Developments in Australian Privacy Law and Responses to Data Flows

Zach McLoughlin examines contemporary developments in Australian privacy law in the wake of high-profile data breaches and the ‘vibrating’ Internet of things.

Matthew Robson
The Full Bench
May 5, 2018

This piece was originally included in the first 2016 edition of The Full Bench: Do Lawyers Dream of Electric Sheep. To view the magazine, please visit https://issuu.com/utslawstudentssociety/docs/2016_the_full_bench_ed_1

There are few words which evoke scandalous thoughts to the same degree as the phrase ‘data breach’.

One of the most well-known cases, the Ashley Madison data breach of 2015, saw a hacking group threaten to publish the usernames, passwords, credit card information, and addresses of all 37 million users of the extramarital dating site. The hackers demanded that the site be shut down permanently. However, the data hostage crisis took a dramatic turn after the site’s owners refused this demand, ultimately leading to a $578 million class action from the users who had previously paid for the ‘permanent deletion’ of their personal information, at least two suicides linked to the breach, and a $500,000 reward posted by Ashley Madison for information leading to the arrest of the hackers.

More recently, US remote control vibrator company We-Vibe settled a class action lawsuit for US$3.75 million after it was discovered that the company was collecting and storing information about its customers’ ‘usage patterns’. The data vulnerable to access included the text chat logs and ‘custom vibes’ created by users, and the exposure extended to the capacity for an eavesdropper to seize control of the device through the vibrator’s linked app. Aside from the criminal ramifications of what could potentially constitute a sexual assault, the incredibly intimate nature of the communications is clearly beyond any cognisable interest of the manufacturer.

These controversies conform to the great tradition of companies who collect, store, process, and in some cases sell data about users in a way which is completely out of step with community standards and expectations. So what is being done to regulate the retention of online data?

First, some background.

If you, like me, are one to leave items in your cart while shopping online, then you have no doubt noticed the ads of online retailers populating your Facebook feed or other screen real estate after having left their site. Sometimes this retention mechanism uses cookies, other times your IP address is stored on the server alongside your purchase, but one thing remains — this company knows who you are and what you like. If you save your details, make a purchase, or have a profile, then that retailer might also have your address, your name, and your order history.

Enter, personal data.

For most of us, the retention of personal data is a convenience. The data is held by the company and is (quite innocuously) used for a marketing purpose, but this hasn’t always been the case with the use of personal information about individuals. The internment of Japanese Americans during World War II was only possible due to the co-operation of the Census Bureau in surrendering the ancestry information of American citizens, and it would be remiss to leave unmentioned the consequences of race disclosure during the same period in continental Europe. In this sense, information can be either relevant for a specified purpose (think of advertising) or sensitive information about a person’s identity (race, religion, political affiliation etc.).

Naturally, the response to developing technologies and the rise of automated information indexing has varied depending on each region’s privacy culture and historical experience; however, the increasingly global activities of e-commerce are placing many businesses within the jurisdiction of multiple data directives.

European regulations around personal data have evolved to contain explicit protections for the processing of data involving political affiliation, ethnic origin, and other beliefs which may render an individual subject to political discrimination. Other general protections of privacy fall within a human rights framework, where privacy is assumed and the state carries a general capacity to regulate private organisations that deal with European citizens’ data, regardless of their location.

Regulations in the United States — where such protections are sorely needed given the extent of automatic data processing — are incredibly decentralised and, with the exception of California, severely lacking. While a constitutional right to privacy has been recognised in some case law, this right only protects against state actors, leaving the remainder of data disputes to be protected through the traditional privacy tort framework and through the ‘sectoral approach’ to data regulation, which combines private sector self-regulation with specific, reactive legislation about particular industries.

The Australian framework is slightly more restrictive, with the Australian Privacy Principles requiring Australian ‘APP Entities’ (pretty much everyone except ‘small businesses’) to collect only data which is required for that entity’s function, and to disclose where that data might be sent overseas or to another organisation. Additional protections on ‘sensitive information’, in line with the European model, further restrict the collection of, inter alia, the political, religious, and medical records of individuals.

Complications then arise where a US-based company, let’s say Facebook, analyses your activity on the Sydney Bartender Exchange discussion group, and shows you sponsored ads for a Keep Sydney Open protest. Is that a political opinion, or is that because of your employment status as a bartender? What happens if an eavesdropper intercepts and copies this data without discovery for several years?

The capacity of regulators to enforce the strict delineation of sensitive and regular data remains to be seen, and further legislative difficulties presented by the attribution problem in digital crime are leading to an intensely pragmatic regulatory response.

This response is to police the data hosts, to stem the distribution of personal data, and to commence the remediation of harm as early as possible. Recent amendments to the Commonwealth Privacy Act pertaining to mandatory data breach notification are likely only the start of a long line of policy changes where the onus is shifted onto the data host to protect users from threats to their personal data and, in cases where it cannot protect them, to notify users of those threats, rather than to deregulate the market and prosecute the eavesdroppers themselves.

At the time of writing, proposed amendments are being debated in the Senate regarding the criminalisation of the re-identification of de-identified data. These amendments are unlikely to be successful unless the capacity of law enforcement to deter individuals from maliciously procuring personal data can be proven, either through re-identification of public datasets or through unauthorised access to private storage — in either case an unlikely scenario.

In summation, the malicious procurement of data protected by the above legal instruments is an increasing concern, as the retention of personal data is becoming more crucial to the strategy and operations of many businesses, especially those operating online. The regulatory environment is likely to be shaped by an increasing onus on data collectors to protect information, rather than an allocation of resources to assist with the prevention of personal information’s malicious procurement, and, in the case of de-identified data sets, on the development of de-identification techniques in the pursuit of pseudonymity, as cyber attackers are inherently difficult to prosecute.

We are also likely to see the emergence of very harsh penalties for non-compliance, and the tendency for early offenders to ‘be made an example of’ as lawmakers try to hide the fact that their bark is louder than their bite.

A word to the wise: make sure your business has adequate privacy safeguards, and as always, Cave Canem.
