Insight 4 July 2017

EU data protection laws overhauled – does this affect my business in Australia?

If you have an establishment in the European Union (EU), offer goods and services in the EU, or monitor the behaviour of individuals in the EU, then the answer is probably yes, and you should certainly read on.

The new EU General Data Protection Regulation (GDPR) applies from 25 May 2018, and businesses around the world are reviewing and updating their data handling practices to be ready to comply. This is because the GDPR can apply to businesses outside the EU, and the penalties for non-compliance are significant (in certain circumstances, up to €20 million or 4% of global annual turnover for the preceding financial year, whichever is higher).

So, with a little over 10 months to go before the new regime applies, we recommend that Australian businesses think about whether they are caught, and if so, start planning for the legal and operational changes that are required to comply with GDPR.

Some familiar concepts

There are many similarities between the GDPR and the Australian Privacy Act 1988 (Cth), including:

  • The need for transparency and the importance of privacy by design.
  • The need to be able to demonstrate compliance with certain privacy principles.
  • The GDPR concept of personal data is largely analogous to the Australian concept of personal information. The GDPR also has extra protections for special categories of personal data that are similar to Australian sensitive information (e.g. information about racial or ethnic origin, health, sexual orientation, political opinions etc.).
  • The importance of consent when dealing with personal data.

This makes the initial task of understanding what sort of data is caught, and therefore whether the GDPR is likely to be relevant to the data that your business handles, relatively straightforward. Having passed through that gating process, the question then becomes whether you have sufficient nexus with the EU, or with the data or behaviour of individuals in the EU, to be caught, and if so, what different obligations apply.

Some new concepts

There are some key differences between the Australian regime and the GDPR that could trip up an unwary business. Some of these differences are:

  • Australian businesses of any size may need to comply with the GDPR (whereas the Australian Privacy Act exempts most small businesses with an annual turnover of $3 million or less).
  • The concepts of data controllers and data processors will not be familiar to many Australian businesses, but they are fundamental to understanding the GDPR. You will need to identify which term applies to your business and (most likely) appoint a representative in an EU Member State to field communications from EU regulators and individuals.
  • Under the GDPR, data controllers must notify the supervisory authority of a personal data breach within 72 hours of becoming aware of it (exceptions apply). Under Australia's new mandatory data breach notification laws (effective 22 February 2018), an entity must notify the Australian Information Commissioner and affected individuals as soon as practicable (exceptions apply), which will in most cases be a more generous time frame than the 72 hours required by the GDPR.
  • The GDPR contains a 'right to be forgotten': a right for an individual to require the deletion of their personal data on request in specific circumstances. There is no similar right under Australian law.
  • The relationship between a data controller and a data processor (as those terms are understood under the GDPR) must be recorded in a contract containing certain mandatory clauses.
  • Under the GDPR, an individual can require a data controller to provide the individual's personal data in a commonly used, machine-readable format so that it can be ported to a new data controller.

Transferring overseas

Under Australian Privacy Principle 8 (APP 8), an entity disclosing personal information to an overseas recipient must generally take reasonable steps to ensure that the recipient does not breach the APPs, and can be held responsible for the recipient's failure to comply with them.

The GDPR permits personal data to be transferred outside the EU only to countries that have been recognised as providing an adequate level of data protection, or where specific safeguards are in place. Australia is not currently recognised as adequate in this regard, so transfers of personal data from the EU to Australia generally require such safeguards. These safeguards include (but are not limited to) the following:

  • binding corporate rules are in place for intra-group transfers, and
  • the data controller has entered into certain standard-form data protection clauses with the recipient.

Next steps

This note is not intended to be exhaustive. A good starting point if you think you might be affected by the GDPR is the guidance prepared by the Office of the Australian Information Commissioner (OAIC). The next step is seeking legal advice, particularly if you are involved in international data transfer arrangements with EU Member States. If you are caught, there are significant legal and operational requirements that you will need to take into account.

We have experience in preparing policies and data sharing agreements that meet the requirements of both regimes (including provisions that automatically accommodate the GDPR).

For further information on any of the issues raised in this alert please contact us.

This publication covers legal and technical issues in a general way. It is not designed to express opinions on specific cases. It is intended for information purposes only and should not be regarded as legal advice. Further advice should be obtained before taking action on any issue dealt with in this publication.

About the authors

  • Alex Hutchens, Partner
  • Paul McLachlan, Strategic Adviser
  • Belinda Breakspear, Partner
  • John Kettle, Partner

© 2017 McCullough Robertson.