New requirements under EU privacy laws

After extensive consideration, the EU’s new General Data Protection Regulation (Regulation) has now been finalised. Although it does not come into effect until 25 May 2018, it contains obligations which will affect some Australian organisations and which will take time to prepare for.

All Australian organisations, regardless of their size, will need to comply with the Regulation if they:

  • have an establishment in the EU;
  • offer goods and services in the EU; or
  • monitor the behaviour of individuals in the EU.

The Regulation applies to ‘personal data’, which is defined in Article 4 as “any information relating to an identified or identifiable natural person”. This definition is largely analogous to the definition ‘personal information’ in s 6(1) of Australia’s Privacy Act, which is defined as “information or an opinion about an identified individual, or an individual who is reasonably identifiable”.

Whilst many of the requirements under the Regulation overlap with requirements Australian companies already need to meet under Australian privacy laws, there are some additional obligations. The key differences are as follows:

Requirement to appoint a data protection officer

Under Article 37, the following entities will be required to designate a Data Protection Officer (DPO) as part of their accountability programme:

  • public authorities;
  • companies where the controller or processor’s core activities consist of the large-scale, regular monitoring of data subjects; and
  • companies where the controller or processor’s core activities consist of the large-scale processing of special categories of data.

The DPO will be responsible for monitoring and advising on compliance with the Regulation, as well as with the organisation’s internal privacy policies and procedures. Accordingly, the DPO will need to have sufficient expert knowledge of the processing activities for which they will be responsible.

An individual’s right to erasure and to be forgotten

Individuals will have the right to require data controllers to erase their data in certain circumstances, including, amongst others, where (per Article 17):

  • the information is no longer necessary for the purpose for which it was collected; or
  • the individual withdraws their consent and there is no other legal justification for processing their data.

When deleting personal data, data controllers are also required to take reasonable steps to inform other controllers also processing the same data of any links to, copies of, or replication of that data.

Right to data portability

Article 20 provides individuals with a right to:

  • receive personal data they provided to a controller in a “structured, commonly used, machine-readable format”; and
  • transmit that data to another controller, where the data is processed electronically.

This right only extends to data which the individual provided to the controller themselves, and the transfer can only occur where the individual consents, or where it is required for the performance of a contract.

Requirement of data breach notification

Under Article 34, all data controllers will be required to notify the appropriate Data Protection Authority without undue delay, and within 72 hours if feasible, where there has been a data breach leading to the loss, access or disclosure of personal data.

The individual to whom the data relates should also be notified if the breach is likely to result in a high risk to their rights and freedoms.

This is a lower threshold than under the new Australian requirement to notify of serious data breaches, and will therefore apply to a wider range of breaches.

Australian organisations should begin preparations now to ensure they are ready for the introduction of the Regulation in 2018. Organisations should:

  • review their data to assess the extent to which they hold data about European residents and so will be captured by the Regulation; and
  • determine the requirements and obligations to which they will be subject under the Regulation.

Organisations should also take this as an opportunity to review their current privacy policies and compliance with Australian privacy laws.

Disclaimer – the information contained in this publication does not constitute legal advice and should not be relied upon as such. You should seek legal advice in relation to any particular matter you may have before relying or acting on this information. The Lavan team are here to assist.