How many "updates to our privacy policy" emails have you had so far?

Ten? Twenty? Thirty or more?

I've lost count, but that's OK. I've been able to unsubscribe from heaps of mailing lists that I'd forgotten I was on, and ones that I'd never signed up for.

Ditto deleting old accounts that were just gathering dust and which could end up being hacked at some point.

Thank you very much, European Union and the General Data Protection Regulation (GDPR) that kicked into effect last week, for that.

The GDPR privacy rules have really rattled the cages of site admins all over the internet, and not before time.

Some of the reaction to the GDPR has been rather strange, like American newspapers blocking access to EU readers - and the Washington Post creating a special, non-ad-tracking subscription tier for Euro readers.

That said, all those privacy policy update emails point to organisations missing the point of the GDPR. The new rules don't say you have to update privacy policies and email all and sundry about it (although I'm glad that that happened, see above.)

Instead, GDPR is a warning shot that you have to take people's privacy seriously.

Furthermore, the EU insists that you do so, albeit in a gentle fashion to start with.

As tech and intellectual property lawyer Rick Shera of Lowndes Jordan points out, the EU regulators have indicated that they will work with businesses and educate them before handing down significant fines if GDPR rules are breached.

New Zealand is in a good position when it comes to the GDPR, as our privacy laws are not that far away from the EU regulation, Shera said.

As such, NZ privacy settings are well-respected by EU regulators. Unless NZ businesses have significant presence in the EU, they're unlikely to be targeted by regulators in the economic and political bloc for GDPR reasons.

All's safe then, and you can just ignore the GDPR and carry on as per before? Absolutely not.

"What the GDPR will do though is focus attention on whether there really is a lawful basis to collect information in the first place, and after that, whether that lawful basis continues," Shera explained.

That means NZ organisations should already have been applying the same rigour that their EU cousins now must when it comes to information collection, storage and processing.

Unfortunately, the low likelihood of any real penalties being applied has resulted in lackadaisical compliance, despite the Privacy Commissioners' best efforts over the years, Shera said.

New Zealand could follow in the footsteps of the EU and apply stiff, GDPR-style fines for breaches, which means collecting user data just in case it turns out to be useful is probably not a great idea.

"Why increase your risk by collecting and keeping information you don't really need?" Shera correctly asks.

Then there's the real sting in the GDPR tail: "the GDPR grants individuals the right to take their own action, without having to wait for a regulator," Shera says.

EU personal privacy rights guerrilla Max Schrems was quick off the mark to do just that, and took legal action against Google, Facebook, Instagram and WhatsApp under the GDPR, in France, Belgium, Germany and Austria.

Schrems alleges that the four service providers are in breach of GDPR statutes, and should be penalised. By how much? Based on the four per cent of global revenue formula set out in the GDPR, the companies could in theory be liable for €8.9 billion ($15b) in penalties.

It's unlikely that Google and Facebook will be fined anywhere near that much given who they are and the EU regulator's stated intentions of working with organisations rather than penalising them to start with.

But the threat is there, and unless you're in Finland or Norway, you can't insure against GDPR fines. In other words, take the GDPR's intentions seriously, and realise that privacy matters.