GDPR – the new ‘General Data Protection Regulation’ from the EU.
The EU has new legislation that comes into effect on May 25 (yes, in a few days' time). It targets the international social media companies, but it affects all companies, all around the world.
Essentially, the legislation applies to any entity anywhere in the world that handles data about EU citizens or residents, so entities worldwide are affected by this new privacy legislation.
Here is some info from the Office of the Australian Information Commissioner (OAIC) about the new EU legislation. Personally, I believe that some of the legislation in Australia says the exact opposite of what the EU GDPR says, especially around the topic of the ‘right to be forgotten’ and the specified time frames around things like reporting data breaches. In Australia, the data retention laws say the specified information MUST be kept for 2 years.
The real problem is the definition of citizen versus resident of the EU. Is a citizen of the EU who lives in Australia some of the time subject to these laws? Does a medical centre adding this EU citizen’s email address to a mailing list without written opt-in consent breach the new EU GDPR? ‘Probably’ is the answer I’d suspect.
What if the EU Citizen was a permanent resident of Australia?
What if the EU citizen is a dual citizen? The High Court in Australia has ruled that dual citizens are ineligible to hold Australian political office, so we have a precedent for dual citizens being seen as beholden to foreign states.
This computer security website talks about these definitions.
They sign off with this gem of a quote:
“There are a few perfectly valid interpretations out there,” noted Schroeder. “[GDPR] is so massive, and… so broadly-worded, that no one can be really sure how the DPAs will interpret the minutiae of it until they start applying it in May.”
On this point, at least, GDPR pundits can agree.
Interesting days ahead. Watch this space.