Pri­va­cy — It is every­one’s business

Even if you have no inter­est in pri­va­cy law, you would need to be liv­ing on a plan­et in a galaxy far, far away not to be aware of the GDPR.

GDPR

The GDPR (Gen­er­al Data Pro­tec­tion Reg­u­la­tion), came into oper­a­tion on 25 May 2018. Dur­ing the weeks lead­ing up to that date, many of us received a slew of emails inform­ing us that the sender has updat­ed its pri­va­cy pol­i­cy or online terms and con­di­tions of business.

Whilst the GDPR is a crea­ture of the Euro­pean Coun­cil and Par­lia­ment and, as such, must be com­plied with across all 28 mem­ber states, many Aus­tralian busi­ness­es have been scram­bling to under­stand whether and, if so, to what extent the GDPR applies to them.

FOR­EIGN APPLICATION

As a ​“for­eign” law why should the GDPR con­cern an Aus­tralian business?

Like many US laws (includ­ing, the For­eign Cor­rupt Prac­tices Act), the GDPR also applies out­side its juris­dic­tion, in this case, the EU and so Aus­tralian busi­ness­es— even those that have no estab­lish­ment in the EU — may be oblig­ed to com­ply with cer­tain parts of the Regulation.

As regards non-EU based busi­ness­es, the GDPR extends to such busi­ness­es that process per­son­al data of EU data sub­jects, where the pro­cess­ing activ­i­ties are relat­ed to (a) offer­ing goods or ser­vices to EU sub­jects (even where no pay­ment is made); or (b) mon­i­tor­ing the behav­iours of EU subjects.

Key to the appli­ca­tion of the GDPR to Aus­tralian busi­ness­es with­out an estab­lish­ment in the EU are the con­cepts of data pro­cess­ing, offer­ing goods or ser­vices to EU sub­jects and mon­i­tor­ing the behav­iours of EU subjects.

DATA PRO­CESS­ING

Data pro­cess­ing is a wide­ly defined term, which includes any oper­a­tion which is per­formed on per­son­al data, such as the col­lec­tion, record­ing, organ­i­sa­tion, stor­age, adap­ta­tion, alter­ation, retrieval, con­sul­ta­tion, use, dis­clo­sure by trans­mis­sion, of per­son­al information.

It would be a tru­ly unique Aus­tralian enter­prise, which receives (as part of its busi­ness) per­son­al infor­ma­tion of EU sub­jects, that could legit­i­mate­ly con­tend that it is not a data processor.

OFFER­ING GOODS OR SER­VICES TO EU SUBJECTS

The GDPR pro­vides some lim­it­ed guid­ance as to whether a busi­ness offers goods or ser­vices to EU sub­jects. In short, it states that one should con­sid­er whether it is “…appar­ent that the busi­ness envis­ages offer­ing goods or ser­vices to data sub­jects…” in one or more EU mem­ber states. 

The mere fact that EU sub­jects have access to a busi­ness’ web­site in the EU, or to an email address or of oth­er con­tact details, is insuf­fi­cient to ascer­tain such intention.

Exam­ples of where a non EU based busi­ness will be regard­ed as offer­ing goods or ser­vices to EU sub­jects would include:

• an Aus­tralian busi­ness whose web­site tar­gets cus­tomers, for exam­ple by enabling them to order or place an order for ser­vices in a Euro­pean lan­guage (oth­er than Eng­lish) or by enabling pay­ment in Euros;

• an Aus­tralian web­site that mon­i­tors cus­tomers or users in the EU;

MON­I­TOR­ING THE BEHAV­IOURS OF EU SUBJECTS

Mon­i­tor­ing behav­iour in this con­text would arise where, for exam­ple, the busi­ness tracks indi­vid­u­als in the EU on the inter­net and uses data pro­cess­ing tech­niques to pro­file indi­vid­u­als, to analyse and pre­dict per­son­al pref­er­ences or behav­iours etc.
If, as a result of the above, a non EU based busi­ness is sub­ject to the GDPR, it is nec­es­sary to deter­mine which pro­vi­sions apply to the business.

The good news is that if you com­ply with the Aus­tralian pri­va­cy laws and prin­ci­ples, you are like­ly (at least on the face of it) to be com­pli­ant with many of the GDPR require­ments. But there are oblig­a­tions with­in the GDPR that have no sim­i­lar coun­ter­part in the Aus­tralian leg­is­la­tion and, even where there are sim­i­lar pro­vi­sions, some of the GDPR pro­vi­sions are more oner­ous than their coun­ter­part pro­vi­sions in our law.

WHAT SHOULD AUS­TRALIAN BUSI­NESS­ES DO?

Stat­ing the obvi­ous, it is impor­tant that Aus­tralian busi­ness­es — if they have not already done so— ensure that they are ful­ly com­pli­ant with the Aus­tralian Pri­va­cy Prin­ci­ples and the Pri­va­cy Act. Whether or not the GDPR is applic­a­ble to your busi­ness, whilst an impor­tant con­sid­er­a­tion, should not detract from ensur­ing com­pli­ance with Aus­tralian law.

But com­pli­ance with Aus­tralian law is not lim­it­ed to hav­ing in place a com­pli­ant pri­va­cy pol­i­cy and suit­able online terms and con­di­tions of busi­ness — it is much more than that.

Com­pli­ance includes hav­ing appro­pri­ate sys­tems, pro­to­cols, tech­ni­cal and organ­i­sa­tion­al mea­sures in place to ensure or to at least facil­i­tate the prop­er col­lec­tion of per­son­al data and the pro­tec­tion of such data against unau­tho­rised or unlaw­ful access, dis­clo­sure, loss or pro­cess­ing. It is dur­ing a con­sid­er­a­tion of these issues that Aus­tralian busi­ness­es should also con­sid­er and then deter­mine what aspects of the GDPR apply to them. Only then will busi­ness­es be in a posi­tion to know whether they actu­al­ly have in place sys­tems and process­es that will mean­ing­ful­ly assist them to com­ply with applic­a­ble Aus­tralian pri­va­cy law and the GDPR.

In our next issue, we will describe the var­i­ous require­ments that non EU based busi­ness­es, to which the GDPR applies, need to com­ply with.