The UK is scheduled to exit from the EU on 29 March 2019
There are substantial negotiations underway for transitioning of legal, trade and other relations between the UK and the EU after Brexit happens. At this stage, many of the negotiations have been unsuccessful either within the UK’s own parliamentary system or between the UK and the EU. Without agreements for transitioning and new agreements for interacting with the EU, the UK faces numerous disruptions to trade, security, medicine availability, travel, workplace regulations and citizenship of UK citizens in other parts of the EU.
There are a few options between now and 29 March 2019.
The first is that a deal will be put together for transitioning. This would be the most favourable outcome for continuity of business transactions and commerce. The second is, if no deal can be agreed upon, the date of Brexit may be extended by agreement to allow more time for negotiations. The third scenario is what is being called a ‘no deal Brexit’.
What does a ‘no deal Brexit’ mean?
If no agreement for transitioning can be reached and the exit date is not extended, the UK exit from the EU will happen on 29 March 2019 and there will be a degree of chaos attached.
For the many laws and rules currently intertwining the UK within the EU, there will be no deals in place for transitioning and planning. This will affect many laws and current practices, however for the purpose of this article, we are only looking at the management of data under the GDPR.
Why is a ‘no deal exit’ important for privacy legislation and who would this effect?
Under the GDPR (General Data Protection Regulations), the UK is currently part of the EU however from 29 March 2019 (or later date if this is extended), the UK will be an independent country.
If a no deal exit happens, the transfer of data between the EU and the UK will be restricted under the GDPR from 29 March 2019. It is possible that the UK will be granted adequacy status (yes, that is a technical term), but this cannot be assessed until after the exit has happened (and will likely take several months). In the meantime, the transfer of personal information from the EU into the UK must be completed using a standard contractual clause (‘SCC’) in the format approved by the EU.
Sounds complicated? Let’s break it down and look at the implications:
Location of business receiving personal data
Scenarios and action required prior to 29 March 2019
Head office of business within the UK and collecting data from any person within the EU or monitoring the behaviour of any person within the EU
You operate any kind of online membership subscription service that has EU resident subscribers.
You have an online retail store that is open for EU residents to make a purchase.
You provide advisory services and have clients resident in the EU.
Head office of business within the EU (but not in the UK)
Look carefully at where your data goes. There will no longer be a free flow of data from EU to UK. Do you transfer data to the UK? Data subjects will have to be told.
Head office of business outside of the UK and EU and collecting data from any person within the EU or monitoring the behaviour of any person within the EU
Any business relying on the US Privacy Shield for the transfer of data in or out of the UK
How can Onyx Legal help you?
We can help you work out if you have to comply with GDPR and prepare approriate privacy and cookie policies to comply with GDPR requirements. Contact us to find out more.
If your business is not in Europe, should you be worried about GDPR?
GDPR has the potential to impact any business that might be doing business with a European resident, whether the business is online or not. This article covers some of the most frequently asked questions we have received from clients, to help you decide what level of action you need to take to protect your business, and how soon.
For those of you who haven’t heard anything about it yet, GDPR is the General Data Protection Regulation introduced by the European Parliament back in April 2016, and came into effect on 25 May 2018.
What is GDPR?
GDPR is the General Data Protection Regulation (GDPR) is an European Union law which came into effect on 25 May 2018 across all European Union nations including the UK. The GDPR is designed to strengthen privacy rules and requirements around how information relating to individuals can be collected and used and updates and unifies data protection laws across Europe.
How does GDPR apply to Australian business?
Australian businesses may need to comply with the GDPR if:
they have an office in the EU (regardless of where they actually process personal data); or
they offer goods or services to individuals of the EU (these services can be free or for money); or
they monitor the behaviour of individuals in the EU.
A business will be considered to offer goods or services if they have actual clients or members who live in the EU or if their business could be used by and is intended to be used by individuals in the EU eg. you sell goods online and have a shopping cart that displays as an option the purchase amount in Euros.
How is GDPR different from current Australian Privacy Laws?
The good news is that both the Australian Privacy Act 1988 (Cth) and the GDPR have similar requirements. This means many businesses will have already started the process required to be GDPR compliant. The GDPR does however have additional requirements. It introduces higher standards for the manner and basis on which data is collected and gives more rights to an individual to control their data.
We have European customers, does GDPR affect us?
Short answer – yes. The intent of the legislation is to protect personal data of data subjects in the European Union. If you already have that data, you should comply.
On the other hand, if you don’t already have that data, the legislation appears to consider your intent about collecting it.
Does your business ‘envisage offering services’ to people in Europe?
If you have random purchases from European residents, or surprise inquiries from European residents, then you might not actually have planned to do business in Europe, it could merely be coincidental. The recitals for GDPR (the 173 introductory paragraphs before the Regulation provisions) talk about whether a business ‘envisages offering services’ to people in Europe and infers that there must be an intent to do business in Europe, not merely happenstance.
Just because people in Europe can find your website, or contact details, that is not enough to demonstrate that you plan to do business in Europe. On the other hand, if you’ve designed your business so that it can be translated, or has pages in languages most commonly used in Europe, enables people to pay with Euros and is otherwise targetting European customers in some way, you are demonstrating an intent to do business with EU residents and must comply with GDPR.
It is all very up in the air at the moment as to what some of the regulations actually mean, and there will be a period of settling in, as well as prosecutions of non-compliant companies, before we have a clear idea about how GDPR will be enforced.
Australian business not affected by GDPR
You have a website that displays pretty pictures about growing fruit in Queensland, Australia. When individuals go onto your site, cookies collect information about them and google advertising gets this information and uses it to target advertising to that individual about fruit trees.
In this example it is not clear if a goods or services are being offered as there is no actual connection between individuals viewing the site and the site owner. Potentially there is a service of information being offered but really it is not clear. Then you would go and use the next part of the article to determine if in fact the site owner does envisage offering goods or services in EU – you would look at the text languages on offer, currency (although not selling anything) and would conclude, no, they are not providing goods or services to individuals in EU.
Non-European business affected by GDPR
An accountant in the United States does tax work for a client in the United Kingdom for money and keeps personal information of the client on file. Does the accountant offer goods or services to an individual in the EU – yes. We don’t think you then have to look any further at the business intentions etc. to decide if GDPR applies.
To avoid HAVING TO BE GDPR COMPLIANT, should I go through my client list and just delete anyone who is in Europe?
GDPR is certainly an opportunity to clear out those old email lists. I know of one person who never deletes their unsubscribed people and then ends up with them back on his list every time he changes auto-responder systems. Really annoying! Not to mention completely disrespectful of the people who’s information he holds. This is part of the reason for GDPR – encouraging business to be more aware of the value of the personal data they have collected, and giving individuals greater control over what happens to it.
There are lots of businesses that are taking action delete EU residents from their lists, and block EU access to their websites. If Europe isn’t your target market and you don’t want another regulatory burden, this is certainly an option. If other countries decide to adopt any of the GDPR provisions however, you may still face greater compliance burdens in future.
How do we let people know we don’t want personal information from people in Europe?
EU – GDPR
We do not promote our business in the European Union and aim not to collect personal information about EU residents. We have not taken action to comply with the General Data Protection Regulation (GDPR). We have taken reasonable action to block access to our services from EU residents.
Who is GDPR intended to protect?
Although the GDPR will have worldwide impact on business, it is only designed to protect the use of personal information for people in the EU.
There is no time limit on how long a person has to be in Europe for their collected data to be protected. The GDPR cover information collected about natural persons in The European Union, or their behaviour in the EU.
If you think about travelers to Europe, local business that they collect personal data will have to comply with the protection of information about anyone in Europe, however temporarily. The collection must relate to the offer of goods or services to data subjects. So a tour operator who takes you name and passport number for a one day stopover will have to comply with GDPR.
What is a ‘data subject’ under GDPR?
A data subject for GDPR is a natural person whose personal information has been collected.
A tourist coming through any European Union airport or seaport who is captured on surveillance video, even if they only transit through Europe, will be a ‘data subject’ because their personal information (image) has been captured on the way through.
For business, a data subject is any natural person whose personal information you have collected, however briefly.
What data does GDPR cover? What data does GDPR not cover?
GDPR covers personal data about natural persons. Personal data is any information relating to a natural person that identifies that person, or can be used to identify that person. Some examples are set out under the next question below.
You don’t have to worry about the birthday diary you keep (for those who don’t rely on social media reminders), because information collected by a natural person for purely personal or household activity is specifically excluded.
What is Personal Data for GDPR?
Personal data is , in general, any information relating to an individual. It can identify the person either directly (eg their name) or indirectly, in combination with other data (eg a location marker in combination with other information known about the individual may identify them).
Personal data includes obvious information such as an individual’s name, address and contact details however it also includes things such as online identifications like IP addresses and location data.
There is a special category of Sensitive Personal Data that includes information on racial or ethnic background, political opinions, religious or philosophical beliefs, trade union membership, genetic or biometric data, physical or mental health and sexuality or sexual orientation. The rules regarding Sensitive Personal Data are much stricter.
Should I keep personal data about European Union residents separate from data about my customers in other parts of the world?
You could put in place systems to separate the information you hold about people in different countries, but consider which is the highest cost and most difficult for your business – having one set of policies you comply with, with different systems, or multiple policies and systems?
What are the GDPR principles?
There are 6 key principles. Data must be:
Processed lawfully, fairly and transparently.
Collected for specific and allowable purposes and only used for these purposes.
Adequate, relevant and limited to what is necessary.
Accurate and kept up to date.
Only kept for as long as necessary for the purpose it was obtained.
Processed in a manner which ensures appropriate security.
What does processing of personal data mean?
Processing is anything that is done with personal information whether by electronic means or otherwise. The term is very wide and includes everything from collection through to storage, use, manipulation and destruction.
What is the difference between a data controller and a data processor?
Basically, the data controller is the person or entity that determines the purpose and means of the processing ie. they control why the information is collected and what it is used for.
The data processor stores or manipulates the data at the request of the controller.
Both the controller and the processor have significant obligations under the GDPR and your business may be a data controller, a data processor or both.
What are some examples of personal data under GDPR?
Some personal information typically collected by businesses are:
• name and contact details – phone, email, social media profile link • role or title, school, occupation, employer, qualifications • age, date of birth, gender, ethnicity • residential address, business address, postal address, location • photograph, likeness, identification number • allergies, health conditions, dietary requirements • finger print, facial recognition, DNA scan • opinions and beliefs collected via surveys and questionnaires
What risk to my business if I don’t apply an EU geo-blocker to my website?
It’s not worth me being in breach of the GDPR
If you have a small business, located outside Europe, that is not intentionally aimed at European residents, your risk of prosecution under GDPR is likely to be very low.
It is likely that the EU regulators have already identified target companies for audit and potential prosecution to test the enforce-ability of their new provisions. As with all government regulators, they will only have limited funding available and will be looking to make an impact that gets picked up and shared in popular media. As with any new laws, there is usually a settling in period while everyone gets used to the new regime. Lots of regulators look for cooperation rather than prosecution, simply because it is cheaper and less time consuming.
On what basis can I collect personal data under GDPR?
The allowable reasons that data may be collected/processed are:
By consent of the individual giving the data
Because it is necessary to take steps to enter into a contract with the individual or for the performance of a contract with the individual.
It is necessary for compliance with a legal obligation.
It is necessary to protect the vital interests of the individual or another person (eg. in an emergency you access a data base you wouldn’t otherwise have access to, to check for allergies and call 000/ 411/ 911 or the applicable emergency number to save the individual’s life)
It is necessary for the performance of a task carried out in the public interest or in the exercise of an official authority.
It is necessary for the legitimate interest of the controller (so long as this doesn’t harm the interests, rights or freedoms of the individual)
The allowable reasons for Sensitive Personal Data are even narrower and are quite specific.
how does GDPR affect google analytics?
If you use Google Analytics you should have received an email recently suggesting you check and update your account settings. If you don’t your historical data will disappear. It is worth reading through the email from Google to better understand the impact on your account.
Do I need to collect consent from my database again for GDPR?
There are competing schools of thought here.
There are a bunch of Articles (commentary to the GDPR) that absolve you of liability if you have consent, so for the risk averse, consent is what you want. However, there are also a bunch of Articles that say provisions don’t apply if…
One of the ‘ifs’ is if the processing of information is necessary for the performance of a contract the individual is party to, which is what a lot of organisations appear to be relying on to avoid seeking consent. You already have an existing contract for services in place, and to be able to continue to provide those services, you do so under contract. If you are happy to ‘hang your hat’ on that provision, then you can do what a lot of other organisations are doing and just give notice of update.
The benefit of recording consent again is you then have a record of it…
Some businesses are actually including in their policy update notices that users can change their settings and opt out at any time, rather than asking for renewed consent.
Does GDPR mean websites must first ask for consent before placing cookies?
The GDPR is set out in the Articles (rather than the recitals), which make no mention of cookies.
GDPR doesn’t actually address cookie usage it deals only with personal information. Most cookies don’t collect personal information – session cookies and those used to remember login details are likely to collect personal information. GDPR works alongside cookie legislation.
What is and is not consent is discussed in the recitals rather than the articles. For example recital 42 refers to ‘For consent to be informed, the data subject should be aware at least of the identity of the controller and the purposes of the processing for which the personal data are intended. Consent should not be regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment.’
That is not dealing with cookies necessarily, but addresses the use of personal information. So, if a person wants to have their login details remembered for next time, they need to be asked if they want them remembered (which is already what usually happens) rather than the details automatically being retained without their knowledge.
Should I appoint a Data Protection Officer?
No! Well, not unless you have to.
The GDPR is very specific on the qualifications and experience required of a data protection officer and you are only required to appoint one as a government entity or if you are processing sensitive personal data on a large scale.
However, you can opt-in and it is easy to do so. If you call someone in your business a Data Protection Officer, you opt-in. The trouble there is that you then have to meet all the obligations around the qualifications and experience that person must have and can be in breach of the Regulation if you don’t. You can appoint someone external who is qualified and these businesses are now popping up around the world.
How can Onyx Legal help you?
Contact us if you are not sure whether you have to comply with GDPR, or know you do, and need your policies brought up to appropriate compliance standards.
Mandatory Data Breach Notification Laws Australia – FAQs
Do mandatory data breach notifications apply to you?
If you are in Australia and collect personal information from clients, customers, suppliers, partners or anyone else for that matter, then maybe they do. But a compliance perspective, these laws don’t affect you unless you are already required to comply with Australian Privacy law. Which means, you must comply if:
you operate a public, private or not for profit organisation with more than $3m turnover per year
you are a health service provider (not just doctors, this can include gyms, childcare centres, life coaches and schools), regardless of turnover
you are part of a federal government agency
you are part of a credit reporting agency
your business buys or sells personal information
What are mandatory data breach notifications about?
Data breach falls within Australian privacy laws and is all about cyber security.
The objective of the new law is to give individuals (those who care) confidence that their privacy is being protected. The laws apply regardless of technology, and encourage transparency and accountability.
What does it mean if you have an eligible data breach?
Mandatory data breach notifications only related to personal information. Personal information is defined in the Privacy Act as:
Personal information is –
information or an opinion about an identified individual, or an individual who is reasonably identifiable:
– whether the information or opinion is true or not; and– whether the information or opinion is recorded in a material form or not.
So if your business is hacked and you lose commercial information, that is irrelevant to this law.
The key components of a data breach are:
it involves personal information
it does not have to be bulk data, personal information about one person may be enough
the data has been accessed or disclosed
the data has been lost in circumstances where it is likely to be accessed or disclosed (like when NASA employees left a laptop containing access codes to the space station in a cab…)
there is a likely risk of serious harm to the people who have had their personal information accessed, disclosed or lost
What does ‘Serious Harm’ mean for a data breach?
Serious harm is a broad concept including physical, psychological, emotional, economic, financial or reputational harm (like when Ashley Madison got hacked and all those people cheating on their partners risked being exposed…)
What is serious harm is likely to be different for each organisation and probably associated with the reason why data has been collected. Customers of a financial institution might risk economic loss, and customers of a medical clinic might risk psychological, emotional or reputation damage.
Think about what is important to your customers, or the people who’s personal information and data you collect.
What should you have in place to handle mandatory data breach notifications?
Not surprisingly, a large proportion of small businesses have adhoc systems in place and no real understanding of what they collect, or how they control their data. This is particularly the case when using third party systems that also store data, like Eventbrite.
IT, management and communications teams will need to work together for data breach notifications.
The top 10 things to consider are:
Every organisation covered by these laws should have a clear understanding of how their data is collected, stored and used and the vulnerabilities of those systems.
Identify ‘who’ in the organisation is responsible for managing data.
Identify the likelihood and consequence of an eligible data breach.
Put in place staff training and security measures to reduce the chance of an eligible data breach.
Understand what ‘serious harm’ could arise if there was a breach.
Work out what would need to happen to avoid ‘serious harm’ and how quickly that could be implemented if there was a breach.
Put in place a recovery plan in case of a breach.
Put in place a communications plan that includes (as a minimum) the communication to those affected, a press release to reduce reputational damage, and the notification to the Privacy Commissioner.
Check the business cyber insurance to see that it covers data breaches and the consequences.
Test a data breach scenario to ensure your business has the ability to manage an eligible data breach.
Remember that data breach laws are technology neutral.
Just because you still operate with a largely paper based system does not mean that this law will not apply.
As someone pointed out to me, most filing cabinets can be unlocked with a paperclip.
How can Onyx Legal help you?
If you need help identifying risks to disclosure of personal information in your business and procedures to manage those risks, or need support developing policies and procedures for managing personal information, then contact us to find out how we can help you.
Delay in Action for Defamation Could Affect Your Claim
You need to be quick if you are worried about being defamed.
A couple of quick tips today that have come out of our work.
We had an inquiry about defamation. Now, if you are going to get upset about what somebody says about you, you need to take action quickly.
The person who spoke to us was concerned about something that was said back about six months before their call. It may be too late to take action. It may be implied that the defamatory statements were not that serious because the complainant knew about them for a long time and didn’t complain or take action earlier.
On the other hand, it should also be possible in that length of time to work out whether or not the complainant has actually suffered any damage to their reputation and it may be possible that a culmination of repeated publications over that length of time start to have a negative impact on the complainant so that action to stop defamation does become necessary.
We’ll have to look at the enquiry we have received more carefully before deciding how to proceed, but if someone is going to defame you, you need to take action. You need to decide what you’re going to do quickly. Don’t sit on it.
So your tip for today, if you feel you’ve been defamed, do something about it now.
How can Onyx Legal help you?
If you are concerned that you have been defamed on social media, or you are managing a social media group and have received a request to remove defamatory material, contact us so we can let you know what steps to take next.
5 Ways To Check Whether Questionable Email Is Spam
Are you one of those people who can’t help opening emails, even when you don’t know who they are from and suspect the email might be spam? Or worse, do you actually waste your time responding to people and telling them not to bother you any more with their offers to get your website on the first page of Google, send you cheap pharmaceuticals or get you a date?
Don’t waste time responding to emails that you should just delete.
With a little practice you can get your delete button working much quicker, saving you time and aggravation. Some spam is obvious and your junk mail filter will pick it up. Other emails somehow get through the filter, but are just as obvious from their title and you can simply run through the list and delete. But what do you do with those that look like they might be legitimate? The Australian Communication and Media Authority is the government entity responsible for monitoring anti-spam compliance in Australia. Despite the difficulty in navigating their website, they receive an average of 27,350 Spam Act breach complaints per month (ACMA Spam statistics January 2015). 100% of complaints currently under investigation relate to lack of consent.
100% of complaints about junk email or SMS investigated by ACMA are about
lack of consent.
You can add your spam complaint to ACMA’s ever increasing list simply by forwarding spam-SMS to 0429 999 888 or emails to the Spam Intelligence (oxymoron right there) Database at firstname.lastname@example.org. Unfortunately that isn’t going to solve the problem. Of all the complaints received, only about 1 investigation per month gets finalized. An average of only 570 informal warning letters per month are sent out to offenders. Since the beginning of 2015, ACMA has only taken formal action against two companies – Club Retail and GoDeals. Club Retail has been required to establish a double opt-in system for adding people to their email lists and GoDeals have been warned to ensure their unsubscribe system does work and people who unsubscribe don’t continue to receive their emails. Under the legislation, ACMA can issue informal warnings, formal warnings (which require a business to take action in a specified time-frame, or else), enforceable undertakings (the alternative to being fined), infringement notices (fines) or start court action. Fines can be as high as $1.7 million for repeat offenders. What this means for your inbox? Unless the company sending you spam SMS or emails is doing it at a high volume and there are lots of complaints to ACMA, or they have a big enough business to make it worthwhile to threaten them with fines, your most effective course of action is to mark the email as junk mail, block the sender and hit delete. So, how can you tell whether an email is Spam or not?
Junk email that is not anti-spam compliant.
Do You Know Who Sent You The Email?
If your email system shows that you’ve received an email from ‘Hugh Jackman’ you might suspect that its spam. But if you get an email from say ‘David Thompson’ or a name of someone you think you should know, then you might be more inclined to open it. Have a look at the email I received recently from Sarah and Creative AUST Pty Ltd. Sounds like someone I could know, fairly innocuous and looks official with the company name alongside. If you have any hesitation, a quick online search of the sender will bring up Facebook and LinkedIn results and a bundle of images associated with the name. If it really is someone you know, or should know, you’ll find out quickly. No time wasted in deciding whether or not to take the message seriously. I recently received an email from Jade Capital, a company that sounded legitimate and who’s email looked like something I might possibly have agreed to receive. When I searched the name of the sender, I couldn’t find any details linking them with the company. Nothing. Delete. Funnily enough a week later I received another email naming both my husband and I. So I took a moment to write back and suggest they implement some spam-compliance into their system. Things like:
let the recipient know where you got their name (in that case through buying another company)
if this is a first communication, provide an opportunity to opt-in to regular communications instead of automatically adding people in
clearly identify the company and its contact details
make sure the sender is identified as part of the company, particularly if it is a sales manager or other person who might not appear in the ‘About Us’ page of your website
ensure you have an unsubscribe facility on the email
It was a useful conversation, for both of us.
Does the email address match the Sender Name?
The first thing I check is whether or not the email address next to the name is even remotely related. In this example, the alarm bell starts ringing immediately because the email is a fairly stock standard gmail address rather than a proprietary site address. What is worse is if the email address has absolutely no relation the name of the sender, like email@example.com *ding ding ding* Depending on what email system you are using, you might also be able to hover over the email address of the sending and check the hyperlink to see that the listed address and the actual address are the same. This is easy in Outlook but not straightforward in Gmail. If it the hyperlink is different – delete.
Who was the email addressed to?
If your name or one of your usernames appears in the salutation of an email, there is a good chance you signed up to receive communications somewhere along the line, even if you don’t remember it now. If the name is just what comes before the @ in your email address, it could either be something you signed up for, or it could be spam. It is possible that your email address was picked up by a robot scraping email addresses from different sites across the internet. If the salutation is generic, ‘Dear Friend/ Business Owner’ or simply ‘Hi/ Hello’ or no salutation at all, then there is a higher chance that it is spam.
Is the company sending the email legitimate?
DO NOT click on any links in the email. That is possibly the quickest way to get a virus into your system. If you want to check a company, open a browser and search it! I have seen some rather clever operations that have established company websites to support their scamming emails, but they are relatively easy to spot. The language on the site tends not to read well and other search results don’t tend to support the business details. You may need to do a little digging with international companies. If appears to be a registered business and I’m really not sure, I would generally check government sites like the Australian Securities and Investment Commission (ASIC) and the regulatory site for checking Australian Business Numbers. It depends on how obvious the fake is. In this example the company name looks a little unusual and an ASIC organisations and business name search doesn’t show an exact match
Are contact details listed?
The quickest way to check a company out is to call a telephone number listed in their email. If it is a legitimate business and you get through, at least you know. They might even appreciate the feedback that their emails look like spam. Next check the address. In this attached email you can see that headquarters are identified as a Sydney address. A quick search of the address shows that it doesn’t even exist. Yes, there is a Foveaux Street in Surrey Hills, but there is no number 30. At number 28 there is a college listed, and then another business from number 38. Any legitimate company will include an appropriate address in their emails. If the address is not real, the company probably isn’t either. Just be aware that in Australia the use of PO Boxes is legitimate and accepted. In the US, their anti-spam compliance seeks a street address. For a lot of small businesses set up by people working from home, that just didn’t work, so there are companies in the US that provide bulk site addresses rather than proper street addresses. So this search might not give you a definitive answer. And if you are still worried about whether or not the email you’ve received is legitimate? Perhaps you should ask yourself how the message helps you in your business and whether or not it is worth your time. If it is potentially an incredible lead, or something you do want to follow up and you continue to be concerned, we can help investigate further. For more information on working with us to protect your online business, please contact-us or book a short advice strategy session.