
12 December, 2017

Does the GDPR apply to my Australian business?

The General Data Protection Regulation (“GDPR”) is a significant regulatory development in the privacy law of the European Union (“EU”). The GDPR applies from 25 May 2018 and sets regulatory thresholds that Australian businesses need to be aware of when benchmarking their privacy practices. The following is a high-level analysis of some significant elements of the GDPR in the context of Australian businesses.

What is the GDPR about?

In essence, the GDPR is a modernisation of the existing European laws that empower individuals to control aspects of the data generated about them. Specifically, the GDPR expands, entrenches and standardises the regulatory approach of Directive 95/46/EC of 1995, also known as the Data Protection Directive (“DPD”).

The first change to note is that, unlike its predecessor, the GDPR is a regulation rather than a directive. Regulations are directly applicable and enforceable in all member states of the EU as soon as they take effect. Directives, on the other hand, must be transposed into national law in each member state, which is why data protection rules under the DPD varied from country to country.

Some of the GDPR’s significant substantive changes include:

  • Expressly recognising, and placing direct obligations on, both data controllers and data processors. This extends the regime to organisations such as third-party contractors (e.g. cloud computing or third-party payment providers) that process personal data on behalf of others and do not deal directly with individuals in the EU.
  • Establishing mandatory requirements for how organisations approach privacy in the design of their goods and services, store personal data securely, and notify regulators and affected individuals of personal data breaches.
  • Significantly increasing the penalties for contraventions of European privacy law. Fines under the GDPR are two-tiered: serious breaches are punishable by fines of up to €20 million or 4 per cent of worldwide annual turnover, whichever is greater, whilst less serious contraventions can attract fines of up to €10 million or 2 per cent of worldwide annual turnover, whichever is greater.

Does the GDPR apply outside of the EU?

Yes, the GDPR may apply to Australian organisations. The regulation expands the extraterritorial reach of EU privacy law by expressly stating that its provisions apply to entities outside the EU that process the personal data of individuals in the EU in connection with offering them goods or services, or monitoring their behaviour. This includes entities that maintain no EU presence at all. The GDPR will apply, or is likely to apply, to an Australian company if it:

  • establishes an office or other establishment in the EU;
  • enables customers to order or pay for goods or services in a European language (other than English) or in Euros;
  • maintains a website that targets customers or users in the EU, for example by referring to customers or users located there (merely having a website that is accessible from the EU is not, by itself, enough); and/or
  • monitors the behaviour of individuals located in the EU, for example by tracking them online or using data processing techniques to profile or analyse them.

It is yet to be seen how the GDPR’s extraterritorial scope will be enforced.

There is a further global element of the GDPR from an enforcement perspective. Where an entity is found to be in breach of the GDPR, the percentage-based fines are calculated on the basis of worldwide annual turnover, not just EU revenue. This means that a company’s global business may be penalised for European legal breaches.

Australia to follow suit?

In Australia, data and privacy are governed by the Australian Privacy Principles (“APPs”), contained in the Privacy Act 1988 (Cth). Although the GDPR’s approach is broadly similar to the Australian Privacy Act in spirit, many Australian businesses may face far greater regulatory burdens under the GDPR, and much larger fines. Notable discrepancies include the fact that the APPs do not apply to many small businesses (generally those with an annual turnover of $3 million or less), whereas the GDPR has no small business exemption, and that the Privacy Act imposes less strict requirements for obtaining consent to the collection of personal data.

It is reasonable to assume that over time Australia may move to adopt provisions similar to those of the GDPR. Accordingly, Australian organisations may wish to evaluate their information handling procedures and governance structures ahead of the GDPR’s commencement on 25 May 2018.

The information above is general in nature. If you would like to make sure your business is GDPR compliant, please feel free to contact us below.