Privacy Law Update - The General Data Protection Regulation is coming
Recently I posted about Facebook and privacy. In that article I mentioned the General Data Protection Regulation (the GDPR) coming into effect in Europe soon.
Well, the GDPR is now just over a month away from implementation; it comes into effect on May 25.
The GDPR was originally proposed back in 2012, and it will require all companies to give notification within 72 hours when a "personal data breach" has occurred.
Gone are the days (in Europe at least) of finding out about large data breaches years later, like when Yahoo disclosed in September 2016 that a large data breach of 500 million customer accounts had occurred in 2014. This breach compromised the real names, email addresses, dates of birth and telephone numbers of the Yahoo customers.
Failure by companies to comply can result in fines in the billions of euros, depending on the severity of the breach.
As well as reforms on notification, the GDPR gives customers increased control over their data and how it's used by companies.
Included in this control is the ability of customers to opt out of data trade with third parties. For example, a Facebook user could opt out of their data being shared with third parties.
Although this regulation only applies to Europe, it will almost certainly have an impact on Australian businesses and customers.
Facebook has already announced that it plans to implement the GDPR reforms for its users no matter where they live.
The GDPR applies to any business that is "established" in the EU and to any controller or processor of personal data that offers goods or services to individuals residing in the EU. Given this scope, Australian companies that have EU operations, or that offer services to EU residents from Australia, will need to comply.
The Office of the Australian Information Commissioner has released guidance for Australian business on the GDPR. It can be accessed via their website at www.oaic.gov.au.
The key messages set out by the OAIC on the GDPR (some of which reinforce what I've outlined above) are:
- The GDPR contains new data protection requirements that will apply from 25 May 2018.
- Australian businesses of any size may need to comply if they have an establishment in the EU, if they offer goods and services in the EU, or if they monitor the behaviour of individuals in the EU.
- The GDPR and the Australian Privacy Act 1988 share many common requirements, including to:
1. implement a privacy by design approach to compliance
2. be able to demonstrate compliance with privacy principles and obligations
3. adopt transparent information handling practices.
- There are also some notable differences, including certain rights of individuals (such as the 'right to be forgotten') which have no equivalent under the Privacy Act.
- Australian businesses should determine whether they need to comply with the GDPR and if so, take steps now to ensure their personal data handling practices comply with the GDPR before commencement.
It is only a matter of time before further privacy reforms occur in Australia. The fallout from the Cambridge Analytica situation will almost certainly lead to calls for further reforms at some stage. Whether they go as far as the EU reforms remains to be seen.