Will the EU’s new GDPR apply to your business?

The European Union General Data Protection Regulation (the GDPR) contains new data protection requirements that will apply from 25 May 2018 and will harmonise data protection laws across the EU.

What relevance does this have to Australian businesses?

Some Australian businesses may need to comply with the GDPR, in breach of which there are penalties of up to a maximum of €20 million or 4 per cent of annual worldwide turnover.

(Note: Not all Australian businesses are covered by the Australian Privacy Act 1988 (the Privacy Act). Many Australian businesses with annual turnover under $3 million are not covered by the Privacy Act.)

However, as a result of the GDPR, any Australian business, whether or not covered by the Privacy Act, will need to comply with the GDPR if they:

  • have an establishment in the EU (regardless of whether they process personal data in the EU), or
  • do not have an establishment in the EU, but offer goods and services or monitor the behaviour of individuals in the EU.

What do the laws of the GDPR mean?

The GDPR applies to the data processing activities of businesses, regardless of size, that are data processors or controllers. Generally speaking, a “controller” says how and why personal data is processed and a “processor” acts on behalf of the controller.

The GDPR privacy laws include some similar requirements to the Australian Privacy Act. Both laws foster transparent information handling practices and business accountability to give individuals confidence that their privacy is being protected. Both laws require businesses to implement measures that ensure compliance with a set of privacy principles, and data breach notification is required in certain circumstances under the GDPR and under the Privacy Act.

However, the GDPR includes a range of new and enhanced rights for individuals some of which have no equivalent under the Privacy Act, such as, the ‘right to erasure’ (which encompasses the ‘right to be forgotten’). The ‘right to erasure’ gives individuals a right to require data controllers to delete their data in certain circumstances.

In addition, data controllers and processors that are covered by the GDPR, but not established in the EU, will generally have to appoint a representative established in an EU member State as the point of contact for supervisory authorities and individuals in the EU on all issues related to data processing, to ensure compliance with the GDPR.

Therefore an existing Privacy Policy of an Australian business may not be enough in itself to comply with the GDPR.

So how do I know if my business might have to comply with the GDPR?

Q – I don’t have a presence in the UK but sometimes people from the UK (still in the EU for now) order goods or services from my Australian website?

A – If your website targets EU customers, for example by enabling them to order goods or services in a European language (other than English) or enabling payment in euros, you will have to comply with the GDPR.

However, inadvertent receipt of UK business to an English language website based in Australia may not fall within the GDPR.

The Regulator will consider whether it is apparent that the controller or processor envisages offering services to people in one or more Member States in the European Union.

While the mere accessibility of your website in the EU, or the use of English language in your Australian website in common with the language of a member EU state (the UK) is insufficient to ascertain such intention, factors such as the use of a language or a currency generally used in one or more EU Member States with the possibility of ordering goods and services in that other language, or the mentioning of customers or users who are in the EU, may make it apparent that you envisage offering goods or services to people in the EU and therefore you must comply with the GDPR.

Conclusion

If you have a business in the EU, or do business with people in the EU, you ought to obtain advice about how you can comply with the European Union General Data Protection Regulation or risk significant penalties – and remember, the GDPR is in effect from 25 May 2018.

If you need information or assistance about this or any Commercial Law matter please do not hesitate to contact one of our friendly and informed Commercial Lawyers at Your Gold Coast Lawyers, McLaughlins Lawyers.

Author/Director: Ian Kennedy

Date: 22 May 2018