Do we always know when companies collect personal information about us? When we choose to provide personal information, do we know how it will be used and stored? Often we do not. The scale of the problem of improper data collection was illustrated by recent revelations that Cambridge Analytica, a research and marketing firm, likely improperly gained access to the personal data of approximately 87 million Facebook users globally. A Cambridge Analytica app collected information not just about app users, but also about the users’ friends, without their knowledge or consent.
Currently our personal information protection depends on where we reside, as different countries have different privacy and data protection laws. When we deal with an international company, it is not necessarily clear which laws apply. Companies can treat personal information differently, depending where it was collected or where the individual lives.
On 25 May 2018, the General Data Protection Regulation (GDPR) comes into force, to update and harmonise legislation across the 28 members of the European Union (EU). An alliance of United States and European consumer and privacy rights groups has asked Facebook to make the EU GDPR data protection framework the “baseline standard for all Facebook services…in all jurisdictions for all users.”
Given the international nature of information collection, use and transfer, it makes sense to have one clear global standard of protection adopted by different countries.
Why should the GDPR be the standard? What are the obligations?
The GDPR is similar to the Australian Privacy Act 1988 but contains important additional requirements and protections. The key principles are as follows:
- Clearer consent: Companies must clearly request consent to collect and use personal data. There should be separate requests for each collection. It needs to be easy to withdraw consent.
- Greater transparency
- Stronger procedures: Companies must process data securely and have clear internal procedures on data use; these can be set out in an internal Privacy Procedures Manual.
- Narrower collection and use: Companies can use personal data for legitimate purposes and only for the purposes they informed people of. Companies must not collect personal information that they do not need.
- Greater accuracy: Companies need to maintain data accuracy and correct data that is out of date.
- Storage and deletion: Companies must not store data for longer than needed and must delete it securely when it is no longer needed.
- Third party requirements: Where a company discloses personal data to third parties, such as a marketing company, the company needs to investigate the third party’s data protection capabilities. Your business may be liable if the third party discloses data and breaches the GDPR (unless you were not responsible and you adequately investigated the third party).
- Better access and portability: People have a right to view, amend and delete personal data about themselves, and to obtain a copy of data held about them in a portable format, to assist them to switch between providers.
- Mandatory breach notification: If a personal data breach could have detrimental effects on a person, such as loss of confidentiality, financial loss, or damage to reputation, the company must report the breach within 72 hours to the affected individuals and the regulator.
- Greater liability: Companies could be liable if their security systems are weak and customers’ data is hacked. The maximum fine for a privacy breach is 20 million euros or 4 per cent of a company’s annual global turnover (whichever is greater). There are administrative fines of up to 10 million euros or 2 per cent of global turnover for failures by company management to protect data.
Which Australian businesses need to comply?
From 25 May 2018, Australian businesses need to comply with the GDPR if they:
- have a business in the EU; or
- are not established in the EU but offer goods and services in the EU. This includes free or paid goods and services, including by accepting payment in euros, and/or
- are not established in the EU but monitor the behavior of EU residents, for example via a health tracking gadget.
There is no revenue exemption. All Australian businesses that meet the GDPR criteria must comply. By comparison, in Australia the Privacy Act 1988 and the Australian Privacy Principles do not apply to certain companies with revenue of less than $3 million per year.
The GDPR requirements are comprehensive and designed to solve current data privacy issues. If other countries adopt or mirror the requirements, it would provide greater clarity for businesses that transfer personal data B2B, and greater transparency and stronger protections for the public.
About the author
Ursula Hogben and the IT Legal team, LegalVision
Ursula is a co-founder and Practice Leader at LegalVision, a multi-award winning legal startup. LegalVision is a commercial law firm that provides Australian businesses with cost-effective and high-quality legal services through an innovative model. LegalVision was recently awarded fastest growing law firm in APAC by the Financial Times and NewLaw firm of the year at the Australian Law Awards. Ursula has over 15 years’ experience in corporate law and investment banking in Asia, the United States and Australia and is a trusted advisor for startup launch and growth including structuring, intellectual property, hiring, scaling and capital raising.