EU Privacy Regulator Flexes Her Muscles In Foreign Lands

Try this for a bad day at the office! Canadian company Aggregate IQ Services Limited recently received an Enforcement Notice from the UK Information Commissioner demanding that:

“AIQ shall within 30 days of this notice: Cease processing any personal data of any UK or European citizens obtained from UK political organisations or otherwise for the purpose of data analytics, political campaigning, or any other advertising purposes”.

I am sure their management had a few sleepless nights over this. This is an EU privacy regulator flexing her very powerful rights under GDPR. This case will be a good test of the regulators’ powers to enforce GDPR in countries outside of the EU, especially as AIQ did not have a “representative” appointed under Article 27. (Businesses outside of the EU are required to have a “representative” in most cases if the business’s processing of the relevant EU personal data is subject to GDPR. Fines of up to €10m or 2% of worldwide turnover apply for breach of this requirement.)

Be warned: the EU regulators have the power to force non-compliant businesses to stop processing EU personal data, as well as the power to issue multi-million Euro fines.

Surely the EU GDPR can’t apply to a small Australian business? And should they care?

Put simply, it probably does! And yes, they absolutely should care!


The new EU Privacy law came into force on 25 May 2018, and applies to any Australian business (irrespective of size) if any one of the following applies:

  1. The business has a presence (office or people) in the EU, OR
  2. The business offers goods or services to individuals in the EU (whether at a fee or not), OR
  3. The business monitors behaviour of individuals in the EU (which includes using analytics software on its website).

And the business should care, for a couple of reasons. Firstly, customers prefer to deal with companies that respect their privacy and their data, so a business that does not comply is likely to lose customers. Secondly, a company that does not comply is exposed to fines of up to €20 million or 4% of global group turnover, whichever is the higher. Worse still, the EU privacy regulator could order the business to stop processing any EU personal data immediately.

The GDPR is the tough new gold standard of privacy compliance, and requires a complete “privacy by design and default” approach to the business, its customers, employees and suppliers; it demands transformational change. It is not a case of a quick update to the company’s privacy policy and “she’ll be right”. There are no quick fixes or silver bullets. The business will need to go through a carefully planned and fully documented compliance program encompassing all departments within the business. Even using outside experts, this will take 3-6 months for a small organisation and will cost tens of thousands, if not hundreds of thousands, of dollars.

Large companies in the US, for instance, are spending around USD 1-10 million on their GDPR compliance programs. And of course, as the law has already come into effect (there is no “transition period”), businesses need to start their compliance programs immediately, as they are, no doubt, already in breach!