Startups going global should go GDPR: Lawyer

Consumers now take privacy seriously. Businesses planning to go global should build their processes to follow the toughest privacy standards. Right now that's Europe's General Data Protection Regulation.
Written by Stilgherrian, Contributor

Privacy law is a "minefield", according to Alexandra Wedutenko, a partner at law firm Clayton Utz.

"Even within Australia, there are different state and Commonwealth laws, so you've got to look at a mixture," she said.

Internationally, privacy laws cover the whole spectrum, from places with no privacy laws whatsoever to those with a high degree of personal privacy protection. The latter group includes the European Union, where the General Data Protection Regulation (GDPR) came into force on 25 May, and now California, which recently passed GDPR-like privacy laws.

"My broad advice is if you want to go global, then you probably have to go for the toughest standard, because you could be caught by the toughest standard even if you haven't realised it," Wedutenko told the SINET61 cybersecurity innovation conference in Melbourne on Wednesday.

"I would use the GDPR as the gold standard at the moment, because you can't have a different rule for every app you've got, or every different system you've got. It'll be impossible to manage, impossible to comply with, and impossible to pay for."

Dali Kaafar, leader for information security and privacy at CSIRO's Data61, is one of those consumers who "certainly does not trust" organisations today to handle his sensitive personal data. He said that when we're building technology, the less reliant we are on the notion of trust, the better off we'll be.

The controversy surrounding Facebook and Cambridge Analytica in the first half of 2018 shows that trust relationships are complex. Users know they have to explicitly trust Facebook with their data, but they must also place implicit trust in every organisation and individual that Facebook might share that data with.

Facebook's recent share price drop, a "ridiculously huge number, in terms of billions of dollars", shows how much people do care about privacy. Organisations suffering a data breach can expect significant customer churn, he said. Privacy is "something that every organisation has to have in the core of the objectives".

That's not always the case. A recent analysis of the 100 fastest-growing companies in Australia showed that 44 percent did not appear to comply with Australia's privacy laws: they neither published a privacy policy nor included a privacy notification wherever they collected personal information. One-third did not take the basic precaution of using HTTPS encryption on their website.

"We are all very trusting as customers," Wedutenko said. "But we have no idea what the data's being used for. Part of the problem is the way privacy policies are written."

"Speaking honestly, they're not very honest, [because] under the Australian privacy laws you just have to get a general consent," she said.

"It'll just say I can use it for my purposes of doing X, and then I might have outsourced providers, and then I might have contractors, and I may need to use it for other purposes. You'll find it's a very generic statement. And as lawyers, we draft it as a very generic statement, because that's what the client wants, because they don't know exactly what they want to use the data for."

A data salad made from consumers

Rachael Falk is chief executive officer of the Cyber Security Research Institute (CSRC), part of the Australian government's Cooperative Research Centre (CRC) program. She said that we all know there are plenty of ways that companies harvest data about us, but we may not be aware of the way it's then used.

"Everything they possibly legally can use, they will use for both business insights, but also to slice and dice, and make a veritable salad of customer data about each and every one of us," Falk said.

"Loyalty programs, in my personal view, are stealthy ways of building up customer profiles. They're also stealthy ways of data matching ... I don't think they're as innocuous as they make out to be, and I certainly don't put my date of birth down."

Falk also said that businesses often over-share personal data. Rather than sending filtered data to their business partners, they simply send the whole spreadsheet.

"That's not out of malicious intent. It's just easier to get things done," she said.

"What [the Facebook and Cambridge Analytica scandal] showed us is that companies all over the world -- some have very good hygiene around this, others less so -- don't think anything of turning the tap on and just leaving it running."
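The over-sharing Falk describes (sending a partner the whole customer table because it is easier than filtering it) has a straightforward engineering counter: an allow-list of fields per sharing purpose, applied before anything leaves the system. The example below is added here to illustrate that data-minimisation step; it is not code from the article or from any organisation quoted in it. The customer records, the purposes (`delivery_partner`, `marketing_analytics`) and the field lists are constructed for illustration.

```python
"""Data minimisation before sharing records with a partner.

Added example; not from the article or the organisations it quotes.
Instead of exporting the whole customer table, each sharing purpose
has an explicit allow-list of fields, and everything else is dropped.
All records, purposes and field names are constructed for illustration.
"""
from typing import Dict, List


# Constructed: full customer records as an internal system might hold them.
CUSTOMERS: List[Dict[str, object]] = [
    {"customer_id": "C001", "name": "Ana Example", "email": "ana@example.invalid",
     "date_of_birth": "1988-04-12", "postcode": "3000", "loyalty_points": 1250,
     "last_purchase": "2018-06-30"},
    {"customer_id": "C002", "name": "Ben Example", "email": "ben@example.invalid",
     "date_of_birth": "1975-11-02", "postcode": "2000", "loyalty_points": 80,
     "last_purchase": "2018-05-14"},
]

# Constructed: the only fields each sharing purpose may receive.
# A purpose with no entry here gets nothing at all (fail closed).
PURPOSE_ALLOWLIST: Dict[str, List[str]] = {
    "delivery_partner": ["customer_id", "name", "postcode"],
    "marketing_analytics": ["postcode", "loyalty_points", "last_purchase"],
}


class UnknownPurposeError(ValueError):
    """Raised when an export is requested for a purpose with no allow-list."""


def minimise(records: List[Dict[str, object]], purpose: str) -> List[Dict[str, object]]:
    """Return copies of the records containing only the fields allowed for purpose.

    Fields are projected by allow-list, so a column added to the source table
    later is still withheld until someone explicitly approves it for the purpose.
    """
    try:
        allowed = PURPOSE_ALLOWLIST[purpose]
    except KeyError:
        raise UnknownPurposeError(f"no allow-list defined for purpose {purpose!r}")
    return [{field: rec[field] for field in allowed if field in rec} for rec in records]


def leaked_fields(records: List[Dict[str, object]], purpose: str) -> List[str]:
    """Fields that a whole-table export would have sent but the purpose does not allow.

    Useful as a pre-export check or an audit report of what minimisation removed.
    """
    allowed = set(PURPOSE_ALLOWLIST[purpose])
    present = set()
    for rec in records:
        present.update(rec)
    return sorted(present - allowed)


if __name__ == "__main__":
    for purpose in PURPOSE_ALLOWLIST:
        print(purpose, "receives:", minimise(CUSTOMERS, purpose)[0])
        print(purpose, "withheld:", leaked_fields(CUSTOMERS, purpose))
```

The allow-list is per purpose rather than per partner so that two partners doing the same job get the same fields, and the `leaked_fields` report makes the difference between "whole spreadsheet" and "what was actually needed" visible before the export happens.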
