How Does the GDPR Differ From Australian Privacy Law?
Understanding the differences between GDPR and Australian Privacy Law is important for Australian businesses. Read about them here.
The Australian Privacy Principles (APPs), which form part of the Privacy Act 1998 (Cth) (‘Privacy Act’), regulate how personal information can be collected and used within Australia. Similarly, the European Union’s (EU) General Data Protection Regulation (GDPR) was introduced for the same reason, but within the EU. The GDPR principles will affect many Australian businesses, especially those that are internationally focused. Therefore, it is important that you understand the differences between the GDPR and Australian Privacy Law, as you may unintentionally contravene some of the principles. This article will outline the differences between the two laws, so that you can ensure you’re in compliance with them.
Application of GDPR and APPs to businesses
The GDPR applies to data processing activities of businesses that are ‘data processors’ or ‘controllers’:
- With an establishment in the EU; or
- Outside the EU, that offer goods and/or services to individuals in the EU or monitor the behaviour of individuals in the EU
According to Article 4 of the GDPR, a ‘controller’ determines how and why personal data is processed, and a ‘processor’ processes data on behalf of the controller. Simply put, a data processor (or controller) is a business that decides to collect information and has a connection to the EU.
Some examples of Australian businesses that may be covered include:
- Australian businesses with an office in the EU
Australian Privacy Act
The APPs in schedule 1 of the Privacy Act apply to:
- Australian Government agencies;
- all private sector and not-for-profit organisations with an annual revenue of more than $3 million;
- health service providers; and
- some small businesses
It is important that you understand whether your business needs to comply with the GDPR, because sometimes, a small business that may not need to comply with APPs may still need to adhere to the GDPR.
The Types of Regulated Information
The GDPR applies to ‘personal data’, which means ‘any information relating to an identified or identifiable natural person’. Some examples of ‘personal data’ include a name, location data, and any factors specific to that natural person.
Under the Privacy Act, businesses or organisations that collect ‘personal information’ are subject to the APPs and regulations. This has been defined to mean ‘information or opinion about an identified individual, or an individual who is reasonably identifiable’.
While the two terms appear similar, they have been interpreted quite differently. Under the GDPR, ‘personal data’ has been broadly interpreted to include other types of information that may not be regulated under Australian law, such as tracking cookies.
There are slight differences in the way consent for the collection of personal data/or information can be given under the GDPR and APPs. It is important that you understand what these differences are, so that you know whether you have or have not validly gained the consent of others to collect such information in the running of your business.
Article 4(11) of the GDPR states ‘consent’ must be:
- freely given
- an unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing
Thus, businesses (data processors or controllers) need to be able to demonstrate that the person has consented to the collection of their personal data. Requests for a person’s consent via a written document must also be easily accessible by that person and written in clear and plain language.
In Australia, consent to the collection of personal information can be either express consent or implied consent. This is different to the GDPR as it does not refer to express or implied consent. Furthermore, the GDPR requires businesses to clearly demonstrate consent has been given by the person. Therefore, Australian businesses covered by the GDPR may want to standardise their consent processes to ensure consistent privacy practices.
New Requirements in the GDPR
The APPs does not reflect thenNew rights for individuals under the GDPR. For instance, these include the right to:
- the erasure of personal data
- object at any time the processing of an individual’s personal data
- data portability
Erasure of Personal Data
Under the erasure right, a person can ask a business to erase their personal data in certain situations where:
- The information is no longer needed for the purpose it was originally collected for; or
- The individual withdraws their consent
Objecting the Processing of Collected Data
A person is able to object at any time to the processing of their personal data. Note that this right applies to only certain types of processing, such as where the reason for processing is for legitimate business interests or direct marketing.
A person can ask for their personal data to be held by a business in a structured, commonly used, machine-readable format. It also gives a person the right to transmit that data to another business.
Comparison with APPs
There appears to be no equivalent rights under the Privacy Act. However, businesses have to take reasonable steps to destroy or de-identify personal information where they are no longer needed for a specific purpose. The APPs also allows a person the right to request access to and correction of their personal information. If the business does provide the person with access to their personal information, then the information must be given in the manner requested by them.
Data Breach Notifications
The GDPR provides a time frame for when breaches should be notified to authorities. Data breaches that will likely result in a high risk to the rights and freedoms of the individual, should be notified within 72 hours of becoming aware of the breach, to:
- the affected individual; and
- the relevant supervisory authorities in the country of the affected person
Contrastingly, the APPs requires APP entities to notify the Australian Information Commissioner of all eligible data breaches as soon as practicable after they are aware of it. Here, an eligible data breach is a breach likely to result in serious harm to a person to whom the information relates.
Lola is a Legal Tech Intern at Lawpath as part of the Content Team. She is in her final year of a Bachelor of Laws and Bachelor of International Studies (Major in China) at the University of Technology Sydney. She is interested in understanding the future of law and innovations in the legal industry.