Guidance: The new EU General Data Protection Regulation: Implications for Australia


Introduction

After years of negotiations, the new EU General Data Protection Regulation (GDPR) was passed in 2016, bringing with it wide-reaching changes to the EU data protection regime which has been in place for over 20 years under the EU's Directive 95/46/EC. Much has been written about the changes (which come into effect in May 2018) and the wrangling that has preceded the final compromise, but what effect, if any, will the new GDPR have for non-EU countries like Australia?

Key take-aways:

- Australian organisations could be covered by the GDPR if their services are targeted at EU residents or they monitor their behaviour.
- A new definition of consent means that it will become difficult to rely on pre-ticked boxes, opt-out provisions or bundled consents. Australian entities should consider the extent to which they comply with this definition when relying on consent under the Australian Privacy Act.
- Information must be provided in a way which is concise, transparent, intelligible and easily accessible. It is possible that the Australian Privacy Commissioner will expect the same standard of disclosure from Australian organisations.
- To encourage compliance, the EU regulator will be able to impose much higher penalties than before, with the higher penalty regime being fines up to 20 million Euro or 4% of annual group turnover. The imposition of high penalties for significant violations may encourage the Australian regulator to take similar action.
- Data security measures are specified to include restoring availability and access and a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures. The Australian Privacy Commissioner may incorporate similar expectations into the interpretation of reasonable steps for the purposes of APP 11.
This whitepaper highlights some of the new provisions in the GDPR which are most relevant for Australian organisations.

You might be covered

Perhaps the most important change for Australian organisations is the extension of the scope of the new GDPR to include businesses with no physical presence in the EU. The GDPR will apply to non-EU-based controllers who target services to EU residents (e.g. through a website) or monitor their behaviour (e.g. through cookies). This could be your organisation.

This extended scope reflects the expansionary view of jurisdiction taken by other regulators, including the Australian Privacy Commissioner, as demonstrated in the Ashley Madison data breach investigation. The Australian Privacy Commissioner determined that the Australian Privacy Act 1988 (Cth) applied to Ashley Madison, a Canadian company with no office or other physical presence in Australia and whose breached data servers were also located in Canada. The relevant considerations were that Ashley Madison advertised in Australia, targeted its services at Australian residents, and collected information from people in Australia. These activities were deemed to be sufficient for it to be carrying on business in Australia and so within the operation of the Australian legislation. On this basis, many organisations without any physical presence in Australia may be covered by the Privacy Act. Similarly, Australian organisations may be covered by the new European data protection laws, which explicitly apply to organisations that target services to EU residents in the same way as Ashley Madison. So, be careful!

Stricter definition of consent

Consent will be defined as "any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her". This new definition suggests that bundled consents, opt-outs and pre-ticked boxes may no longer be appropriate.
To be freely given, individuals must also have a genuine choice as to whether or not to give their consent. Currently, there is a limited definition of consent in the Australian Privacy Act (i.e. it means either implied or express consent). In the future, the issue of what is consent for the purposes of the Australian Act may well be interpreted on the basis of the requirements of the GDPR.

Right to withdraw consent

Individuals will have the right to withdraw consent, which will make any processing on the basis of consent highly risky. Once consent is withdrawn, data subjects have the right to have their personal data erased and no longer used for processing. The rules around withdrawal of consent are not clear in Australia, but care should be taken in those situations where relying on consent, for example, where disclosing personal information to overseas service providers or collecting sensitive personal information.

Additional rights for individuals

The GDPR expands data subjects' existing rights such as the right to access, the right to rectification and the right to object. The GDPR also introduces important new rights for data subjects, including the right to erasure, the right to data portability and the right to restrict processing. Although it is not likely that these extended rights will be introduced into the Australian legislation, they certainly set a higher bar for how entities must deal with personal information and may become relevant in a practical sense if individuals in Australia expect the same protections, particularly in regard to rights such as the right to be forgotten.

Restrictions on profiling

There are important new provisions covering the automated processing of data, including the right for individuals to object to decisions based solely on profiling. Australian entities should be aware of these provisions as they may be used by the Privacy Commissioner in considering what might be an allowable use of personal data under the Australian Privacy Act.

Guidance: EU GDPR v1.0 July 2017

Concise, transparent, intelligible and easily accessible

As well as specifying certain additional information that must be provided to individuals, controllers and processors are required to give that information in a concise, transparent, intelligible and easily accessible form, using clear and plain language. This may become the expected standard for communicating with individuals in Australia. As well, it is worth considering the additional information required to be provided under the GDPR and whether it would be prudent to include the same sort of information in Australian privacy policies and collection notices.

Security

The new GDPR provides specific requirements for the appropriate technical and organisational measures that need to be taken by data processors, including:

- the pseudonymisation and encryption of personal data;
- the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
- the ability to restore availability and access to personal data in a timely manner in the event of a physical or technical incident; and
- a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

Australian entities that hold or process personal information should consider whether they meet these requirements, which could be referred to by the Australian Privacy Commissioner when considering whether entities have taken reasonable steps to secure personal information for the purposes of Australian Privacy Principle 11.

Data breach notification

Controllers will have to report data breaches to the relevant supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach (unless the breach is unlikely to result in a risk for data subjects' rights and freedoms). Affected data subjects must be notified of a breach without undue delay if the breach is likely to result in a "high risk" for their rights or freedoms. The currently proposed Australian data breach notification obligations are different to these requirements, but valuable guidance might be provided by the EU regulators on how to assess the risk to individuals from a data breach, a concept which underpins the Australian provisions.

Enforcement and penalties

The GDPR will harmonise the tasks and powers of supervisory authorities and significantly increase fines. There will be a new two-tier system with major penalties (20 million Euros or 4% of annual group turnover, whichever is higher) and lesser penalties (10 million Euros or 2% of annual group turnover, whichever is higher). The hefty fines and penalties for infringement have been one of the most talked-about features of the new regulation. It is hoped that they will encourage greater investment in compliance. Fines at the higher threshold will apply to more serious violations, including violating basic principles for processing data, consent, and data subjects' rights. The lower tier fines apply to obligations such as data breach notification and appointment of a data protection officer.

Other changes

Some other changes that are worth noting:

- Most data processors and controllers must have a Data Protection Officer who has a number of specified obligations and duties. These may be worth noting for Privacy Officers appointed by Australian organisations;

- Privacy by design and data protection impact assessments are now required. The Australian Privacy Commissioner has made it clear that these should be part of an organisation's Privacy Management Framework. Australian entities would be wise to start moving towards implementation of both of these important governance elements; and
- Cross-border transfers from the EU will in many ways be simplified. The adequacy rule for transfers from the EU is unchanged and there is no suggestion that Australia might be regarded as an adequate jurisdiction. However, given the more stringent requirements of the GDPR, an Australian-based entity transmitting personal information to an EU country can continue to rely upon APP 8.2(a)(i).

Conclusion

There are many reasons why Australian organisations should be aware of and consider the extent to which they might voluntarily adopt some of the changes to be introduced under the new GDPR. In particular, it is likely that the provisions in the new GDPR will influence the Australian Privacy Commissioner's approach to the interpretation and application of the Australian Privacy Principles, particularly in view of the growing international co-operation between privacy regulators in responding to data breach cases involving multiple jurisdictions. Organisations should also appreciate that Australians will be exposed to the new practices when dealing with European-based organisations and they may come to expect the same kind of protections from Australian entities, setting a new hurdle for trust that will apply regardless of what may be required by the less stringent Australian Privacy Principles. In short, the GDPR flags a new direction in data protection and it would be prudent for all Australian organisations to pay attention.
Resources

EU GDPR: http://www.eugdpr.org/
Office of the Australian Information Commissioner: https://oaic.gov.au/media-andspeeches/news/general-data-protection-regulation-guidance-for-australian-businesses

27 July 2017

About the Author

Jodie Siganto PhD CISSP

Jodie graduated as a lawyer and after 8 years in private practice became in-house counsel for computer companies Tandem, Unisys Asia and Dell Financial Services. In 2000, she co-founded Bridge Point Communications, where she worked in security management consultancy. Jodie has led IT Security Training Australia, a local training organisation, since 2010. For IT Security Training Australia, Jodie develops and delivers training directed at the intersection of technology, security and the law. Some of her courses include: Privacy and confidentiality law in Australia; Cloud computing contracts: Legal, privacy and security issues; ISO 27001 Information Security Management System: Overview; and Privacy Impact Assessment Workshop. Completing a PhD at QUT in 2015, Jodie is a keen researcher into privacy and information security issues, contributing to a range of projects including the Cyber Security Cartographies study with colleagues from Royal Holloway University of London and more recently to the AISA Cyber Security Skills Shortage report.

How can we help?

Join one of our webinars: What the new EU GDPR means for Australian organisations
Attend a workshop: Security incident response workshop
Consulting services: Have us review your privacy system to assess compliance with the EU GDPR.

Contact Us
P: 1300 41 20 50
E: enquiries@ringrosesiganto.com.au
W: www.itsecuritytraining.com.au or www.ringrosesiganto.com.au

Disclaimer
Ringrose Siganto publications and communications constitute commentary and are for general information only. They should not be relied upon as legal advice. Formal legal advice should be sought for specific issues concerning this material. Listed authors are not admitted to practice in all Australian States and Territories.