By Christina Krantz and Sonja Van Der Steen
It took less than a day for the GDPR (also known as the European Union General Data Protection Regulation) to see its first lawsuit.
Coming into force on 25 May 2018, the GDPR is a new regulation aimed at enforcing stricter rules concerning the use of EU residents’ personal information. On that same day, Austrian privacy activist Max Schrems filed lawsuits against both Facebook and Google for a total of 7.6 billion euro ($11.6 billion AUD), alleging coercion by the two companies.
The fines sought in these lawsuits are no doubt a significant amount of money, and while most companies will not see fines that high, it is important for all entities that interact with the personal information of EU residents (which includes information such as first name and last name, as well as digital cookies) to be aware of the GDPR.
Some of the main components of the GDPR are:
- Privacy by Design: The GDPR requires companies to know not only why they are collecting personal information but also how it is being used and how it is managed. One way to achieve compliance is to have documented policies and procedures in place that detail the lifecycle of the personal information collected. This process should also be undertaken each time a new process or system is introduced to the company.
- Consent for All Use: Entities must obtain consent for all contemplated usage. This means that if you have consent to do one activity (such as fulfilling a customer’s online shopping order), consent is not automatically granted to do another activity (such as remarketing ads). Compliance with this requirement is easier to achieve if a company has properly documented its data processes and has implemented a Privacy by Design approach.
- Right to be Forgotten: In addition to a company’s normal procedure for removing personal information once it is no longer needed, if an individual requests that their personal information be removed, that company must comply unless there are explicit reasons to the contrary (for example, another law prevents you from deleting the information).
The Right to be Forgotten also extends to third-party software integrations. If a company passes personal information to a third party and an individual requests to be forgotten, the first company must request that the third party remove the personal information as well.
The first lawsuits are only examples of the potential consequences of non-compliance with the GDPR, where fines can be either 20 million euro or 4% of the company’s total worldwide annual turnover for the preceding (European) financial year. The suits filed by Schrems have yet to be decided, and it remains unclear whether, if Facebook and Google are found to be in breach of the GDPR, the full fine will be applicable.
Facebook and Google have both responded to the lawsuits advising they are compliant with the GDPR.
How the GDPR will affect your compliance responsibility will depend on the type of personal information held by your company and the proposed use of that personal information. At a minimum, all companies should review how they use personal information and whether they capture EU resident data.
If you’d like to discuss the GDPR, call Rouse Lawyers’ technology team on 07 3667 9696.