists.
- The right to object (Article 21): individuals may object at any time to the processing of their personal data (including profiling). This right applies only to certain types of processing, such as processing for direct marketing or processing based on the controller's legitimate interests. A controller may continue processing despite an objection where it can demonstrate compelling legitimate grounds, but no such exception applies to direct marketing: once an individual objects, their data may no longer be processed for that purpose.
- The right to data portability (Article 20): individuals may receive the personal data they have provided to a data controller in a 'structured, commonly used and machine-readable format', and may transmit that data to another controller. This right applies only where the processing is based on the individual's consent or on the performance of a contract, and is carried out by automated means.
- The right to restriction of processing (Article 18): where an individual obtains a restriction on the processing of their personal data, the controller may store that data but may otherwise process it only in certain limited circumstances, such as with the individual's consent.
The GDPR restricts transfers of personal data outside the EU. Personal data may be transferred to a third country or international organisation without further authorisation where the EU Commission has decided that the recipient provides an adequate level of data protection.
The factors the EU Commission must consider when assessing adequacy are set out in Article 45. They include whether the country to which the personal data is transferred has legislation relating to personal data that is actually implemented, including rules for the onward transfer of personal data to another third country; whether that country provides effective and enforceable data subject rights; whether an independent supervisory authority exists to ensure and enforce compliance with the data protection rules; and whether the country has entered into international commitments, such as conventions, relating to the protection of personal data.
In addition, the European Data Protection Board must provide the EU Commission with an opinion assessing the adequacy of a country's or organisation's level of data protection. Where a country has been found to provide 'adequate protection', personal data can be transferred to it without additional safeguards. In the absence of such a decision, transfers are still permitted where the controller or processor has put in place appropriate safeguards (such as standard data protection clauses or binding corporate rules, Articles 46 and 47) and the individual has enforceable rights and effective legal remedies available to them. Australia is not currently on the EU Commission's list of countries providing 'adequate protection'. For the time being at least, any transfer of personal data from the EU to Australia must be assessed on a case-by-case basis and appropriate safeguards put in place.
Supervisory authorities have the power to issue sanctions for contraventions of the GDPR, including administrative fines of up to €20 million or 4 per cent of annual worldwide turnover, whichever is higher (Article 83). Fines at this level apply to contraventions such as infringement of the data processing principles, of data subjects' rights, and of the requirements governing transfers of personal data to a recipient in a third country or international organisation.
The practical reach of these sanctions is extended by Article 50, under which the EU Commission and supervisory authorities are to develop international cooperation mechanisms and provide mutual assistance in enforcing data protection laws, including with authorities outside the EU.
Australian organisations that operate in the EU, process personal data in the EU, offer goods and services to individuals in the EU or monitor the behaviour of individuals in the EU will be affected and should review their privacy arrangements to ensure compliance with the GDPR. It would also be worth monitoring the implementation of the GDPR from May 2018 to gauge the impact of the new legislation.