New rules for handling personal data in Europe are forcing a global rethink of digital rights and may result in better protection for Australians.
The General Data Protection Regulation (GDPR) came into force in the European Union on Friday 25th of May. The new rules for handling personal data are the strictest in the world and are an attempt to fix a power imbalance between the people who generate data and the companies that collect and process it. The rules are recognition of the value of personal data, the challenges of protecting it, and the increasing cross-border flow resulting from the common market and globalisation.
The GDPR lifts the standard of consent. Companies that use, collect and process data will now need to provide information on the purpose of their activities in an accessible format: the days of 400-page terms and conditions are over. Users also gain the right to withdraw consent, and this must be as easy as giving it. Consistent with the union’s recognition of a right to be forgotten, article 17 of the GDPR allows users to request their data be erased.
The rules also suggest minimum standards of security and require that if a breach occurs that creates a “high risk to rights and freedoms”, companies will need to notify regulators within 72 hours and users “without undue delay”.
Penalties for violating the GDPR are significant: fines can be imposed of up to four per cent of global annual turnover, or €20m – whichever is greater.
Any company that handles the data of people living in the EU is subject to the new rules, regardless of where that company is located. This is a deliberate shift from the old model. Previous regulation applied only at the place of processing, leading to companies shopping for the most lenient jurisdiction. Though some companies will continue to do this – Facebook has already moved most of its userbase out of Ireland and back to the United States – European residents, at least, will be protected.
Rules for moving personal data outside the EU for processing are also stricter. The European Commission can, on a case-by-case basis, prevent transfer to outside countries depending on their existing privacy safeguards. Some countries will be given blanket approval: Canada and New Zealand are already recognised as having sufficient protections in place. Adequacy talks are underway with Japan and South Korea. Australia, at least for the moment, is not under consideration.
That Australia is playing privacy catch-up to other common law countries shouldn’t surprise us.
Law reform in Australia has been slow. In its recommendation of a new tort for serious invasions of privacy in 2014, the Australian Law Reform Commission considered whether companies should be liable for losing the personal data of their users. The most likely form that a liability would take – negligence – was rejected in the final report. Regulatory responses are preferable to civil actions, it reasoned, and the Australian Privacy Principles exist for that purpose. Regardless, the new tort remains a distant hope.
The regulator responsible for enforcing the Australian Privacy Principles, the Office of the Australian Information Commissioner (OAIC), was defunded and targeted for dissolution by the Abbott Government. Though Abbott did not manage to close OAIC, it remains under-resourced, with a single Acting Commissioner responsible for both the privacy and information portfolios. The former Victorian Privacy Commissioner, Prof David Watts, has said that the federal office is ineffective as a regulator, and that it is “stretched beyond breaking point”.
Australia’s data retention scheme – the mandatory two-year storage period of telecommunication information – is also out of step with European expectations. The Court of Justice stuck down a similar scheme in the Union in 2014, and again in 2016.
This is known as the “Brussels effect”: the ability of the European Union to use its market power to set global normative and regulatory standards. Facebook, for example, despite moving its databases out of Ireland, has said that it will provide European protections “in spirit” to its entire userbase.
We can still assume that the introduction of the GDPR will bring limited benefits to Australians.
There are also further steps toward enhanced data control frameworks for Australia. In February this year the Notifiable Data Breaches scheme came into effect, creating an obligation for some Australian companies that hold personal data to inform users in the event of a breach. In the first six weeks, 63 notifications were made.
The scheme is certainly weaker than it should be. Most organisations with annual turnover under $3m are exempt, as are state-level entities like hospitals. A 30-day notification window prevents affected users from taking quick action to improve their security. Enforcement is overseen by the thinly-stretched OAIC. It is unknown whether the scheme will result in significant behaviour change, or if some companies will factor in the fines – up to $2.1m – as a cost of doing business and preferable to bad press.
Last year the Productivity Commission recommended significant changes to data access, desiring a shift from “a system based on risk aversion and avoidance, to one based on transparency and confidence”. There is “tremendous” potential value in personal data, it says, and in the new services that could be developed with better access to it. The Commission singled out health service provision as an area where significant efficiencies could be found. Up to ten per cent of pathology tests are duplicates, it suggests. Waiting times for radiology could halve.
In pursuit of these savings the Commission proposed the consumer data right: allowing individuals to view, change and make their personal data available to businesses, services and research.
In the 2018-19 budget, the federal government allocated $65m over four years to support reform and adopt many of the Commission’s recommendations, including consumer data rights, as well as the establishment of a National Data Commissioner to oversee the new system. The initial data rights proposed cover transaction information – for the moment limited to banking, telecommunications and energy – and are being implemented by Treasury.
The Commissioner will not be part of OAIC, though the office will handle privacy complaints. The system is expected to be available in July 2019.
Australia introducing a data right doesn’t signal the start of a new government commitment to digital privacy. It is easy to imagine the opposite: the misuse of very intimate information occurring under the guise of improving productivity or to justify cutting services. The Commission tells us this is the real incentive: the limited exercise of property rights over some data will be good for the economy. It is worth being optimistic, though, that this might be the first step toward a broader empowerment of people over their information.
And in the meantime, we’ll (sort of) have the GDPR.