Privacy and data protection compliance overseas
This holiday season has seen major changes to the trade and compliance space that require immediate action from businesses. So, the team at Macpherson Kelley is making sure you’ve made a list and you’re checking it twice!
We’ll be releasing a series of accessible guides and articles on what your business needs to do to stay on Santa’s nice list this year – with the help and guidance of our trade and compliance team.
If you are carrying on a business not only in Australia but overseas, there are new and different strict privacy and data protection laws in other countries that you should consider. Our team has compiled a short list of some of the latest privacy law changes and the associated compliance requirements. While some resemble the legislative changes in Australia, others may seem completely unfamiliar to a business expanding overseas for the first time.
If you are doing business in New Zealand, China, India or a country within the European Union (EU), you’re going to need to make sure you have the following correct policies and procedures in place.
New Zealand
In 2020, New Zealand’s privacy and data protection laws were enhanced to bring the New Zealand Privacy Act more in line with Australia’s privacy and data protection laws and closer to the EU’s General Data Protection Regulation (GDPR).
Much like Australian privacy legislation, the New Zealand Privacy Act includes 13 Information Privacy Principles (IPPs), which closely align to the Australian Privacy Principles (APPs). The IPPs in New Zealand govern how businesses should collect, handle and use the personal information of New Zealanders.
The Principles are:
- Principle 1: Purpose of collection
- Principle 2: Source of information – collection from the individual
- Principle 3: What to tell the individual about collection
- Principle 4: Manner of collection
- Principle 5: Storage and security of information
- Principle 6: Providing people access to their information
- Principle 7: Correction of personal information
- Principle 8: Ensure accuracy before using information
- Principle 9: Limits on retention of personal information
- Principle 10: Use of personal information
- Principle 11: Disclosing personal information
- Principle 12: Disclosure outside New Zealand
- Principle 13: Unique identifiers
What’s changed?
If you have not updated your documented privacy policies and data protection practices since the changes made in 2020, you may not be compliant with New Zealand privacy legislation.
Some of the 2020 changes include:
- The introduction of IPP 12 in relation to disclosure of personal information overseas (which is similar to APP 8). In both Australia and New Zealand, there are restrictions on the transfer of personal information overseas without consent.
- The introduction of a mandatory data breach notification regime. It is mandatory to notify the New Zealand Privacy Commissioner where there has been a data breach that is likely to result in serious harm to any individuals to whom the personal information relates.
Although the changes were made to align more closely with Australian privacy legislation, you should note that there are still significant differences and advice should be sought in relation to complying with New Zealand privacy and data protection legislation.
China
In 2021, China implemented its “Personal Information Protection Law” (PIPL), which was seen as being comparative to the GDPR. The obligations imposed by the PIPL are substantial, and if not complied with, businesses can face significant penalties.
The PIPL was introduced as China’s first comprehensive law on data protection and operates along with the Cyber Security Law (CSL) and the Data Security Law (DSL). The laws apply where businesses collect or process the data of Chinese nationals (whether the business is located in China, or offshore).
What does it do?
The PIPL:
- defines personal information;
- implements nine principles for personal information processing;
- sets out rights of personal information subjects;
- provides rules on data localisation and cross-border transfer; and
- sets out personal information processor obligations.
It is expected that China will continue to implement further regulations and guidance on privacy legislation and companies with businesses or operations in China should be prepared for these changes.
India
India continues to circulate and refine draft legislation to introduce privacy and data protection laws in the near future (currently called the Digital Personal Data Protection Bill (DPDP)). The proposed laws will apply to businesses in India, as well as extra-territorially (eg, where a business sells to Indian citizens, or processes the data of Indian citizens).
What are some interesting developments?
Notably, under the DPDP, data breaches would need to be reported to the relevant authorities within a mere 6 hours! By way of comparison, the GDPR specifies a time period of 72 hours, and Australia works on a guidance timeframe of 30 days.
The penalties proposed for non-compliance with the DPDP are:
- approx USD$30 million for failure to take reasonable security safeguards to prevent personal data breach; and
- maximum penalties of USD$60 million.
As the DPDP is in discussion draft form, it is likely further amendments will be made.
European Union
In 2018, the GDPR was introduced and may apply to Australian businesses of any size if they have an establishment in the EU, if they offer goods and services in the EU, or if they monitor behaviour of individuals located in the EU.
Whilst the GDPR has some similarities to Australian privacy legislation, it also has some notable differences, such as the “right to be forgotten”, which does not (yet) have an equivalent under the Australian Privacy Act.
What changed?
The changes brought about by the GDPR included:
- expanded accountability and governance requirements;
- a new definition of consent, which states that it must be freely given, specific, informed and an unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing;
- a requirement on data controllers to advise the relevant supervisory authority of a data breach within 72 hours of becoming aware of the breach;
- a requirement on data controllers to give individuals a range of prescribed information about the processing of their personal data;
- expanded rights for individuals, such as the right to erasure of personal data where it is no longer necessary; and
- strict prohibitions against the transfer of personal data outside the EU (unless an adequate level of data protection is provided in the recipient country).
How can Macpherson Kelley help?
With business and trade becoming increasingly global, it is becoming all the more important to consider and comply with the privacy and data protection laws of the countries of your vendors and customers.
The focus on strengthening privacy and data protection laws right around the world – and the significant and growing consequences of breach – means that you simply can’t afford to ignore or get compliance wrong.
As the only Australian law firm member of global and regional legal networks such as PrivacyRules, Multilaw and the Pacific Legal Network, we can connect you with relevant, trusted and local expertise right across the world.
For advice and further assistance, please contact our privacy experts.
The information contained in this article is general in nature and cannot be relied on as legal advice nor does it create an engagement. Please contact one of our lawyers listed above for advice about your specific situation.
more
insights
Spotlight on Real Estate: Anti-Money Laundering and Counter-Terrorism Financing Regime
Professional Services face extra compliance requirements as Anti-Money Laundering and Counter-Terrorism Financing Regime gets green light
AI adoption in business: Unveiling the Senate’s blueprint for regulation
stay up to date with our news & insights
Privacy and data protection compliance overseas
This holiday season has seen major changes to the trade and compliance space that require immediate action from businesses. So, the team at Macpherson Kelley is making sure you’ve made a list and you’re checking it twice!
We’ll be releasing a series of accessible guides and articles on what your business needs to do to stay on Santa’s nice list this year – with the help and guidance of our trade and compliance team.
If you are carrying on a business not only in Australia but overseas, there are new and different strict privacy and data protection laws in other countries that you should consider. Our team has compiled a short list of some of the latest privacy law changes and the associated compliance requirements. While some resemble the legislative changes in Australia, others may seem completely unfamiliar to a business expanding overseas for the first time.
If you are doing business in New Zealand, China, India or a country within the European Union (EU), you’re going to need to make sure you have the following correct policies and procedures in place.
New Zealand
In 2020, New Zealand’s privacy and data protection laws were enhanced to bring the New Zealand Privacy Act more in line with Australia’s privacy and data protection laws and closer to the EU’s General Data Protection Regulation (GDPR).
Much like Australian privacy legislation, the New Zealand Privacy Act includes 13 Information Privacy Principles (IPPs), which closely align to the Australian Privacy Principles (APPs). The IPPs in New Zealand govern how businesses should collect, handle and use the personal information of New Zealanders.
The Principles are:
- Principle 1: Purpose of collection
- Principle 2: Source of information – collection from the individual
- Principle 3: What to tell the individual about collection
- Principle 4: Manner of collection
- Principle 5: Storage and security of information
- Principle 6: Providing people access to their information
- Principle 7: Correction of personal information
- Principle 8: Ensure accuracy before using information
- Principle 9: Limits on retention of personal information
- Principle 10: Use of personal information
- Principle 11: Disclosing personal information
- Principle 12: Disclosure outside New Zealand
- Principle 13: Unique identifiers
What’s changed?
If you have not updated your documented privacy policies and data protection practices since the changes made in 2020, you may not be compliant with New Zealand privacy legislation.
Some of the 2020 changes include:
- The introduction of IPP 12 in relation to disclosure of personal information overseas (which is similar to APP 8). In both Australia and New Zealand, there are restrictions on the transfer of personal information overseas without consent.
- The introduction of a mandatory data breach notification regime. It is mandatory to notify the New Zealand Privacy Commissioner where there has been a data breach that is likely to result in serious harm to any individuals to whom the personal information relates.
Although the changes were made to align more closely with Australian privacy legislation, you should note that there are still significant differences and advice should be sought in relation to complying with New Zealand privacy and data protection legislation.
China
In 2021, China implemented its “Personal Information Protection Law” (PIPL), which was seen as being comparative to the GDPR. The obligations imposed by the PIPL are substantial, and if not complied with, businesses can face significant penalties.
The PIPL was introduced as China’s first comprehensive law on data protection and operates along with the Cyber Security Law (CSL) and the Data Security Law (DSL). The laws apply where businesses collect or process the data of Chinese nationals (whether the business is located in China, or offshore).
What does it do?
The PIPL:
- defines personal information;
- implements nine principles for personal information processing;
- sets out rights of personal information subjects;
- provides rules on data localisation and cross-border transfer; and
- sets out personal information processor obligations.
It is expected that China will continue to implement further regulations and guidance on privacy legislation and companies with businesses or operations in China should be prepared for these changes.
India
India continues to circulate and refine draft legislation to introduce privacy and data protection laws in the near future (currently called the Digital Personal Data Protection Bill (DPDP)). The proposed laws will apply to businesses in India, as well as extra-territorially (eg, where a business sells to Indian citizens, or processes the data of Indian citizens).
What are some interesting developments?
Notably, under the DPDP, data breaches would need to be reported to the relevant authorities within a mere 6 hours! By way of comparison, the GDPR specifies a time period of 72 hours, and Australia works on a guidance timeframe of 30 days.
The penalties proposed for non-compliance with the DPDP are:
- approx USD$30 million for failure to take reasonable security safeguards to prevent personal data breach; and
- maximum penalties of USD$60 million.
As the DPDP is in discussion draft form, it is likely further amendments will be made.
European Union
In 2018, the GDPR was introduced and may apply to Australian businesses of any size if they have an establishment in the EU, if they offer goods and services in the EU, or if they monitor behaviour of individuals located in the EU.
Whilst the GDPR has some similarities to Australian privacy legislation, it also has some notable differences, such as the “right to be forgotten”, which does not (yet) have an equivalent under the Australian Privacy Act.
What changed?
The changes brought about by the GDPR included:
- expanded accountability and governance requirements;
- a new definition of consent, which states that it must be freely given, specific, informed and an unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing;
- a requirement on data controllers to advise the relevant supervisory authority of a data breach within 72 hours of becoming aware of the breach;
- a requirement on data controllers to give individuals a range of prescribed information about the processing of their personal data;
- expanded rights for individuals, such as the right to erasure of personal data where it is no longer necessary; and
- strict prohibitions against the transfer of personal data outside the EU (unless an adequate level of data protection is provided in the recipient country).
How can Macpherson Kelley help?
With business and trade becoming increasingly global, it is becoming all the more important to consider and comply with the privacy and data protection laws of the countries of your vendors and customers.
The focus on strengthening privacy and data protection laws right around the world – and the significant and growing consequences of breach – means that you simply can’t afford to ignore or get compliance wrong.
As the only Australian law firm member of global and regional legal networks such as PrivacyRules, Multilaw and the Pacific Legal Network, we can connect you with relevant, trusted and local expertise right across the world.
For advice and further assistance, please contact our privacy experts.