HOW DO I KNOW IF IT WILL AFFECT ME?
The General Data Protection Regulation (‘GDPR’) applies if the data controller (an organisation that collects data from EU residents), the processor (an organisation that processes data on behalf of a data controller, such as a cloud service provider), or the data subject (the person) is based in the EU. This means that if your website, application or business collects or processes data from a subject ‘based in the EU’, your business can be liable under these new laws. In particular, these three types of businesses should be wary:
1. Australian businesses that have an establishment in the EU
2. Australian businesses that sell goods and services in the EU; and
3. Australian businesses that monitor behaviour of individuals in the EU.
If your business sells software you might fall under all three of these business categories.
However, the GDPR only needs to be considered with regard to any personal data your business might manage. The GDPR makes clear that a wide range of identifiers can be classified as ‘personal data’, including a name, an identification number, location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
WHAT DO I NEED TO DO?
If you have realised that you might be liable under the GDPR then there are a few steps you should take as soon as possible. The GDPR has a lot in common with Australia’s Privacy Act, so hopefully your business already complies with most of Europe’s regulation. However, WorkingMouse has noted three main differences between the laws that we have raised with our clients who have overseas customers. All businesses with software that is available to clients in Europe should ensure compliance with the following (in addition to Australia’s Privacy Act compliance):
1. CONSENT
Article 6 of the GDPR tells us that one of the conditions for the lawfulness of processing personal data is consent. This is defined in Article 4 as:
“any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”.
The UK’s Information Commissioner’s Office further clarified what changes some of the terms in this definition will require for compliance. For example, “clear affirmative action” means that pre-ticked opt-in boxes for data collection will no longer be satisfactory. Consent requests must also:
- Be separate from other terms and conditions. Consent should not be a precondition of signing up to a service unless necessary for that service.
- Be specific in identifying the different types of data processing and requiring consent for each type.
- State any third parties who may be entitled to the data.
- Store all records of what the person consented to.
- Be easy to withdraw at any time. This includes telling people they have the right to withdraw at any time and making it easy to do so. It must be as easy to withdraw as it was to give consent.
Basically, while your website probably already has consent requests, they are likely not as explicit or as obvious as the GDPR requires. Looking at solutions such as two-step verification can help demonstrate your business’ compliance with the regulation.
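The five consent requirements above map fairly directly onto a data model. As an added example (not code from the original article or from WorkingMouse), the following consent ledger stores one time-stamped record per processing purpose, rejects anything that is not an explicit affirmative action, keeps optional purposes off the sign-up path and makes withdrawal a single call; the `ConsentLedger` class and purpose names are assumptions.

```python
# Added example, not the article's code: purpose names here are constructed.
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

@dataclass
class ConsentRecord:
    user_id: str
    purpose: str              # one record per type of processing (granular)
    wording_version: str      # which version of the request text was shown
    third_parties: tuple      # recipients named in the request
    given_at: datetime
    withdrawn_at: Optional[datetime] = None

class ConsentLedger:
    """Keeps every consent decision so the business can show what was agreed."""
    # Purposes the service cannot work without; anything else is optional and
    # must never be a precondition of signing up.
    REQUIRED_PURPOSES = frozenset({"account_management"})

    def __init__(self):
        self._records = []

    def give(self, user_id, purpose, wording_version, third_parties=(), affirmative=False):
        # "Clear affirmative action": a pre-ticked box or a default is not consent.
        if not affirmative:
            raise ValueError("consent requires an explicit affirmative action")
        rec = ConsentRecord(user_id, purpose, wording_version, tuple(third_parties),
                            datetime.now(timezone.utc))
        self._records.append(rec)
        return rec

    def withdraw(self, user_id, purpose):
        # One call, as easy as giving consent; the record is time-stamped rather
        # than deleted so the history of what was agreed stays auditable.
        now = datetime.now(timezone.utc)
        for rec in self._records:
            if rec.user_id == user_id and rec.purpose == purpose and rec.withdrawn_at is None:
                rec.withdrawn_at = now
        return now

    def has_consent(self, user_id, purpose):
        return any(r.user_id == user_id and r.purpose == purpose and r.withdrawn_at is None
                   for r in self._records)

    def can_sign_up(self, user_id):
        # Signing up depends only on purposes necessary for the service itself.
        return all(self.has_consent(user_id, p) for p in self.REQUIRED_PURPOSES)
    def history(self, user_id):
        return [r for r in self._records if r.user_id == user_id]
```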
2. THE RIGHT TO BE FORGOTTEN
The entire regulation offers some serious restrictions for data controllers and affords heavy protection to individuals (data subjects). Perhaps one of the strongest protections is the data subject’s right to erasure (also known as the ‘right to be forgotten’). Article 17 of the GDPR affords the individual the right to data erasure without undue delay at their verbal or written request.
This means that if, as a controller of data, you are asked to erase an individual's data and you have disclosed that personal data to others (a third party), you must contact each recipient and inform them of the erasure, unless this proves impossible or involves disproportionate effort. If asked to, you must also inform the individual about these recipients.
Applying this principle to an online environment where personal data has been made public can be challenging due to the vastness of the internet. For these circumstances the regulation requires that reasonable steps should be taken to inform other controllers who are processing the personal data to erase links to copies or replication of that data. To determine what steps are reasonable you should take into account available technology and the cost of implementation.
In some circumstances a request for data erasure could be seen as manifestly unfounded or excessive. In these circumstances you might be able to request a “reasonable fee” to deal with the request or refuse to deal with it, if you can justify this decision. However, considering the focus on individual protection in these regulations, it is better to be more cautious and design your software to be able to erase data if requested.
3. THE RIGHT TO DATA PORTABILITY
Another significant difference to note between the Australian Privacy Act and the GDPR is Article 12, which grants an individual the right to data portability. This right is a very new concept and requires a controller to provide the individual with a copy of their personal data in a structured, commonly used and machine-readable format so that the individual may transmit the data to a different controller, or give another controller direct access to transfer the data to their server.
Examples of structured, commonly used and machine-readable formats that are suitable for data portability under the regulation include CSV, XML and JSON. However, this does not mean you are obliged to use them. Other formats exist that also meet the requirements of data portability.
Providing data portability on your software platform may be quite complex to achieve. There are therefore some limits to transmitting data to another controller. For example, this right does not create an obligation for you to adopt or maintain processing systems which are technically compatible with those of other organisations.
All the big companies from Spotify to Instagram have had to implement ways for you to download a complete collection of your data on their platform, including a complete history of what photos you have liked and exactly which songs you have listened to.
The GDPR is now in full effect. Online businesses, even those based in Australia, should ensure they are prepared to deal with any requests or concerns raised by individuals interacting with their online presence from within Europe. Though some Australian businesses may not yet, or ever, feel the impact of this new legislation, it is important that businesses that currently have, or plan to have, an establishment in the EU, sell goods or services in the EU, or collect data from the EU begin to consider the significant changes to data collection this regulation brings.