After years of negotiations, the new EU General Data Protection Regulation (GDPR) has been passed, bringing with it wide-reaching changes to the EU data protection regime that has been in place for over 20 years under Directive 95/46/EC. Much has been written about the changes (which won't apply until May 2018) and the wrangling that preceded the final compromise, but what effect, if any, will the new GDPR have for non-EU countries like Australia?
This whitepaper highlights some of the new provisions in the GDPR which are most relevant for Australian organisations.
You might be covered: Perhaps the most important change for Australian organisations is the extension of the territorial scope of the GDPR to organisations with no physical presence in the EU. The GDPR will apply to non-EU-based controllers and processors that offer goods or services to individuals in the EU (e.g. through a website) or monitor their behaviour (e.g. through cookies). This could be your organisation. This extended scope reflects the expansionary view of jurisdiction taken by other regulators, including the Australian Privacy Commissioner, as demonstrated in the Ashley Madison data breach investigation. The Australian Privacy Commissioner determined that the Privacy Act 1988 (Cth) applied to Ashley Madison, a Canadian company with no office or other physical presence in Australia and whose breached data servers were also located in Canada. The relevant considerations were that Ashley Madison advertised in Australia, targeted its services at Australian residents, and collected information from people in Australia. These activities were held to be sufficient for it to be 'carrying on business in Australia' and so within the operation of the Australian legislation. On this basis, many organisations without any physical presence in Australia may be covered by the Privacy Act. Similarly, Australian organisations may be covered by the new European data protection laws, which explicitly apply to organisations that target services at individuals in the EU in the same way that Ashley Madison targeted Australians. So, be careful!
Stricter definition of 'consent': Consent will be defined as "any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her." Under this definition, bundled consents, 'opt-outs', silence, inactivity and pre-ticked boxes will not amount to consent. To be 'freely given', individuals must also have a genuine choice as to whether or not to give their consent. Currently, there is only a limited definition of consent in the Australian Privacy Act (i.e. it means either implied or express consent). In the future, what counts as consent for the purposes of the Australian Act may well be interpreted by reference to the requirements of the GDPR.
Right to withdraw consent: Individuals will have the right to withdraw consent at any time, and withdrawing consent must be as easy as giving it, which makes consent a fragile basis for any ongoing processing. Once consent is withdrawn, processing that relied on it must stop and, unless another lawful basis applies, the data subject can require the personal data to be erased. The rules around withdrawal of consent are not clear in Australia, but care should be taken in those situations where an entity relies on consent, for example when disclosing personal information to overseas service providers or collecting sensitive personal information.
Additional rights for individuals: The GDPR expands data subjects’ existing rights such as the right to access, the right to rectification and the right to object. The GDPR also introduces important new rights for data subjects, including the right to erasure, the right to data portability and the right to restrict processing. Although it is not likely that these extended rights will be introduced into the Australian legislation, they certainly set a higher bar for how entities must deal with personal information and may become relevant in a practical sense if individuals in Australia expect the same protections, particularly in regard to rights such as the right to be forgotten.
Restrictions on profiling: There are important new provisions covering automated processing, including the right of individuals not to be subject to a decision based solely on automated processing (including profiling) that produces legal or similarly significant effects for them. Australian entities should be aware of these provisions, as the Privacy Commissioner may have regard to them in considering what is an allowable 'use' of personal information under the Australian Privacy Act.
Concise, transparent, intelligible and easily accessible: As well as specifying additional information that must be provided to individuals, the GDPR requires controllers to provide that information in 'a concise, transparent, intelligible and easily accessible form, using clear and plain language'. This may become the expected standard for communicating with individuals in Australia. It is also worth considering the additional information that must be provided under the GDPR and whether it would be prudent to include the same sort of information in Australian privacy policies and collection notices.
Security: The GDPR gives specific examples of the 'appropriate technical and organisational measures' that controllers and processors must implement, which include, as appropriate:
• The pseudonymisation and encryption of personal data;
• The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
• The ability to restore availability and access to personal data in a timely manner in the event of a physical or technical incident; and
• A process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
Australian entities that hold or process personal information should consider whether they meet these requirements, which could be referred to by the Australian Privacy Commissioner when considering whether an entity has taken 'reasonable steps' to secure personal information for the purposes of Australian Privacy Principle (APP) 11.
Data breach notification: Controllers will have to report personal data breaches to the relevant supervisory authority without undue delay and, where feasible, not later than 72 hours after becoming aware of the breach (unless the breach is unlikely to result in a risk to the rights and freedoms of data subjects). Affected data subjects must be notified without undue delay if the breach is likely to result in a 'high risk' to their rights and freedoms. The currently proposed Australian data breach notification obligations differ from these requirements, but valuable guidance might be provided by the EU regulators on how to assess the risk to individuals from a data breach, a concept which also underpins the Australian provisions.
Enforcement and penalties: The GDPR will harmonise the tasks and powers of supervisory authorities and significantly increase fines. There will be a new two-tier system with major penalties (up to 20 million Euros or 4% of total worldwide annual turnover, whichever is higher) and lesser penalties (up to 10 million Euros or 2% of total worldwide annual turnover, whichever is higher). The hefty fines for infringement have been one of the most talked-about features of the new regulation. It is hoped that they will encourage greater investment in compliance. Fines at the higher threshold will apply to more serious violations, including breaches of the basic principles for processing, the conditions for consent and data subjects' rights. The lower-tier fines apply to obligations such as security, data breach notification and appointment of a data protection officer.
Other changes: Some other changes that are worth noting:
• Controllers and processors in specified circumstances (public authorities, and organisations whose core activities involve large-scale regular and systematic monitoring of individuals or large-scale processing of sensitive categories of data) must appoint a Data Protection Officer, who has a number of specified duties. These may be worth noting for Privacy Officers appointed by Australian organisations;
• Data protection by design and by default becomes a legal requirement, and data protection impact assessments are mandatory where processing is likely to result in a high risk to individuals. The Australian Privacy Commissioner has made it clear that both should be part of an organisation's Privacy Management Framework. Australian entities would be wise to start moving towards implementation of both of these important governance elements; and
• Cross-border transfers from the EU will in some respects be simplified. The adequacy rule for transfers from the EU is essentially unchanged, and there is no suggestion that Australia will be regarded as an 'adequate' jurisdiction. Transfers in the other direction are a different matter: given the more stringent requirements of the GDPR, an Australian entity disclosing personal information to a recipient in an EU country should be able to continue to rely on APP 8.2(a)(i) (a reasonable belief that the recipient is subject to a law or binding scheme that protects the information in a way that is, overall, at least substantially similar to the APPs).
There are a number of reasons why Australian organisations should be aware of and consider the extent to which they might voluntarily adopt some of the changes to be introduced under the new GDPR. It is likely that the provisions in the new GDPR will influence the Australian Privacy Commissioner’s approach to the interpretation and application of the Australian Privacy Principles, particularly in view of the growing international co-operation between privacy regulators in responding to data breach cases involving multiple jurisdictions.
Organisations should also appreciate that Australians will be exposed to the new practices when dealing with European-based organisations and may come to expect the same kind of protections from Australian entities, setting a new hurdle for trust that will apply regardless of what may be required by the less stringent Australian Privacy Principles.
In short, the GDPR flags a new direction in data protection and it would be prudent for all Australian organisations to pay attention.
30 September 2016
About the Author
Jodie Siganto PhD CISSP
Jodie graduated as a lawyer and after 8 years in private practice became in-house counsel for computer companies Tandem, Unisys Asia and Dell Financial Services. In 2000, she co-founded Bridge Point Communications where she worked in security management consultancy. Jodie has led IT Security Training Australia, a local training organisation, since 2010. For IT Security Training Australia, Jodie develops and delivers training directed at the intersection of technology, security and the law. Some of her courses include:
• Privacy and confidentiality law in Australia;
• Cloud computing contracts: Legal, privacy and security issues;
• ISO 27001 Information Security Management System: Overview; and
• Privacy Impact Assessment Workshop.
Completing a PhD at QUT in 2015, Jodie is a keen researcher into privacy and information security issues, contributing to a range of projects including the Cyber Security Cartographies study with colleagues from Royal Holloway University of London and more recently to the AISA Cyber Security Skills Shortage report.
For more information on training courses offered by IT Security Training Australia Pty Ltd:
Key points for Australian organisations:
• Australian organisations could be covered by the GDPR if they target services at individuals in the EU or monitor their behaviour.
• A new definition of 'consent' means that it will no longer be possible to rely on pre-ticked boxes, opt-out provisions or bundled consents. Australian entities should consider the extent to which they meet this definition when relying on consent under the Australian Privacy Act.
• Information must be provided in a way which is concise, transparent, intelligible and easily accessible. It is possible that the Australian Privacy Commissioner will expect the same standard of disclosure from Australian organisations.
• To encourage compliance, EU supervisory authorities will be able to impose much higher penalties than before, with the higher penalty tier being fines of up to 20 million Euros or 4% of total worldwide annual turnover. The imposition of high penalties for significant violations may encourage the Australian regulator to take similar action.
• Data security measures are specified to include the ability to restore availability and access to personal data, and a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures. The Australian Privacy Commissioner may incorporate similar expectations into the interpretation of 'reasonable steps' for the purposes of APP 11.