On Friday 25 May 2018 the EU General Data Protection Regulation (GDPR) came into effect, giving residents of the EU increased control over their personal data. Importantly, GDPR extends far beyond the boundaries of Europe.
Here we have summarized what this means for Australian businesses.
Does it apply to my Australian business?
GDPR can apply to businesses incorporated outside of the EU, regardless of their size.
GDPR applies to Australian businesses that:
- have an establishment in the EU;
- offer goods or services to EU individuals (including where no payment is required); or
- monitor the behaviour of EU individuals e.g. through the use of website “cookies”.
If an Australian company has an office in the EU, sells goods or services to people in the EU, or processes or handles data relating to EU individuals – even if that data processing occurs only in Australia - that is usually enough to bring the company within the scope of GDPR.
The fact that people in the EU can access a website is not enough to bring the company within GDPR. However, using a European language or currency on your website, or mentioning customers or users who are in the EU, can be considered having an intention to offer services to EU individuals. This will bring any data concerning those EU individuals within GDPR, and so the Australian business will need to comply with GDPR.
Who and what are covered?
The GDPR covers the "personal data" of an "EU individual". The concept of an "EU individual" extends to EU residents, EU citizens and citizens of other countries who are temporarily in the EU. This could include an Australian resident working temporarily in the EU. The scope of "personal data" is broad - it includes any data set which can identify or single out an individual. It is broader than the definition of personal information under Australian legislation.
Importantly, GDPR focusses on the person to whom the information relates, not where the information handling or processing actually occurs.
So, an Australian company that uses computer servers provided by third parties to process the personal data of an EU individual (e.g. Amazon or Microsoft Azure servers) is bound by GDPR even if those servers are located outside of the EU. GDPR extends far beyond the boundaries of Europe.
If an Australian company has European customers, then they msut comply with GDPR.
We comply with Australian Privacy Laws, isn't that enough?
Unfortunately it is not that simple. Although the Australian Privacy Act 1988 (Cth) and the GDPR have similar requirements, some requirements of GDPR are stricter than those under Australian privacy law. For example:
- Companies must notify EU individuals within 72 hours of a data breach occurring. This is a very short timeframe from discovery of a breach. Companies will need to put in place processes to deal with a breach before any breach actually occurs.
- Specific steps must be taken by a company when transferring personal data outside of Europe or to a third party commercial services provider.
- Companies must implement appropriate technical and organisational measures and processes, including data protection policies, to ensure and be able to demonstrate that data processing and retention complies with GDPR. Importantly, there must be "data protection by design and by default".
- EU Individuals have a "right to be forgotten" under GDPR which does not yet exist under Australian privacy law.
Alternatively, you may need to implement strategies to remove your business from the scope of GDPR. We can assist in this regard.
Europe's Regulatory Focus- will non-EU companies be fined?
The processing of employee data, such as payroll data, has been identified by EU regulators as a key area for protection. Any Australian business that seriously breaches GDPR in relation to EU employee information could be the subject of enforcement action by EU regulators. In the event of a serious data breach, fines may be imposed. Fines under GDPR can be extremely high - up to €20 million or 4% of annual worldwide turnover, whichever is greater.
Importantly, European regulators are taking action against non-EU companies. The first company to be fined under GDPR by the UK's Information Commissioners Office (ICO) was a Canadian company with apparently no EU presence. The ICO also issued a formal warning under GDPR in November 2018 to the Washington Post over how it was obtaining consent for cookies on its website. The ICO did not take the matter further at the time, and presumably will not in a post-Brexit world. However, it is clear that European regulators may target companies outside of Europe in sufficiently serious cases.
Also, any EU individual whose data has been compromised as a result of an unauthorised disclosure or data breach can take action directly against an Australian company under GDPR.
Many countries are following GDPR
Legislation similar to GDPR has already been passed in many jurisdictions outside of Europe. Other non-European countries are currently updating their privacy laws as a response to GDPR. These countries include Argentina, Bahrain, Brazil, China and Hong Kong, Iraq, Israel, Kazakhstan, Norway, Panama, Peru, Russia, Singapore, California and the United Kingdom. Australian companies operating in, or with customers in, these countries will need to be sure they comply with those laws.
What to do now
The message is clear. Many Australian companies holding or processing personal data of an EU individual should:
- Review their current data processing practices to understand what data is collected, processed and retained
- Determine whether current information handling, security and retention practices comply with GDPR
- Update privacy policies, practices and procedures if GDPR is applicable
- Put in place measures to deal with a data breach before one occurs
- Obtain formal contractual guarantees from third party service providers (e.g. who host or process relevant data) that they are compliant with GDPR.
For Australian companies that wish to avoid the cost of dealing with GDPR, there are strategies that can be implemented to remove their business from the scope of GDPR.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.