These days, it seems like you can't scan the headlines without seeing news of another hack or data breach. It's happened to government agencies like the Australian Bureau of Statistics and to companies like Uber.
Of course, these events aren't restricted to Australia. They happen in Europe, the U.S. and everywhere else. It has become so common that consumers are beginning to feel like their data is constantly vulnerable and under attack.
Source: Statista.
Federal governments the world over understand that there is a problem. This is why many of them are enacting legislation to help protect people's personal information. These laws further are aimed at putting individuals back in control with regard to when, where and how their data is used.
In Australia, the main legislation that serves this purpose begins with the Privacy Act of 1988, which has been updated in more recent years. The European Union enacted sweeping legislative reform in 2018 that is called General Data Protection Regulation or GDPR. Many cybersecurity experts are calling the GDPR a major leap forward in putting the control of data back in the hands of individuals. Additionally, the GDPR is supposed to provide a swifter, more comprehensive response when a data breach occurs.
Australia's Privacy Act and the GDPR actually have quite a bit in common, but there are some substantial differences as well. If you are part of an Australian company that does business in the EU, then you must comply with the GDPR regulations. Accordingly, it is critical to be aware of both of these pieces of legislation and how they may affect how you do business.
Taking a closer look at both the Australian Privacy Act and the EU's GDPR will provide a better starting point from which to compare these laws.
The Australian Privacy Act of 1988
When it was passed in 1988, this Australian law listed numerous privacy rights that the government called Information Privacy Principles or IPPs. The law applied the principles to federal government agencies as well as Capital Territory agencies and private sector organizations that had contracts with government agencies. The IPPs dictated when and how these agencies and organizations could collect personal information about consumers. Agencies could only collect information if it was relevant to their function, and citizens had a right to know why the data was being collected and who would see it.In 2000, the law was amended to cover private sector organizations. Another amendment established National Privacy Principles that were applied to any private sector organization that had an annual turnover in excess of three million dollars.
Further changes came in 2017 with a Privacy Amendment that related to Notifiable Data Breaches. The amendment further defined how and when organizations that are affected by the Privacy Act are required to notify consumers about a data breach if the incident is likely to cause "serious harm" to the individual.
The EU's GDPR
GDPR is the result of years of work toward data protection reform across the EU. Overall, the new law was created to provide citizens with a greater degree of control over their data. Simplifications to the regulatory environment also were made so that businesses would have an easier time of understanding how the law applies to them.
Chart courtesy of Statista.
Under the new law, organizations are required to take steps to legally gather personal data and are obligated to protect that data from being exploited or misused. GDPR applies to all organizations that operate in the EU. Organizations outside of the EU that do business there also must be compliant.
Additionally, the law states that consumers have the right to know when a data breach occurs. Organizations that suffer a hack are compelled to notify the national authorities so that EU citizens may take prompt and appropriate action.
How Are the Two Laws Different?
One of the most notable differences between the two laws is the organizations to which they apply. In Australia, the Privacy Act applies only to companies that have in excess of three million dollars in turnover annually. The GDPR applies to all organizations regardless of their size or profit. Even non-profit organizations are subject to the GDPR.Another essential difference relates to how the laws define personal information. The Privacy Act applies specifically to "personal information," which may be information that makes a certain person identifiable. By contrast, the GDPR manages "personal data," meaning any data that relates to an identified natural person or an identifiable living individual. This difference seems like splitting hairs, but data and information are not necessarily interchangeable. Data is akin to the raw material that forms the foundation for statistics. Information is more akin to an end result in which statistics have been used to reach a conclusion.
One key difference between the two laws is the way that the GDPR puts the power in the hands of the individual. Under the law, the consumer has the absolute right to delete, change or protest any data that pertains to them. The APA puts the onus on businesses to make alterations, to destroy or to find a way to de-identify information pertaining to an individual upon the person's request or upon the information becoming no longer useful.
Another dividing line between the two laws is Australia's use of "serious harm." Under the Privacy Act, organizations only have to report data breaches to the authorities if they believe that "serious harm" may be suffered by the consumer. The GDPR doesn't make any stipulations concerning the severity of the possible consequences. Instead, organizations are required to report any and all breaches.
With the requirement to report all breaches to the authorities and its application to all organizations regardless of size, the GDPR clearly is the more all-encompassing piece of legislation. As recent amendments to Australia's privacy law suggest, more changes may be on the horizon to ensure greater protection of data across the continent.
In light of the draconian measures taken by government entities around the world citizens are looking towards 3rd party software providers that can help protect individuals data sovereignty. While government events like Safe Internet Day hosted by the Australian Government look to educate schools and businesses community-based organizations such as Privacy Australia help educate Australians on the best VPNs (virtual private networks) to protect themselves while shopping or surfing the web.
