The General Data Protection Regulation (“GDPR”) is a significant regulatory development in the privacy law of the European Union (“EU”). The GDPR becomes fully enforceable on 25 May 2018 and sets enduring regulatory thresholds that Australian businesses should be aware of when monitoring privacy best practice. The following is a high-level analysis of some significant elements of the GDPR in the context of Australian businesses.
In essence, the GDPR is a modernisation of the already existing European laws that empower individuals to control aspects of the data they generate. Specifically, the GDPR expands, entrenches and standardises the regulatory approach of 1995’s Directive 95/46/EC, also known as the Data Protection Directive (“DPD”).
The first change to note is that, unlike its previous iteration, the GDPR is a regulation, the highest form of EU law. Regulations are immediately enforceable in all member states of the EU. Directives, on the other hand, must be transposed into national law in each of the member states.
Some of the GDPR’s significant substantive changes include:
Yes, the GDPR may apply to Australian organisations. The regulation expands the scope and extraterritorial reach of EU privacy law by expressly stating that its provisions apply to entities that collect or process the personal data of individuals located in the EU. This includes entities that have no establishment or other presence in the EU. The GDPR will apply to an Australian company if it:
It is yet to be seen how the GDPR’s extraterritorial scope will be enforced.
There is a further global element of the GDPR from an enforcement perspective. Where an entity is found to be in breach of the GDPR, fines are calculated on the basis of global revenues. This means that a company’s global business may be penalised for European legal breaches.
In Australia, data and privacy are governed by the Australian Privacy Principles (“APPs”), contained in the Privacy Act 1988 (Cth). Although the GDPR’s approach is broadly similar in spirit to the Australian Privacy Act, many Australian businesses may face far greater regulatory burdens under the GDPR, and much larger fines. Some discrepancies include the APPs not applying to some small businesses and imposing less strict requirements for obtaining consent to collect data.
It is reasonable to assume that over time Australia may move to adopt provisions similar to those of the GDPR. Accordingly, Australian organisations may wish to evaluate their information handling procedures and governance structures ahead of the GDPR’s commencement on 25 May 2018.
The information above is general in nature. If you would like to make sure your business is GDPR compliant, please feel free to contact us below.