The Regulators are becoming active – GDPR Developments

Although of relatively recent origin, the area of regulation around data protection, including by cyber attack, is a fast developing one. As more and more information is captured and transferred electronically, it is becoming more susceptible to misuse and abuse. Protection of collected personal information from misuse and abuse, and punishment of those who either misappropriate or are careless of information entrusted to them, has become an area of increased activity.

The European GDPR scheme is now a year old. The Australian notifiable data breach scheme less than two years old.

We have previously reported on the changes to the European GDPR Privacy regime. Click here to see that article.  That is a regime that applies to cyber and data breaches within the EU.  Although it is a European regime, it is relevant to, and extends to, Australian organisations that collect and transmit personal data internationally.

Penalties under the GDPR are significantly greater then currently under the Australian Privacy Act. There are, however, moves afoot in Australia substantially to increase penalties under the Australian regime. Click here to see our article of 10 April 2019.

In recent times, the European regulator has become very active in relation to data breaches which have occurred within the EU under its scheme. 

In the last few days British Airways was fined £183m for a breach of personal data of 500,000 of the airline’s customers.  That was the first fine under the new regime.

Additionally, a fine of £99.2m is currently being proposed against the Marriott Hotel chain for a breach of approximately 30 million guest records of residents of 31 countries within the EU.  About 7 million related to UK residents.

What is very clear is that in Europe, breaches are:

  • likely to attract the regulator’s attention; and
  • now very likely to be met with penalties, rather than any form of educational program.

This is relevant for Australian organisations conducting business in the EU and holding personal data of EU residents.  It sends a clear message that those Australian organisations whose activities may attract the GDPR, need to have policies in place to comply with it. While the existence of policies cannot ensure compliance, failure to do so inevitably increases the risk of breach.

It is also instructive for the way in which the OAIC may act in the future in Australia.  It is likely that the educational phase within Australia is drawing to a close and the likelihood is that penalties will more readily be imposed in the future where breaches have occurred. Coupled with that, there will be the attendant publicity and reputation hardship caused.

Lavan Comment

Australian organisations who conduct business in the EU or hold data about EU residents should be very mindful about the trends within the EU under the GDPR.  Other organisations who are subject only to the Australian regime ought to be mindful that what is occurring under the GDPR is likely to occur under the Privacy Act. Any organisation that does not have in place proper policies needs to take urgent remedial action to become compliant.