From the day you are born, your personal information is gathered and stored in databases run by both private and government entities: hospitals, schools, banks, public registries, and the businesses you have dealt with in the past or deal with now. Advanced software and applications have made doing business with these institutions considerably easier and more efficient. With a few clicks or the swipe of a card, transactions are completed almost instantaneously, retailers and service providers can attend to your needs in real time, and you can wire money to and from remote locations around the world.
Computer technology has been one of the most important drivers of economies worldwide. The downside is that the collection and storage of your personal information can itself be an intrusion on your privacy, and the data gathered about you is prone to abuse and misuse by individuals and organised groups with criminal intent. If the systems that hold it are poorly secured, they may be breached and your data may fall into the wrong hands, putting you at risk.
This concern calls for government intervention to ensure that your privacy is protected. The European Union (EU), for one, has moved to update, strengthen and harmonise the privacy laws that protect individuals in the EU, and the result is the General Data Protection Regulation (GDPR).
What is GDPR?
To strengthen the rules governing the collection and use of personal information and protect it from abuse and breaches, the European Union adopted the General Data Protection Regulation (GDPR), which replaces the 1995 Data Protection Directive and applies from 25 May 2018.
How will GDPR affect Australian-based businesses?
Australia has its own privacy law, the Privacy Act 1988 (Cth), which was significantly amended and strengthened by the Privacy Amendment (Enhancing Privacy Protection) Act 2012.
Schedule 1 of the Privacy Act contains the Australian Privacy Principles (APPs), which govern the collection, use, handling and management of personal information by Australian government agencies; private-sector and not-for-profit organisations with an annual turnover of more than $3 million; private health service providers; and certain other small businesses, such as those that trade in personal information. These are collectively called APP entities. The Privacy Act covers businesses incorporated in Australia as well as foreign entities that carry on business in Australia and collect or hold personal information in Australia.
In effect, even if your business is not based in an EU member state, the GDPR applies to you if you offer goods or services to individuals in the EU, or monitor their behaviour, and process their personal data in doing so, for example through a website that serves EU visitors. What matters is where the individual is, not their citizenship. If you believe your business falls into this category, you must confirm that you are covered by the GDPR and take the measures necessary to be compliant by 25 May 2018. Generally, a business with no establishment in the EU that is subject to the GDPR must appoint a representative established in the EU to act as its point of contact for supervisory authorities and individuals on matters relating to its data processing activities.
What are the differences between the Australian Privacy Act and the EU GDPR?
Generally, the Australian Privacy Act resembles the EU GDPR, as they share the common goal of protecting the privacy of personal information. However, there are two notable distinctions between the two laws.
Under the Australian Privacy Act, most businesses with an annual turnover below $3 million need not comply. Under the GDPR, every business that meets its criteria must comply regardless of revenue, and both data controllers and data processors, whether EU-based or not, are covered.
The GDPR imposes far higher penalties for breaches of the regulation. The most serious infringements attract fines of up to €20 million or 4% of the company's total worldwide annual turnover for the preceding financial year, whichever is higher. By contrast, the highest civil penalty under the Australian law is $2.1 million.
Other Features and Enhancements
Other enhancements in the GDPR concern how consent to collect data must be obtained, and how individuals must be explicitly told what personal information you are collecting and why you are collecting it.
The most notable enhancement is the right to request erasure of personal information, or restriction of its use, when it is no longer needed for the purpose it was collected for or when the individual withdraws consent. This is the 'right to erasure', commonly called the 'right to be forgotten'.
Data Breach Notification
Data controllers must notify the relevant supervisory authority of a personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals' rights and freedoms. Where the breach is likely to result in a high risk to individuals' rights and freedoms, the affected individuals must also be informed without undue delay.
Australia moved first: its mandatory breach notification regime, the Notifiable Data Breaches scheme, commenced on 22 February 2018, well ahead of the date set for the GDPR. Notifiable breaches are reported to the Office of the Australian Information Commissioner (OAIC), which administers the scheme.
The GDPR's application date of 25 May 2018 has caused a frenzy among Australian businesses and organisations. Regardless of whether you are EU-based or established and operating elsewhere, if you gather and use the personal data of individuals in the EU in the course of offering them goods or services or monitoring their behaviour, you are covered by the GDPR.
You may have access to appropriate technology, adequate resources and IT experts to handle the GDPR's requirements; however, some features of the law can cause confusion. In that case, your best course is to consult our legal team, who can help you understand not only your responsibilities but your rights as well.
Being GDPR compliant can give you a competitive advantage and ensures that your business complies with the legislation that applies to it. Contact our team to discuss your GDPR options or for any further information you may require.
The information provided in this article is for general information and educative purposes in summary form on legal topics which is current at the time it is published. The content does not constitute legal advice or recommendations and should not be relied upon as such. Whilst every care has been taken in the preparation of this article, FC Lawyers cannot accept responsibility for any errors, including those caused by negligence, in the material. We make no representations, statements or warranties about the accuracy or completeness of the information and you should not rely on it. You are advised to make your own independent inquiries regarding the accuracy of any information provided on this website. FC Lawyers does not guarantee, and accepts no legal responsibility whatsoever arising from or in connection to, the accuracy, reliability, currency, correctness or completeness of any material contained in this article. Links to third-party websites or articles do not constitute any endorsement or approval of those sites or the owners of those sites. Nothing in this article should be construed as granting any licence or right for you to use that content. You should consult the third party's terms and conditions of use in relation to any third-party content. FC Lawyers disclaims all responsibility and all liability (including liability for negligence) for all expenses, losses, damages and costs you might incur as a result of the information being inaccurate or incomplete in any way. Appropriate legal advice should always be obtained in actual situations.