INTERVIEW

INTERVIEW

The GDPR: A perspective from Down Under

An interview with Professor Graham Greenleaf, University of New South Wales and Anna Johnston, Salinger Privacy

During their visit to  Brussels in June 2018,  we took a few minutes to discuss  the perspective of the GDPR from Down Under with  Professor Graham Greenleaf, University of New South Wales and Anna Johnston, Director of Salinger Privacy.

1. What has been the most important aspect about your visit to Brussels as a LSTS visiting scholar?

Anna Johnston (AJ): I relished the opportunity to meet with LSTS staff and other privacy experts and practitioners – such an amazing concentration of privacy expertise in the one city is unique.  Being at VUB during the privacy summer school was particularly valuable. I was impressed at how VUB offered its students an incredible range of expert speakers and topics.  On a lighter note – it is always a pleasure for me to return to Belgium, where I lived for a year in my teens, so that I may visit with my old friends: les frites, gaufres, et pralines.

Graham Greenleaf (GG): I have for a long time appreciated what an amazing concentration of privacy scholars are at (or associated with) VUB and LSTS. This is the most impressive concentration anywhere, as far as I am aware. It has made me very interested in future collaboration and involvement - but not to the extreme of being willing to leave Sydney in January to come to Brussels for CPDP :-)

2. What do you think is the biggest challenge concerning the GDPR for the EU? What would it be for Australia?

GG: For the EU: One of the biggest challenges is to maintain the GDPR’s currently very high credibility both within and outside the EU. This should be done through very serious enforcement actions, while at the same time avoiding over-zealous enforcement on small companies that are still getting used to the concepts and requirements (large companies have no excuses and have had two years to prepare).  Both the first billion penalty, and the first multi-million compensation payments are needed in order to send the correct signals to all parts of the market for regulation.

Another big challenge is to maintain the credibility of adequacy assessments, through decisions which demonstrate a principled approach, and not an opportunistic bargaining process (despite disavowals). Adequacy decisions must be context-dependent and not too rigid, but they must also uphold the principled basis of the GDPR. The Japanese and Korean decisions will be vital for this credibility to be established, and will present quite different challenges.

For Australia: To obtain a credible law in GDPR terms is the main problem. The GDPR has ‘moved the goalposts’, and Australia’s law is now further away from adequacy than it was a decade ago when its initial adequacy assessment did not succeed (I published on this in June).

A further important challenge is the obtaining of a credible Privacy Commissioner (position currently vacant) who is willing to enforce the law by making binding decisions under section 52 of the Australian Privacy Act. Such an enforcement is necessary but unlikely to occur. The four Commissioners since 2001 have made an average of less than two such decisions per year. The Commissioner usually dismisses complaints without making section 52 decisions, and refuses to make them on  request of the complainant. Without such decisions, there can be no appeals, and so no case law results from the higher courts (so far there have been two decisions of substance on the Privacy Act in 30 years). The increased administrative penalties remain unused.

AJ: For the EU: The biggest task is indeed enforcement. Laws mean nothing until they are enforced.

For Australia the biggest challenge linked to the GDPR is coherent guidance. Businesses in Australia and elsewhere outside of the EU are impacted by the GDPR, because for example they have customers inside the EU. They need coherent guidance coming from the EU. For Australians the obvious choice, because of both common language and common legal heritage, would be the UK’s ICO. However, if Brexit goes ahead, the ICO will not be speaking for the GDPR in the same way. Therefore, we will be looking increasingly to the EDPB for guidance about interpreting the GDPR. The challenge for the EDPB is to produce guidance that is concise and easily implemented in practice by businesses.

There is a terrible sense of frustration in Australia (and, I am sure, elsewhere) about the incoherence of the laws affecting cookies and email/SMS marketing, which surely the EDPB could make more easily understandable with concise, plain language guidance (even while waiting for the new ePrivacy Regulation to be finalised).

3. What needs to be done for data protection globally in the forthcoming years?

AJ: The revelations about Facebook and Cambridge Analytica exposed data protection’s dirty little secret: for all its talk about being tough on data protection, DPAs in the EU have thus far failed to stop the rampant abuse of personal data by companies like Facebook. The American model of ‘notice and consent’ is an abject failure, and the primary responsibility for regulatory failure rests with the US, but to date enforcement of the 1995 Directive (and, I might add, privacy laws in Australia and elsewhere around the world) has been so patchy that nothing has really stopped Facebook from becoming more and more invasive. Isolated actions by DPAs in Germany and Belgium have dragged on for years, and Facebook has so much money to fight regulators, that alone such actions cannot be effective. I hope that the GDPR will herald a new era of tougher and more consistent enforcement of data protection law for EU consumers at least, and if that succeeds then hopefully the ripple effects will be felt around the world.

GG: There are four steps that will be necessary: Firstly, only the EU has the capacity to challenge and perhaps break the underlying structures of surveillance capitalism built by US companies. The GDPR has started this, but it will require competition laws to break up the monopolistic practices of social networks, search engines and ancillary services so that alternative business models not based on privacy invasions may succeed.

Secondly, as explained above, the EU needs to maintain the credibility of the GDPR, which will underpin the globalization that I mention below, even if the GDPR does not remain the ‘gold standard’ for emulation.

Thirdly, the increasing globalisation of Convention 108, and its strengthening (as 108+ or ‘GDPR Lite’) may mean that it will evolve into the only global data protection Convention and become a means of resolving the deadlock in facilitating exports of personal data with a reasonable degree of safety. If the UN Special Rapporteur on the Right of Privacy assist the re-alignment of UN instruments to accord with Convention 108+, Convention 108’s position will consolidate.

Finally, the current and accelerating trend of countries outside Europe enacting new or revised GDPR-influenced legislation will need to continue, thus facilitating the adoption of global standards. Strong enforcement of such laws will take longer to evolve, but I think it will also occur.

A lingering danger is that the US, and perhaps other countries, may succeed in attacking data export restrictions through the GATS or other FTAs. Attacks on data localisation provisions are more likely to succeed, and may be supported by the EU.

4. From the point of view of your practice and experience, what are the most noticeable differences between European and AU/NZ perception of data protection/privacy?

GG: The crucial difference is that Australians have no enforceable privacy/data protection rights under constitutional law, neither by virtue of treaties, nor in common law/equity. This is in stark contrast with Europe generally (Art. 8 ECHR and consequent domestic civil law rights as well), and particularly with the EU. New Zealand is slightly different, due to the courts holding that there is a tort of wrongful disclosure.

For reason of the factors explained above, and the blockage on appeals under the Privacy Act, Australians have no access at all to the courts to pursue privacy issues. The contrast with everywhere in Europe could not be more stark. In New Zealand the situation differs, both under tort law, and because of actions before the Human Rights Review Tribunal.

5. From the point of view of your practice and experience as a PIA practitioner, how does the practice of D/PIA in Europe differ from AU/NZ?

AJ: There is a weakness at the heart of privacy law in Australia, which is the absence of a Bill of Rights or similar instrument, which would ground our law in enforceable human rights.  However perhaps there is an upside to this, which is that the concept of ‘privacy’, and by extension PIAs, can be taken quite broadly, since there is no other statute or court likely to tell us otherwise. Therefore, although our key privacy statute is about information privacy with privacy principles similar to the GDPR, we end up with a conception of information privacy which is perhaps broader than the European notion of ‘data protection’. The potential scope for any particular PIA is therefore a little broader than a DPIA under the GDPR.  For example, I see the principles of collection limitation, use limitation and data quality as gaining much more attention in Australia than in the EU (from my limited understanding of practices in the EU, I must admit). Data subject rights like access and correction are there in our law as well, but perhaps play a lesser role when conducting a PIA.

PIAs as a methodology are perhaps also more established in Australia and New Zealand, having been promoted by our privacy regulators for some 15 years or so. Nonetheless, only now, from 1 July 2018, are they becoming mandatory for Australian government agencies, in relation to ‘high risk’ projects. They will continue to be recommended as best practice, rather than legally mandatory, for the private sector, as a way of meeting the Accountability principle.