By Tim de Sousa – Senior Consultant, elevenM and Veronica Scott – Special Counsel, Minter Ellison.
This article was originally published in issue #81 (5 December 2017) of Privacy Unbound, the journal of the International Association of Privacy Professionals, Australia-New Zealand (iappANZ).
In Part 1 of this article our aim was to help you understand whether the GDPR applies to your business. In Part 2 we will help you focus your efforts in preparing for the GDPR by identifying links and differences between the 13 Australian Privacy Principles and the GDPR’s 99 Articles.
Gap analysis – Comparing the GDPR and Australian Privacy Principles
If the GDPR is likely to apply to your data processing, understanding the gaps in your current privacy framework will be critical. A gap analysis can help you identify the key areas to focus on.
The GDPR shares some thematic similarities with Australia’s national privacy regulatory regime, set out in the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).
The GDPR and the Privacy Act share a similar purpose – to foster transparent information handling practices and business accountability in relation to the handling of personal information. The two regimes take different approaches – the GDPR’s 99 articles are highly prescriptive, whereas the Privacy Act relies on a principles-based approach supplemented by extensive guidance.
However, the founding principles of the GDPR (the lawful, transparent and fair processing of personal data) laid out in Chapter III (Articles 5-11) and many of the GDPR’s express obligations align with the steps that the OAIC expects Australian companies to take to comply with the APPs (as set out in OAIC guidance). In short, best practice compliance with the APPs will help Australian companies support compliance with the GDPR.
There are some key differences – both in terms of legal concepts and additional data subject rights and corresponding obligations found in the GDPR. These are set out in the comparison table below.
Summary of the APPs vs the GDPR
The Australian Privacy Act applies to ‘APP entities’ – that is Australian and Norfolk Island government agencies (agencies) and private sector businesses (organisations) as well as credit providers and credit reporting bodies. Individuals and many ‘small business operators’ – businesses with an annual turnover of less than AUD $3 million – are exempt from the operation of the Act.
Unlike the GDPR, the Privacy Act does not distinguish between ‘data controllers’ and ‘data processors’ – any APP entity that holds personal information must comply with the APPs.
APP 1 — Open and transparent management of personal information
This first APP requires APP entities to manage personal information in an “open and transparent way”, including taking reasonable steps to ensure that they comply with the APPs.
APP 1 is similar in effect to GDPR Article 5 Principle 2, which requires controllers to be able to demonstrate compliance with the obligations set out in Principle 1. Principle 1(a) also requires data processing to be done in a “transparent manner”.
APP 2 — Anonymity and pseudonymity
APP 2 requires APP entities to give individuals the option of not identifying themselves, or of using a pseudonym, unless a listed exception applies.
There is no direct analogue to this provision in the GDPR. However, the GDPR may apply to pseudonymous information (see Recital 28).
APP 3 — Collection of solicited personal information
APP 3 outlines what personal information an APP entity can collect. In particular, this APP requires that organisations only collect personal information that is reasonably necessary or directly related to their functions or activities, by “lawful and fair means” and, where reasonable and practicable, directly from the individual. Higher standards are applied to the collection of ‘sensitive information’ (see comparison table below); specifically, sensitive information may only be collected with consent, or where a listed exception applies.
A comparison can be drawn here to GDPR Article 5, which requires that data be collected for “specified, explicit and legitimate purposes” and be processed “lawfully [and] fairly” (Principle 1(a) and (b)). The question of whether a company has a lawful basis for processing personal information is critical.
APP 4 — Dealing with unsolicited personal information
APP 4 requires APP entities to destroy or de-identify unsolicited personal information that they could not have otherwise collected under APP 3.
There is no direct analogue in the GDPR; however, it should be noted that the GDPR does not permit collection of personal data without a specified, explicit purpose.
APP 5 — Notification of the collection of personal information
APP 5 requires APP entities to notify individuals (or otherwise ensure that they are aware) of specified matters when they collect their personal information (for example, by providing individuals with a collection statement).
Again, GDPR Articles 12, 13 and 14 impose requirements for the provision of privacy information about how data is processed that are substantially similar to the matters specified in APP 5, as well as additional obligations (see APP 1, above). This includes a requirement that the information is clear and easy to understand. Australian companies should consider, for example, whether their privacy policies are written in plain English.
APP 6 — Use or disclosure of personal information
This APP outlines the circumstances in which an APP entity may use or disclose personal information that it holds. Where an APP entity has collected personal information for a specific purpose, and wishes to use it for a secondary purpose, APP 6 provides that entities may not do so unless the individual has consented, it is within their reasonable expectations, or another listed exception applies. Exceptions include circumstances involving health and safety and law enforcement.
GDPR Article 6 similarly requires that personal data may only be processed where the data subject has consented to one or more of the specific purposes of the processing, or the processing is otherwise lawful because another listed scenario applies, for example where the processing is necessary to perform a contract or to comply with a legal obligation.
APP 7 — Direct marketing
APP 7 provides that an organisation that is an APP entity may only use or disclose personal information for direct marketing purposes if certain conditions are met. In particular, direct marketing messages must include a clear and simple way to opt out of receiving future messages, and must not be sent to individuals who have already opted out. Sensitive information about an individual may only be used for direct marketing with consent of the individual.
GDPR Article 21 provides individuals with, amongst other things, the right to object to the use of their personal data for direct marketing.
APP 8 — Cross-border disclosure of personal information
This principle requires an APP entity, before it discloses personal information to an overseas recipient, to take reasonable steps to ensure that the recipient does not breach the APPs in relation to that information. Personal information may only be disclosed where the recipient is subject to a regulatory regime that is substantially similar to the APPs, where the individual has consented, or another listed exception applies. APP entities may be liable for the acts and practices of overseas recipients in certain circumstances (s16).
Chapter 5 of the GDPR provides that transfers of personal data outside of EU jurisdiction may only be made where the recipient jurisdiction has been assessed as ‘adequate’ in terms of data protection, where sufficient safeguards (such as a binding contract or corporate rules) have been put in place, or a listed exception applies. The European Commission has not, to date, assessed Australia as ‘adequate’, but the Commission is currently reviewing its adequacy assessments.
APP 9 — Adoption, use or disclosure of government related identifiers
APP 9 provides that an organisation that is an APP entity may not adopt a government related identifier of an individual as its own identifier, or use or disclose such an identifier, unless a listed exception applies. There is no direct analogue to this provision in the GDPR.
APP 10 — Quality of personal information
APP 10 requires APP entities to take reasonable steps to ensure the personal information it collects, uses or discloses is accurate, up to date and complete.
Accuracy and currency of the information are mentioned in GDPR Article 5 (Principle 1(d)); “every reasonable step must be taken” to ensure that inaccurate personal data is “rectified without delay”.
APP 11 — Security of personal information
This APP requires APP entities to take reasonable steps to protect personal information they hold from misuse, interference and loss, and from unauthorised access, modification or disclosure. This provision is a frequent focus of investigations into APP entities conducted by the Australian Information Commissioner.
GDPR Article 5 similarly requires that data processing be undertaken in a manner “that ensures appropriate security of the data” (Principle 1(f)). Further, Article 32 requires the data controller and the processor to implement appropriate technical and organisational measures to ensure a level of security appropriate (taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes). Those measures must also address the confidentiality, integrity and availability of the data.
APP 11.2 provides that APP entities must also take reasonable steps to destroy or de-identify personal information that they no longer require for a lawful business purpose.
GDPR Article 5 imposes a similar storage limitation – personal data may be “kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed” (Principle 1(e)). However, the GDPR also explains that “personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1)”.
APP 12 — Access to personal information
APP 12 requires APP entities to give an individual access to the personal information about them that the entity holds, on request by that individual. APP 12 imposes procedural requirements around access, and includes limited exceptions.
Article 15 of the GDPR imposes a similar right of access, with additional rights to know information about the collection and envisaged use of the data (such as recipients or potential recipients, likely storage period, and safeguards for overseas transfers).
APP 13 — Correction of personal information
APP 13 requires APP entities to take reasonable steps to correct personal information they hold about an individual, on request by the individual. This APP also imposes procedural requirements and includes limited exceptions.
GDPR Article 16 imposes a similar but stronger right; data subjects have the absolute “right to obtain…without undue delay the rectification of inaccurate personal data concerning [them]”.
GDPR rights that are not in the APPs
None of the APPs provides an express right to erasure, a right to restriction of processing, a right to data portability or a right to object. The GDPR provides for these rights in Articles 17, 18, 20 and 21.
Complementary APP v GDPR legal concepts comparison table