From gobsmacked to turned
Europe’s General Data Protection Regulation (GDPR) came into force in May last year and was there for all to see well before that. My initial reaction when learning about the application of the GDPR was to be a little gobsmacked at what I perceived as jurisdictional overreach on the part of the European Commission and Parliament.
Sure, it was fine to impose new and higher standards of data protection on businesses, government agencies and others in EU Member States, despite the costs and challenges that that presented, but the European Commission and Parliament were doing much more than that. Now, businesses outside of the EU with the lightest of presence in the EU, or that could be perceived as targeting EU customers, would be called upon to up their game, by changing their technologies if needed, re-writing agreements with the data controllers they serve, entering into potentially multiple data protection addenda with both controllers and their own processors, and updating their privacy policies.
The GDPR spawned a range of new industries and niche practices. Privacy consultants, lawyers, technologists, accounting firms and others all got on board the GDPR train as it went whistling around the world, tooting “comply or risk whopping great fines” as it went.
But here’s the thing. Despite the GDPR’s comparative complexity, despite the range of ‘re-papering’ it has required, and despite the costs and fears it has generated, when you get stuck into the GDPR, when you read it from cover to cover, when you see the dramatic impact it has had on how businesses design and protect their technology offerings and, above all, when you yourself feel the impact it is having on the protection of your and others’ personal data, you come to live and breathe the organisational and cultural change that the GDPR has engendered.
So what? What does this mean for New Zealand businesses?
What does this all mean for us here in New Zealand? Many law firms and others here (let’s call them the GDPR advocates) have already made the point that New Zealand businesses with a presence in the EU or targeting EU residents may need to undertake a self-audit. They may need to take a close look at:
- their personal information holdings;
- the agreements they have with EU customers;
- the online terms they have for online services selling into Europe;
- the ‘subprocessors’ they use to help them provide their services;
- whether those subprocessors and the terms in place with them are up to scratch;
- their privacy policies, and so on.
Despite the low likelihood of the European Commission hauling a non-compliant business at the bottom of the earth over the coals (not to mention the unanswered questions around their ability to do so), the GDPR advocates are right. But they are right not only because of the legal risk that arises when the GDPR’s tentacles are sticking to you (which is what many GDPR advocates focus on). They’re right because of the evolving global change to which the GDPR has given birth and the impact this could have on your business.
What do I mean by that? Well, take an online business based in New Zealand that wants to sell wherever it can around the world. The business might not have a local presence in Europe and might not be expressly targeting EU residents (e.g., by selling in EUR or referring to customers or users in EU member states) in a way that ensnares it in the long tentacles of the GDPR. As such, strictly speaking, the GDPR may not directly apply to it. At the same time, though, this New Zealand business won’t want to turn potential EU customers away. And now comes the kicker: at least some of these ‘non-targeted’ yet still commercially attractive potential European customers may have become so familiar with GDPR-led norms that they’ll be surprised if this online business, which has no obvious territorial sales boundaries, doesn’t meet them.
If we start with potential EU consumers, some of them might be surprised to find there’s no right to have their personal data deleted or provided to them in a portable format.
What about commercial customers? Well, whether you like it or not, if you’re processing personal information for a ‘data controller’ business in the EU, then under the GDPR you’re a ‘processor’ for that business. The EU-based controller is required to comply with the GDPR and, despite any argument you might try to raise that you’re not directly bound by it, the fact that the EU-based controller is bound has clear implications for you. For example:
- the controller “shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject” (Article 28(1) of the GDPR); and
- “processing by a processor shall be governed by a contract … that is binding on the processor with regard to the controller and that sets out” a range of matters listed in Article 28(3) of the GDPR, many of which won’t be in pre-GDPR terms of service if the New Zealand business hasn’t put its mind to the GDPR.
If you don’t have a standard data processing addendum (or similar arrangement) in place that covers off what an EU data controller may expect to see, that data controller may frown at the prospect of having to put one in place with you or possibly even walk away.
Potential loss or gain of customers
The first practical implication here is this: even if you’re not, strictly speaking, directly subject to the GDPR, acting as if you’re not might lose you business (potential EU customers might just walk away) and acting as if you are might help you win business (as you’ll be showing them you’re at one with them in relation to GDPR compliance).
Data processing arrangements with EU-based controllers
The third implication is that, if you’re processing personal information for EU-based data controllers, they will (or should) expect that you’ll be putting in place with them the kind of contractual arrangements required by Article 28 of the GDPR. If you don’t already have these, you may wish to consider preparing them.
Boom goes the GDPR!
And boom! Right there, you see the practical global effect of the GDPR. It has clearly been crafted by clever minds who intended it to have the international impact it is having, despite initial objections from the likes of me about jurisdictional overreach. We can opine as much as we like about whether the GDPR goes too far territorially or whether the European Commission would ever take action against a business beneath the long white cloud but, ultimately, that may be utterly beside the point.
(Thanks to Daniel Ramirez who released his photo of Boz Schurr’s awesome octopus mural under a Creative Commons Attribution 2.0 Generic (CC BY 2.0) licence. I’ve cropped Daniel’s photo a bit to make it fit into this post. Thanks also to Boz Schurr for painting this awesome mural in the first place and agreeing to let me use this photo of it. You can find the mural on a wall in Honolulu, Hawaii, and you can see more of Boz’s work at bozschurr.com.)