The General Data Protection Regulation: How will it affect Australian businesses?

The EU's new privacy law, the General Data Protection Regulation (GDPR) will take effect in May 2018 but its impact is not limited to European businesses. Australian businesses with European customers or staff may be affected too.

Which Australian businesses will need to comply with the GDPR?

There are two ways in which the GDPR might apply to Australian businesses:

1. The GDPR applies to the activities of an establishment located in the EU. The definition of “establishment” is very broad: it includes a branch or office, but it may also include less a formal presence, such as a sales representative or agent. It may even include a course of regular business activity in the EU, without any physical presence at all. If an Australian business has an establishment in the EU, the GDPR will apply to all data processing activities undertaken by that establishment. This will be the case even if those data processing activities take place outside the EU, and even if they relate to individuals located outside the EU.

2. For an organisation that does not have an establishment in the EU, the GDPR will apply only to personal information processing activities that relate to:

  • offering goods or services to individuals who are located in the EU; or
  • monitoring individuals who are located in the EU

As such, an Australian business without an establishment in the EU will still be subject to the GDPR to the extent that it is processing the data of individuals who are located in the EU for the purposes of offering them goods or services or monitoring their conduct.

These extraterritorial rules mean that the GDPR will affect many Australian businesses, many of whom would not expect to be subject to EU law. Even businesses who do not target Europe as a market may have a few customers located in the EU. Those businesses will have to comply with Australia’s Privacy Act in relation to personal information they hold about all their customers; in addition, they will have to comply with the GDPR in relation to those customers who are located in the EU. (For some digital businesses, this will mean they need to identify where their customers are located for the first time.)

The GDPR is only enforced by EU data protection authorities, so in practice Australian businesses who have no presence or assets in the EU – and no plans to establish any - may decide that they can safely ignore the new law. Unfortunately, few Australian businesses offering goods or services to, or monitoring, individuals located in the EU will be in this category.

What are the requirements of the GDPR?

The GDPR promises to be the strictest data protection regime in the world. It goes further than existing EU data privacy laws, and Australia’s Privacy Act, in a number of important respects. Some of the key new requirements of the GDPR include:

  • data breaches must to be notified to regulators within 72 hours, and to affected individuals without undue delay
  • opt-out consent mechanisms will no longer be a valid method of obtaining consent (for example, to use personal information for direct marketing)
  • businesses must implement internal privacy policies and processes and to keep written records of data processing activities, and
  • businesses may need to appoint a data protection officer and designate a data protection representative in the EU.

The GDPR also introduces a series of new rights for individuals, including a right to have their data erased (the so-called “right to be forgotten”), a right to object to data processing, and a right to take their data with them when leaving a provider.

European regulators have the power to enforce the GDPR by levying fines of up to 4% of an organisation’s global revenue or €20 million, whichever is greater. Individuals affected by a contravention of the GDPR may also take legal action against a business to recover compensation.

Transferring personal information from the EU to Australia

One provision of the GDPR which will affect all Australian businesses (whether they are subject to the GDPR or not) is the restriction on transferring personal information from the EU to Australia.

The GDPR imposes similar restrictions on transferring personal information outside the EU to previous European data privacy laws. As a general rule, an organisation may not transfer personal information from the EU to Australia unless:

  • the individual has been informed of the risks and provided his or her express consent to the transfer
  • the organisation has put in place appropriate safeguards for the data through contractual provisions or binding corporate rules (although, unlike previous EU data privacy laws, the GDPR does not require a specific form of contract for this purpose)
  • the transfer is required by a contract to which the individual is a party, or by a contract in the interests of individual between the data user and a third party, or
  • the transfer is required to establish, exercise or defend legal rights, in the public interest, or to protect the vital interests of any person.

Action items

Australian businesses should review their data processing practices to identify whether, and to what extent, the GDPR applies to them. If so, they have until May 2018 to become compliant with the new law.

Even those businesses to whom the GDPR does not apply should review any arrangements they have to transfer personal information from the EU to Australia to ensure they comply with the new requirements.