What you need to know – EU General Data Protection Regulations
Did you know that the European Union (EU) has introduced new data protection measures that may apply to Australian businesses?
The new set of stronger data protection rules is known as the “General Data Protection Regulation” (GDPR). The GDPR will strengthen the individual’s right to personal data protection, reflecting the status of data protection as a fundamental right in the EU (Article 8 of the EU Charter of Fundamental Rights).
Who does the GDPR apply to?
The GDPR applies to all companies operating in the EU wherever they are based.
When do the new regulations come into effect?
The new regulations will come into effect on 25 May 2018 and will apply to any Australian business that obtains or uses the ‘personal data’ of EU residents. Some of the provisions in the GDPR may require Australian businesses to change or update their Privacy Policies. If you operate a business in the EU, you will need to consider how you use the personal data of EU residents.
What is personal data?
Personal data is any data ‘relating to an identified or identifiable natural person’. This is the definition applicable under the GDPR and is similar to the definition used in Australia’s Privacy Act 1988 (Cth), which defines ‘personal information’ as:
‘Information or an opinion about an identified individual, or an individual who is reasonably identifiable:
- whether the information or opinion is true or not; and
- whether the information or opinion is recorded in a material form or not.’
Importantly, the GDPR also has certain protections on the use of ‘special categories’ of personal data. This includes information about subjects such as political affiliations, racial or ethnic origin, religious beliefs, trade union membership, and data concerning the health or sex life of a person. If there is a chance that you may be obtaining some of the information above, then most likely you will have specific obligations that your business must comply with.
Does the GDPR apply to my business?
The GDPR applies to any Australian business that holds, collects, controls, or processes the personal data of EU residents. It also applies to businesses that have an establishment in the EU, for example, if your business has an office in the EU. If you think the GDPR might apply to your business, you need to further consider what specific obligations you may need to comply with.
Businesses with an establishment in the EU
If your business has an establishment in the EU, regardless of size, and handles the personal information of EU residents, then you will have to ensure that you meet your obligations under the GDPR. These obligations apply to any business that controls or processes personal data, regardless of whether the personal data is processed in the EU establishment. For example, if your business engages in data collection or data processing of EU residents in the US, and you also have an office in the EU, then the GDPR will apply to your business.
Businesses without an establishment in the EU
The GDPR may still apply to your business, even if you do not have an establishment in the EU. This is the case if your business engages in data processing activities, either as a processor or a controller, that relate to either:
- offering goods or services to residents in the EU (irrespective of whether a payment is required); or
- monitoring the behaviour of individuals in the EU, where that behaviour takes place in the EU.
If your business falls into the above category, then in most cases you will also need to appoint a representative established in an EU Member State to handle any claims and concerns regarding your use of any personal information collected in relation to EU residents. For more information, and to see whether you might be exempt from this, please refer to Article 27 of the GDPR.
What are the requirements under the GDPR?
If your business is affected by the GDPR, you may have substantial obligations that your business is required to follow. These may include implementing principles governing how you use and process data, the lawfulness of the data processing, how you secure the data, and accountability measures. For example, you may have to show how your business complies with the principles relating to processing of personal data listed under Article 5 of the GDPR. Further, the GDPR may require you to implement data protection policies to ensure that your business handles personal information in a manner consistent with the GDPR. Other, more stringent requirements of the GDPR include preparing a compulsory data protection impact assessment (DPIA) where the processing of personal information is likely to be classified as ‘high risk’ in relation to a person’s rights and freedoms.
Notice and consent
The GDPR requires that businesses handling the personal information of EU residents comply with strict consent and notice obligations. This means that in certain circumstances an individual must give consent to the processing of his or her personal data. Further, the consent must be given in relation to a specific purpose, it must be freely given, and it must be informed. This means that consent obligations under the GDPR will not be satisfied if, for example, a person does not have a genuine choice in giving consent (e.g. a pre-ticked agreement box). In addition, the GDPR requires that notice be given to individuals regarding how their personal data is being processed. This information must be clear and concise so that individuals can properly understand how their personal data may be used.
What happens if my business does not follow the GDPR obligations?
If your business is affected by the GDPR, it is important that you are aware of your obligations and exactly what you need to do to ensure your business is compliant. There are significant penalties for businesses that contravene their obligations under the GDPR. These include fines of up to 20 million Euro, or 4 percent of annual worldwide turnover (whichever is higher). Remember that these obligations come into effect on 25 May 2018, and your business may need time to consider what measures and changes are required to ensure that it is compliant with its new obligations under the GDPR.
Sam Gilbert, IP and Technology Consultant, B.A., LL.B University of Technology, Sydney
For any more information, or to find out if your business is up to speed with its requirements under the GDPR, please do not hesitate to get in contact with the team at W3IP LAW at 1300 776 614 or 0451 951 528.
Disclaimer. The material in this post represents general information only and should not be taken to be legal advice.