The Australian data protection landscape is set to become even more complicated. As well as existing and proposed Australian requirements, Australian entities that hold personal data relating to European residents will soon be subject to the European General Data Protection Regulation (GDPR), which will have extra-territorial effect. After 3 years of debate, on 17 December 2015 the European Union Parliament, Council and Commission agreed on and published the ]]>final text of GDPR]]>. The final texts are expected to be approved by the European Parliament in early 2016, and should become applicable in 2018 without the need for further implementing legislation in each EU member state.
The GDPR will apply to data controllers and data processors outside of the European Union where their data processing activities affect EU residents. This would extend the GDPR’s extra-territorial effect beyond multinational organisations with establishments in Europe. It could also apply to agencies or organisation based solely in Australia if they offer goods or services to EU residents (e.g. exporters, financial services institutions with EU-resident account holders), or where they monitor behaviour taking place in the EU.
Some key points to note about the privacy regime to be created under the GDPR:
- The scope of ‘personal data’ that will be protected under the GDPR will include any information about an identified or identifiable person. A person will be ‘identifiable’ if they can be directly or indirectly identified, including by reference to their name, ID number, location data or online identifier. A person might also be ‘identifiable’ if they can be identified by reference to one or more factors specific to their physical, physiological, genetic, mental, economic, cultural or social identity.
- Data controllers will be subject to accountability obligations, including maintaining documentation to demonstrate compliance, conducting data protection impact assessments for riskier processing activities, and implementing ‘data protection by design and by default’ principles to minimise the potential privacy impacts of their activities.
- Processing of personal data can only be lawful if it is on the basis of the consent of the person concerned (the ‘data subject’) or on some other basis laid down by law. Where processing is based on consent, the data subject’s consent must be freely given, specific, informed and unambiguous, shown by a statement or clear affirmative action that shows agreement to the processing. In addition, for processing specific categories of more sensitive personal data the consent must be ‘explicit’. The data subject must be able to withdraw their consent to the processing at any time.
- The ‘right to be forgotten’ recognised in the European Court of Justice’s ruling in the ]]>Google Spain case C0131/12]]> of 13 May 2014 will be given statutory force.
- Under the data breach notification requirement, all data controllers will be required to notify the appropriate Data Protection Authority ‘without undue delay’ (and when feasible within 72 hours) where there has been a data breach leading to the loss, access or disclosure of personal data. The affected individual should also be notified if the personal data breach is likely to result in a high risk for their rights and freedoms. The requirement, which will be subject to a range of exceptions, will differ from that proposed requirement to notify of serious data breaches contained in the exposure draft of the ]]>Privacy Amendment (Notification of Serious Data Breaches) Bill 2015]]>, as discussed in our previous Keynote.
- In certain circumstances, data controllers and data processors will be required to appoint a data protection officer if they are a public authority or if the core activities of the controller or processor consist of processing which, by its nature, scope or purpose, require regular and systematic monitoring of data subjects on a large scale or processing of a large scale of special categories of data.
- Organisations breaching the data protection rules under the GDPR could be fined up to 4% of their annual worldwide turnover. In addition, the GDPR will give data subjects a private right of action in EU courts, under which they can claim monetary damages from either data controllers or processors for harm caused by processing personal data.
All Australian agencies and organisations should use the next two years before the GDPR comes into effect to:
- consider the extent to which they might hold personal data about European residents and may fall within the definition of ‘data controller or ‘data processor’ for the purposes of the GDPR;
- determine the scope of their obligations under the GDPR, if any; and
- review their privacy policies and practices, to ensure that they remain consistent with current Australian requirements, as well as the GDPR to the extent that it applies.