On 25 May 2018 the European Union [EU or Union] General Data Protection Regulation [GDPR] came into effect. The GDPR is a law directed to the protection of privacy and personal information, like the Australian Privacy Act 1988 (Cth) [Privacy Act].
Recent examples of substantial data breaches and data misuse, as in the Cambridge Analytica/Facebook imbroglio, illustrate the need for effective systems to protect personal privacy and data. The GDPR is designed for this, but compared to the regime in Australia under the Privacy Act and the Australian Privacy Principles, it is a bit like the 8,000 lb blockbuster bombs that the RAF used in the Second World War, or maybe even the 22,000 lb Massive Ordnance Air Blast bomb (colloquially, “Mother of All Bombs”) used by the US in Afghanistan against ISIS. With weapons like that there is always collateral damage.
Many Australian businesses will be affected by the GDPR and compliance will not be a simple matter.
The GDPR applies to “personal data”. This is a similar concept to personal information in the Privacy Act. It includes any information relating to “an identified or identifiable natural person” called a “data subject”. An “identifiable natural person” is a person who “can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, psychological, genetic, mental, economic, cultural or social identity of that natural person”.
There are special categories of personal data which have additional conditions and protections. Special categories include things like racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic and biometric data and data concerning a person’s sex life or sexual orientation.
The GDPR applies to a natural person or a legal person (such as a company) that is a:
A controller “alone or jointly with others, determines the purposes and means of the processing of personal data”. Specific criteria may be provided for by Union or Member State laws. Responsibility for compliance with the Regulation is vested in many cases in the controller.
A processor “processes personal data on behalf of the controller”.
The concept of “processing” is key, and:
means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Article 3 of the GDPR deals with its territorial scope.
The Regulation applies to the “processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not”. “Establishment” is not defined.
The Regulation also applies to the “processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:
The Office of the Australian Information Commissioner [OAIC] gives the following examples of Australian businesses that may be affected:
The requirement in Article 3 that a controller or a processor may be taken to offer goods or services in the EU does not specifically mention the requirement for the offer to be made in a European language other than English, or for payment in Euros. This is deduced from Recital 23 of the GDPR, which notes that “the mere accessibility of the controller’s, processor’s or an intermediary’s website in the Union, of an email address or other contact details, or the use of a language generally used in the third country where the controller is established, is insufficient to establish such intention (to offer goods or services to data subjects in the Union)”. The Recital goes on to say that factors such as “the use of a language or a currency generally used in one or more Member States” may make it apparent that a controller envisages offering goods or services in the Union.
The GDPR applies to all processors and controllers. There is no limitation, as in the Privacy Act, exempting businesses with a turnover less than a specified amount (AU$3 million) or any other amount. So, although the Regulation, or many of its provisions, may be aimed at the likes of Google or Facebook, it will affect any Australian business that comes within its scope.
It is impossible in a short article to mention all of the requirements of the GDPR, or all the areas where it differs from or extends concepts in the Privacy Act. Many of the obligations imposed by the GDPR are more extensive than, or different from, those in the Privacy Act, and it is not possible for an entity that is required to comply with the GDPR to rely solely on measures taken to comply with the Australian Privacy Principles.
Some of the requirements of the GDPR are discussed below.
Article 5 of the GDPR contains detailed and stringent requirements for the processing of personal data. In summary, these include requirements for:
The controller is responsible for demonstrating compliance with these requirements.
Processing of personal data is only lawful if it complies with at least one of the conditions set out in Article 6. The first and most general requirement is that “the data subject has given consent to the processing of his or her personal data for one or more specific purposes”. This may explain why you have recently received more than the usual number of emails from entities in the EU asking you to consent to remain connected.
The GDPR contains rights of individuals which do not have substantive equivalents under the Privacy Act. These are rights to:
Where the GDPR applies to a controller or a processor under Article 3.2 (processing activities related to offering of goods or services, or monitoring of behaviour) the controller or processor must designate in writing a representative in the Union (Article 27). The representative must have authority to be addressed by authorities in all matters relating to the Regulation.
There is, however, a limitation on this requirement as it does not apply to “processing which is occasional, does not include, on a large scale, processing of special categories of data as referred to in Article 9(1) or processing of personal data relating to criminal convictions and offences referred to in Article 10, and is unlikely to result in a risk to the rights and freedoms of natural persons taking into account the nature, context, scope and purposes of the processing”.
Similarly to the Privacy Act following its recent amendments, a controller must, under Article 33, “without undue delay, and where feasible, not later than 72 hours after having become aware of it, notify a personal data breach to the (competent) supervisory authority … unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons”.
As may be expected, the GDPR provides for imposition of penalties by way of administrative fines for infringements of the Regulation which are to be determined by each supervisory authority and which are to be “effective, proportionate and dissuasive”. For infringement of some Articles the administrative fines may be up to 10,000,000 EUR or up to 2% of the total worldwide annual turnover of an undertaking for the preceding year, whichever is higher. For infringements of some other Articles, administrative fines may be up to 20,000,000 EUR or 4% of the total worldwide annual turnover of an undertaking of the preceding financial year, whichever is higher.
As noted above, this brief article only touches on some of the requirements and issues arising out of the GDPR. Many of the requirements and terms of the GDPR are not necessarily clear or easy to interpret, and the meaning and effect of the Regulation in many areas may not be apparent until its terms have been interpreted by the courts and supervisory authorities.
An Australian business that is caught in the blast from the GDPR should, if it has not already done so, give consideration to the requirements of the GDPR and take steps for compliance as soon as possible.
OAIC Privacy Business Resource X, October 2016
The Privacy Act does specify that organisations that are health service providers are required to comply with the Australian Privacy Principles even if turnover is less than $3 million.
This communication provides general information which is current as at the time of production. The information contained in this communication does not constitute advice and should not be relied upon as such. Professional advice should be sought prior to any action being taken in reliance on any of the information. Should you wish to discuss any matter raised in this report, or what it means for you, your business or your clients' businesses, please feel free to contact us.