- Australian organisations could be covered by the GDPR if their services are targeted at EU residents or they monitor their behaviour.
- A new definition of ‘consent’ means that it will become difficult to rely on pre-ticked boxes, opt-out provisions or bundled consents. Australian entities should consider the extent to which they comply with this definition when relying on consent under the Australian Privacy Act.
- Information must be provided in a way which is concise, transparent, intelligible and easily accessible. It is possible that the Australian Privacy Commissioner will expect the same standard of disclosure from Australian organisations.
- To encourage compliance, the EU regulator will be able to impose much higher penalties than before, with the higher penalty regime being fines of up to 20 million Euros or 4% of annual group turnover. The imposition of high penalties for significant violations may encourage the Australian regulator to take similar action.
- Data security measures are specified to include restoring availability and access, and a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures. The Australian Privacy Commissioner may incorporate similar expectations into the interpretation of ‘reasonable steps’ for the purposes of APP 11.
After years of negotiations, the new EU General Data Protection Regulation (GDPR) was passed in 2016, bringing with it wide-reaching changes to the EU data protection regime which has been in place for over 20 years under the EU’s Directive 95/46/EC. Much has been written about the changes (which come into effect in May 2018) and the wrangling that preceded the final compromise, but what effect, if any, will the new GDPR have for non-EU countries like Australia?
This whitepaper highlights some of the new provisions in the GDPR which are most relevant for Australian organisations.
You might be covered: Perhaps the most important change for Australian organisations is the extension of the scope of the new GDPR to include businesses with no physical presence in the EU. The GDPR will apply to non-EU-based controllers who target services to EU residents (e.g. through a website) or monitor their behaviour (e.g. through cookies). This could be your organisation. This extended scope reflects the expansionary view of jurisdiction taken by other regulators, including the Australian Privacy Commissioner, as demonstrated in the Ashley Madison data breach investigation. In that case, the Australian Privacy Commissioner determined that the Australian Privacy Act 1988 (Cth) applied to Ashley Madison, a Canadian company with no office or other physical presence in Australia and whose breached data servers were also located in Canada. The relevant considerations were that Ashley Madison advertised in Australia, targeted its services at Australian residents, and collected information from people in Australia. These activities were deemed sufficient for it to be carrying on business in Australia and so within the operation of the Australian legislation. On this basis, many organisations without any physical presence in Australia may be covered by the Privacy Act. Similarly, Australian organisations may be covered by the new European data protection laws, which explicitly apply to organisations that target services to EU residents in the same way as Ashley Madison did. So, be careful!
Stricter definition of ‘consent’: Consent will be defined as “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.” This new definition suggests that bundled consents, ‘opt-outs’ and pre-ticked boxes may no longer be appropriate. To be ‘freely given’, individuals must also have a genuine choice as to whether or not to give their consent. Currently, there is only a limited definition of consent in the Australian Privacy Act (i.e. it means either implied or express consent). In the future, the question of what constitutes consent for the purposes of the Australian Act may well be interpreted on the basis of the requirements of the GDPR.
Right to withdraw consent: Individuals will have the right to withdraw consent, which will make any processing on the basis of consent highly risky. Once consent is withdrawn, data subjects have the right to have their personal data erased and no longer used for processing. The rules around withdrawal of consent are not clear in Australia, but care should be taken in those situations where an organisation is relying on consent, for example, when disclosing personal information to overseas service providers or collecting sensitive personal information.
Additional rights for individuals: The GDPR expands data subjects’ existing rights such as the right to access, the right to rectification and the right to object. The GDPR also introduces important new rights for data subjects, including the right to erasure, the right to data portability and the right to restrict processing. Although it is not likely that these extended rights will be introduced into the Australian legislation, they certainly set a higher bar for how entities must deal with personal information and may become relevant in a practical sense if individuals in Australia expect the same protections, particularly in regard to rights such as the right to be forgotten.
Restrictions on profiling: There are important new provisions covering the automated processing of data, including the right for individuals to object to decisions based solely on profiling. Australian entities should be aware of these provisions as they may be used by the Privacy Commissioner in considering what might be an allowable ‘use’ of personal data under the Australian Privacy Act.
Concise, transparent, intelligible and easily accessible: As well as specifying certain additional information that must be provided to individuals, controllers and processors are required to give that information in a ‘concise, transparent, intelligible and easily accessible form, using clear and plain language.’ This may become the expected standard for communicating with individuals in Australia. It is also worth considering the additional information required to be provided under the GDPR and whether it would be prudent to include the same sort of information in Australian privacy policies and collection notices.
Security: The new GDPR provides specific requirements for the ‘appropriate technical and organisational measures’ that need to be taken by data processors including:
- The pseudonymisation and encryption of personal data;
- The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
- The ability to restore availability and access to personal data in a timely manner in the event of a physical or technical incident; and
- A process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
Australian entities that hold or process personal information should consider whether they meet these requirements, which could be referred to by the Australian Privacy Commissioner when considering whether entities have taken ‘reasonable steps’ to secure personal information for the purposes of Australian Privacy Principle 11.
Data breach notification: Controllers will have to report data breaches to the relevant supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach (unless the breach is unlikely to result in a risk for data subjects’ rights and freedoms). Affected data subjects must be notified of a breach without undue delay if the breach is likely to result in a “high risk” for their rights or freedoms. The Australian data breach notification obligations are different to these requirements but valuable guidance might be provided by the EU regulators on how to assess the risk to individuals from a data breach, a concept which underpins the Australian provisions.
Enforcement and penalties: The GDPR will harmonise the tasks and powers of supervisory authorities and significantly increase fines. There will be a new two-tier system with major penalties (20 million Euros or 4% of annual group turnover, whichever is higher) and lesser penalties (10 million Euros or 2% of annual group turnover, whichever is higher). The hefty fines and penalties for infringement have been one of the most talked-about features of the new regulation. It is hoped that they will encourage greater investment in compliance. Fines at the higher threshold will apply to more serious violations, including violating the basic principles for processing data, consent, and data subjects’ rights. The lower-tier fines apply to obligations such as data breach notification and the appointment of a data protection officer.
Other changes: Some other changes that are worth noting:
- Most data processors and controllers must have a Data Protection Officer who has a number of specified obligations and duties. These may be worth noting for Privacy Officers appointed by Australian organisations;
- Privacy by design and data protection impact assessments are now required. The Australian Privacy Commissioner has made it clear that these should be part of an organisation’s Privacy Management Framework. Australian entities would be wise to start moving towards implementation of both of these important governance elements; and
- Cross-border transfers from the EU will in many ways be simplified. However, the adequacy rule for transfers from the EU is unchanged and there is no suggestion that Australia might be regarded as an ‘adequate’ jurisdiction. Conversely, given the more stringent requirements of the GDPR, an Australian-based entity transmitting personal information to an EU country can continue to rely upon APP 8.2(a)(i).
There are many reasons why Australian organisations should be aware of and consider the extent to which they might voluntarily adopt some of the changes to be introduced under the new GDPR. In particular, it is likely that the provisions in the new GDPR will influence the Australian Privacy Commissioner’s approach to the interpretation and application of the Australian Privacy Principles, particularly in view of the growing international co-operation between privacy regulators in responding to data breach cases involving multiple jurisdictions.
Organisations should also appreciate that Australians will be exposed to the new practices when dealing with European-based organisations, and they may come to expect the same kind of protections from Australian entities, setting a new hurdle for trust that will apply regardless of what may be required by the less stringent Australian Privacy Principles.
In short, the GDPR flags a new direction in data protection and it would be prudent for all Australian organisations to pay attention.
EU GDPR: http://www.eugdpr.org/
Office of the Australian Information Commissioner: https://oaic.gov.au/media-and-speeches/news/general-data-protection-regulation-guidance-for-australian-businesses
About the Author – Dr Jodie Siganto PhD LLM CISSP
Dr Siganto is a partner in the technology and privacy law and consulting firm, Ringrose Siganto.
Dr Siganto graduated as a lawyer from the University of Queensland and after 8 years in private practice became in-house counsel for Tandem Computers followed by roles with Unisys Asia and Dell based in Singapore. She returned to Australia in 2000, founding Bridge Point Communications (specialists in data networking and security) with two other colleagues. In 2008, she established IT Security Training Australia, specialising in information security and privacy consulting and training. Dr Siganto completed her PhD on privacy and information security practice in 2014. In 2017, she joined with long-time colleague Edward Ringrose in Ringrose Siganto.
Dr Siganto has been sought out by government departments, international corporations and Australian businesses to advise them on privacy and security matters, conducting privacy compliance reviews and privacy and security impact assessments. She has been engaged to act for corporations on the privacy, security and legal implications of moving data to the cloud, to review data sharing contracts and undertake privacy impact assessments.
She has been involved with a range of industry groups, including acting as the Chair of the AISA Policy Committee, and more recently the AISA Education Director. In addition to her other works, Dr Siganto pursues research projects into cyber security issues. She has participated in a study led by Royal Holloway, University of London, which mapped some of the unique traits of information security practitioners in Australia and led AISA’s research into the Australian Cyber Security Skills Shortage.