
EU – GDPR fallout in Australia


On 25 May 2018 the EU General Data Protection Regulation [GDPR] came into effect. The GDPR is the EU equivalent of the Australian Privacy Act 1988 (Cth) and the APPs; however, compared with the requirements of the Privacy Act and the APPs, the GDPR is a sledgehammer approach where Australia’s legislation is the ‘tap and go’ equivalent.

Many Australian businesses will be affected by the GDPR and compliance is not a simple matter.

Territorial scope of the GDPR

Article 3 of the GDPR identifies and addresses the territorial scope of the GDPR, that is, its reach outside the EU. The Article itself is detailed; however, the Office of the Australian Information Commissioner (OAIC) has a simplified explanation of who may be affected:

  • an Australian business with an office in the EU, or

  • an Australian business whose website enables EU customers to order goods or services in a European language (other than English) or enables payment in Euros, or

  • an Australian business whose website mentions customers or users in the EU, or

  • an Australian business that tracks individuals in the EU on the internet and uses data processing techniques to profile individuals to analyse and predict personal preferences, behaviours and attitudes.



The GDPR is about personal data, whereas in Australia, it’s about personal information.

Australia is pretty straightforward


In Australia, ‘personal information’ means information relating to an identifiable or natural person [data subject] who can be identified [directly or indirectly] through information such as a name, an identification number, location data, an online identifier, or one or more factors specific to the physical, psychological, genetic, mental, economic, cultural or social identity of that natural person.


The EU is pretty complex


In the EU, personal data applies to a natural or legal person [such as a company] that is either a:


  • controller, who generally determines the personal data processing needs of the collected information, and a

  • processor, who processes/manipulates data either manually or automatically, including collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.


There is no business-size threshold under the GDPR as there is under the Australian Privacy Act [AU$3 million].




Many of the obligations imposed by the GDPR are more extensive than, or different from, those of the Privacy Act, and it is not possible for an entity that is required to comply with the GDPR to rely solely on the measures it has taken to comply with the Australian Privacy Principles (APPs).

Although all aspects of the GDPR must be observed in accordance with business needs, take note of the following key issues:


Article 5 Principles of processing


  • Lawfulness, fairness and transparency

  • Purpose limitation

  • Data minimisation

  • Accuracy

  • Storage limitation

  • Integrity and confidentiality


Article 6 Lawful processing: consent


The data subject has given consent to the processing of his or her personal data for one or more specific purposes.


Articles 17, 20 & 21 Individual rights: erasure/portability/objection


The GDPR contains rights of individuals which generally have no equivalent in the Privacy Act. These are:


  • Erasure of data [A17]

  • Portability of data [A20]

  • Objection to processing of data [A21]


Article 3.2 [+ 27] Appointment of EU representatives


An affected organisation must have in place a designated representative in the EU with the authority to be addressed by supervisory authorities in all matters relating to the GDPR. However, this does not apply to processing which is occasional, does not include large-scale processing of special categories of data or of personal data relating to criminal convictions and offences, and is unlikely to result in a risk to the rights and freedoms of natural persons, taking into account the nature, context, scope and purposes of the processing.


Article 33 Mandatory data breach notification


Similar to the APP scheme: the organisation must, without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify a personal data breach to the (competent) supervisory authority … unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.