Australia: Impact Of The EU Global Data Protection Regulation In Australia

Last Updated: 11 June 2018
Article by Gordon Hughes and Andrew Sutherland

The European Union General Data Protection Regulation ("GDPR") came into effect on 25 May 2018. Its primary objective is to harmonise data protection laws across the EU. In the process, existing EU data protection laws have been updated, and Australian organisations with European connections may in some circumstances be required to adjust their existing privacy practices in order to comply.

In many respects, Australia's privacy laws are already consistent with the updated European requirements, and to this extent, the potential impact on Australian businesses will be contained. The primary question is whether, and under what circumstances, Australian businesses will become subject to the new European regime at all.

Despite considerable conjecture, it is our view that for most Australian businesses, the impact will be minimal.  In some circumstances, however, existing data protection practices may have to be adjusted.

Key provisions

The issue arises because of Article 3(2) which provides:

"This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:

  1. the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
  2. the monitoring of their behaviour as far as their behaviour takes place within the Union."

Recital 23 provides some guidance as to what constitutes "the offering of goods or services" by entities not established in the EU:

"In order to ensure that natural persons are not deprived of the protection to which they are entitled under this Regulation, the processing of personal data of data subjects who are in the Union by a controller or a processor not established in the Union should be subject to this Regulation where the processing activities are related to offering goods or services to such data subjects irrespective of whether connected to a payment. In order to determine whether such a controller or processor is offering goods or services to data subjects who are in the Union, it should be ascertained whether it is apparent that the controller or processor envisages offering services to data subjects in one or more Member States in the Union. Whereas the mere accessibility of the controller's, processor's or an intermediary's website in the Union, of an email address or of other contact details, or the use of a language generally used in the third country where the controller is established, is insufficient to ascertain such intention, factors such as the use of a language or a currency generally used in one or more Member States with the possibility of ordering goods and services in that other language, or the mentioning of customers or users who are in the Union, may make it apparent that the controller envisages offering goods or services to data subjects in the Union."

Recital 24 provides some guidance as to what constitutes "monitoring the behaviour" of an individual in the EU:

"The processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union should also be subject to this Regulation when it is related to the monitoring of the behaviour of such data subjects in so far as their behaviour takes place within the Union. In order to determine whether a processing activity can be considered to monitor the behaviour of data subjects, it should be ascertained whether natural persons are tracked on the internet including potential subsequent use of personal data processing techniques which consist of profiling a natural person, particularly in order to take decisions concerning her or him or for analysing or predicting her or his personal preferences, behaviours and attitudes."

Is an Australian business bound by the GDPR?

The GDPR applies to data "processors" and "controllers" with an establishment in the EU, or to processors and controllers outside the EU, where their processing activities involve the offering of services to individuals in the EU, or monitoring the behaviour of individuals in the EU.

The terminology "processor" and "controller" is unique to European law and does not have a direct equivalent in Australian law.  In essence, however, a typical Australian business will be the equivalent of a "controller" to the extent that it is responsible for the collection and use of personal information (e.g. information relating to individual clients) in the normal course of its operations;1 and typically, it will not be a "processor", unless it has outsourced the handling of client data to a European-based entity.2

Obviously, many Australian businesses do not have an establishment in the EU. Accordingly, they will only be subject to the GDPR if they are offering services to, or monitoring the behaviour of, individuals in the EU.

With respect to "offering services" for the purposes of Article 3(2)(a), Recital 23 suggests that the following activities may fall under this umbrella:

  • an Australian business whose website targets EU customers, for example by enabling them to order goods or services in a European language (other than English), or enabling payment in Euros; or
  • an Australian business whose website mentions customers or users in the EU.

As to whether an Australian website is "targeting EU customers", the examples contained in Recital 23 are not exhaustive. Nevertheless, applying those criteria, the following considerations will normally be taken into account:

  • whilst the fact that the website is accessible from Europe and that customers are intermittently sourced from Europe will not be relevant, a business strategy which demonstrably seeks to solicit work from Europe may be;
  • the fact that the website uses languages other than English is not determinative, but it will be relevant if the reason for doing so is to facilitate access by European-based clientele; and
  • the fact that a business invoices European customers in Euros will not itself be indicative of "targeting EU users", but the advertising of fees in Euros on the website may be.

If it can be concluded that, on this basis a business is targeting EU users, then it may be "offering services"  to European individuals in the manner envisaged by the GDPR, and this, in turn, would make it subject to the GDPR.

What is the gap between current Australian privacy obligations and the GDPR requirements?

To a large extent, an Australian business will meet the GDPR requirements if it complies with the Australian Privacy Principles (APPs).

Nevertheless, despite a considerable amount of overlap, the obligations arising under the APPs and under the GDPR are not quite aligned in the following respects.

Accountability and governance

It is a requirement to appoint a data protection officer located in the EU in some circumstances.  Under Article 37, this obligation only applies to businesses whose core activities "consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale".  This is a focussed scenario which will not capture a majority of Australian businesses, but which will nevertheless do so if, for example, it has an outsourcing facility based in Europe.

Other new "accountability and governance" obligations introduced by the GDPR are:

  • an obligation to undertake compulsory data protection impact assessments prior to certain types of data processing activities.  Unless a business were to outsource the processing of personal information to a European-based entity, this is unlikely to be an issue for Australian businesses;
  • an obligation to keep records of processing activities. The Office of the Australian Information Commissioner (OAIC) states that this is addressed by APP 1.23 although this may be an overstatement – it is in fact addressed by the OAIC's recommendations as to how an organisation should comply with APP 1.24. Most Australian businesses should already comply with this obligation in any event; and
  • an obligation to draw up a code of conduct in relation to compliance with the GDPR. This is not a mandatory obligation, however, and will not necessarily trouble a business with only incidental European links.

Accordingly, it appears that the inconsistencies between the GDPR and the Privacy Act 1988 in relation to accountability and governance will not be of significant consequence to a typical Australian business.


The GDPR introduces special provisions for obtaining consent from individuals below the age of 16 years. The Privacy Act 1988 does not have an equivalent stipulation, even though the OAIC APP Guidelines suggest that an individual aged 15 years or over has the capacity to consent, thus giving rise to a potential inconsistency.5

In practical terms, unless a business has occasion to obtain consent of individuals under the age of 16 years, this will not be an issue.

Mandatory Data Breach Notification

The GDPR requires the reporting of "high-risk" data breaches within 72 hours of detection, whereas the Privacy Act 1988 requires the reporting of "serious" data breaches "as soon as practicable". Whilst these two obligations are almost aligned, an Australian company would have to ensure that, in the case of a serious data breach involving personal information stored in Europe, notification was provided within 72 hours even in circumstances where it would otherwise have formed the view that it was impracticable to do so.

Right to erasure

Under the GDPR, individuals can require the deletion of personal information which they consider is no longer necessary.6 There is no equivalent provision in the Privacy Act 1988 but it is instructive that when a similar right was proposed in Australia by the Australian Law Reform Commission in 20147, the OAIC resisted change to the APPs on the basis that an equivalent right was already encompassed by APP 11.2.  APP 11.2 requires the destruction or de-identification of personal information when no longer required in connection with the original purpose of collection.

Accordingly, there does not appear to be a need for an Australian business to adjust its current practices in order to comply with the new European standards.

Data Portability

Under the GDPR, an individual has a right to require that their personal information be transferred to another "controller" in a "structured, commonly used, machine-readable format".8 There is no equivalent right under the Privacy Act 1988, although a similar concept has been recommended in Australia by the Productivity Commission.9

This issue would typically confront a business in circumstances where a customer seeks to transfer to a competitor, and wants their personal information to be transferred in the process.  Whilst most businesses would normally accede to such a request, those which don't would need to adjust their practices.

Right to object

The GDPR includes a right of an individual to object to the continued processing of their personal information in certain circumstances.10 The right only applies, however, where the individual contests the accuracy of their personal data, considers the processing to be unlawful or considers the information to be no longer required.11 Whilst the Privacy Act 1988 operates in a different manner, the effect of APP 10 (quality of personal information) and APP 13 (right to correct personal information) means that coverage under Australian privacy law is essentially the same.  Again, there should be no need for an Australian business to alter its existing practices in order to accommodate this change.

Overseas transfers

The GDPR regulation of transborder data flows is structured differently to APP 8, although the effect is ultimately similar.12

Transfers of data from Australia to the EU are unaffected by the new Regulation. For different reasons, transfers of data from Europe to Australia will also remain unaffected – whilst complications arise where data is transferred from the EU to a country which lacks an "adequate" level of data protection13, Australia has in fact been in that category since the former EU Article 29 Committee determined in 2001 that Australia's data protection laws were "inadequate" as a consequence of their failure to match European standards.14  This in effect means that it will still be necessary (as has always been the case in theory) for an Australian business to provide certain contractual undertakings to European based entities which are forwarding personal information to it.

In other words, the GDPR does not alter the existing position regarding overseas transfers of personal information or the receipt of personal information from a European source.


1  See definition of "controller" in GDPR Article 4(7)

2  See definition of "processor" in GDPR Article 4(8)

3  APP 1.2 deals with "Open and transparent management of personal information" and is headed "Compliance with the Australian Privacy Principles"

4  See OAIC's Australian Privacy Principles Guidelines, paras 1.4 – 1.7

5  See OAIC's Australian Privacy Principles Guidelines, paras B50 – B52

6  GDPR Article 17

7  ALRC Discussion Paper, Serious Invasions of Privacy in the Digital Era, March 2014.  The recommendation was made in light of the decision of the European Court of Justice in Google Spain SL v Gonzalez (2014) c- 131/12

8  GDPR Article 20

9  See Productivity Commission, Data Availability and Use, Report No 82 (2017)

10  GDPR Article 21

11  GDPR Article 6(1)

12  See GDPR Article 45

13  GDPR Article 45(1)

14  Opinion 3/2001 on the level of protection of the Australian Privacy Amendment (Private Sector) Act.  Although the Privacy Act has since been substantially revised, the principal European objections remain – particularly the small business exemption and the employee record exemption

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

To print this article, all you need is to be registered on

Click to Login as an existing user or Register so you can print this article.

Similar Articles
Relevancy Powered by MondaqAI
Some comments from our readers…
“The articles are extremely timely and highly applicable”
“I often find critical information not available elsewhere”
“As in-house counsel, Mondaq’s service is of great value”

Related Topics
Similar Articles
Relevancy Powered by MondaqAI
Related Articles
Related Video
Up-coming Events Search
Font Size:
Mondaq on Twitter
Mondaq Free Registration
Gain access to Mondaq global archive of over 375,000 articles covering 200 countries with a personalised News Alert and automatic login on this device.
Mondaq News Alert (some suggested topics and region)
Select Topics
Registration (please scroll down to set your data preferences)

Mondaq Ltd requires you to register and provide information that personally identifies you, including your content preferences, for three primary purposes (full details of Mondaq’s use of your personal data can be found in our Privacy and Cookies Notice):

  • To allow you to personalize the Mondaq websites you are visiting to show content ("Content") relevant to your interests.
  • To enable features such as password reminder, news alerts, email a colleague, and linking from Mondaq (and its affiliate sites) to your website.
  • To produce demographic feedback for our content providers ("Contributors") who contribute Content for free for your use.

Mondaq hopes that our registered users will support us in maintaining our free to view business model by consenting to our use of your personal data as described below.

Mondaq has a "free to view" business model. Our services are paid for by Contributors in exchange for Mondaq providing them with access to information about who accesses their content. Once personal data is transferred to our Contributors they become a data controller of this personal data. They use it to measure the response that their articles are receiving, as a form of market research. They may also use it to provide Mondaq users with information about their products and services.

Details of each Contributor to which your personal data will be transferred is clearly stated within the Content that you access. For full details of how this Contributor will use your personal data, you should review the Contributor’s own Privacy Notice.

Please indicate your preference below:

Yes, I am happy to support Mondaq in maintaining its free to view business model by agreeing to allow Mondaq to share my personal data with Contributors whose Content I access
No, I do not want Mondaq to share my personal data with Contributors

Also please let us know whether you are happy to receive communications promoting products and services offered by Mondaq:

Yes, I am happy to received promotional communications from Mondaq
No, please do not send me promotional communications from Mondaq
Terms & Conditions (the Website) is owned and managed by Mondaq Ltd (Mondaq). Mondaq grants you a non-exclusive, revocable licence to access the Website and associated services, such as the Mondaq News Alerts (Services), subject to and in consideration of your compliance with the following terms and conditions of use (Terms). Your use of the Website and/or Services constitutes your agreement to the Terms. Mondaq may terminate your use of the Website and Services if you are in breach of these Terms or if Mondaq decides to terminate the licence granted hereunder for any reason whatsoever.

Use of

To Use you must be: eighteen (18) years old or over; legally capable of entering into binding contracts; and not in any way prohibited by the applicable law to enter into these Terms in the jurisdiction which you are currently located.

You may use the Website as an unregistered user, however, you are required to register as a user if you wish to read the full text of the Content or to receive the Services.

You may not modify, publish, transmit, transfer or sell, reproduce, create derivative works from, distribute, perform, link, display, or in any way exploit any of the Content, in whole or in part, except as expressly permitted in these Terms or with the prior written consent of Mondaq. You may not use electronic or other means to extract details or information from the Content. Nor shall you extract information about users or Contributors in order to offer them any services or products.

In your use of the Website and/or Services you shall: comply with all applicable laws, regulations, directives and legislations which apply to your Use of the Website and/or Services in whatever country you are physically located including without limitation any and all consumer law, export control laws and regulations; provide to us true, correct and accurate information and promptly inform us in the event that any information that you have provided to us changes or becomes inaccurate; notify Mondaq immediately of any circumstances where you have reason to believe that any Intellectual Property Rights or any other rights of any third party may have been infringed; co-operate with reasonable security or other checks or requests for information made by Mondaq from time to time; and at all times be fully liable for the breach of any of these Terms by a third party using your login details to access the Website and/or Services

however, you shall not: do anything likely to impair, interfere with or damage or cause harm or distress to any persons, or the network; do anything that will infringe any Intellectual Property Rights or other rights of Mondaq or any third party; or use the Website, Services and/or Content otherwise than in accordance with these Terms; use any trade marks or service marks of Mondaq or the Contributors, or do anything which may be seen to take unfair advantage of the reputation and goodwill of Mondaq or the Contributors, or the Website, Services and/or Content.

Mondaq reserves the right, in its sole discretion, to take any action that it deems necessary and appropriate in the event it considers that there is a breach or threatened breach of the Terms.

Mondaq’s Rights and Obligations

Unless otherwise expressly set out to the contrary, nothing in these Terms shall serve to transfer from Mondaq to you, any Intellectual Property Rights owned by and/or licensed to Mondaq and all rights, title and interest in and to such Intellectual Property Rights will remain exclusively with Mondaq and/or its licensors.

Mondaq shall use its reasonable endeavours to make the Website and Services available to you at all times, but we cannot guarantee an uninterrupted and fault free service.

Mondaq reserves the right to make changes to the services and/or the Website or part thereof, from time to time, and we may add, remove, modify and/or vary any elements of features and functionalities of the Website or the services.

Mondaq also reserves the right from time to time to monitor your Use of the Website and/or services.


The Content is general information only. It is not intended to constitute legal advice or seek to be the complete and comprehensive statement of the law, nor is it intended to address your specific requirements or provide advice on which reliance should be placed. Mondaq and/or its Contributors and other suppliers make no representations about the suitability of the information contained in the Content for any purpose. All Content provided "as is" without warranty of any kind. Mondaq and/or its Contributors and other suppliers hereby exclude and disclaim all representations, warranties or guarantees with regard to the Content, including all implied warranties and conditions of merchantability, fitness for a particular purpose, title and non-infringement. To the maximum extent permitted by law, Mondaq expressly excludes all representations, warranties, obligations, and liabilities arising out of or in connection with all Content. In no event shall Mondaq and/or its respective suppliers be liable for any special, indirect or consequential damages or any damages whatsoever resulting from loss of use, data or profits, whether in an action of contract, negligence or other tortious action, arising out of or in connection with the use of the Content or performance of Mondaq’s Services.


Mondaq may alter or amend these Terms by amending them on the Website. By continuing to Use the Services and/or the Website after such amendment, you will be deemed to have accepted any amendment to these Terms.

These Terms shall be governed by and construed in accordance with the laws of England and Wales and you irrevocably submit to the exclusive jurisdiction of the courts of England and Wales to settle any dispute which may arise out of or in connection with these Terms. If you live outside the United Kingdom, English law shall apply only to the extent that English law shall not deprive you of any legal protection accorded in accordance with the law of the place where you are habitually resident ("Local Law"). In the event English law deprives you of any legal protection which is accorded to you under Local Law, then these terms shall be governed by Local Law and any dispute or claim arising out of or in connection with these Terms shall be subject to the non-exclusive jurisdiction of the courts where you are habitually resident.

You may print and keep a copy of these Terms, which form the entire agreement between you and Mondaq and supersede any other communications or advertising in respect of the Service and/or the Website.

No delay in exercising or non-exercise by you and/or Mondaq of any of its rights under or in connection with these Terms shall operate as a waiver or release of each of your or Mondaq’s right. Rather, any such waiver or release must be specifically granted in writing signed by the party granting it.

If any part of these Terms is held unenforceable, that part shall be enforced to the maximum extent permissible so as to give effect to the intent of the parties, and the Terms shall continue in full force and effect.

Mondaq shall not incur any liability to you on account of any loss or damage resulting from any delay or failure to perform all or any part of these Terms if such delay or failure is caused, in whole or in part, by events, occurrences, or causes beyond the control of Mondaq. Such events, occurrences or causes will include, without limitation, acts of God, strikes, lockouts, server and network failure, riots, acts of war, earthquakes, fire and explosions.

By clicking Register you state you have read and agree to our Terms and Conditions