With the amendments to Australia’s privacy law coming into force, it is only natural that our attention is firmly focused on the domestic privacy scene at the moment. However, perhaps the bigger challenge for Australian businesses will come from abroad.
With a slow but steady pace, the European Union’s data privacy reform moves forward. One of its key features is that violations of the forthcoming Data Protection Regulation can result in fines of up to 2-5% of the offending company’s annual global turnover – a serious amount of money for most Australian businesses.
Having introduced its trailblazing data protection Directive in 1995, the EU is now looking to modernise its privacy law through a regulation that will harmonise the law across Europe. Several parts of the proposal have been controversial. and progress has been slow since the proposal was first released in January 2012. However, in a European Commission Memo released at the end of January, it was suggested that we may see an agreement on the data protection reform before the end of this year.
Dealing with Europe
So why should Australians care about a new law being introduced on a struggling market on the other side of the world? For the Australian business community, the answer lies in the effect the EU law may have in Australia. The EU has specifically stated that one aim of the reform is to ensure that companies based outside Europe will have to apply the same rules as European companies when they do business on the European market.
Any Australian business offering goods or services to EU residents in the EU will need to take account of the regulation. Similarly, any Australian organisation that processes the personal information of EU residents in the context of “the monitoring of their behaviour”, such as through internet tracking, are required to abide by the proposed EU law. And failure to comply may as mentioned have serious implications.
This also means that an Australian business which happens to sell something to a customer in the EU on a one-off basis must comply with the entire Data Protection Regulation.
Levelling the playing field?
In a March 4 speech, European Commission Vice-President, Viviane Reding, stressed that the proposed Data Protection Regulation “is about creating a level playing-field between European and non-European businesses. About fair competition in a globalised world.”
This argument does not lack merit. However, the idea that the regulation’s wide reach creates a “fair competition in a globalised world” is questionable. In fact, complying with the complex EU data privacy law is likely to be prohibitively expensive for small and medium sized non-EU businesses interacting on the European market on an irregular basis. The result will be that only large foreign businesses, and foreign businesses that do not care about complying with EU law, will be able to afford to enter the European market.
Improved data privacy protection is to be welcomed, but the problem is one of nuance. The proposed EU data privacy Regulation contains many different types of rules; some are aimed at preventing privacy abuse. Such rules are common in privacy laws around the world. There is of course nothing unreasonable about Australian companies wishing to benefit from the European market having to abide by EU law protecting against misuse of personal information.
But other rules are burdensome and require changes to business structures. For example, it seems absurd that an Australian organisation with some limited interaction with EU residents also has to implement potentially costly administrative measures as appointing a Data Protection Officer. Such rules should only apply to businesses that have a substantial presence on the European market.
The solution is obvious. Australia should encourage the EU to adopt more sophisticated rules as to when the proposed regulation applies outside the EU so as to avoid this type of all-or-nothing situation. We need to see the EU distinguish between the types of privacy rules it applies to everyone who deals with EU residents, and those rules that only apply to businesses substantially engaging on the European market.
But then again, Australia also takes an all or nothing approach in our privacy law - so maybe we should start the revolution on home soil.