The European Union General Data Protection Regulations (GDPR) came into effect on 25 May 2018, harmonising data protection laws across the European Union. The GDPR are privacy laws similar to the Privacy Act 1988 (Cth), but they go further. Some Australian businesses covered by the Privacy Act may need to comply with the GDPR, and the penalties for non-compliance could be significant.
Application of GDPR to Australian businesses
Australian businesses may need to comply with the GDPR if they:
- have an establishment in the EU (such as an EU subsidiary);
- offer goods and services in the EU; or
- monitor the behaviour of individuals in the EU.
The Privacy Business Resource 21, published by the Office of the Australian Information Commissioner, lists examples of Australian businesses that may be covered by the GDPR. These include an Australian business:
- with an office in the EU;
- with a website that targets EU customers, for example, by enabling them to order goods or services in a European language (other than English) or enabling payment in Euros;
- with a website that mentions customers or users in the EU;
- that tracks individuals in the EU on the internet and uses data processing techniques to profile individuals in the EU on the internet and to analyse and predict their personal preferences, behaviours and attitudes.
Whereas the Privacy Act applies to businesses with a turnover of more than AU$3M and other specified entities, the GDPR applies to all businesses regardless of size and regardless of whether the relevant data is processed or controlled within or outside the EU.
Features of GDPR
The GDPR and the Privacy Act share many common requirements, including to:
- implement a privacy by design approach to compliance;
- demonstrate compliance with privacy principles and obligations; and
- adopt transparent information handling practices.
However, the GDPR include a range of new and enhanced rights for individuals, which are not available under the Privacy Act, including the right to:
- require their data to be deleted (the 'right to be forgotten');
- object to the processing of an individual's personal data (including profiling);
- 'data portability', that is, to receive personal data that an individual has provided to the controller, where the processing is based on the individual's consent or for the performance of a contract and where processing is carried out by automated means in a 'structured, commonly used, machine-readable format'; and
- obtain a restriction on processing of their personal data from the controller.
There are strict rules for the processing of special categories of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, as well as the processing of genetic and biometric data for uniquely identifying a natural person, data concerning health and data concerning a natural person's sex life or sexual orientation. The processing of such data is prohibited unless one of ten exceptions applies.
Just like the recent introduction of the mandatory data breach notification regime under the Privacy Act, the GDPR also contain a mandatory requirement for data breach notification. Data controllers must notify breaches within 72 hours and processors must notify breaches 'without undue delay'. Under the Privacy Act, breaches must be notified 'as soon as practicable' after breach awareness.
Impact for Australian businesses and their insurers
The GDPR specify fines for contraventions by controllers or processors, of up to €20 million or 4 per cent of annual worldwide turnover (whichever is higher).
Consumers affected by breaches of the GDPR can also claim compensation from businesses or through EU courts if they suffer financial loss or non-material damage such as distress or loss of reputation.
For insurers of Australian businesses operating in the EU or otherwise captured by the GDPR, there is the prospect of regulatory fines and civil damages flowing from data breaches and non-compliance with the GDPR. Underwriters of such businesses may wish to investigate whether there is compliance with the GDPR as part of an audit of insureds' cyber programmes. Where the GDPR offer enhanced rights to consumers, compared to what is required under the Privacy Act, Australian businesses could consider offering Australian consumers the same benefits to improve trust through enhanced privacy practices. If Australian insureds took these additional steps, it may well lower the risk of claims from aggrieved consumers.
Legal advice is essential for Australian businesses with exposure to the GDPR. Australian businesses may already have some of the measures in place that are required under the GDPR; however, the GDPR are complex and it is incumbent on businesses with an EU connection and their directors and officers to ensure compliance with the GDPR to avoid penalties or civil claims.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.