If Australian businesses conducting activities in the EU were not already paying attention to the General Data Protection Regulation (GDPR) introduced in Europe last May, they should be now.
This week the UK's data protection regulator, the Information Commissioner's Office (ICO), signalled its intention to issue a fine to British Airways, which would be 1.5 per cent of the airline's global turnover in 2017. Under laws introduced in May 2018, the regulators in the EU have an arsenal of enforcement options, including the ability to issue fines of up to 20 million euros or four per cent of global annual turnover (whichever is higher).
Up until now, this has been a theoretical risk. It's now looking very real.
The proposed fine comes as a result of a cyber incident notified to the ICO by British Airways in September 2018, where the personal data of approximately 500,000 customers was compromised through hackers diverting users to a fake website.
The ICO's investigation has found that certain personal information was compromised partly as a result of poor security arrangements at British Airways, including the security of login and payment information. BA will now get the opportunity to make representations to the ICO on the proposed findings and it has signalled its intention to defend its position 'vigorously, including making any possible appeals'. In its view, it says it responded quickly to what was a criminal act.
As we have written about previously, GDPR rules can apply to Australian businesses where they process personal data of individuals located in Europe by offering goods or services to such individuals or monitoring the behaviour of individuals located in the EU. While Australian privacy laws contain similar requirements, the GDPR is more far-reaching in terms of the future of data protection, and as this example shows, the penalties are (currently) potentially much higher.
Australian businesses are urged to take steps to determine whether the GDPR is applicable, and consider revising their information handling processes, information security practices, collection notices, privacy policies and data breach response plans to ensure compliance.
This publication does not deal with every important topic or change in law and is not intended to be relied upon as a substitute for legal or other advice that may be relevant to the reader's specific circumstances. If you have found this publication of interest and would like to know more or wish to obtain legal advice relevant to your circumstances please contact one of the named individuals listed.