An explanation of GDPR for Australian businesses
Here, the DVM Law team cut through the scare-mongering to explain exactly how Europe's stringent new data privacy laws will affect businesses here in Australia.
There has been a lot of interest and concern in Australia about the applicability and impact of the European Union General Data Protection Regulation (the GDPR), which came into force on 25 May 2018.
As you delete that final email asking you (again) for your consent, you may be asking yourself what the introduction of the GDPR means for Australian businesses who may already be complying with their Australian privacy law obligations.
In this article, we provide a high-level, practical answer to this question.
What is the GDPR?
The GDPR is the new European Union Regulation about privacy and data protection. It essentially regulates the “personal data” of individuals in the EU through the entire life-cycle of collection, use, retention, transfer and deletion.
The GDPR therefore covers similar ground to the Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles (the Australian Privacy Law), which regulate the collection, use and disclosure of “personal information” (that definition differing in a nuanced way from “personal data” under the GDPR). The GDPR is widely considered to be the most wide-ranging, broadly applicable and comprehensive privacy legislation in the world.
While the GDPR has only just become fully enforceable, the entire regulation has been on the books in final form since January 2016. Regulators are likely to take the view that businesses have had ample time to prepare.
Think about your supply chain
So what does this mean for Australian businesses?
The first thing to consider is that, while your business may not directly collect the personal information of individuals in the EU, the GDPR may still affect you indirectly because of the agreements you have with customers or suppliers. So ask yourself, “do I deal with the personal information held by EU corporate customers?”
The reason is that the GDPR forces your EU corporate customers to have specific terms in their sub-contracts with companies processing personal information. These terms replicate to some extent the EU corporate customer’s own obligations under the GDPR.
The clear and present danger for Australian business isn’t whether the French Commission Nationale de l’Informatique et des Libertés is going to come to the antipodes with questions or fines.
Instead, the reality is that your EU corporate customers, to whom the GDPR undoubtedly applies, and who are far more at risk from their national privacy regulators, are going to start making sure that their contracting arrangements are compliant.
That doesn’t just mean your EU corporate customer’s relationship with you – it also includes your relationships with your service providers down the chain which process personal information for your business. According to the GDPR, the EU corporate customer is on the hook for all of it.
What does this mean practically?
It means that if you want to keep or obtain new EU corporate customers, you’ll probably have to update your customer terms and conditions for them, as well as your sub-contracts with your subcontractors (known as processors or sub-processors) who access or are provided personal information (for example, CRMs, cloud-based systems and some data analytics tools).
The specific requirements for these contracts come from a few places, primarily Article 28 of the GDPR, which applies to all processing and sub-processing arrangements, and Article 46, which deals with international transfers of personal information.
What makes things complicated for Australian businesses is that Australia has not been recognised as having “adequate privacy laws” by the European Commission. This means that further “appropriate safeguards” have to be taken by organisations which want to transfer information to Australian service providers.
This might involve further terms and conditions (model clauses nominated by the EU) or consent, which the GDPR makes more difficult to manage.
The good news is that larger sub-processors are probably onto it already, meaning you may be able to rely on the steps they have taken to be GDPR-compliant.
OK, I understand that my EU corporate customers will be looking for new contracts. What about the direct application of the GDPR to my business?
If your business sells goods or services directly to customers in the EU and you collect the personal information about individuals in the EU, you will likely be caught by the GDPR. The GDPR may also apply directly to you in many cases where you are processing the personal information of individuals in the EU, with or without an intervening EU corporate. The requirements are deceptively complicated – consider if you are targeting and marketing goods and services to individuals in the EU, or monitoring and profiling them.
Sometimes the answer is obvious – but if you think you’re on the fence, seek legal advice.
So what else do I have to do under the GDPR if I’m already complying with Australian Privacy Law?
Whether you’re complying with the GDPR directly or through a contract, it’s worth noting the substantial overlap between the GDPR and the Australian Privacy Law.
Broad principles in the GDPR like data minimisation, transparency, use only for specified purpose, and security are all already reflected in the Australian Privacy Principles. Both require “privacy by design”.
One of the key differences is that the GDPR has the concepts of “controllers” and “processors”. “Controllers” are effectively the entity that decides why personal information is collected and processed.
They are responsible for ensuring that personal information is processed in accordance with the GDPR, whether they process it themselves or outsource to a “processor”.
“Processors” only process personal information on behalf of, on instructions from, and under a contract with, the controller, and have more limited obligations than controllers.
The GDPR places obligations on controllers that are more onerous than the Australian Privacy Law. Some of the key differences are as follows:
Choice of “lawful basis” of processing
A data controller under the GDPR has to ensure that it processes personal information under a “lawful basis”, which could be:
- consent
- contractual obligation to the individual
- compliance with legal obligation
- necessity to protect vital interests
- necessity for a task carried out in the public interest, and
- legitimate interest of the controller or a third party.
The lawful basis relied on needs to be documented, for example in your Privacy Policy.
Consent is harder to obtain
In Australia, consent can be implied. Under the GDPR, it must be explicit by “a statement or by clear affirmative action”. Under both systems, consent must be able to be withdrawn at any time.
Data subjects’ enhanced rights
While there is already a right of access and right to correct personal data in Australia, the GDPR adds additional rights such as the right to erase data, the right to data portability and the right to not be subject to decisions based solely on automated processing except in certain circumstances.
More Privacy Policy requirements
Data controllers will need to communicate more information to individuals, usually in your Privacy Policy, than required under Australian Privacy Law.
Appointment of EU representative and Data Protection Officer
You might need to appoint a “representative” established in the EU, or a Data Protection Officer.
Greater data breach requirements
You’ll need to report a greater range of data breaches in a much shorter time frame.
What public action has been taken under the GDPR?
It has been less than a week since the GDPR came into force, as of the date of this article. Nevertheless, a non-profit European privacy organisation, noyb.eu, has already filed complaints against Facebook, Google, Instagram and WhatsApp under the GDPR, alleging, amongst other complaints, that consent is only requested with respect to the entire Privacy Policy on a take-it-or-leave-it basis – a practice that most businesses will find familiar.
With respect to Google, the complaint noted that the maximum possible fine is 4% of the revenue of the Alphabet Group, amounting to about €3.79 billion.
Takeaways
The GDPR will likely directly affect your business if you supply goods or services to individuals in the EU. It may also affect your business if you have an EU customer or client which has to meet its own obligations under the GDPR. In that case, your EU customers or clients may require new or updated agreements for the processing of personal information, and require that you impose the same obligations on your service providers regardless of their location.
The GDPR is a regulation with genuine teeth, as the recent complaints against Google and Facebook show. While clear guidance is likely to be some ways off, these complaints show that companies whose business model involves targeted advertising to individuals in the EU will need to have particular care with their privacy strategy. This will include carefully considering the lawful bases of processing on a granular level.
As it is never too late to comply with the Australian Privacy Law and now the GDPR, now is a good time to undertake an audit to understand the collection channels, lawful bases of processing and life cycle of personal information in your business, as well as the technical and organisational security measures you have in place. Don’t wait for a complaint to be filed against you or one of your EU customers.
Don’t hesitate to contact us if you have any questions while the effect of the GDPR unfolds and watch for more updates from our team.
Article by the DVM Law team.
This is a very well written article with a good, pragmatic approach to the current situation.
We’re an Australian-based company that has created a suite of tools to aid businesses and other website owners with compliance. The first is a compliance kit, which allows website owners to obtain granular consent for using tracking cookies, analytics tags and the like when a user first visits their site (and, importantly, before any of the tags first fire). This kit also includes hosted forms for managing data rights requests, with a control panel for tracking progress. Furthermore, the kit provides additional information for your Privacy and/or Cookie Policy based on the tags you provide.
The second option is an EU Traffic Blocking tool, which detects visitor locations as soon as the page is accessed, and redirects EU visitors to a customisable ‘blocked access’ page in order to minimise your website compliance risk.
You can find out more at https://www.ezigdpr.com/
Article 30 paragraph 5 (I think), says businesses with fewer than 250 staff are exempt from record processing. What does this mean for small businesses?
Hi Brett, it’s a good question. The answer is basically, it doesn’t mean as much as we might hope. While you might get out of record-keeping, that’s only one obligation out of many under the GDPR – if the GDPR applied to you, it’s likely you’d still need to enable individuals to exercise their right to erasure, for example.
The <250 exception does not even apply if you process sensitive information (this is the "special categories") or if the processing is "not occasional", so it can be a difficult exception to rely on even for record-keeping.
Feel free to reach out to us at http://www.dvmlaw.com if we can assist you further.
How is it that EU Citizens have more data rights and protections in Australia than an Australian in Australia?
Everyone, including our government, seems to play fast and loose with our Australian data. Promiscuity with our private data seems almost encouraged by our Prime Minister, who feels that because we had to have our picture taken to drive, that stretches to say that we approved allowing our faces to be facially recognised. Our faces will now be kept in a database and processed by a third-party overseas company, a risk to national security. All this overseen by a man who spent several years planning a third-rate internet fit for 2008 in 2018.
What chance do we have of having our own equivalent of the GDPR here in Australia to give us our rights over our own personal IP?
Dear DVM Law team, what is the difference between a European resident and a citizen in terms of the GDPR? Would a dual citizen have rights under the GDPR here?
Hi,
If an Australian-based company has a UK office with UK staff employed and deals with UK customers, is there anything which the GDPR specifically states that you are not allowed to store any data relating to the UK-based customers and UK-based staff in Australia, i.e. Office 365, file servers in Australian data centres… ?