15 May 2018

CU LAB: How worried should we be about the EU's new General Data Protection Regulation?

Alexandra Wedutenko says many non-EU businesses will be caught by the EU's new General Data Protection Regulation, but might not be ready for it.



Clayton Utz communications are intended to provide commentary and general information. They should not be relied upon as legal advice. Formal legal advice should be sought in particular transactions or on matters of interest arising from this communication. Persons listed may not be admitted in all States and Territories.


The EU GDPR is the new law that will come into place in the EU to cover all European members to give a consistent law about privacy and data protection. It is being implemented because they had a series of state-based laws that have all become fragmented and there is a desire for consistency, particularly in the world of modern technology, where there is a massive increase in data flows across nations.

The EU data protection law will cover entities in the EU, that's logical, but it actually has a very broad reach and it could pick up Australian organisations who are involved, and I will use that word loosely, in EU matters. So if, for example, you're a bank or an airline company that does business in Europe or engages with getting customers out of Europe, that law will apply to you. But say you're an Australian organisation that just stores your data overseas and uses a range of suppliers to store your data in data warehouses, or you have your IT systems outsourced, that law could also apply to your data flows.

The law is broad reaching and, just to close the loop on how it works, in the EU the law allows individuals to bring their own personal actions for data breach. So an individual who is adversely affected by your breach could bring an action directly against you. That can't happen in Australia in relation to our Privacy Act. And secondly, the authorities could bring an action against you and the penalties are exceptionally large - up to potentially €20 million or four times your last year's revenue.

The key thing is to do an examination of your data flows to see if that law could apply to you. You may find that it doesn't, so you've ticked that box. If you find that the law applies to you, then you need to investigate how to comply with the law, and that would involve you in a range of data protections that you probably don't comply with already, because that law is more stringent than the Australian Privacy Act.