General Data Protection Regulation – What is it?

In 1995, the European Union (EU) adopted the Data Protection Directive (95/46/EC) which protected the rights of individuals with “regard to the processing of [their] personal data and on the free movement of such data.”1

It has since been superseded by the General Data Protection Regulation (GDPR), which came into force on 24 May 2016 and applies as at 25 May 2018. As explained by the European Commission, the GDPR was designed with the intention to “enhance data protection rights of individuals and to improve business opportunities by facilitating the free flow of personal data in the digital single market.”2  In its Joint Statement on the adoption of the GDPR, the European Commission submitted that the “new rules will ensure that the fundamental right to personal data protection is guaranteed for all … [and will] foster trust in online services by consumers and [provide] legal certainty for businesses based on clear and uniform rules.”3

Ambit of the GDPR

The GDPR has a deliberately wide extraterritorial reach, and its ambit embraces companies who have an establishment in the EU, or do not have an establishment in the EU, but otherwise offer goods and services or monitor the behaviour of individuals within the EU. Illustrative examples are helpfully provided by the Office of the Australian Information Commissioner (OAIC), but as Hern correctly observes, the GDPR “affects every company, but the hardest hit will be those that hold and process large amounts of consumer data.”4

Does our organisation already comply?

The OAIC has observed that the GDPR shares similar obligations with our Privacy Act 1988 (Cth). Although coextensive in some respects, Australian businesses should not assume that compliance with the domestic legislation will ensure compliance with the GDPR.5

For example, under GDPR Article 17, individuals have the “right to be forgotten” – there is no statutory analogue of this article under our domestic legislation (see below).

There are also a variety of “dissuasive” sanctions that can be imposed under the GDPR, and specifically under Article 83, the maximum penalty for severe breaches includes a fine of up to 20 million euros, or 4% of annual worldwide turnover of the preceding financial year (whichever is greater).

Key differences

Although this article will not attempt to outline the various obligations imposed by the GDPR, it is important to briefly identify, at a high level, some individual rights that have been introduced (beyond the Privacy Act 1988 (Cth)).

In contrast to our domestic legislation:

  1. Individuals have the right to be forgotten. Under certain circumstances, including where the data ceases to become relevant for the original purpose, individuals are entitled to have their data erased (Article 17 of the GDPR).
  2. Individuals have the right to data portability, that is, to receive their personal data which has been previously provided, and to transmit that data to another data controller (Article 20 of the GDPR).
  3. Individuals have the right to object.  Individuals have the right to object, at any time, to the processing of personal data, and if such an objection is raised, the controller of the data must not process it unless it can be demonstrated that there are “compelling legitimate grounds for processing” (Article 21 of the GDPR)

It is important therefore, that organisations undertake a rigorous evaluative process to determine whether their current systems are capable of upholding all the articles of the GDPR which are applicable to them.


1 Directive 95/46/EC of the European Parliament and of the Council (24 October 1995)

2 Council of the European Union, Proposal for a Regulation of the European Parliament and of the Council on protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) 9565/15 (11 June 2015)

3 European Commission, Joint Statement on the final adoption of the new EU rules for personal data protection, European Commission (14 April 2016)

4 Alex Hern, “What is GDPR and how will it affect you”, The Guardian (online) 21 May 2018 Read more

5 Office of the Australian Information Commissioner, Privacy business resource 21: Australian businesses and the EU General Data Protection Regulation, Australian Government, June 2018 – Agencies and organisations/business – resources Read more

Related News

Walton Construction Class Action – Media Release

MEDIA RELEASE 16 May 2024 Subcontractors Alliance confirms that Williams & Kersten Pty Ltd, the Lead Applicant in a Federal Court class action against National

Read More

The duty of utmost good faith

In life, they say that honesty is the best policy. But did you know that it is actually also one of the most important provisions in

Read More

Recoveries against third party insurers direct

Did you know? When an at-fault third party cannot be found or is dead, or a third party company is deregistered, a cause of action

Read More

Get in touch

Contact our team today

Stay informed

Keep up-to-date with our regular news and insights

This field is for validation purposes and should be left unchanged.
William Roberts Lawyers


Level 22
66 Goulburn Street


Level 21
535 Bourke Street


Level 8
300 Ann Street


Level 19
Singapore Land Tower
50 Raffles Place