Europe’s new data privacy regulations
Are you doing business in Europe, or with Europeans? If so, you’ll need to ensure you comply with new data protection requirements that came into effect last month.
The European Union General Data Protection Regulation (GDPR) is the most important change in European data privacy regulations in 20 years. It harmonises data protection laws across the EU and replaces existing national data protection rules.
Australian businesses of any size may need to comply with it if they have an establishment in the EU, offer goods and services in the EU or monitor the behaviour of individuals in the EU.
According to a new resource published by the Office of the Australian Information Commissioner (OAIC), the GDPR and the Australian Privacy Act 1988 share many common requirements, including to:
- Implement a privacy by design approach to compliance.
- Be able to demonstrate compliance with privacy principles and obligations.
- Adopt transparent information handling practices.
Data breach notification is required in certain circumstances under the GDPR and under the Privacy Act. In addition, privacy impact assessments, mandated in certain circumstances under the GDPR, are expected in similar circumstances in Australia.
There are, however, some notable differences between the laws, including certain rights of individuals, such as the ‘right to be forgotten’, which do not have an equivalent right under the Privacy Act.
But, given the many similarities, Australian businesses may already have some of the measures in place that will be required under the GDPR. Even so, the OAIC says they should begin taking steps to evaluate their information handling practices and governance structures, seeking legal advice where necessary, to implement the necessary changes.
Where additional measures are implemented and these are not inconsistent with the Privacy Act, the OAIC says businesses could consider rolling these out across their Australian operations.
‘This could improve consumer trust through enhanced privacy practices and allow for more consistent internal privacy practices, procedures and systems across the business,’ it says.
The GDPR applies to the data processing activities of businesses, regardless of size, that are data processors or controllers with an establishment in the EU.
Generally speaking, a controller says how and why personal data is processed and a processor acts on behalf of the controller. Where a business has ‘an establishment’ in the EU, activities of the business that involve processing personal data will need to comply with the GDPR, regardless of whether the data is actually processed in the EU.
The GDPR includes a range of new and enhanced rights for individuals. For example, the right to erasure, which encompasses the ‘right to be forgotten’, gives individuals a right to require data controllers to delete their data in certain circumstances. This includes circumstances where the information is no longer necessary for the purpose for which it was collected or where the individual withdraws their consent and there is no other legal ground for processing their data.
There are exceptions to this right, including where data processing is necessary to exercise the right of freedom of expression and information.
There is no equivalent ‘right to erasure’ under the Privacy Act. However, entities holding personal information are required to take reasonable steps to destroy the information or to ensure it is de-identified if the information is no longer needed for any purpose permitted under the Act.
Another enhanced right for individuals in the GDPR is the right to object at any time to the processing of an individual’s personal data (including profiling).
The new laws also include a right to ‘data portability’ — a right to receive personal data an individual has provided to a controller in a ‘structured, commonly used, machine-readable format’ and to transmit that data to another controller, where the data is processed electronically. This right only applies to personal data that an individual has provided to the controller, where the processing is based on the individual’s consent or for the performance of a contract and where processing is carried out by automated means.
The Privacy Act does not include an equivalent right to ‘data portability’ or ‘right to object’. However, individuals do have a right to request access to, and correction of, their personal information.
The following resources may assist you in assessing whether you are covered by the GDPR and the steps you should be taking to comply:
- European Commission, 2018 reform of EU data protection rules.
- Article 29 Working Party (from 25 May 2018, the European Data Protection Board) GDPR guidance.
- Asia Pacific Privacy Authorities EU General Data Protection – General Information Document.
- UK Information Commissioner’s Office Guide to the GDPR.