Request a Proposal

Latest News

A Simple Comparison: GDPR vs. Privacy Act 1988 in Australia

05 February 2018

 

Background

GDPR 

After four years of preparation and debate the GDPR was finally approved by the EU Parliament on 14 April 2016. It will enter in force 20 days after its publication in the EU Official Journal and will be directly application in all members states two years after this date. Enforcement date: 25 May 2018 - at which time those organisations will be required to comply and if non-compliance is detected then enforcement actions such as financial penalties can be applied. 

 

Privacy Act 1988 in Australia 

The Australian Privacy Principles (APPs) in schedule 1 of the Privacy Act, outline how most Australian Government agencies, all private sector and not-for-profit organisations with an annual turnover of more than $3 million, all private health service providers and some small businesses (collectively called ‘APP entities’) must handle, use and manage personal information.

 

Key Facts


  • The European Union General Data Protection Regulation (the GDPR) contains new data protection requirements that will apply from 25 May 2018.
  • Australian businesses of any size may need to comply if they have an establishment in the EU, if they offer goods and services in the EU, or if they monitor the behaviour of individuals in the EU.
  • The GDPR and the Australian Privacy Act 1988 share many common requirements, including to:

        - implement a privacy by design approach to compliance

        - be able to demonstrate compliance with privacy principles and obligations 

        - adopt transparent information handling practices.

  • There are also some notable differences, including certain rights of individuals (such as the ‘right to be forgotten’) which do not have an equivalent right under the Privacy Act.
  • Australian businesses should determine whether they need to comply with the GDPR and if so, take steps now to ensure their personal data handling practices comply with the GDPR before commencement.

 

GDPR vs. Australian Privacy Act

 

 

 

EU GDPR

AUSTRALIAN PRIVACY ACT

Who does this apply to?

Data processing activities of businesses, regardless of size, that are data processors or controllers

Most Australian Government agencies, all private sector and not-for-profit organisations with an annual turnover of more than $3 million, all private health service providers and some small businesses.

What does it apply to?

Personal data – any information relating to an identified or identifiable natural person: Art 4(1)

Personal information (PI) – information or an opinion about an identified individual, or an individual who is reasonably identifiable: s 6(1)

Jurisdictional link

Applies to data processors or controllers:

  • with an establishment in the EU, or
  • outside the EU, that offer goods or services to individuals in the EU or monitor the behaviour of individuals in the EU: Art 3

Applies to businesses:

  • incorporated in Australia, or
  • that ‘carry on a business’ in Australia and collect PI from Australia or hold PI in Australia: s 5B

Accountability and governance

Controllers generally must:

  • implement appropriate technical and organisational measures to demonstrate GDPR compliance and build in privacy by default and design: Arts 5, 24, 25
  • undertake compulsory data protection impact assessments: Art 35
  • appoint data protection officers: Art 37

APP entities must take reasonable steps to implement practices, procedures and systems to ensure compliance with the APPs and to enable complaints: APP 1.2

 

Businesses are expected to appoint key roles and responsibilities for privacy management and to conduct privacy impact assessments for many new and updated projects

Consent

Consent must be:

  • freely given, specific and informed, and
  • an unambiguous indication of the data subject's wishes which, by a statement or by a clear affirmative action, signifies agreement to processing: Art 4(11)

Key elements:

  • the individual is adequately informed before giving consent, and has the capacity to understand and communicate consent
  • the consent is given voluntarily
  • the consent is current and specific: OAIC’s APP GLs

Data Breach notifications

Mandatory DBNs by controllers and processors (exceptions apply): Arts 33-34

From 22 February 2018, mandatory reporting for breaches likely to result in real risk of serious harm

Individual rights

Individual rights include:

  • right to erasure: Art 17
  • right to data portability: Art 20
  • right to object: Art 21

No equivalents to these rights. However, business must take reasonable steps to destroy or de-identify PI that is no longer needed for a permitted purpose: APP 11.2. Where access is given to an individual’s PI, it must generally be given in the manner requested: APP 12.5

Overseas transfers

Personal data may be transferred outside the EU in limited circumstances including:

  • to countries that provide an ‘adequate’ level of data protection
  • where ‘standard data protection clauses’ or ‘binding corporate rules’ apply
  • approved codes of conduct or certification in place: Chp V

Before disclosing PI overseas, a business must take reasonable steps to ensure that the recipient does not breach the APPs in relation to the information: APP 8 (exceptions apply). The entity is accountable for a breach of the APPs by the overseas recipient in relation to the information: s 16C (exceptions apply)

Sanctions

Administrative fines of up to €20 million or 4% of annual worldwide turnover (whichever is higher): Art 83

Powers to work with entities to facilitate compliance and best practice, and investigative and enforcement powers: Parts IV and V

 

 

Where can I get more information?

 

The following resources may assist Australian businesses to assess whether they are covered by the GDPR and the steps to be taken to comply:

  • Article 29 working group (from 25 May 2018, the European Data Protection Board) GDPR guidance (to be published soon)

 

 

bf806e3b-1473-43a5-8a76-c997f2b8c582-1.jpeg