Businesses with a presence in the European Union must ensure their data collection practices comply with the General Data Protection Regulation (GDPR).
The European Union GDPR contains new data protection requirements that apply from 25 May 2018. Because of its extraterritorial reach, the GDPR can apply to Australian businesses that have a business presence in the EU, offer goods or services to individuals in the EU, or collect personal data from individuals in the EU.
The GDPR is intended to harmonise data protection laws across the EU and replace any existing national data protection rules. It aims to protect individuals’ rights in relation to the processing of their personal data. Personal data includes an individual’s name, address and phone number, location, health records, income and banking information and cultural preferences (Article 4).
There are significant penalties for businesses failing to meet their GDPR obligations. These range from lower-level penalties (for example, for not keeping proper processing records) with a maximum of €10 million or 2% of worldwide annual turnover, whichever is higher, to higher-level penalties (for example, for processing without valid consent) with a maximum of €20 million or 4% of worldwide annual turnover, whichever is higher (Article 83). The penalties apply to both Data Controllers and Data Processors, so cloud and other outsourced service providers are not exempt from GDPR enforcement. A Data Controller is an entity that determines the purposes and means of processing personal data; a Data Processor is an entity that processes personal data on behalf of a Data Controller (Article 4).
The GDPR applies to businesses processing the personal data of individuals in the EU, regardless of where the business is located, provided one of the connecting factors described above applies. By contrast, the Privacy Act 1988 (Cth) generally only applies to Australian businesses with an annual turnover exceeding $3 million. There is no such turnover threshold under the GDPR.
The GDPR will apply to businesses outside the EU if they have a business presence in the EU, offer goods or services to individuals in the EU, or collect personal data from individuals in the EU.
The mere accessibility of a business's website from the EU is not in itself sufficient to establish that it is doing business in the EU and is required to comply with the GDPR.
The GDPR can apply, however, where a business's website allows goods or services to be ordered in a language used in an EU member state, allows payment in euros, refers to customers in the EU, or uses an EU top-level domain.
Additional obligations that may be imposed on Australian businesses by the GDPR include:
Businesses bound by the GDPR that are not established in the EU must generally appoint a representative located in the EU. If your core business activities consist of regular and systematic monitoring of individuals on a large scale, or of processing special categories of data (such as health data) on a large scale, your business is also required to appoint a Data Protection Officer. This will apply, for example, where your business processes personal data to target advertising through search engines based on individuals' online behaviour, but not if your business merely sends promotional material to its clients once a year (Article 27 & Article 37).
A data breach occurs where a security incident leads to personal data being accidentally or unlawfully destroyed, lost, altered, disclosed to or accessed by unauthorised recipients, or made temporarily unavailable. If the breach is likely to pose a risk to individuals' rights and freedoms, your business is required to notify the relevant EU supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach. Individuals can also bring their own actions for compensation arising from data breaches, a remedy that is not available under Australian privacy laws (Article 33).
Consent is defined in the GDPR as a freely given, specific, informed and "unambiguous indication" of the individual's wishes, given by a "statement or clear affirmative action", that the individual agrees to the processing of their personal data. This means consent must be given by an affirmative act, such as ticking an online box or signing a form; pre-ticked boxes or silence are not sufficient. The consent must also specify the precise way in which the business is authorised to process the individual's data, and the business must be able to demonstrate that consent was obtained (Article 7).
Individuals have a right to require data controllers to delete their data in certain circumstances. This includes, but is not limited to, when the information is no longer necessary for the purpose for which it was collected, consent is withdrawn, or there is no other legal ground for processing their data. There is no equivalent provision in Australian privacy laws (Article 17).
The GDPR includes a right to data portability, which requires a business, at an individual's request, to provide the personal data the individual has supplied to it in a structured, commonly used and machine-readable format, and, where technically feasible, to transmit that data directly to another controller (Article 20).
Individuals have the right to request access to their personal data free of charge and in an accessible format. Individuals can also request a business provide them with information about profiling (the automated processing of personal information to evaluate personal aspects of a person) and can object to the processing of their personal information which can require a business to cease processing their personal data (Articles 15, 21 & 22).
We recommend businesses conduct a comprehensive data audit against the GDPR legal framework, including reviewing:
You should have detailed knowledge of whether your business holds personally identifiable information about customers, where this data is stored, who has access to it and with whom the data is being shared. The GDPR requires that a Data Controller only engage a Data Processor that offers sufficient guarantees of compliance, and that the engagement be governed by a written contract (Article 28). We can assist you to include these guarantees in a written contract with Data Processors, as well as other terms to protect your business.
You should consider your data flows and personal data handling practices. Contact us for a discussion about the GDPR and how we can assist you with your compliance obligations.