GDPR & Queensland Government Agencies
The European Union’s (EU) General Data Protection Regulation (GDPR) came into effect on 25 May 2018. It aims to harmonise data privacy laws across Europe and replaces existing national data protection rules. The UK Information Commissioner’s Office (ICO) has issued a formal enforcement notice in an extra-territorial area (to a Canadian data analytics firm). This confirms that the GDPR regime not only applies to companies within the European Union, but also other areas so long as the processing activities relate to data subjects within the EU.
Does it affect my agency?
Although the GDPR is a European privacy law, it could apply to Australian businesses and government agencies that offer goods or services to, or monitor the behaviour of, individuals in the EU. For example, if your agency:
sells tickets to attractions, conferences or events online to individuals in the EU
offers educational packages to students in the EU
offers goods or services relevant to the agency to individuals in the EU (regardless of whether payment is required).
Online behavioural advertising, profiling or tracking users are less obvious activities that could potentially fall within GDPR’s scope.
Your agency’s functions and current privacy practices will determine how you implement the GDPR requirements. Generally, your agency should consider the geographical reach of its activities and seek independent legal advice regarding its data processing activities.
- The Office of the Australian Information Commissioner (OAIC) published a resource for Australian businesses explaining their obligations in June 2018 and has information for Australian government agencies.
- The EU GDPR Portal contains helpful summaries of the Articles of the GDPR and a FAQs series.
- The Information Commissioner’s Office (UK) published a Guide to the General Data Protection Regulation.
- The Information and Privacy Commission NSW published a factsheet on NSW public sector agencies and the GDPR in April 2018.
- The Office of the Victorian Information Commission published a factsheet on The GDPR – Considerations for the Victorian public sector in July 2018.