William Roberts Lawyers principal Robert Ishak and lawyer Eric Vuu have provided an overview of general data protection regulation, including how to make sure your organisation complies.
What is it?
In 1995, the European Union (EU) adopted the Data Protection Directive (95/46/EC) which protected the rights of individuals with “regard to the processing of [their] personal data and on the free movement of such data.”
It has since been superseded by the General Data Protection Regulation (GDPR), which came into force on 24 May 2016 and applies as at 25 May 2018. As explained by the European Commission, the GDPR was designed with the intention to “enhance data protection rights of individuals and to improve business opportunities by facilitating the free flow of personal data in the digital single market.”
In its Joint Statement on the adoption of the GDPR, the European Commission submitted that the “new rules will ensure that the fundamental right to personal data protection is guaranteed for all ... [and will] foster trust in online services by consumers and [provide] legal certainty for businesses based on clear and uniform rules."
Ambit of the GDPR
The GDPR has a deliberately wide extraterritorial reach, and its ambit embraces companies who have an establishment in the EU, or do not have an establishment in the EU, but otherwise offer goods and services or monitor the behaviour of individuals within the EU. Illustrative examples are helpfully provided by the Office of the Australian Information Commissioner (OAIC), but as Hern correctly observes, the GDPR “affects every company, but the hardest hit will be those that hold and process large amounts of consumer data.”
Does your organisation already comply?
The OAIC has observed that the GDPR shares similar obligations with our Privacy Act 1988 (Cth).
Although coextensive in some respects, Australian businesses should not assume that compliance with the domestic legislation will ensure compliance with the GDPR. For example, under GDPR Article 17, individuals have the “right to be forgotten” – there is no statutory analogue of this article under our domestic legislation (see below).
There are also a variety of “dissuasive” sanctions that can be imposed under the GDPR, and specifically under Article 83, the maximum penalty for severe breaches includes a fine of up to 20 million euros, or 4 per cent of annual worldwide turnover of the preceding financial year (whichever is greater).
Although this article will not attempt to outline the various obligations imposed by the GDPR, it is important to briefly identify, at a high level, some individual rights that have been introduced (beyond the Privacy Act 1988 (Cth)).
In contrast to our domestic legislation:
1. Individuals have the right to be forgotten - Under certain circumstances, including where the data ceases to become relevant for the original purpose, individuals are entitled to have their data erased (Article 17 of the GDPR)
2. Individuals have the right to data portability - That is, to receive their personal data which has been previously provided, and to transmit that data to another data controller (Article 20 of the GDPR)
3. Individuals have the right to object - Individuals have the right to object, at any time, to the processing of personal data, and if such an objection is raised, the controller of the data must not process it unless it can be demonstrated that there are “compelling legitimate grounds for processing” (Article 21 of the GDPR)
It is important therefore, that organisations undertake a rigorous evaluative process to determine whether their current systems are capable of upholding all the articles of the GDPR that are applicable to them.