Opinion

New EU privacy rules could lead to better protections in Australia

24 May 2018
There's an imbalance in the personal data market: University expert
Could the tough General Data Protection Regulation (GDPR) lead to better protections in Australia? Professor Vince Mitchell from the University of Sydney Business School explains how the regulations might create pressure for change in Australia.

Major personal data breaches, such as those that occurred recently at the Commonwealth Bank, Cambridge Analytica and Yahoo, have taught us how vulnerable our privacy is.

As with cigarettes and alcohol, it took a long time to prove that poorly regulated data collection can do us harm. And as with passive smoking, we now know that data trading can harm those around us as well as ourselves.

Regulators in the European Union are cracking down on the problem with the introduction of the new, strict General Data Protection Regulation (GDPR) from May 25. The hope is that the new rules will shift the balance of power in the market for data away from companies and back to the people that data is about.

The GDPR applies to companies that trade in the EU or process the data of people in the EU. This includes some of Australia’s biggest companies, such as the Commonwealth Bank and Bunnings Warehouse. Since companies that don’t operate in the EU or process the data of people in the EU aren’t required to comply, Australian consumers could soon be facing a two-tier system of privacy protections.

That isn’t all bad news. By choosing to deal with companies with better data protection policies, Australian consumers can create pressure for change in how personal data is handled across the board.

How the GDPR empowers consumers

The GDPR makes it clearer what companies should be doing to protect personal data and empowers consumers like never before.

When dealing with companies operating in the EU, you will now have the right to:

  1. access your own data, including any data derived or inferred from it
  2. rectify errors and challenge decisions based on your data, including objecting to direct marketing
  3. be forgotten, and have your data erased, in most situations
  4. move your data more easily, such as when changing insurance companies or banks
  5. object to certain types of data processing, and challenge significant decisions based purely on profiling, such as for medical insurance or loans
  6. compensation.

This final right will lead to another profound improvement in regulation of the market for personal data.

Consumers as a regulating force

As a result of these new rights and powers, consumers themselves can help regulate company behaviour by monitoring how well they comply with GDPR.

In addition to complaining to authorities, such as the Information Commissioner, when consumers encounter breaches they can complain directly to the company, share stories online and alert fellow users.

This can be powerful – especially when whistleblowers actually work in the industry, as was the case with Cambridge Analytica’s Christopher Wylie.

Companies that don’t protect people’s personal data will face fines from the regulator of up to 4% of global annual turnover or €20 million, whichever is higher. In addition, they could be required to pay compensation directly to consumers who have asked investigating authorities to claim on their behalf.

This potentially means that all those millions of EU citizens who were caught up in the Facebook Cambridge Analytica scandal could, in the future, be able to sue Facebook.

From the viewpoint of empowering and motivating consumers to monitor what companies do with their data, this is a momentous change.

A shift in our expectations of data privacy

The way things currently stand, there is an imbalance in the personal data market. Companies take all the profit from our personal data, yet we pay the price as individuals, or as a society, for privacy breaches.

But as a result of GDPR, we are likely to see expectations of how companies should act begin to shift. This will create pressure for change.

You’ve probably already been sent notifications from companies asking you to re-consent to their privacy policies. This is because GDPR expects consent to be more explicit and active – default settings and pre-checked boxes are considered inadequate.

Consumers should also expect companies to make it just as easy to withdraw consent as it is to give it.

Unlike New Zealand, which has strong privacy laws, personal data protections in Australia – and the massive data markets of BRIC countries – are not considered “adequate”, and fall below EU standards.

Consumers should be wary of vested interest arguments, such as Facebook’s claim that it just wants to connect people. To use an analogy, that’s comparable to an alcohol manufacturer saying it just wants people to have a good time, without highlighting the potential risks of alcohol use.

If you want these greater rights and protections, now is the perfect time to lobby your Members of Parliament and demand the best available protection from all the companies you deal with.

 

This article was written by Professor Vince Mitchell from the University of Sydney Business School's Discipline of Marketing. It was first published on The Conversation as 'Tough new EU privacy regulations could lead to better protections in Australia'.
