The European Union is set to enforce new data privacy rules. Here's why they should benefit New Zealand too.
On May 25, the 28 EU nations will begin enforcing sweeping new data-protection laws known as the General Data Protection Regulation (GDPR). It was enacted by the European Parliament in 2016, and companies that process, store and use the data of people based in the EU have had two years to get their systems in order to comply with it.
By early June, the sort of reckless behaviour that resulted in the personal details of at least 87 million Facebook users being given to British political consulting firm Cambridge Analytica could result in crushing fines not just for EU companies but for any firm mistreating the data of people in the EU.
The provisions include a requirement to inform oversight authorities and victims of serious data breaches within 72 hours of the breaches being discovered, the right for service users to be told within 30 days exactly what information a company has on them, and the right for users to download their data in a format they can take to a rival provider.
The GDPR will tighten the long-winded terms-and-conditions statements that most of us click through without reading. Companies will have to outline exactly what data they are collecting, minimise its collection and gather information only for the purposes of providing the intended service. This will limit data-harvesting by companies that use weasel words to extract user information so adverts can be aimed at them.
There will be regular audits to keep data processors honest, and the big players will have to appoint a data-protection officer to oversee data policies and answer requests for information.
The laws have teeth: non-compliance will be met with fines of up to €20 million or 4% of a company’s turnover, whichever is larger. This is the strongest measure to check the power of Big Tech to date.
The US has accepted a laissez-faire approach to data protection and regulation of its tech giants in general, something unlikely to change under President Donald Trump.
Not so Brussels, which in the past few years has slapped a US$2.7 billion fine on Google for anti-competitive behaviour, introduced a “right to be forgotten” law that lets EU citizens have search-engine results about them erased and proposed increasing the taxes paid by tech giants in the EU.
Although the laws are aimed at protecting EU citizens, we will benefit by default. Already, Apple has rolled out new privacy features to become GDPR-compliant. Facebook’s Mark Zuckerberg, who has been under pressure since the data scandal came to light, said changes applied to EU users would take effect globally. Many other companies will be asking you over the next couple of months to read their updated data privacy policies. Take a moment to do so.
The GDPR’s reach will extend to New Zealand companies with customers in the EU, such as accounting software provider Xero and Air New Zealand. The laws will also apply in post-Brexit Britain. The compliance costs will be significant and the complexities of how data is processed and stored will generate plenty of business for lawyers and IT consultants.
But the timing of the GDPR’s arrival is uncanny. Facebook’s woes are a catalyst for change. The EU has the mandate to act, and New Zealand privacy legislation is before Parliament for an overhaul, with provisions such as data breach notifications on the cards here too.
Finally, enough of us are waking up to the implications for our private lives and democracy of the big-data swindle. GDPR should be a spur to better behaviour and greater trust worldwide when it comes to safeguarding our data.
This article was first published in the April 21, 2018 issue of the New Zealand Listener.