On 27 April 2016, the European Union (EU) introduced the General Data Protection Regulation (GDPR). A transition period of two years was allowed to give organisations time to make any necessary changes. This transition period ended on 25 May 2018.
This blog post provides a brief overview of the regulation and what it might mean for some Queensland public authorities.
What is it?
The GDPR is a regulation that imposes explicit recordkeeping requirements for any organisation that it covers.
EU data protection rules aren’t new. They’ve had a version of them since 1995 – the new regulation is intended to update the law for the information age.
What is it supposed to do?
The key purpose of the GDPR is to allow individuals greater control over their personal data.
It is also intended to:
- simplify the regulatory environment regarding personal data in the EU
- encourage accountability when it comes to the handling of personal data.
“Rapid technological developments and globalisation have brought new challenges for the protection of personal data… Technology allows both private companies and public authorities to make use of personal data on an unprecedented scale in order to pursue their activities… Technology has transformed both the economy and social life, and should further facilitate the free flow of personal data… while ensuring a high level of the protection of personal data.
Those developments require a strong and more coherent data protection framework in the Union, backed by strong enforcement… Natural persons should have control of their own personal data. Legal and practical certainty for natural persons, economic operators and public authorities should be enhanced.”
Who does it affect?
Importantly, it does not only affect organisations with a physical presence in the EU.
It applies to any organisation that:
- offers goods or services (paid or otherwise) to individuals in the EU; or
- monitors the behaviour of individuals in the EU.
Note: there are exceptions. See Article 2(2) of the GDPR for more information.
Queensland public authorities that may be affected therefore include those that:
- offer education to students in the EU (e.g. external university students)
- provide goods or services to someone in the EU (e.g. a person in the EU who owns property in a Queensland local government area but does not reside in Queensland)
- monitor online behaviour (e.g. tracking or monitoring how people in the EU use visitor or tourist information provided by a public authority).
Please note that the Office of the Australian Information Commissioner has advised that it is not clear whether an EU law will apply to Australian organisations. Whether it does will depend on the laws of the particular jurisdiction, and may include commercial transactions.
If you aren’t sure whether your agency’s activities are affected, seek independent legal advice.
What is personal data?
Personal data is any information that relates to a natural person (i.e. not a corporation) who can be identified, directly or indirectly.
Personal data therefore does not include anonymised information, but it does include any data from which the natural person can be identified, even if the data is pseudonymised.
What are the obligations?
If an organisation has activities that fall under the regulation, it is required to handle any personal data in certain ways.
The obligations that an organisation may need to meet depend on whether it is a ‘controller’ or a ‘processor’ of personal data. See Article 4 of the GDPR for definitions.
Obligations may include the need for an organisation to:
- obtain consent from an individual to process their personal data
- confirm upon request what personal data was collected and why (among other things)
- give notice of certain things (for example, the purpose of and legal basis for processing the data)
- correct incorrect information
- erase personal data upon request (the ‘right to be forgotten’)
- stop processing personal data in certain circumstances
- tell anyone with whom it has shared the personal data of a request to erase that data
- provide a copy of any personal data collected to the individual upon request
- allow the transmission of personal data collected on an individual to another controller upon request
- not make decisions about individuals that have legal or similarly significant effects based solely on automated processing
- notify a supervisory authority of any personal data breach.
What happens to organisations that breach the regulation?
There may be penalties for any breach of the regulation.
Individuals covered by the regulation can make complaints against organisations and be compensated for any damage or loss.
Google has been one of the first organisations to receive a €50m fine for a breach of the GDPR, imposed in France for failing to notify users about how their data is used [1], and is under investigation for additional alleged breaches in Sweden over the collection of Android users’ location data [2]. Google is appealing the €50m fine.
For more information, you may also wish to read:
- Does the EU General Data Protection Regulation (GDPR) apply to Australian government agencies?, Office of the Australian Information Commissioner
- GDPR & Queensland Government Agencies, Office of the Information Commissioner (Queensland)
- Data Protection Laws European Union, Public Records Office of Victoria
[1] Phil Muncaster, Infosecurity Magazine, https://www.infosecurity-magazine.com/news/googles-50m-gdpr-fine-heralds-a/
[2] Phil Muncaster, Infosecurity Magazine, https://www.infosecurity-magazine.com/news/google-under-investigation-gdpr/