The European Union General Data Protection Regulation (GDPR) will be in effect from 25 May 2018, and will replace existing data protection rules set out in the 1995 European Directive 95/46/EC. While the GDPR will be law in the European Union (EU), it is likely to have an impact on Australian businesses that operate internationally, as it applies to organisations that act within the EU or interact with its citizens.
Who does this apply to?
The GDPR applies to data controllers and processors with an office inside the EU, or entities operating outside of the EU which offer goods and services to individuals in the EU, even if no payment is required, or monitor the behaviour of individuals in the EU, such as through internet use profiling.
An organisation is considered a ‘data controller’ if it possesses, and is responsible for, the data that it manages. This might include companies, government departments, general practitioners or sole traders.
As separate legal entities, holding companies and subsidiaries might also be considered data controllers due to legal data protection responsibilities, and legal status distinct from the parent organisations.
Where an organisation is in possession of the data, but another entity is responsible for it, the organisation is considered a ‘data processor’, and is subsequently bound by GDPR requirements.
For example, an entity responsible for processing, managing or even monitoring client information on behalf of a controller selling to Member States will be required to adhere to GDPR rules, irrespective of whether the processing occurs in the Union.
What data is protected by the GDPR?
The GDPR applies to personal data, being ‘any information relating to an identified or identifiable natural person’. This can include a variety of identifiers, including name, ID number, location data, an online identifier, or factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.
The GDPR also has special rules concerning particular categories of sensitive personal information, such as racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, genetic data, biometric data, data concerning health or data concerning a natural person’s sex life or sexual orientation.
Data controllers must now comply with regulations regarding the processing of personal data, and limitations on the period of time that data can be stored for. In specific circumstances, it may also be necessary to appoint a data protection officer (DPO) to monitor and advise on compliance with the GDPR, especially where data processing and monitoring occurs on a large scale.
The definition of consent has been updated, to make it clear that, where consent is required under the GDRP, it must be freely given, specific and informed. It is important to note that silence, pre-ticked boxes or inactivity are incapable of constituting consent under the new regulations.
Data Breach Notifications
Data controllers must provide a notice to the EU Commission or relevant supervisory authority within 72 hours of any data breach, the contents of which are strict and specific. Any delay must be justified with reasons, which must accompany the notice. In the event of high risk breaches to the rights and freedoms of a data subject, the data subject must be informed without undue delay.
Individuals now have the right to erasure, meaning data controllers must delete their data upon request. This may be where the data is no longer necessary for the purpose for which it was collected, or where consent is withdrawn by the data subject. There is also a right for data portability, meaning the individual has a right to receive data in an electronic format, as well as a right to object to data on specific grounds.
Personal data can be transferred overseas only where an adequate level of protection exists, and where consideration is given to the rule of law, human rights, legislation and public security concerns.
Failure to adhere to GDPR requirements may incur significant pecuniary penalties.
For a serious infringement, for example failure to obtain customer consent for data processing, the penalty may involve a maximum administrative sanction of 4% of global annual turnover or 20 million Euros, whichever is greater.
Where the breach is a minor infringement, for example failure to obtain parental consent for the processing of personal data for a child under the age of 16 years, the maximum penalty is a fine of 2% of global annual turnover or 10 million Euros, whichever is greater.
Similarly, there exists the possibility that where a data subject has suffered damage, either material or non-material, resulting from an infringement, individual claims may be made against data controllers and processors.
We recommend that businesses review the systems they have in place regarding data protection and management to ensure that they are compliant with statutory provisions.
We also recommend that businesses ensure that, where they interact with countries in the EU in the course of commercial dealings, their data systems and policies adhere to GDPR regulations, so as to avoid potential penalties.
HWL Ebsworth’s Data Protection team has considerable experience helping clients with their compliance obligations in Australia and abroad. Please contact a member of our team for further information on how we can assist you.
This article was written by Luke Dale, Partner, and Jonothan Cottingham-Place, Law-Clerk.
P: +61 8 8205 0580