GDPR compliance in Australia: busting the data privacy myths

In 2017, The Economist called personal data “the world’s most valuable resource” ahead of oil due to its huge impact on how companies interact with their customers. The GDPR fundamentally changes how that data is collected, stored and used in the EU. But what does that mean for Australian marketers?

Europe’s move to regulate companies processing of personal data and improve an individual’s privacy rights, the General Data Protection Regulation (GDPR), has caused deep confusion among marketers worldwide since it came into effect in May this year. The regulation increases fines, specifies breach notifications, and changes consent rules and responsibility for data transfer outside of the EU.

The CGOC’s Top Corporate Data Protection Challenges survey, released mere months before the compliance deadline, found that only six per cent of organisations felt ready.

Jason Qian is a lawyer specialising in intellectual property, privacy, confidentiality, marketing and technology at DVM Law. He says GDPR compliance, or even skilled adoption, is a continuous effort.

“In fact, it’s probably an effort that will increase as companies in Europe and in Australia get more comfortable with applying the GDPR and their relationship with the GDPR,” Qian predicts.

“I suspect that Australian companies will start feeling the pressure from clients and data controllers based in Europe or with a strong European link, who want everyone in their personal information process chain to comply with the GDPR.”

Here, we bust the myths around GDPR compliance.

Mahlab Have you seen confusion around whether the GDPR is applicable for Australian companies?

Jason Qian I think there has been a lot of confusion in terms of whether the GDPR applies to Australian companies, and the resulting agreements with third parties that are required. Although, with every passing month I think the confusion is reducing as privacy regulators, industry organisations and private companies in Europe and Australia clarify their approach to the GDPR. For example, some companies in Australia are finding that their clients are requiring them comply with the standards and obligations in the GDPR through contract, and where the Australian company is not in a position to push back on that demand, the question of whether Article 3 of the GDPR applies directly to the Australian company becomes a moot point because the Australian company is contractually required to comply.

M What are the most common misconceptions or continual questions that you’ve encountered from Australian marketers about GDPR?

JQ There are many, but I’ll highlight the top three misconceptions that pop up again and again. First, for people in Australia, it’s that the GDPR will automatically apply. For a lot of Australian companies, if they’re targeting people in Australia and if they don’t have a European connection, then there’s a good chance the GDPR may not apply at all.

The second misconception is probably around pseudonymisation. This is a small one, but I hear a lot of people talk about pseudonymisation as a sort of ‘out’, or as an option that they can rely on to possibly avoid some of the obligations of the GDPR. But that’s not really how pseudonymisation is treated in the GDPR.

The third big misconception is the idea that you can independently comply with the GDPR. There seems to be a conception that you can, as a company, just talk to your lawyers about GDPR requirements, internally develop some policies and procedures, and then come out a month later being GDPR compliant.

While your internal policies and practices are essential, the GDPR is also very much about your relationships with other companies, both practically and contractually. It requires that you have certain contracts in place with the organisations which process the personal data you hold. And, if you are processing personal data received from other companies, equivalent agreements should be in place there.

M How do you make sure that your relationships are in line? Is there any typical process?

JQ Well, you’d have to first identify which of your third-party contractors are actually receiving personal data from you. Many companies will have some contractors that don’t do that, and they don’t need to be concerned about that. But if you’re giving personal information of individuals in the EU, like an email list, to a subcontractor, then you need to think about how you’re going to ensure that the subcontractor is GDPR compliant.

What we find is that a lot of companies address it upfront. So, for example, if you use Salesforce or Eventbrite you might search their GDPR pages and they will have published something about how they’re taking steps to comply with those laws, and how you can sign up to a GDPR-compliant agreement with them. But other subcontractors may not be so forthright. That’s probably a situation where you need to get your own legal advice and go to that subcontractor yourself with a contract that satisfies your GDPR obligations. All assuming, of course, that the GDPR actually applies.

M You mentioned pseudonymised data. Is that treated like other personal data under the GDPR?

JQ In short, yes. In most cases, pseudonymised data is treated like personal data under the GDPR.

The GDPR has a set of operative legal terms and there are also a set of what is called recitals – those are the explanatory paragraphs of the GDPR. In one of those recitals, it says pseudonymised personal data that could be attributed to a natural person by use of additional information should be considered to be information on an identifiable natural person.

That’s actually a pretty clear statement: if you can link information you’ve pseudonymised to an individual, which I imagine you often can because it would be linked to an email address or phone number or perhaps an activity, then you have traded personal information under the GDPR.

M What is a data processor and controller?

JQ Explaining data controllers or processors is probably best done by way of example – take a mailing company like MailChimp that gets a list of emails and names from a client, and sends out marketing material to those people but doesn’t have an actual relationship with the recipients.

Australia and Europe deal with this situation quite differently.

In Europe, under the GDPR, the client and MailChimp are defined as different types of entities. The client is defined as a data controller, meaning it determines why and how personal information is used. So, they’re the company that gives MailChimp the list of emails. Mailchimp, in the context of that transaction, is defined as a data processor, which really just does what the controller tells them and nothing else. The GDPR has different rules for the controllers and the processors because if you are a processor you don’t do anything other than what controllers tell you to do.

So, the buck theoretically stops with the controller. It is a foundational question for companies as to whether they are controllers and/or processors of the various personal data that they process.

In Australia, there is no explicit equivalent to the data controller and data processor concept in the Australian Privacy Principles. Broadly speaking, all Australian organisations covered by the Australian Privacy Act need to collect, use and disclose personal information in compliance with the same Australian Privacy Principles.

M There was some news earlier in the year that companies were defining themselves as data controllers instead of as processors, or vice versa. Why is this?

JQ Interesting question. It’s interesting because to avoid responsibility you might expect that a company would try to define itself as a processor, to try to wash their hands of determining the how and why of the information use and compliance obligations under the GDPR. Essentially this is saying, ‘look, you gave me the personal information. You’re the one who is responsible for, for example, providing a privacy policy to the individuals in question and lawfully collecting and using that personal information’.

On the other hand, you’ve also described the opposite direction, where companies are asserting that they are data controllers, even where you might expect that they should just be providing a service to the actual controllers of the personal data. That’s because companies which work with personal data find it valuable and want to control and use it for their own purposes, even if they might not have originally collected it

That leads to some interesting negotiations and agreements between the companies in question and their relationships with the individuals whose personal data they are processing.

M Do Australian marketers have to gain explicit consent to process data and how does the GDPR define consent?

JQ It’s an excellent question and I think I actually need to unpack that a bit, because there are a lot of different types of marketers. There are in-house marketing teams, marketing agencies, programmatic marketers and the answer for each of them might be different.

It also depends on where and how you’re collecting information in the first place and whether, at that point, you’ve been clear about what you’re going to do with that information. In some cases, you may be able to rely on other lawful bases of processing personal information under the GDPR, like legitimate interest or contract.

In terms of how the GDPR defines consent, it’s an interesting issue because Australia and the GDPR define consent differently. In Australia, consent can be explicit or implicit. You can get implied consent which means that you don’t need to jump through as many hoops and risk providing a negative user experience to consumers.

Under the GDPR, consent must be explicit. It is given ‘by a clear affirmative act establishing a freely-given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data’. So, you can see that that it’s more robust. What that means is that things like silence, pre-ticked boxes or inactivity don’t constitute consent.

M So, what is legitimate interest and how is it defined in the GDPR?

JQ Legitimate interest is another lawful basis for processing personal information, like consent. Legitimate interest is a flexible basis of processing personal information without gathering consent.

But you can’t just assert it and leave it at that. You need to apply a further test and demonstrate that you have balanced your legitimate interest in processing the personal information with the fundamental rights and freedoms of the data subject. The ICO, which is the privacy body in the UK, puts forward a three-part test where you need to identify the legitimate interest to you, and then demonstrate that the interest is strictly necessary and that it doesn’t override the interests of individuals.

The reason why so much attention is focused on consent and legitimate interest is that the other lawful bases are less flexible. For example, performance of a task carried out in the public interest, generally speaking, is more limited in scope than legitimate interest or consent.

There are some instances of legitimate interest which are clearly identified by the GDPR – those include processing for network security, sharing evidence of a possible criminal act and fraud prevention. But, for the most part, it’s not entirely clear how far you can use legitimate interest and at what point the “fundamental rights and freedoms of the data subject” override the legitimate interest you have claimed. That lack of clarity is probably the essential point. It may not be resolved until companies which have been bullish on the use of legitimate interest have been brought up before privacy authorities for going too far.

Hannah Dixon contributed to the writing of this piece.