The EU General Data Protection Regulation (GDPR) goes further than previous European privacy rules. It requires organisations that collect the data of EU citizens to comply with the regulations, regardless of where in the world the organisation is based.
Organisations that breach the regulations are subject to tough new penalties, with the most serious breaches attracting penalties of up to 4% of annual global turnover, or 20 million Euros (A$32 million), whichever is greater.
The regulations require organisations that hold or process personal data to implement a process of ‘privacy by design’. This is similar to Australia’s Privacy Principles. It requires the collecting organisation to limit the data collected to only the information absolutely necessary to perform its duties or services. It also limits the number of entities that have access to personal data, for example, where data is sent to a third-party processor.
How do the changes apply to Australian organisations?
Australian companies that may be covered by the regulations include those:
Offering goods or services to European citizens through a targeted approach, such as an option to pay in a European currency, or to change the website’s language to a European language. This applies irrespective of whether payment is required for the goods or services;
Monitoring the behaviours of European citizens, such as tracking individuals on the internet or using data profiling techniques to analyse personal preferences and predict behaviours, regardless of whether the website is selling a product, and
With an office in the EU, regardless of whether the office processes personal data.
What should Australian organisations do in order to ensure that they are conforming with the European regulations?
Irrespective of whether you think your company will need to comply with the European regulations, you should take steps to review your policies and procedures for collecting, storing and processing personal data to ensure that they represent world’s best practice. This will protect your company against an inadvertent breach of applicable privacy laws.
You should also review the way your customers consent to having their data collected by your organisation. The consent should be written clearly, in plain language, and separately from other terms and conditions. It should include the purpose of collecting the data and a notice informing users that they may apply to have their data rectified or erased in future.
If your company contracts with a third-party provider to store or process data that your organisation collects, you should also check the policies and procedures of the contractor to ensure that they meet the requirements of the GDPR.
In line with the ‘privacy by design’ approach, organisations should try to de-identify personal data using pseudonyms as soon as possible and ensure that there is a high degree of transparency surrounding the functions and processing of personal data.
Some businesses processing large amounts of personal data may also have to appoint a data protection officer to monitor compliance and liaise with European authorities. This mirrors the Australian requirement for organisations to appoint an employee responsible for management of privacy obligations.
How do the European laws compare to Australia’s data privacy laws?
| | Australia (Privacy Act) | European Union (GDPR) |
|---|---|---|
| Who does it apply to? | All private sector and not-for-profit organisations with an annual turnover of more than $3 million, all private health service providers and some small businesses. | Any organisation collecting or processing the data of European citizens, whether based in the EU or not, including monitoring their online behaviours and processing personal data to offer goods or services to them. |
| What is personal data/information? | Information or an opinion about an identified individual, or an individual who is reasonably identifiable; whether the information or opinion is true or not and whether it is recorded in a material form or not. | Any information related to a natural person that could be used to identify them, including name, photo, email address, bank details, social networking posts, medical information or a computer IP address. It also includes information that could assist in identifying a person, such as genetic, mental, economic, cultural or social identity factors. |
| What consent is required from users to collect personal data? | Consent has four elements. The Privacy Act does not specify a minimum age of consent. The Office of the Australian Information Commissioner (OAIC) considers that an individual over 15 may provide consent. | Long and legally complicated terms and conditions requesting consent are no longer allowed. A request for consent to collect personal data, and the purpose of collecting it, must be written in clear and plain language and distinguishable from other matters. Silence, or a pre-ticked box, is not sufficient. It must be as easy to withdraw consent as it is to give it. |
| What are the general obligations of organisations collecting data? | Entities must take reasonable steps to implement practices, procedures and systems to ensure compliance with the Privacy Act and the Privacy Principles. An employee should be appointed with responsibility for privacy management and to conduct impact assessments for projects. | An organisation collecting data must implement appropriate technical and organisational measures to show compliance with the GDPR. A data protection officer may need to be appointed, and impact assessments undertaken, to determine if data collection is likely to result in a high risk to individuals. |
| What rights do individuals have to be forgotten and have their personal data deleted? | There is no equivalent right to erasure. Organisations are required to take reasonable steps to de-identify or destroy personal information if it is no longer needed for any permitted purpose. | Individuals who have provided personal data have a right to be forgotten, that is, to have their data erased and possibly to stop third parties processing it. A controlling entity must set time limits for erasure of personal data, or for periodic review of its storage. Time for storage must be kept to a “strict minimum”. |
| Can personal data be transferred overseas? | The entity must take reasonable steps in the circumstances to ensure the overseas recipient of the personal information does not breach the Australian Privacy Principles (APPs). The Australian entity is responsible if the overseas recipient breaches the APPs. | Personal data may be transferred to countries that have an adequate level of data protection, where standard data protection rules apply or that have approved codes of conduct in place, similar to the APPs. The entity controlling the collection of data is responsible for ensuring appropriate safeguards are in place for the data transfer. |
| What if there is a breach in the secure collection or storage of personal data? | Where a breach is likely to result in serious harm to any individuals to whom the data relates, the organisation must notify the OAIC as soon as practicable after becoming aware of the breach. The organisation must then notify affected individuals as soon as practicable. | If a data breach is likely to result in a high risk to the rights and freedoms of individuals, it must be reported to European authorities within 72 hours of becoming aware of it. The affected individuals must be notified without undue delay. Some exceptions apply. |
| What are the penalties for breaching the regulations? | The OAIC has a range of regulatory powers to investigate a complaint, hold a hearing, accept an enforceable undertaking or apply to the Federal Court for a civil penalty order for a breach of a civil penalty provision. The maximum penalty the Federal Court can order for a body corporate is five times the civil penalty provision for the provision breached. A body corporate that breaches Australia’s new notifiable data breaches scheme could be fined up to $2.1m. | A tiered approach to fines has been introduced. The most serious breach attracts a fine of up to 4% of annual global turnover or 20 million Euros (A$32m), whichever is greater. An example of a serious infringement would be processing personal data without sufficient consent. A person who suffers damage from a breach may also seek compensation from the company that collected or processed the data. |