There has been a lot of discussion around GDPR for Australia and how it will affect Australian businesses. Designed to establish a single set of data protection rules across Europe, it is now more relevant than ever after recent data breaches like the Facebook-Cambridge Analytica scandal.
We break down exactly what GDPR is, its main principles and how it will affect Australian businesses.
What GDPR is
General Data Protection Regulation (GDPR) is a regulation in European law on data protection and privacy for individuals within the European Union. It is intended to give individuals better control over their personal data held by organisations.
GDPR applies to the data processing activities of businesses with an establishment in the EU that are data processors or controllers. These businesses need to comply with GDPR regardless of whether the data is processed in the EU. Generally, it is the responsibility of the data controller to implement effective measures. A data controller decides how and why personal data is processed. The data controller must be able to demonstrate the compliance of its processing activities, even if the processing is carried out by a data processor on behalf of the controller.
The main principles for GDPR:
- The right to be forgotten, i.e. users have the right to unsubscribe from marketing.
- Transparency in the processing of private information by automatic means. For example, if a business uses an automatic system such as Mailchimp or RMS to market to someone, that Australian business must be able and willing to disclose the information it holds about that person to that person.
GDPR for Australia – How it will affect Australian businesses
GDPR is not confined to entities within the EU. It will apply to foreign entities if they:
- Have an establishment in the EU, e.g. an Australian business with an office in the EU.
- Offer goods and services in the EU, e.g. an Australian business that targets EU customers.
- Monitor the behaviour of individuals in the EU, e.g. an Australian business that tracks individuals in the EU on the internet in order to analyse and predict personal preferences.
An example of a customer in Australia:
If a European tourist provides personal information when booking a service with an Australian business while in Australia, GDPR does not apply. If, however, you market to that person a month later when they have returned to Europe, then GDPR does apply.
An example of a customer in Europe:
If a non-EU citizen is residing in Europe, then GDPR may apply. For example, if an Australian is on holidays in Europe and receives a marketing email from an Australian business, GDPR does not apply. If, however, that Australian is temporarily living in Europe for, say, 2 years, then GDPR may apply.
By comparison, under Australian privacy law, businesses are able to market to someone if it is reasonably expected that the person would want to be marketed to.
Does GDPR apply to my Australian business?
Whether or not GDPR applies to you depends on:
- Whether you are a data controller or processor;
- What type of personal data you collect or process; and
- The extent of that collection or processing.
Dealing with GDPR for the future
As GDPR is still new, there are still grey areas in certain cases of data ownership. Maximum penalties for a breach of GDPR are 20M or 4% of annual revenue, whichever is greater. However, we predict that the targets of such penalties will most likely be large companies such as Facebook and Google.
If you are looking for more detail on GDPR for Australia, we encourage you to seek your own independent legal advice.