Author's details

Date registered: December 30, 2013

Latest posts

  1. NORWAY: Preparing to implement the GDPR – Draft for new Personal Data Act — July 13, 2017
  2. FINLAND: Preparing to implement the GDPR — July 12, 2017
  3. UK: Commitment to introduce new Data Protection Bill in line with GDPR principles — June 22, 2017
  4. AUSTRALIA: OAIC call out for comments – draft resources for businesses and agencies regarding the Notifiable Data Breach Scheme — June 9, 2017
  5. GLOBAL: GDPR – One Year to Go! — May 25, 2017

Author's posts listings

NORWAY: Preparing to implement the GDPR – Draft for new Personal Data Act

By Jan Sandtrø, Partner, Norway

Last week the new Personal Data Act for implementing the GDPR in Norway was published. Norway has taken a similar approach to, for example, Ireland in translating the GDPR into Norwegian, but there are also some additional regulations proposed which are specific to Norway.

The specific regulations for Norway are proposed in the new Personal Data Act and include regulation based on the GDPR, as well as taking advantage of the margin of maneuverability to allow for the continuance of some of Norway’s existing legislation.

These are:

  • Sensitive data. As a general rule, use of “sensitive data” (special categories of personal data) will be prohibited, however it is proposed that the Data Inspectorate may authorize the processing of sensitive personal data where the processing is in the public interest.
  • Use of personal ID numbers. The rights regarding processing of ID numbers for physical persons and other national identification numbers are continued as under the previous act, meaning that personal ID numbers may only be used where there are reasonable grounds to require proper identification and the use of personal ID numbers is necessary for such identification.
  • Age limit for information society services. The minimum age for consent for information society services is set at 13 years of age (which is the same as in e.g. Sweden and Denmark).
  • Exceptions from a duty to provide information to registered persons under the GDPR are limited to some extent in the interests of protecting the public interest and the registered persons.
  • Confidential duties of DPOs. Additional duties of confidentiality are imposed on Data Protection Officers.
  • One-stop-shop. A data controller active in multiple EU countries may use the supervisory authority in the country where it has its main establishment for all personal data matters in the EU and EEA, including for data controllers processing Norwegian personal data where the controller is established in another EU/EEA state.
  • Surveillance cameras. There is a separate regulation on the use of surveillance cameras (CCTV) in the workplace and the use of dummy surveillance equipment. However, the detailed regulation under Norwegian law on the use of surveillance cameras will be repealed.
  • Credit information. The specific rules on credit information activities under the current regime are not continued, and the way credit information activities are regulated will be addressed by the Ministry at a later point.
  • Employer access to email etc. The specific Norwegian regulation on restrictions for employers’ access to emails and other electronic files used by employees on supplied hardware and systems will remain in force, with some minor adjustments.
  • Additional regulation. There will be additional regulation on the requirement to have a Data Protection Officer in place and the duty for the data controller to have advance approval by the Data Inspectorate on certain types of processing. However, no proposal on such regulation has been published yet.

Please also note that the previous regime on notification and the requirement of concessions in Norway will cease (however concessions given under the present Personal Data Act will remain in effect until the concessions expire). The previous penalties for breach of the Personal Data Act as an offence are removed, however a high level of administrative fines (up to four percent of annual global turnover or EUR 20 million, whichever is greater) according to the GDPR will be implemented.

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/norway-preparing-to-implement-the-gdpr-draft-for-new-personal-data-act/

FINLAND: Preparing to implement the GDPR

By Päivi Niinimäki-Rastas, Senior Associate, Finland

The EU General Data Protection Regulation (GDPR) entered into force on 24 May 2016 and EU Member States are required to implement the Regulation from 25 May 2018. While the Regulation will be binding in its entirety and directly applicable in all Member States, there is a margin of maneuverability for Member States to specify their own rules or to restrict them via national legislation.

In Finland, the Finnish Ministry of Justice appointed a Working Group in February 2016 to prepare for the Finnish national implementation of the GDPR. The main focus of the Working Group was to prepare a proposal for national legislation in relation to the GDPR and a proposal for a national supervisory authority.

The proposal created by the Working Group was published on 21 June 2017. The Working Group assessed the articles of the GDPR which may allow a margin of maneuverability and four different sub-groups were established to assess specific topics in detail. In addition, the Working Group heard from relevant stakeholders and received a vast number of statements from sector specific organisations.

As a conclusion, the Working Group proposes a new general Data Protection Act to be passed. The Act would enter into force on 25 May 2018, when the GDPR shall also become applicable. The current Finnish Personal Data Act would be repealed.

The new Finnish Data Protection Act – what will change?

 I.  Finnish national provisions shall respect the coherent data protection framework

The Working Group has identified the true nature and the aim of the Regulation as the EU wide legislative instrument. The GDPR aims to ensure a consistently high level of protection for natural persons and to remove any obstacles that inhibit the flow of personal data within the EU. Even though some national rules are permitted, the level of protection of the rights and freedoms of natural persons with regard to the processing of personal data should be the same in all Member States.

The Working Group respects the binding nature of the Regulation by keeping the number of national rules to a minimum. First and foremost, the Working Group wants to limit any additional national legislation while implementing the Regulation. The Working Group has also co-operated closely with other Member States in order to form coherent policies and approaches regarding implementation.

The Working Group has emphasized that the Regulation itself already contains highly detailed rules. Due to the directly applicable nature of the Regulation, any specifications or restrictions by Member State laws are only allowed where explicitly stated. In addition, the Working Group also suggests that Finland aims to employ the widest possible application of the GDPR also in areas of personal data processing not directly covered by the Regulation, if not explicitly otherwise stated in the national legislation. Moreover, the Finnish Data Protection Act should always be applied in parallel with the GDPR as the material content is derived from the Regulation.

II.  New resources for Finnish Data Protection Authority

The Office of the Finnish Data Protection Ombudsman shall receive more resources as the new Data Protection Authority shall manage the increased duties that have been given to the national supervisory authority. The Data Protection Ombudsman shall still run the office but will have the help of one or more additional Deputy Data Protection Ombudsmen. These additional resources are required due to the many new tasks and powers invested in the national supervisory authority.

The current Data Protection Board shall be replaced by a new Sanctions Board, which shall act under the Data Protection Authority and decide on the administrative fines, limitations and bans on processing of personal data.

III. Rethinking the sanctions

The Working Group also proposes that the variety of sanctions should come under review. New criminal sanctions shall be established to supplement the administrative sanctions. However, the criminal sanctions shall only apply in limited situations when the administrative sanctions are not available. The aim is for national criminal legislation to be passed only in situations where necessary and where the remedies, liability and penalties provided by the Regulation cannot be applied. The new offence shall be called a data protection offence. In practice, this offence concerns the most common wrongdoings in connection to data processing, such as data processing for pure curiosity without a legitimate purpose.

IV. Special protection regarding privacy in working life shall be maintained

The Finnish Act on Protection of Privacy in Working Life shall stay inforce and will continue to guarantee the high level of privacy protection in working life. The Working Group has suggested maintaining the status quo so that the special legislation further promotes the protection of privacy and any other basic rights providing protection in working life. This covers, for example, the processing of employee personal data, the tests and checks taken by employees, technical surveillance in the workplace, and the retrieving and opening of employees’ emails.

Conclusions and further work

The Working Group strongly emphasizes the coherent implementation and application of the Regulation among Member States. For this reason, the Working Group has not yet confirmed its stance on every subject open under the national margin of maneuverability. One of these issues is the age limit applicable to children’s consent and to the consent of the holder of parental responsibility in relation to information society services. Regarding this and similar issues, the Working Group ideally hopes that Member States can agree on a coherent view amongst them.

According to the GDPR, in relation to the offer of information society services directly to a child, the processing of the personal data of a child is lawful when it is based on consent where the child is at least 16 years old. Where the child is below the age of 16 years, such processing shall only be lawful if the consent is given or authorised by the person who holds parental responsibility over the child. Member States may by law provide for a lower age for these purposes provided that the lower age is not below 13 years of age.

Defining the age limit requires further work and will only be clarified when it is known how the majority of the Member States have decided on the subject.

Furthermore, an additional task for the Working Group is to assess the functionality of the current Finnish data protection legislation. The Working Group has also researched the impacts of the GDPR on businesses and the relationship between the current Finnish special legislation and the GDPR. In the latter study the researchers examined over 800 Acts and assessed if these Acts, in their current state, are compatible with the GDPR regarding the legitimate purpose for processing. The core finding was that the Acts were reasonably compatible with the Regulation.

The Working Group still aims to reduce fragmented and unnecessarily detailed rules within the special legislation. The Working Group shall continue working on this task until 16 February 2018.

The statement of the Working Group of the Finnish Ministry of Justice will now be circulated for comments and the proposal shall be handed over to the Finnish Parliament in autumn 2017. The proposal for the supplementary Finnish Data Protection Act is expected to enter into force on 25 May 2018.

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/finland-preparing-to-implement-the-gdpr/

UK: Commitment to introduce new Data Protection Bill in line with GDPR principles

Yesterday the UK Government set out its legislative programme for the next Parliamentary term, through the Queen’s Speech. Whilst Brexit will dominate the legislative agenda, data protection received special mention with a commitment to introduce a new Data Protection Bill.

The Bill will reiterate the UK’s commitment to implementation of the principles of privacy enshrined in the GDPR, regardless of Brexit. It will also add further clarity on how the UK intends to apply statutory controls to those areas of the GDPR where Member States have flexibility to develop complementary legal requirements or derogations.

The speech is an important message for anyone who may have had doubt about the UKs commitment to the GDPR after Brexit. It is a clear steer to UK business to get ready for the new privacy regime and a strong sign to any detractors, whether in Europe or the wider global community, that the UK remains focussed on maintaining a robustly regulated digital environment, at the forefront of emerging global standards.

Whilst we await with interest details of the specific regulatory controls within the Bill itself, this is a welcome message of clarity in otherwise uncertain political times.

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/uk-commitment-to-introduce-new-data-protection-bill-in-line-with-gdpr-principles/

AUSTRALIA: OAIC call out for comments – draft resources for businesses and agencies regarding the Notifiable Data Breach Scheme

Authors: Sinead Lynch, Jessica Noakesmith

On 2 June 2017, the Office of the Australian Information Commissioner (OAIC) released 4 draft resources for businesses and agencies regarding the Notifiable Data Breach scheme (NDB) scheme. Direct links to the draft resources are below:

These draft resources provide guidance to the NDB scheme with examples of how to prevent serious harm and avoid notification requirements with remedial action, examples of data breaches, definitions of unique terms and a practical approach to the requirements. The OAIC has noted that any information provided by entities can be requested to be confidential (and the OAIC will liaise with entities in case of an Freedom of Information (FOI) request).

The draft resources note ‘serious harm’ may include serious physical, psychological, emotional, financial or reputational harm. Unfortunately, the resources do not address some of the concerns around assessing when “suspected data breaches arises. The OAIC has confirmed however its plans to release a further guideline – “Assessing a suspected data breach – which it confirms will ” provide guidance about the process to follow when carrying out an assessment of ‘whether there are reasonable grounds to suspect that there may have been an eligible data breach of the entity’”.

Please see our key points below for further details on these 4 resources.

The OAIC is asking for any comments by 14 July 2017. You can make a submission here.

We are advising a number of our clients in this area. If you / your organisation would like any support or assistance in commenting on the draft resources, please do let us know.

The OAIC has posed some key questions to consider:

  • Are the draft resources clear, relevant and practical?
  • Do the draft resources meet the needs of agencies and organisations in understanding the new requirements under the NDB scheme?
  • Are there any topics that you believe the draft resources should cover that have not been covered, or should be covered in greater detail?
  • Are there any practical examples you could share to help illustrate the operation of the NDB scheme?
  • Are there any other ways in which the draft resources could be enhanced?

Key points

Entities covered by the NDB scheme

  • Notes that generally, agencies and entities that are covered by the Privacy Act 1988 (Cth) (the Privacy Act) must comply with the NDB scheme.
  • Outlines the applicability of the NDB scheme to Australian Privacy Principles (APP) entities, credit reporting bodies, credit providers and TFN recipients, and outlines the exceptions for the NDB scheme to apply to small business operators.
  • Defines ‘holding’ personal information disclosed overseas for the purposes of assessing an eligible data breach.

Identifying eligible data breaches

  • Notes that the NDB scheme requires entities to notify particular individuals and the OAIC about ‘eligible data breaches’.
  • Gives examples of how to prevent serious harm with remedial action and examples of data breaches.
  • Includes definitions of unauthorised access, unauthorised disclosure, loss and:
    • ‘Eligible data breach’ (objectively, from the viewpoint of a reasonable person in the entity’s position) is:
      • the unauthorised access to or unauthorised disclosure of personal information, or a loss of personal information that an entity holds (including internal, independent contractors, hackers etc.);
      • that is likely to result in serious harm to one or more individuals; and
      • the entity has not been able to prevent the likely risk of serious harm with remedial action.
    • ‘Serious harm’ may include serious physical, psychological, emotional, financial or reputational harm. Section 26WG lists ‘relevant matters’ that entities may use in an assessment of the likelihood of serious harm. Entities should consider the types of personal information, the circumstances of the data breach and the nature of the harm (the resource expands these) when making this assessment. The resource does not define serious harm.
    • ‘Reasonable person’ means a person in the entity’s position who is properly informed, based on information immediately available or following reasonable inquiries or an assessment of the data breach. This definition can be influenced by relevant standards and practices and is also discussed in general terms in the APPs.
    • ‘Likely to occur’ means more probable than not (rather than possible).

Notifying individuals about an eligible data breach

  • Notes that when an entity experiences an eligible data breach it must provide a statement to the Commissioner and notify individuals at risk of serious harm of the contents of the statement as soon as practicable after completing the statement prepared for notifying the Commissioner. If the breach applies to multiple entities only one entity needs to comply, and the entities decide who. The Commissioner suggests the entity with the most direct relationship with the individuals at risk of serious harm should undertake the notification. If none of the entities do, each may have breached.
  • Defines ‘as soon as practicable’ to include considerations of cost, time and effort. The Commissioner expects expeditious notification.
  • Explores the three options to ‘notify’ individuals (notify all individuals affected, notify those at risk of serious harm or publish notification to website). An entity can use any reasonable method to notify individuals (call, SMS, mail, social media, in-person etc.). If it’s not practical to notify individuals, the entity must publish a copy of the statement on their website and take reasonable steps to bring this to the attention of the individuals at risk of serious harm. ‘Reasonable steps’ might include:
    • ‘ensuring that the webpage on which the notice is placed can be located and indexed by search engines’
    • ‘publishing an announcement on the entity’s social media channels’
    • ‘ taking out a print or online advertisement in a publication or on a website the entity considers reasonably likely to reach individuals at risk of serious harm’

Australian Information Commissioner’s role in the NDB scheme

  • The Commissioner acknowledges it will take time to become familiar with the NDB scheme and during the first 12 months operation of the NDB scheme the primary focus will be on working with entities to ensure they understand, and are working in good faith to implement, the NDB scheme. The priority is to offer advice and guidance to entities and provide assistance to individuals at risk of serious harm, however the Commissioner may make inquiries or take regulatory action.
  • Notes that entities may request that the information provided be confidential, and if an FOI request is made, the Commissioner will consult with the entity (or transfer the request if it is an agency).
  • Describes the content included in a notification statement. The OAIC comments that although the Privacy Act does not require it, entities may provide additional information to the Commissioner e.g. circumstances and further detail about the entity’s response.
  • Outlines the powers of the Commissioner under to NDB scheme to:
    • accept an enforceable undertaking (section 33E) and bring proceedings to enforce an enforceable undertaking (section 33F)
    • make a direction to notify
    • declare that notification need not be made or that it can be delayed (in exceptional cases) after a detailed application by an entity
    • make a determination (section 52) and bring proceedings to enforce a determination (sections 55A and 62)
    • seek an injunction to prevent ongoing activity or a recurrence (section 98)
    • apply to court for a civil penalty order for a breach of a civil penalty provision (section 80W), which includes any serious or repeated interference with privacy
  • Notes that the requirement under section 36 of the Privacy Act to investigate a complaint made by an individual about an interference with that individual’s privacy includes a failure to notify an individual under the NDB scheme.

For further information and commentary on the Notifiable Data Breach scheme generally see our post here.

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/oaic-call-out-for-comments-draft-resources-for-businesses-and-agencies-regarding-the-notifiable-data-breach-scheme/

GLOBAL: GDPR – One Year to Go!

It is one year to the day until the European General Data Protection Regulation comes in to force. The clock is now ticking to fines of up to 4% of total worldwide annual revenue for failing to comply with the requirements of the EU GDPR. To assist your organisation with preparing for 25 May 2018 we have developed a suite of useful tools.














Explore GDPR Mobile App

  • Our Explore GDPR mobile app is now available for downloading from both Apple’s App Store and Google Play. The app has been developed to make the text of the new EU General Data Protection Regulation (GDPR) easily accessible. It not only provides the full Regulation text but is also fully searchable and links each article to each of the relevant recitals. In addition, articles from the EU GDPR are linked to corresponding articles from its predecessor, the EU Data Protection Directive 95/46/EC.

GDPR Microsite

  • We maintain a dedicated GDPR microsite where you can find useful information to help you learn about the EU GDPR – what it covers, the impact it is likely to have on organisations across different sectors, actions to take now to prepare, as well as regular updates and information on our webinars and events. You will also find our summary Guide to the GDPR which many organisations find to be a helpful quick guide to the key requirements of the GDPR.

Data Protection Officer Training Academy

  • We have developed a Data Protection Officer Training Academy aimed at IT, compliance and legal professionals, or those taking on the role of Data Protection Officer. The course provides practical, interactive guidance on how to establish and manage compliance as a DPO, consistent with the many requirements of the GDPR.

Data Privacy Scorebox

  • Our Data Privacy Scorebox is an online tool to help you assess your data protection maturity level. It requires completing a survey covering areas such as storage of data, use of data, and customers’ rights. Once completed, a report summarising your organisation’s alignment with 12 key areas of global data protection is produced. The report also includes a practical action point check list and peer benchmarking data.

Data Protection Laws of the World Guide

  • Our Data Protection Laws of the World Guide offers a succinct overview of the areas of data protection law that have the most practical significance to businesses. The Handbook covers over 90 jurisdictions.

About DLA Piper’s Data Protection, Privacy and Security Group
The DLA Piper Data Protection, Privacy and Security Group includes over 150 privacy lawyers worldwide. We provide business-oriented legal advice on achieving effective compliance wherever you do business. For more information, please do not hesitate to contact us at dataprivacy@dlapiper.com.

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/global-gdpr-one-year-to-go/

EUROPE: Practical impacts of GDPR on the employment relationship

In this article we focus on some of the practical impacts of GDPR on the employment relationship and what businesses can do to manage these and prepare for implementation by May 2018.

Data subject access requests

Under the GDPR, employees will have the right to much more detailed, transparent and accessible information about the processing of their data. Data subject access requests will be easier for employees. In most cases employers will not be able to charge for complying with a request and normally will have just a month to comply, rather than the current 40 days. The removal of the £10 subject access fee is a significant change from the existing rules under the Data Protection Act (DPA).

Where requests are complex a two month extension is possible, giving a total of three months to comply. Where requests are manifestly unfounded or excessive, in particular because they are repetitive, employers can  either charge a reasonable fee (not capped) taking into account the administrative costs of providing the information, or refuse to respond.

Guidance will hopefully give an indication in due course of what sorts of requests could be viewed as complex, unfounded or excessive. However, the ICO is very unlikely to consider a request from an employee as complex, unfounded or excessive, even if they are asking for all their data, unless they have made a previous request recently. The ICO will expect employers to keep information in a manner which means they can locate and supply information within the initial month.

Where an employer intends to delay the response or refuses to respond to a request, the employer must write promptly to the individual within the month explaining why the request is refused or delayed. The employer must also inform them of their right to complain to the supervisory authority and to a judicial remedy.

The DPA contains various exemptions to the duty to disclose such as in relation to legal privilege but at present, the GDPR contains no such exemptions which an employer can rely on to avoid provision of the employee’s personal data. It may be that, in the UK at least, the doctrine of privilege will ‘trump’ data protection rights, but that remains to be tested.

Employers need to update procedures and plan how to handle requests within the new timescales. The GDPR introduces a new best practice recommendation that, where possible, organisations should be able to provide remote access to a secure self-service system which would provide the individual with direct access to his or her information. This will not be appropriate for all organisations, but there are some sectors where this may work well. In any event the ICO will expect employers to keep employee personal data in a manner which means that requests for access can be responded to promptly.

What this means in practice is that employers will need sophisticated policies and IT systems to manage DSARs within reasonable timeframes. In order to prepare for compliance, employers should take steps now to:

  • Update procedures and plan how to handle SARs and provide any additional information within the new timescales;
  • Develop template response letters to ensure that all elements of a response to a SAR under the GDPR are complied with;
  • Assess the organisation’s ability to isolate data pertaining to a specific individual quickly and to provide data in compliance with the GDPR’s format obligations;
  • Ensure that employees are trained to recognise and respond quickly and appropriately to SARs.
  • Consider putting a ‘data subject access portal’ in place allowing an individual to access their information easily online.

Automated processing and profiling

Employees have a right under the GDPR to not be subject to a decision made solely by automated processing where that decision significantly affects them. This includes decisions based on profiling (any form of automated processing to evaluate certain personal aspects of individuals, in particular to analyse or predict indicators such as their performance at work, health, personal preferences, reliability, and behaviour).

The ICO recently published a discussion paper on profiling in which it set out its initial thoughts on where automated processing may significantly affect an employee. In their view this includes processing that:

  • Limits rights or denies an opportunity;
  • Affects individuals’ financial or economic status or circumstances;
  • Leaves individuals open to discrimination or unfair treatment;
  • Involves the analysis of the special categories of personal data or other intrusive data;
  • Causes, individuals to change their behaviour in a significant way; or
  • Has unlikely, unanticipated or unwanted consequences for individuals.

It is not difficult to see how these might be the outcome of automated processing of HR data. Areas where employers might currently use automated decision-making, which they should therefore review, include:

  • Recruitment, including automated rejection or shortlisting;
  • Performance management/triggers for sickness absence;
  • Eligibility for attendance bonuses;
  • Holiday or shift rostering;
  • Employee monitoring; and
  • Profiling, particularly where this may impact on selection for talent programmes or career progression rather than purely for development purposes.

From a practical perspective employers need to ensure that where they use automated decision making they can explain how it works and there is another way to make an equivalent assessment of the individual if he/she objects.

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/europe-practical-impacts-of-gdpr-on-the-employment-relationship/

AUSTRALIA: Privacy Awareness Week Update – Industry Debrief: Mapping the community’s privacy expectations

By Sinead Lynch and Jessica Noakesmith

Today our Australian IPT team attended the ‘Industry Debrief: Mapping the community’s privacy expectations’ presented by the Australian Information and Privacy Commissioner, Timothy Pilgrim, and Principal from The Wallis Group, Jayne Van Souwe.

We heard some of the key issues raised by the 2017 Australian Community Attitudes to Privacy Survey and part of the Office of the Australian Information Commissioner’s (OAIC) plan to address rising privacy concerns in Australia. It was also notable that the survey confirmed many Australians as being comfortable with and welcoming the new mandatory data breach notification rules due to come into effect in early 2018.

Survey findings:

  • 83% of all Australians viewed online interactions are inherently more risky in privacy terms (although many privacy breaches that the OAIC currently handle are offline and low tech).
  • 25% never ask why their personal information is being collected.
  • 9 in 10 Australians are concerned about personal information being transferred overseas and confirm they do not like it.
  • 79% are uncomfortable with sharing their data in a commercial sector.
  • Young Australians under 35 are the most likely to exchange data for benefit.
  • The health sector continues to be regarded as the most trustworthy, with financial institutions and government sector following closely behind.

Some notable key points:

  • there is a considerable gap between privacy concern and actions of all Australians;
  • consumer’s decision making relies on existing goodwill and trust in an organisation over detailed policies – for example, many Australians are not likely to read a long and complex privacy policy; OAIC confirming that simplifying privacy policies will be a core focus; and
  • there is significant personal responsibility in personal information protection. Everyone has a role to play.

The Commissioner, Mr. Pilgrim, highlighted some actions the OAIC has recently undertaken and some currently in progress, including:

  • working with CSIRO to develop tools to assist with de-identification of data and information – the OAIC posing the question “Can you really de-identify personal information?”;
  • preparing the OAIC response to the Productivity Commission report on Data Availability and Use that was released last week;
  • working with the Prime Minister’s public data groups to establish how data can be used for “good purposes” and how to avoid the impact on individuals – in line with a trend towards open and effective use of data;
  • exploring the social / economic use of personal information – a possible social licence for innovative data use, including options of notice and consent;
  • their recently published guide to “personal information” on the OAIC website;
  • the final Australian businesses and the EU General Data Protection Regulation guidance is to be released within the coming weeks. See the draft resource here – according to the Privacy Commissioner, the GDPR is “extraordinarily important” to Australian businesses; and
  • educating Australians about the Right of Access to personal information, indicating a potential focus point on data subject access right here also.

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/australia-privacy-awareness-week-update-industry-debrief-mapping-the-communitys-privacy-expectations/

GLOBAL: The GDPR at your fingertips – our new app

We are delighted to announce the launch of DLA Piper’s new Explore GDPR mobile app! It is now available for downloading from Apple’s App Store and Google Play.

The Explore GDPR mobile app has been developed to make the text of the new EU General Data Protection Regulation (GDPR) easily accessible. The app not only provides the full Regulation text but is also fully searchable and links each article to each of the relevant recitals. In addition, articles from the EU GDPR are linked to corresponding articles from its predecessor, the EU Data Protection Directive 95/46/EC.

It is suitable for use on smartphones and also works particularly well on tablets. After downloading the app the content is available even when you are offline.

The text is available in 13 languages, including Czech, Dutch, English, Finnish, French, German, Hungarian, Italian, Polish, Romanian, Slovakian, Spanish and Swedish.

The app requires iOS 8.1, Android 4.1, or later.

Privacy Matters GDPR App


Permanent link to this article: http://blogs.dlapiper.com/privacymatters/global-the-gdpr-at-your-fingertips-our-new-app/

UK: Government triggers Article 50

After months of speculation and legal and political wrangling, Theresa May, the UK Prime Minister, has today triggered Article 50 and formally begun the process of the withdrawal of the UK from the European Union.

For latest insights on all aspects of Brexit, including the GDPR and data transfers to / from the UK after April 2019, please see our dedicated Brexit microsite.

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/uk-government-triggers-article-50/

AUSTRALIA: Mandatory data breach reporting comes to Australia

By Peter Jones (Partner, Sydney) and Josephine Gardiner (Associate, Sydney)

After a gestation period that would make African Bush Elephants proud, it is finally here…

It would be an understatement to say that data breach notification laws have been on the table for some years in Australia. The long-awaited mandatory data breach laws, which passed the Senate on Monday, are the result of a long and winding five year road through the Australian Parliament, three governments and many abandoned attempts. The Privacy Amendment (Notifiable Data Breaches) Act 2016, which amends the Privacy Act 1988, will legally compel organisations to disclose a data breach to the Australian Privacy Commissioner and affected individuals in certain circumstances.

When will the regime start?

At the time of writing, an exact commencement date has not been set (though our bet is that it will be within the next 12 months).

What’s it all about?

Basically, the legislation requires an entity to report a ‘serious data breach’ to customers, the Privacy Commissioner and, potentially, the media.

What is a ‘serious data breach’ you ask? Well, given the importance of this term to the notification regime, it is not ideal that more objective certainty has not been provided. We do know that a serious data breach includes unauthorised access to, disclosure of, or loss of customer information held by the entity (for example personal information, credit reporting information or tax file information) and puts individuals affected at ‘real risk of serious harm.’ This will require judgement calls to be made by organisations as to when notification is required to be made, introducing compliance uncertainty, at least until a number of incidents have arisen and been considered by the Privacy Commissioner.

The notification should include specific details including the information involved and how those affected can respond to the incident (by cancelling credit cards or changing a passwords for example). The entity must not only make such a notification after a breach has been known to have occurred, but also when it becomes aware that there are reasonable grounds to believe that there has been an eligible data breach. The entity must comply with these notification steps as soon as practicable. We note too that there are also quite robust obligations to undertake investigations into whether there has been a data breach where an entity has a ‘suspicion’ that there may have been such a breach.

It is recommended that entities currently bound by the Privacy Act review their internal procedures to update data breach response plans and related requirements to align with the new requirements. Easy, huh?

Well, not so fast. We all know that privacy provides fertile ground for legal exposure but also reputation and brand damage. If an obligation to notify arises, how do you manage the potentially competing demands of legally mandated notification with PR advice which, often, recommends against notification unless you have first identified the problem, resolved it/put in place workarounds and ideally come to some view on ‘customer compensation’. Crisis management advisers may well be popping the odd champagne cork or two (although probably not Krug or Cristal just yet).

Also, in a world where personal information is increasingly the subject of third party processing and storage arrangements, how will your compliance obligations be cascaded into the agreements with those third party suppliers? Do any existing ‘compliance with law’ obligations extend to cover the operational requirements of the new regime? Are contract amendments required? What leverage do you have to require those amendments?  How can you provide for contract certainty where the legislative requirements are not themselves absolutely crystal clear? Will third party providers, particularly global vendors such as cloud providers, accept obligations to ‘self-police’ breach and disclosure matters?

Maybe not so easy after all…

Consequences of non-compliance

If an individual or business fails to comply with the new notification legislation, it can be liable for serious or repeated interferences with the privacy of an individual and can face a civil penalty of up to $360,000 and $1.8 million respectively.

How will the new laws impact your business?

The US and EU have already established advanced regulation in this area. While Australia is late to the party, the overall effect of the laws for Australia will align – to some extent – privacy requirements with a wide range of other jurisdictions. For international companies operating already under other mandatory breach notification regimes, the changes may be minimal, such as tweaking internal compliance functions. However, for companies with local footprints only, these changes may be more significant.

We realise that the legislation has not yet commenced but reviewing your business’ privacy regime would not be a bad place to start. It should also be a priority to ensure your customers information is not compromised in any way and to ensure you have operational procedures in place to adequately manage a data breach event. Thinking this through your existing and future supplier environment and the nature of required upstream contract obligations will also be needed.

Response to the new laws?

Despite the bill only being passed yesterday, concerns with the legislation have already been expressed by legislators (Senator Cory Bernardi for one). Specifically, some have criticised the ability of the Office of the Australian Information Commissioner (OAIC) to manage the new regime given its current resourcing levels.

Additionally, others are concerned that the legislation is one of the strictest disclosure laws in the world. Its threshold is relatively low as disclosure must be made by the entity not only if it knows a breach has occurred but in the event they believe a breach may have occurred (plus the onerous investigation obligations that are triggered by having a ‘suspicion’ that a breach may have occured). This can be seen as both a positive and a negative depending on what which side of the privacy debate spectrum you sit on.

Senator Bernardi has also called out what he considers to be the unnecessary red tape and the ‘lack of specificity.’ Specifically, he claims that, ‘a serious breach’ is too broadly defined in the laws suggesting that someone with a mere ‘mailing list could fall foul’ of the new rules. Some of these arguments were supported by the recently formed group, Data Governance Australia, whose CEO Graeme Samuels (former head of the ACCC) stated that the legislation was ‘heavy handed’ and suggested a voluntary industry code of conduct instead.

On the other side are those who put the privacy of the individuals above the concerns of over regulation. Senator Penny Wong for example has pointed out that before these laws commence, a government agency, a bank or an online store can incur a breach of an individual’s data and would not have to alert the individual to protect themselves (mainly out of fear of damage to the corporation’s reputation).

So, what will the OAIC do? Again, if we were placing bets we would probably place a responsible wager on the Privacy Commissioner pursuing a suitable ‘example’ in the initial 12 months of the regimes.


In Timothy Pilgrim’s (Australia’s Privacy Commissioner as well as the Acting Information Commissioner) statement made yesterday, he welcomed the new data breach legislation and working with the government, businesses and consumer groups in preparation for commencement of the new laws.

However, as noted, it is difficult to escape the reality that the legislation adds further grey areas to an already difficult area of law for businesses to navigate (as the Privacy Act in Australia is largely a ‘principles-based’, as opposed to a prescriptive, regime). For example, the lack of specification as to what constitutes ‘serious harm.’ The interpretation of such ambiguities and the overall application of the laws can only be clarified through a combination of Privacy Commissioner guidance and eventual action.

On a practical level, another potential problem of this legislation is that the data breach scheme could lead to ‘notification fatigue’ among members of the public. This means that a bombardment of notifications could eventually undermine the effectiveness of the entire reporting scheme. As the cyber threat environment continues to evolve, and as ‘big data’ analytics and the internet of things continue to expand in Australia, the chances of a breaches occurring (and such breaches meeting the required standard) could increase dramatically and ‘notification fatigue’ could come with it.

Ultimately, if the new notification regime was in itself perceived to provide something of a panacea for individuals, and to provide greater clarity to business in terms of the Legislature’s requirements, in our view that perception can be challenged.

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/australia-mandatory-data-breach-reporting-comes-to-australia/

Older posts «