On 25 May 2018 the European Union's General Data Protection Regulation (the GDPR) began to apply. The GDPR regulates the handling of personal data by “controllers” and “processors”, and it can apply irrespective of whether the controller or processor is established in the EU.
Australian businesses, individuals, public authorities, agencies and other bodies may therefore be bound by the GDPR and, if so, will be required to comply with its data protection requirements in addition to Australian privacy laws.
Does the GDPR apply to you?
The GDPR applies to the processing of personal data in the context of the activities of an establishment of a “controller” or “processor” in the EU, regardless of whether the processing itself takes place in the EU. Generally, a “controller” determines the purposes and means of the processing of personal data, and a “processor” processes personal data on behalf of the controller.
The GDPR also applies to the processing of personal data by controllers or processors not established in the EU, where the processing activities are related to:
- the offering of goods or services to individuals who are in the EU, irrespective of whether a payment is required; or
- the monitoring of the behaviour of individuals, as far as that behaviour takes place within the EU.
Therefore, an Australian business may be covered by the GDPR, including where the business has an office in the EU, or where its website enables individuals in the EU to order goods or services in a European language (other than English) or to pay in a European currency (such as euros). Recital 23 makes clear that the mere accessibility of a website from the EU, or the use of a language generally used in the country where the business is established, is not by itself enough; the question is whether factors such as language, currency and the ability to order make it apparent that the business envisages offering goods or services to individuals in the EU.
Personal data and the GDPR
The GDPR defines ‘personal data’ as: “any information relating to an identified or identifiable natural person”.
An “identifiable natural person” is “one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”
This definition of ‘personal data’ is similar to the definition of ‘personal information’ in Australia’s Privacy Act 1988 (Cth), which is ‘information or an opinion about an identified individual, or an individual who is reasonably identifiable’, whether or not the information or opinion is true or is recorded in a material form.
Obligations and requirements of the GDPR
The GDPR imposes numerous obligations and requirements on data controllers and processors. Some of these include:
- Consent: where the processing of personal data is based on consent, the controller must be able to demonstrate that the individual has consented to the processing of his or her personal data. Where a controller uses a pre-formulated declaration of consent, the request for consent must be presented in a manner which is ‘clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language’. Furthermore, an individual has the right to withdraw consent at any time, and it must be as easy to withdraw consent as it was to give it.
- Accountability: a controller is responsible for, and must be able to demonstrate compliance with, the principles relating to the processing of personal data in Article 5, including for example that personal data is “collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes”.
- Right to erasure (‘right to be forgotten’): an individual has the right to obtain from the controller the erasure of personal data concerning him or her without undue delay, and the controller has the obligation to erase the personal data without undue delay where one of the grounds in Article 17(1) of the GDPR applies (for example, where the data are no longer necessary for the purposes for which they were collected, or where consent is withdrawn and there is no other legal ground for the processing).
- Right to data portability: where the processing of personal data is based on consent or on a contract and is carried out by automated means, an individual who has provided their personal data to a controller has the right to receive that personal data in a structured, commonly used and machine-readable format, and to transmit it to another controller. However, this right ‘should not create an obligation for the controllers to adopt or maintain processing systems which are technically compatible’.
- Right to object: an individual has the right to object, on grounds relating to his or her particular situation, to the processing of their personal data where that processing is based on its being ‘necessary for the performance of a task carried out in the public interest’ or ‘for the purposes of the legitimate interests pursued by the controller or by a third party’. The controller must then stop processing unless it can demonstrate that its ‘compelling legitimate interest overrides the interests or the fundamental rights and freedoms’ of the individual, or that the processing is needed for the establishment, exercise or defence of legal claims. Where personal data are processed for direct marketing, the individual may object at any time and the controller must stop processing for that purpose.
- Responsibility of the controller: a controller must implement ‘appropriate technical and organisational measures to ensure and be able to demonstrate’ compliance with the GDPR. This may include the implementation of data protection policies.
- Representatives: a controller or processor who is not established in the EU but is subject to the GDPR must designate in writing a representative in the EU, unless an exception under Article 27(2) of the GDPR applies, such as being a public authority or body, or carrying out only occasional processing that does not involve large-scale processing of special categories of data or criminal conviction data and is unlikely to result in a risk to the rights and freedoms of individuals.
- Notification of a personal data breach: a controller must notify the “supervisory authority” of a personal data breach without undue delay and, where feasible, not later than 72 hours after becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals. Where the notification is not made within 72 hours, it must be accompanied by reasons for the delay. A processor also has an obligation to notify the controller of a personal data breach without undue delay. Where the breach is likely to result in a high risk to individuals, the controller must also communicate the breach to the affected individuals without undue delay. These requirements are similar to the Notifiable Data Breaches scheme under the Privacy Act 1988 (Cth), which commenced on 22 February 2018.
We note that there are many other requirements that data controllers and processors need to comply with under the GDPR and this article is only intended to provide a snapshot of the requirements of the GDPR.
Risk of non-compliance
The GDPR gives each “supervisory authority”, being an independent public authority established by a Member State pursuant to the GDPR, the power to impose administrative fines in accordance with the GDPR. The maximum administrative fine can be up to 20 million euro or, in the case of an undertaking, up to 4% of its total worldwide annual turnover of the preceding financial year (whichever is higher) for infringements of, among other things:
- ‘the basic principles for processing, including conditions for consent, pursuant to Articles 5, 6, 7 and 9’;
- ‘the data subject’s rights pursuant to Articles 12 to 22’;
- ‘the transfers of personal data to a recipient in a third country or an international organisation pursuant to Articles 44 to 49’.
A lower tier of fines of up to 10 million euro or, in the case of an undertaking, up to 2% of total worldwide annual turnover (whichever is higher) applies to other infringements, including breaches of the obligations of controllers and processors under Articles 25 to 39 (which cover, for example, data protection by design and by default, records of processing, security of processing and breach notification).
As seen above, the consequences of not complying with the GDPR can be significant. If the GDPR is relevant to you and your business, it is therefore crucial that you ensure that you comply with its requirements.
Article 3(1) of the GDPR.
Article 4(7) and 4(8).
Article 3(2).
Recital 23 of the GDPR.
Article 4(1).
Privacy Act 1988 (Cth) s 6(1); OAIC, Australian businesses and the EU General Data Protection Regulation (March 2018), 4.
Article 7(1).
Recital 42.
Article 7 and Recital 42.
Article 5.
Article 17.
Article 20.
Recital 68.
Article 21 and Article 6(1)(e)-(f).
Recital 69.
Article 24.
Article 27.
Article 33(1).
Article 3.
Article 4(21).
Article 83(5).