What is the GDPR?

The GDPR

The Regulation (EU) 2016/679 of the European Parliament and of the Council (General Data Protection Regulation) (GDPR) sets out the rules in relation to the processing and storage of the personal data of citizens of the EU. The GDPR is designed to protect the data of, and give additional rights to, all EU citizens, regardless of where data is being processed or stored.

Personal Data for the purpose of the GDPR means any information relating to a natural person that identifies that natural person directly or indirectly, or assigns a person with an identifier, or links to them by specific physical, mental, economic, or social identifiers of a natural person.

The GDPR assigns rights to the natural person (Data Subject) from whom the data is obtained, and places an obligation on the entities holding or processing the data (Controller), which are operating within the EU. The GDPR is intended to apply to all entities that collect, process, or store personal data on a Data Subject regardless of the entity's location or origin.

The GDPR also broadly defines the Processing Activity as any operation, automated or otherwise, performed on Personal Data or on sets of Personal Data. This includes the collection, recording, and destruction, as well as any transmission, consultation, adaptation, or combination of the Personal Data.

The GDPR creates a number of inalienable rights for Data Subjects, and a Controller may not act in a manner that risks these rights, including in the transfer of Personal Data to other parties or to other countries. A Controller must also take into account the rights of a Data Subject, and consider the scope, context and purposes of processing before it implements any processing procedures.

The Privacy Act

Australians are subject to the Privacy Act 1988 (the Act), which has a similar operation to the GDPR. The Act operates differently from the GDPR, as it sets out a set of Australian Privacy Principles with which all entities that collect, process, or store data must comply instead of creating rights for a "Data Subject".

While the Act and the GDPR use several similar terms, the simplest method to differentiate the two is that the GDPR deals with Personal Data, and the Privacy Act deals with Personal Information, which are defined differently.

The Act regulates the collection and processing of Personal Information by entities which come within the ambit of the Act (APP entities).1 Personal Data in the EU and Personal Information in Australia have a significant overlap. Australia's definition is broad but only comes into effect if or once a person is reasonably identifiable2, whereas the EU's definition includes data that allows a person to be identified as well as other special classes of information.3

However, the Act includes opinions about a person, regardless of whether that opinion is true. This expands its application for financial services or credit licensees, as they will often need to formulate an opinion on a customer or the customer's financial position and retain evidence or a record of the basis for their decision. This can include information that you are required by law to collect and retain, such as:

  • Information a financial services provider may obtain in giving personal financial product advice, such as a person's salary, superannuation arrangements, tax returns, or investments.
  • Information a credit assistance provider collects such as a person's credit reports, bank statements, or loan statements.
  • Information sought or obtained by a remittance provider during KYC, including director or controller information of corporate customers.

There are also different limits set on the use or collection of information or data. The GDPR requires Personal Data be collected and processed for a defined purpose that has been consented to by the Data Subject. The purpose of collection may be laid out by a Controller in their Privacy Policies, but it would be insufficient under the GDPR to include consent to data collection within any other matters.4

The Act allows APP entities to collect a person's Personal Information, in situations where it is reasonably necessary or directly related to the APP entity's primary purpose of collection. The Act also does not require a person's specific consent to the collection or processing of Personal Information, other than in relation to "Sensitive Information", and may obtain implied consent for collecting Sensitive Information expanding the use of Personal Information beyond the primary purpose.5 The GDPR by comparison requires all consent given by a Data Subject to be express and informed.6

Does the GDPR apply to Australia?

The scope of the GDPR extends to any entity regardless of their size, Y767 including joint ventures or entity groups, that collect, store, or process Personal Data relating to offering goods or services to EU citizens or monitoring the online behaviour of EU citizens within the EU. It also includes any offers for goods or services where no payment is made or required by the Data Subject.8 This is an extremely broad application that would include to any website that utilise or extract data from third-party tracking cookies such as those offered by Amazon Web Services or Google.9

Outside of the EU, the GDPR applies to a Controller where "it is apparent the Controller envisages offering services to [EU] Data Subjects." The circumstances where this will be inferred include offering an EU language where that language is not native to the Controller's nation of operation, offering products priced in euros, or using EU citizens as customer attestations.10

The GDPR is also designed to apply to you if you receive Personal Data from a third party, including from a third party that is not based in the EU. If you receive Personal Data, you are required to have mechanisms in place to protect the data to the same extent as the GDPR, including that any third party will comply with the EU standards should you transfer data to them.11 While some nations have been deemed to have adequate data security laws to allow for general international transfer, Australia has not been deemed adequate by the Commission, and you would need to review their privacy and data protection policies prior to transferring or sharing any Personal Data.

Data Protection and Privacy Policies

Your Privacy Policy should set out your obligations to a customer, and a customer's rights in dealing with their Personal Data or Personal Information: if you are based or geographically linked to Australia, your obligations will be sourced from the Act, and if you are dealing with the Personal Data of EU citizens, your customers' rights will be sourced from the GDPR. Where both the GDPR and the Act apply to you, your Privacy Policy should consider the obligations placed on you by both laws and apply the regime which imposes the more onerous burden.

There are a number of rights that are granted by the GDPR that do not have parallels within the Act, such as the right to restrict processing.12 If you currently have an Australian Privacy Policy that does not consider the GDPR, you may wish to review it prior to onboarding EU citizens or receiving Personal Data.

You may wish to implement separate internal policies dealing with data handling and management including deletion procedures and timelines, storage and cybersecurity processes, and access control.

The Federal Court of Australia in ASIC v Westpac Securities Administration found that AFS Licensees must adhere to social and commercial norms or standards of behaviour when considering data protection and consumer privacy13 when meeting its general obligations. These standards include having documentation and controls in respect of cybersecurity and cyber resilience in place to the standard a reasonable cybersecurity expert would expect.14

Optus, Medibank, and your Obligations

Optus and Medibank in 2022 both suffered data breaches wherein many people's Personal Information was accessed and copied by hackers, highlighting the need for appropriate cybersecurity controls. These breaches left over 4 million Australians vulnerable to identity theft or fraud as the Information included records of identity documents and contact addresses. They are not the only high-profile breaches that have occurred in Australia or the EU, but they served to highlight the importance of securing internal information to ordinary Australians.

In October 2022 the EU received notice from Kingfisher Insurance in the UK, where it admitted hackers had access to a significant amount of information including customer profiles and Personal Data (the hackers claimed they copied 1.4 TB, which Kingfisher denied).

In Greece, COSMOTE Telecommunications in September 2020 suffered an attack allowing access to unencrypted customer data for 4.8 million customers. While the Personal Data was removed via digital means, the 'hack' was initially undertaken through social engineering, wherein the hackers contacted an employee via LinkedIn and convinced them to disclose data access methods, which were then breached using brute force attacks.

Meanwhile in Australia, there have been a number of attacks outside of Optus and Medibank that have resulted in Personal Information being accessed or disclosed. In January 2021 Tasmanian Ambulance Service's paging system was breached and allowed access to all records from November 2020 including the gender, age and addresses of anyone who requested an ambulance over the three month period.

Similarly, the Australian National University in 2018 was subject to a spear-phishing attack15that allowed hackers to access 19 years of information including contact details, bank account information, and tax file numbers.

These examples show that while "data and information privacy" sounds like a relatively straightforward phrase at a surface level, the systems for protecting the privacy and meeting your obligations extend to all parts of your operation, including staff training and systems updating.

Tips

  1. Know the regulatory regime that applies to your current activities and will apply to you in the future.
  2. Know your customer base, who you're advertising to, and how you're framing your public facing materials.
  3. Know what information you collect, how to keep it secure, where it can be sent and how it can be destroyed.
  4. Keep your Policies and Procedures up to date and relevant to your business.

Footnotes

1 An APP Entity under the Act includes any entity type with an annual turnover of greater than $3 million, and may include smaller entities that deal with health information, are a Reporting Entity under the Anti-money Laundering and Counter-Terrorism Financing Act, or receive or provide benefits for collecting and disclosing Personal Information. Entities that are established by a government or court for a public purpose are also excluded.

2 Privacy Act s6.

3 GDPR Article 4(1)

4 Orange România SA v. Autoritatea Nationala de Supraveghere a Prelucrarii Datelor cu Caracter Personal (ANSPDCP), Court of Justice of the European Union, Case C-61/19. https://curia.europa.eu/juris/document/document.jsf?text=&docid=233544&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first∂=1&cid=1807923.

5 An APP entity must obtain consent, either expressly or impliedly, to collect Sensitive Information. Sensitive Information under the Act includes health and genetic information, criminal records, political or religious opinions, racial and ethnic origin, or sexual orientation.

6 AGDPR Article 4(11)

7 There are exemptions to record keeping requirements and the requirement to have a representative located inside the EU that apply to entities with fewer than 250 employees.

8 GDPR Article 3(2)(a)

9 GDPR Article 3(2)(b)

10 GDPR Recital 23

11 Data Protection Commissioner v Facebook Ireland Limited and Maximillian Schrems (16 July 2020), Court of Justice of the European Union, Case C-311/18. https://curia.europa.eu/juris/document/document.jsf?text=&docid=228677&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first∂=1&cid=3268466

12 GDPR Article 18.

13 Australian Securities and Investments Commission v Westpac Securities Administration Ltd (2019) 272 FCR 170 at [173].

14 Australian Securities and Investments Commission v RI Advice Group Pty Ltd [2022] FCA 496, [49].

15 Phishing is where a hacker holding themselves out to be a trustworthy source, commonly a regulator or large IT supplier, with the hope that a user will provide their access credentials (username and password) to the hacker either directly or via malicious link.
Spear-Phishing is a phishing attack where a single specific user is targeted in a similar manner, but at a more personal level. In spear-phishing attacks the hackers identify the user by name and may hold themselves out to be a member of the user's organisation to obtain the access credentials

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.