In a March 4 speech, European Commission Vice-President, Viviane Reding, stressed that the proposed Data Protection Regulation “is about creating a level playing-field between European and non-European businesses. About fair competition in a globalised world.”
This argument does not lack merit. However, the idea that the regulation’s wide reach creates a “fair competition in a globalised world” is questionable. In fact, complying with the complex EU data privacy law is likely to be prohibitively expensive for small and medium sized non-EU businesses interacting on the European market on an irregular basis. The result will be that only large foreign businesses, and foreign businesses that do not care about complying with EU law, will be able to afford to enter the European market.
Improved data privacy protection is to be welcomed, but the problem is one of nuance. The proposed EU data privacy Regulation contains many different types of rules; some are aimed at preventing privacy abuse. Such rules are common in privacy laws around the world. There is of course nothing unreasonable about Australian companies wishing to benefit from the European market having to abide by EU law protecting against misuse of personal information.
But other rules are burdensome and require changes to business structures. For example, it seems absurd that an Australian organisation with some limited interaction with EU residents also has to implement potentially costly administrative measures as appointing a Data Protection Officer. Such rules should only apply to businesses that have a substantial presence on the European market.
The solution is obvious. Australia should encourage the EU to adopt more sophisticated rules as to when the proposed regulation applies outside the EU so as to avoid this type of all-or-nothing situation. We need to see the EU distinguish between the types of privacy rules it applies to everyone who deals with EU residents, and those rules that only apply to businesses substantially engaging on the European market.
But then again, Australia also takes an all or nothing approach in our privacy law – so maybe we should start the revolution on home soil.
Professor Svantesson is a Co-Director of the Centre for Commercial Law at the Faculty of Law (Bond University) and a Researcher at the Swedish Law & Informatics Research Institute, Stockholm University.
This article was originally published at The Conversation. Read the original article.
