Privacy Laws – compliant? Who? Me?
Do you collect or process “personal information”? If you operate a business that collects “any information relating to an identified or identifiable natural person”, then you are required to comply with privacy laws. In Australia, that means the Privacy Act 1988 (Cth) and the 13 Australian Privacy Principles (APPs) set out in Schedule 1 of the Act.
If you sell or promote your products and services in the EU and you “control” or “process” “any information relating to an identified or identifiable natural person” then, from 25 May 2018, you are required to comply with the General Data Protection Regulation (GDPR).
It’s hard to have missed the recent scandal surrounding Facebook and Cambridge Analytica in relation to their respective roles in mining, processing and selling the data of over 87 million Facebook users, to Donald Trump’s Republican pollsters. None of the Facebook users knew that their data was being sold to the third parties who profiled them, to push content to them that was intended to assist the Trump election cause. Many would say it was extremely effective.
Was it illegal?
Not if the data was rendered into a format where the owner of the data obtained could not be identified. But when you have a unique Facebook profile and that is sold to an advertiser, to sell you a “customized” product or service that matches your browsing history, your likes and shares, how could it not? International regulators are looking closely at this. Even our Australian Privacy Commissioner is investigating. Class action anyone?
What’s with the GDPR?
The GDPR has a lot in common with Australian privacy law. The scope of “personal data” covered by the GDPR is similar to “personal information” under our Privacy Act, and the GDPR applies to any business offering goods or services to, or monitoring the behaviour of, individuals in the EU. Individuals have rights of access, rectification and erasure similar to those here. But there are some marked differences under the GDPR:
- Individuals have a right to object to their data being processed, including for research or statistical purposes (Article 21). However, if the data is genuinely anonymised so that the individual can no longer be identified, it ceases to be “personal data”. Note that merely pseudonymised data (for example, data keyed to a customer number that can still be linked back to a person) remains personal data and stays within the GDPR.
- Consent to use personal data requires a clear, affirmative “opt-in” action (Article 7). It cannot be buried as a condition of obtaining a service, inferred from silence or pre-ticked boxes, or bundled with standard terms and conditions.
- There are comprehensive obligations relating to privacy risk management and compliance, which require documentation and training around these obligations.
- There are strict data breach reporting obligations: the supervisory authority must be notified without undue delay and, where feasible, within 72 hours of becoming aware of a breach (Article 33), and affected individuals must be notified where the breach is likely to result in a high risk to them (Article 34).
- There is an obligation to appoint a “Data Protection Officer” (Article 37) where the business is a public authority, or its core activities involve large-scale regular and systematic monitoring of individuals or large-scale processing of sensitive categories of data. The DPO must understand the compliance obligations of the business and the role must be “independent” within the organisation. Every business should also have a Data Breach Response Plan.
- There are also significant penalties for breaches, including administrative fines of up to €20 million or 4% of annual global turnover, whichever is higher (Article 83).
How does this affect your business?
If you think you don’t need to worry because you’re not a bank, an insurance company or a hospital – think again. If you rely on third parties to support your business, have you thought about your contracts with web hosting and IT service providers? Do they contain indemnities for your benefit for data breaches caused by their failures? Under the GDPR (Article 28) you may only use processors that provide sufficient guarantees about their security measures, and your contract with them must set out their obligations in writing, so you will also need detailed information from them about the security of their systems.
You can read more about Australian privacy laws at www.oaic.gov.au and for GDPR compliance https://www.oaic.gov.au/agencies-and-organisations/business-resources/privacy-business-resource-21-australian-businesses-and-the-eu-general-data-protection- or contact us.
This paper is a summary providing general information and is not specific legal advice. Each scenario is different and will require consideration of specific circumstances before legal advice may be provided.
22 May 2018
(02) 9318 6411
Surry Partners Lawyers