On 25 May 2018, the European Union’s (‘EU’) new data protection framework – the General Data Protection Regulation (‘GDPR’) – took effect. It replaced the Data Protection Directive of 1995.
Like its predecessor, the GDPR captures ‘personal data’. This refers to information such as the names, addresses, email addresses, location data and IP addresses of consumers. As such, both controllers (businesses who determine the purposes and means of processing data) and processors (third parties who process the data on behalf of the controllers) are affected.
The objective of the GDPR is to harmonise privacy laws across EU Member States. Organisations, irrespective of size, are obliged to ensure a high level of privacy protection. This means enhanced accountability requirements. Further, there is a responsibility to obtain ‘informed and unambiguous’ consent from consumers. This is a clear reflection of Article 8(2) of the Charter of Fundamental Rights of the European Union. Penalties for non-compliance are also provided.
APP entities caught by the GDPR
In Australia, the Privacy Act 1988 (Cth) (‘Privacy Act’) imposes obligations on ‘APP entities’. Section 6C of the Privacy Act defines an APP entity as a government agency or an organisation. This includes businesses with an annual turnover of $3 million or more, or which hold sensitive personal data (such as physical and mental health information).
The Privacy Act contains 13 Principles which regulate how personal data is to be collected, stored, used and disclosed. However, the jurisdiction of the GDPR is extensive. It will apply to APP entities, provided they offer goods and services, or monitor individuals, within the EU. For example, if an APP entity has an office in the EU, targets EU consumers through a website, or tracks EU consumers to predict their preferences for advertising purposes, they will be captured.
The EU is Australia’s second largest trading partner in goods and services. This includes medical and pharmaceutical products. Consequently, the GDPR will affect how data protection matters are addressed in commercial planning. Certain APP entities will need to consider whether to block EU consumers altogether or implement processes to ensure GDPR compliance. These processes are more demanding than those required by the Privacy Act. They must allow consumers to control, monitor, check and delete personal data.
Australian health and pharmaceutical organisations may be particularly affected. This is because the goods and services they provide elicit sensitive personal data. For example, Australian private health insurers that offer ‘visitors insurance’ to EU consumers may process data pertaining to their health status, genetics, sexual orientation, religious beliefs or biometrics.
Privacy by design
The GDPR requires that organisations implement measures to minimise the processing of personal data. Pseudonymisation is one such measure. It refers to the separation of data from direct identifiers. The result is that linkage to a consumer’s identity is not possible without additional information (which is held separately).
This means data protection is built in from the outset of system design, rather than added later. APP entities will be familiar with pseudonymisation. Privacy Principle 2.1 provides that individuals must have the option of using a pseudonym when dealing with an APP entity.
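The following is an added illustration of the pseudonymisation measure described above; it is not code from the article or from any regulator. It assumes a set of constructed patient-style records and a secret key that the controller keeps apart from the analytic data set. Direct identifiers (name, email) are stripped from each record and replaced by a keyed pseudonym; the mapping back to the identifiers is held in a separate lookup table, so re-identification requires that additional information while records can still be linked for analysis.

```python
"""Pseudonymisation demo: separate direct identifiers from a record and replace
them with a keyed pseudonym, keeping the re-identification data separately.
Added example; names, keys and records are constructed, not real."""
import hashlib
import hmac
import secrets
from collections import Counter

# Constructed sample records (hypothetical; not real people).
PATIENTS = [
    {"name": "Alice Example", "email": "alice@example.com",
     "diagnosis": "asthma", "visit": "2018-05-25"},
    {"name": "Bob Example", "email": "bob@example.com",
     "diagnosis": "migraine", "visit": "2018-05-26"},
    {"name": "Alice Example", "email": "Alice@Example.com",
     "diagnosis": "asthma", "visit": "2018-06-01"},
]

# Fixed key so the demo is reproducible. In practice generate one with
# new_key() and store it separately from the pseudonymised data set.
DEMO_KEY = b"constructed-demo-key-not-for-production"

DIRECT_IDENTIFIERS = ("name", "email")


def new_key() -> bytes:
    """Generate a fresh 256-bit secret for pseudonym derivation."""
    return secrets.token_bytes(32)


def make_pseudonym(identifier: str, key: bytes) -> str:
    """Deterministic pseudonym: HMAC-SHA256 over the normalised identifier.

    The same identifier always yields the same pseudonym, so records about
    one person stay linkable. Without the key, the pseudonym cannot be
    recomputed from a guessed identifier, and it carries no identifying content.
    """
    normalised = identifier.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()[:16]


def pseudonymise(records, key, direct_identifiers=DIRECT_IDENTIFIERS):
    """Return (pseudonymised_records, lookup_table).

    pseudonymised_records hold only the pseudonym plus non-identifying
    attributes; lookup_table is the 'additional information held separately'
    that maps a pseudonym back to the direct identifiers.
    """
    pseudonymised, lookup = [], {}
    for rec in records:
        pid = make_pseudonym(rec["email"], key)
        lookup[pid] = {k: rec[k] for k in direct_identifiers}
        stripped = {k: v for k, v in rec.items() if k not in direct_identifiers}
        pseudonymised.append({"pseudonym": pid, **stripped})
    return pseudonymised, lookup


def reidentify(pseudonym: str, lookup: dict):
    """Reverse a pseudonym using the separately held lookup table.
    Returns None when the pseudonym is unknown."""
    return lookup.get(pseudonym)


def visits_per_person(pseudonymised_records) -> Counter:
    """Analysis still works on the pseudonymised set: count visits per person."""
    return Counter(r["pseudonym"] for r in pseudonymised_records)


if __name__ == "__main__":
    data, table = pseudonymise(PATIENTS, DEMO_KEY)
    for row in data:
        print(row)
    print("visits:", dict(visits_per_person(data)))
    print("re-identified:", reidentify(data[0]["pseudonym"], table))
```

The analytic copy (`data`) can be handed to a team that has no need for identities, while the lookup table and key stay with the controller under separate access control; rotating the key produces a fresh set of pseudonyms that cannot be linked to the old ones.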
Appointing an EU representative
If an Australian organisation controls or processes the sensitive personal data of EU consumers, either through monitoring or offering goods and services, it will need to appoint a representative. The representative shall be established in an EU Member State and will act as a point of contact for supervisory authorities and individuals in the EU on data processing issues. This will not affect Australian organisations which process data only occasionally, or where the processing of sensitive data is not ‘on a large scale’. Government agencies will not be affected by this requirement.
Pursuant to subsection 6(1) of the Privacy Act, ‘consent’ may be express or implied. The GDPR, however, sets a far higher standard. Consent must be requested in an easy-to-understand and accessible format, and requests for consent should be distinct from other terms. There must also be an easy way for the consumer to withdraw their consent. For sensitive data, such as medical information, consent must be explicit. If the consumer does not have a genuine choice, or is unable to refuse consent without experiencing detriment, then consent will not be valid.
Existing consents will only suffice if they meet the new conditions.
Organisations will need to keep sufficient records to demonstrate that consent was given.
Consent and minors
The Privacy Act does not specify an age at which individuals start making their own privacy decisions. However, guidelines provided by the Office of the Australian Information Commissioner (‘OAIC’) suggest that an APP entity may presume that individuals aged 15 years or over have capacity to consent. In contrast, the GDPR states that the processing of a child’s personal data shall be lawful if the child is at least 16 years old. Parental consent must be given for children under this age.
Fair processing notices
The GDPR requires that consumers be provided with transparent information at the time the data is obtained.
Australian organisations covered by the GDPR will need to re-examine existing notices, as the requirements in the GDPR are more rights-based than those in the Data Protection Directive. They are also more demanding than those set out in the Privacy Act, under which APP entities must take reasonable steps to give consumers notice about the matters set out in Principle 5.
Data breach notifications
If a data breach poses a high risk to individual rights or freedoms, organisations will need to advise the EU Data Protection Authorities within 72 hours of awareness. Justification must be provided if the timeframe is not met. The consumer must also be notified without undue delay.
Although this measure appears burdensome, APP entities will be aware of the notifiable data breach scheme which commenced in Australia on 22 February 2018. The scheme applies when a breach will result in serious harm to individuals to whom the data relates. After becoming aware, APP entities must inform the OAIC and the affected consumers of a data breach as soon as practicable.
In accordance with Article 13 of the GDPR, consumers have the right to confirm whether their personal data is being processed. Further, they can ask for a copy of the personal data, free of charge. Similarly, Australian consumers have a right to request access to, and correction of, their personal data under Principles 12 and 13. Under Principle 12, where reasonable and practicable, an APP entity must give access in the manner requested by the individual.
Furthermore, under the GDPR, consumers have the right to request that an organisation erase their personal data where the consumer withdraws their consent or the data is no longer relevant to the original purposes for processing. In Australia, there is no equivalent right under the Privacy Act. However, Principle 11.2 requires an APP entity that holds personal information to destroy the information or ensure it is de-identified once it is no longer needed for any purpose permitted under the Privacy Act. Such destruction must still comply with document retention requirements under legislation or common law.
There is a tiered approach to fines under the GDPR, based on the seriousness of the infringement. The maximum fine for a breach of privacy is 20 million euros or 4 per cent of an organisation’s annual global revenue. This is a considerably harsher penalty than those provided for in the Privacy Act.
Although most exemptions provided by the GDPR relate to EU Member States, there are some applicable to APP entities. Such exemptions include:
- Where personal data is disclosed in accordance with the exercise of a government agency’s official tasks (such as tax and customs authorities);
- Where the personal data relates to deceased persons;
- Where the data is anonymous;
- Where the data relates only to personal or household activity, as opposed to a professional or commercial activity; and
- Where government agencies collect data to prevent, investigate, detect or prosecute criminal offences, or to prevent threats to public safety.
Despite some similarities with the Privacy Act, many APP entities will need to implement new processes to be GDPR-compliant. Arguably, these processes accord far greater consumer protection than that required by Article 17 of the International Covenant on Civil and Political Rights.
For further information please contact the Law Compliance team:
Phone: 1300 862 667