Can you see them slowly roaming and moaning in French, German and other private languages in Sydney, Melbourne, Brisbane or in other parts of Australia?
Look around! It is here! We should all be afraid and prepare for an ultimate onslaught of privacy regulation that has been compared to the upcoming winter in Game of Thrones. Not even Jon Snow and his feisty fellow Rangers of the Night’s Watch could do anything to help the careless unprepared.
It may be too late. You may as well start drafting a cheque for €20 million addressed to the European Union. You may also consider ruling out doing business with those hypersensitive privacy European Unionist snobs!
Alternatively, you could assess the real risk of non-compliance to your business and the opportunity that complying could provide. You could then make an informed business decision to either ignore it or make the most of it.
GDPR is Confusedly Here!
Welcome General Data Protection Regulation (GDPR)! Congratulations to the European Union, the proud collective parent of the long-awaited privacy regulation. The regulation weighs 88 pages (in English) and is now in force following months of apocalyptic-level warnings. We have certainly been warned that “GDPR is coming!” and of “The biggest change you’ve never heard of”, asked “Are you prepared?”, and reminded “It’s not too late to get ready”.
You may also have been confused on the subject and wondered whether you should care about it at all. For example, an article published on the Australian Computer Society (ACS) website quotes a cybersecurity vendor representative, supposedly positioned as a GDPR expert, on the criteria for applicability of the regulation. The article states that “Officially, GDPR will only apply to companies with over 250 employees”. This is unfortunately inaccurate and ill-informed. The regulation contains no such blanket exemption. It officially applies to all businesses handling EU residents’ personal data, regardless of business size, for the large majority of its requirements. The only exception applies to some record-keeping requirements, under specific conditions.
Other “advisors” also provide misleading information on social media, for example claiming that the applicability of the regulation depends on whether a business has a local office in the EU. There is no such provision in the regulation either.
To avoid any confusion on GDPR, consult:
- The official regulation text from the EU Law website; or for a shorter version
- The excellent summary provided by the OAIC under Privacy business resource 21: Australian businesses and the EU General Data Protection Regulation.
Ruling out business with the EU?
I was privy to a passionate debate on the subject of GDPR held within an Australian FinTech startup community, where a CEO said he was considering excluding the EU from his business plan. GDPR would bring his business challenges that outweighed the potential business benefits in the EU region in the short term.
Key GDPR challenges
The CEO shared his assessment. He would face the following two biggest GDPR challenges:
- ‘Right to be forgotten’, “which causes all sorts of issues when trying to design systems where payments (for which data must be kept) and non-payment information (which users can demand to be deleted) is involved”; and
- ‘Access to own data’, “you have to give people access to their own data. Sounds easy, right? Unless you transform their data in a way that reveals internal business processes, and even worse if you create data that joins individuals who can both demand their data be released yet are required to have their data kept secret.”
The startup assessed that “Both of the above will require you to create new interfaces, new business processes and new security systems to prevent abuse (e.g. when someone asks for all their data, how do you give it to them if they can’t access their account for whatever reason?)”.
EU Privacy Compliance vs AU Business Priority
Challenged on his assessment, “can you really *afford* not to care about the privacy of your customers as a priority?”, the CEO added:
“I care about my users’ privacy deeply, to the point of making it harder for me to develop my product”, but “the ‘right to be forgotten’ adds substantial overhead to the management of legitimate collection and use of data (it might even make it impossible to legally run some businesses!).”
He also added that the EU only represented 10% of his target market globally.
The CEO conducted a thoughtful assessment of the implications of GDPR compliance on his business, and tested those implications against potential business return in the EU. He made an informed business decision to de-prioritise the EU market, for now, in view of the effort and cost of complying with the regulation.
What is the risk for Australian companies?
Businesses may find it difficult to appreciate how GDPR sanctions could ever be enforced upon them in Australia, and may consider disregarding the regulation because:
- Local privacy sanction precedents are few and minor;
- Local maximum sanctions compare poorly with those of the EU;
- The protocol for enforcing GDPR sanctions on non-EU members relies on a desired international collaboration (good will); and
- Australian organisations with a turnover lower than $3M are exempt from complying with the local privacy regulation.
Local privacy sanction precedents
- Telstra was fined $10,200 in 2014 and warned over privacy breaches after an information leak exposed almost 16,000 of its customers’ private data online.
- Freelancer was fined $20,000 in 2016 by the Office of the Australian Information Commissioner (OAIC) for damages to a European former account holder and for breaching the Privacy Act.
- Any other disclosed cases?
In comparison, EU countries have numerous cases of example-setting sanctions. For example, in France, the CNIL (the French privacy watchdog and supervisory authority under GDPR) maintains a public list of sanctions (23 cases at the time of writing), including hefty fines such as €100,000 (~$155,000) for Darty in January 2018 (before GDPR).
The maximum penalty under Australian regulation also compares poorly with the scale of GDPR administrative fines, by a factor of about 15 (€20 million, ~$31M, or 4% of global turnover, whichever is greater, under GDPR vs $2.1M under the Australian Privacy Act).
In addition, the Australian Privacy Act provides an exemption of compliance for Australian organisations with a turnover of less than $3M. There is no turnover threshold under GDPR.
Enforcing sanctions in Australia
Under GDPR, the applicability of administrative fines or sanctions to non-EU jurisdictions relies on a desired international cooperation based on reciprocity.
“supervisory authorities may find that they are unable to pursue complaints or conduct investigations relating to the activities outside their borders… there is a need to promote closer cooperation among data protection supervisory authorities to help them exchange information and carry out investigations with their international counterparts” (GDPR, Recital 116).
OAIC resources on GDPR, such as this article, provide no clarification on a potential enforcement protocol, aside from a generic statement of commitment to internationally coordinated approaches to privacy regulation.
I enquired directly with the OAIC and asked in writing: “How would GDPR sanctions be enforced in Australia?”. The OAIC kindly replied that, in essence, they could not advise on the subject (well, who can then?).
The Bright Side of Consumer Data Protection
Complying with consumer data protection and privacy regulations, such as the EU GDPR or the Australian Privacy Act, may come at the cost of changing processes, technologies and, importantly, organisational culture.
Australian businesses doing, or contemplating doing, business overseas have the choice to comply with local regulations such as GDPR, to disregard them and accept the risk, or to forfeit doing business in some countries. It is a business risk decision.
Whether or not a business opts to comply with privacy regulations, investing in better consumer data protection practices has a very bright upside: customers have growing privacy concerns, and business is lost over those concerns, according to the OAIC’s Australian Community Attitudes to Privacy Survey 2017 (ACAPS).
Mounir Mahjoubi, the ‘geek’ who saved Macron’s French presidential campaign from cyber attacks and now French Secretary of State for Digital, brilliantly called out the opportunities that GDPR and better consumer data protection practices provide to businesses. Mahjoubi suggests (in a speech) making the most of compliance requirements. With better data protection, businesses can:
- Serve their clients in better ways;
- Build new services and innovative ways to manage data;
- Optimise the usage of data; and very importantly
- Improve data security and better manage business risk.
When it can be prioritised and afforded, complying with consumer data protection and privacy regulations such as GDPR can be a very valuable business risk management practice and a valuable business differentiator at the same time.