contact our team Search Search
why mk
find out more
corporate social responsibility
find out more
macpherson kelley foundation
find out more
why choose mk?
find out more
are you a graduate?
find out more
work with us
view vacancies
brisbane

one eagle – waterfront brisbane
level 30, 1 eagle street
brisbane qld 4000
+61 7 3235 0400

 
get directions find a lawyer
dandenong

40-42 scott st,
dandenong vic 3175
+61 3 9794 2600

 
get directions find a lawyer
melbourne

level 7, 600 bourke st,
melbourne vic 3000
+61 3 8615 9900

 
get directions find a lawyer
sydney

grosvenor place
level 11, 225 george st,
sydney nsw 2000
+61 2 8298 9533

 
get directions find a lawyer
adelaide

naylor house
3/191 pulteney st,
adelaide sa 5000
+61 8 8451 6900

 
get directions find a lawyer

hello. we’re glad you’re
getting in touch.

Fill in form below, or simply call us on 1800 888 966

 

 

Home > News & Insights > How the GDPR affects Australian Businesses

How the GDPR affects Australian Businesses

21 January 2019
kelly dickson
Read Time 4 mins reading time
Kelly Dickson principal lawyer, commercial
Mark Metzeling principal lawyer, commercial

Many in the Australian business community, and especially those trading internationally or with a technology or data focus, will be coming to grips with (or at least have heard about) last year’s ‘once in a decade’ changes to the European Union (EU) equivalent of the more familiar Privacy Act applying in Australia.

Effective from 25 May 2018, the General Data Protection Regulation (GDPR) of the EU mandates comprehensive requirements for the protection of personal data.  The GDPR gives teeth to European data protection law by allowing for the imposition of significant penalties for contraventions of the GDPR by controllers and processors of personal data.  In some cases, these penalties include fines of up to €20 million, or 4% of the worldwide annual revenue of the prior financial year, whichever is higher.

Australian businesses may be caught by the GDPR even where they do not have a European parent or subsidiary.  This is significant as it may require compliance with the GDPR in a wider range of situations than previously applicable, and potentially impose significant sanction on non-EU trading entities if in breach of the rules.

Importantly, the small business exemption that applies to many Australian businesses under the Privacy Act does not exempt them from complying with the GDPR if they are caught within the GDPR’s territorial scope.  Indeed, the Australian small business exemption is a key reason why the EU does not consider Australian law as having adequate protection for the safeguarding EU personal data in respect of crossborder transfers.  Australian businesses therefore should not simply assume that compliance with or exemption from the Privacy Act is enough for them to comply with the GDPR.

Is my Australian business caught by the GDPR?

Controllers and processors of personal data can fall within the territorial scope of the GDPR in two main ways, essentially by either being ‘established’ in the EU through stable arrangements, or by ‘targeting’ individuals in the EU.  The second of these ways has caused much confusion among non-EU businesses as to whether or not they need to comply with the GDPR, both in terms of what constitutes targeting, and who counts as an individual ‘in the EU’ for the purposes of the targeting test.

Although an Australian citizen on holidays in Europe using goods or services exclusively directed at the Australian market is unlikely to fall within the scope of the GDPR, the offering of goods or services by an Australian business in multiple European languages, or in return for payment in euros, may well be.  Your business might also be caught by having websites under European domain names, or by making mention of international clientele comprising customers in various EU member states.

To be clear, not every activity connected to Europe will necessarily be caught by the GDPR, and there may be ways for businesses to mitigate against the risks of being caught.  Single elements taken alone may not be enough to come under the GDPR.  At the same time, Australian businesses falling within the scope of the GDPR need to ensure they are aware of their obligations, and have in place appropriate measures to comply, even if they do not have a physical European presence.

What do I need to do?

Seek advice taking into account all your relevant operational and commercial circumstances, and which makes an objective, legally informed and technically aware assessment of your position and any relevant obligations you have under the new laws.

We have experienced information privacy and data protection lawyers who have worked in Europe, advising European, Middle Eastern and US businesses prepare for and implement compliance with the GDPR, as well as providing businesses with ongoing day to day GDPR advice.

Macpherson Kelley is also the only Australian member of international alliance PrivacyRules Ltd., allowing us to draw on local expertise relating to privacy compliance, cybersecurity and data protection matters in the overseas jurisdictions our clients do business.  We are here to help as required, whenever needed.

The information contained in this article is general in nature and cannot be relied on as legal advice nor does it create an engagement. Please contact one of our lawyers listed above for advice about your specific situation.

Kelly Dickson principal lawyer, commercial
Mark Metzeling principal lawyer, commercial

more
insights
05 December 2025

Chat GPT is coming to town: The use of AI in retail

read more
04 November 2025

Australia’s 2024-25 Privacy law reboot: Rewiring data protection, security and enforcement

read more
15 September 2025

From copyright dispute to data governance crisis: What NYT v. OpenAI means for corporate AI strategy

read more

stay up to date with our news & insights

 

How the GDPR affects Australian Businesses

21 January 2019
kelly dickson

Many in the Australian business community, and especially those trading internationally or with a technology or data focus, will be coming to grips with (or at least have heard about) last year’s ‘once in a decade’ changes to the European Union (EU) equivalent of the more familiar Privacy Act applying in Australia.

Effective from 25 May 2018, the General Data Protection Regulation (GDPR) of the EU mandates comprehensive requirements for the protection of personal data.  The GDPR gives teeth to European data protection law by allowing for the imposition of significant penalties for contraventions of the GDPR by controllers and processors of personal data.  In some cases, these penalties include fines of up to €20 million, or 4% of the worldwide annual revenue of the prior financial year, whichever is higher.

Australian businesses may be caught by the GDPR even where they do not have a European parent or subsidiary.  This is significant as it may require compliance with the GDPR in a wider range of situations than previously applicable, and potentially impose significant sanction on non-EU trading entities if in breach of the rules.

Importantly, the small business exemption that applies to many Australian businesses under the Privacy Act does not exempt them from complying with the GDPR if they are caught within the GDPR’s territorial scope.  Indeed, the Australian small business exemption is a key reason why the EU does not consider Australian law as having adequate protection for the safeguarding EU personal data in respect of crossborder transfers.  Australian businesses therefore should not simply assume that compliance with or exemption from the Privacy Act is enough for them to comply with the GDPR.

Is my Australian business caught by the GDPR?

Controllers and processors of personal data can fall within the territorial scope of the GDPR in two main ways, essentially by either being ‘established’ in the EU through stable arrangements, or by ‘targeting’ individuals in the EU.  The second of these ways has caused much confusion among non-EU businesses as to whether or not they need to comply with the GDPR, both in terms of what constitutes targeting, and who counts as an individual ‘in the EU’ for the purposes of the targeting test.

Although an Australian citizen on holidays in Europe using goods or services exclusively directed at the Australian market is unlikely to fall within the scope of the GDPR, the offering of goods or services by an Australian business in multiple European languages, or in return for payment in euros, may well be.  Your business might also be caught by having websites under European domain names, or by making mention of international clientele comprising customers in various EU member states.

To be clear, not every activity connected to Europe will necessarily be caught by the GDPR, and there may be ways for businesses to mitigate against the risks of being caught.  Single elements taken alone may not be enough to come under the GDPR.  At the same time, Australian businesses falling within the scope of the GDPR need to ensure they are aware of their obligations, and have in place appropriate measures to comply, even if they do not have a physical European presence.

What do I need to do?

Seek advice taking into account all your relevant operational and commercial circumstances, and which makes an objective, legally informed and technically aware assessment of your position and any relevant obligations you have under the new laws.

We have experienced information privacy and data protection lawyers who have worked in Europe, advising European, Middle Eastern and US businesses prepare for and implement compliance with the GDPR, as well as providing businesses with ongoing day to day GDPR advice.

Macpherson Kelley is also the only Australian member of international alliance PrivacyRules Ltd., allowing us to draw on local expertise relating to privacy compliance, cybersecurity and data protection matters in the overseas jurisdictions our clients do business.  We are here to help as required, whenever needed.