The EU General Data Protection Regulation (GDPR) comes into effect on 25 May 2018. The GDPR is set to shake up the privacy law landscape across the EU and in the UK, with individuals being handed power and control over their data that they do not have under the existing EU privacy law regime. This tightening of data privacy laws will significantly impact most major global data giants, and in particular for the corporations whose business model is heavily reliant on a relatively unrestricted ability to collect, store and analyse data such as Amazon, Facebook and Google.
How will the GDPR change the privacy law landscape in Europe?
The GDPR will restrict the collection of personal data by making it unlawful to process personal data except for the specific purpose that a “data subject” has consented to, or in circumstances where there is a contractual obligation or where it is necessary to achieve one of a few “limited interests”. Moreover, under the GDPR, data subjects have the right to demand to know whether or not their personal data is actually being processed, and may also restrict the processing of their data by a data controller. Consent to data collection and use is a major theme of the GDPR.
How will these changes affect the big players?
Facebook’s conduct concerning user privacy has been seriously and publicly called into question over the past few months (read our article about ), but behind that public inquisition, Google has also been under the microscope of lawyers and regulators who are asking how Alphabet Inc. (Google’s holding company) intends to deal with the GDPR. The response of Google - the company that processes upwards of 2 trillion searches per year and categorises its results based largely on data collected about individuals (and separately uses that information to conduct targeted advertising) - is not only intriguing from a privacy law perspective, but is also fundamentally important to understanding the effectiveness of the GDPR generally.
Google has chosen to pass the burden of consent imposed by the GDPR to the publishers of its targeted advertisements. This defence of the status quo has drawn controversy from various commentators, who have alleged that Google has not found a solution, but rather that the targeted advertising model adopted by Google is inherently GDPR non-compliant.
Given the ubiquity of Google’s advertising throughout the internet, it seems almost inevitable that the GDPR will be tested against Google’s interpretation. The resulting determination (or determinations) could change the way we interpret our privacy law obligations in relation to cross-border interactions, and may also shape the way that future data security and privacy legislation is drafted at home.
I’m an Aussie business – should I care about GDPR?
The GDPR applies to organisations located within the EU, but it will also apply to organisations located outside of the EU if they offer goods or services to persons located within the EU (including via the internet) or monitor the behaviour of individuals in the EU. This reach is significant enough to touch many Australian businesses, particularly those operating in the digital economy, and the privacy and data protection requirements generally represent a higher expectation than the Australian Privacy Principles. This means that Australian agreements that relate in any way to the processing of data in or from the EU should be reviewed to ensure compliance with the GDPR.