Differences Between the EU General Data Protection Regulation (GDPR) and the Australian Privacy Principles (APPs)

The popularity of online businesses has led to the rise in the collection, use and monetisation of personal information and data. The Australian Privacy Principles (APPs), which form part of the Privacy Act 1998 (Cth), govern the collection of personal information. The European Union’s (EU) General Data Protection Regulation (GDPR) also regulates the collection and use of information about customers. The introduction of the GDPR in May 2018 will affect many Australian businesses, especially the way they deal with information they collect about customers. This article outlines the main differences between the APPs and the GDPR to help your business comply with these new rules. 

Businesses Affected by the APPs and GDPR

The APPs apply to APP entities. APP entities include:

  • government agencies;
  • private sector entities and not-for-profits with revenue of greater than $3 million;
  • health service providers; and
  • some small businesses, including those that have opted in to be bound by the APPs.

The GDPR applies to:

  • all businesses established in the EU;
  • any business that supplies goods or services to EU residents in a targeted way; and
  • businesses that monitor the behaviour or activity of EU residents using their personal data.

For example, if your website is available worldwide and uses cookies to track browsers’ behaviour using their personal data, you need to comply with the GDPR. The size of your business is irrelevant.

If your business is compliant with the APPs, it is likely to already comply with the majority of the GDPR. You may only require minor tweaks to your business operations to completely adhere to the GDPR. However, if you are a small business that does not need to comply with the APPs, you may still need to adhere to the GDPR. Below, we address the differences between the APPs and the GDPR.

Terminology

The APPs refer to ‘personal information’ whereas the GDPR refers to ‘personal data’. There are minor differences between the two. Personal information under the APPs is information or an opinion about an identified individual, or an individual who is reasonably identifiable.

The GDPR defines personal data as any information relating to an identified or identifiable natural person. 

Under the APPs, an individual must consent to the collection of their personal information. The consent can be either express or implied. The GDPR does not refer to consent being express or implied. However, it states that a data processor (a business that decides to collect information) must demonstrate that a person has given consent to the collection of their information. If the data processor asks for consent via a written document, they must do so directly, using clear and plain language.

In Australia, filling in a web form may pass as implied consent to the collection of personal information. In contrast, the GDPR requires businesses to clearly demonstrate that a person has given consent.

Tip: Getting customers to click a ‘tick to accept’ box next to the statement “I consent to the collection of my personal data under this Privacy Policy” ensures compliance with the consent requirement of the GDPR.

New Rights

The APPs do not reflect some of the new consumer rights in the GDPR. These new rights include a right to:

  • the erasure of your personal data;
  • data portability; and
  • object to the processing of your personal data.

Erasure

Under the erasure right, a person can ask a business to erase their personal data in certain situations, such as where:

  • the business no longer requires the personal data for the purpose of initial collection;
  • the person withdraws consent to the processing of their data; or
  • there was a wrongful collection of the personal data.

The right to erasure is also known as the ‘right to be forgotten’, which it expands upon.

Portability

The right to portability gives a person the right to ask for their personal data to be held by a data processor in a structured, commonly used and machine-readable format. It also gives a person the right to transmit their personal data to another business without any hindrance from the business they originally provided their data to.

Objecting to the Processing of Your Data

Finally, a person can object, at any time, to the processing of their personal data.

The APPs do not include similar rights, but state that businesses must take reasonable steps to destroy or de-identify personal information that they no longer need for a specific purpose. Additionally, where a business provides an individual with access to their personal information, the business must provide the information in the manner the individual requests.

Tip: Automatically store personal information in a format that is easy for you to extract and provide to a customer upon request. Set up automatic notifications where customers can let you know if they wish to withdraw their consent.

Data Breach Notifications

Australia has only recently introduced rules regarding data breach notifications under the Notifiable Data Breaches Scheme. The new scheme requires that APP entities inform the Australian Information Commissioner of all eligible data breaches. An eligible data breach is a breach likely to result in serious harm to the person to whom the information relates. In certain circumstances, the APP entity must inform the Commissioner as soon as practicable after they become aware of the breach.

In contrast, the GDPR provides a definite time frame for notifying authorities of a breach. Where a data breach is likely to pose a high risk to the rights and freedoms of individuals, the business must notify:

  • the relevant supervisory authority in the country of the affected EU resident; and
  • the individual.

They must do so within 72 hours of becoming aware of the breach.

Tip: Ensure you have industry-standard, or better, security measures in place to prevent data breaches. Prepare a data breach plan so your business is ready if a breach occurs. That way, you can contain the damage and limit the effect of a data breach.

Key Takeaways

The GDPR introduces many changes that may require you to tweak your operations to ensure compliance. Australian businesses complying with the APPs meet most of the GDPR requirements. However, small businesses that do not need to comply with the APPs may still need to abide by the GDPR.

If the GDPR affects your business, our experienced data, privacy and IT lawyers can assist as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents. Call us today on 1300 544 755 or visit our membership page.

Chloe Sevil