How does the GDPR differ from the Privacy Act?
The key concepts that underpin the GDPR are broadly similar to those in the Australian Privacy Act 1988 (Cth) (Privacy Act); however, some requirements of the GDPR go above and beyond the requirements of our Privacy Act. The Office of the Australian Information Commissioner (OAIC) has confirmed that, whilst the GDPR contains similar requirements to those in the Privacy Act, organisations that are impacted by the GDPR will need to put additional compliance measures in place.
For example, the GDPR imposes more stringent obligations on organisations which include:
- Restrictions on data processing – ie. the requirement to have a 'lawful basis' under Article 6, for all processing activities they engage in, in relation to the data of EU individuals;
- Collection notices – providing EU individuals with a collection notice that includes the information prescribed in Articles 13 and 14 (which goes beyond the requirements of Australian Privacy Principle 1.4);
- Consent – obtaining a higher standard of consent from EU individuals in respect of the processing of their personal data (ie. consent must be 'freely given', 'specific' and 'informed' and not implied);
- Transfers to third parties/countries – limiting the circumstances in which an organisation can transfer personal data to a third party and to a third country (in particular where that country has not been deemed by the EU Commission as having adequate privacy protection);
- EU Representatives and Data Protection Officers – requiring organisations to appoint an EU Representative and/or Data Protection Officer (unless an exception applies);
- Record keeping and PIAs – requiring organisations to keep a record of their data processing activities (unless an exception applies) and undertake Privacy Impact Assessments in certain circumstances; and
- Mandatory data breach notification – imposing a narrower timeframe for notifying the relevant supervisory authority of a suspected data breach (ie. 72 hours) and imposing a lower threshold for when notification is required.
The GDPR also grants a number of additional rights to EU individuals in respect of their personal data, such as the 'right to be forgotten', the right to object to processing or withdraw consent, the right to data portability and the right not to be subjected to automated decision making and profiling.
The penalties for non-compliance with the GDPR are staggering compared to other jurisdictions (including Australia). Australian organisations bound by the GDPR should carefully assess the risk of enforcement against them.
Individuals are also empowered to take direct action against an organisation if they believe their rights have been infringed by non-compliance. It is also possible that action taken against an organisation by the EU authorities or an EU individual may in turn trigger a co-operative effort or separate regulatory action by the Office of the Australian Information Commissioner.
When will GDPR apply to Australian universities?
Many Australian universities are not strictly bound by the Privacy Act 1988 (Cth), although they choose to 'opt in' to its requirements as a matter of best practice.
Conversely, the GDPR applies to any Australian organisation (whether private or public sector) if they:
- have an "establishment" in the EU, and process personal data in the "context of the activities" of that "establishment"; or
- do not have an "establishment" in the EU, but:
  - handle personal data relating to EU individuals in the course of offering them goods or services; or
  - monitor the behaviour of individuals in the EU.
The GDPR may also apply to universities indirectly where they provide services to organisations that are bound by the GDPR, and those organisations seek to impose compliance obligations contractually (ie. through a data processing addendum).
Are you offering goods and services to individuals in the EU?
Broadly, an Australian organisation will be said to be offering goods and services "to individuals in the EU" if it has some intention of offering goods and services to those individuals.
The following factors are a strong indication that a business is offering goods or services to individuals in the EU and so is subject to the GDPR:
- Language – using the language of a Member State and that language is not relevant to customers in the home country.
- Currency – using the currency of a Member State, and that currency is not generally used in the home country.
- Domain name – website has a top level domain name of a Member State.
- Delivery to the Union – delivering physical goods to a Member State.
- Reference to citizens – using references to individuals in a Member State to promote the goods and services.
- Customer base – having a large proportion of customers based in the Union.
- Targeted advertising – targeting advertising at individuals in a Member State.
There are also weaker indications that goods and services are being offered to individuals in the EU, such as accepting payment using a credit card with a billing address in the EU or delivering goods and services electronically to individuals who may be located in the EU or if targeted internet.
However, the mere fact that an organisation's website is accessible in the EU or is in a language generally used in the EU, is insufficient to demonstrate the relevant intention.
In a university context, the following factors may indicate that goods and services may be being offered in the EU:
- a representative of your organisation has a physical presence in, or visits, a Member State to offer the goods or services;
- your organisation actively recruits and accepts applications from students who are located in the EU;
- your organisation employs teaching or other staff from EU countries (note that, unlike the Australian Privacy Act, there is no exemption for employee records under the GDPR);
- your organisation invites and hosts individuals from the EU at its events or conferences;
- your organisation has students participating in study-abroad programs located in the EU;
- your organisation offers distance learning to individuals located in the EU;
- your organisation conducts research utilising personal data sets from the EU;
- your organisation has ongoing contact with alumni located in the EU (eg. for fundraising requests, sending event invitations and newsletters etc.).
Are you monitoring the behaviour of people in the EU?
Article 3.2(b) extends the operation of the GDPR to organisations located outside the EU if they monitor the behaviour of people in the EU, in so far as the behaviour takes place in the EU.
Recital 34 of the GDPR (which accompanies Article 3(2)) states that:
"In order to determine whether a processing activity can be considered to monitor the behaviour of data subjects, it should be ascertained whether natural persons are tracked on the Internet including potential subsequent use of data processing techniques which consist of profiling an individual, particularly in order to take decisions concerning her or him or for analysing or predicting her or his personal preferences, behaviours and attitudes." Recital 30 further provides that "Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers [...]." (our emphasis)
'Profiling' is a defined term within the GDPR and is composed of three elements:
- it has to be an automated form of processing;
- it has to be carried out on personal data; and
- the purpose of the profiling must be to evaluate personal aspects or traits about a natural person.
The above definition suggests that where individuals in the EU are tracked and their personal data is collected and then processed by a university with an intention to analyse or predict their behaviours, preferences or attitudes, or to make decisions about them, this will amount to 'monitoring' for the purpose of Article 3.2(b). This is also the case where the data is processed by automated means. Therefore there would need to be something more than passive, incidental tracking.
Key compliance steps
- Confirm whether or when GDPR applies – investigate and confirm whether the GDPR applies – ie. because you have institutions, students, research participants or employees based in the EU, or have some means of monitoring the behaviour of individuals in the EU.
- Uplift policies and procedures – uplift your existing privacy policy and collection notices to include GDPR requirements.
- Identify lawful basis for processing – identify a lawful basis for processing personal data and, where relying on consent, ensure your organisation’s processes reflect the strict requirements for obtaining this from data subjects.
- Appoint an EU Representative and Data Protection Officer – formally assess whether an EU Representative or Data Protection Officer is required and (if so) make the necessary appointment/s.
- Update your existing data breach response plan – to ensure compliance with the timeframes and thresholds prescribed under the GDPR.
- Audit data flows and build a data processing activities register – for most universities, this will be a significant challenge given the size and structure of their organisation. However, this process will be critical to complying with other requirements of the GDPR (eg. record-keeping obligations, the principle of data minimisation, facilitating the rights of individuals and determining if consent is required for specific processing activities).
- Review third party arrangements – Universities will also need to consider GDPR in the context of their third party arrangements (eg. with research partners, business partners, outsourced service providers and student-placement organisations, to whom personal data of EU individuals is potentially transferred).
- Facilitate the rights of EU individuals – establish processes that will enable your organisation to give effect to requests from data subjects if they exercise any of their additional rights (such as the right to be forgotten or the right to have processing cease).
- Provide additional training for staff – so they understand and comply with the new requirements.