The changing legal landscape around data privacy offers opportunities for organisations to get ahead of the curve by tightening up their existing policies and practices.
In an interview with Intermedium, Sheila FitzPatrick, NetApp’s Chief Privacy Officer and Worldwide Data Governance and Privacy Counsel, emphasised the need for organisations to be transparent in data collection and usage in order to maintain trust.
It is also important to keep abreast of global developments as governments respond to growing concerns about data privacy by introducing new regulations.
“We are certainly going to see an enhancement in data privacy laws”, she said. “There is a push towards more privacy regulations and more transparency around what you’re doing.”
Europe’s leading changes
At the forefront of this movement is the European Parliament, which adopted its General Data Protection Regulation (GDPR) in April 2016 – to come fully into force in May 2018. According to FitzPatrick, the GDPR is “the top tier” in terms of privacy requirements, as well as “the most aggressive and massive change of privacy laws in over 20 years”.
There are several elements that set the GDPR apart from regulatory schemes in other jurisdictions, including Australia.
Firstly, it is broad in its applicability. The regulation will apply to data processors and controllers in the EU, “regardless of whether the processing takes place in the EU or not”. Significantly, it will also apply to those not established in the EU, if their activities relate to:
- Offering goods or services to EU citizens (irrespective of whether payment is required); and
- the monitoring of behaviour that takes place within the EU.
Non-EU businesses processing the data of EU citizens will also have to appoint a representative in the EU to liaise with supervising authorities.
“So even if you don’t have a presence in Europe, if you do business with European countries or you have a website that European citizens would go onto, or if you have any touchpoint with a person who is an EU resident, you’re going to be held accountable under this law”, explained FitzPatrick.
Secondly, it introduces harsh penalties for noncompliance. Organisations in breach of the GDPR can be fined up to 4 per cent of their annual global turnover, or €20 million (whichever is greater).
FitzPatrick also noted that “this is the first regulation that imposes equally as harsh sanctions on data processors as it does on data controllers”, as opposed to the current EU Data Protection Directive (which places the burden of legal compliance on data controllers). The wider ambit of the GDPR means that, for instance, cloud service providers will no longer be exempt from EU data privacy requirements.
Another key requirement is the mandatory appointment of a Data Protection Officer by organisations if their activities involve “regular and systematic monitoring of data subjects on a large scale”.
The GDPR also enshrines in law the individual’s ‘right to be forgotten’ or ‘right to erasure’, which “entitles the data subject to have the data controller erase his/her personal data, cease further dissemination of the data, and potentially have third parties halt processing of the data”.
Once the GDPR becomes enforceable throughout the European Union from 25 May 2018, FitzPatrick expects it to “impact organisations all over the world, especially here in Australia where there is a lot of interaction between European businesses and Australian businesses”.
Other key players
Despite the current focus on the new GDPR regulations in Europe, FitzPatrick says there is also important privacy activity happening in other regions, like the Asia-Pacific. “China just released a new cybersecurity law that has a data protection and data localisation component in there. Japan just released their new Act on Protection of Personal Information.”
The Japanese legislation came into force at the end of May 2017, introducing an extraterritorial enforcement component for businesses processing the personal data of Japanese citizens, expanding the definition of ‘personal data’, and removing exemptions for small businesses.
The Chinese law took effect on 1 June 2017, standardising the approach to collection and usage of personal information and introducing criminal sanctions for unauthorised collection and disclosure of citizens’ information.
“It becomes an issue when you’re a global company and your internal regulation regime doesn’t equate to the more restrictive data privacy laws around the world”, FitzPatrick warned.
Privacy law in Australia
In Australia, data privacy is chiefly regulated by the Commonwealth Privacy Act 1988, which was amended to introduce thirteen Australian Privacy Principles (APPs) in 2014. Compliance with the APPs is mandatory for both Australian Government agencies and the private sector.
According to FitzPatrick, there is a move in Australia “to enhance the laws to mirror what we see in the GDPR” to entice European and Canadian companies to do business in Australia, “and make Australia the country of choice for development, for data centres, for outsourcing, for financial”.
Part of this push can be seen in the latest amendment to the Privacy Act, which was passed in February 2017. The Privacy Amendment (Notifiable Data Breaches) Act 2017 sets up the NDB scheme, which makes notification of “eligible data breaches” mandatory from 22 February 2018.
According to the Act, an eligible data breach happens if:
- There is unauthorised access to, unauthorised disclosure of, or loss of, personal information held by an entity; and
- the access, disclosure or loss is likely to result in serious harm to any of the individuals to whom the information relates.
An entity must give notification of this breach to the affected individuals if “it has reasonable grounds to believe that an eligible data breach has happened” or if it is directed to do so by the Privacy Commissioner.