Tough new EU privacy regulations could lead to better protections in Australia
- Written by Vincent Mitchell, Professor of Marketing, University of Sydney
Major personal data breaches, such as those that occurred recently at the Commonwealth Bank, Cambridge Analytica and Yahoo, have taught us how vulnerable our privacy is.
As with the cigarette and alcohol markets, it took a long time to prove that poorly regulated data collection can do us harm. And as with passive smoking, we now know that data trading can harm those around us as well as ourselves.
Regulators in the European Union are cracking down on the problem with the introduction of the strict new General Data Protection Regulation (GDPR), which applies from May 25. The hope is that the new rules will shift the balance of power in the market for data away from companies and back to the owners of that data.
The GDPR applies to companies that trade in the EU or process the data of people in the EU. This includes some of Australia’s biggest companies, such as the Commonwealth Bank and Bunnings Warehouse. Since companies that don’t operate in the EU or process the data of people in the EU aren’t required to comply, Australian consumers could soon be facing a two-tier system of privacy protections.
That isn’t all bad news. By choosing to deal with companies with better data protection policies, Australian consumers can create pressure for change in how personal data is handled across the board.
How the GDPR empowers consumers
The GDPR makes it clearer what companies should be doing to protect personal data and empowers consumers like never before.
When dealing with companies operating in the EU, you will now have the right to:
access your own data and any derived or inferred data
rectify errors and challenge decisions based on your data, including the right to object to direct marketing
be forgotten and erased in most situations
move your data more easily, such as when changing insurance companies or banks
object to certain types of data processing and challenge significant decisions based purely on profiling, such as for medical insurance or loans
receive compensation.
This final right will lead to another profound improvement in regulation of the market for personal data.
Consumers as a regulating force
As a result of these new rights and powers, consumers themselves can help regulate company behaviour by monitoring how well companies comply with the GDPR.
In addition to complaining to authorities, such as the Information Commissioner, when consumers encounter breaches they can complain directly to the company, share stories online and alert fellow users.
This can be powerful – especially when whistleblowers actually work in the industry, as was the case with Cambridge Analytica’s Christopher Wylie.
Companies that don’t protect people’s personal data will face fines from the regulator of up to 4% of global turnover, or €20 million. In addition, they could be required to pay compensation directly to consumers who have asked investigating authorities to claim on their behalf.
This potentially means that all those millions of EU citizens who were caught up in the Facebook-Cambridge Analytica scandal could, in the future, be able to sue Facebook.
From the viewpoint of empowering and motivating consumers to monitor what companies do with their data, this is a momentous change.
A shift in our expectations of data privacy
The way things currently stand, there is an imbalance in the personal data market. Companies take all the profit from our personal data, yet we pay the price as individuals, or as a society, for privacy breaches.
But as a result of GDPR, we are likely to see expectations of how companies should act begin to shift. This will create pressure for change.
You’ve probably already been sent notifications from companies asking you to re-consent to their privacy policies. This is because GDPR expects consent to be more explicit and active – default settings and pre-checked boxes are considered inadequate.
Consumers should also expect companies to make it just as easy to withdraw consent as it is to give it.
Unlike New Zealand’s strong privacy laws, personal data protections in Australia – and in the massive data markets of the BRIC countries – are not considered “adequate” by the EU and fall below its standards.
Consumers should be wary of vested interest arguments, such as Facebook’s claim that it just wants to connect people. To use an analogy, that’s comparable to an alcohol manufacturer saying it just wants people to have a good time, without highlighting the potential risks of alcohol use.
If you want these greater rights and protections, now is the perfect time to lobby your Members of Parliament and demand the best available protection from all the companies you deal with.