General Data Protection Regulation privacy changes

EU General Data Protection Regulation (GDPR)

As per our previous publication, dated 22 January 2018, the European Union GDPR will be in effect from 25 May 2018, and will replace existing data protection rules set out in the 1995 European Directive 95/46/EC. While the GDPR will be law in the European Union (EU), it is nonetheless likely to impact on Australian businesses, as it applies to organisations that act within the EU or interact with its citizens.

These regulations apply generally to controllers and processors of data with an office inside the EU, entities operating outside which offer goods and services to individuals in the EU, or those which monitor the behaviour of individuals in the EU, such as through internet use profiling. In determining an approach, Australian based entities need to determine whether they are affected by GDPR. It is intended to operate beyond the borders of the EU, and EU regulators have the power to impose significant penalties for breach. Some Australian entities will have little interaction with EU based individuals. If services are provided to EU residents, or if web-based tracking technologies have been widely implemented, an Australian entity may wish to consider whether GDPR risks need to be mitigated.

In advance of the GDPR, many organisations have begun re-evaluating and restructuring the systems and policies currently in place to manage personal information. The following examples are based on public announcements made by the respective organisations, and may be useful in considering what changes should be made prior to 25 May 2018.

Google

Google has started a comprehensive review of its privacy policies, which begins with an updated user agreement, reflective of GDPR obligations. Google has also adopted a ‘security by design’ approach as encouraged by the GDPR. This has involved employing modern technical and organisational safeguards, forming dedicated security and privacy teams, and regularly undergoing third-party auditing of its digital systems.

The implementation of several ‘incident response systems’ has been aimed at preventing breaches from occurring and, where necessary, identifying breaches and automatically notifying those who are liable to suffer harm as a result.

Finally, client-facing tools will allow users to review all personal information stored on Google databases, and identify for what purposes the data is to be used. Control over personal information will also be extended to Google’s ad personalisation allowing consumers to restrict Google’s use of specific information.

Google Analytics

Google Analytics administrators (Admin) will be receiving several new tools, including data retention controls, customisable cookie settings, privacy controls, data sharing settings, the ability to delete data on account termination and IP anonymization.

Data retention settings allow Admin to determine how long user and event data is stored on Google’s servers for. After selecting a retention period, information will be automatically deleted from the system once the allotted period of time has elapsed.

Further, a user deletion tool will allow Admin to personally manage the deletion of all data associated with individual users from Google Analytics and/or Analytics 360 properties.

Google Analytics is also set to introduce an updated EU user consent policy which is reflective of the GDPR requirements. This is intended to make clear the information Google will be storing, and detail the purposes for which personal information will be used.

Apple

Updates to the Apple ID web page will allow users to download a copy of all of their personal information stored on Apple’s servers. This includes everything from data stored in applications including contacts, calendar, contacts, media, and music preferences, to personal information such as contact preferences, payment details, and residential addresses.

Further to being able to access the data, users will be able to use the site to temporarily deactivate, or permanently delete, the account and all of the associated personal information.

Separately, Apple has introduced a ‘splash screen’, which appears when certain applications attempt to gather or use personal information. Similar to previous examples, this screen provides details regarding what information will be gathered, and for what purpose.

Twitter

Twitter intends on updating the product details, and offering increased transparency as to what data is stored by Twitter, and how that information is used.

Twitter has also started updating its privacy policy to include sections relating to data portability, improved terms of access for EU users, and stricter adherence to data anonymity requirements.

Separately, Twitter has nominated a Data Protection Officer (DPO) who can be contacted confidentially regarding issues surrounding use of personal information.

Next Steps

Focusing on the recurrent trends identified above, companies should consider some of the following approaches to ensure that they are GDPR compliant:

1. Preparing transparent privacy notices which inform clients of what data will be stored, and for what purpose;
2. Updating IT systems to reflect the GDPR’s ‘security by design’ approach;
3. Allowing clients some degree of control over their personal data;
4. Updating user agreements to reflect stricter consent requirements;
5. Appointing a DPO to monitor and manage the organisation’s GDPR compliance;
6. Implementing appropriate technical safeguards and corporate policies to prevent unauthorised access to personal information;
7. Considering how they will respond to an exercise of a client’s ‘right to be forgotten’;
8. Ensuring that adequate procedures are in place to prevent, detect and report data breaches as they occur; and
9. Ensuring that systems are in place to process data access requests.

It is important to recognise that not every method will be applicable for each business. With the approaching deadline in mind, it may necessary to identify which GDPR obligations are immediately relevant, and seek advice as to how you can best ensure compliance.

HWL Ebsworth’s Data Protection team advises on the laws of each Australian jurisdiction and has considerable experience helping clients manage their compliance obligations arising from laws of Australia and their interaction with foreign legal requirements. Please contact a member of our team for further information on how we can assist you.

This article was written by Luke Dale, Partner, James Moore, Partner and Jonothan Cottingham-Place, Law Clerk.