Snapshot
- The General Data Protection Regulation is the biggest reform of data privacy laws in 20 years.
- It is an EU privacy law, but it will have extraterritorial reach, meaning Australian organisations will need to be ready for its commencement on 25 May 2018.
- Australian organisations will need to prepare for tougher rules when relying on ‘consent’ as the basis to use or disclose personal information; novel privacy rights for the individual; and management accountability for failures to take a proactive approach to data protection.
The General Data Protection Regulation (‘GDPR’) is intended to replace, update and harmonise the privacy laws across the 28 European Union (‘EU’) member states, including the UK, even post-Brexit. It will have deliberate reach well beyond Europe and will significantly increase penalties for breaches of privacy rules, with a right to judicial remedies including compensation for victims, and administrative fines of up to €20 million or 4 per cent of annual global turnover, whichever is the greater. It will also introduce administrative fines for failures of management responsibilities, of up to €10 million or 2 per cent of annual global turnover, whichever is the greater.
While the GDPR uses the language of ‘data protection’, laws in other countries including Australia use the language of ‘privacy’ to mean the same thing. Data protection law is much broader in scope than simply protecting data in an information security sense.