Introduction
European privacy regulation is undergoing massive changes, with the new General Data Protection Regulation (the GDPR) to take effect from 25 May 2018.
The GDPR differs from the existing law in several key ways. Enforcement rules and penalties are also much more onerous than what businesses have been used to.
GDPR: The Key Changes
- Tougher sanctions
- High bar for consent
- Catches suppliers too
- Harder to show ‘lawful processing’
- Increased rights for individuals
- Enhanced notification requirements
- Wider territorial scope
- Increased requirements for record keeping & internal policies
- Online identifiers now treated as personal data
- Data Protection Officers – new roles required by law
- Enhanced restrictions on automated decision making and profiling
The GDPR will apply to Australian businesses that:
- Have an establishment in the EU (regardless of whether they process personal data in the EU), or
- Do not have an establishment in the EU, but offer goods and services or monitor the behaviour of individuals in the EU.
It is essential that those companies take immediate steps to understand the impact of the GDPR and to implement necessary changes.
Australian businesses that may have to comply with the GDPR include:
- A business with an office in the EU
- A business whose website targets EU customers
- A business that tracks individuals in the EU on the internet and uses automated decision making and profiling.
GDPR vs Australian privacy law: What’s the difference?
Australian businesses bound by Australian privacy laws will naturally ask ‘what’s different’ about the two regimes. For efficiency reasons, having a coordinated compliance regime across a company’s Australian and UK operations is preferable, so companies will want to know whether their existing processes already do an adequate job.
Whilst there are similarities across aspects of Australian privacy law and the GDPR, there are key differences too. These include principles found in GDPR which are entirely absent from the Australian regime and hence unfamiliar to Australian compliance officers.
A comparison of the two regimes is as follows:
Topic | Australian privacy law | The GDPR
---|---|---
Application | Applies to Australian Government agencies and to private sector organisations with an annual turnover of more than A$3 million, together with some smaller businesses (for example health service providers and businesses that trade in personal information) | Applies to all data controllers and data processors regardless of turnover
Concept of personal information | Information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether or not it is true and whether or not it is recorded in a material form. Examples include a person’s name, address, email address, telephone number, date of birth, signature, customer records, bank account details, health information or any commentary or opinion about a person | Similar approach, although the GDPR uses the term “personal data” and expressly treats online identifiers (such as IP addresses and cookie identifiers) as personal data
Who does the data relate to | The Privacy Act refers to the “individual”, being the person to whom the personal information relates | Similar approach, but uses the term “data subject”
Distinction between data controller and data processor | No distinction: obligations fall on the entity that holds the personal information | Distinguishes the controller (which determines the purposes and means of processing) from the processor (which processes personal data on the controller’s behalf). Both have direct obligations, and controllers must bind processors by written contract
Consent | May be ‘express’ or ‘implied’. Key elements are that the individual is adequately informed before giving consent, gives it voluntarily, has the capacity to consent, and that the consent is current and specific | Must be ‘freely given, specific, informed and unambiguous’ and given by a statement or a clear affirmative action; silence and pre-ticked boxes do not qualify, and consent must be as easy to withdraw as it is to give
Sensitive data | Sensitive information attracts a higher level of protection under the Privacy Act. Sensitive information includes information about an individual’s race or ethnicity, political persuasion or political associations, religious beliefs, sexual orientation, criminal record and health and genetic information (section 6, Privacy Act) | Similar approach; the GDPR term is “special categories of personal data” (Article 9), which also cover biometric data processed to identify a person. Criminal conviction data is dealt with separately under Article 10
Transfer of data overseas | Business must take ‘reasonable steps’ to ensure the overseas recipient does not breach the Australian Privacy Principles before transferring, and generally remains accountable for the recipient’s handling of the data (APP 8) | Strict conditions must be met before transfer outside the EEA: an adequacy decision covering the destination country, appropriate safeguards such as standard contractual clauses or binding corporate rules, or a narrow derogation (Chapter V)
Right to restriction of processing | Not included | Data subject has the right to obtain restriction of processing in specified circumstances, for example while the accuracy of the data is being contested (Article 18; availability depends on the processing condition relied upon)
Right to be forgotten | Not included | Data subject can demand erasure of data (Article 17), subject to the processing condition relied upon and to exceptions such as a legal obligation to retain the data
Data portability | No direct equivalent | Data subject can demand receipt of data in a structured, commonly used and machine-readable format (e.g. a CSV file), and can require it to be transmitted directly to another controller where technically feasible, if the processing condition relied upon is consent or performance of a contract and the processing is carried out by automated means (Article 20)
Data breach notification | Notifiable Data Breach scheme in effect since 22 February 2018. Entities must notify affected individuals and the Australian Information Commissioner about eligible data breaches, being breaches likely to result in serious harm | Controllers must notify the supervisory authority within 72 hours of becoming aware of a breach unless it is unlikely to result in a risk to individuals, and must notify affected individuals without undue delay where the breach is likely to result in a high risk to them (e.g. ID theft or financial loss). Processors must notify the controller without undue delay. All data breaches, whether notified or not, must be documented in internal records (Articles 33 and 34)
Penalties | Limited penalties for an isolated breach; however, serious or repeated interferences with privacy may be subject to a civil penalty of up to $420,000 per contravention. Conduct may also amount to misleading and deceptive conduct under the Australian Consumer Law, with the potential for significant fines | Under Article 83, administrative fines of up to EUR 10 million or 2% of worldwide annual turnover (whichever is higher) for breaches such as failing to keep records, appoint a DPO or notify breaches, and up to EUR 20 million or 4% of worldwide annual turnover for breaches of the core processing principles, data subject rights or international transfer rules
Compliance with GDPR – what Australian companies need to do
If your company is bound by the GDPR, you should take steps towards compliance without delay. Whilst the law is not in force until May 2018 and foreign companies are unlikely to be the first parties of interest for the Information Commissioner, implementing the necessary changes will take time. It is important that your company is able to show an intention to do its best to comply with the GDPR, and a record of the actions taken to do so.
As a starting point, we recommend the following four steps:
1. Audit
- the location of the data on your systems
- what data is captured and the source of the data
- what it is used for and who receives it
- where it is transferred to geographically
- what security is in place to protect the data
- how long it is kept for
- applicable contractual protections for the data
2. Understand
3. Plan
4. Implement
Further useful tips for compliance are set out in Sarah Needham’s article ‘Picking the low-hanging GDPR fruit’, which can be found here: https://keystonelaw.co.uk/keynotes/picking-the-low-hanging-gdpr-fruit-a-pre-christmas-checklist.
Conclusion
Any largescale regulatory change can be daunting and the GDPR is no exception. However, Australian companies, like their European counterparts, should start moving towards compliance now. By taking a practical and phased approach, the project becomes manageable.
Keystone Law and Keypoint Law are innovative law firms based in England and Australia, respectively. Keystone Law can provide English law advice regarding the impact of GDPR on Australian businesses and Keypoint Law can advise clients on Australian privacy law. Should you wish to learn more about our services in this area, please contact one of the authors listed below.
By Suzy Schmitz, Sarah Needham and Michael Mitchell
Suzy Schmitz is a dual-practising Australian and English lawyer based in Melbourne who works with both Keystone Law and Keypoint Law. A commercial lawyer with particular expertise in intellectual property and technology, Suzy can assist Australian businesses with their UK legal matters including distribution agreements, brand registration and enforcement and technology-related contracts.
Sarah Needham is an English law Data Protection expert at Keystone Law with over a decade’s experience at advising on privacy regulation. Sarah is a specialist in the GDPR and steps required to achieve compliance. She has extensive experience in conducting data audits, structuring data flows and preparing GDPR-compliant data use contract terms.
Michael Mitchell is an experienced international commercial lawyer with Keypoint Law. Many of his clients are based in or trade with Europe. He takes a keen interest in data protection and privacy and has presented to industry groups on these issues. Michael is based in Sydney.
This article is for general information purposes only and does not constitute legal or professional advice. It should not be used as a substitute for legal advice relating to your particular circumstances. Please also note that the law may have changed since the date of this article.