From 25 May 2018, it came as a shock to many Australian businesses that they needed to comply with the new European Union General Data Protection Regulation (GDPR) where they have an establishment in the European Union (EU), offer goods and services in the EU, or monitor the behaviour of individuals in the EU.
As a brief recap, the GDPR has similar requirements to the Privacy Act 1988 (Privacy Act) as well as additional measures that aim to foster transparent information handling practices and business accountability around data handling. There are also some notable differences, including certain rights of individuals (such as the ‘right to be forgotten’) which do not yet have an equivalent right under the Privacy Act. The GDPR imposes significant requirements on “data controllers” (business entities that determine the purpose and means of processing personal data) and “data processors” (third party businesses that process data on behalf of data controllers) within the EU, as well as certain organizations located outside the EU. Those businesses affected were required to implement a privacy by design approach, additional data protection practices, and systems for dealing with the new data handling requirements to ensure compliance with both Australian and EU privacy laws.
Given the uncertainty around the extra-territorial application of some aspects of the GDPR, it is welcome news that the European Data Protection Board (EDPB) on 23 November 2018 adopted new draft guidelines intended to provide clarity about the territorial scope of the GDPR. Further guidelines may be expected to be released by the EDPB, and as such, continued vigilance will be required to ensure ongoing compliance.
These new GDPR guidelines seek in part to provide much sought-after clarification on several key issues, including how the GDPR will be applied to businesses located in different parts of the world, and which non-EU based entities will need to appoint an EU-based representative to act as a liaison with EU regulators.
Some of the salient highlights provided within the recent GDPR guidelines follow:
- A data controller located outside the EU shall not be deemed to be an EU-based entity merely because that controller’s website is accessible in the EU; provided, however, that even if only one employee of that data controller works in the EU, that data controller may need to be GDPR compliant if its employee oversees significant business activities and has a long-term, stable presence in the EU;
- A data controller located outside the EU that utilises an EU-based processor for business activities outside of the EU that do not target EU residents is not subject to the GDPR. However, the EU-based processor will be subject to the relevant GDPR provisions that apply to data processors;
- Where a data controller subject to the GDPR utilises the services of a data processor located outside the EU (that is not otherwise subject to the GDPR), that data controller must ensure, by written contract or other legally binding act, that its data processor processes its data in compliance with the GDPR;
- The GDPR applies to data processing/monitoring activities related to any individual who is at that time present in the EU, and is not limited in application to EU citizens, legal residents of the EU or any other legal status of the data subject (so non-EU residents are covered). Whether the data subject is located in the EU shall be determined at the moment when the relevant trigger activity takes place, i.e. at the moment that the goods or services are offered to the data subject or the moment when the data subject’s behaviour is monitored, regardless of the duration of the offer made or monitoring undertaken;
- Non-EU based entities that are subject to the GDPR must appoint a representative in the EU, but the representative relationship can be based on a service contract entered into with an individual or an organization, such as a law firm, consultancy or private company. Please note that this third-party representative may act on behalf of several non-EU based data controllers and data processors; and
- When the function of a representative is assumed by a company or any other type of legal entity, it is recommended that a single individual be assigned as a lead contact and person “in charge” for each data controller or data processor represented.
Given the severity of the penalties for violations of the GDPR (the greater of €20 million or 4% of worldwide revenue), all Australian businesses subject to the GDPR should closely follow the newly-released guidelines in order to ensure that they are in full compliance with the GDPR.
On 15 October 2018, the Queensland Government released its response to recommendations made in September 2018 by the Queensland Anti-Cyberbullying Taskforce. Significantly, the taskforce recommended that Queensland lobby the Commonwealth Government to amend the Privacy Act 1988 to introduce a “right to be forgotten” and a “right to erasure”, similar to the equivalent rights contained in Europe’s General Data Protection Regulation.
This publication covers legal and technical issues in a general way. It is not designed to express opinions of specific circumstances. It is intended for information purposes only and should not be regarded as legal advice. Further professional advice should be obtained before taking action on any issue dealt with in this publication.