Differences and Similarities between GDPR and APP/NDB Flashcards
What is the definition of “personal data” in the GDPR, and what is the definition in the Australian Privacy Act, and how do they differ?
GDPR:
Any information relating to an identified or identifiable natural person.
Australian Privacy Act:
Information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether the information or opinion is true or not and whether the information or opinion is recorded in a material form or not.
How does the Australian Privacy Act compare to the GDPR with regard to processing activity outside their direct territorial scope (the EEA and Australia respectively)?
GDPR:
The regulation applies to the processing of personal data of data subjects who are in the Union (EEA) by a controller or processor not established in the Union, where the processing activities are related to:
a. Offering goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union;
b. The monitoring of behaviour as far as their behaviour takes place within the Union.
Australian Privacy Act:
An entity operating outside Australia will still have obligations under the Privacy Act if the entity has ‘an Australian link’. An entity will have an Australian link for the purposes of the Privacy Act if, generally speaking, the entity was formed in Australia, has its central management and control in Australia, or is otherwise carrying on a business and collects or holds personal information in Australia.
This expands the reach of the Privacy Act to overseas entities, or Australian subsidiaries of overseas entities, who are engaging in business-related acts within Australia, even if the business is otherwise predominantly conducted outside of Australia.
The Australian Information Commissioner has also pointed to specific indicators that an entity is carrying on a business within Australia, including where an entity has an agent or agents within Australia, websites offering goods or services to Australia, purchase orders being actioned within Australia, or personal information being collected from a person who is physically in Australia.
Both the GDPR and the Notifiable Data Breach Notification Scheme (NDB) set a period for reporting a breach once the organisation (for the GDPR, the set period only applies to Controllers) has become aware of it. What is this period?
GDPR:
A Controller has 72 hours to report a data breach to the Data Protection Authority, unless the personal data breach is unlikely to result in a risk to the data subject.
NDB:
Any organisation with existing personal information security obligations under the Australian Privacy Act 1988 has 30 days to report a data breach to the OAIC.
NOTE: both state, however, that the set period is only an absolute maximum, unless you can argue why the stated time was not enough. The GDPR states that the breach must be reported “without undue delay” and the NDB states that the Commissioner is to be notified “as soon as practicable”.
In short, the longer it takes to notify, the better arguments you will need to display accountability on why it took so long.
With processing of personal data outside the direct territorial scope of the GDPR and the Australian Privacy Act (the EEA and Australia respectively), how is it ensured that
GDPR:
A transfer of personal data to a country outside the EEA is lawful only when an adequate level of security is realised. This may be achieved through an Adequacy Decision granted by the European Commission, or by putting appropriate safeguards in place, such as Binding Corporate Rules or contractual clauses.
To ensure accountability for the (mis)use of this data, the organisation that made the data available outside the EEA is liable should the recipient outside the EEA process it unlawfully in the eyes of the GDPR. If there is no organisation that made it available, but an organisation outside the EEA offers e.g. goods and services in the EEA, then a representative must be appointed who carries this accountability.
Australian Privacy Act:
APP 8 states that if an APP entity makes personal information available to a recipient outside Australia, it has to take ‘reasonable steps’ to ensure the recipient adheres to the Australian Privacy Principles. Often, this happens through contractual obligations.
Here too, to ensure accountability for the (mis)use of this data, should the recipient outside Australia breach the APPs, the Privacy Act imposes liability on the organisation that made the personal data available.