Student Loan Company in the UK enters into enforceable undertaking after data breaches

May 29, 2014

Enforceable undertakings are now an option available to the Privacy Commissioner as a result of his own motion investigation or in response to a complaint. Those powers are found in section 33E of the Privacy Act 1988, which provides:

33E Commissioner may accept undertakings

(1) The Commissioner may accept any of the following undertakings:

    (a) a written undertaking given by an entity that the entity will, in order to comply with this Act, take specified action;

    (b) a written undertaking given by an entity that the entity will, in order to comply with this Act, refrain from taking specified action;

    (c) a written undertaking given by an entity that the entity will take specified action directed towards ensuring that the entity does not do an act, or engage in a practice, in the future that interferes with the privacy of an individual.

(2) The undertaking must be expressed to be an undertaking under this section.

(3) The entity may withdraw or vary the undertaking at any time, but only with the consent of the Commissioner.

(4) The Commissioner may, by written notice given to the entity, cancel the undertaking.

(5) The Commissioner may publish the undertaking on the Commissioner’s website.

Enforceable undertakings have been a fixture of consumer protection proceedings at both the State and Federal levels in Australia. The Australian Securities & Investments Commission can accept undertakings under sections 93AA or 93A of the Australian Securities and Investments Commission Act 2001. It is likely that, in the event of a breach of an enforceable undertaking under the Privacy Act 1988, the Federal Court will look to that body of cases relating to undertakings and to enforcement action for breaches of them. But it is important to note that privacy law, particularly that grounded in statute, is discrete and distinctive. Many practitioners whose involvement in the area is sporadic (and some whose involvement is more regular) tend to cobble together principles from other areas of law and apply them to privacy related matters. That leads to strange arguments, not a few logical inconsistencies and, on a fairly regular basis, the appearance of a round legal argument being rammed into a statutory square hole. A better way of approaching matters when looking for precedents is to look, as well as to Australian precedent, to how overseas regulators in common law jurisdictions approach enforceable undertakings and take action for breaches or bring civil penalty proceedings. In particular …

Australian Apple iDevices hacked, hijacked and receive old fashioned ransom demands

For an age Apple users have felt more than a little special, if not smug, as they watched desktop devices being hit by viruses sent by hackers and other ne’er-do-wells of the cyberspace world. That has changed over time, with the feeling of invincibility giving way to a general sense of superiority: Apple devices may not be perfect but they are not prone to wholesale hacking.

Based on two articles in the Sydney Morning Herald, Australian Apple iDevices hijacked, held to ransom and Apple device hijacking spreads to US as Aussies urged to change passwords, even that feeling of wellness may be misplaced. Mac forums have been ablaze with commentary from less than enthused users (in My devices have been hacked. What do I do?). This is a significant data breach. It will be interesting to see if it is reported to the Privacy Commissioner. Under the current law there is no mandatory requirement to report data breaches. Needless to say the Privacy Commissioner would look, if he looks, at compliance with Australian Privacy Principle 11.

The phenomenon is best described in the …

Victorian Privacy Commissioner adopts privacy by design as of 1 July 2014

The Acting Victorian Privacy Commissioner has announced that from 1 July 2014 Privacy Victoria will be adopting Privacy by Design. It is a welcome development but one that is not all that revolutionary. Privacy by Design was developed …

Federal Trade Commission releases groundbreaking report on data brokers in the USA which raises significant privacy issues

May 28, 2014

The Federal Trade Commission (the “FTC”) is the primary Federal agency in the USA regulating privacy and dealing with breaches. It is a misnomer to say that there is no privacy protection in the USA. It is, however, regulated more sectorally, and privacy is weighed against other rights and interests. The distinction between the USA’s approach to privacy protection, in particular of personal information, and that of the European Union is set out in Reconciling Personal Information in the United States and European Union by Daniel Solove, a privacy expert in academe, and Paul Schwartz. The Australian regulation of privacy is more consistent with the European model and legislation; however, the Privacy Act 1988 has significant weaknesses and as such the extent of privacy protection is less effective than in EU countries.

Yesterday the FTC released a groundbreaking report, Data Brokers: A Call for Transparency and Accountability, regarding the operations of and, more importantly, problems with data brokers. It exposes significant problems with transparency and fairness in the way many businesses collect, use and disclose personal information.

The press release neatly summarises the issues and the need for Federal Legislation to properly regulate the industry.  It provides:

In a report issued today on the data broker industry, the Federal Trade Commission finds that data brokers operate with a fundamental lack of transparency. The Commission recommends that Congress consider enacting legislation to make data broker practices more visible to consumers and to give consumers greater control over the immense amounts of personal information about them collected and shared by data brokers.

The report, “Data Brokers: A Call for Transparency and Accountability” is the result of a study of nine data brokers, representing a cross-section of the industry, undertaken by the FTC to shed light on the data broker industry. Data brokers obtain and share vast amounts of consumer information, typically behind the scenes, without consumer knowledge. Data brokers sell this information for marketing campaigns and fraud prevention, among other purposes. Although consumers benefit from data broker practices which, for example, help enable consumers to find and enjoy the products and services they prefer, data broker practices also raise privacy concerns.

“The extent of consumer profiling today means that data brokers often know as much – or even more – about …

Duchess of Cambridge’s privacy again interfered with by paparazzi

The Age, in The Duchess of Cambridge in another privacy scandal, reports on the German magazine Bild publishing an embarrassing photograph of the Duchess of Kent. The Duchess has been the subject of long lens photography for a while now. Some photographs have clearly been the result of a deliberate attempt to get her picture in a moment when she and everyone else would know she had a reasonable expectation of privacy. The most notorious incident was her being photographed at a private resort in France in 2012 (recounted below). Facts are always critical in determining what is or is not private and what expectation of privacy is reasonable. A fashion malfunction, to use the euphemism, in a relatively public place is not the same as being …

Drones investigation by the Guardian – part one

The Guardian has kept up a fairly consistent interest in privacy issues. Little wonder given it was involved in releasing much of the material leaked by Snowden, he who went from a low/mid level employee of the NSA to the biggest whistleblower of the current century. The Guardian, in Drones investigation: keeping up with the droneses, part one – video, has produced a video of 4 minutes or so on drones. Topical and quite informative. It doesn’t add anything to the coverage to date but it is a very interesting synopsis, in particular of the privacy implications.


Hacking of eBay site results in massive privacy breach

May 22, 2014

The internet interface with an organisation’s data, whether within the organisation or in the cloud, is always a potential target for hackers. For those whose business is largely or exclusively online and who hold significant amounts of customers’ personal information, the consequences of a data breach in the form of a hacking attack can be immense, both reputationally and financially. eBay suffered damage to at least the former and probably the latter. The unauthorised access to customers’ data occurred in the late February to early March period, around 3 months ago. There will be questions about the delay in notifying its clients of this breach. In the USA there is no mandatory Federal data breach notification law, although most states have such laws in place. In Australia there is no mandatory data breach notification law, although there should be. In the last sitting week of the last Parliament such a Bill came very close to being read a second time in the Senate and passed; however, the Bill lapsed when Parliament was prorogued.

In the context of Australian Privacy Law a significant hacking attack does not, of itself, result in a breach of the Australian Privacy Principles. That is clear from the guidelines. That said, if …

The privacy dangers of fitness tracking

May 20, 2014

Fitbits, pedometers and other fitness tracking devices in wearable wristbands, phone apps and other devices are becoming a regular feature of the keen, the fit and a few of the tragics. What they all do is collect, analyse and disseminate data. The level of sophistication has improved markedly over time, as has the audience for that data. The more sensitive the data going to third parties, the greater the potential for serious privacy intrusions. The Washington Post, in Privacy advocates warn of ‘nightmare’ scenario as tech giants consider fitness tracking, raises the severe privacy problems posed by fitness apps and the data they generate.

Data about heart rate, weight and whatever details are keyed in by the user is personal information if it can be tied to an identified person.  It is probably sensitive information for the purpose of the Privacy Act.  Third parties having access to that data is a very serious issue.

The article provides:

Fitness tracking apps and devices have gone from an early adopter novelty to a staple of many users’ exercise routines during the past few years — helping users set goals and measure progress over time. Some employers even offer incentives, including insurance discounts, when workers sign up.

“There’s been a tremendous amount of evolution in the app space, both generally and in the fitness app,” since she joined the Federal Trade Commission six years ago, Senior Staff Attorney Cora Han acknowledges. “It’s a completely different landscape.”

But as several major tech companies appear poised to disrupt that landscape, privacy advocates warn …

LifeLock Wallet, a company whose business is to provide services to protect customers from identity thieves, withdraws its app because it is not secure enough. Ouch!

LifeLock’s homepage says it all: “Protecting Your Identity in an Always-Connected World. Comprehensive identity theft protection from LifeLock helps safeguard your finances, credit and good name. In today’s always-connected world, that’s more important than ever.” The core of its business is data security.

In a post of 16 May LifeLock’s CEO explained that LifeLock’s mobile app is not secure. Technically, it is not compliant with the payment card industry security standards. The potential for a data breach was too great a threat to tolerate. Accordingly the apps have been withdrawn and user data deleted.

It is a salient example of why businesses must take as much care in developing their mobile apps as they do with any other aspect of their data security architecture. If anything the care should be greater, given the additional threats to data on mobile devices, such as interception across unsecured wi-fi networks.

In the Australian context a business, particularly a large operation whose core activity is data storage and protection, failing to comply with minimum industry standards relating to security would run the risk of breaching APP 11 at a minimum.

The post provides:

One thing I’ve learned in business and, for that matter, life is the importance of authenticity and transparency.

With that in mind, I want to make you aware of an issue that we identified related to our recently acquired LifeLock Wallet application. We have determined that certain aspects of the mobile app may not be fully compliant with payment card industry (PCI) security standards. 

For that reason, we are removing the LifeLock Wallet application from the App Store, Amazon Apps, and Google Play, and when users open the LifeLock Wallet, their information will be deleted …

Mobile Data sweeps worldwide

May 19, 2014

Privacy regulators have undertaken a review of mobile apps. And not before time. While mobile apps are becoming a necessary part of marketing a business, accessing services and collecting data for business, they are also an easy highway into personal data for those whose motives are less than pure. App developers are often the weak link in data security.

The French Data Protection Authority reviewed 100 mobile apps during an internet sweep. This was part of a global enforcement sweep which was announced on May 6 (found here) and which provides:

OTTAWA, May 6, 2014 — The exploding popularity of mobile applications is raising a number of privacy concerns, prompting the Global Privacy Enforcement Network (GPEN) to focus its 2014 international Privacy Sweep on mobile apps.

The Sweep from May 12 to 18, 2014, involving 27 privacy enforcement authorities from around the world, is aimed at shedding light on the collection and use of personal information on mobile apps.

“The number of mobile applications offered to consumers is growing at an astonishing rate and many of them collect a great deal of personal information,” says Chantal Bernier, Interim Privacy Commissioner of Canada. 

“It is important that consumers have …