You may have suddenly started receiving privacy updates from all the internet sites, apps and services you use. That’s because the European Union’s General Data Protection Regulation becomes law on May 25, 2018. It’s the clearest statement yet from any regulator on what consequences companies could face in dealing with their customers’ personal data.
The regulation has been introduced to counter the power and prevalence of data collection and online surveillance techniques. It contains strict new rules of data protection, and severe penalties for breaches.
The regulation applies to the data processing activities of any business that is a data processor (such as US-based Amazon Web Services or India-based Habiledata) or data controller (such as eBay and Facebook) with an establishment in the EU.
It also applies to any processor or controller, wherever located, that processes the personal data of EU residents. This holds regardless of where that data is processed and irrespective of whether payment is required.
By forcing non-EU companies to comply, the EU is ensuring that EU and non-EU businesses compete on the same terms.
Australian businesses will not be forced to comply with or fall foul of the new data regulation merely because they maintain websites accessible in the EU. However, those with an office in the EU, or whose website is aimed at or tracks the data of EU residents, will be affected.
These include businesses with an EU footprint, for example the retailer Harvey Norman, which operates in Ireland, Croatia and Slovenia. It also covers data processors in Australia whose business includes EU or EU-based clients, and startups that trade globally.
Australian businesses may benefit from the fact that the new rules are consistent with the Australian Privacy Principles. Both promote transparency and accountability in information handling and require businesses to notify of any privacy breaches.
By contrast, businesses in countries where data handling requirements are less comprehensive (notably the US) will have to make changes to become compliant.
Nevertheless, the EU law will impose new burdens on Australian businesses. For example, it specifies encryption and pseudonymisation (where personally identifiable information is replaced by one or more pseudonyms) to ensure data is not identifiable.
The new EU law will also change the standard practices of online businesses by outlawing pre-ticked boxes, required consent and bundled consent. Businesses must now seek (in clear and plain language), and individuals must give, active, specific, free and informed consent to each purpose for which their data is collected.
The data law also requires all businesses to demonstrate that they have procedures for notifying regulators and customers of data compromises: within 72 hours in the case of high-risk breaches, and without undue delay in all cases.
The EU law includes new or enhanced rights for individuals. Many have no equivalents in other jurisdictions, including Australia.
People have a right to demand that businesses erase and cease disseminating personal information, and to halt its processing. However, this “right to be forgotten” is balanced against the public interest in the information remaining available.
The right to data portability in the legislation enables individuals to obtain personal information they have given by consent to one controller in a “structured, commonly used, machine-readable format” and transfer it to another. This will make it easier for customers to switch between businesses.
However, these rights impose regulatory burdens on businesses. Meeting them may be technically and organisationally difficult without sophisticated and expensive data handling processes.
For businesses that rely on things like cloud backup and third party customer support, deleting or making copies of transferable data will be difficult.
The commercial value of data is such that some companies may simply try to avoid the consequences of the new EU laws by processing information outside the EU, and applying different standards of data protection to customers depending on their location. Facebook has done this.
On the other hand, given how complex double standards can be to apply in practice, companies may simply make the EU rules the new normal for global privacy. In that case, businesses should use them as an opportunity to build more sustainable business models in the emerging era of respect for privacy.