One of the most significant data privacy reforms, the General Data Protection Regulation, is set to take effect this week. It may have far-reaching implications for Australian retailers. Have you audited your business and prepared for the changes?
Earlier this year we told you about preparing for the impending data reforms. Now the time has come. The European Union General Data Protection Regulation (the GDPR) contains new data protection requirements that will take effect on 25 May 2018. If you are doing business in the EU or if your business processes personal information of individuals in the EU then you need to ensure that your business complies with the new regulations.
- What is it?
The GDPR imposes strict obligations on businesses subject to the regulation in relation to governance, consent, profiling and data portability. These replace the existing data protection rules to create a uniform set of laws across the EU, enhancing consumer trust in online services.
Some Australian businesses covered by the equivalent Privacy Act 1988 (Cth) (the Privacy Act) may also need to comply with the GDPR. While the two laws have a similar purpose and similar requirements, there are differences (see the comparison table below).
An example of ASOS requesting opt-ins from consumers to comply with the GDPR consent rules
- What happens if I don’t comply?
There are significant penalties for failing to comply. The maximum penalty for breaching lower severity obligations is €10,000,000 (approximately AUD$17.7m) or two percent of annual worldwide turnover for the preceding financial year, whichever is the greater amount. The maximum penalty for breaching higher severity obligations is €20,000,000 (approximately AUD$35.4m) or four percent of annual worldwide turnover for the preceding financial year, whichever is the greater amount.
- Am I bound by it?
The GDPR applies to all businesses with an establishment in the EU. However, it also applies to businesses outside the EU that engage in ‘data processing’ activities in relation to offering goods or services to individuals in the EU (whether for payment or free of charge) or monitoring the behaviour of individuals in the EU. Data processing in this context is equivalent to collecting, using or transferring personal information. The scope of the regulation is therefore quite large, and Australian businesses that thought they were exempt may in fact fall within the definition of these activities. The regulation protects all ‘individuals in the EU’, so it is not restricted to EU citizens or to purchases made in the EU. If a business knows that its goods or services will be used by someone while they are in the EU, this may fall within the scope of the regulation.
Similarly, the definition of companies who may be doing business in the EU is larger than simply having a presence there. Does your business:
- Have a physical presence in the EU (e.g. an office, or a permanent agent or representative of the business)?
- Have a website or advertising that specifically references customers in the EU or describes the business as providing goods or services to those in the EU?
- Use the language or currency of an EU member state, or have an EU top-level domain (e.g. company.fr)?
Simply being able to access your site from the EU is not enough to establish that you are doing business in the EU; the level of engagement is a factor. However, the definition is broad, and businesses need to consider all data flow arrangements with affiliate entities, and any advertising strategies that may reach those in the EU.
Many Australian online retailers may fall under this provision based on how they collect and use data (for example, cookies for profiling purposes).
- What now?
Complete a comprehensive audit to find out whether or not the GDPR applies to your business. As you can see, it’s not as simple as whether or not you have a presence in the EU. If your business falls under the scope of the GDPR, work out which of your privacy and data management practices need to be modified in order to comply.
Given the similarities between the Privacy Act and the GDPR, Australian businesses may already have some of the measures required by the GDPR in place. Despite this, it is essential to evaluate all your practices and governance structures in light of the GDPR and to seek legal advice where necessary to ensure strict compliance. Adhering to the additional measures required by the GDPR that aren’t covered by the Privacy Act will only increase consumer trust and streamline internal privacy practices across the board.
For more information about whether you are covered by the GDPR and whether you have taken adequate steps to comply, see the European Commission 2018 Reform of EU Data Protection Rules and take a look at the comparison table below:
| | GDPR | Australian Privacy Act |
| --- | --- | --- |
| Who does this apply to? | Data processing activities of businesses, regardless of size, that are data processors or controllers | Most Australian Government agencies, all private sector and not-for-profit organisations with an annual turnover of more than $3 million, all private health service providers and some small businesses |
| What does it apply to? | Personal data: any information relating to an identified or identifiable natural person (Art 4(1)) | Personal information (PI): information or an opinion about an identified individual, or an individual who is reasonably identifiable (s 6(1)) |
| Jurisdiction | Applies to data processors or controllers (a) with an establishment in the EU, or (b) outside the EU that offer goods or services to individuals in the EU or monitor the behaviour of individuals in the EU (Art 3) | Applies to businesses (a) incorporated in Australia, or (b) that ‘carry on a business’ in Australia and collect PI from Australia or hold PI in Australia (s 5B) |
| Accountability and governance | Controllers generally must: implement appropriate technical and organisational measures to demonstrate GDPR compliance and build in privacy by default and by design (Arts 5, 24, 25); undertake compulsory data protection impact assessments (Art 35); appoint data protection officers (Art 37) | APP entities must take reasonable steps to implement practices, procedures and systems to ensure compliance with the APPs and to enable complaints (APP 1.2). Businesses are expected to assign key roles and responsibilities for privacy management and to conduct privacy impact assessments for many new and updated projects |
| Consent | Consent must be: freely given, specific and informed; and an unambiguous indication of the data subject’s wishes which, by a statement or by a clear affirmative action, signifies agreement to processing (Art 4(11)) | Consent requires that: the individual is adequately informed before giving consent, and has the capacity to understand and communicate consent; the consent is given voluntarily; the consent is current and specific (OAIC APP Guidelines) |
| Data breach notifications | Mandatory data breach notifications by controllers and processors (exceptions apply) (Arts 33–34) | From 22 February 2018, mandatory reporting of breaches likely to result in a real risk of serious harm |
| Individual rights | Individual rights include: the right to erasure (Art 17); the right to data portability (Art 20); the right to object (Art 21) | No equivalents to these rights. However, businesses must take reasonable steps to destroy or de-identify PI that is no longer needed for a permitted purpose (APP 11.2). Where access is given to an individual’s PI, it must generally be given in the manner requested (APP 12.5) |
| Overseas transfers | Personal data may be transferred outside the EU in limited circumstances, including: to countries that provide an ‘adequate’ level of data protection; where ‘standard data protection clauses’ or ‘binding corporate rules’ apply; where approved codes of conduct or certification are in place (Chapter V) | Before disclosing PI overseas, a business must take reasonable steps to ensure that the recipient does not breach the APPs in relation to the information (APP 8; exceptions apply). The entity is accountable for a breach of the APPs by the overseas recipient in relation to the information (s 16C; exceptions apply) |
| Enforcement | Administrative fines of up to €20 million or 4% of annual worldwide turnover, whichever is higher (Art 83) | Powers to work with entities to facilitate compliance and best practice, and investigative and enforcement powers (Parts IV and V) |
Source: Office of the Australian Information Commissioner