Tag:privacy

Update: Mandatory Data Breach Notification Laws closer to being introduced

By Cameron Abbott and Allison Wallace

As foreshadowed by the Attorney General’s Department last year, the Australian government is pushing ahead with its plan to introduce mandatory data breach notification laws, with Parliament today agreeing to a third reading of the Privacy Amendment (Notifiable Data Breaches) Bill 2016. You can find more about the proposed legislation here. We’ll keep you updated as the bill makes its way through parliament.

SAP criticises impending EU data protection laws

By Cameron Abbott and Allison Wallace

SAP has expressed concerns over the implications of the landmark EU data privacy regulations, saying the penalties that will be imposed are too high, and could impede the development of Europe’s start-up culture.

The data privacy regulation will be implemented in May 2018, and includes fines for EU companies up to 4 per cent of their global revenues if they commit a significant breach of data privacy.

In an interview with the Financial Times, SAP’s head of products and innovation, Bernd Leukert said he believes the penalties are too high, and put companies at risk of losing their entire revenue if they commit multiple breaches.

Mr Leukert said he also fears that the EU regulations were not properly aligned with laws in other jurisdictions, such as the US.

Privacy Commissioner investigates alleged sale of telco customer information

By Cameron Abbott and Allison Wallace

Australia’s Information and Privacy Commissioner Timothy Pilgrim is making enquiries into allegations that the personal information of customers of three Australian telcos is being sold online.

Fairfax uncovered an alleged rort involving ‘corrupt insiders’ at the offshore call centres of Telstra, Optus and Vodafone, which has allegedly seen details including customers’ addresses, dates of birth and billing statements leaked to at least one private company in India, which is then allegedly selling the information for up to $1000.

Commissioner Pilgrim has said in a statement that he is working to determine what further action may need to be taken.

All three telcos have also released statements, reiterating that they take the privacy of their customers seriously. Vodafone and Optus have met with the AFP, which has now passed the matter on to Indian authorities.

Victorian ruling clarifies application of privacy principles to social media accounts

By Cameron Abbott and Rebecca Murray

The Victorian Supreme Court recently confirmed that an employer was not obliged to immediately notify an employee that it was accessing her Facebook messages during a disciplinary investigation. This case clarifies the manner in which the Victorian Information Privacy Principles (IPPs) apply to social media.

In this case, an employer conducted an investigation into an employee after a colleague reported her for making a number of abusive remarks over Facebook. During the investigation, the employer accessed the employee’s Facebook messages without her knowledge. She was subsequently found guilty of misconduct and given a final warning.

The employee appealed the case to the Supreme Court of Victoria after the Victorian Civil and Administrative Tribunal (VCAT) found that her employer had complied with the IPPs. In her appeal, she questioned whether the ways her employer collected and used the information were necessary “for the purposes of a workplace disciplinary investigation” and whether accessing it without her knowledge or consent was “necessary for one or more of the organisation’s functions or activities” for the purposes of IPP 1.1.

The Supreme Court of Victoria confirmed VCAT’s finding that collecting further information was necessary under IPP 1.1 as the employer was conducting a misconduct investigation “which was a legitimate purpose” and said there was nothing to suggest its approach was inconsistent with the right to privacy. Furthermore, the court found that VCAT was correct in finding that IPP 1.3 (and 1.5) did not impose an obligation of immediate notification on the employer as it could have jeopardised the integrity of the disciplinary investigation. Access the IPPs here and read the court’s decision here.

Importantly, this case demonstrates that privacy law doesn’t automatically prevent employers from accessing the social media accounts of their employees to conduct investigations in appropriate circumstances.

Ashley Madison data breach joint findings released

By Cameron Abbott and Rebecca Murray

The Australian Privacy Commissioner, Timothy Pilgrim, and the Privacy Commissioner of Canada, Daniel Therrien, have released a joint report on the data breach of cheating website Ashley Madison, which affected approximately 36 million Ashley Madison user accounts last year. Read our post on the breach here.

Controversially, despite the company not having a physical presence in Australia, the Commissioners found that Ashley Madison’s parent company Avid Life Media (ALM) was regulated as an “APP entity” due to the fact that it carried on business and collected personal information in Australia. This finding was based on the fact that ALM conducted marketing in Australia, targeted Australian residents for its services and collected the personal information of Australians.

ALM agreed to a number of enforceable undertakings to the Commissioner. Amongst other things, ALM has undertaken to augment its security framework, provide extensive security training for staff and cease its practice of retaining the information of users with deleted, deactivated or inactive accounts. Consistent with the trend in undertakings, it requires independent verification of certain compliance steps. Find the undertakings here.

It also seeks to address the accuracy of the records, which is a challenge for a cheating website. Letting someone sign up using, for example, Tony Blair’s email address captured the attention of the regulators. They focused on the interests under privacy laws of those whose email addresses were falsely added to the sign-up. A confirming email with an option to opt out was not considered an adequate measure.

Read more about the report here.

Government committed to introducing Mandatory Data Breach Notification laws

By Cameron Abbott and Rebecca Murray

After much delay, a spokesperson for Attorney-General George Brandis has said the government is committed to introducing the Mandatory Data Breach Notification laws this year. We will be sure to look out for it during the next term of Parliament. You can find more information on the proposed scheme and its regulatory impact on the Attorney General’s Department consultation for Serious Data Breach Notification webpage.

Was Mickey Mouse hacked?

By Cameron Abbott and Rebecca Murray

Disney Interactive has notified users of its Playdom Forum that hackers have stolen personal information, which could put their privacy and online security at risk. The hackers acquired usernames, email addresses, and passwords for playdomforums.com accounts as well as IP addresses. Disney has not disclosed how many users have been affected, although the forum is said to have over 350,000 members. Read Disney Interactive’s statement here.

What Pokémon ‘needed’ to know about you

By Cameron Abbott and Rebecca Murray

The hugely popular Pokémon GO app is at the centre of privacy and security concerns after recent media reports noted that its installation required access to a significant amount of users’ personal information. This prompted Australian Privacy Commissioner Timothy Pilgrim to make enquiries with the developer of the app, Niantic Labs, to “ensure the personal information of users is being managed in accordance with the Australian Privacy Act.” Read the OAIC statement here.

Available on iOS and Android platforms, the smash-hit game uses augmented reality technology and your smart-phone GPS and camera to display fictional Pokémon which users then aim to find and capture.

Privacy concerns arose after users noted that installing the iOS version of the app required full access to users’ Google accounts. In response, Niantic Labs reported that the access was requested erroneously and that Google would reduce Pokémon GO’s permission to only the basic profile data that it needs. Niantic and Google have since corrected the permissions. Read Niantic’s statement here.

Commissioner Timothy Pilgrim warned that the security scare was a “timely reminder that people need to read the privacy policies of all smartphone apps before signing up. This way people can make an informed decision about if they want to use an app.” However, we will wager that 99% of people just click “accept”.

Microsoft welcomes big win against government information requests

By Cameron Abbott and Simon Ly

Last week, the US Court of Appeals for the Second Circuit reversed a previous lower court decision and found in favour of Microsoft in a long running dispute over a government information request.

In 2014, the US government successfully received a warrant for email records sought in connection with a drug case. Microsoft refused to comply with the orders and was subsequently found to be in contempt of court. However, the Court of Appeals has now ruled that the US government could not force Microsoft to hand over customer emails stored in an offshore server in Ireland because, amongst other things, the Stored Communications Act did not intend to legislate to allow for such warrant provisions. This decision comes hot on the heels of the EU-approved Privacy Shield, and it will be interesting to see how a similar decision will be dealt with moving forward in light of this regime.

This represents a big win for Microsoft and the tech sector more broadly, as service providers now have a basis for maintaining the position of protecting their users’ privacy. This decision also highlights that legal regimes are territorial notwithstanding the global nature of new technology offerings.

To read Microsoft’s news release following the decision, please see here.

EU-US Privacy Shield approved

By Cameron Abbott, Rob Pulham, Simon Ly and Rowena Baer

When the Safe Harbour arrangements were struck down, the EU and US worked to create a replacement and flesh out the details of this new arrangement (see our last article on this issue here). We have all been somewhat nervously watching to see if the new ‘Privacy Shield’ would get final approval amid criticism from some quarters. Good news: last Friday the EU member states on the Article 31 Committee voted to approve a revised Privacy Shield.

The new arrangement provides a welcome measure of certainty for businesses whose Trans-Atlantic data transfers have been left in legal limbo since the European Court of Justice declared the longstanding Safe Harbor Framework invalid in October 2015.

The European Commission has released a statement expressing their confidence in the adoption of the new Privacy Shield, noting that the new pact is “fundamentally different” from its predecessor. The new Privacy Shield imposes “clear and strong obligations on companies handling the data and makes sure that these rules are followed and enforced in practice”.

International tech industry groups have also praised the move as a win for both consumers and businesses as the pact provides robust consumer privacy protections. Voicing their support of the Privacy Shield, Microsoft released a detailed blog post on how the Privacy Shield is progress for privacy rights, declaring that the regime is an “important achievement for the privacy rights of citizens across Europe, and for companies across all industries that rely on international data flows to run their businesses and serve their customers”.

Whilst we are still at the early stages, companies should begin assessing the Privacy Shield’s impact on their existing agreements and also more broadly their data strategy, keeping in mind that the regime relates only to EU-US data transfers. In particular, consideration should be given to the transitional arrangements in the Privacy Shield. Companies should also be aware of the potential challenges to this regime (and related issues post-Brexit) as there is concern about the shelf life of the Privacy Shield.

For more information, please see the EU’s page here and the US’s page here.
