EU General Data Protection Regulations (GDPR) and Australian Privacy Laws
What is ‘GDPR’?
The European Union fast tracked the implementation of the General Data Protection Regulations (GDPR) for the protection of personal data in member countries following the emergence of the Facebook data breach in February 2018. GDPR commenced on the 25 May 2018.
GDPR increased the governance and accountability of controllers and processors of personal data and provides individuals a number of new rights including the right of erasure, right of data portability and the right to object to processing of data including profiling. The new rights are currently not part of Australian privacy laws.
When does GDPR apply to Australian organisations?
Australian organisations irrespective of their size have to comply with the GDPR if they:
- have offices in a EU member country that process personal data, regardless of whether the “processing” of the data takes place in or outside the EU;
- operate outside the EU and offer goods or services to individuals in the EU, that involves the processing of personal data of individuals located in the EU;
- are involved in the monitoring of behaviour of individuals in the EU on the internet and use data processing techniques to analyse or predict personal preferences, behaviours and attitudes[i].
GDPR defines “processing” to mean any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. [ii]
What are the major differences between GDPR and Australian privacy laws?
1. Governance and Accountability
The GDPR expanded governance and accountability requirements include the principle of “data protection by design and by default”[iii], mandatory data protection impact assessments prior to data processing where the processing is likely to result in high risk to the rights and freedoms of individuals[iv] and the implementation of risk mitigation measures before processing where the assessment indicates high risk[v].
Some exceptions apply to small business.
Protection of Data by Design and by Default under GDPR
The principle of “data protection by design and by default” under GDPR requires organisations to implement appropriate technical and organisational measures to show that they have considered and integrated data protection measures in their data processing activities.
From a practical perspective, the design and implementation of any new projects, business processes, practices, procedures, transactions and systems will require consideration of privacy compliance and data protection from the outset as a part of the design stage/phase. Appropriate technical and organisation measures also have to be implemented where there is a default or non-compliance.
Although the Australian privacy laws do not expressly implement the principle of “data protection by design and by default”, the existing OAIC Privacy management framework requires organisations to adopt a “data protection by design” approach where entities are considered better placed to meet their privacy compliance and data protection obligations in the design of their information handling processes, from an organisational and technological perspective[vi].
The OAIC Privacy management framework also requires entities undertake evaluations of the areas of risk when deciding on what are the reasonable steps required to ensure compliance with the APP.
The OAIC expects organisations to have a culture of compliance by appointing key roles and responsibilities for privacy management with a senior member of staff having overall accountability.
The GDPR provisions for obtaining informed consent from an individual for the processing of personal data are more stringent than under the Australian privacy law. Explicit consent from the individual is one of the legal grounds for the processing of personal data[vii]. An individual’s consent to the processing data must be freely given, specific, informed and unambiguous indication by the individual by a statement or by a clear affirmative action that signifies agreement to the processing of personal data[viii].
Parental consent is required for processing of data from children under the age of 16 years. In the case of some EU member states the age limit for parental consent may be different and organisations should check the age limit for parental consent in each EU member state[ix].
Reporting of data breaches
Data breaches have to be reported to the relevant GDPR supervisory authority within 72 hours of the breach unless the breach is unlikely to result in high risk to the rights and freedoms of an individual. Under Australian privacy law a notifiable data breach has to be notified to the OAIC and the individual as soon as practicable after the organisation becomes aware of the breach.
Sanctions for non-compliance with GDPR
The sanctions for non-compliance with GDPR are significantly higher than under Australian privacy laws. Fines up to Euro 20 million or 4% of the annual worldwide turnover (whichever is the higher) can be imposed under GDPR.
2. Individual Rights
GDPR gives individuals new data rights which currently are not part of Australian privacy laws. The new rights are the right of erasure, right to object to processing of data including profiling and the right of portability of data.
The right of erasure (which includes the right to be forgotten)[x]
The right of erasure gives the individual the right to require an organisation to delete their data in certain circumstances including where personal information is no longer required for the purpose for which it was collected, where the individual withdraws their consent to the use of the data and there are no legal grounds for processing the data. Exceptions apply to this right.
Although there is no equivalent right under Australian privacy law, individuals do have a right to access their personal information if the exceptions do not apply (APP12). Individuals also have a right to require organisations to correct personal information so that it is accurate, up to date, complete, relevant and not misleading (APP13).
Organisations are also required to take reasonable steps to destroy or de-identify information that is no longer required for the permitted purpose where retention is not required under an Australian law (APP 11.2)
Right to object to the processing of data including profiling[xi]
The right to object gives the individual the right at any time to object to the processing of the individual’s information including profiling. Where an organisation receives an objection, it must stop the processing unless exceptions apply. The exceptions do not apply where processing is for direct marketing. Profiling includes any form of automated processing of personal data consisting of the use of the personal data to evaluate certain personal aspects relating to a person, in particular to analyse or predict aspects concerning that person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movement[xii].
Right of data portability[xiii]
The right of data portability gives the individual the right to receive personal data that the individual has provided to the organisation and to transmit the data to another organisation where the data is processed electronically.
Although there is not an equivalent right under existing Australian privacy laws, the introduction in Australia of the new Consumer Data Right (CDR) scheme in the banking, energy and telecommunications sectors, will give consumers (that is, individuals and small/medium businesses) the right to access CDR data and to direct the companies that hold their CDR data to transfer the data to the consumer or an accredited entity. The CDR data that a consumer will be able to access and have transferred is still to be determined for each industry sector. The CDR data will have to be transferred in a format that is proscribed by the new law. The draft Consumer Data Rights Bill has been issued for consultation and submissions.
Compliance with GDPR
Compliance with GDPR for Australian companies and other organisations involved in any data processing activities involving personal data of individuals located in EU member states, can be complex and costly. GDPR implemented by each EU member state are not uniform and permitted variations exist. Checks of GDPR have to be made in each relevant EU member country to ensure compliance.
Resources are available for GDPR compliance on the European Commission website https://ec.europa.eu/commission/priorities/justice-and-fundamental-rights/data-protection/2018-reform-eu-data-protection-rules_en. Expert advice should be sought.
Authored by Katarina Klaric, Principal, Stephens Lawyers & Consultants
© Stephens Lawyers & Consultants. September 2018
This Information Sheet is not intended to be a substitute for obtaining legal advice.
For further information contact:
Stephens Lawyers & Consultants
Suite 205, 546 Collins Street
Melbourne VIC 3000
Phone: (03) 8636 9100
Fax: (03) 8636 9199
Email: [email protected]
All Correspondence to:
PO Box 16010
Collins Street West
Melbourne VIC 8007
[i] GDPR, Article 3.
[ii] GDPR Article 4 Definitions
[iii] GDPR, Article 25.
[iv] GDPR, Articles 35
[v] GDPR, Article 30.
[vi] OAIC Privacy Management Framework: enabling compliance and encouraging good practice, Page 3
[vii] GDPR Article 6
[viii] GDPR Article 3. Definition – Consent.
[ix] GDPR Article 8.
[x] GDPR, Article 17.
[xi] GDPR Article 21
[xii] GDPR, Article 4(4).
[xiii] GDPR, Article 20.