Have you received a message from Twitter lately about protecting your data?
Has eBay contacted you about your privacy rights?
These companies, and others, are getting on the front foot ahead of a new privacy law coming into effect in the European Union this month.
The new law is a major upgrade to online privacy rights, but what is it and why are Australian consumers on the other side of the world getting emails about it?
What is the GDPR?
GDPR stands for General Data Protection Regulation. It’s a new privacy law that takes effect on May 25, to update and harmonise legislation across the 28 members of the European Union.
Experts say it will update laws from the mid-1990s, tackle privacy concerns by increasing transparency, and codify concepts such as “the right to be forgotten online”.
What does that mean in practice?
The GDPR will significantly increase penalties for breaching people’s online privacy.
Anna Johnston, director of Sydney-based consultancy Salinger Privacy, says that could include leaking a customer’s information — deliberately or accidentally — as well as losing data.
It could also make companies liable if their security systems are weak and customers’ data is hacked.
“You could have all the best external information security controls in the world, but you might still have a disgruntled employee who goes rogue and does the wrong thing with your customers’ data, for example,” Ms Johnston said.
“It’s also about whether or not it was lawful to collect [the data] in the first place, whether you were transparent about why you’re collecting it, what you’re going to do with it, how you’re going to use it.”
What are the penalties for breaching the GDPR?
Under the GDPR, the maximum fine for a privacy breach is 20 million euros or 4 per cent of a company’s annual global turnover — whichever is greater.
On top of that, there are administrative fines of up to 10 million euros or 2 per cent of global turnover for failures by company management to protect data.
Experts say the huge increase in penalties is squarely aimed at global technology firms.
How is it relevant to Australia?
Given the GDPR is a European law, it would seem to have little relevance for Australia. But any company with customers in the EU will be affected.
“You might be an Australian company trying to sell your product online to customers in the EU and it doesn’t matter that you don’t physically have, you know, a shop in Spain,” Ms Johnston said.
Any business that operates online and allows customers to pay with euros, or translates its website into a European language, may fall under the remit of the GDPR, Ms Johnston said, because that would be regarded as marketing to EU customers.
“As a result, even a very small business in Australia might come within the scope of the GDPR,” she said.
Are companies already complying with the new law?
The evidence to date is mixed, according to the University of Western Australia’s David Glance.
Instagram, for instance, recently allowed customers to download photographs, which they were not previously authorised to do.
But Professor Glance said Facebook’s decision last month to move some of its jurisdictions was aimed at circumventing the GDPR.
“[Australia has] been shifted now from being covered by the Irish office of Facebook, which is in Europe, to the US one,” he said.
“That’s not necessarily a good thing for us because essentially if we’d stayed in Ireland then we may have got the benefits of GDPR.”
Will the average internet user be better off?
The effectiveness of the new law, Professor Glance said, may depend on how willing authorities are to apply the maximum penalties for breaches.
He said the privacy breaches exposed in the Cambridge Analytica scandal, for example, may have played out differently under GDPR.
If Cambridge Analytica had happened today … [Facebook] potentially would have pursued it more aggressively and more openly than they did at the time,” Professor Glance said.
“The potential losses from things like this are much greater.”
Some in the technology sector believed the GDPR would set a new international standard for privacy.
“My clients in Australia are being pressured by their customers in the US to make sure that they’re going to meet the GDPR, because it’s simply seen as almost a de facto, new global standard,” Ms Johnston said.
Others, however, say the onus is still on internet users to be vigilant about what information they share online.
“What’s clear is that the companies still really don’t care about privacy, despite what we’re seeing with the flurry of activity,” Professor Glance said.
“It’s really down to individuals and the good news is that generally Australians are getting smarter about what they share and what is protected.”