Australia’s weaker privacy protection laws will be unsustainable when tough new measures giving individuals “the right to virtually disappear” come into force in the European Union tomorrow (Friday), according to a senior researcher at the University of Sydney Business School.
The EU’s General Data Protection Regulation (GDPR) will give individuals access to all data collected on them, the ability to correct errors and the right to move data between organisations such as banks and insurance companies.
Companies found in breach of the new regulations could face fines of up to €20 million ($A31 million) or four per cent of their global turnover.
The Business School’s Professor Vince Mitchell said the regulations, which effectively give individuals the right to “disappear”, will have a significant impact on Australian companies with EU connections and on EU companies dealing with Australia.
“Major personal data breaches like CBA, Cambridge Analytica and Yahoo show how vulnerable our privacy is,” said Professor Mitchell. “Now, the regulators in Europe are adopting the world’s toughest measures and Australia may have no choice but to follow suit.”
“EU companies will have to ensure that Australian firms comply with the GDPR before transferring data to them and will then have to obtain explicit consent from EU regulators to do so,” said Professor Mitchell. “Australian companies that gather data on individuals will have to comply with the GDPR before doing business with the EU or an EU firm.”
“This could create a two-tiered system of privacy protection with people enjoying more rights when they deal with an EU-based company or one with EU connections and this is just unsustainable,” Professor Mitchell warned.
Australia is currently not included on the European Commission’s list of non-EU countries considered to have adequate data protection laws and is, therefore, not permitted to deal freely with the EU.
“It’s worth noting that while New Zealand does make the grade, Australia is not even amongst those countries with which the EU is currently holding so-called adequacy talks,” Professor Mitchell said.
The new EU regulations shift the balance of power away from companies and towards individuals who will have the right to know what data is being collected on them and to challenge its intended use.
They will also have the right to opt out of certain types of data processing such as profiling and have the ability to challenge any decisions on such things as medical insurance or bank loans primarily based on data-based profiling.
“The GDPR will, for example, provide protection in high-risk situations where individuals are required to give passport, driver’s licence or visa information to estate agents, banks, immigration agents, employers and accountants,” Professor Mitchell said.
“It will also apply to sensitive data such as political opinions, religious affiliation, sex life, gender identity, union membership, ethnicity, physical or mental health or criminal convictions.”
“This requires consumers and companies to undergo a shift in mindset,” Professor Mitchell said. “Under these regulations, a person never really gives their data to a company, they simply allow them to process it, and so companies should never consider it their data.”
“Importantly, these regulations apply to any company holding or processing the data of EU citizens including Australian companies with EU connections.”