Australia: GDPR: Change to European privacy laws and its impact on Australian businesses

The European's Union General Data Protection Regulation (GDPR) imposes significant change to privacy laws in Europe and will apply and be enforced from 25 May 2018. Organisations that fail to comply with the GDPR face heavy fines up to €20 million or up to 4% of global annual turnover, whichever is higher. The GPDR will have a global impact because it applies to businesses operating in the EU as well as businesses outside the EU that offer goods or services or monitor the behaviour of individuals in the EU. Businesses that are subject to the GDPR should assess their current information and privacy processes and governance structures, and take the necessary steps to ensure GDPR compliance.

Background to GDPR

After four years of debate, the GDPR was approved by EU Parliament on 14 April 2016 and comes into force on 25 May 2018. The GDPR replaces the Data Protection Directive 95/46/EC and as set out in the EU GDPR website 'was designed to harmonise data privacy laws across Europe, to protect and empower all EU citizens data privacy and to reshape the way organisations across the region approach data privacy'.

Extended jurisdiction

A major change is the extended jurisdiction of the GDPR set out in Article 3, as it applies to the processing of personal data of individuals in the EU by a controller or processor not in the EU where the processing activities are related to:

  • The offering of goods and services, irrespective of whether a payment of the individual is required;
  • The monitoring of their behaviour as far as their behaviour takes place within the EU.

Controllers determine the purpose and means of processing personal data (Article 4(7)). They are the principal party with responsibilities including – collecting and managing consent and enabling rights under the GDPR. Processors means the organisation which processes personal data on behalf of the controller (Article 4(2)). The obligations on data processors under the GDPR are new. Article 28 (1) requires controllers to only use processors providing 'sufficient guarantees to implement appropriate technical and organisational measures' that will meet the GDPR requirements.

Implication for Australian businesses and how to comply

The GDPR applies to the following:

  • Australian businesses that are data processors or controllers with an establishment in the EU. That is, either an Australian business operating either on its own account or through a related entity or subsidiary, that is either processing or controlling personal data of EU residents, whether or not the data is processed in the EU;
  • Australian businesses offering goods or services to individuals in the EU (irrespective of whether payment is required).
  • Australian businesses monitoring the behaviour of individuals in the EU, where that behaviour takes place in the EU. Internet tracking of individuals and profiling are examples of monitoring (Recital 24).

To comply with the GDPR, Australian businesses that are data controllers and processors, which are not established in the EU, must appoint a representative within the EU in one of the Member States where the individuals who personal data are processed reside. The representative is the point of contact for supervisory authorities and individuals in the EU on all issues related to data processing under the GDRP (Article 27).

GDRP applies to personal data

The GDPR applies to the processing of personal data (Article 2). The GDPR states that 'personal data' means 'any information relating to an identified or identifiable natural person ('data subject'). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location number, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person (Article 4).

The GDPR refers to sensitive personal data as 'special categories of personal data' (Article 9). The special categories specifically include genetic data, and biometric data where processed to uniquely identify an individual.

The Privacy Act 1988 (Cth) defines personal information as, 'information or an opinion, whether true or not, and whether recorded in a material form or not, about an identified individual, or an individual who is reasonably identifiable.' Additional protections apply to similar categories of 'sensitive information' (listed in section 6(1)), for example, Australian Privacy Principle 3.3 which provides that sensitive information can only be collected if the individual consents and it is reasonably necessary for, or directly relation to, one or more of the organisation's activities.

Consent

The conditions for consent under the GDPR have been strengthened. Article 4(11) of the GDPR states that consent of the individual means any: 'freely given, specific, informed and unambiguous indication of the individual's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her'.

The request for consent must be clear, concise, transparent and in easily accessible form, with the purpose for data processing attached to that consent. It must be as easy to withdraw consent as it is to give it. The UK ICO's Guide states, 'Consent means offering individuals real choice and control. Genuine consent should put individuals in charge, build customer trust and engagement, and enhance your reputation'.

Consent requires a positive opt-in. Silence, pre-ticked boxes or inactivity does not constitute consent (Recital 32). When the data processing activities has multiple purposes, consent is required to be given for all of the processing purposes (Recital 32).

The Article 29 Data Protection Working Party released proposed Guidelines on Consent on 18 December 2017, which are open for public comment until 23 January 2018.

In Australia, consent in section 6(1) of the Privacy Act means 'express or implied consent'. The four key elements of consent are set out in OAIC's APP guidelines as:

  • the individual is adequately informed before giving consent
  • the individual gives consent voluntarily
  • the consent is current and specific, and
  • the individual has the capacity to understand and communicate their consent.

Notification of Breach

Under the GDPR, notification must be made where a data breach is likely to 'result in a risk for the rights and freedoms of individuals'. Notification must be made within 72 hours of first having become aware of the breach. Data processors are required to notify their customers and the controllers 'without undue delay' after first becoming aware of a data breach.

In Australia notification must be made promptly to affected individuals and the Australian Information Commissioner where an organisation has reasonable grounds to believe a data breach is likely to result in serious harm. An organisation must take all reasonable steps to complete the assessment within 30 days after it became aware of the grounds that cause it to suspect an eligible data breach – see my article on the Australia's Notifiable Data Breach Scheme.

Rights of individuals under GDPR

There are rights for individuals under the GDPR which include – the right of access, right to be informed, right to object, right to withdraw consent, right to rectification, right to erasure/be forgotten, right to data portability, right to restrict processing in certain circumstances and the right to object to automated decision making in certain circumstances. Rights exercised and information provided to pursuant to requests must be free of charge. However, a 'reasonable fee' can be charged when a request is manifestly unfounded or excessive.

Right of Access

As part of the expanded rights under the GDPR, is the right for individuals to obtain from the data controller confirmation as to whether or not personal data concerning them is being processed, where and for what purpose. The controller must provide a copy of the personal data, free of charge, in an electronic format. This is a significant change empowering individuals and highlights the shift to data transparency under the GDPR.

Right to be Forgotten

The right to be forgotten under the GDPR is set out in Article 17 and entitles individuals to have the data controller erase their personal data, cease further dissemination of the data, and potentially have third parties stop processing of the data in certain circumstances including: the data no longer being relevant to the original purposes for processing; or a data subjects withdrawing consent. There are exceptions to this right, including where data processing necessary for the exercising of the right requires controllers to compare the subjects' rights to 'the public interest in the availability of the data' when considering such requests.

Data Portability

In Article 20 the GDPR introduces the right for individuals to receive the personal data concerning them, which they have previously provided in a 'commonly used and machine-readable format and have the right to transmit those data to another controller'.

Transfers outside the EU

To ensure that an adequate level of personal data protection is guaranteed, international transfers to third counties outside the EU are only permitted where the conditions laid down in the GDPR are complied with (Article 44).

To ensure that an adequate level of personal data protection is guaranteed, international transfers to third counties outside the EU are only permitted where the conditions laid down in the GDPR are complied with (Article 44).

Transfers may take place to a third country or international organisation where the EU Commission has decided that it ensures 'an adequate level of protection' (Article 45(1)). The adequacy decisions under the current Directive remain in force under the GDPR and those determined by the EU Commission to provide 'an adequate level of protection' are: Andorra, Argentina, Canada (commercial organisations), Faeroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland and Uruguay. Transfers to the US are currently permitted pursuant to the Commission's July 2016 decision on the adequacy of the protection provided by the EU/US Privacy Shield.

Transfers are also permitted where appropriate safeguards have been provided by the controller or processor and on condition that enforceable individual rights and effective legal remedies for the data subject are available (Article 46). Appropriate safeguards include:

  • Approved binding corporate rules that enable transfers within a multinational group of companies (Article 47).
  • Standard data protection contractual clauses approved by the EU Commission.
  • Approved code of conduct pursuant to Article 40, and the recipient gives binding and enforceable commitments to apply appropriate safeguards.
  • Approved certification mechanism pursuant to Article 42, together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards.

Accountability and Governance

The GDPR sets out expanded accountability and governance requirements including that data controllers must:

  • Demonstrate that they comply with all the principles set out in Article 5(1) of the GDPR. These principles relate to the processing of personal data which include: lawfulness, fairness and transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity and confidentiality. Article 5(2) states that the controller is responsible for and must be able to demonstrate compliance with 5(1).
  • Implement appropriate technical and organisational measures to ensure compliance with the GDPR, including implementation of data protection policies (Article 24).
  • Implement 'data protection by design and by default'. The controller is required at the outset to determine the means for processing data, as well as at the time of processing to implement appropriate technical and organisational measures to ensure it complies with the GDPR and protects the rights of individuals. (Article 25). This includes ensuring that only personal data collected and processed is for the specific purpose of the transaction, personal data is stored no longer than it is required and that access to personal data is restricted.
  • Implement appropriate technical and organisational 'measures to ensure a level of security appropriate to the risk'. This includes as appropriate: de-identification and encryption of personal data; ongoing confidentiality, integrity and availability and resilience of processing systems and services; ability to restore the availability and access to personal data; and a process for regularly testing, assessing and evaluating the effectives of the measures implemented to ensure security.
  • Data protection impact assessment for high risk processing(Article 35). A data protection impact assessment is required before processing personal data for processing which is likely to result in a high risk to the rights and freedoms of individuals.
  • Appoint a Data Protection Officer (DPO) (Article 37) if the organisation falls within a category where a DPO is mandated. This includes: public authorities, organisations carrying out large scale systematic monitoring of individuals (e.g. online behaviour tracking) or organisations carrying out large scale processing of special categories of data or data relating to convictions and offences. DPO's are required to have 'expert knowledge' of data protection law and practices. The DPO must 'directly report to the highest management level', must not be instructed in the exercise of their tasks and must not be dismissed or penalised for performing their tasks (Article 38(3)).

A cost efficient and effective response to GDPR

In order to comply with GDPR, it will be critical for organisations to know and document the following:

  • what information assets exist
  • where data are located
  • the flow of data within the organisation
  • the value of the data and information held
  • who has access, and
  • how data and information is secured and protected.

More fundamentally from both a risk management perspective and data usage and availability, there are many benefits for an organisation to have:

  • an overarching strategic information governance framework; and
  • a program of implementing unified information policies, processes and procedures throughout the organisation including privacy and privacy impact assessments, information security, and defensible disposition of records.

Boards and Executives will find that this strategic approach will involve the collaboration of all information stakeholders (such as, privacy, legal, IT cybersecurity, data analytics, records and information management) and will result in the break-down of information silos to maximise the value of information while minimising the risks and ensuring compliance with all legal requirements including the GDPR.

Best practice in privacy and information protection: be strategic and proactive

A strategic, proactive and unified information governance approach will ultimately be the most cost effective and efficient way for organisations to meet the requirements of GDPR as well as other privacy regulatory requirements, such as Australia's Notifiable Data Breach Scheme.

Best practice should prompt organisations to establish and embed unified information governance of all information held by the organisation in order to maximise the value of information from data (e.g data analytics) as well as minimising the risks and costs, such as those of non-compliance of the GDPR or arising from data breach. Pursuant to the requirements of the GDPR and Australia Notifiable Data Breach scheme, the importance of embedding privacy by design or 'data protection by design and by default' as it is referred to under the GDPR requires organisations to be strategic and proactive in respect of personal information collected and stored by organisations. Given the potential enormous fines under the GDRP for non-compliance as well as all other costs involved in a data breach, from business interruption, legal costs, reputational damage, organisations need to be proactive, prepared and ready to respond to data breaches.

Essential questions for businesses subject to GDPR

Australian businesses that operate in the EU or with customers in the EU should confirm whether they are covered by the GDPR, and if so, take the necessary steps to ensure compliance by May 2018. The GDPR requires organisations to ensure that they know the way in which they collect, process, store, share and dispose of personal data.

  • Awareness & communication – are senior executives and all information stakeholders aware of the GDPR and the impact it will have on your organisation? Has GDPR training of employees occurred and is there an ongoing training program in place?
  • Update privacy notices and privacy policies – are privacy policies and privacy notices compliant with the transparency requirements and the rights of individuals under the GDPR?
  • Review information held – what personal data is held, where has it come from and with whom it is shared? Carry out an information audit and gap analysis, and implement a remediation plan as needed. The audit should examine how and when personal information is being disposed of when it is no longer in accordance with the consent provided.
  • Transfers outside of EU – is your business compliant with transfer mechanisms? What changes are needed to be compliant with the GDPR and how will you implement the changes to ensure compliance before GDPR comes into force?
  • Update internal procedures – do you have policies, processes and procedures in place to deal with the practical implications of the new and extended rights for individuals under the GDPR? For example, can requests for information be responded to promptly and within one month? In relation to the rights of rectification and erasure, are procedures for ensuring notification is made to other organisations (e.g. suppliers) to whom an individual's personal data has been disclosed in place?
  • Review current systems such as technology and HR systems – are current systems and technology in place to ensure individuals can exercise their rights under the GDPR?
  • Review supplier/processors contracts – ensure that supplier contracts are reviewed and if appropriate renegotiated to ensure GDPR compliance.
  • Update data breach response plan – do you need to review and update your data breach response plan to ensure mandatory data breach notification to a local data protection regulator within 72 hours of data breach? Review and update processes and procedures for the detection, investigation, management and reporting of data breaches.
  • Privacy-by-design/ Data Protection by design – how can you ensure that any activity that involves processing personal data is done with data protection and privacy in mind from the outset and throughout each step of the process? Depending on the activities of your organisation it may include specific projects, product or service development, system developments such as IT and HR.
  • Review insurance and cyber policies – are the terms and coverage of your current policies adequate? If not, add appropriate cyber and data insurance protection as appropriate.
  • Develop a unified Information Governance framework – does your privacy ecosystem align with a unified information governance framework to ensure the value of information throughout the organisation is maximised and risks of holding information are minimised?

Privacy regulation: EU and Australian comparison

OAIC's table compares the requirements under the GDPR with the Australian Privacy Act – Privacy business resource 21: Australian businesses and the EU General Data Protection Regulation

COMPARISON EU GDPR Australian Privacy Act
Who does this apply to? Data processing activities of businesses, regardless of size, that are data processors or controllers Most Australian Government agencies, all private sector and not-for-profit organisations with an annual turnover of more than $3 million, all private health service providers and some small businesses.
What does it apply to? Personal data – any information relating to an identified or identifiable natural person: Art 4(1) Personal information (PI) – information or an opinion about an identified individual, or an individual who is reasonably identifiable: s 6(1)
Jurisdictional link Applies to data processors or controllers:
  • with an establishment in the EU, or
  • outside the EU, that offer goods or services to individuals in the EU or monitor the behaviour of individuals in the EU: Art 3
Applies to businesses:
  • incorporated in Australia, or
  • that 'carry on a business' in Australia and collect PI from Australia or hold PI in Australia: s 5B
Accountability and governance Controllers generally must:
  • implement appropriate technical and organisational measures to demonstrate GDPR compliance and build in privacy by default and design: Arts 5, 24, 25
  • undertake compulsory data protection impact assessments: Art 35
  • appoint data protection officers: Art 37

APP entities must take reasonable steps to implement practices, procedures and systems to ensure compliance with the APPs and to enable complaints: APP 1.2

Businesses are expected to appoint key roles and responsibilities for privacy management and to conduct privacy impact assessments for many new and updated projects

Consent Consent must be:
  • freely given, specific and informed, and
  • an unambiguous indication of the data subject's wishes which, by a statement or by a clear affirmative action, signifies agreement to processing: Art 4(11)
Key elements:
  • the individual is adequately informed before giving consent, and has the capacity to understand and communicate consent
  • the consent is given voluntarily
  • the consent is current and specific: OAIC's APP GLs
Data Breach notifications Mandatory data breach notifications by controllers and processors (exceptions apply): Arts 33-34 From 22 February 2018, mandatory reporting for breaches likely to result in real risk of serious harm
Individual rights Individual rights include:
  • right to erasure: Art 17
  • right to data portability: Art 20
  • right to object: Art 21
No equivalents to these rights.
However, business must take reasonable steps to destroy or de-identify PI that is no longer needed for a permitted purpose: APP 11.2. Where access is given to an individual's PI, it must generally be given in the manner requested: APP 12.5
Overseas transfers Personal data may be transferred outside the EU in limited circumstances including:
  • to countries that provide an 'adequate' level of data protection
  • where 'standard data protection clauses' or 'binding corporate rules' apply
  • approved codes of conduct or certification in place: Chp V
Before disclosing PI overseas, a business must take reasonable steps to ensure that the recipient does not breach the APPs in relation to the information: APP 8 (exceptions apply). The entity is accountable for a breach of the APPs by the overseas recipient in relation to the information: s 16C (exceptions apply)
Sanctions Administrative fines of up to €20 million or 4% of annual worldwide turnover (whichever is higher): Art 83 Powers to work with entities to facilitate compliance and best practice, and investigative and enforcement powers: Parts IV and V

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

To print this article, all you need is to be registered on Mondaq.com.

Click to Login as an existing user or Register so you can print this article.

Authors
Similar Articles
Relevancy Powered by MondaqAI
Coleman Greig Lawyers
 
Some comments from our readers…
“The articles are extremely timely and highly applicable”
“I often find critical information not available elsewhere”
“As in-house counsel, Mondaq’s service is of great value”

Related Topics
 
Similar Articles
Relevancy Powered by MondaqAI
Coleman Greig Lawyers
Related Articles
 
Related Video
Up-coming Events Search
Tools
Print
Font Size:
Translation
Channels
Mondaq on Twitter
 
Register for Access and our Free Biweekly Alert for
This service is completely free. Access 250,000 archived articles from 100+ countries and get a personalised email twice a week covering developments (and yes, our lawyers like to think you’ve read our Disclaimer).
 
Email Address
Company Name
Password
Confirm Password
Position
Mondaq Topics -- Select your Interests
 Accounting
 Anti-trust
 Commercial
 Compliance
 Consumer
 Criminal
 Employment
 Energy
 Environment
 Family
 Finance
 Government
 Healthcare
 Immigration
 Insolvency
 Insurance
 International
 IP
 Law Performance
 Law Practice
 Litigation
 Media & IT
 Privacy
 Real Estate
 Strategy
 Tax
 Technology
 Transport
 Wealth Mgt
Regions
Africa
Asia
Asia Pacific
Australasia
Canada
Caribbean
Europe
European Union
Latin America
Middle East
U.K.
United States
Worldwide Updates
Registration (you must scroll down to set your data preferences)

Mondaq Ltd requires you to register and provide information that personally identifies you, including your content preferences, for three primary purposes (full details of Mondaq’s use of your personal data can be found in our Privacy and Cookies Notice):

  • To allow you to personalize the Mondaq websites you are visiting to show content ("Content") relevant to your interests.
  • To enable features such as password reminder, news alerts, email a colleague, and linking from Mondaq (and its affiliate sites) to your website.
  • To produce demographic feedback for our content providers ("Contributors") who contribute Content for free for your use.

Mondaq hopes that our registered users will support us in maintaining our free to view business model by consenting to our use of your personal data as described below.

Mondaq has a "free to view" business model. Our services are paid for by Contributors in exchange for Mondaq providing them with access to information about who accesses their content. Once personal data is transferred to our Contributors they become a data controller of this personal data. They use it to measure the response that their articles are receiving, as a form of market research. They may also use it to provide Mondaq users with information about their products and services.

Details of each Contributor to which your personal data will be transferred is clearly stated within the Content that you access. For full details of how this Contributor will use your personal data, you should review the Contributor’s own Privacy Notice.

Please indicate your preference below:

Yes, I am happy to support Mondaq in maintaining its free to view business model by agreeing to allow Mondaq to share my personal data with Contributors whose Content I access
No, I do not want Mondaq to share my personal data with Contributors

Also please let us know whether you are happy to receive communications promoting products and services offered by Mondaq:

Yes, I am happy to received promotional communications from Mondaq
No, please do not send me promotional communications from Mondaq
Terms & Conditions

Mondaq.com (the Website) is owned and managed by Mondaq Ltd (Mondaq). Mondaq grants you a non-exclusive, revocable licence to access the Website and associated services, such as the Mondaq News Alerts (Services), subject to and in consideration of your compliance with the following terms and conditions of use (Terms). Your use of the Website and/or Services constitutes your agreement to the Terms. Mondaq may terminate your use of the Website and Services if you are in breach of these Terms or if Mondaq decides to terminate the licence granted hereunder for any reason whatsoever.

Use of www.mondaq.com

To Use Mondaq.com you must be: eighteen (18) years old or over; legally capable of entering into binding contracts; and not in any way prohibited by the applicable law to enter into these Terms in the jurisdiction which you are currently located.

You may use the Website as an unregistered user, however, you are required to register as a user if you wish to read the full text of the Content or to receive the Services.

You may not modify, publish, transmit, transfer or sell, reproduce, create derivative works from, distribute, perform, link, display, or in any way exploit any of the Content, in whole or in part, except as expressly permitted in these Terms or with the prior written consent of Mondaq. You may not use electronic or other means to extract details or information from the Content. Nor shall you extract information about users or Contributors in order to offer them any services or products.

In your use of the Website and/or Services you shall: comply with all applicable laws, regulations, directives and legislations which apply to your Use of the Website and/or Services in whatever country you are physically located including without limitation any and all consumer law, export control laws and regulations; provide to us true, correct and accurate information and promptly inform us in the event that any information that you have provided to us changes or becomes inaccurate; notify Mondaq immediately of any circumstances where you have reason to believe that any Intellectual Property Rights or any other rights of any third party may have been infringed; co-operate with reasonable security or other checks or requests for information made by Mondaq from time to time; and at all times be fully liable for the breach of any of these Terms by a third party using your login details to access the Website and/or Services

however, you shall not: do anything likely to impair, interfere with or damage or cause harm or distress to any persons, or the network; do anything that will infringe any Intellectual Property Rights or other rights of Mondaq or any third party; or use the Website, Services and/or Content otherwise than in accordance with these Terms; use any trade marks or service marks of Mondaq or the Contributors, or do anything which may be seen to take unfair advantage of the reputation and goodwill of Mondaq or the Contributors, or the Website, Services and/or Content.

Mondaq reserves the right, in its sole discretion, to take any action that it deems necessary and appropriate in the event it considers that there is a breach or threatened breach of the Terms.

Mondaq’s Rights and Obligations

Unless otherwise expressly set out to the contrary, nothing in these Terms shall serve to transfer from Mondaq to you, any Intellectual Property Rights owned by and/or licensed to Mondaq and all rights, title and interest in and to such Intellectual Property Rights will remain exclusively with Mondaq and/or its licensors.

Mondaq shall use its reasonable endeavours to make the Website and Services available to you at all times, but we cannot guarantee an uninterrupted and fault free service.

Mondaq reserves the right to make changes to the services and/or the Website or part thereof, from time to time, and we may add, remove, modify and/or vary any elements of features and functionalities of the Website or the services.

Mondaq also reserves the right from time to time to monitor your Use of the Website and/or services.

Disclaimer

The Content is general information only. It is not intended to constitute legal advice or seek to be the complete and comprehensive statement of the law, nor is it intended to address your specific requirements or provide advice on which reliance should be placed. Mondaq and/or its Contributors and other suppliers make no representations about the suitability of the information contained in the Content for any purpose. All Content provided "as is" without warranty of any kind. Mondaq and/or its Contributors and other suppliers hereby exclude and disclaim all representations, warranties or guarantees with regard to the Content, including all implied warranties and conditions of merchantability, fitness for a particular purpose, title and non-infringement. To the maximum extent permitted by law, Mondaq expressly excludes all representations, warranties, obligations, and liabilities arising out of or in connection with all Content. In no event shall Mondaq and/or its respective suppliers be liable for any special, indirect or consequential damages or any damages whatsoever resulting from loss of use, data or profits, whether in an action of contract, negligence or other tortious action, arising out of or in connection with the use of the Content or performance of Mondaq’s Services.

General

Mondaq may alter or amend these Terms by amending them on the Website. By continuing to Use the Services and/or the Website after such amendment, you will be deemed to have accepted any amendment to these Terms.

These Terms shall be governed by and construed in accordance with the laws of England and Wales and you irrevocably submit to the exclusive jurisdiction of the courts of England and Wales to settle any dispute which may arise out of or in connection with these Terms. If you live outside the United Kingdom, English law shall apply only to the extent that English law shall not deprive you of any legal protection accorded in accordance with the law of the place where you are habitually resident ("Local Law"). In the event English law deprives you of any legal protection which is accorded to you under Local Law, then these terms shall be governed by Local Law and any dispute or claim arising out of or in connection with these Terms shall be subject to the non-exclusive jurisdiction of the courts where you are habitually resident.

You may print and keep a copy of these Terms, which form the entire agreement between you and Mondaq and supersede any other communications or advertising in respect of the Service and/or the Website.

No delay in exercising or non-exercise by you and/or Mondaq of any of its rights under or in connection with these Terms shall operate as a waiver or release of each of your or Mondaq’s right. Rather, any such waiver or release must be specifically granted in writing signed by the party granting it.

If any part of these Terms is held unenforceable, that part shall be enforced to the maximum extent permissible so as to give effect to the intent of the parties, and the Terms shall continue in full force and effect.

Mondaq shall not incur any liability to you on account of any loss or damage resulting from any delay or failure to perform all or any part of these Terms if such delay or failure is caused, in whole or in part, by events, occurrences, or causes beyond the control of Mondaq. Such events, occurrences or causes will include, without limitation, acts of God, strikes, lockouts, server and network failure, riots, acts of war, earthquakes, fire and explosions.

By clicking Register you state you have read and agree to our Terms and Conditions