19 Aug
The scope of businesses that the GDPR covers is greater than you may think
The European Union General Data Protection Regulation (GDPR) contains new data protection requirements that have been in effect since 25 May 2018.
Australian businesses will need to comply with the GDPR if they:
- have operations in the European Union (EU);
- offer goods and services in the EU; or
- monitor the behaviour of individuals in the EU.
‘Monitoring behaviour’ covers, in particular, tracking individuals online (for example to profile them or predict their preferences), but more broadly any ‘processing’ of personal data, that is, collecting, recording, organising, storing or performing any other operation on it, in respect of an individual who is in the EU (regardless of citizenship) can bring a business within scope. ‘Personal data’ may include names, addresses, email addresses, location data and IP addresses, whether obtained directly from the individual or indirectly.
Which Australian businesses are impacted?
Merely enabling users on your website to order goods or services in a European language (other than English) or enabling payment in Euros may indicate that you are offering goods or services in the EU and so attract GDPR compliance. Even mentioning EU customers or users on your business’ website may be enough.
Businesses may face administrative fines of up to €20 million, or 4% of worldwide annual turnover, whichever is higher, for non-compliance.
Australian businesses that have an annual turnover of more than $3 million may also need to comply (or continue to comply) with the Privacy Act 1988 (Cth) (Australian Privacy Act).
In this scenario, compliance with the Australian Privacy Act will be in addition to any obligations under the GDPR. Despite similarities between the Australian Privacy Act and the GDPR, the GDPR is more onerous for businesses that fall within its scope. Such businesses are required to give individuals increased rights (such as the right to erasure of the personal data the business holds about them) and are subject to new requirements (such as stricter conditions for obtaining customers’ consent).
The Office of the Australian Information Commissioner released a paper outlining in detail the impact and terms under the GDPR.
Early trends under the GDPR
The GDPR has had a significant impact on organisations by changing the way they operate. It has forced organisations to seek consent from users before using their data and to ask them to opt in to continue receiving emails. This resulted in many companies frantically trying to adhere to the regulation prior to the 25 May deadline.
In the meantime, the GDPR has had a more tangible effect, with a number of organisations reporting decreased usage and revenue. Facebook CFO David Wehner recently stated that “MAU and DAU in Europe were both down slightly quarter-over-quarter due to the GDPR roll-out” [MAU and DAU being monthly and daily active users], which equates to a decline of about one million monthly users.
While no fines have yet been handed down, many businesses are still in the process of ensuring compliance with the regulation and will no doubt sooner or later attract the attention of regulators.
This article was written by Commercial Senior Associate, Josh Kaplan and Clerks, Michael Termine and Olly Gagiero.
DISCLAIMER: We accept no responsibility for any action taken after reading this article. It is intended as a guide only and is not a substitute for the expert legal advice you can get from marshalls+dent+wilmoth and other relevant experts.