The General Data Protection Regulation (“GDPR”) commenced on 25 May 2018 after passing the European Parliament in 2016. The GDPR introduced some of the most comprehensive and far reaching privacy obligations for businesses and consumers across the globe. A main concern arising since its implementation amongst Australian businesses is whether they are subject to the privacy regime and the risks associated for non-compliance.
The GDPR adopts a ‘privacy by design’ approach to protecting the privacy and data rights of individuals in the European Union. Through this, the GDPR confers rights on individuals with respect to how their information is handled, processed and treated, and requires those who collect personal data to implement a range of measures such as informed consent requirements, data protection systems and restrictions on how information may be used in decision making.
One of the more controversial aspects of the GDPR has been its application to entities outside of the European Union. Where an entity offers goods or services to, or monitors the behaviour of, European Union citizens, the entity may be subject to the GDPR obligations – this includes entities that market or retail goods and services on websites with international availability, even if European citizens are not the primary focus of that entity.
The GDPR has a variable penalty regime, with certain violations incurring more severe penalties than others. These fines are administered by the data protection regulator in each EU country.
Penalties for less severe infringements may result in the greater of EUR 10 million or 2% of the total worldwide revenue of the intriguing entity in the prior financial year. Penalties for serious infringements may result in the greater of 20 million euro or 4% of the total worldwide revenue of the entity in the prior financial year. These infringements include those which go against the right to privacy and the right to be forgotten which is the importance of the GDPR.
Since entering into force, there have been several fines issued for breaches of the GDPR. In July 2019, the United Kingdom’s Information Commissioner’s Officer announced its intention to fine British Airways 183.39m British Pounds, the largest fine to date for an incident involving the diversion of user traffic from the British Airways website to a fraudulent site. The malicious data breach resulted in approximately 500,000 customers having their log in, credit card and booking information stolen. The Information Commissioner for the United Kingdom commented that:
“when an organisation fails to protect [personal data] from loss, damage or theft it is more than an inconvenience. That’s why the law is clear – when you are entrusted with person data you must look after it.”
Before British Airways, Google LLC held the record for the largest fine under the GDPR for its 50 million euro fine imposed by the French Data Protection Authority. Google LLC was penalised for failing to provide transparent information to data subjects via its android operating system and for having no legal basis for processing personal data for its personalised ad function. This was not the first fine imposed by the French regulator, who has already imposed fines on Bouygues Telecom, Uber, Dailymotion and Optical Centre for lack of technical measures relating to securing client data.
While the above examples are of large multi-national corporations, all entities operating into Europe and dealing with European citizens are required to comply with the GDPR. This includes the implementation of appropriate policies, internal compliance programs, and ensuring that privacy is at the forefront of all collection of personal information. It is also important to recognise that GDPR obligations are in addition to existing obligations under Australian privacy laws and the existing Australian turnover related thresholds do not prevent application to small businesses.
If you would like to understand your obligations under Australian and international privacy and data protection laws, contact the Corporate and Privacy Practice groups at Cowell Clarke.
This publication has been prepared for general guidance on matters of interest only and does not constitute professional legal advice. You should not act upon the information contained in this publication without obtaining specific professional legal advice. No representation or warranty (express or implied) is given as to the accuracy or completeness of the information contained in this publication and to the extent permitted by law, Cowell Clarke does not accept or assume any liability, responsibility or duty of care for any consequences of you or anyone else acting or refraining to act in relation on the information contained in this publication or for any decision based on it.