Review of the Privacy Act 1988 (Cth)
On 12 December 2019, the Attorney-General announced that the Australian Government would conduct a review of the Privacy Act to ensure privacy settings empower consumers, protect their data and best serve the Australian economy. On Friday 30 October, the Attorney-General’s Department released its terms of reference and timeline for the review, along with an Issues Paper. The review will consider:
- The scope and application of the Privacy Act, including what is "personal information";
- Whether the Privacy Act effectively protects personal information and provides a practical and proportionate framework for promoting good privacy practices;
- Whether individuals should have direct rights of action to enforce privacy obligations under the Privacy Act;
- Whether a statutory tort for serious invasions of privacy should be introduced into Australian law;
- The impact of the notifiable data breach scheme and its effectiveness in meeting its objectives;
- The effectiveness of enforcement powers and mechanisms under the Privacy Act and the interaction with other Commonwealth regulatory frameworks; and
- The desirability and feasibility of an independent certification scheme to monitor and demonstrate compliance with Australian privacy laws.
Learn more: Australian privacy law reforms – what you need to know
National Institute of Standards and Technology (NIST) Cybersecurity Report
In October, the NIST (a part of the US Department of Commerce) released a report, "Integrating Cybersecurity and Enterprise Risk Management (ERM)" that addresses cybersecurity risk management in the face of the increasing frequency, creativity, and severity of cybersecurity attacks.
The report is intended to assist risk managers to better understand and practice cybersecurity risk management within their ERM programs. It identifies that most businesses do not communicate their cybersecurity risks in consistent, repeatable ways and that methods such as quantifying risk in dollars and aggregating cybersecurity risks are not performed with the same rigour as methods for other types of risk.
The NIST propose that, through the use of a risk register, enterprises can better identify, assess, communicate, and manage their cybersecurity risks in the context of their stated mission and business objectives using language already familiar to senior leaders. This will improve the quality of the risk information provided to their ERM programs and support enterprise-level decision-making.
Cyberattack strikes Isentia
On Tuesday 27 October, Isentia, a media-monitoring and analytics firm used by the Federal Government, notified the Australian Stock Exchange that it was "urgently investigating a cybersecurity incident” that was “disrupting services” involving its media portal. The Guardian reports the incident was a ransomware attack, meaning Isentia's systems are encrypted and an attacker will only release it once money is paid. Isentia's media monitoring work requires clients to give it information on sensitive topics to properly brief it on what to look for in the media. Isentia's Australian clients include “most government departments and large corporations”. It is not known whether this information provided by its clients has been compromised and clients have been told they will be formally notified at the end of Isentia’s investigation how they have been impacted.
Data Availability and Transparency Bill 2020
On Monday 14 September, the Office of the National Data Commissioner released an exposure draft of the Data Availability and Transparency Bill 2020 (DATB) for public comment, with submissions closing on 6 November 2020. The DATB enables a foundational change for government services, letting consumers advise government just once of their details, allowing application fields to be pre-filled and offering more relevant and personalised services to citizens. On 6 September, a Privacy Impact Assessment was published by Information Integrity Solutions (engaged by the ONDC), which concluded that although the privacy risks in the scheme are "potentially high", a layered approach mitigated most of this risk.
The PIA noted that the privacy risks for individuals could include mishandling of personal information (i.e. data breaches or re-identification), loss of control (ie. individuals don’t know how their information is used) or personal information is used in ways that are unexpected, unwelcome, disadvantageous, or harmful.
However, a range of "defences" mitigate most of the risk, including:
- Participants must be accredited and data can only be shared with Accredited Users;
- Participant entities must maintain privacy law coverage;
- Data may only be shared for delivery of government services, government policy and programs, and research and development. Enforcement related purposes, including compliance, law enforcement and national security, are excluded;
- Data sharing is not mandatory – the draft DATB would give Data Custodians the authority to share and the obligation to first make sure data sharing is safe;
- Data sharing must be governed by detailed, publicly available Data Sharing Agreements specifying the purpose for sharing data and must address the five Data Sharing Principles; and
- There is regulatory oversight by the National Data Commissioner, who will have a range of powers and the ability to seek civil and criminal penalties where data sharing fails to comply with the draft DATB.
OAIC Annual Report 2019-2020
On Thursday 15 October, the Office of Australian Information Commissioner (OAIC) released its 2019-20 annual report, which among other things highlighted OAIC performance in relation to the Notifiable Data Breach scheme.
In relation to the Notifiable Data Breach scheme, OAIC received 1,050 notifications in 2019-20, which is an 11% increase from the previous year. The OAIC failed to achieve their target of finalising 80% of the notifications within 60 days, only managing to finalise 62% within the timeframe. The average time taken to finalise an NDB was 77 days.
EU rules on intersection of data retention and criminal proceedings
On Tuesday 6 October, the Court of Justice of the European Union (CJEU) published a press release in relation to the decisions in Case C-623/17 (the UK Case) and the joined cases C-511/18, C-512/18 and C-520/18 (the French and Belgian Case). The ruling may have an effect on any criminal proceedings where evidence was obtained by means of indiscriminate data retention in breach of EU law. The ECJ noted that EU law requires national criminal courts to disregard information and evidence obtained by means of the general and indiscriminate retention of traffic and location data in breach of EU law, in the context of such criminal proceedings, where those persons suspected of having committed criminal offences are not in a position to comment effectively on that information and evidence.
Background and issue
Under Directive 2002/58/EC, metadata may be kept by electronic communications service providers (ECSPs) to provide value add services and for security purposes. Once the metadata is no longer necessary for these purposes, ECSPs must delete it or make it anonymous. Derogations are permitted for national security or detection of crime purposes if they are necessary, appropriate and proportionate. These cases concerned the lawfulness of legislation adopted by the UK, France and Belgium, which gave rise to an obligation for ECSPs to transmit or retain users' traffic data and location data in a general or indiscriminate way.
Decision
The CJEU confirmed that EU law precludes national legislation requiring an ECSP to carry out the general and indiscriminate transmission or retention of traffic data and location data for the purpose of combating crime or safeguarding national security, subject to specific exceptions.
When a member state is facing a serious threat to national security, legislation requiring the general and indiscriminate retention of that data is permitted if the following conditions are satisfied:
- the threat to national security is genuine and present or foreseeable;
- the retention of data is limited in time to what is strictly necessary, but can be extended if the threat persists; and
- the legislation must be subject to effective review either by a court or by an independent administrative body whose decision is binding, in order to verify that the threat exists and that the conditions and safeguards laid down are observed.
The CJEU also clarified that the following measures are permitted by EU law (subject to specific restrictions): the targeted retention of traffic and location data, ie. categories of persons or using a geographical criterion; general and indiscriminate retention of IP addresses assigned to the source of a communication; general and indiscriminate retention of data relating to the civil identity of users of means of electronic communication; and expedited retention of data available to service providers.
ICYMI: Privacy implications for COVID-safe use of QR codes
Using a QR code for COVID-safe check-in to your business premises? Five tips for staying privacy safe, too. The Privacy Act continues to control how, when and why you can collect personal information, even in a pandemic.