EU – GDPR General Data Protection Regulation – US – Australia


In the US and Australia there seems to be much ignorance of, and complacency about, the potential impact of the EU General Data Protection Regulation (GDPR) on private data, on data collectors such as government agencies, and on commercial entities accessing and using data for commercial reasons. Is this underpinned by a lack of citizens’ rights?

‘Data privacy rules in the EU may leave the US behind

January 24, 2019 8.03am AEDT

France made headlines on Jan. 21 for fining Google US$57 million – the first fine to be issued for violations of the European Union’s newly implemented General Data Protection Regulations. GDPR, as it’s called, is meant to ensure consumers’ personal information is appropriately used and protected by companies. It also creates procedures to sanction companies who misuse information.

According to French data privacy agency the National Commission on Informatics and Liberty (CNIL), which levied the fine, Google didn’t clearly and concisely provide users with the information they needed to understand how it was collecting their personal data or what it was doing with it. Additionally, CNIL said Google did not obtain user consent to show them personalized advertisements. For its part, Google may appeal.

In other parts of the EU, similar investigations are currently underway against Facebook, Instagram and WhatsApp.

This case demonstrates the increasingly prominent role that the EU intends to play in policing the use of personal information by major companies and organizations online. The U.S. lags behind Europe on this front. As a researcher who studies computer hacking and data breaches, I’d argue the U.S. may have ceded regulatory powers to the EU – despite being the headquarters for most major internet service providers. Why has the U.S. not taken a similarly strong approach to privacy management and regulation?

Do individual Americans even care?

There’s no single answer to why the U.S. hasn’t taken similar measures to protect and regulate consumers’ data.

Americans use online services in the same way as our European counterparts, and at generally similar rates. And U.S. consumers’ privacy has been harmed by the ever-growing number of data breaches affecting financial institutions, retailers and government targets. The federal government’s own Office of Personnel Management lost millions of records, including Social Security numbers, names, addresses and other sensitive details, in hacks. My research demonstrates that hackers and data thieves make massive profits through the sale and misuse of personally identifiable information….

Companies don’t want these regulations

Social media sites’ and internet service providers’ resistance to external regulation is also a likely reason why the U.S. has not acted.

Facebook’s practices over the last few years are a perfect example of why and how legal regulation is vital, but heavily resisted by corporations…..

….Should the U.S. continue on its current path, it faces a substantial risk not only to personal information safety, but to the legitimacy of governmental agencies tasked with investigating wrongdoing.’

 

For more related blogs and articles on digital literacy, digital marketing, digital or e-consumer behaviour, EU GDPR and social media marketing, click through

 


EU GDPR – Digital Marketing – European Commission – General Data Protection Regulation

What impact will the EU General Data Protection Regulation (GDPR) have upon advertising, media, marketing and social media channels in both the EU and outside?

How important is involvement of IT/web teams, customers, legal, financial, communications and marketing?

EU EC GDPR 2018 description for business and marketing

European Commission GDPR General Data Protection Regulation (image copyright European Commission)

The European Commission GDPR

According to the European Commission:

Fundamental rights

The EU Charter of Fundamental Rights stipulates that EU citizens have the right to protection of their personal data.

Legislation

The new data protection package adopted in May 2016 aims at making Europe fit for the digital age. More than 90% of Europeans say they want the same data protection rights across the EU and regardless of where their data is processed. (European Commission, 2018)

Scope of the GDPR

From the technology consultancy Trunomi (2018):

‘The EU General Data Protection Regulation (GDPR) replaces the Data Protection Directive 95/46/EC and was designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens’ data privacy and to reshape the way organizations across the region approach data privacy. The key articles of the GDPR, as well as information on its business impact, can be found throughout this site.

An overview of the main changes under GDPR and how they differ from the previous directive

  • Increased Territorial Scope (extra-territorial applicability)
  • Penalties
  • Consent
  • Data Subject Rights
  • Breach Notification
  • Right to Access
  • Right to be Forgotten
  • Data Portability
  • Privacy by Design
  • Data Protection Officers’

 

Australian context for the GDPR

From the Office of the Australian Information Commissioner (OAIC 2018):

Key messages

The European Union General Data Protection Regulation (the GDPR) contains new data protection requirements that will apply from 25 May 2018.

Australian businesses of any size may need to comply if they have an establishment in the EU, if they offer goods and services in the EU, or if they monitor the behaviour of individuals in the EU.

The GDPR and the Australian Privacy Act 1988 share many common requirements, including to:

  • implement a privacy by design approach to compliance
  • be able to demonstrate compliance with privacy principles and obligations
  • adopt transparent information handling practices.

There are also some notable differences, including certain rights of individuals (such as the ‘right to be forgotten’) which do not have an equivalent right under the Privacy Act.

Australian businesses should determine whether they need to comply with the GDPR and if so, take steps now to ensure their personal data handling practices comply with the GDPR before commencement.

Issues of non-compliance

However, Hern (2018), writing in The Guardian about companies that make heavy use of personal data, reports:

Privacy policies from companies including Facebook, Google and Amazon don’t fully meet the requirements of GDPR, according to the pan-European consumer group BEUC.

An analysis of policies from 14 of the largest internet companies shows they use unclear language, claim “potentially problematic” rights, and provide insufficient information for users to judge what they are agreeing to.

“A little over a month after the GDPR became applicable, many privacy policies may not meet the standard of the law,” said Monique Goyens, BEUC’s director general. “This is very concerning. It is key that enforcement authorities take a close look at this.”

Impact on Email marketing

Email marketing software company MailChimp (2017):

The scope of the GDPR is very broad. The GDPR will affect (1) all organizations established in the EU, and (2) all organizations involved in processing personal data of EU citizens. The latter is the GDPR’s introduction of the principle of “extraterritoriality”; meaning, the GDPR will apply to any organization processing personal data of EU citizens—regardless of where it is established, and regardless of where its processing activities take place. This means the GDPR could apply to any organization anywhere in the world, and all organizations should perform an analysis to determine whether or not they are processing the personal data of EU citizens. The GDPR also applies across all industries and sectors…… relevant to MailChimp…

 

…..Expansion of scope; definitions of personal and sensitive data; individual rights: EU citizens will have several important new rights under the GDPR, including the right to be forgotten, the right to object, the right to rectification, the right of access, and the right of portability and stricter processing requirements’

 

However, the most significant issue is the stricter consent requirements:

Stricter consent requirements

Consent is one of the fundamental aspects of the GDPR, and organizations must ensure that consent is obtained in accordance with the GDPR’s strict new requirements. You will need to obtain consent from your subscribers and contacts for every usage of their personal data, unless you can rely on a separate legal basis, such as those found in number 5 below. The surest route to compliance is to obtain explicit consent. Keep in mind that:

1. Consent must be specific to distinct purposes.
2. Silence, pre-ticked boxes or inactivity does not constitute consent; data subjects must explicitly opt-in to the storage, use and management of their personal data.
3. Separate consent must be obtained for different processing activities, which means you must be clear about how the data will be used when you obtain consent. (MailChimp 2017).

Consent appears to be central both to compliance and to the right of privacy, yet it is problematic for much existing ‘marketing’ practice.

Best Practice Marketing

Meanwhile, in Australia, Hanson (2018) argues in ‘Mumbrella’ that the GDPR is best practice for both business and customers:

For Australian businesses that want to better serve their customers, the GDPR signals the end of activities that marketers should have abandoned long ago. This means that it’s no longer good enough to buy a mailing list, nor is it appropriate to send cold-call emails or, heaven forbid, actually send spam.

Under the new rules, customers have to explicitly opt-in to getting your communications. In the old days, it was fine to pre-tick boxes on a web form allowing you to send a customer marketing emails. Now you can’t do that. Instead, customers have to give consent to you communicating with them, and that consent needs to be clear, in plain English, as well as informed, specific, unambiguous and revocable.

How to implement GDPR?

What does this mean for marketing in a digital environment or system? According to the Digital Marketing Institute (2018):

Step 1. Get your privacy policy page up to scratch

Step 2. Audit your current databases for opt-in consent

Step 3. Re-opt-in campaigns for current databases

Step 4. Create a process for opt-in consent

Step 5. Get the sales team on board

Step 6. Review third-parties who have access to your databases

Step 7. Have a streamlined process for information requests

Step 8. Prepare for a security breach.
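The consent rules quoted from MailChimp above and steps 2, 3, 4 and 7 of this checklist translate into one simple data structure: a per-purpose, timestamped consent record that refuses implicit capture methods (pre-ticked boxes, silence, purchased lists), honours withdrawal, flags contacts who need a re-opt-in campaign, and can be exported to answer an information request. The following is an added illustration in Python, my own and not code from MailChimp, the Digital Marketing Institute or any other source cited on this page; the e-mail identifiers, purpose names, capture-method labels and sample contacts are assumptions constructed for the example.

```python
"""Per-purpose consent ledger: an added, constructed example, not code from
MailChimp, the Digital Marketing Institute or any other source cited on this page.

Assumptions (mine, not the page's): contacts are identified by e-mail address,
a "purpose" is a short string such as "newsletter", and the ledger lives in
memory. A production version would persist it append-only so that the history
itself is the evidence that consent was obtained (and when, and how).
"""
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
from typing import Dict, List, Optional


@dataclass(frozen=True)
class ConsentEvent:
    subject: str          # who (assumed identifier: e-mail address)
    purpose: str          # one distinct processing purpose
    granted: bool         # True = opt-in, False = withdrawal
    at: datetime          # when (UTC)
    method: str           # how it was captured, e.g. "web_form_unticked_checkbox"
    notice_version: str   # which privacy notice the subject saw at the time


class ConsentLedger:
    # Capture methods that, under the consent rules quoted on this page, are NOT consent.
    INVALID_METHODS = {"pre_ticked_checkbox", "silence", "inactivity", "purchased_list"}

    def __init__(self) -> None:
        self._events: List[ConsentEvent] = []

    def record_opt_in(self, subject: str, purpose: str, method: str,
                      notice_version: str, at: Optional[datetime] = None) -> ConsentEvent:
        """Store an explicit opt-in; refuse anything that is not an affirmative act."""
        if method in self.INVALID_METHODS:
            raise ValueError(f"{method!r} is not explicit consent and will not be recorded")
        ev = ConsentEvent(subject, purpose, True,
                          at or datetime.now(timezone.utc), method, notice_version)
        self._events.append(ev)
        return ev

    def record_withdrawal(self, subject: str, purpose: str,
                          at: Optional[datetime] = None) -> ConsentEvent:
        """Consent must be revocable: a later withdrawal overrides the earlier opt-in."""
        ev = ConsentEvent(subject, purpose, False,
                          at or datetime.now(timezone.utc), "withdrawal", "n/a")
        self._events.append(ev)
        return ev

    def has_consent(self, subject: str, purpose: str) -> bool:
        """Latest event for this (subject, purpose) wins; no event at all means no consent.
        Consent for one purpose says nothing about any other purpose."""
        latest: Optional[ConsentEvent] = None
        for ev in self._events:
            if ev.subject == subject and ev.purpose == purpose:
                if latest is None or ev.at >= latest.at:
                    latest = ev
        return latest is not None and latest.granted

    def audit(self, contacts: List[str], purpose: str) -> List[str]:
        """Checklist steps 2-3: contacts in an existing database with no valid
        opt-in for this purpose, i.e. candidates for a re-opt-in campaign (or deletion)."""
        return [c for c in contacts if not self.has_consent(c, purpose)]

    def access_request(self, subject: str) -> List[Dict[str, object]]:
        """Checklist step 7 / right of access: one subject's full consent history."""
        return [{**asdict(ev), "at": ev.at.isoformat()}
                for ev in self._events if ev.subject == subject]


def build_demo_ledger() -> ConsentLedger:
    """Constructed sample data (not real subscribers) exercising the rules above."""
    t0 = datetime(2018, 5, 25, tzinfo=timezone.utc)   # GDPR application date
    led = ConsentLedger()
    led.record_opt_in("alice@example.com", "newsletter",
                      "web_form_unticked_checkbox", "privacy-notice-v2", t0)
    led.record_opt_in("bob@example.com", "newsletter",
                      "web_form_unticked_checkbox", "privacy-notice-v2", t0)
    led.record_withdrawal("bob@example.com", "newsletter", t0.replace(month=6))
    # carol@example.com came from a purchased list and never opted in: nothing is recorded,
    # so has_consent() is False and audit() lists her for re-opt-in or removal.
    return led
```

The point of keeping the method and notice version on every event is the OAIC’s “be able to demonstrate compliance”: when a regulator or a data subject asks, the record shows not only that consent exists but what the subject was told and what act constituted the opt-in. The output of `audit()` is exactly the list a step 3 re-opt-in campaign should be sent to; anyone who does not respond stays without consent and must not be mailed.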

 

In the short term the direct impact is that client email lists can be neither sold nor bought; instead, clear and voluntary consent (opt-in) has to be collected organically from prospective and existing clients. How?

By using digital marketing techniques to attract organic inbound traffic through search engine optimisation (SEO), treated not just as a strategy but as a living system that draws prospective clients in over time. This supports compliance and allows prospective clients to opt in voluntarily to newsletters, follow-up and so on, with the assurance that their data will be kept private and not shared.

However, organic inbound SEO requires cooperation and input across departments to share interdisciplinary expertise, whether strategic management, IT, legal, finance, logistics, marketing, communications and, importantly, customers or clients.

 

Reference List:

Digital Marketing Institute, 2018, ‘Trends & Insights: The Definitive GDPR Checklist for Marketers’, 5 April, viewed 7 July 2018, < https://digitalmarketinginstitute.com/en-au/blog/05-04-2018-the-definitive-gdpr-checklist-for-marketers >

European Commission, 2018, ‘Data protection in the EU’, viewed 7 July 2018, < https://ec.europa.eu/info/law/law-topic/data-protection/data-protection-eu_en >

Hanson, G 2018, ‘GDPR is a great thing for Aussie marketers’, Mumbrella, 13 June, viewed 7 July 2018, < https://mumbrella.com.au/gdpr-is-a-great-thing-for-aussie-marketers-522988 >

Hern, A 2018, ‘Privacy policies of tech giants ‘still not GDPR-compliant’’, The Guardian, 5 July, viewed 7 July 2018, < https://www.theguardian.com/technology/2018/jul/05/privacy-policies-facebook-amazon-google-not-gdpr-compliant >

MailChimp, 2017, ‘Getting ready for the GDPR’, MailChimp Blog, 9 October, viewed 7 July 2018, < https://blog.mailchimp.com/getting-ready-for-the-gdpr/ >

OAIC (Office of the Australian Information Commissioner), 2018, ‘Privacy business resource 21: Australian businesses and the EU General Data Protection Regulation’, viewed 7 July 2018, < https://www.oaic.gov.au/agencies-and-organisations/business-resources/privacy-business-resource-21-australian-businesses-and-the-eu-general-data-protection-regulation >

Trunomi, 2018, ‘EU GDPR key changes’, viewed 7 July 2018, < https://www.eugdpr.org/key-changes.html >