By Tim de Sousa – Senior Consultant, elevenM and Veronica Scott – Special Counsel, Minter Ellison.
This article was originally published in issue #81 (5 December 2017) of Privacy Unbound, the journal of the International Association of Privacy Professionals, Australia-New Zealand (iappANZ).
The EU’s new and wide-ranging General Data Protection Regulation (GDPR) represents an unprecedented shakeup of the European data protection regulatory environment. The GDPR promises to set a new regulatory benchmark and drive reform in jurisdictions around the world. The GDPR will come into force on 25 May 2018, replacing the current EU Data Protection Directive 95/46/EC. It will have immediate direct effect in all EU Member States.
Australian companies with exposure to the European market should take note – the GDPR can and will apply to companies based outside of Europe. Australian-based companies should take this opportunity to confirm whether the GDPR will apply to them come May, or whether they need to prepare for GPDR compliance to access the European market in the future.
The costs of non-compliance may be extreme – the GDPR introduces a new set of sharp teeth for European regulators, including fines of up to €20 million or 4% of global revenue, whichever is the greater. However, the added burden of compliance promises to pose a challenge for many businesses working with limited resources.
Part 1 of this article will help you understand whether the GDPR will apply to your business. Part 2, will help you focus your efforts in preparing for the GDPR by identifying links and differences between the 13 Australian Privacy Principles and the GDPR’s 99 Articles.
The GDPR’s extra-territorial application
Critically for Australian companies, Article 3 of the GDPR extends the GDPR to any company that controls or processes the personal information of individuals in the EU (whatever their nationality or place of residence) if the processing is related to offering goods or services or monitoring their behaviour, whether or not the company is located in the EU or the processing occurs in the EU.
For the purposes of the GDPR, a data ‘controller’ determines the purposes and means of the personal information, and the ‘processor’ processes the information on their behalf. ‘Processing’ is not a term found in Australian privacy law. The term is broadly defined and essentially means any act or practice that is done to, or in connection with, personal information.
Therefore, Australian companies that service or supply European clients, or otherwise offer goods or services to or monitor the behaviour of individuals in the EU that takes place in the EU, need to assess their client and individual customer bases, operations, systems and processes to answer three key questions:
- Do you have an ‘establishment’ in the EU? (Article 3.1)
- Do you offer good or services to individuals who are in the EU (whether or not you charge for them) ? (Article 3.2(a))
- Do you monitor any behaviour of individuals in the EU? (Article 3.2(b)
Article 4 provides that the main establishment of a data controller is the “place of its central administration” in the EU. That is, where the “decisions on the purposes and means of the processing” occur. For example, if you have an EU office or headquarters.
For processors, the main establishment will be either the place of central administration in the EU or, if the processor does not have one, then where the main processing activity in the EU takes place. For example, if you have your head office in Australia, but maintain an EU data centre.
Offering goods and services
The GDPR recitals explain that a range of factors will be relevant to deciding whether a company is ‘offering goods or services’ to individuals in the EU. These include:
- the use of language and currency or a top-level domain name of an EU Member State
- delivery of physical goods to a Member State
- making references to individuals in a Member State to promote the goods and services, or
- targeting advertising at individuals in a Member State.
Mere accessibility of an Australian company’s website or app to individuals in the EU will not, by itself, reach the threshold.
Some of these factors obviously indicate that goods and services are being offered. But it may ultimately be the cumulative effect of various activities that bring a company’s data processing within the reach of the GDPR.
To determine whether a processing activity can be considered to be ‘monitoring’ the behaviour of individuals in the EU for the purposes of Article 3.2(b), you should consider whether your company is:
- associating individuals in the EU with online identifiers provided by their devices, applications, tools and protocols, such as IP addresses and cookie identifiers
- tracking their behaviour on the Internet, and
- using data processing techniques that profile individuals, particularly in order to make decisions concerning them for analysing or predicting their personal preferences, behaviours and attitudes.
European data protection authorities will have increased supervisory powers under the GDPR. However, the question of how those authorities will approach extraterritorial enforcement against companies established and operating outside the EU is far from settled.
GDPR Article 50 imposes obligations on the EU Commission and authorities to take appropriate steps to cooperate with international stakeholders. In recent years, there has been increasing cooperation between authorities. Under the GDPR, it is likely that EU authorities will liaise with the Australian privacy regulator – the Office of the Australian Information Commissioner (OAIC) – when responding to data processing by an Australian company. This may in turn trigger regulatory action by the OAIC or a cooperative effort to effect an appropriate response. Any evidence of a company’s presence in or nexus with an EU Member State may influence the potential for cross-border enforcement action.
How can you prepare?
If any of your answer to the three questions above is ‘yes’, then you will need to consider:
- what are the risks from gaps in your current compliance under Australian privacy law against the GDPR requirements, and
- what additional steps you need to take to ensure that you can comply with additional GDPR requirements, or
- whether you need to cease any activities in relation to individuals in the EU to which the GDPR will apply and/or restructure your EU operations