Australian organisations beware ‒ you could be caught by EU's new General Data Protection Regulation

By Alexandra Wedutenko, Mathew Baldwin
01 Feb 2018

The scope of the EU's new General Data Protection Regulation is broad enough to cover the activities of many Australian organisations.

Europe might be on the other side of the world, but in an online world it's only a click away - and so are its data protection laws.

From 25 May 2018, the European Union will be subject to the new General Data Protection Regulation (GDPR), which will impose a higher standard for the protection of the privacy of individuals than Australia's under the Privacy Act 1988 (Cth). This includes granting individuals the ability to take direct action for infringement, and national supervisory bodies the right to levy significant fines against companies that breach it.

Australian organisations' operations in Australia could fall under the GDPR where they either:

  • supply goods or services to, or monitor, individuals in the EU through an online presence; or
  • process personal data in connection with the activities of an EU establishment (which is undefined, but seems to require effective and real exercise of activity through stable arrangements), including potentially where this is done via a data centre of a service provider located in the EU.

The GDPR can apply to personal data in these contexts even where it doesn't relate to an EU resident, with the scope of processing defined broadly to mean the operations performed on personal data, including collection, storage, alteration, use and disclosure (Processing).

Even if you don't think your activities will leave you liable under the GDPR, given that privacy breaches can have a significant adverse impact on reputation it's wise to consider going beyond the Privacy Act's requirements, and the GDPR gives a good perspective on privacy "best practice".

GDPR: new rules from 25 May 2018

From 25 May 2018, the GDPR applies in each EU member, regulating the Processing of personal data without the need for national implementation (although the UK is set to leave the EU in March 2019, the UK Government has said it expects the GDPR will continue to apply in substance). EU members will supplement the GDPR with their own laws, including to identify the relevant national supervisory bodies.

Personal data is defined under the GDPR to mean any information "relating to" an identified or identifiable natural person (a data subject). While the Privacy Act also protects privacy by requiring relevant entities to comply with a set of Australian Privacy Principles (APPs) that apply to specific activities, such as the collection, storage, use or disclosure of personal information, the GDPR regulates the Processing of personal data under a broader set of principles and also grants privacy rights directly to data subjects. The scope of personal data under the GDPR is also potentially broader than the scope of personal information under the Privacy Act, which must be "about" an individual.

The GDPR regulates data Processing activities by entities that determine the purpose and means by which personal data is Processed (Controllers) and also by entities that Process personal data on behalf of Controllers (Processors).

While broader in scope, many of the obligations on Controllers and Processors under the GDPR are similar in nature to the obligations on Australian entities under the APPs. These include requirements to:

  • notify individuals of the purpose for which personal data will be Processed;
  • restrict Processing to the purpose for which personal data was collected, except in specific circumstances;
  • store personal data securely;
  • allow individuals to access their personal data; and
  • notify regulators and individuals in the event of certain data breaches (a requirement being introduced in Australia in February 2018).

However, in a number of significant areas, the obligations to protect personal data under the GDPR apply more broadly, with narrower exceptions than those in the Privacy Act. The GDPR also expressly grants enforceable rights to data subjects, with corresponding obligations in the APPs only enforceable through the Information Commissioner. Examples of where the GDPR imposes a higher standard include:

  • express rights under the GDPR for individuals to require erasure of their personal data (including where no longer necessary for the purpose for which it was collected), to restrict the purpose for which personal data can be Processed, and to withdraw consent for the Processing of personal data;
  • the GDPR's scrutiny on consent as a basis for Processing, with implied consent unlikely to be sufficient in most circumstance. Article 7 requires that consent be freely given and that any written consents clearly (and separately to other issues) specify the purpose for which consent is sought in an intelligible and easily accessible form, using clear and plain language; and
  • the GDPR requiring reporting of any personal data breach, unless it is unlikely to result in a risk to an individual's rights and freedoms. The GDPR also requires organisations to report breaches to the relevant individuals if there is a high risk to their rights and freedoms. The new data breach notifications under the Privacy Act only require reporting of disclosure or access likely to result in serious harm.

Controllers must also carry out data protection impact assessments and designate data protection officers. While this is similar to the new APP Code that will apply to Australian Government agencies, the GDPR applies these requirements more broadly and has more extensive provisions regulating the data protection officer's role.

Direct enforcement by data subjects

Under the Privacy Act, an individual needs to make a complaint to the Privacy Commissioner to seek a determination for interferences with their privacy. Under Article 79 of the GDPR, regardless of any action taken by a national supervisory body, each data subject has the right to access judicial processes and seek an effective remedy where they consider their rights have been infringed as a result of non-compliance in Processing personal data. Proceedings may be brought in the courts of the EU member where the Controller or Processor has an establishment, or (except in the case of a public authority exercising public powers) where the data subject resides.

A person suffering damage as a result of an infringement is also entitled under the GDPR to claim compensation from the Controller or Processor for the damage suffered. The Processor is liable to the individual where it has not complied with its obligations, or has acted outside or contrary to lawful instructions of the Controller and the Controller is jointly liable unless it proves it was not responsible (which is likely to be a high bar).

Enforcement and administrative penalties by supervisory bodies

In addition to direct enforcement, national supervisory bodies in the EU will be able to investigate conduct and enforce the GDPR, including by imposing administrative fines for some breaches of up to 20 million EUR or 4 % of total worldwide annual turnover in the preceding financial year. The level of fines are determined by national bodies, but are required to be effective, proportionate and dissuasive. The process for deciding to impose a fine is based on the circumstances of the breach and considers not only the nature of the infringement and seriousness, but also the action that led to it, the history of the party, and degree of co-operation with the national body.

Under the Privacy Act, the Information Commissioner does not have the power to issue fines, but in addition to declaring that compensation is payable to an individual, can apply to the Federal Court or Federal Circuit Court for a civil penalty order in respect of serious or repeated interference with privacy. However, the Information Commissioner's guidance supports a conclusion that only the most flagrant or serious conduct would meet this requirement, with no reported cases of applications to date, and a maximum for such penalty orders of $2.1 million for corporations, which is considerable less than the potential for administrative fines under the GDPR.

Application of GDPR to Australian organisations

The GDPR will apply under Article 3(1) to organisations that Process personal data in the context of their own establishment within the EU. In addition, both Articles 3(1) and 3(2) extend the GDPR in a number of circumstances to regulate the activities of organisations that do not have an EU establishment.

Under Article 3(2), the GDPR will apply to organisations without an EU establishment if Processing of personal data is related to either:

  • offering goods or services to data subjects in the EU; or
  • monitoring data subjects' behaviour as far as it takes place in the EU.

This means that Australian organisations offering goods or services to individuals located in the EU, or monitoring their activities, will be required to comply with the GDPR, regardless of whether they have a physical establishment in the EU. This will potentially apply to organisations such as banks and airlines targeting EU customers, as well as other online retailers if they regularly sell into the EU market.

More controversially, under Article 3(1) the GDPR also has application beyond where the Controller has an EU establishment. Article 3(1) extends to situations where Processing "relates" to the activities of an EU establishment, of either the Controller or a Processor. This is very broad, and may capture the activities of an Australian organisation where a subcontractor has an EU establishment that either Processes or is responsible for the Processing of personal data on the organisation's behalf. There is no requirement that the data subjects be EU residents under Article 3(1).

Most global IT vendors and large corporates have established or access data centres via cloud services off-shore. A popular choice for data centres is Ireland (an EU member), which is home to data centres run by companies including AWS, Apple, Facebook, Google, IBM and Microsoft. Many IT vendors will also provide follow-the-sun support that can involve access to and Processing of customer data from offshore locations, potentially under sub-contracting arrangements. In this context, even where an Australian organisation does not have a presence in the EU, if they use a service provider that Processes their data in connection with the operation of an EU data centre, potentially both the Australian Controller and the EU Processor will be jointly liable under Article 3(1) of the GDPR in respect of the Processing activities. It will be important for Australian organisations to have an awareness of who is providing them with services (including any subcontractors) and where they are Processing personal data.

While an organisation may assess as low the likelihood of an EU national supervisory body pursuing administrative penalties in respect of personal data of non-EU citizens, as the GDPR grants direct rights to data subjects, it also presents an alternative pathway for non-EU citizens to raise complaints and take legal action to recover compensation for a breach of their data privacy.

For organisations without an EU establishment that are subject to Article 3(2), there are also obligations to appoint a representative within the EU that data subjects and EU national supervisory bodies are entitled to interact with for the purpose of ensuring GDPR compliance.

Cross-border data flow issues

Both the Privacy Act and the GDPR provide for restrictions on the cross-border transfer (disclosure under the Privacy Act) of personal data. However, they differ in terms of application, with the Office of the Australian Information Commissioner issuing guidance suggesting that transfer of personal information to an overseas recipient will not always amount to "disclosure". For example, if a cloud provider were to access information under a services agreement and the Australian organisation retained effective control of how the information is handled, this may amount to "use" rather than disclosure under the Privacy Act, which is not subject to the same requirements on cross-border transfer.

When there is a transfer of personal data that is undergoing Processing in a third country, the GDPR does not make this same distinction between use and disclosure, restricting transfers of data for the purpose of Processing in the third country (including where the transferor remains the Controller of the data). Transfer is permitted in circumstances including where the EU has made a finding of adequacy of national privacy laws (no such finding has been made in respect of Australia under the current EU directive which is less onerous than the GDPR ), or where the Controller or Processor has provided adequate safeguards, and on condition that enforceable rights and effective legal remedies for data subjects are available. In the absence of meeting these more general exceptions, while other grounds are available, it will be difficult for an organisation to transfer personal data outside the EU, as:

  • to use consent as a basis to transfer personal data requires that it be express and freely given with notice of the possible risks (it has been suggested that this may not always be possible to obtain in the case of one party having uneven power); and
  • to justify transfer under a contract with the data subject it must be "necessary" for performance, not just convenient.

These requirements are also harder to meet than the requirements under the Privacy Act for cross-border disclosure, which only require (where they apply) that the entity take reasonable steps to ensure the overseas recipient does not breach the APPs and also allow disclosure to an overseas recipient based on express consent.

While the protections in the GDPR are then likely to satisfy any requirements under the Privacy Act on cross-border transfers where an Australian organisation discloses personal data to an EU service provider, they will impose additional requirements when transferring personal data to (or back to) Australia. The EU has not made an adequacy decision in respect of Australia's privacy laws and it will be difficult for an Australian organisation to obtain certainty that transfer of personal data into Australia is permitted under the GDPR. Many of the measures listed in the GDPR as providing adequate safeguards will only apply for transfer to a Processor outside the EU or are directed to intragroup transfers.

To ensure certainty, the best option for an Australian organisation may be to seek authorisation of the relevant EU national supervisory body of a contract with the Processor on terms that give protection to the rights of the data subjects consistent with the GDPR. This may also require the Australian organisation to notify and enter into binding arrangements directly with data subjects whose data it Processes, giving equivalent contractual protection to the rights under the GDPR. In some circumstances it may also be possible to justify transfer on the basis of:

  • obtaining fully informed express consent to the transfer from data subjects; or
  • relying on adequate contractual provisions with the Processor and/or data subjects, without approval by the relevant EU national supervisory body, though this is not clearly permitted by the text of the GDPR and carries a risk if the measures are later found to be insufficient.

Getting Australian organisations ready for the GDPR

Prior to implementation of the GDPR, Australian organisations need to ensure that they make an assessment about whether the GDPR will apply to their operations, and take measures to either avoid the application of the GDPR, or ensure both they and any service providers are compliant with the GDPR.

This includes assessing whether they (or service providers on their behalf) are:

  • monitoring or offering goods or services to individuals based in the EU under Article 3(2) of the GDPR; or
  • engaging in Processing of personal data in the EU, or in connection with the activities of an EU establishment under Article 3(1).

Even where the GDPR does not apply to an organisation, it may still be appropriate to adopt a stricter approach to privacy protection than is mandated under the Privacy Act - such as by requiring express consent from individuals wherever possible - as part of demonstrating commitment to international best practice.

Disclaimer
Clayton Utz communications are intended to provide commentary and general information. They should not be relied upon as legal advice. Formal legal advice should be sought in particular transactions or on matters of interest arising from this communication. Persons listed may not be admitted in all States and Territories.