Should businesses in Australia and other non-EU countries care about 24 versions of GDPR?
In Stuff GDPR!?, I call out the over-hype and the confusion surrounding the European Union (EU) General Data Protection Regulation (GDPR) in Australia. I suggest that businesses in scope for GDPR based in Australia, and in other non-EU countries, have the opportunity to make an assessment of business risk and opportunity. Businesses can then make an informed decision to either:
- Comply with the regulation, and make the effort and investment for it;
- Skip business with EU residents, and avoid the regulation (I share a concrete example in Stuff GDPR!?); or
- Accept the risk of GDPR sanctions, as it applies to specific businesses operating from outside the EU, and ignore the regulation for now. I argue that the risk of sanctions for most businesses in Australia is rather low.
Importantly, I still make a point about the bright side of better consumer data protection. Business is simply lost with poor privacy practices. I am also fully committed to stronger privacy regulation and enforcement, and I am a GDPR fan – I want the same regulation in Australia!
In Stuff GDPR!?, I also suggest consulting two official GDPR references to avoid any further confusion about the regulation – calling out that even the Australian Computer Society (ACS) had published ill-informed advice on the subject.
The best and authoritative reference for the regulation is the official text from the EU Law website.
GDPR lost in translation?
The EU Law website provides 24 versions of the regulation, in different languages. The International Association of Privacy Professionals (iapp) has published GDPR: Lost in translation, authored by Jeroen Terstegge.
Terstegge warns that privacy professionals may “run into nasty surprises”, because of translation discrepancies. His research reports a non-negligible level of translation errors across the different versions of GDPR. He provides some examples of ambiguous translations, such as the following one, amongst others.
“In article 10, the English term “offence” has been translated into the Dutch equivalent of the term “criminal fact” (in German: criminal act). This poses a problem, as Dutch law disposes of many minor offences, like simple speeding, using administrative law rather than criminal law.” (Terstegge, in GDPR: Lost in translation.)
Terstegge provides the following advice amongst his recommendations:
- “Do not solely rely on the English version of the GDPR… and always consult the applicable language version for the relevant jurisdiction.”
- “When in doubt, compare the local language version to the (original) English version and, if possible, with the German and French versions, the other major languages in the EU.”
What does it mean for non-EU countries?
Like Terstegge, I am a polyglot, and I find great interest in the impact of culture and linguistics on regulations and behaviours associated with technology. His research is grounded. There is indeed room for ambiguity in some elements of the regulation, some of which could present a level of risk.
However, I think the advice to consult the GDPR in multiple languages is overdone for most Australian and other non-EU businesses, unless the business's services target a small number of EU countries (e.g. France only). In keeping with my views in Stuff GDPR!?, and despite my love for privacy and polyglotism, I would say “Stuff the multi-GDPR languages!?”.