European Privacy Law Compliance

8Feb

Australian Businesses and European Privacy Law

by Fabian Hoffmann Commercial Law

Picture of a legal document, the European Privacy Law Compliance for Australian Companies

European Privacy Law Compliance for Australian Business

Why would an Australian firm need to achieve European Privacy Law Compliance? The General Data Protection Regulation (GDPR) is the European Union’s overarching privacy law. It imposes strict obligations on organisations that handle the personal data of EU citizens. The privacy rights under the GDPR attach to the EU citizens’ data and apply anywhere in the world. This means, that if your business holds/processes the personal information of EU citizens, you are subject to the GDPR. You must take steps to comply with its obligations or risk significant fines.

[D]ata protection must be considered in the design and implementation of any new product or activity.

The GDPR came into effect in 2018 and introduced stringent privacy obligations on all businesses dealing with EU citizens’ data. The GDPR requires companies to consider data protection “by default and by design” in everything an organisation does. In practice, this means that Companies must consider data protection in the design and implementation of any new product or activity.

Seven principles to achieve European Privacy Law Compliance

Anyone who handles data must do so according to seven principles to achieve European Privacy Law Compliance:

Lawfulness, fairness, and transparency — Processing must be lawful, fair, and transparent to the data subject.
Purpose limitation — Companies must process Data for the legitimate purposes specified explicitly to the data subject.
Data minimization — A company must only collect and process as much data as absolutely necessary for the purposes specified.
Accuracy — A company must keep Personal data accurate and up to date.
Storage limitation — A company must only store Personally identifying data for as long as necessary for the specified purpose.
Integrity and confidentiality — A company must process data in such a way as to ensure appropriate security, integrity, and confidentiality (e.g. by using encryption).
Accountability — The data controller is responsible for demonstrating compliance with all these principles.

The principle of accountability requires that data controllers be able to show positive steps they have taken to be Compliant.

Businesses need a lawful basis to process a person’s data under the GDPR. The simplest basis is consent, which must be specific and unambiguous. In most cases, express consent is the best basis for processing a person’s data.

Once a company has determined the lawful basis for data processing, it must document the basis, and the company must notify the data subject. If there are Changes to the basis, it requires a good reason. The Company must document the Reason, and it must notify the data subject again.

Storage of collected Data

The GDPR also introduced the concept of “data portability”. The company must store personal data so it can share the data in a way the user can understand. Data portability also requires data controllers to send relevant data to a third party if the data subject requests it. This is the case even if the third party is the controller’s competitor.

Firms must handle data securely by implementing “appropriate technical and organisational measures”. Technical measures include two-factor authentication and end-to-end encryption. Organisational measures might mean training staff to handle personal data or implementing a data privacy policy.

Firms must handle data securely by implementing “appropriate technical and organisational measures”.

The Legal Requirements

The following articles of the GDPR impose specific requirements on data-controlling firms:

Article 12 – Transparency and communication: data processing must be explained in a “concise, transparent, intelligible and easily accessible form, using clear and plain language”. Firms must also make it easy for data subjects to make requests (e.g., a right to erasure request) and respond to those requests quickly and adequately.
Articles 13 and 14 – When collecting personal data: when a firm collects personal data it must provide the data subject with information, including the identity of the data controller and their contact details, the purposes for which the data are being collected, the length of time the data will be retained and their right to lodge a complaint with a supervisory data authority.
Article 15 – Right of access: data subjects have the right to know how and why their data are being processed, as well as a right to access the data that firms hold about them.
Article 16 – Accuracy: data subjects have the right to correct inaccurate or incomplete personal data held about them.
Article 17 – Right to erasure: also known as the “right to be forgotten”, data subjects have the right to request that firms erase the data held about them.
Article 18 – Right to restrict processing: data subjects can also request that a firm temporarily change the way they process the subject’s data if they believe the information is inaccurate, being used illegally, or is no longer needed for the purposes claimed by the firm.
Article 21 – Right to object: data subjects have the right to object to a firm processing their data.

Recommended Steps

To demonstrate European Privacy Law Compliance a data controller could, for example:

Maintain detailed documentation and record what data is collected
Have Data Processing Agreement contracts with any third parties they’ve contracted to process data
Add a form for customers to make a “right to erasure” request on their website
Provide the information GDPR Articles 13 and 14 require on the screen where customers consent to the collection of their personal data
Update their privacy policies to reflect current best practices around the use of cookies, the right to object to processing and information about third parties who may access personal data for marketing purposes