Phones the country over can be heard buzzing as emails filter through at an almost constant rate. Websites are reaching out to remind people to ‘stay in touch’ or ‘let them know that you want to hear more’.
The reason for this sudden burst of contact from online service providers and websites is not merely a meaningless reminder of their existence, but actually a result of new and strict privacy laws implemented recently in Europe. These laws have been introduced under the EU General Protection Data Regulation (GDPR).
What is the GDPR?
The General Protection Data Regulation (or GDPR) is a far-reaching and newly introduced European legislative instrument intended to increase privacy and personal data protection requirements within the European Union.[i]
The policy implications of the GDPR are significant. The now superseded data and privacy guideline that the GDPR replaces; the Data Protection Directive, was not legally enforceable without individual nation governments’ legislation (as it was a directive, as opposed to a regulation). In contrast, the GDPR is immediately binding across the EU.
In the wake of the Cambridge Analytica scandal, these laws are a necessary and important barricade to such privacy breaches reoccurring. For example, the GDPR provides directions as to how data controllers must disclose their data collection, how users are empowered to request copies of their data records, and how controllers are to protect data through pseudonymisation (the process of encrypting personal data so it is unreadable without a key).[ii] Further, the GDPR outlines a host of rights of data subjects, including the right ‘to be forgotten’ and the right to ‘data portability’. These new rights are designed to ensure that data subjects remain in control of their data, and that the data processors and controllers who interact with it must comply with the directions and demands of their data subjects.
If companies are found to be in breach of the GDPR, they can be fined up to 4 per cent of their global revenue.[iii] For context, online retail giant Amazon would face a fee of roughly $82 million.
What is personal data?
According to the European Commission, personal data is any information “relating to an identified or identifiable living individual.”[iv] This information includes names, contact information and location data. Any information collected by a website or online service provider that relates to a person – their payment information, their personal email address and their IP address – is all protected under the GDPR.
How are we affected in Australia?
The GDPR is so far reaching, in fact, that all data collecting organisations and data processing organisations, whether inside or outside of the EU, must comply if they collect or process data belonging to EU citizens. This means that Australian based and Australian run organisations; if they collect, monitor or process any personal data belonging to EU citizens, are subject to the legislation.[v]
The reason for your influx of privacy-related emails is in the wake of the implementation of the GDPR. Whilst the volume of emails may be annoying, the knowledge that companies with your data are now facing far stricter privacy obligations in respect to data collection and processing, is comforting.
For further information or for legal advice relating to privacy concerns, you can call us on (07) 5532 3199 or send us a message.
[i] Regulation (EU) 2016/679 (EU General Data Protection Regulation)
[ii] GDPR Report, Data Masking: Anonymisation or pseudonymisation? (7 November 2017) GDPR Report < https://gdpr.report/news/2017/11/07/data-masking-anonymisation-pseudonymisation/ >
[iv] European Commission Policies, Information and Services, What is personal data? (2018) European Commission < https://ec.europa.eu/info/law/law-topic/data-protection/reform/what-personal-data_en >
[v] Office of the Australian Information Commissioner, General Protection Data Regulation guidance for Australian businesses (31 May 2017) Australian Government < https://www.oaic.gov.au/privacy/guidance-and-advice/australian-entities-and-the-eu-general-data-protection-regulation/ >