GDPR Australia: The EU Data Protection Regulation (GDPR) comes into effect on 25 May 2018. In order to ensure that you are GDPR compliant we are offering a series of articles responding to some key questions you might have with respect to the GDPR. For a general overview of the GDPR and whether it might apply to your organisation see https://www.compliancequarter.com.au/understanding-gdpr-opportunities-risks/. You should also check out the comprehensive resource created by the Office of the Australian Information Commissioner at https://oaic.gov.au/agencies-and-organisations/business-resources/privacy-business-resource-21-australian-businesses-and-the-eu-general-data-protection-regulation.
Today we ask: When can personal data of EU origin be transferred to an organisation based in Australia?
We divide the justifications provided by the GDPR for transfer to any other country into four distinct categories: adequacy, appropriate safeguards, derogations and other. We consider each in turn:
Adequacy in GDPR Australia
Personal data can be transferred to any country that has been judged ‘adequate’ under Article 45(1) of the GDPR (henceforth all Article references are to the GDPR). This includes New Zealand but does not include Australia. Therefore, personal data cannot be transferred to Australia on this ground.
Personal data can be transferred to a controller or processor outside of the EU provided that that organisation has appropriate safeguards in place, and on condition that enforceable data subject rights and effective legal remedies for data subjects are available (see Art 46(1)).
Adequate safeguards under the GDPR include:
- Legal Instrument. A legally binding and enforceable instrument between public authorities or bodies. There is no such instrument in place in Australia at this time.
- Binding Corporate Rules (BCR). Under Art 47, BCR are a mechanism that permits multinational corporations, international organisations and corporate groups to transfer personal data across borders, but within the broader organisation. They must be approved by a relevant data protection authority (such as the United Kingdom’s Information Commissioner);
- Standard Data Protection Clauses. These are clauses that an organisation can incorporate into a contract with a data supplier and that have been adopted by the European Commission (Commission), or by a data protection authority, in accordance with Art 93(2).
Thus far, the Commission has not developed any standard clauses under this power within the GDPR. However, there are standard clauses (sometimes called ‘model’ clauses) that were developed in accordance with the existing EU Data Protection Directive, and these can be relied on in accordance with Art 46(5).
Note, however, that there is some disagreement as to whether the standard clauses developed under the old Directive are fully GDPR compliant. Any organisation seeking to rely on these clauses must ensure that they will protect personal data in full compliance with the GDPR.
- Approved Code of Conduct. Industries have the ability to develop a Code of Conduct for their industry which is approved by data protection authorities under Art 40. Organisations can make binding commitments to these codes (if they exist), and associated GDPR protections, in order to fulfil their obligations under the GDPR.
- Certification Mechanism. This mechanism, developed under Art 42, allows data protection authorities to set up certification processes to approve specific processors and controllers. Australian organisations should check whether the data supplier’s member state has such a certification mechanism in place.
- Specifically approved contractual clauses. Under Art 46(3), the data protection authority in a jurisdiction can approve specific clauses between the controller or processor and the controller, processor or recipient of the personal data in the third country or international organisation; or
- Specifically approved administrative provisions. Under Art 46(3) these can be inserted into administrative arrangements between public authorities or bodies which include enforceable and effective data subject rights. There are no such provisions between the EU and Australia.
Even if the conditions specified in categories (1) and (2) are not met, it is still possible for transfer to Australia to happen in accordance with the GDPR. This category, set out in Art 49, applies where the circumstances mean ‘derogation’ from the usual rules is acceptable. This can be used where:
- the data subject has explicitly consented to the proposed transfer, after having been informed of the possible risks of such transfers for the data subject due to the absence of an adequacy decision and appropriate safeguards;
- the transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of pre-contractual measures taken at the data subject’s request;
- the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and another natural or legal person;
- the transfer is necessary for important reasons of public interest;
- the transfer is necessary for the establishment, exercise or defence of legal claims;
- the transfer is necessary in order to protect the vital interests of the data subject or of other persons, where the data subject is physically or legally incapable of giving consent;
- the transfer is made from a register which according to Union or Member State law is intended to provide information to the public and which is open to consultation either by the public in general or by any person who can demonstrate a legitimate interest, but only to the extent that the conditions laid down by Union or Member State law for consultation are fulfilled in the particular case.
Under Art 49(1), if the derogation conditions above are not met, transfer may take place only if all of the following conditions are met:
- the transfer is not repetitive;
- concerns only a limited number of data subjects;
- is necessary for the purposes of compelling legitimate interests pursued by the controller which are not overridden by the interests or rights and freedoms of the data subject; and,
- the controller has assessed all the circumstances surrounding the data transfer and has on the basis of that assessment provided suitable safeguards with regard to the protection of personal data.
Note, this article is general in nature and does not constitute legal advice. If you are in need of specific assistance in order to comply with the GDPR Australia, please get in touch with us.
For a list of the countries that have been judged ‘adequate’ see https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/adequacy-protection-personal-data-non-eu-countries_en.
For applicable standard contractual clauses see https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/model-contracts-transfer-personal-data-third-countries_en.