Data security and privacy are trending topics. While the Australian Government introduced a new mandatory notification procedure for data breaches earlier this year, on 25 May 2018 the European Union’s General Data Protection Regulation (the GDPR) comes into force and imposes further potentially significant obligations on Australian businesses. This might explain why you are receiving a constant stream of emails from international organisations updating their privacy policies.
The GDPR replaces a Data Protection Directive and existing national data protection rules in the EU and is designed to “harmonise data privacy laws across Europe, to protect and empower all EU citizens’ data privacy”. A significant change to this regime is the extended jurisdiction of the GDPR to businesses (regardless of size) that:
- Offer goods or services to individuals in the EU (irrespective of whether a payment is required);
- Monitor the behaviour of individuals in the EU, where the behaviour takes place in the EU (monitoring includes analysing a person’s personal preferences, behaviours and attitudes); or
- Have a physical presence in the EU.
While the Australian Privacy Act 1988 (Cth) (Privacy Act) and the GDPR have similarities about the transparent handling of personal information, demonstrating compliance with the legislation, and data breach notification procedures, the GDPR provides a higher standard of protection and control to individuals.
Key differences to Australian legislation
- The GDPR potentially applies to a broader range of information. The GDPR protects “personal data”, which is “any information relating to an identified or identifiable natural person”. The Privacy Act’s “personal information” only extends to information about an identified or identifiable individual.
- The GDPR strengthens the requirement that consent be given by individuals to the processing of their personal data. Consent must be freely given, specific, informed and unambiguous. Consent requires a positive “opt in”. Implied consent (which is allowed under the Privacy Act) is unlikely to be sufficient – pre-ticked boxes and silence are not consent.
- Limited or restricted consent to the use of personal information can also be given under the GDPR, and businesses must comply with it. The Privacy Act, however, allows businesses to use personal information they have collected for a purpose other than the one for which the information was initially collected (the primary purpose) if individuals would reasonably expect the entity to use it for a secondary purpose and the secondary purpose is related to the primary purpose.
- The GDPR grants an express right for individuals to withdraw consent and to require the relevant business to erase their personal data without undue delay (the right to be forgotten). The Privacy Act has no equivalent, as businesses can keep personal information until the business itself determines it no longer needs the information.
- While the GDPR and the Privacy Act both require the notification of data breaches, the GDPR requires reporting within 72 hours whereas the Privacy Act allows up to 30 days.
- The GDPR requires businesses to carry out data protection impact assessments and appoint a data protection officer, and it contains specific requirements for technical security measures. The Privacy Act requires businesses to take “reasonable steps” to protect the information, allowing each business the freedom to determine what is appropriate for its organisation.
- The Privacy Act requires individuals to complain to the Privacy Commissioner to seek determinations for interferences with their privacy. Regardless of what EU national supervisory bodies might do, the GDPR allows individuals to seek compensation directly against the relevant business.
Australian businesses that have customers in the EU, target potential customers in the EU or operate in the EU should confirm whether they are covered by the GDPR to ensure compliance. Australian businesses that use service providers to process or collect data in an EU country (IT cloud services off-shore for example) may also be subject to the GDPR.
From a risk management perspective, it will be critical for Australian businesses subject to the GDPR to establish an information governance framework, including appropriate policies, processes and impact assessments.
The coming into force of the GDPR is also a good reminder that businesses generally should review their privacy obligations and whatever privacy statements exist on their websites.
Even if a company does not do business in the EU, privacy is a complex issue in a changing environment that anyone in business should stay informed about and up to date with.
This is a sponsored article, though all opinions are the author’s own. For more information on paid content, see our sponsored content policy.