If you are anything like me, you may be a little annoyed about the volume of email you have received over the last few weeks from businesses updating their privacy policies. The reason for the sudden flurry of activity is due to changes to privacy and data collection which have just commenced in Europe and the ensuing ripple effect of a strengthening global on-line economy.
The long-awaited new EU data rules, known as the General Data Protection Regulation (GDPR) came into force on 25 May 2018. The GDPR imposes strict new rules on consumer data protection that businesses (including some in Australia) must adhere to.
The new regulation covers most forms of personal data, including basic identity information, through to biometric, health, genetic, racial or ethnic data, sexual orientation and political opinions, with an emphasis on the handling and storage of that information.
It is increasingly difficult to argue against the imposition of additional safeguards where we see the likes of Cambridge Analytica using the data of more than 87 million Facebook users without their consent with suspected involvement in more than 200 elections around the world.
The worldwide impact of the GDPR is not to be understated and it is not just businesses based in the EU who will need to comply with the new rules.
Examples of Australian businesses that may be subject to the new rules include those:
- with an office in the EU;
- whose website enables EU customers to order goods or services in a European language (other than English) or enables payment in euros;
- whose website mentions customers or users in the EU;
- that track individuals in the EU on the internet and use data processing techniques to profile individuals to analyse and predict personal preferences, behaviours and attitudes.
Many of the provisions are similar to those found in the Privacy Act 1988 (Cth) (the Privacy Act). However, there are some differences and, with tighter requirements under the GDPR, compliance with the Privacy Act does not necessarily mean you will meet the requirements of the GDPR.
There are some notable differences between the the Privacy Act and the GDPR, which include (to list a few):
- Consumers have the right to have their information erased, also known as the right to be forgotten. They can also ask for their data to be restricted: companies are entitled to store data but not use it in some circumstances.
- People will be able to move or copy their personal information from one source to another, known as data portability.
The following similarities also apply:
- Storing personal data of EU residents is only legal with their consent;
- People will be able to ask companies for the information they hold on them and businesses will have to provide this (for free);
- Consumers will have a right to be informed about the collection of their information;
- Consumers will have the right to object to how their data is used – including for direct marketing; and
- They can also object to profiling, when companies automatically process data (generally in an online environment) to make assumptions about a person for marketing.
Companies that fail to meet the requirements under the GDPR face potential fines up to €20,000,000 (approx. AU$30,948,549) or 4% of global turnover, whichever is the greater.
If businesses have a presence in the EU, they should consider taking the steps outlined in response to the GDPR:
- Review your current privacy policy (with emphasis on some of the additional requirements imposed in the EU, as outlined above);
- Ensure your business has appointed a data protection officer;
- Inform stakeholders of the changes which have come into effect through the GDPR; and
- implement a thorough risk assessment and have a compliance plan in place.
We can assist if you have queries as to how the GDPR will impact your business, or if you wish to discuss issues in relation to privacy/data protection and compliance.
