There has been a lot of interest and concern in Australia about the applicability and impact of the European Union General Data Protection Regulation (the GDPR), which came into force on 25 May 2018.
As you delete that final email asking you (again) for your consent, you may be asking yourself what the introduction of the GDPR means for Australian businesses who may already be complying with their Australian privacy law obligations.
In this article, we provide a high-level, practical answer to this question.
What is the GDPR?
The GDPR is the new European Union Regulation about privacy and data protection. It essentially regulates the “personal data” of individuals in the EU through the entire life-cycle of collection, use, retention, transfer and deletion.
The GDPR therefore covers similar ground to the Australian Privacy Act 1988 and the Australian Privacy Principles (the Australian Privacy Law), which regulate the collection, use and disclosure of “personal information” (a definition that differs in nuanced ways from “personal data” under the GDPR). The GDPR is widely considered to be the most wide-ranging, broadly applicable and comprehensive privacy legislation in the world.
While the GDPR has only just become fully enforceable, the entire regulation has been on the books in final form since January 2016. Regulators are likely to take the view that businesses have had ample time to prepare.
Think about your supply chain
So what does this mean for Australian businesses?
The first thing to consider is that, while your business may not directly collect the personal information of individuals in the EU, the GDPR may still affect you indirectly because of the agreements you have with customers or suppliers. So ask yourself, “do I deal with the personal information held by EU corporate customers?”
The reason is that the GDPR forces your EU corporate customers to have specific terms in their sub-contracts with companies processing personal information. These terms replicate to some extent the EU corporate customer’s own obligations under the GDPR.
The clear and present danger for Australian business isn’t whether the French Commission Nationale de l’Informatique et des Libertés is going to come to the antipodes with questions or fines…
Instead, the reality is that your EU corporate customers, to whom the GDPR undoubtedly applies, and who are far more at risk from their national privacy regulators, are going to start making sure that their contracting arrangements are compliant.
That doesn’t just mean your EU corporate customer’s relationship with you – it also includes your relationships with your service providers down the chain which process personal information for your business. According to the GDPR, the EU corporate customer is on the hook for all of it.
What does this mean practically?
It means that if you want to keep or obtain new EU corporate customers, you’ll probably have to update your customer terms and conditions for them, as well as your sub-contracts with your subcontractors (known as processors or sub-processors) who access or are provided personal information (for example, CRMs, cloud-based systems and some data analytics tools).
The specific requirements for these contracts come from a few places, primarily Article 28 of the GDPR, which applies to all processing and sub-processing arrangements, and Article 46, which deals with international transfers of personal information.
What makes things complicated for Australian businesses is that Australia has not been recognised as having “adequate privacy laws” by the European Commission. This means that further “appropriate safeguards” have to be taken by organisations which want to transfer information to Australian service providers.
This might involve further terms and conditions (model clauses nominated by the EU) or consent, which the GDPR makes more difficult to manage.
The good news is that larger sub-processors are probably onto it already, meaning you may be able to rely on the steps they have taken to be GDPR-compliant.
OK, I understand that my EU corporate customers will be looking for new contracts. What about the direct application of the GDPR to my business?
If your business sells goods or services directly to customers in the EU and you collect personal information about individuals in the EU, you will likely be caught by the GDPR. The GDPR may also apply directly to you in many cases where you are processing the personal information of individuals in the EU, with or without an intervening EU corporate. The requirements are deceptively complicated – consider whether you are targeting and marketing goods and services to individuals in the EU, or monitoring and profiling them.
Sometimes the answer is obvious – but if you think you’re on the fence, seek legal advice.
So what else do I have to do under the GDPR if I’m already complying with Australian Privacy Law?
Whether you’re complying with the GDPR directly or through a contract, it’s worth noting the substantial overlap between the GDPR and the Australian Privacy Law.
Broad principles in the GDPR like data minimisation, transparency, use only for specified purpose, and security are all already reflected in the Australian Privacy Principles. Both require “privacy by design”.
One of the key differences is that the GDPR has the concepts of “controllers” and “processors”. “Controllers” are effectively the entity that decides why personal information is collected and processed.
They are responsible for ensuring that personal information is processed in accordance with the GDPR, whether they process it themselves or outsource to a “processor”.
“Processors” only process personal information on behalf of, on instructions from, and under a contract with, the controller, and have more limited obligations than controllers.
The GDPR places obligations on controllers that are more onerous than the Australian Privacy Law. Some of the key differences are as follows:
Choice of “lawful basis” of processing
A data controller under the GDPR has to ensure that it processes personal information under a “lawful basis”, which could be:
- contractual obligation to the individual
- compliance with a legal obligation
- necessity to protect vital interests
- necessity for a task carried out in the public interest
Consent is harder to obtain
In Australia, consent can be implied. Under the GDPR, it must be explicit by “a statement or by clear affirmative action”. Under both systems, consent must be able to be withdrawn at any time.
Data subjects’ enhanced rights
While there is already a right of access and right to correct personal data in Australia, the GDPR adds additional rights such as the right to erase data, the right to data portability and the right to not be subject to decisions based solely on automated processing except in certain circumstances.
Appointment of EU representative and Data Protection Officer
You might need to appoint a “representative” established in the EU, or a Data Protection Officer.
Greater data breach requirements
You’ll need to report a greater range of data breaches in a much shorter time frame.
What public action has been taken under the GDPR?
With respect to Google, the complaint noted that the maximum possible fine is 4% of the revenue of the Alphabet Group, amounting to about €3.79 billion.
The GDPR will likely directly affect your business if you supply goods or services to individuals in the EU. It may also affect your business if you have an EU customer or client which has to meet its own obligations under the GDPR. In that case, your EU customers or clients may require new or updated agreements for the processing of personal information, and require that you impose the same obligations on your service providers regardless of their location.
The GDPR is a regulation with genuine teeth, as the recent complaints against Google and Facebook show. While clear guidance is likely to be some ways off, these complaints show that companies whose business model involves targeted advertising to individuals in the EU will need to have particular care with their privacy strategy. This will include carefully considering the lawful bases of processing on a granular level.
It is never too late to comply with the Australian Privacy Law and now the GDPR, so now is a good time to undertake an audit to understand the collection channels, lawful bases of processing and life cycle of personal information in your business, as well as the technical and organisational security measures you have in place. Don’t wait for a complaint to be filed against you or one of your EU customers.