Even if you have no interest in privacy law, you would need to be living on a planet in a galaxy far, far away not to be aware of the GDPR.
GDPR
The GDPR (General Data Protection Regulation) came into operation on 25 May 2018. During the weeks leading up to that date, many of us received a slew of emails informing us that the sender had updated its privacy policy or online terms and conditions of business.
Whilst the GDPR is a creature of the European Council and Parliament and, as such, must be complied with across all 28 member states, many Australian businesses have been scrambling to understand whether and, if so, to what extent the GDPR applies to them.
FOREIGN APPLICATION
As a “foreign” law why should the GDPR concern an Australian business?
Like many US laws (including the Foreign Corrupt Practices Act), the GDPR also applies outside its own jurisdiction (in this case, the EU), and so Australian businesses — even those that have no establishment in the EU — may be obliged to comply with certain parts of the Regulation.
As regards non-EU based businesses, the GDPR extends to such businesses that process personal data of EU data subjects, where the processing activities are related to (a) offering goods or services to EU subjects (even where no payment is made); or (b) monitoring the behaviours of EU subjects.
Key to the application of the GDPR to Australian businesses without an establishment in the EU are the concepts of data processing, offering goods or services to EU subjects and monitoring the behaviours of EU subjects.
DATA PROCESSING
Data processing is a widely defined term which includes any operation performed on personal data, such as the collection, recording, organisation, storage, adaptation, alteration, retrieval, consultation, use or disclosure by transmission of personal information.
It would be a truly unique Australian enterprise which receives (as part of its business) personal information of EU subjects that could legitimately contend that it is not processing that data.
OFFERING GOODS OR SERVICES TO EU SUBJECTS
The GDPR provides some limited guidance as to whether a business offers goods or services to EU subjects. In short, it states that one should consider whether it is “…apparent that the business envisages offering goods or services to data subjects…” in one or more EU member states.
The mere fact that EU subjects have access to a business’ website in the EU, or to an email address or other contact details, is insufficient to establish such an intention.
Examples of where a non-EU based business will be regarded as offering goods or services to EU subjects would include:
an Australian business whose website targets EU customers, for example by enabling them to place an order for services in a European language (other than English) or by enabling payment in Euros;
an Australian website that monitors customers or users in the EU.
MONITORING THE BEHAVIOURS OF EU SUBJECTS
Monitoring behaviour in this context would arise where, for example, the business tracks individuals in the EU on the internet and uses data processing techniques to profile individuals, to analyse and predict personal preferences or behaviours etc.
If, as a result of the above, a non-EU based business is subject to the GDPR, it is then necessary to determine which of its provisions apply to that business.
The good news is that if you comply with the Australian privacy laws and principles, you are likely (at least on the face of it) to be compliant with many of the GDPR requirements. But there are obligations within the GDPR that have no similar counterpart in the Australian legislation and, even where there are similar provisions, some of the GDPR provisions are more onerous than their counterpart provisions in our law.
WHAT SHOULD AUSTRALIAN BUSINESSES DO?
Stating the obvious, it is important that Australian businesses — if they have not already done so — ensure that they are fully compliant with the Australian Privacy Principles and the Privacy Act. Whether or not the GDPR is applicable to your business, whilst an important consideration, should not detract from ensuring compliance with Australian law.
But compliance with Australian law is not limited to having in place a compliant privacy policy and suitable online terms and conditions of business — it is much more than that.
Compliance includes having appropriate systems, protocols, and technical and organisational measures in place to ensure, or at least facilitate, the proper collection of personal data and the protection of that data against unauthorised or unlawful access, disclosure, loss or processing. It is while considering these issues that Australian businesses should also consider, and then determine, which aspects of the GDPR apply to them. Only then will businesses be in a position to know whether they actually have in place systems and processes that will meaningfully assist them to comply with applicable Australian privacy law and the GDPR.
In our next issue, we will describe the various requirements with which non-EU based businesses that are subject to the GDPR must comply.