With the continuing uncertainty following the UK general election result, it will be interesting to see the new government's approach to Brexit and its future stance on European Union (EU) regulatory requirements, particularly in the areas of privacy and cyber-security. Cyber-security was, understandably, much heralded during the Conservatives' election campaign over the last few months. Given recent events, one would be forgiven for anticipating that the UK is poised to take a much harder line on its privacy and cyber strategy more generally.
What is nonetheless clear is that regulators around the world are, and will be, taking a much closer look at rules on the protection of personal data and the security of their citizens' information. The arrival of the new and demanding General Data Protection Regulation (GDPR) regime in Europe, the recent 'protectionist' PRC Cybersecurity Law that took effect in China on 1 June 2017, anticipated changes to Singapore's data privacy regime, as well as rumblings from other Asia-Pacific countries in this area, all confirm that these are issues on which national regulators are sitting up and taking action. Recent cyber events, including the much-reported 'WannaCry' ransomware attack, add to global concern in this area.
While Australia has traditionally adopted a more transparent and conciliatory approach to privacy and security, this position is likely to face challenge now in light of international developments in this area. The long-awaited Privacy Amendment (Notifiable Data Breaches) Act 2017 (NDB), passed in February 2017 and introducing a mandatory data breach notification scheme that commences no later than February 2018, as well as the Government's budget confirmation of the new data sharing and release law recommended by the Productivity Commission, go some way to support Australia's renewed focus in this area.
The Office of the Australian Information Commissioner (OAIC) has also recently released its updated resource, General Data Protection Regulation Guidance for Australian Businesses (the Guide), which confirms that Australian businesses should, as a matter of priority, review the extent of their compliance obligations under the GDPR and take steps now to ensure their information handling practices comply before the GDPR applies from 25 May 2018. At a conference hosted last month by the OAIC, the Privacy Commissioner, Timothy Pilgrim, expressly underlined the importance of the GDPR for Australian businesses and advised that the OAIC will be taking a closer look at compliance in this area.
Therefore, to the extent that an Australian company handles or processes the personal data of individuals in the EU in the course of its operations, and that processing falls within the extra-territorial reach of the GDPR (as described further in our blog post, see link below), the company will be required to comply with the onerous requirements of the GDPR and may be subject to its sanctions.
The Guide confirms that Australian businesses "of any size" may need to comply with the GDPR if they have an establishment in the EU, if they offer goods or services to individuals in the EU, or if they monitor the behaviour of individuals in the EU.
The Guide helpfully compares the GDPR and the Privacy Act 1988 (Cth) principles in an easy-to-read comparison table. Certain similarities are highlighted: both laws share a focus on fostering transparent information handling practices and business accountability, to give individuals confidence that their privacy is being protected.
However, there are notable differences in the GDPR. In addition to its many broadly defined terms and the wide scope of "personal data", it provides enhanced rights for individuals over their data, data portability obligations, a right "to be forgotten", stricter consent requirements and a requirement to notify the supervisory authority of certain data breaches within 72 hours, not to mention substantial fines and sanctions.
While some Australian businesses may already have certain measures in place that will be required under the GDPR, the Guide recommends that all organisations should begin taking steps to evaluate their information handling practices and governance structures, seeking legal advice where necessary, to implement the necessary changes well before commencement of the GDPR.
We have yet to see the full impact that the GDPR will have on non-EU businesses and there are of course practical implications and questions around enforceability of its extra-territorial obligations.
Nonetheless, for market-leading global organisations operating in Australia that process EU personal data, a review of your privacy compliance obligations under the GDPR will be warranted to minimise the risk of exposure to significant fines for breach and to ensure your reputation and brand remain protected.
As the Privacy Commissioner has confirmed, privacy and data protection is an area that is likely to see further change in the coming years for Australian companies. It is also an area where organisations can get ahead of the game by applying additional measures under the GDPR (even where not mandatory) to enhance privacy practices, build consumer trust and ensure consistent internal privacy practices, procedures and systems across all business units.
Please see our blog post for more information on the GDPR's implications for Australian organisations and on this Guide.