Tag Archive: Australia

AUSTRALIA: Privacy Awareness Week Update – Industry Debrief: Mapping the community’s privacy expectations

By Sinead Lynch and Jessica Noakesmith

Today our Australian IPT team attended the ‘Industry Debrief: Mapping the community’s privacy expectations’ presented by the Australian Information and Privacy Commissioner, Timothy Pilgrim, and Principal from The Wallis Group, Jayne Van Souwe.

We heard some of the key issues raised by the 2017 Australian Community Attitudes to Privacy Survey and part of the Office of the Australian Information Commissioner’s (OAIC) plan to address rising privacy concerns in Australia. It was also notable that the survey confirmed many Australians as being comfortable with and welcoming the new mandatory data breach notification rules due to come into effect in early 2018.

Survey findings:

  • 83% of all Australians viewed online interactions as inherently more risky in privacy terms (although many privacy breaches that the OAIC currently handles are offline and low tech).
  • 25% never ask why their personal information is being collected.
  • 9 in 10 Australians are concerned about personal information being transferred overseas and confirm they do not like it.
  • 79% are uncomfortable with sharing their data in a commercial sector.
  • Young Australians under 35 are the most likely to exchange data for benefit.
  • The health sector continues to be regarded as the most trustworthy, with financial institutions and government sector following closely behind.

Some notable key points:

  • there is a considerable gap between privacy concern and actions of all Australians;
  • consumers’ decision-making relies on existing goodwill and trust in an organisation rather than on detailed policies – for example, many Australians are not likely to read a long and complex privacy policy; the OAIC confirmed that simplifying privacy policies will be a core focus; and
  • there is significant personal responsibility in personal information protection. Everyone has a role to play.

The Commissioner, Mr. Pilgrim, highlighted some actions the OAIC has recently undertaken and some currently in progress, including:

  • working with CSIRO to develop tools to assist with de-identification of data and information – the OAIC posing the question “Can you really de-identify personal information?”;
  • preparing the OAIC response to the Productivity Commission report on Data Availability and Use that was released last week;
  • working with the Prime Minister’s public data groups to establish how data can be used for “good purposes” and how to avoid the impact on individuals – in line with a trend towards open and effective use of data;
  • exploring the social / economic use of personal information – a possible social licence for innovative data use, including options of notice and consent;
  • their recently published guide to “personal information” on the OAIC website;
  • the final ‘Australian businesses and the EU General Data Protection Regulation’ guidance is to be released within the coming weeks. See the draft resource here – according to the Privacy Commissioner, the GDPR is “extraordinarily important” to Australian businesses; and
  • educating Australians about the Right of Access to personal information, indicating a potential focus point on data subject access right here also.

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/australia-privacy-awareness-week-update-industry-debrief-mapping-the-communitys-privacy-expectations/

AUSTRALIA: Mandatory data breach reporting comes to Australia

By Peter Jones (Partner, Sydney) and Josephine Gardiner (Associate, Sydney)

After a gestation period that would make African Bush Elephants proud, it is finally here…

It would be an understatement to say that data breach notification laws have been on the table for some years in Australia. The long-awaited mandatory data breach laws, which passed the Senate on Monday, are the result of a long and winding five year road through the Australian Parliament, three governments and many abandoned attempts. The Privacy Amendment (Notifiable Data Breaches) Act 2016, which amends the Privacy Act 1988, will legally compel organisations to disclose a data breach to the Australian Privacy Commissioner and affected individuals in certain circumstances.

When will the regime start?

At the time of writing, an exact commencement date has not been set (though our bet is that it will be within the next 12 months).

What’s it all about?

Basically, the legislation requires an entity to report a ‘serious data breach’ to customers, the Privacy Commissioner and, potentially, the media.

What is a ‘serious data breach’ you ask? Well, given the importance of this term to the notification regime, it is not ideal that more objective certainty has not been provided. We do know that a serious data breach includes unauthorised access to, disclosure of, or loss of customer information held by the entity (for example personal information, credit reporting information or tax file information) and puts individuals affected at ‘real risk of serious harm.’ This will require judgement calls to be made by organisations as to when notification is required to be made, introducing compliance uncertainty, at least until a number of incidents have arisen and been considered by the Privacy Commissioner.

The notification should include specific details, including the information involved and how those affected can respond to the incident (by cancelling credit cards or changing passwords, for example). The entity must make such a notification not only after a breach is known to have occurred, but also when it becomes aware that there are reasonable grounds to believe that there has been an eligible data breach. The entity must comply with these notification steps as soon as practicable. We note too that there are also quite robust obligations to investigate whether there has been a data breach where an entity has a ‘suspicion’ that there may have been such a breach.

It is recommended that entities currently bound by the Privacy Act review their internal procedures to update data breach response plans and related requirements to align with the new requirements. Easy, huh?

Well, not so fast. We all know that privacy provides fertile ground for legal exposure but also reputation and brand damage. If an obligation to notify arises, how do you manage the potentially competing demands of legally mandated notification with PR advice which, often, recommends against notification unless you have first identified the problem, resolved it/put in place workarounds and ideally come to some view on ‘customer compensation’. Crisis management advisers may well be popping the odd champagne cork or two (although probably not Krug or Cristal just yet).

Also, in a world where personal information is increasingly the subject of third party processing and storage arrangements, how will your compliance obligations be cascaded into the agreements with those third party suppliers? Do any existing ‘compliance with law’ obligations extend to cover the operational requirements of the new regime? Are contract amendments required? What leverage do you have to require those amendments? How can you provide for contract certainty where the legislative requirements are not themselves absolutely crystal clear? Will third party providers, particularly global vendors such as cloud providers, accept obligations to ‘self-police’ breach and disclosure matters?

Maybe not so easy after all…

Consequences of non-compliance

If an individual or business fails to comply with the new notification legislation, it can be found liable for a serious or repeated interference with the privacy of an individual and can face a civil penalty of up to $360,000 (for an individual) or $1.8 million (for a business).

How will the new laws impact your business?

The US and EU have already established advanced regulation in this area. While Australia is late to the party, the overall effect of the laws for Australia will align – to some extent – privacy requirements with a wide range of other jurisdictions. For international companies operating already under other mandatory breach notification regimes, the changes may be minimal, such as tweaking internal compliance functions. However, for companies with local footprints only, these changes may be more significant.

We realise that the legislation has not yet commenced, but reviewing your business’ privacy regime would not be a bad place to start. It should also be a priority to ensure your customers’ information is not compromised in any way and to ensure you have operational procedures in place to adequately manage a data breach event. Thinking this through across your existing and future supplier environment, and the nature of the upstream contract obligations required, will also be needed.

Response to the new laws?

Despite the bill only being passed yesterday, concerns with the legislation have already been expressed by legislators (Senator Cory Bernardi for one). Specifically, some have criticised the ability of the Office of the Australian Information Commissioner (OAIC) to manage the new regime given its current resourcing levels.

Additionally, others are concerned that the legislation is one of the strictest disclosure laws in the world. Its threshold is relatively low, as disclosure must be made by the entity not only if it knows a breach has occurred but also if it believes a breach may have occurred (plus the onerous investigation obligations that are triggered by having a ‘suspicion’ that a breach may have occurred). This can be seen as both a positive and a negative depending on which side of the privacy debate spectrum you sit on.

Senator Bernardi has also called out what he considers to be the unnecessary red tape and the ‘lack of specificity.’ Specifically, he claims that ‘a serious breach’ is too broadly defined in the laws, suggesting that someone with a mere ‘mailing list could fall foul’ of the new rules. Some of these arguments were supported by the recently formed group, Data Governance Australia, whose CEO Graeme Samuel (former head of the ACCC) stated that the legislation was ‘heavy handed’ and suggested a voluntary industry code of conduct instead.

On the other side are those who put the privacy of the individuals above the concerns of over regulation. Senator Penny Wong for example has pointed out that before these laws commence, a government agency, a bank or an online store can incur a breach of an individual’s data and would not have to alert the individual to protect themselves (mainly out of fear of damage to the corporation’s reputation).

So, what will the OAIC do? Again, if we were placing bets we would probably place a responsible wager on the Privacy Commissioner pursuing a suitable ‘example’ in the initial 12 months of the regime.

Commentary

In Timothy Pilgrim’s (Australia’s Privacy Commissioner as well as the Acting Information Commissioner) statement made yesterday, he welcomed the new data breach legislation and the opportunity to work with the government, businesses and consumer groups in preparation for commencement of the new laws.

However, as noted, it is difficult to escape the reality that the legislation adds further grey areas to an already difficult area of law for businesses to navigate (as the Privacy Act in Australia is largely a ‘principles-based’, as opposed to a prescriptive, regime). One example is the lack of specification as to what constitutes ‘serious harm.’ The interpretation of such ambiguities and the overall application of the laws can only be clarified through a combination of Privacy Commissioner guidance and eventual enforcement action.

On a practical level, another potential problem with this legislation is that the data breach scheme could lead to ‘notification fatigue’ among members of the public: a bombardment of notifications could eventually undermine the effectiveness of the entire reporting scheme. As the cyber threat environment continues to evolve, and as ‘big data’ analytics and the internet of things continue to expand in Australia, the chances of breaches occurring (and of such breaches meeting the required standard) could increase dramatically, and ‘notification fatigue’ could come with it.

Ultimately, if the new notification regime was perceived to be something of a panacea for individuals, and to provide greater clarity to business as to the Legislature’s requirements, in our view that perception can be challenged.

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/australia-mandatory-data-breach-reporting-comes-to-australia/

AUSTRALIA: New privacy code for the market and social research industry

In late 2014 the Australian Privacy Commissioner registered the Privacy (Market and Social Research) Code 2014 (Code) in accordance with the Privacy Act 1988 (Cth) including the Australian Privacy Principles (APP) (Privacy Act).

The Code is the first code registered under the new Australian privacy regime/the APPs which became effective on 12 March 2014. The Code replaces the previous Association of Market and Social Research Organisation code of practice in force since 2003 (as amended in 2007) made under a previous part of the Privacy Act. 


Permanent link to this article: http://blogs.dlapiper.com/privacymatters/new-privacy-code-for-the-market-and-social-research-industry/

AUSTRALIA: Privacy commissioner to audit 21 privacy policies for compliance: it may be you!

The Australian Privacy Commissioner (Commissioner) is preparing to conduct an assessment of 21 online privacy policies at random. The Commissioner also noted:

“[we’ve] been talking for a long time about the need to build privacy into ‘business as usual processes’, and how essential it is to include in business and project planning … but now that we have had almost a year to settle into the changes to privacy laws, we’d like to start talking about more than just basic compliance, and shift the conversation to ongoing governance. A key component of a successful end-to-end privacy program is regular monitoring. This will ensure that privacy policies, procedures and guidance are being followed and that they remain relevant to your business and the privacy risks it faces.”

Also, in a re-affirmation of prior comments and views on where the responsibility for privacy compliance lies (and possibly hinting at those individuals in a company who may be targeted for personal fines), the Commissioner said:

“responsibility for privacy governance sits firmly with the CEO, the Executive, the board or the management of any organisation. It is these roles that must promote privacy as an asset to be respected, managed and protected.”

Is your organisation compliant?

These audits will look at whether your online policies are clearly expressed and up-to-date, cover the content and contact requirements, are available in an appropriate form and are compliant with all other requirements of the Australian Privacy Principles (APPs). Based on our experience and our recent survey of a number of online privacy policies, we estimate that around 50 percent of the privacy policies accessible online are not compliant with the APPs.

If you would like assistance to determine if your existing privacy policy is APP compliant or advice on any of your privacy/privacy governance obligations, please do not hesitate to contact any of our Privacy & Security team.

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/australia-privacy-commissioner-to-audit-21-privacy-policies-for-compliance-it-may-be-you/

Developing US privacy trend that will soon impact Australian businesses

Authors:
Alec Christie

Key points

  • Californian/US privacy enforcement strategy to ensure companies comply with/implement their privacy policies
  • If strategy is applied to Australian businesses on basis of similar laws, significant damages could be awarded for a first time or one–off failure to comply with/implement their privacy policies
  • Review your current practices and existing privacy policy to ensure you have implemented and are complying with your privacy policy

Background

During the author’s recent presentation and attendance at the International Association of Privacy Professionals’ Privacy Academy in San Jose, California, it became apparent that the Californian Attorney General and the Department of Justice were considering ‘ramping up’ a privacy enforcement strategy (Strategy) (which may spread to other US States). The Strategy uses the Californian state and US federal ‘misleading or deceptive conduct’ or unfair trade laws, similar to Section 18 of the Australian Consumer Law (ACL), to ‘prosecute’ those companies operating in California that do not implement or comply with their own privacy policies.

While this Strategy has occasionally been considered in Australia under the old Trade Practices Act 1975 (Cth) provisions, it has to date not been actively and vigorously pursued in Australia by the relevant regulators or by individuals. However, based on the presentation by a representative of California’s Department of Justice and a talk by a senior member of the California Attorney General’s Office, it seems that the Strategy may now be aggressively pursued, in the state of California at least, in order to ensure that companies doing business in California actually do what they say they will do in their privacy policy.

Given the similarities with the ‘misleading or deceptive conduct’/unfair trade provisions in Australian law and the expectation that use of the Strategy in California will soon become widely known to Australian regulators and individuals, we believe it is only a question of time before the Australian Competition and Consumer Commission (ACCC) and/or individuals (and possibly business competitors) in Australia start to take action for misleading or deceptive conduct under Section 18 of the ACL where a company carrying on business in Australia does not implement/comply with its privacy policy.

The previous US experience

Some of the early US federal cases have involved consideration of the statement in a company’s privacy policy that it takes ‘reasonable measures’ to protect the security of the information provided to it (a common term in Australian privacy policies). US courts have held that where information has been hacked or leaked and an investigation of the security measures actually taken by that company revealed that they were not ‘reasonable’ in the context of the (then) current industry practice, this statement has been found to be unfair/misleading and therefore actionable.

Implications for Australian business v current situation

In Australia, the Strategy could be used to maintain an action in respect of any failure by a business to implement/comply with the provisions of its privacy policy. For example, in addition to the ‘reasonable security measures’ representation, statements such as ‘we do not share your information’ (if it turns out that you do), ‘we do not use your information for marketing purposes’ (if it turns out that you do) etc will be actionable. The implementation of the Strategy could also be fuelled by the recently proposed move to mandatory breach notification for data breaches in Australia.

A contravention of the prohibition on misleading or deceptive conduct in Section 18 of the ACL is subject to remedies including injunctions, damages and compensatory orders. Using the Strategy will enable aggrieved individuals to seek damages for the harm caused by the business’ breach of Section 18 of the ACL. These damages could include any economic loss resulting from the breach, such as losses suffered from losing an opportunity (or chance). An example would be the loss of a prospective employment opportunity due to disclosure of one’s personal information in circumstances where the promises/representations in the privacy policy were not actually implemented.

Even though the recently enacted Privacy Amendment (Enhancing Privacy Protection) Act 2012 (Amendment Act) introduces fines of up to $340,000 for an individual and up to $1.7 million for an organisation for a serious invasion or repeated invasions of privacy from March 2014, the Strategy will continue to be available to aggrieved individuals, giving individuals direct redress against the business.

The concern for business if the Strategy does take off in Australia is that, whereas currently no penalties exist and even under the Amendment Act penalties will only apply to serious or repeated invasions of privacy, the Strategy may result in significant damages (including for lost opportunity/chance) being awarded against the business for a first time or one–off (and likely considered by the business as ‘minor’) failure to implement/comply with its privacy policy.

Key practical concern

In practice, the main worry at present is that the privacy policies of many Australian businesses have not been reviewed, amended/revised or updated to accord with changed circumstances (many for more than five years). That is, they have not been reviewed and amended to reflect changes to the purposes for collection of/the use of the information collected, the business undertaken, the arrangements for the processing of the information and/or the security measures taken by the business in respect of it.

While the new privacy regime will, from March 2014, require companies to ‘maintain’ their privacy policies (ie keep them up to date as a living document), any failure to implement/comply (even with an updated policy) will still lend itself to an action and potentially substantial damages under the Strategy.

What action is required now?

In a previous update dealing with the amendments to be introduced from March 2014 under the Amendment Act, we suggested that you consider reviewing your privacy policy and processes and update them now in order to be ready for the new law. However, given the likelihood that the Strategy may soon come to Australia, we now advise that you urgently review/audit your current practices and existing privacy policy to ensure that your policy reflects your current circumstances, business purposes and processes and your security arrangements, in order to minimise the risk of an action for misleading or deceptive conduct under the ACL arising from any failure by your business to implement or comply with its privacy policy.

Please do not hesitate to contact us if we can assist with this review/audit of your current practices and your privacy policy.

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/developing-us-privacy-trend-that-will-soon-impact-australian-businesses/