The European General Data Protection Regulation (GDPR) will come into effect on 25 May 2018 and will apply to all entities that process the personal data of individuals residing within the European Union (EU).
Australian entities will fall within the scope of the GDPR where they:
- Offer goods or services to individuals located in the EU (regardless of whether or not the entity has an establishment in the EU);
- Have an establishment in the EU; or
- Monitor the behaviour of individuals within the EU.
What is meant by “offering goods or services to individuals in the European Union”?
The Office of the Australian Information Commissioner (OAIC) has provided examples of where Australian entities may fall within the GDPR. Examples include but are not limited to:
- Having an office in the EU;
- Having a website which targets EU customers e.g. having a website which enables customers to order goods or services in a European language (other than English) or enabling customers to make payment in Euros;
- Having a website which mentions customers or users located within the EU.
What is personal data?
The GDPR defines personal data as “any information relating to an identified or identifiable natural person”. This definition includes different pieces of information which, when put together, can lead to the identification of an individual.
Examples of personal data include but are not limited to:
- First name and/or surname;
- Location data;
- IP address; and
- Residential address.
The European GDPR delegates to supervisory authorities the power to issue fines for contraventions of the regulation. Supervisory authorities have the power to issue fines of up to €20 million or 4% of annual worldwide turnover (whichever is greater).
The OAIC has published a business resource which provides further information on circumstances where Australian entities may fall within the scope of the GDPR, specific detail on the differences between the current Australian privacy regime and the GDPR and general information in relation to compliance with the GDPR.
For any questions in relation to the content of this post, please contact Sophie Grace.