The Short Answer Part One – the GDPR applies to organisations globally, regardless of size, that process the personal data of anyone in the European Union. More specifically, those people only have to be in Europe when you collect their data; they don’t have to be residents, citizens or even domiciled there. This applies to Australians travelling in Europe – when you’re there, you’re protected by EU law.
The Short Answer Part Two – if you have an office in the EU, offer goods or services (including online) to people in the EU (data subjects) or monitor their behaviour, the GDPR applies to you.
Another catch-all the GDPR has up its sleeve is that if you’re subject to public international law (which Australia is), then you need to comply where Short Answers Parts One and Two apply.
Let’s include a Short Answer Part Three – the Australian Privacy Act doesn’t cover universities, public schools, some small businesses etc., whereas the GDPR is somewhat simpler: basically, if you process personal data and you’re not doing so in the course of a purely personal or household activity, then you’re likely to ‘engage’ the GDPR – which is a clever way of saying that it applies to you.
The Australian Privacy Act (1988) was introduced to promote and protect the privacy of individuals and to regulate how Australian government agencies and organisations (where turnover > $3 million), and some other organisations, handle personal information. Apart from the turnover limits in the Privacy Act which the GDPR doesn’t have, there are many similarities in the obligations to protect individuals’ privacy.
Another difference between the Australian and European law is that Australia has the Information Privacy Act 2014 (ACT) which applies specifically to Australian Capital Territory (ACT) public sector agencies. This requires those agencies to establish two specific roles, the Privacy Champion and the Privacy Officer.
The Privacy Officer is similar to the GDPR’s requirement under certain circumstances to have a Data Protection Officer (DPO). The DPO, from a European law perspective, is a statutory role and there are three articles in the GDPR that outline the designation (when you need one), position and roles of the DPO. Interestingly this position appears not to be a requirement under the Privacy Act.
Regarding ACT public sector agencies, they may also require a Privacy Management Plan. This is not specifically called out in the GDPR but is a neat idea that should be included in a future revision of the GDPR.
The Australian Privacy Act identifies 13 Privacy Principles (Australian Privacy Principles or APPs) in Schedule 1, while the GDPR identifies 7 principles in Article 5. There’s a lot of crossover of the principles even when you consider the three exceptions outlined in the Australian Privacy Regulations 2013.
The Australian APP codes provide specific guidance and address different areas of the Privacy Act; however, in their objectives they’re similar to the GDPR’s principles.
The principles in both Australian and European data protection and privacy law are there to guide data protection and privacy activities and can also be used retrospectively to ask, ‘did we do what we should’ve done?’
Complying with the Australian Privacy Act will sadly not provide automatic compliance with the GDPR. Why? Basically, because the GDPR is a bit tougher on things like obtaining and managing consent, breach notification requirements, rights of individuals and a new requirement to appoint a data protection officer in certain cases.
Simply put, the GDPR is European data protection law that applies globally (see Short Answers).
The interesting bit about the GDPR is that it places the burden of proof on the organisation rather than on the individual. It’s now up to the organisation to show that it is complying with the law – and here’s the rub – you need to be able to show before you process someone’s personal data that you have all the right things in place, not afterwards. For example, you need to be able to show that you have a legal reason for processing their data before you actually do the processing, otherwise you’ll be processing their data unlawfully.
Just to be clear, this doesn’t mean that you need to go to each person every time you process their data – typically only the first time, and often this can be by way of the appropriate notification at the time you first process their data, e.g. from a ‘Contact Us’ page on your website.
Simply put, the GDPR protects individuals with regard to others processing their personal data.
Some of the detail in the GDPR includes:
The processing: under the GDPR, processing covers a wide range of activities, whether automated or not: collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction, and so on. The Privacy Act covers collection, holding, use, correction or disclosure of personal information.
The data: the GDPR is concerned with personal data, which is essentially any data that can be used to identify a (living) individual, and this is similar to the definition under our Privacy Act 1988. This ‘personal data’ includes things like name, phone number, address etc. The similarity continues between the GDPR ‘special categories’ and the Australian Privacy Act definition of ‘sensitive information’, which includes things such as sexuality, racial or ethnic origin, medical/genetic data, trade union membership and political affiliation.
The rights: the GDPR identifies 8 rights (legal entitlements): the right to be informed, the right of access, the right to rectification, the right to erasure, the right to restrict processing, the right to data portability, the right to object and, lastly, the rights in relation to automated decision making and profiling.
The notifications: the GDPR requires organisations to notify individuals on first processing (or when there is a change to the purposes or means) of a number of facts, many of which are reflected in APP 5 (Australian Privacy Principle 5 – ‘Requirement for a collection notice’). The GDPR notifications are specific to personal data obtained from the individual themselves and also those provided by a third party.
The legal bases for processing: the GDPR requires that one or more of 6 identified legal bases be identified for processing personal data. These legal bases are: consent (the individual has given clear consent for you to process their personal data for a specific purpose); contract (the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract); legal obligation (the processing is necessary for you to comply with the law, not including contractual obligations); vital interests (the processing is necessary to protect someone’s life); public task (the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law); and lastly legitimate interest (the processing is necessary for your legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests).
In the Privacy Act this is somewhat looser, as personal data can only be collected, used or disclosed by fair and lawful means and if the personal data is ‘reasonably necessary’. Some exceptions provided for under the Privacy Act include the processing of sensitive information (where consent is required) and health and emergency situations.
Some gotchas: the first one is the concept of controllers and processors. These concepts aren’t included in the Privacy Act but are very important in the GDPR and especially so if Australian businesses are engaging the GDPR (see Short Answers above).
Under the GDPR a controller is an individual, public authority, agency or other body (read ‘organisation’) that alone or jointly determines the purposes and means of the processing of personal data. A processor only processes personal data on behalf of the controller and under the controller’s instructions. If the processor does otherwise then a joint-controller relationship arises which then needs to be dealt with differently.
While the Privacy Act mentions APP entities (agencies or organisations), the distinction between controllers and processors is not included. The GDPR adds another class of relationship to the controller and processor perspective: the joint controller.
These distinctions are important under the GDPR as it requires transparency of your personal data processing. Without going into detail it’s also worth knowing that there are different obligations on the organisations who undertake these different roles and most importantly that each is linked with regard to obligation and liability, and in some cases the liability can be multiplied rather than reduced.
A second gotcha is consent. Automatic opt-in is not permitted under the GDPR. If you want someone’s consent, for example, to provide them a monthly update, they should provide consent that is specific to that purpose. Remember too that if you’re processing under the legal basis of consent, individuals also have the right to withdraw that consent, in which case you are obliged to stop processing the personal data for the purposes for which consent was collected in the first instance.
The Privacy Act defines consent as express consent or implied consent – clearly a big jump from the GDPR definition.
The third gotcha is the DPIA (data protection impact assessment). This has a relative in the Privacy Act in that the Australian Information Commissioner (AIC) has the power to conduct privacy assessments of APP entities (organisations or authorities). As a matter of interest, in the EU at the moment (and putting Brexit aside) there are some 28 member states and approximately 47 data protection authorities roughly equivalent to the OAIC.
Under the GDPR, the privacy impact assessment, aka data protection impact assessment (DPIA), is the responsibility of the organisation (specifically the controller) and must be undertaken whenever there is a risk that any new processing, or change to processing, of personal data will result in a risk to the rights and freedoms of the individual(s) affected. If the organisation decides not to undertake a DPIA, it should also document the reasons why that decision was taken.
There are other gotchas but perhaps the most pervasive gotcha is that which requires organisations to be able to prove prior to processing that they’re compliant. After the event is not sufficient. So not only does the organisation have to be able to show before it processes personal data that it is compliant, the burden of proof lies with the organisation not the individual.
Firstly, do the Short Answers earlier make sense in the context of your business, and do any of them apply?
If the answer is ‘none of them apply’ then you can probably just read the rest of this article for idle curiosity. However, if any of them apply then the rest of this article becomes somewhat more important.
Without knowing your specific circumstances this is difficult to answer, which doesn’t help you much, but that being said there’s a chance you won’t have to change your systems if you’ve paid attention to their design, architecture and implementation (although you should ensure that you’ve set all the security switches on).
If however you’re using as-a-service or cloud-based applications, services and utilities you’ll need to know that the GDPR has some specific things to say about this, in particular relating to organisational and technical measures which include security (physical and cyber as well as training). You should also be aware of the type of relationship you’ve entered into with your service providers with regard to the controller/processor concepts outlined earlier. Remember that under the GDPR these place obligations and potential liabilities on each party. You can’t outsource risk under the GDPR – the buck stops with you.
Again … the GDPR is about transparency.
Yes, troublesome might be the word, and you’ve possibly heard about the huge fines from scaremongers – fines up to 4% of your global turnover or €20 million (whichever is greater). On the face of it pretty severe, but to attract this sort of sanction you’d need some egregious violation of the law. While we’re on this, it’s worth mentioning a few other nasties that don’t often make the headlines – these include the potential for the equivalent of class actions and even for criminal penalties! Oh yes, one other thing: the potential fines can account for profit in cases where the offending organisation has benefitted from the unlawful processing of personal data.
The Office of the Australian Information Commissioner (OAIC) has confirmed that it will continue to use its enforcement powers under the Australian Privacy Principles (APPs) where a privacy breach arises.
On a more rigorous note, the Australian Privacy Act holds that much of Chapter 2 of the Criminal Code applies to all offences against the Privacy Act.
Before reaching for the off switch it’s worth mentioning that both the GDPR and the Privacy Act, despite the preceding paragraphs, are really about doing the right thing, specifically ensuring that individuals’ privacy is taken seriously.
Lastly, a worthwhile mention is that the GDPR is really about being transparent in your processing of personal data and this doesn’t mean giving away the farm.
The GDPR is largely about ensuring that organisations manage personal data correctly. As mentioned above, it’s about being transparent about how you manage personal data. When it comes to sending personal data to a ‘third country’ (one outside the current 28 European Member States together with Norway, Iceland and Liechtenstein) you need to ensure that the countries you’re sending to provide the level of protection expected to
The European Commission has created another category of countries, outside those just mentioned above, recognised as providing adequate protection without needing further safeguards. The countries within this group include: Andorra, Argentina, Canada, Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Switzerland, Uruguay and the United States of America.
Australia isn’t currently in this list – so what does this mean? Basically, organisations in Australia will need to consider specific safeguards such as binding corporate rules, standard data protection clauses etc., or rely on very specific consent conditions from the individual whose personal data is being transferred.
The GDPR is not a standard that you can choose to implement or not – if you ‘engage’ the GDPR (see the Short Answers earlier) then you’re obliged to comply with the law – that simple. That being said, you should be wary of snake-oil; there ain’t no such thing when it comes to the GDPR.
It’s also worthwhile saying that you should look for help from consulting organisations who specialise in the areas of data protection and privacy and always remember - if you’re not sure, consult your Legal Counsel. Consider whether last year’s widget vendor is really likely to be your best choice for this year’s GDPR support …
Copy ‘n paste, downloadable toolkits and a sneaky skim from someone else’s website just won’t hack it. We see this often and all this does is advertise to the world what you’ve done! In the words of an Australian data protection lawyer now living in the UK, ‘compliance is enterprise-specific’. This means that only you will know the details of your processing, the jurisdictions you operate in, where your clients are, your providers, your data, your security … you get the idea?
Blanket advice from poor consulting has seen one UK company lose 98% of the contacts from their CRM – that was a big oops, because in that particular situation they weren’t able to go back to some 14 000 people to get their consent to continue processing their personal data. Most often the legal obligation to have privacy notices is improperly addressed, specifically on company websites, and all this does is advertise to the world that you’re not taking your legal obligations seriously.
Yes, there are many similarities between our Australian Privacy Act 1988 and the GDPR which means if you’ve taken privacy and data protection seriously (and also considered the Short Answers above) you’re probably on your way to being compliant with the GDPR.
Find a reputable organisation that specialises in data protection and privacy and get them to assess whether you need to comply and, if so, identify the things you need to consider first.
Remember you’ll be complying with the law so consider a risk-aware approach, address the legal minimum, recognise the gaps and get a good plan together. Data protection isn’t just for Christmas, it’s something you’ll need to ensure is part of the way you run your business – so as things change so will your data protection need to keep up.
Get a workshop or training from a reputable company to kick-start your journey.
Complying with the GDPR isn’t that difficult, but you do need to get it right, so put GDPR on the agenda before it becomes the agenda.
Some small print
Copyright © 2019 GDPR360 and Alan Simmonds