Contributed by Geoff Bloom, Partner at HWL Ebsworth Lawyers and Eli Fisher, Senior Associate at HWL Ebsworth Lawyers.
As you are probably already aware, the General Data Protection Regulation (GDPR) came into force on 25 May 2018 in all member states of the European Union, bringing along a new regime of data protection laws – and large penalties – that will replace all existing privacy law in Europe.
The GDPR is a hugely ambitious regime which aims to harmonise data protection laws across Europe. The GDPR has been described as the most important change in data privacy regulation in 20 years. And most importantly, the GDPR affects Australian businesses.
The GDPR will not just have an impact in the EU. An Australian business will need to comply with the GDPR if the business:
- has an establishment in the EU (regardless of whether they process personal data in the EU);
- offers goods or services to EU data subjects; or
- monitors the behavior of EU data subjects.
There is little doubt that the GDPR purports to apply to an Australian business:
- with an office somewhere in the EU;
- whose website targets EU customers, for example, by enabling them to order goods or services in German, or enabling payment in Euros;
- whose website has testimonials from EU customers; and
- which tracks individuals in the EU on the internet and uses analytics to profile them.
In complying with the GDPR, there are two different sets of obligations. Which set of obligations applies will depend on whether the organisation is a ‘data controller’ or a ‘data processor’.
Under Article 4 of the GDPR:
- a ‘controller’ is the person which, alone or jointly with others, determines the purposes and means of the processing of personal data; and
- a ‘processor’ is the person which processes personal data on behalf of the controller.
An organisation is likely to be classified as a ‘data controller’ under the GDPR, if it decides:
- who collects the personal data;
- the type of personal data that is collected (includes the content of the data);
- the purpose for which the personal data is to be used;
- the types of data subjects that are involved;
- whether the organisation will disclose the data and, if so, to whom; or
- how long the organisation will retain the data, or whether to make non-routine amendments to the data.
By contrast, a data processor will only process data on instruction from the data controller. The controller is essentially the master in the relationship, and the processor its servant, processing information only in accordance with the direction of the controller. Whilst a full set of privacy obligations apply to the controller, a smaller range of privacy obligations applies to the processor.
There are some key differences between Australian privacy law and the GDPR, including in relation to consent and overseas transfers of data. Other key differences include the grant of individual rights to data subjects, including the rights:
- to have the data erased (“the right to be forgotten”);
- to restrict processing of personal data;
- to data portability;
- to object to the processing of personal data; and
- related to automated decision making, including profiling.
These rights are completely foreign to Australian privacy law, and will change the way that businesses around the world process information.
One of the most significant differences from Australian privacy law is the penalties for non-compliance – the GDPR has penalties which are truly game-changing. Serious contraventions can result in penalties of up to €20 million or 4% of annual worldwide turnover (whichever is higher), and less serious contraventions can result in penalties of up to €10 million or 2% of annual worldwide turnover (whichever is higher).
CCH Learning hosted a webinar that was presented by Geoff Bloom & Eli Fisher of HWL Ebsworth on Tuesday 12 June 2018. The webinar recording introduces the GDPR to an Australian audience and builds upon pre-existing knowledge, with a particular focus on practical issues. It also addresses the relationship between controllers and processors and Article 28 Agreements in greater detail, as well as the various governance and accountability requirements, including Data Protection Officers, Article 30 Registers, Data Protection Impact Assessments and EU Representatives. These are of great importance for Australian businesses caught by the GDPR.