What does GDPR mean for Australians?

In a time of technological mistrust, who can you really trust with your personal information online?

While not a part of the European Union, except perhaps for the Eurovision Song Contest, Australians are feeling the effects of the General Data Protection Regulation (GDPR) which came in to effect on 25th May 2018.

You will have received emails from many sites that you’ve given your details to in the past asking you to confirm that you agree to them holding and using your details. While not a requirement, it’s often easier for an online organization to ask everyone rather than trying to figure out who’s actually in the EU.

The reason for all the activity is that the penalties for contravening the GDPR are large and have been described as “eye watering”. Penaltiesare up to 20 Million Euros or 4% of the company’s global annual turnover for the previous financial year. For multinational companies like Google, Facebook, Apple and many others this has helped to focus their attention. Some online sites have chosen to simply block access to EU users rather than take the risk.

What is the GDPR?

The new regulations gives control of personal data back to citizens and residents of the EU. Personal information includes things like your name, address, email, location data, IP address, cookie ID, advertising tracking id and medical data that can identify you.

Collection of personal data can only be done with the person’s explicit permission, which is why we’re all being inundated with requests to confirm our agreement, and the collection and sharing must have a lawful basis and be clearly disclosed.

Citizens have the right to request a copy of the data collected about them and the right to have that data erased.

Data breaches, where personal data has been leaked or stolen, must be reported within 72 hours.

Is GDPR good for Australians?

The avalanche of requests to confirm permission for sites to hold our data has been a positive as this information is often sold or aggregated as part of mergers and acquisitions.

While some sites such as Google have long offered a way to see what they track, others like Apple have had to add this feature as a result of the new regulation.

Tracking done by advertisers has long been a mystery and it is expected that some of their dark power will be reduced as a result of the GDPR and other technical improvements in both browsers and operating systems.

Should Australia have it’s own GDPR?

We already have some parts of the GDPR in the form of mandatory data breach notification laws which came in to effect in February 2018. Australia also has the “Spam Act” of 2003 that requires that all commercial electronic messages (including email) must have been sent with the recipient’s agreement and that they contain a functioning unsubscribe mechanism.

The attention drawn to the collection and use of our private data by Facebook has led many to re-consider their use of free social media services. Browsers, while declining is use compared to apps, are improving their ability to protect us from some secretive tracking. Ad blockers are becoming mainstream and we do appear to be entering a period where transparency is a positive feature of a tech company.

The GDPR is a shock to the tech industry which has gone beyond what any of us dreamed. That shock is good but may have a chilling effect on startups causing them to avoid the EU jurisdiction in their early days.

It looks like countries outside the EU including South Korea, Japan and Brazil are planning to enact similar legislation and it’s possible that Australia too will act to smooth future trade deals with the region.

Written by Peter Marks for GovHack.
Peter Marks is a software developer and technology analyst.
He is a regular contributor to ABC Radio National and blogs at http://blog.marxy.org