The GDPR: are you captured?
From this week, asset managers and super funds with customers or staff located in the European Union may need to comply with new European data privacy requirements, or risk facing significant fines.
The EU General Data Protection Regulation (GDPR) comes into effect on 25 May, lifting the standard of data protection not just in Europe, but more broadly through its significant extraterritorial reach.
Broadly speaking, the GDPR captures any entity that processes personal data of individuals located in the European Union (resident or tourist), whether through an EU-based subsidiary or other type of establishment, or by offering goods and services to, or monitoring the behaviour of, individuals who are based in the EU.
This captures asset managers with EU establishments, a category that comprises many of the larger Australian asset managers. However, it also means that an Australian-based asset manager targeting investors in the EU could be subject to the new regulation, which is not the case presently, save for particular circumstances. Similarly, a super fund that sends marketing material to, or monitors the investment preferences or other behaviours of, any individual member located in the EU may fall within the scope of the GDPR.
Alec Christie, partner and Asia-Pacific Digital Law Leader at EY in Sydney, told Fund Business that the full extent of the extraterritorial reach, which is contained in Article 3 of the GDPR, is not always fully understood.
“The GDPR compliance requirement is fairly obvious for institutions that have a presence in Europe; they get it. It’s the other two categories, are you offering goods and services into the EU or are you profiling or tracking people who are located in the EU online, that are catching Australian fund managers out,” Christie said.
“If fund members who work or have retired in Europe get sent the same information and marketing campaigns that Australia-based members are sent, and if those communications contain marketing information, the GDPR will likely apply. Similarly, if as a fund you are profiling your members with a view to targeting future sales and those members happen to reside in Europe, you are in scope, even if you are a wholly Australian fund.”
Whether breaches of this type are likely to result in actual fines remains to be seen.
Tanguy Van Overstraeten, partner at Linklaters in Brussels and a member of the European Commission’s multi-stakeholder expert group on GDPR, said the application of the territorial scope is not entirely clear and enforcement may prove difficult in practice absent any presence in Europe, even for those who are targeting customers in the region.
“My assessment is that if you do not have any establishment in Europe, the exposure should remain relatively low. However, if you do have an establishment, the combination of the new rules with broad extra-territorial reach and the existing case law – such as for example the Google Spain case – may significantly increase the risk,” Van Overstraeten said.
GDPR in practice
From a content perspective, many of the GDPR requirements are not new. Compared to its European predecessor, the Data Protection Directive, the GDPR retains the same core rules and continues to regulate the processing of personal data through compliance with a set of general principles, albeit in a more detailed and often more stringent manner.
The Australian Privacy Act 1988 also imposes similar requirements. Both laws share a focus on fostering transparency and business accountability to give individuals confidence that their privacy is being protected. Both laws require businesses to implement measures that ensure compliance with the key privacy principles, and both take a “privacy by design” approach to compliance. Data breach notification requirements are comparable, and both laws are technology neutral, which will preserve their relevance and applicability in a context of continually changing and emerging technologies.
What makes GDPR compliance complicated, for Australian firms as much as anyone else, is the sheer level of detail prescribed in the regulations.
“A lot of the GDPR principles are not new to Australians. With one or two exceptions, these principles are all captured in some form in the Australian Privacy Principles (APPs). The difference is that the GDPR imposes a different level of obligation and enforcement. It’s the APPs on steroids, both in terms of the way the GDPR is written and in terms of the obligations imposed on organisations,” Christie said.
Breaching the regulations could also be very costly. Under the GDPR, breaches could result in fines of up to 20 million euros or 4 percent of the annual worldwide turnover of the group to which the violating company belongs, whichever is higher.
“Looking at the size of these fines, it is not surprising there are corporates in Australia who are spending more time, energy and effort on GDPR compliance than they ever have on Australian privacy compliance,” Christie said.
Tackling the GDPR
Minimising the risk of breaching the GDPR starts with a review of the status quo. “Are we caught? Why are we caught? How can we minimise the impact? I would conduct that impact assessment first, before leaping into what could be a million-dollar implementation programme,” Christie said.
In essence, Australian organisations that are caught under the new GDPR regime have a number of options. The first is to avoid the regime altogether by changing the way personal data on European residents is processed. This is unlikely to be practical, however, as it would impact business models and hamper the globalised approach that is fundamental to many organisations today. The second option is to isolate the European data operations and treat these in a GDPR-compliant manner. The key point here is that if data on European individuals is stored alongside all other (Australian) data subjects, the entire database may become subject to the GDPR.
The third option is to take a firm-wide GDPR-compliant approach to data processing, on the grounds that, going forward, the GDPR will be seen as best practice globally. “That is an option that has been considered by a number of our clients. They are not necessarily doing it by the 25th of May but they are seriously thinking of implementing it over and above their current APP compliance,” Christie said.
While the deadline of 25 May has been known for two years, it’s unlikely that regulators will start strict enforcement from day one. That is to a large extent due to the fact that across Europe, the level of preparedness varies widely, not only as regards the private sector but also in relation to the public sector.
Countries are still rushing to adopt the legislative changes required to support the GDPR. While the number that have done so is growing, especially over the past few weeks, it is clear that some countries will not be ready by the deadline. At this stage, around 20 of the 28 member states will have published their laws by Friday 25 May, with some, such as Belgium, due to publish their laws on the 25th itself.
Meanwhile, despite the fact that, as a regulation, the GDPR is directly effective in all member states, there are a number of areas where the GDPR leaves it to member states to adopt their own national rules. That could be because certain EU member states have constitutional rules in these areas, or because these issues fall outside the EU's legislative competence. What that means is that there are still areas in which organisations will face inconsistent regulatory requirements from one member state to the next and full harmonisation is still some way off.
These variations in implementation and national preparedness are likely to limit the effectiveness of the European Data Protection Board, the new regulatory body in charge of European data protection, when it takes up its role on May 25. “The European Data Protection Board is supposed to be in charge as of May 25, but some regulators who are supposed to lead the European Data Protection Board may not even be up to speed themselves, so it is going to be quite an interesting time to see how this will really work in practice,” Van Overstraeten said.
One stop shop
Australian businesses that are captured by the GDPR due to their presence in EU member states may rely on the “one stop shop” mechanism, under which businesses that carry out cross-border processing are primarily regulated by the supervisory authority in the jurisdiction in which they have their main establishment in the EU. However, that does not necessarily mean they are subject to just one supervisory regime. There are instances where, even with the “one stop shop” applying, other regulators remain involved, for example where the processing also relates to data subjects located in their jurisdiction.
“Even though you have one single regulator which is in charge on the basis of the one stop shop, if you have activities that are spread over several member states, you could be subject to other concerned regulators. These regulators will also be competent and they may come with opinions that may be more strict than the lead regulator. In these cases you may need to escalate the matter to the European Data Protection Board under the consistency mechanism, which basically means that you may become subject to the opinion of all the European regulators at once,” Van Overstraeten said.
If you have to prioritise, Van Overstraeten recommends focusing on three core objectives:
Data minimisation: identifying the data you hold on individuals and removing anything that is not necessary. Recording your customers’ children’s birthdays or their favourite sports teams without any link to your business would fall into this category.
Transparency: making sure you are as transparent as possible about data collection, both towards your customers and towards your employees. That also requires an analysis of how data is actually being collected in practice.
Accountability: creating a data protection culture in which people are across the requirements for data collection, protection and breach reporting, and in which evidence of all efforts made in that respect is kept.