Australians enjoy an enhanced quality of life and share in the opportunities of a growing, globally competitive modern economy, enabled by technology
- Australian Government, 2018a
The Digital Revolution
The digital revolution is one of the defining characteristics of the 21st century – spanning Artificial Intelligence (AI), advanced robotics, Industry 4.0, the Internet, drones, Uber and smart homes. The rise in digital life is having profound implications for local, regional, national and international relations. Today there are over three billion people online – almost half of the world’s population. In 2016, the Internet-based economy reached US$4.2 trillion in the G-20 economies (Elliott and Boyd, 2019).
The Australian Government’s 2017 roadmap ‘Australia 2030: Prosperity through Innovation’ and its forthcoming digital economy strategy are some of the measures the Government is taking in response to the global digital transformations (Elliott and Boyd, 2019). The 52-page ‘Australia’s Tech Future’ document, for example, highlights the Government’s current initiatives in the areas of digital infrastructure, data, cyber security, regulation, inclusion and digital government. The document also identifies further action which should be taken to ensure Australians can ‘thrive in a global digital economy’ (Australian Government, 2018b; Nott, 2018).
The EU’s Digital Agenda for Europe, which forms one of the seven pillars of the Europe 2020 Strategy and the Single Market Strategy, has prompted the establishment of policy platforms designed to seize the benefits and counterbalance the risks of digital transformations for EU citizens (European Commission, 2019). Central to the EU’s Digital Agenda has been the EU’s General Data Protection Regulation (GDPR) which has implications for Australian businesses particularly within the context of the current negotiations on the EU-Australia ‘Free Trade Agreement’ (FTA) (Elliott and Boyd, 2019).
EU General Data Protection Regulation
On May 25, 2018, the EU’s GDPR came into effect. As an ambitious legal framework, it aims to harmonise and streamline data protection laws for all individual citizens in the EU and in the European Economic Area (EEA) (Delegation of EU to Australia, 2018; Hughes and Sutherland, 2018). The new regulation is seen by the European Commission as an essential step towards strengthening citizens’ fundamental rights in the digital age and to facilitate business by simplifying rules for companies in the digital single market. The Regulation focuses on:
- Reinforcing individuals’ rights;
- Strengthening the EU internal market;
- Ensuring stronger enforcement of the rules;
- Streamlining international transfers of personal data; and,
- Setting global protection standards (Australian Government, 2019b).
The EU GDPR applies to data ‘processors’ and ‘controllers’ with an establishment in the EU, or to ‘processors’ and ‘controllers’ outside the EU where their processing activities involve the offering of services to individuals in the EU or monitoring the behaviour of individuals in the EU. By introducing clear and uniform data protection laws, EU officials contend that the GDPR is intended to build legal certainty for businesses and to increase consumer trust in online services (Hughes and Sutherland, 2018).
Australian businesses and EU General Data Protection Regulation
Australians are confident that their quality of life is enhanced, and businesses benefit from more effective, efficient and responsible use of data
- Australian Government, 2018a
Australian businesses are not exempt from the ramifications of the EU GDPR. Although some businesses may be covered by the Australian Privacy Act 1988, they may nonetheless be required to comply with the GDPR if they:
- Have an establishment in the EU (irrespective of whether they process personal data in the EU); or,
- Do not have an establishment in the EU but offer goods and services or monitor the behaviour of individuals in the EU (Australian Government, 2018a).
EU GDPR and Australian Privacy Act
The Australian Privacy Principles (APPs) outline how most Australian Government agencies, all private sector and not-for-profit organisations with an annual turnover of more than AUD$3 million, all private health service providers and some small businesses must handle, use and manage personal information (Australian Government, 2019a). While the GDPR and the Australian Privacy Act 1988 share common requirements, such as fostering transparent information handling practices and business accountability to give individuals confidence that their privacy is being protected (Australian Government, 2016), there are notable differences between the two laws (El-Atm and Barnes, 2018). The key difference between the GDPR and most other national privacy laws, such as the ‘Australian Privacy Principles’ (the APPs), is that the GDPR applies not only to businesses located within the geographical territory of the EU, but also to all businesses worldwide which collect the data of individuals based in the EU. It broadens the territorial scope of data protection rules, as it applies to:
- Organisations: data controllers and their processors with an establishment in an EU Member State, for processing in the context of activities of that establishment;
- Organisations not established in the EU, but which offer goods and services on the EU market, or monitor the behaviour of EU residents;
- Data controllers and processors not established in the EU but operating in contexts in which EU Member States law applies, as stipulated by public international law (Delegation of EU to Australia, 2019).
Under the GDPR, additional protections apply to the processing of ‘special categories’ of personal data. This includes personal data revealing an individual’s ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation (Article 9) (Australian Government, 2018b).
The GDPR therefore applies not only to stakeholders located within the EU, but also to companies and/or public authorities that process and hold personal data of EU citizens, even if the entity is based outside of the EU. Drake-Brockman and Messerlin (2018, p.215) note how the new GDPR is not territorially limited to within Europe. It explicitly prohibits, at the outset, international transfers of personal information to any country outside the EU. Australian exporters must comply with EU laws by collecting explicit consent from each European citizen or by using certain legal instruments (e.g. binding corporate rules or model constructs) (Drake-Brockman and Messerlin 2018, p.215).
The key GDPR requirements include:
1) Lawful, fair and transparent processing;
2) Limitation of purpose, data and storage;
3) Data and subject rights;
5) Personal data breaches;
6) Privacy by Design;
7) Data Protection Impact Assessment;
8) Data transfers;
9) Data Protection Officer;
10) Awareness and training (Voigt and von dem Bussche, 2017).
The penalties associated with failing to comply with the new requirements are fines of up to €19.68 million (AUD $31.4) or four per cent of the company’s total worldwide annual turnover. The GDPR clearly applies to Australian businesses that sell goods or services directly to customers in the EU and collect personal information from them. Some Australian companies that do not fall directly under the scope of the GDPR may have clients, partners or corporate customers that must fulfil direct obligations; the main challenge for these Australian businesses will be to comply with the new contrasting arrangements that their partners and corporate customers may ask them to sign (de Orte Julvez, 2018).
The Australia-EU FTA will undoubtedly increase digital trade and provide a more comprehensive platform for deeper ICT cooperation by promoting more effective e-commerce and cross-border data flows between both regions.
Dr Sophie Di Francesco-Mayot
RMIT EU Centre of Excellence
Australian Government 2019a, The Privacy Act, Office of the Australian Information Commissioner, viewed 25 July 2019, retrieved: <https://www.oaic.gov.au/privacy/the-privacy-act/>.
Australian Government 2019b, Services & Digital Trade, Department of Foreign Affairs and Trade, viewed 3 July 2019, retrieved: <https://dfat.gov.au/trade/services-and-digital-trade/Pages/e-commerce-and-digital-trade.aspx>.
Australian Government 2018a, Australia’s Tech Future: Delivering a strong, safe and inclusive digital economy, Australia’s Tech Future, Canberra.
Australian Government 2018b, Australian business and the EU General Data Protection Regulation, Office of the Australian Information Commissioner, Canberra.
Australian Government 2016, Australian businesses and the EU General Data Protection Regulation, Australian Government: Office of the Australian Information Commissioner, Canberra.
De Orte Julvez, I. 2018, The GDPR and Australia: Implications and Opportunities for Businesses, Australian Institute for International Affairs, viewed 3 July 2019, retrieved: <https://www.internationalaffairs.org.au/australianoutlook/the-gpdr-and-australia-implications-and-opportunities-for-businesses/>.
Delegation of the EU to Australia 2018, The new General Data Protection Regulation (GDPR): What does it mean for you?, viewed 2 July 2019, retrieved: <https://eeas.europa.eu/delegations/australia/46895/new-general-data-protection-regulation-gdpr-what-does-it-mean-you_en>.
Drake-Brockman, J., Messerlin, P. 2018, The Potential Benefits of an Australia-EU Free Trade Agreement: Key Issues and Options, University of Adelaide Press, Adelaide.
El-Atm, S. & Barnes, R. 2018, GDPR: What it means for European Businesses, August, viewed 23 July 2019, retrieved: <https://www.august.com.au/blog/gdpr-what-it-means-for-australian-businesses/>.
Elliott, A. & Boyd, R. 2019, The Digital Revolution: New Challenges, New Thinking, Australian Institute of International Affairs, viewed 9 July 2019, retrieved: <http://www.internationalaffairs.org.au/australianoutlook/digital-revolution-new-challenges-new-thinking/>.
European Commission 2019, Digital Single Market: Europe 2020 Strategy, viewed 15 June 2019, retrieved: <https://ec.europa.eu/digital-single-market/en/europe-2020-strategy>.
Hughes, G. & Sutherland, A. 2018, Impact of the EU Global Data Protection Regulation in Australia, Davies Collison Cave, Canberra.
Nott, G. 2018, Government launches digital economy strategy, viewed 3 July 2019, retrieved: <https://www.computerworld.com.au/article/651016/government-launches-digital-economy-strategy/>.
Voigt, P. & von dem Bussche 2017, The EU General Data Protection Regulation (GDPR): a Practical Guide, Springer International Publishing, Switzerland.