June 27, 2018

The EU General Data Protection Regulation and what it means for Australian business

While the GDPR and the Australian Privacy Act 1988 (the Privacy Act) share a number of common features, the GDPR contains heightened compliance obligations, enhanced consumer rights and significantly higher penalty provisions.

Many Australian organisations have had to quickly identify whether they are subject to the GDPR, and if potential exposure exists, review and develop policies and procedures to facilitate compliance.

Australian organisations likely to be impacted by the GDPR include businesses that are registered as foreign entities within the EU, have an office in the EU, provide online and electronic services that target EU customers, or are responsible for websites that contain personal data of individuals in the EU. Australian businesses that rely upon third parties that process or control data within the EU will also be impacted by the GDPR.

Unlike Australia's Privacy Act, which does not apply to some organisations whose annual turnover is $3,000,000 or less, the GDPR applies to the data processing activities of all businesses regardless of their size, provided the data processors or controllers fall within the GDPR's territorial scope.

Compliance with the Australian Privacy Act will not necessarily result in compliance with the GDPR. The GDPR imposes new obligations on Australian businesses including:

  • Enhanced individual rights, including the right to access personal data free of charge in an electronic format, the right to erasure (a right to have personal data erased in certain circumstances), and the right to data portability (a right to receive personal data in a structured and commonly used electronic form that can also be transferred to another controller);
  • Expanded accountability and governance requirements, under which an organisation must be able to demonstrate that its processing of personal data is performed in accordance with the GDPR;
  • Consent to the processing of personal data must be freely given, specific and informed. An unambiguous indication of the data subject's wishes is required, and that agreement must be provided by a statement or by clear affirmative action; and
  • Mandatory notification to the supervisory authority within 72 hours of becoming aware of a data breach, where the breach is likely to result in a risk to the rights and freedoms of natural persons.

While these expanded rights and obligations do not currently exist under the Australian Privacy Act, the GDPR is also influencing the development of privacy laws within the Asia Pacific region, including in Japan, Hong Kong and the Philippines. Over time the GDPR is also likely to influence amendments to Australia's Privacy Act.

Australian data breaches that are notifiable under the Privacy Act may also trigger an organisation's GDPR obligations. The trigger for notification under the Australian Privacy Act is a breach that is "likely to result in serious harm" to affected individuals. This is a different threshold to the trigger under the GDPR, which requires notification to the relevant supervisory authority within 72 hours where there is a "risk" to the rights and freedoms of natural persons, and notification to affected individuals where there is a "high risk".

Under the GDPR, the threshold for notifying individuals is therefore higher than the threshold for notifying the supervisory authority, and the supervisory authority threshold ("risk") is lower than the Privacy Act's "serious harm" threshold. As a result, even if an Australian organisation determines that notification is not necessary under the Privacy Act, it may still be required to notify the relevant supervisory authority, or affected individuals, under the GDPR.

Over time, GDPR compliance will become increasingly important to many Australian organisations. They will need to incorporate key components of the GDPR into their existing risk registers, data protection policies and procedures, and incident response plans, so that investigation and notification obligations are met in the manner the GDPR requires. They will also need to review existing contractual arrangements with third parties that process or control data within the EU and manage any relevant counterparty risk.