On 25 May 2018 the European Union [EU or Union] General Data Protection Regulation [GDPR] began to apply. The GDPR is a law directed at the protection of privacy and personal information, like the Australian Privacy Act 1988 (Cth) [Privacy Act].
Recent examples of substantial data breaches and data misuse, such as the Cambridge Analytica/Facebook imbroglio, illustrate the need for effective systems to protect personal privacy and data. The GDPR is designed for this, but compared to the regime in Australia under the Privacy Act and the Australian Privacy Principles, it is a bit like the 8,000 lb blockbuster bombs that the RAF used in the Second World War, or maybe even the 22,000 lb Massive Ordnance Air Blast bomb (colloquially, “Mother of All Bombs”) used by the US in Afghanistan against ISIS. With weapons like that there is always collateral damage.
Many Australian businesses will be affected by the GDPR and compliance will not be a simple matter.
What Does the GDPR Apply to? Personal Data
The GDPR applies to “personal data”. This is a similar concept to personal information in the Privacy Act. It includes any information relating to “an identified or identifiable natural person”, called a “data subject”. An “identifiable natural person” is a person who “can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”.
There are special categories of personal data (Article 9) which have additional conditions and protections. Special categories include racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic and biometric data, data concerning health, and data concerning a person’s sex life or sexual orientation.
Who Does the GDPR Apply to? Processors and Controllers
The GDPR applies to a natural person or a legal person (such as a company) that is a:
- “controller” or a
- “processor”.
A controller “alone or jointly with others, determines the purposes and means of the processing of personal data”. Specific criteria may be provided for by Union or Member State laws. Responsibility for compliance with the Regulation is vested in many cases in the controller.
A processor “processes personal data on behalf of the controller”.
The concept of “processing” is key, and is defined very broadly. It:
means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Who Does the GDPR Apply to Outside the EU?
Article 3 of the GDPR deals with its territorial scope.
The Regulation applies to the “processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not”. “Establishment” is not defined in the Articles, although Recital 22 says that it “implies the effective and real exercise of activity through stable arrangements” and that the legal form of those arrangements (a branch or a subsidiary) is not the determining factor.
The Regulation also applies to the “processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:
- the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
- the monitoring of their behaviour as far as their behaviour takes place within the Union.”
The Office of the Australian Information Commissioner [OAIC] gives the following examples of Australian businesses that may be affected[1]:
- an Australian business with an office in the EU;
- an Australian business whose website enables EU customers to order goods or services in a European language (other than English) or enables payment in Euros;
- an Australian business whose website mentions customers or users in the EU; or
- an Australian business that tracks individuals in the EU on the internet and uses data processing techniques to profile individuals to analyse and predict personal preferences, behaviours and attitudes.
Article 3 itself does not mention an offer made in a European language other than English, or payment in euros, as tests of whether a controller or processor offers goods or services to data subjects in the Union. Those factors are drawn from Recital 23 of the GDPR, which notes that “the mere accessibility of the controller’s, processor’s or an intermediary’s website in the Union, of an email address or other contact details, or the use of a language generally used in the third country where the controller is established, is insufficient to ascertain such intention” (that is, an intention to offer goods or services to data subjects in the Union). The Recital goes on to say that factors such as “the use of a language or a currency generally used in one or more Member States with the possibility of ordering goods and services in that other language, or the mentioning of customers or users who are in the Union” may make it apparent that the controller envisages offering goods or services to data subjects in the Union.
Does the GDPR Apply to all Businesses?
The GDPR applies to all processors and controllers within its scope. There is no small business exemption like that in the Privacy Act, which generally excludes businesses with an annual turnover of $AU3 million or less.[2] So, although the Regulation, or many of its provisions, may be aimed at the likes of Google or Facebook, it will affect any Australian business, whatever its size, that comes within its scope.
Compliance: New Requirements
It is impossible in a short article to mention all of the requirements of the GDPR, or all of the areas where it differs from or extends concepts in the Privacy Act. Many of the obligations imposed by the GDPR are more extensive than, or different from, those in the Privacy Act, and an entity that is required to comply with the GDPR cannot rely solely on the measures it has taken to comply with the Australian Privacy Principles.
Some of the requirements of the GDPR are discussed below.
Principles for Processing
Article 5 of the GDPR contains detailed and stringent requirements for the processing of personal data. In summary, personal data must be:
- “processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’)”;
- “collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes … (‘purpose limitation’)”;
- “adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’)”;
- “accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’)”;
- “kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed … (‘storage limitation’)”; and
- “processed in a manner that ensures appropriate security of the personal data including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’)”.
The controller is responsible for, and must be able to demonstrate, compliance with these requirements (‘accountability’, Article 5(2)).
Lawful Processing: Consent
Processing of personal data is lawful only if it satisfies at least one of the conditions set out in Article 6. The first condition listed is that “the data subject has given consent to the processing of his or her personal data for one or more specific purposes”. This may explain why you have recently received more than the usual number of emails from entities in the EU asking you to consent to remain connected.
Individual Rights: Erasure/Portability/Objection
The GDPR contains rights of individuals which do not have substantive equivalents under the Privacy Act. These are rights to:
- erasure of data (Article 17);
- portability of data (Article 20); and
- objection to processing of data (Article 21).
Appointment of EU Representatives
Where the GDPR applies to a controller or a processor under Article 3(2) (processing activities related to the offering of goods or services, or the monitoring of behaviour) the controller or processor must designate in writing a representative in the Union (Article 27). The representative must be mandated to be addressed by supervisory authorities and data subjects on all issues related to processing, for the purposes of ensuring compliance with the Regulation.
There is, however, a limitation on this requirement as it does not apply to “processing which is occasional, does not include, on a large scale, processing of special categories of data as referred to in Article 9(1) or processing of personal data relating to criminal convictions and offences referred to in Article 10, and is unlikely to result in a risk to the rights and freedoms of natural persons taking into account the nature, context, scope and purposes of the processing”.
Mandatory Data Breach Notification
Like the Privacy Act following its recent amendments, the GDPR imposes mandatory breach notification. Under Article 33 a controller must “without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the (competent) supervisory authority … unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons”. A processor that becomes aware of a breach must notify the controller without undue delay (Article 33(2)), and where the breach is likely to result in a high risk to individuals the controller must also communicate it to the affected data subjects (Article 34).
Penalties
As may be expected, the GDPR provides for the imposition of penalties by way of administrative fines for infringements of the Regulation (Article 83). The fines are determined by each supervisory authority and are to be “effective, proportionate and dissuasive”. For infringement of some Articles the administrative fines may be up to 10,000,000 EUR or up to 2% of the total worldwide annual turnover of an undertaking for the preceding financial year, whichever is higher. For infringements of other Articles, including the principles for processing and the rights of data subjects, administrative fines may be up to 20,000,000 EUR or 4% of the total worldwide annual turnover of an undertaking for the preceding financial year, whichever is higher.
Consideration and Compliance
As noted above, this brief article only touches on some of the requirements and issues arising out of the GDPR. Many of the requirements and terms of the GDPR are not necessarily clear or easy to interpret, and the meaning and effect of the Regulation in many areas may not be apparent until its terms have been interpreted by supervisory authorities and the courts.
An Australian business that is caught in the blast from the GDPR should, if it has not already done so, give consideration to the requirements of the GDPR and take steps for compliance as soon as possible.
[1] OAIC Privacy Business Resource X, October 2016.
[2] The Privacy Act does specify that some small businesses, including organisations that are health service providers, are required to comply with the Australian Privacy Principles even if their annual turnover is $3 million or less.