Google’s driverless car and privacy

June 3, 2014

Google and privacy.  Not a neat or natural fit, whether it is Google’s modus operandi or its devices, most recently Google Glass.  Now Google’s driverless car has tech heads excited and privacy practitioners worried. Again.  The Guardian in Google’s driverless cars are a boon for safety and climate, but not for privacy highlights the privacy issue, being the unremitting collection of data about individuals using the car.  It is no longer a means of transportation but a data collecting module whose data is invaluable for all manner of secondary purposes, to insurers, nosey employers and embittered or just curious spouses, not to mention advertisers and retailers.  A mass of data identifying where one travels, how fast one travels, where one stops and for how long can be used for the purpose of predictive analytics.  That can lead to inferences about someone’s behaviours and likely exposure to risk. Predictive analytics is just that, a form of prediction.  The accuracy can be questionable.  More importantly Read the rest of this entry »

Privacy Commissioner and estimates

June 2, 2014

Senate estimates are both a valuable part of the democratic process, holding governments accountable and reviewing expenditure, and good media fodder.  They can also be tedious.

The Legal and Constitutional Affairs Committee quizzed the Information Commissioner and the Privacy Commissioner on 29 May 2014.  The transcript is found here.  Noteworthy comments were:

Data Breach notification.

Senator SINGH: Professor McMillan, I want to ask about privacy alerts and whether you support the introduction of mandatory notification requirements for serious breaches of data.

CHAIR: Senator Singh, this might have to be your last question because I have four other senators and 15 minutes left. So could you make this your last question?

Prof. McMillan : Legislation was introduced into the parliament under the previous government for mandatory notifications.

Senator SINGH: Yes, I have now introduced a private member’s bill.

Prof. McMillan : It was called the privacy alerts bill. At the time the Office of the Australian Information Commissioner put out a statement saying that it supported the passage of that legislation. We have made no subsequent statement on the issue.

Senator SINGH: You obviously stand by that previous statement. Are you aware of what significant data breaches have occurred in the last few years?

Prof. McMillan : I will transfer that question to the Privacy Commissioner.

Mr Pilgrim : Yes, we are aware, obviously, of a number of major data breaches that have occurred over the last few years. Just to give you an idea, they will vary in severity and the number of people that have been impacted. For example, in the current year, 2013-14, we have become aware of Read the rest of this entry »

Poll shows that eight out of ten internet users want their search history to be kept private

May 30, 2014

The Guardian in Privacy call for internet browsing in the wake of Edward Snowden leaks reports on a poll commissioned by the Joseph Rowntree Reform Trust.  That internet users are concerned about their privacy is hardly new.  Privacy Commissioners have been undertaking surveys over the years that consistently highlight public concern about privacy.  This poll shows a heightened level of concern in Read the rest of this entry »

Agencies who have been warned about proper data security don’t necessarily get it if Wolverhampton Council is any guide

Proper data security policies, programs and protocols are not a one-off event.  Organisations and agencies change. They develop.  At minimum such changes should involve a privacy impact assessment.  Unfortunately some bodies, public and private, are frequent fliers when it comes to poor data handling practices and privacy protections.  One such agency was Wolverhampton City Council, which ignored or didn’t heed warnings about its practices.  That ultimately prompted the attention of the Information Commissioner’s Office and resulted in an enforcement notice.

The ICO’s press release (found here) provides:

The Information Commissioner’s Office (ICO) has ordered Wolverhampton City Council to provide adequate data protection training for its staff following a series of warnings dating back over two years.

The enforcement action follows Read the rest of this entry »

Technology companies in the USA want increased privacy protection

Consumers having confidence that their personal information, confidential communications and sensitive data are protected should be a given.  The revelations about the collection of metadata as well as specific data by government agencies (and data brokers) have caused disquiet among consumers, privacy specialists and, as importantly, technology companies.  Technology companies don’t want to be part of a data storage program against their will. This has been highlighted in the New York Times article Technology Companies Are Pressing Congress to Bolster Privacy Protections.

The article provides:

WASHINGTON — A law that allows the government to read email and cloud-stored data over six months old without a search warrant is under attack from technology companies, trade associations and lobbying groups, which are pressing Congress to tighten privacy protections. Federal investigators have used the law to view content hosted by third-party providers for civil and criminal lawsuits, in some cases without giving notice to the individual being investigated.

Nearly 30 years after Congress passed the law, the Electronic Communications Privacy Act, which government officials have interpreted to cover newer technologies, cloud computing companies are scrambling to reassure their customers, and some clients are taking their business to other countries.

Ben Young, the general counsel for Peer 1, a web hosting company based in Vancouver, British Columbia, said his customers were keeping their business out of the United States because the country “has a serious branding problem.”

“We’ve enjoyed a competitive advantage in Canada,” he said, “because the public perception in the business community is that American law enforcement has more access to data than in other parts of the world.”

Places such as Germany, Iceland and Switzerland are trading on a reputation of stronger protections for companies, but such safeguards are not universally tighter than those in the United States. “Some countries are stricter on privacy, and some of them are not,” said Mark Jaycox, a legislative analyst at the Electronic Frontier Foundation, a technology advocacy group.

Privacy has been an increasing concern since Read the rest of this entry »

Data breaches highlight the need for proper data security

The UK Information Commissioner has recently told the BBC that the reputational damage from a data breach can be far more significant than any penalty emanating from a regulator. And it is relevant to note that the Information Commissioner has the power to issue businesses with fines of up to £500,000 for serious breaches of the UK’s data protection legislation. He said:

“It’s our information, it needs to be protected and the brands that get it wrong will trash their reputation – that’s the real threat for the eBay’s and the Sony’s of this world” and  “.. the real hit is reputation, the real hit is the brand,”

He also said:

  • that both individuals and businesses are “not sufficiently alert to what is going on in the 21st century”.
  • “Cyber crime is real. Hacking is real. Watch out, there’s a data thief about…the personal information that is there online – practically everything we do, social, business, work, buying stuff, holidays – the data imprint is huge and none of us are taking this seriously enough. None of us are as good as we should we about passwords, [from] changing passwords regularly, [to setting] credible, hard passwords … and companies aren’t taking this seriously enough and they should be.”

That experience is all very true in Australia. The UK protections are more comprehensive and effective than those under the Privacy Act, but the Privacy Commissioner does now have enhanced powers to deal with breaches arising from inadequate security.  The general level of understanding among organisations of what proper privacy protection involves is poor.  With some notable exceptions, the level of sophistication of systems, training, protocols and policies is also quite poor. Part of that is due to Read the rest of this entry »

Identity theft to be outlawed in New Zealand, with privacy enhancements, but much more work required on identity theft in Australia

May 29, 2014

The New Zealand legislature will be outlawing identity theft, with major improvements in privacy regulation, according to Stuff.  That includes mandatory data breach notification legislation.

Identity theft is to be outlawed with a fine of up to $10,000 under an overhaul of privacy laws.

The Government is to Read the rest of this entry »

Student Loans Company in the UK enters into enforceable undertaking after data breaches

Enforceable undertakings are now an option available to the Privacy Commissioner as a result of his own motion investigation or in response to a complaint.  Those powers are found at section 33E of the Privacy Act 1988.  It provides:

33E  Commissioner may accept undertakings

(1)  The Commissioner may accept any of the following undertakings:

(a)  a written undertaking given by an entity that the entity will, in order to comply with this Act, take specified action;

(b)  a written undertaking given by an entity that the entity will, in order to comply with this Act, refrain from taking specified action;

(c)  a written undertaking given by an entity that the entity will take specified action directed towards ensuring that the entity does not do an act, or engage in a practice, in the future that interferes with the privacy of an individual.

(2)  The undertaking must be expressed to be an undertaking under this section.

(3)  The entity may withdraw or vary the undertaking at any time, but only with the consent of the Commissioner.

(4)  The Commissioner may, by written notice given to the entity, cancel the undertaking.

(5)  The Commissioner may publish the undertaking on the Commissioner’s website.

Enforceable undertakings have been a fixture of consumer protection proceedings at both the State and Federal levels in Australia. The Australian Securities and Investments Commission can accept undertakings under sections 93AA or 93A of the Australian Securities and Investments Commission Act 2001.  It is likely that the Federal Court will look to that body of cases relating to undertakings, and to enforcement action for breaches of enforceable undertakings, in the event of a breach of an enforceable undertaking under the Privacy Act 1988.  But it is important to note that privacy law, particularly that grounded in statute, is discrete and distinctive.  Many practitioners whose involvement in the area is sporadic (and some whose involvement is more) tend to cobble together principles from other areas of law onto privacy related matters.  That leads to strange arguments, not a few logical inconsistencies and the appearance, on a fairly regular basis, of a round legal argument being rammed into a statutory square hole.  A better way of approaching matters when looking for precedents is to look to how overseas regulators in the common law jurisdictions approach enforceable undertakings and take action for breaches or civil penalty proceedings, as well as to Australian precedent.  In particular Read the rest of this entry »

Australian Apple iDevices hacked, hijacked and receive old fashioned ransom demands

For an age Apple users have felt more than a little special, if not smug, as they watched desktop devices being hit by viruses sent by hackers and other ne’er-do-wells of the cyberspace world.  That has changed over time, with the feeling of invincibility giving way to a general sense of superiority: Apple devices may not be perfect, but they are not prone to wholesale hacking.

Based on two articles in the Sydney Morning Herald, Australian Apple iDevices hijacked, held to ransom and Apple device hijacking spreads to US as Aussies urged to change passwords, even that feeling of wellness may be misplaced.  Mac forums have been ablaze with commentary from less than enthused users (in My devices have been hacked. What do I do?).  This is a significant data breach.  It will be interesting to see if it is reported to the Privacy Commissioner.  Under the current law there is no mandatory requirement to report data breaches.  Needless to say the Privacy Commissioner would look, if he looks, at compliance with Australian Privacy Principle 11.

The phenomenon is best described in the Read the rest of this entry »

Victorian Privacy Commissioner adopts privacy by design as of 1 July 2014

The Acting Victorian Privacy Commissioner has announced that from 1 July 2014 Privacy Victoria will be adopting Privacy by Design.  It is a welcome development but one that is not all that revolutionary.  Privacy by Design was developed Read the rest of this entry »