The EU General Data Protection Regulation: Changing privacy law landscape
Today marks the enforcement day of the EU General Data Protection Regulation (GDPR). The GDPR significantly changes the privacy law landscape, implementing strict, prescriptive obligations for data controllers and processors, both in the EU and extra-territorially.
The GDPR modernises privacy protections for data subjects within the EU. In response to the increasing commodification of personal data in today’s connected economy, the GDPR maximises individuals’ control over their personal data. Introducing a series of enhanced, actionable rights for individuals, the GDPR provides individuals with a clear avenue for redress for any interference with their information privacy.
A key element of the GDPR is the express focus on meaningful consent within the Regulation, introducing requirements for entities captured by the GDPR to draft terms requiring consent in clear and plain language. Terms requiring individuals’ consent must be clearly distinguished from other provisions, meaning that controllers and processors can no longer bury consent provisions in lengthy, unintelligible terms and conditions. Individuals also have a positive right to withdraw consent at any time.
Additionally, the GDPR places a focus on demonstrated compliance and good privacy governance, to create an overall positive privacy culture. Under Article 25, controllers and processors are required to take a data protection by design and by default approach to business practice. This requirement is underpinned by a statutory obligation, under Article 35, to undertake a data protection impact assessment where any processing of personal data “is likely to result in a high risk to the rights and freedoms” of individuals. The GDPR also provides for Board-level oversight and awareness of an entity’s privacy practices. For example, where an entity is required to appoint a Data Protection Officer (DPO) under Article 37, the DPO is required to report directly to the highest level of management within the entity (under Article 38).
From a Victorian perspective, a key difference between the protections afforded under the Privacy and Data Protection Act 2014 (PDP Act) and the GDPR is that the PDP Act is principle-based legislation. The requirements under the 10 Information Privacy Principles (IPPs) are articulated in terms of ‘reasonable steps’ and offer a degree of flexibility for Victorian public sector (VPS) organisations in meeting their privacy obligations. The GDPR, on the other hand, combines both a principle-based and a prescriptive approach to privacy protections, with the privacy, data security, transparency and accountability requirements for controllers and processors clearly outlined within the text of the Regulation itself.
Our office has produced a factsheet outlining the key considerations for the VPS in light of the implementation of the GDPR. This factsheet includes a comparison between the IPPs and the GDPR as well as an exploration of the key themes of the GDPR. You can find the factsheet here.
Last year, our office also held a public forum on the GDPR, considering the key learnings the VPS can take away from the GDPR in terms of privacy best practice. You can view a recording of our public forum on our Periscope channel.