Australian entities looking to do business within the European Union must recognise the requirements of the EU General Data Protection Regulation and foreign privacy laws.
In 2018, the General Data Protection Regulation (GDPR) was introduced to give individuals greater autonomy over how their data is collected, utilised and protected online. The law also imposes strict new rules on organisations regarding the use and security of personal data they collect.
Although the GDPR and the Australian Privacy Act 1988 share many similarities, there are some notable differences that Australian entities should be aware of, such as the ‘right to be forgotten’, which currently does not exist in the Australian framework.
When does the GDPR apply?
Australian businesses operating under the Australian Privacy Act may need to comply with the GDPR if they:
- have an establishment in the EU (regardless of whether they process personal data in the EU)
- are not established in the EU, but offer goods or services in the EU
- monitor the behaviour of individuals in the EU.
Examples of Australian businesses that may be captured by the GDPR include a business with an office in the EU, a business whose website refers to customers or users in the EU, or a business that targets EU customers through methods such as enabling them to order products in a European language (non-English) or permitting payment in euros.
What information is affected by the GDPR?
Like ‘personal information’ in the Privacy Act, the GDPR applies to ‘personal data’, meaning any information relating to an identified or identifiable person. The GDPR provides many examples of identifiers that are considered ‘personal data’, such as an online identifier, location data or factors unique to the cultural, economic, genetic, mental, physical, physiological, or social identity of a natural person.
Additional protections are afforded to the processing of ‘special categories’ of personal data, which include information in connection with racial or ethnic origin, political opinions, religious or philosophical beliefs, biometric data, or data concerning a person’s health.
There are two notable exceptions to the GDPR’s application outside of the EU. The first is that the GDPR does not apply to the processing of personal data by a person in the course of a purely personal or household activity, that is, one with no connection to a professional or commercial activity.
The second exception applies to organisations with fewer than 250 employees. Although not providing a total exemption, the regulation releases organisations of this size from record-keeping obligations in most circumstances.
Given our national privacy law landscape, Australian businesses may already have some of the measures in place that are required by the GDPR. Regardless, they should assess their information handling practices and governance structures and, where necessary, seek legal advice.
If you are seeking advice in this area, please contact a member of our corporate advisory team.