If you don’t target European customers, stop panicking about GDPR, says lawyer
Australian marketers may be overthinking the implications of the European Union’s new GDPR data protection rules, a lawyer has argued.
Speaking at Mumbrella’s B2B Marketing Summit this week, DVM Law solicitor Jason Qian told the audience most Australian businesses are unlikely to be liable under the EU’s rules. However, he warned that large clients may expect their local agencies to be GDPR compliant anyway.
GDPR – the General Data Protection Regulation – was introduced by EU lawmakers in July. Marketers around the world whose databases might include some customers who happen to be in Europe struggled to understand the implications, and whether it would affect them.
Qian said: “The advice I give to a lot of my clients is that you do have grounds to say GDPR doesn’t apply to you if you don’t have a relationship with the EU, if you aren’t targeting EU customers. I think it may well be a defensible position not to engage them.
“With respect to a website that’s open to everyone in the world, there’s material in the text of the GDPR which says there needs to be a bit more, you need to be offering goods and services to individuals and that extra bit that makes the GDPR cover you is that you accept Euros or target specific EU countries, but you can’t make a blanket statement.
“I would say the pressure is going to come from when you’re talking to (big companies like) Microsoft and they say ‘we need you to be GDPR compliant.’ The legal arguments won’t help you there. You’ll just need to negotiate with your customer.”
Qian’s reference to Microsoft came after earlier comments on the panel by Mel Neilsen-Gerber, head of Centre of Excellence & Operations at Microsoft’s Chief Marketer’s Office, where she explained the steps taken by the global software giant to ensure compliance.
A key part of Microsoft’s strategy was to ensure suppliers and contractors had taken steps to comply with the GDPR.
Despite GDPR’s tight regulations, Qian pointed out it does give companies in the business-to-business sector some exemptions not available to those marketing to consumers.
“When you’re collecting data in a B2B context, that probably falls under ‘legitimate interests’,” said Qian. “It seems European privacy regulators have recognised that because they have said when it’s B2B, you don’t have to obtain consent as you do when it’s B2C.
“That doesn’t absolve you from the rest of the obligations under GDPR though, you still need to notify those individuals with a privacy policy.
“If you’re transferring that B2B information to other organisations, you still need to abide by those contractual mechanisms that are in place. So it lets organisations off the hook, but only in one aspect of the GDPR requirements.
“The one thing is to know what you’re doing with the data, just know it in a granular way. When were you collecting it? How are you collecting it? What were consumers shown when you were collecting it? When do they get sent to your privacy policy? Who do you send it to?”
What I see easily happening is that the GDPR isn’t just a European-Union-specific measure. Here, the GDPR could be seen as a “gold standard” for data-protection regulation around the world. This could be more so with the UK when they complete their Brexit cycle — they most likely would be implementing a tight “data protection” regime underscoring the key tenets of the GDPR. Or California and New York, two highly progressive states in the USA, could use the GDPR as the template for a data-privacy law.
Similarly, the GDPR may be seen in a similar light when it comes to striking business contracts especially with privacy-minded organisations whether they are chartered in Europe or not.
User ID not verified.
Thanks for the article, Paul!
The relationship between consent, legitimate interest, B2B and B2C, and European privacy laws on top of the GDPR is quite complicated. I’ll just add that you shouldn’t drop the ball on your potential obligations just because you use personal information in a B2B context and have the words “legitimate interest” in your privacy policy.
Naturally – seek legal advice.
User ID not verified.
Websites do cross borders whether intended or not, ignorance is an excuse….. I too would suggest that the EU GDPR is a benchmark for good practice and one would be remiss in ignoring any impacts and opportunities of visibility elsewhere (market development).
Many businesses may well already be coming under the auspices of the GDPR, due to attracting EU web traffic (if you don’t know, install Google Analytics etc. on website and social media).
If you have information online in a European language (although intended for local audience), a product or service which may be of interest etc. then it’s probably useful to follow GDPR.
It’s a pity the Australian and other governments don’t implement many of the good ideas the EU adopts for citizens’ rights, not corporate (including media).
User ID not verified.