EU GDPR and Australian ADIs

Introduction

On 25 May 2018 the European Union (EU) General Data Protection Regulation (GDPR) will enter into force and harmonises data privacy laws across Europe. Importantly it puts power in the hands of EU citizens and residents and imposes heavy penalties on organisations in breach. This article explains why this is relevant to Australian Deposit-taking Institutions (ADIs) and summarises the regulation and how that compares to our own privacy regulation.

Applicability to Australian ADIs

The Office of the Australian Information Commissioner (OAIC) has reviewed the GDPR and stated that “Australian businesses of any size may need to comply if they have an establishment in the EU, if they offer goods and services in the EU, or if they monitor the behaviour of individuals in the EU.”

However, there is potential for Australian ADIs to be caught by this regulation as there are many potential customers who are EU citizens, who may reside in the EU (even temporarily) or who may use online banking services as an EU citizen while in the EU or in Australia. Matthew Quick from KPMG said “if an Australian bank customer uses their mobile banking app in Europe and the lender uses data analytics on transactions, there is the potential for that bank to be captured by GDPR”.

With 1.9 million Australian residents born in the EU (Australian Bureau of Statistics 2016) plus temporary workers, if it reasonable to expect that Australian ADIs should review their compliance to GDPR or at the very least undertake compliance to OAIC Australian Privacy Principles (APP), and have a statement of record regarding compliance or not to GDPR and monitor how GDPR implementation develops in Australia.

Contentious points

There are a number of contentious points that have yet to be fully clarified or legally tested:

  1. The GDPR has extended jurisdiction to companies processing data of Data Subject residing or with citizenship in the EU regardless of the company’s location. Processing of data in Australia is therefore covered by the GDPR where the activities relate to: offering goods or services to EU citizens or residents and monitoring the behaviour that takes place within the EU e.g. an Australian ADI EU citizen using their ADI banking app in Europe (or maybe in Australia).
  2. The regulation allows for serious penalties amounting to the higher of 4% of revenue (or €20m – $30m). This is the maximum fine for the most serious infringements but fines are tiered. The GDPR also applies to “cloud-based processors” as well as Data Controller’s themselves.
  3. Consent conditions are strengthened and companies will need to use legible terms and conditions (without overt legalese) for a customer to consent to the processing of personal data. The withdrawal of consent should be similarly clear and as easy as consent.

Definitions

  • Data Subject – individual customer.
  • Data Controller – the company or organisation e.g. ADI.
  • Processor – a third-party processor of customer data on behalf of a Data Controller.

Data Subject Rights

The key features of the GDPR and its impact on business are described below (including a comparison to the OAIC APP March 2014):

Breach Notification
  • GDPR – Breach notification to customers and supervisory authority is mandatory where a breach is likely to “result in a risk for the rights and freedoms of individuals”. Time limit: 72 hours.
  • OAIC –  From 22 February 2018 (Notifiable Data Breaches scheme) – Notification to the Information Commissioner and customers is mandatory for most ADIs (turnover greater than $3m) where a breach is at “likely risk of serious harm”.  Time limit: As soon as practical.
Right to Access
  • GDPR – Right for customers to obtain Data Controller confirmation that personal data is being processed and providing such data in electronic form at no charge.
  • OAIC – APP Principle 5 gives customers the right to access their personal information within 30 days of the request. There are a number of exceptions and reasonable costs are permitted.
Right to be Forgotten
  • GDPR – Customers can request the Data Controller deletes their personal data (Data Erasure) upon removal of consent or no longer being relevant to original purpose e.g. cease to be a customer.
  • OAIC – No equivalent.
Data Portability
  • GDPR – Customers can request electronic data from a Data Controller (as above) and transmit that data to a new Data Controller e.g. transferring to a new bank.
  • OAIC – No equivalent.
Privacy by Design
  • GDPR – Inclusion of data protection from the onset in designing systems.
  • OAIC – The APP 1.2 adopts a privacy by design approach to privacy protection in the design of their information handling practices.
Privacy Protection Officers
  • GDPR – Appointment inside the EU will be mandatory for Data Controllers who regularly monitor Data Subjects on a large scale.
  • OAIC – APP requires businesses to appoint key roles for privacy management.
Sanctions
  • GDPR – Fines up to the higher of 4% revenue or €20m ($30m).
  • OAIC – Powers to work with entities for compliance or enforcement. Civil penalties for serious or repeated offences are $1.8m.

Sources

https://www.eugdpr.org
https://www.oaic.gov.au
https://www.rfigroup.com/australian-banking-and-finance/news/new-eu-privacy-laws-capture-aussie-banks
https://www.lifehacker.com.au/2017/10/what-is-gdpr-and-why-should-you-care/