Perth:+61 8 9481 2040
Geraldton:+61 8 9921 2344
On Friday 25 May 2018 the EU General Data Protection Regulation (GDPR) came into effect, giving residents of the EU increased control over their personal data. Importantly, GDPR extends far beyond the boundaries of Europe.
Here we have summarized what this means for Australian businesses.
Does it apply to my Australian business?
GDPR can apply to businesses incorporated outside of the EU, regardless of their size.
GDPR applies to Australian businesses that:
If an Australian company has an office in the EU, sells goods or services to people in the EU, or processes or handles data relating to EU individuals – even if that data processing occurs only in Australia - that is usually enough to bring the company within the scope of GDPR.
The fact that people in the EU can access a website is not enough to bring the company within GDPR. However, using a European language or currency on your website, or mentioning customers or users who are in the EU, can be considered having an intention to offer services to EU individuals. This will bring any data concerning those EU individuals within GDPR, and so the Australian business will need to comply with GDPR.
Who and what are covered?
The GDPR covers the “personal data” of an “EU individual”. The concept of an “EU individual” extends to EU residents, EU citizens and citizens of other countries who are temporarily in the EU. This could include an Australian resident working temporarily in the EU. The scope of “personal data” is broad - it includes any data set which can identify or single out an individual. It is broader than the definition of personal information under Australian legislation.
Importantly, GDPR focusses on the person to whom the information relates, not where the information handling or processing actually occurs.
So, an Australian company that uses computer servers provided by third parties to process the personal data of an EU individual (e.g. Amazon or Microsoft Azure servers) is bound by GDPR even if those servers are located outside of the EU. GDPR extends far beyond the boundaries of Europe.
If an Australian company has European customers, then they msut comply with GDPR.
We comply with Australian Privacy Laws, isn’t that enough?
Unfortunately it is not that simple. Although the Australian Privacy Act 1988 (Cth) and the GDPR have similar requirements, some requirements of GDPR are stricter than those under Australian privacy law. For example:
Alternatively, you may need to implement strategies to remove your business from the scope of GDPR. We can assist in this regard.
Europe's Regulatory Focus- will non-EU companies be fined?
The processing of employee data, such as payroll data, has been identified by EU regulators as a key area for protection. Any Australian business that seriously breaches GDPR in relation to EU employee information could be the subject of enforcement action by EU regulators. In the event of a serious data breach, fines may be imposed. Fines under GDPR can be extremely high - up to €20 million or 4% of annual worldwide turnover, whichever is greater.
Importantly, European regulators are taking action against non-EU companies. The first company to be fined under GDPR by the UK's Information Commissioners Office (ICO) was a Canadian company with apparently no EU presence. The ICO also issued a formal warning under GDPR in November 2018 to the Washington Post over how it was obtaining consent for cookies on its website. The ICO did not take the matter further at the time, and presumably will not in a post-Brexit world. However, it is clear that European regulators may target companies outside of Europe in sufficiently serious cases.
Also, any EU individual whose data has been compromised as a result of an unauthorised disclosure or data breach can take action directly against an Australian company under GDPR.
Many countries are following GDPR
Legislation similar to GDPR has already been passed in many jurisdictions outside of Europe. Other non-European countries are currently updating their privacy laws as a response to GDPR. These countries include Argentina, Bahrain, Brazil, China and Hong Kong, Iraq, Israel, Kazakhstan, Norway, Panama, Peru, Russia, Singapore, California and the United Kingdom. Australian companies operating in, or with customers in, these countries will need to be sure they comply with those laws.
What to do now
The message is clear. Many Australian companies holding or processing personal data of an EU individual should:
For Australian companies that wish to avoid the cost of dealing with GDPR, there are strategies that can be implemented to remove their business from the scope of GDPR.
If you have any questions about your company’s obligations or need help to comply with GDPR or avoid GDPR, please contact Damian Quail in our Perth office.