GDPR and the Australian Privacy Act 101: What do they mean for your growing business?
So, you’re scaling to Europe and Australia. What now?
For years, data has grown into one of the most successful money generators for many companies. But it has always been met with a lot of resistance.
News of data breaches and misuse has ruffled feathers as consumers worry about what Big Data is doing with their personal information. Because of this, millions around the world have been pressuring both government and private sectors to impose stringent data protection laws.
Enter the GDPR and the Privacy Act — two data regulations that help prevent companies from improperly collecting and selling personal data they’ve obtained from their consumers.
But what exactly do these regulations entail? And, more importantly, what do they mean for businesses operating on EU and Australian soil?
In this article, we break down what the GDPR and the Privacy Act are all about and what scale-ups can do to stay compliant and earn their consumers’ trust.
Let’s begin.
GDPR, in a nutshell
The General Data Protection Regulation (GDPR) is a 2016 ruling that gives consumers within the European Union (EU) greater control over their personal data, including names, photos, email addresses, social media posts, personal medical information, IP addresses, bank details, or any other information that identifies them.
International companies that operate across the EU were given a two-year transition period to comply with its lengthy requirements before individual data protection authorities (DPAs) began penalising violators of its privacy and security standards in 2018.
The GDPR has been dubbed one of the toughest privacy laws in history, and also the most expensive — with fines of up to €20 million or 4% of worldwide revenues from the previous year (whichever is higher) imposed on any business that does not comply with its requirements.
Organisations may also be fined an additional 2% of their global revenues for failing to keep proper records in order.
Over the years, these fines have increased depending on the nature and severity of the violations, with tech giant Amazon being fined a whopping €746 million for reasons not fully disclosed.
What the public does know is that part of its advertising system is not based on “free consent”.
Any information that is improperly processed or collected (whether in the cloud or in a physical location) by the data controller (the company, its owner, or an employee) or the data processor (a third party that processes personal data on behalf of a data controller) is still subject to fines, because it remains at risk of breach and misuse.
If a data breach occurs, the GDPR gives data controllers and data processors a maximum of 72 hours to inform both the appropriate DPAs and the affected individuals.
Australian Privacy Act 1988, in a nutshell
The Australian Privacy Act of 1988 (Privacy Act) is Australia’s first piece of legislation regulating how federal and private entities (with an annual turnover of $3 million or more) collect, use, store, and disclose individuals’ personal information online.
It has evolved over the years to accommodate changing privacy needs.
In 2018, the Notifiable Data Breaches scheme was added to the Privacy Act, requiring public and private entities to notify affected individuals and the Office of the Australian Information Commissioner (OAIC) of data breaches and/or data misuse.
In 2019 — as part of the government's response to the Australian Competition and Consumer Commission's Digital Platforms Inquiry — a review of the Privacy Act was undertaken to ensure that online privacy settings give consumers a customisable way to protect their data while making sure the Australian economy also benefits.
In 2021, the Online Privacy Bill was passed into law to build on the Australian Government’s commitment to strengthen the Privacy Act by 1) introducing a binding Online Privacy Code for social media sites and other online platforms and 2) increasing penalties and enforcement measures.
The Privacy Act sets out 13 Australian Privacy Principles (APPs) that protect privacy without imposing inflexible, prescriptive rules. Instead, they:
- regulate the entire data processing lifecycle by implementing standards for the collection, use, disclosure, quality, and security of personal information, and
- impose responsibilities on entities subject to the Privacy Act involving access to, and correction of, an individual's personal information.
Where the APPs are breached, the OAIC is responsible for investigating both breaches of the APPs and breaches of the credit reporting provisions. The OAIC is also responsible for:
- accepting enforceable undertakings,
- pursuing civil penalties for serious or repeated privacy breaches, and
- carrying out privacy performance assessments for both Australian Government agencies and private businesses.
The GDPR and the Privacy Act in-depth: similarities and differences
Now that you have a basic understanding of the GDPR and the Privacy Act, we’ll delve into their similarities and differences to simplify things further.
Let’s start with the general similarities:
- Both require data controllers and APP entities to make sure that personal data is complete, up-to-date, and accurate.
- Both protect all personal data of living individuals.
- Both cover businesses, private institutions, public bodies, and non-profit organisations.
- Both reach beyond their borders. The GDPR applies to all entities that have a presence in the EU, regardless of whether the personal data processing occurs in the EU or not, while the Privacy Act applies to all APP entities as well as to all of Australia’s external territories.
- Both issue a list of what is considered “sensitive” data and impose specific requirements for how it is processed.
- Both exclude personal data processing for personal, household, or journalistic purposes.
- Both exclude purely anonymous personal information.
- Both exclude data processing activities that pertain to law enforcement or national security.
- Both exempt the collection, use, and disclosure of health information, but only where it is for the purposes of research or public health or safety, under specific guidelines.
Now, the general differences:
- The GDPR distinguishes between data controllers and data processors, while the Privacy Act specifies APP entities (individuals, corporate bodies, partnerships, unincorporated associations, trusts, and government agencies that act as a data controller or data processor).
- The Privacy Act excludes practices engaged in by an organisation directly relating to a current or former employee, while the GDPR does not.
- The Privacy Act excludes small business operators (with an annual turnover for the previous financial year not exceeding AUD 3 million, or approximately €1.8 million) as long as they are not processing health information or profiting from personal data, while the GDPR does not. However, the Privacy Act does cover tax file numbers, including those processed by small businesses.
- The GDPR imposes specific requirements when providing information to children, whereas the Privacy Act is more lenient (the only requirement is that individuals under 18 — but not younger than 15 — must have the maturity and understanding of the terms presented to them).
- The GDPR, being a consent-based law, provides consumers with the “Right to Erasure” of all personal data concerning them without undue delay. It also gives consumers the right to correct any misinformation held on them. The Privacy Act, on the other hand, only requires specific consent for the collection of sensitive personal information.
For more in-depth information, read the full list of GDPR guidelines here and the Australian Privacy Act 1988 here.
How they impact your growing business
When thinking about dealing or trading in Europe, businesses need to focus their attention on the key issues in front of them.
Otherwise, they can be subjected to hefty fines, or expect a significant reduction in their ability to reach consumers by email and other forms of contact within the EU and Australian markets.
Ask yourself: How can we efficiently implement a privacy-by-design-and-by-default approach to complying with both the GDPR and the Privacy Act? How can we demonstrate our compliance with privacy principles and obligations to consumers and all regulatory bodies involved?
And, more importantly, how can we effectively adopt transparent information-handling practices across our platforms and business?
For one, you need to pay close attention to the differences and similarities between the GDPR and the Privacy Act.
Where do they contradict? Where do they intersect? And how do you fill in the gaps present in your organisation or business?
As good practice, an experienced data protection officer should be appointed and given responsibility for making sure your business complies with all of the requirements.
Doing so can optimise your operations and profits when dealing within the EU and Australia without interrupting your day-to-day business.
It goes without saying that scaling your business means newer, more complicated, and even bigger expectations and requirements from both your consumers and the law.
We at BeingIconic have partnered with multiple scale-ups across the EU and Australia. With our guidance, our clients were able to operate efficiently in all countries where the GDPR and the Privacy Act are in full effect.
This allowed them to focus on all the right things instead of getting lost in tedious compliance requirements. Partner with us if you want us to do the same for you.