by Ted Ringrose BA LLB MPA
I recently participated in a debate, speaking for the proposition that Australian businesses should not be concerned by the EU GDPR. The debate was at King Wood Mallesons and, being a polite guest, I was happy for my KWM opponent to speak against that proposition. Though I’m pretty sure that, according to the principles of debating, I won the debate, I confess to having the indefensible side of the argument.
The GDPR comes into force on 25 May 2018. Many Australian companies don’t think it will affect them. Aside from the legal reasons why a large number of Australian businesses will be caught, here are some of the forces at play which could mean your business will have to comply. By the way, Dr Jodie Siganto’s guidance note on the GDPR explains the legal reasons for its relevance to Australian companies.
Like the rest of the world, EU member states are resentful that US law has become the de facto international legal standard for many areas of business activity. Companies dealing with US corporations have laboured under Sarbanes-Oxley Act requirements, US restrictions on technology exports and the burdens imposed by the Foreign Corrupt Practices Act, to name but three.
Many US corporations have sought to mitigate their risk of infringing these laws by imposing obligations on their foreign counterparties by means of contract, questionnaire, audit or all three. Often US corporations have entrenched these requirements in their procurement processes. The result is that requests by foreign companies to be exempted from them on the (not unreasonable) basis that they are irrelevant are usually ignored or not understood by lowly procurement box tickers. Yes, you can tell – I’ve been on too many late night calls explaining to Americans why their law is not aimed at and therefore is irrelevant to my client, with limited success. It should be noted that, unlike the US laws I have mentioned, in many cases it will not be possible to say that the GDPR does not apply to your company.
Privacy is one area of law in which the Europeans hold the moral and legal high ground and, in this, they are supported by their citizens. US privacy law is a mosaic of state and federal regulation and tends to be aimed at protecting citizens from identity theft and economic damage. In contrast, European (and Australian) privacy law is concerned with the protection of the individual’s privacy rights. This has led to a very strong European privacy culture among its citizens which has been embraced by European businesses.
European businesses take privacy seriously. That means they want their suppliers to take it seriously. As 25 May 2018 approaches, European businesses are requiring that their international suppliers explain to them how they will meet the GDPR requirements. Every one of the GDPR compliance questions we have received from clients has been driven by the demands of European customers.
They want to understand how the GDPR affects the Australian business and what the Australians are doing about it. Though some European businesses are realistic that it will be difficult to become fully compliant by 25 May, they want to see a compliance roadmap with specific milestones and to receive progress reports.
The GDPR compliance burden is onerous but not insurmountable. European customers can be placated by a compliance roadmap which prioritises certain activities. Of course, they will still demand ultimate compliance, and the real work must be done.
In the light of renewed scrutiny on American social media and internet companies’ privacy practices, the Europeans are more alert than ever to how foreign companies discharge their privacy obligations. As the GDPR is regarded by many as the high-water mark of international privacy law, some Australian businesses are embracing it as a matter of adopting world’s best practice.
Though I believe that European organisations are genuine in their commitment to privacy, I’m confident quite a few of them are quietly enjoying turning the tables on the Americans, by having them step up to the GDPR standard.
Whether American companies’ self-certification that they adhere to the EU-US Privacy Shield principles achieves that level of compliance is a matter for future comment. I can say that, according to a European in-house privacy officer I spoke to recently, the answer is “No!” and that “The shield will fall!”
Ringrose Siganto provides non-legal consultancy advice on GDPR issues and can help your company develop a roadmap to GDPR compliance.
Educate yourself about the EU GDPR and how it might affect your business by attending our webinar: What the new EU Data Protection Regulation means for Australia.
About the Author – Edward Ringrose BA LLB MPA
Ted Ringrose has provided legal and regulatory advice to IT, media and telecommunications companies and national governments and their agencies in Europe, Asia and Australia. He has assisted his clients to expand their businesses, restructure their operations and conclude transactions with their suppliers, customers, peers and competitors. He has advised multi-national corporations of their regulatory and legal obligations, including privacy compliance, across markets in Asia and Australia.
Ted read history and law at the University of Queensland and is a Master of Public Affairs from the University of Sydney. He has held senior positions in broadcasting and telecommunications companies and in law firms in Europe, Asia and Australia. After many years working in the cable communications industry in London for subsidiaries of Bell Canada International, he became broadcasting and telecommunication law consultant to the Government of the Hong Kong SAR. He has been General Counsel Asia Pacific for MCI WorldCom (now Verizon), which counted OzeMail as a subsidiary, and was a partner of Ashurst Morris Crisp (now Ashurst) in Singapore and of Squire Sanders in Hong Kong. Most recently Ted was a senior lawyer at Optus working on its most significant projects.