The General Data Protection Regulation: How does it affect Australian businesses?

The European Union’s new privacy law, the General Data Protection Regulation (the “GDPR”), recently took effect. But the GDPR does not just affect European businesses: Australian businesses may be affected too.

Do I need to comply with the GDPR?

Australian businesses will need to comply with the GDPR if they fall into one of two categories:
 
1. Your business has an “establishment” located in the European Union (“EU”) which processes personal information.
 
“Establishment” doesn’t just mean a branch or office: it may also include a less formal presence, such as a sales representative or agent. It may even include a course of regular business activity in the EU, without any physical presence at all.

A European Court of Justice case from 2014 involving Google illustrates how broad the concept can be. Google Inc operates its popular search engine from the USA. Google has a subsidiary in Spain which sells advertisements on the search engine to Spanish businesses. While Google’s Spanish subsidiary does not operate the search engine, the court deemed that Google was nevertheless processing personal information in Spain, because the revenue from the advertisements sold by Google’s Spanish subsidiary was effectively funding the search engine.

If your business has an establishment in the EU, the GDPR will apply to all data processing activities undertaken by that establishment. This will be the case even if those data processing activities take place outside the EU, and even if they relate to individuals located outside the EU.

2. Your business processes personal information in the course of:

  • offering goods or services to individuals who are located in the EU; or
  • monitoring individuals who are located in the EU.

The critical factor is whether the individuals are “located in the EU”. Citizenship or residency is irrelevant. For some businesses, this will mean they need to identify where their customers are located for the first time. This rule also poses a challenge for businesses such as hotels and airlines, who frequently deal with travellers.

If your business is in this category, the GDPR will only apply to those processing activities which relate to offering goods or services to, or monitoring, individuals who are located in the EU. Any other processing of personal information will not be subject to the GDPR (although it will still be subject to the Australian Privacy Act).

These extraterritorial rules mean that the GDPR will affect many Australian businesses who would not usually expect to be subject to EU law. Even businesses who do not target Europe as their main market may have a few customers who are located in the EU. Those businesses will have to comply with Australia’s Privacy Act in relation to all processing of personal information; in addition, they will have to comply with the GDPR in relation to processing activities which relate to offering goods or services to, or monitoring, individuals who are located in the EU.

The GDPR is only enforced by EU data protection authorities, so in practice Australian businesses who have no presence or assets in the EU – and no plans to establish any – may decide that they can safely ignore the GDPR. There are still some risks in this approach: for example, it may be possible for an individual to seek an order for damages for breach of the GDPR against an Australian business in the United Kingdom and then seek to enforce that judgment in Australia. More generally, it is likely that more countries will start to adopt data protection laws based on the GDPR in the coming years, so becoming GDPR-compliant now may make data protection compliance easier later.

What are the requirements of the GDPR? 

The GDPR is the strictest data protection regime in the world. Even if your business already complies with Australia’s Privacy Act, there are a number of new measures you will need to take to comply with the GDPR. For example:

  • you may need to appoint a data protection officer to manage your privacy practices, and designate a representative in the EU to deal with regulators;
  • you must keep written records of data processing activities and be able to demonstrate your compliance with the GDPR on request by a regulator;
  • privacy notices to individuals need to contain more detail than is required under the Privacy Act about how you will process their personal information, and the grounds you are relying on to do that;
  • opt-out mechanisms which are valid for obtaining consent under the Privacy Act, such as pre-ticked check boxes, will not be valid to obtain consent under the GDPR;
  • if you use any third parties to process personal information on your behalf, you will need to include specific provisions in your contract with them;
  • if you transfer personal information across borders, you will need to put in place specific measures, such as the “Standard Contractual Clauses” approved by the European Commission; and
  • data breaches involving EU data subjects must be notified to EU regulators within 72 hours, and to affected individuals without undue delay (in addition to the notification requirements under the Privacy Act).

The GDPR also introduces a series of new rights for individuals, including a right to have their data erased (the so-called “right to be forgotten”), a right to object to data processing, and a right to take their data with them when leaving a provider.

European data protection authorities have the power to enforce the GDPR by levying fines of up to 4% of an organisation’s global revenue or €20 million, whichever is greater. Individuals affected by a contravention of the GDPR may also take legal action against a business to recover compensation.

My business is not directly required to comply with the GDPR – does the GDPR still affect me?

Even if your business does not fit into one of the above categories, it may still be indirectly affected by the GDPR if it deals with suppliers or customers who are subject to the GDPR. There are two situations where this may arise:

1. An entity which is subject to the GDPR is transferring personal information to you in Australia.

The GDPR imposes restrictions on transferring personal information outside the European Economic Area (“EEA”). As a general rule, an entity may not transfer personal information from the EEA to Australia, unless the individual has provided his or her express consent to the transfer or the organisation has put in place appropriate safeguards for the data (there are several other exceptions, but these are the most common).

The most common way to facilitate such transfers is by entering into a set of standard contractual clauses approved by the European Commission. You may well be asked by suppliers or customers in the EEA to enter into these clauses. These clauses may require you to treat the personal information you receive in accordance with either the GDPR or a simplified set of data protection principles.

2. You are processing personal information on behalf of an entity which is subject to the GDPR.

The GDPR distinguishes between “controllers” and “processors”. Controllers determine how personal information is processed; processors process personal information on behalf of the controller. Cloud service providers, payroll providers and mailing houses are all examples of processors.

If you are a processor for an entity which is subject to the GDPR, that entity will be required to include certain contractual obligations in its service agreement with you – for example, they must require that you only process the personal information in accordance with their documented instructions. While it is mandatory to include certain obligations, the wording for these contractual obligations is not prescribed by the European Commission, so there is some scope for controllers and processors to agree on appropriate terms. It is common for parties to agree to add these provisions as an “addendum” to an existing service agreement.

Of course, both the above situations may apply to your business, if you are receiving personal information in Australia in order to process it on behalf of an EU entity. In that case, it is common to combine the required contractual provisions in a single addendum.

What should I do now?

Australian businesses should review their data processing practices to identify whether, and to what extent, the GDPR applies to them.

If the GDPR does apply to your business, then it will almost certainly be necessary to upgrade your privacy practices and policies to meet the stricter requirements of the GDPR. Kennedys’ experienced data privacy specialists can assist you with this.

Even if the GDPR does not directly apply to your business, you should ask your suppliers or customers (particularly those in the EU) whether they need you to enter into additional contractual provisions or take any additional measures to allow them to comply with the GDPR. If you receive data protection agreements or addenda from your suppliers or customers, Kennedys can help ensure that they are appropriate to the circumstances and limited to what is necessary for your supplier or customer to comply with the GDPR.