There are new data protection regulations coming into force on 25 May 2018 in the EU. If you do business in the EU, here’s what you need to know.
Data protection requirements in the EU and how they may apply to you
Like Australia, the European Union is getting tough with data protection and will introduce new requirements to the General Data Protection Regulation (GDPR) from 25 May 2018.
The GDPR may apply to Australian businesses regardless of their turnover whereas for the most part, the Australian Privacy Act 1988 only applies to Australian businesses with an annual turnover in excess of $3m. Furthermore, although many of the requirements of the GDPR are similar to the requirements set out in the Privacy Act, the GDPR does impose some additional requirements.
It is vital that Australian businesses that do business in the EU or with EU customers establish whether they are covered by the GDPR and if they are, ensure their practices are compliant when the requirements come into force.
Will the GDPR apply to my business?
The GDPR will apply to an Australian business which:
- has an establishment in the EU (for example, a sales or other office)
- has a sales agent in the EU offering goods and services to individuals
- visits the EU to offer goods and services to individuals (not companies) in the EU
- otherwise offers goods or services to individuals in the EU (for example, by advertising in a European publication)
- has a website offering goods or services to individuals in the EU (for example, by enabling ordering of goods or services in a European language, allowing payment in Euros or mentioning other customers in the EU)
- monitors spending patterns, preferences and other behaviour of individuals in the EU (for example, by analysing traffic on a website and other internet data analysis).
It is important to note that except where an Australian business has an establishment in the EU, it will only be caught by the GDPR if the business is targeting customers in the EU that are individuals as opposed to customers that are companies or other incorporated organisations.
Furthermore, an Australian business that has a distributor (as opposed to a sales agent) in the EU will not be caught by the GDPR unless any of the above scenarios also apply to the business. This is regardless of whether the distributor on-sells to EU customers that are individuals or companies. In such cases, the distributor itself may be caught by the GDPR.
If the GDPR will apply to current operations, can they be restructured to avoid it?
In light of the above, it is possible for an Australian business to restructure its EU operations to avoid the GDPR applying to the business when it commences. This could be done by the business, from May onwards, only dealing with companies and other incorporated organisations (and not individuals) in the EU, or by appointing distributors in the EU and only dealing with those distributors.
If the business has an establishment in the EU, it would also have to shift that establishment to another country outside of the EU.
If the business has a website offering goods or services in the EU, it should ensure that the website does not permit the placement of orders by individuals in the EU. This can be done by including on the website a statement to that effect or by providing for minimum volumes for orders which would effectively prevent placement of orders by individuals.
What if my business can’t avoid the GDPR? What information is subject to these requirements?
Similar to the Privacy Act, these requirements apply to “personal data” which includes any information that can be used to directly or indirectly identify a person. It can be anything from a name, a photo, an email or location address, bank details or customer identification number.
Like the Privacy Act, the GDPR includes additional protections for special categories of personal data including information relating to a person’s racial or ethnic origin, political opinions, religious or philosophical beliefs, sexual activity or orientation, health or genetic information.
It is important to understand that these requirements will apply to the above information collected or held by an Australian business caught by the GDPR regardless of where the information is processed.
If my business complies with the Privacy Act will it have to do anything extra to comply with the GDPR?
Although there are many similarities between the Privacy Act and the GDPR, there are a number of important differences. These include:
- additional governance requirements (which in some cases may include the obligation to appoint a “data protection officer” to monitor and advise on compliance)
- undertaking compulsory data protection impact assessments (DPIAs) prior to any data processing that is likely to result in a higher risk to the privacy of individuals
- keeping of records of processing of personal data (this does not apply to some smaller businesses)
- encouraging the use of codes of conduct for personal data protection prepared by individual businesses and approved by the EU Commission
- expanded rights of individuals (right to have personal data erased, right of data ‘portability’, right to object or restrict the processing of personal data).
Australian businesses caught by the GDPR will not simply be able to assume that by complying with the Privacy Act, they will also be complying with the requirements of the GDPR.
What do you need to do?
If you think your business is likely to be caught by the GDPR when it commences operation in May, you should restructure its European operations so that the GDPR will not apply to it or seek legal advice as soon as possible to ensure that the business’ practices are brought into line with the GDPR requirements.
If your business is caught by the GDPR when it commences but does not have an establishment in the EU, it will have to appoint a representative established in an EU member state to be the point of contact for supervisory authorities and individuals in the EU on all issues related to data processing, and to ensure compliance with the GDPR. However, there is an exception to this requirement where the Australian business only occasionally processes personal data and does not process special categories of personal data to any significant extent.
This would mean, for example, that an Australian business that only occasionally used personal data to process an order received from individuals in the EU would not need to appoint a representative in the EU for the purpose of compliance with the GDPR. However, the business would still otherwise have to comply with the GDPR requirements.
The cost of doing nothing
The potential costs of not complying with the GDPR are much higher than the costs of not complying with the Privacy Act. The GDPR provides for the imposition of fines on a business which contravenes the GDPR requirements. Many contraventions will attract a maximum penalty of €20 million or 4 per cent of the annual worldwide turnover of the business (whichever is greater).
For more specific information on any of the material contained in this article please contact Johanna Churchill on +61 8 8210 1236 or firstname.lastname@example.org. Johanna is a Board Member of Food South Australia and a partner of Norman Waterhouse Lawyers. She advises on a wide range of corporate and commercial matters and has a particular interest in the food industry. Norman Waterhouse Lawyers are an Associate Sponsor of Food South Australia.