GDPR: Change to European privacy laws and its impact on Australian businesses
The European Union’s General Data Protection Regulation (GDPR) imposes significant changes to privacy law in Europe and will apply and be enforced from 25 May 2018. Organisations that fail to comply with the GDPR face heavy fines of up to €20 million or up to 4% of global annual turnover, whichever is higher. The GDPR will have a global impact because it applies to businesses operating in the EU as well as businesses outside the EU that offer goods or services to, or monitor the behaviour of, individuals in the EU. Businesses that are subject to the GDPR should assess their current information and privacy processes and governance structures, and take the necessary steps to ensure GDPR compliance.
Background to GDPR
After four years of debate, the GDPR was approved by the EU Parliament on 14 April 2016 and comes into force on 25 May 2018. The GDPR replaces the Data Protection Directive 95/46/EC and, as set out on the EU GDPR website, ‘was designed to harmonise data privacy laws across Europe, to protect and empower all EU citizens’ data privacy and to reshape the way organisations across the region approach data privacy’.
A major change is the extended jurisdiction of the GDPR set out in Article 3, as it applies to the processing of personal data of individuals in the EU by a controller or processor not in the EU where the processing activities are related to:
- The offering of goods and services, irrespective of whether a payment by the individual is required;
- The monitoring of their behaviour as far as their behaviour takes place within the EU.
Controllers determine the purpose and means of processing personal data (Article 4(7)). They are the principal party, with responsibilities that include collecting and managing consent and enabling rights under the GDPR. A processor is the organisation which processes personal data on behalf of the controller (Article 4(2)). The obligations on data processors under the GDPR are new. Article 28(1) requires controllers to only use processors providing ‘sufficient guarantees to implement appropriate technical and organisational measures’ that will meet the GDPR requirements.
Implication for Australian businesses and how to comply
The GDPR applies to the following:
- Australian businesses that are data processors or controllers with an establishment in the EU. That is, an Australian business operating either on its own account or through a related entity or subsidiary, that is either processing or controlling personal data of EU residents, whether or not the data is processed in the EU;
- Australian businesses offering goods or services to individuals in the EU (irrespective of whether payment is required).
- Australian businesses monitoring the behaviour of individuals in the EU, where that behaviour takes place in the EU. Internet tracking of individuals and profiling are examples of monitoring (Recital 24).
To comply with the GDPR, Australian businesses that are data controllers or processors and are not established in the EU must appoint a representative within the EU in one of the Member States where the individuals whose personal data are processed reside. The representative is the point of contact for supervisory authorities and individuals in the EU on all issues related to data processing under the GDPR (Article 27).
GDPR applies to personal data
The GDPR applies to the processing of personal data (Article 2). The GDPR states that ‘personal data’ means ‘any information relating to an identified or identifiable natural person (‘data subject’). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person’ (Article 4).
The GDPR refers to sensitive personal data as ‘special categories of personal data’ (Article 9). The special categories specifically include genetic data, and biometric data where processed to uniquely identify an individual.
The Privacy Act 1988 (Cth) defines personal information as ‘information or an opinion, whether true or not, and whether recorded in a material form or not, about an identified individual, or an individual who is reasonably identifiable.’ Additional protections apply to similar categories of ‘sensitive information’ (listed in section 6(1)); for example, Australian Privacy Principle 3.3 provides that sensitive information can only be collected if the individual consents and it is reasonably necessary for, or directly related to, one or more of the organisation’s activities.
The conditions for consent under the GDPR have been strengthened. Article 4(11) of the GDPR states that consent of the individual means any: ‘freely given, specific, informed and unambiguous indication of the individual’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her’.
The request for consent must be clear, concise, transparent and in easily accessible form, with the purpose for data processing attached to that consent. It must be as easy to withdraw consent as it is to give it. The UK ICO’s Guide states, ‘Consent means offering individuals real choice and control. Genuine consent should put individuals in charge, build customer trust and engagement, and enhance your reputation’.
Consent requires a positive opt-in. Silence, pre-ticked boxes or inactivity do not constitute consent (Recital 32). When the data processing activities have multiple purposes, consent is required for all of the processing purposes (Recital 32).
The Article 29 Data Protection Working Party published guidance on consent in January 2018. For comparison, under the Australian Privacy Act the OAIC’s APP Guidelines (see the comparison table at the end of this article) identify the key elements of consent as follows:
- the individual is adequately informed before giving consent
- the individual gives consent voluntarily
- the consent is current and specific, and
- the individual has the capacity to understand and communicate their consent.
Notification of Breach
Under the GDPR, notification must be made where a data breach is likely to ‘result in a risk for the rights and freedoms of individuals’. Notification must be made within 72 hours of first having become aware of the breach. Data processors are required to notify their customers and the controllers ‘without undue delay’ after first becoming aware of a data breach.
In Australia, notification must be made promptly to affected individuals and the Australian Information Commissioner where an organisation has reasonable grounds to believe a data breach is likely to result in serious harm. An organisation must take all reasonable steps to complete the assessment within 30 days after it became aware of the grounds that caused it to suspect an eligible data breach; see my article on Australia’s Notifiable Data Breach Scheme.
Rights of individuals under GDPR
The rights of individuals under the GDPR include: the right to transparent communications and information, the right of access, the right to rectification, the right to erasure (to be forgotten), the right to restrict processing in certain circumstances, the obligation on controllers to notify recipients, the right to data portability, the right to object, and the right to object to automated decision making (including profiling) in certain circumstances. Rights exercised and information provided pursuant to requests must be free of charge. However, a ‘reasonable fee’ can be charged when a request is manifestly unfounded or excessive.
Right of Access
Among the expanded rights under the GDPR is the right for individuals to obtain from the data controller confirmation as to whether or not personal data concerning them is being processed, where and for what purpose. The controller must provide a copy of the personal data, free of charge, in an electronic format. This is a significant change empowering individuals and highlights the shift to data transparency under the GDPR.
Right to be Forgotten
The right to be forgotten under the GDPR is set out in Article 17 and entitles individuals to have the data controller erase their personal data, cease further dissemination of the data, and potentially have third parties stop processing the data in certain circumstances, including: the data no longer being relevant to the original purposes for processing; or the data subject withdrawing consent. There are exceptions to this right, including where the processing is necessary for the exercise of a competing right, and controllers must weigh the data subject’s rights against ‘the public interest in the availability of the data’ when considering such requests.
In Article 20 the GDPR introduces the right to data portability: individuals are entitled to receive the personal data concerning them which they have previously provided, in a ‘commonly used and machine-readable format’, and ‘have the right to transmit those data to another controller’.
Transfers outside the EU
To ensure that an adequate level of personal data protection is guaranteed, international transfers to third countries outside the EU are only permitted where the conditions laid down in the GDPR are complied with (Article 44).
Transfers may take place to a third country or international organisation where the EU Commission has decided that it ensures ‘an adequate level of protection’ (Article 45(1)). The adequacy decisions under the current Directive remain in force under the GDPR; the countries determined by the EU Commission to provide ‘an adequate level of protection’ are: Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland and Uruguay. Transfers to the US are currently permitted pursuant to the Commission’s July 2016 decision on the adequacy of the protection provided by the EU/US Privacy Shield.
Transfers are also permitted where appropriate safeguards have been provided by the controller or processor and on condition that enforceable individual rights and effective legal remedies for the data subject are available (Article 46). Appropriate safeguards include:
- Approved binding corporate rules that enable transfers within a multinational group of companies (Article 47).
- Standard data protection contractual clauses approved by the EU Commission.
- An approved code of conduct pursuant to Article 40, where the recipient gives binding and enforceable commitments to apply appropriate safeguards.
- An approved certification mechanism pursuant to Article 42, together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards.
Accountability and Governance
The GDPR sets out expanded accountability and governance requirements including that data controllers must:
- Demonstrate that they comply with all the principles set out in Article 5(1) of the GDPR. These principles relate to the processing of personal data and include: lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; and integrity and confidentiality. Article 5(2) states that the controller is responsible for, and must be able to demonstrate, compliance with Article 5(1).
- Implement appropriate technical and organisational measures to ensure compliance with the GDPR, including implementation of data protection policies (Article 24).
- Implement ‘data protection by design and by default’. The controller is required, both at the outset when determining the means for processing data and at the time of processing, to implement appropriate technical and organisational measures to ensure it complies with the GDPR and protects the rights of individuals (Article 25). This includes ensuring that personal data is collected and processed only for the specific purpose of the transaction, that personal data is stored no longer than it is required, and that access to personal data is restricted.
- Implement appropriate technical and organisational ‘measures to ensure a level of security appropriate to the risk’. This includes, as appropriate: de-identification and encryption of personal data; ongoing confidentiality, integrity, availability and resilience of processing systems and services; the ability to restore the availability of and access to personal data; and a process for regularly testing, assessing and evaluating the effectiveness of the measures implemented to ensure security.
- Carry out a data protection impact assessment for high-risk processing (Article 35). A data protection impact assessment is required before undertaking processing of personal data which is likely to result in a high risk to the rights and freedoms of individuals.
- Appoint a Data Protection Officer (DPO) (Article 37) if the organisation falls within a category where a DPO is mandated. This includes: public authorities, organisations carrying out large-scale systematic monitoring of individuals (e.g. online behaviour tracking), or organisations carrying out large-scale processing of special categories of data or data relating to convictions and offences. DPOs are required to have ‘expert knowledge’ of data protection law and practices. The DPO must ‘directly report to the highest management level’, must not be instructed in the exercise of their tasks and must not be dismissed or penalised for performing their tasks (Article 38(3)).
A cost-efficient and effective response to GDPR
In order to comply with the GDPR, it will be critical for organisations to know and document the following:
- what information assets exist
- where data are located
- the flow of data within the organisation
- the value of the data and information held
- who has access, and
- how data and information is secured and protected.
More fundamentally, from the perspectives of both risk management and data usage and availability, there are many benefits for an organisation in having:
- an overarching strategic information governance framework; and
- a program of implementing unified information policies, processes and procedures throughout the organisation including privacy and privacy impact assessments, information security, and defensible disposition of records.
Boards and executives will find that this strategic approach involves the collaboration of all information stakeholders (such as privacy, legal, IT, cybersecurity, data analytics, and records and information management) and results in the breaking down of information silos, maximising the value of information while minimising the risks and ensuring compliance with all legal requirements, including the GDPR.
Best practice in privacy and information protection: be strategic and proactive
A strategic, proactive and unified information governance approach will ultimately be the most cost-effective and efficient way for organisations to meet the requirements of the GDPR as well as other privacy regulatory requirements, such as Australia’s Notifiable Data Breach Scheme.
Best practice should prompt organisations to establish and embed unified information governance of all information held by the organisation, in order to maximise the value derived from data (e.g. data analytics) as well as to minimise risks and costs, such as those of non-compliance with the GDPR or arising from a data breach. Under both the GDPR and Australia’s Notifiable Data Breach Scheme, embedding privacy by design (or ‘data protection by design and by default’, as it is referred to under the GDPR) requires organisations to be strategic and proactive in respect of the personal information they collect and store. Given the potentially enormous fines under the GDPR for non-compliance, as well as all the other costs involved in a data breach (business interruption, legal costs and reputational damage), organisations need to be proactive, prepared and ready to respond to data breaches.
Essential questions for businesses subject to GDPR
Australian businesses that operate in the EU or with customers in the EU should confirm whether they are covered by the GDPR, and if so, take the necessary steps to ensure compliance by May 2018. The GDPR requires organisations to ensure that they know the way in which they collect, process, store, share and dispose of personal data.
- Awareness & communication – are senior executives and all information stakeholders aware of the GDPR and the impact it will have on your organisation? Has GDPR training of employees occurred and is there an ongoing training program in place?
- Update privacy notices and privacy policies – are privacy policies and privacy notices compliant with the transparency requirements and the rights of individuals under the GDPR?
- Review information held – what personal data is held, where has it come from and with whom is it shared? Carry out an information audit and gap analysis, and implement a remediation plan as needed. The audit should examine how and when personal information is disposed of once its retention is no longer in accordance with the consent provided.
- Transfers outside of EU – is your business compliant with transfer mechanisms? What changes are needed to be compliant with the GDPR and how will you implement the changes to ensure compliance before GDPR comes into force?
- Update internal procedures – do you have policies, processes and procedures in place to deal with the practical implications of the new and extended rights for individuals under the GDPR? For example, can requests for information be responded to promptly and within one month? In relation to the rights of rectification and erasure, are procedures for ensuring notification is made to other organisations (e.g. suppliers) to whom an individual’s personal data has been disclosed in place?
- Review current systems such as technology and HR systems – are current systems and technology in place to ensure individuals can exercise their rights under the GDPR?
- Review supplier/processors contracts – ensure that supplier contracts are reviewed and if appropriate renegotiated to ensure GDPR compliance.
- Update data breach response plan – do you need to review and update your data breach response plan to ensure mandatory data breach notification to a local data protection regulator within 72 hours of data breach? Review and update processes and procedures for the detection, investigation, management and reporting of data breaches.
- Privacy by design / data protection by design – how can you ensure that any activity that involves processing personal data is done with data protection and privacy in mind from the outset and throughout each step of the process? Depending on the activities of your organisation, this may include specific projects, product or service development, and system developments such as IT and HR systems.
- Review insurance and cyber policies – are the terms and coverage of your current policies adequate? If not, add appropriate cyber and data insurance protection.
- Develop a unified Information Governance framework – does your privacy ecosystem align with a unified information governance framework to ensure the value of information throughout the organisation is maximised and risks of holding information are minimised?
Privacy regulation: EU and Australian comparison
The OAIC’s table below compares the requirements under the GDPR with the Australian Privacy Act (Privacy business resource 21: Australian businesses and the EU General Data Protection Regulation).

| COMPARISON | EU GDPR | Australian Privacy Act |
| --- | --- | --- |
| Who does this apply to? | Data processing activities of businesses, regardless of size, that are data processors or controllers | Most Australian Government agencies, all private sector and not-for-profit organisations with an annual turnover of more than $3 million, all private health service providers and some small businesses. |
| What does it apply to? | Personal data – any information relating to an identified or identifiable natural person: Art 4(1) | Personal information (PI) – information or an opinion about an identified individual, or an individual who is reasonably identifiable: s 6(1) |
| Jurisdictional link | Applies to data processors or controllers: · with an establishment in the EU, or · outside the EU, that offer goods or services to individuals in the EU or monitor the behaviour of individuals in the EU: Art 3 | Applies to businesses: · incorporated in Australia, or · that ‘carry on a business’ in Australia and collect PI from Australia or hold PI in Australia: s 5B |
| Accountability and governance | Controllers generally must: · implement appropriate technical and organisational measures to demonstrate GDPR compliance and build in privacy by default and design: Arts 5, 24, 25 · undertake compulsory data protection impact assessments: Art 35 · appoint data protection officers: Art 37 | APP entities must take reasonable steps to implement practices, procedures and systems to ensure compliance with the APPs and to enable complaints: APP 1.2. Businesses are expected to appoint key roles and responsibilities for privacy management and to conduct privacy impact assessments for many new and updated projects |
| Consent | Consent must be: · freely given, specific and informed, and · an unambiguous indication of the data subject’s wishes which, by a statement or by a clear affirmative action, signifies agreement to processing: Art 4(11) | Key elements: · the individual is adequately informed before giving consent, and has the capacity to understand and communicate consent · the consent is given voluntarily · the consent is current and specific: OAIC’s APP GLs |
| Data breach notifications | Mandatory data breach notifications by controllers and processors (exceptions apply): Arts 33-34 | From 22 February 2018, mandatory reporting for breaches likely to result in real risk of serious harm |
| Individual rights | Individual rights include: · right to erasure: Art 17 · right to data portability: Art 20 · right to object: Art 21 | No equivalents to these rights. However, businesses must take reasonable steps to destroy or de-identify PI that is no longer needed for a permitted purpose: APP 11.2. Where access is given to an individual’s PI, it must generally be given in the manner requested: APP 12.5 |
| Overseas transfers | Personal data may be transferred outside the EU in limited circumstances including: · to countries that provide an ‘adequate’ level of data protection · where ‘standard data protection clauses’ or ‘binding corporate rules’ apply · approved codes of conduct or certification in place: Chp V | Before disclosing PI overseas, a business must take reasonable steps to ensure that the recipient does not breach the APPs in relation to the information: APP 8 (exceptions apply). The entity is accountable for a breach of the APPs by the overseas recipient in relation to the information: s 16C (exceptions apply) |
| Sanctions | Administrative fines of up to €20 million or 4% of annual worldwide turnover (whichever is higher): Art 83 | Powers to work with entities to facilitate compliance and best practice, and investigative and enforcement powers: Parts IV and V |