2016: The year of privacy?
Originally Published by Andrew Sharpe and Ahrani Ranjitkumar on Tuesday, April 26, 2016 4:33:08 PM
Cyber-attacks are designed to obtain unauthorised access to an information system, often resulting in the unauthorised release of that information. Such action is a common example of a 'data breach'[1] by that 'victim' business.
Data breaches are costly to Australian businesses, having resulted in $0.66m in losses in 2010 (measured against customer turnover, reputational losses and diminished goodwill).[2] This figure increased to $0.89m in 2015.[3] Globally, cyber-attacks are perceived by businesses to be the seventh greatest risk[4] and are ranked as the second greatest risk for Sydney and Melbourne.[5]
In reaction to the prevalence of cyber-attacks in Australia, the Government has implemented various systems, which we predict will see 2016 as a benchmark year for the evolution of privacy law.
Our three top predictions for privacy law in 2016 are:
While Australia has essentially mirrored the US in respect of regulatory bodies and frameworks to work under, it diverges from the US in respect of legislation in response to data breaches and resulting privacy concerns.
Australian Privacy Principles
Privacy law in Australia is governed by the Australian Privacy Principles (APP), a set of broad principles governing the collection, management, use, security and disclosure of personal information. These principles have direct relevance and application to data breaches.
The APP are augmented by a series of regulatory Guides published by the Office of the Australian Information Commissioner (OAIC). In 2008 the OAIC, in recognition of the global trends relating to data breach notification published its guide entitled ‘Data breach notification guide: A guide to handling personal information security breaches’ which was most recently updated in August 2014[6] (OAIC Data Breach Guide).
The metadata retention scheme
In October 2015, a new metadata retention scheme was introduced by way of amendments to the Telecommunications (Interception and Access) Act 1979 (Cth) (the TIAA). For the purpose of combating terrorism, espionage and cyber-attacks, the scheme requires telecommunication carriers and internet service providers to retain (for two years) metadata that outlines details of communications, such as account holder details, sources from which the communication comes from, duration, location and type of the communication. Contents of communications need not be retained. In order to protect the privacy of individuals, section 187BA of the TIAA requires stored metadata to be encrypted and protected against unauthorised interference or access.
Serious data breach notifications
On 4 December 2015, the Government released for consultation its Discussion Paper and Exposure Draft relating to the Privacy Amendment (Notification of Serious Data Breaches) Bill 2015 (Serious Data Breach Bill). The Serious Data Breach Bill imposes an obligation on entities governed by it (being those currently bound to the Privacy Act including most government agencies and businesses with a turnover of over $3million) to report 'serious data breaches' that involves personal customer information in their control.
Under the Serious Data Breach Bill, a 'serious data breach' occurs if certain personal information held by the entity is subject to unauthorised access or disclosure or alternatively lost, and disclosure of such information would put an individual at 'real risk of serious harm'. What exactly amounts to 'real risk' is subjective (in that it is not a risk that is remote) and takes into consideration, amongst other things, the sensitivity of the disclosed information, any security measures attaching to that information and the type of security measures in place (for example if the information was encrypted). 'Harm' includes physical, psychological, emotional, reputational, economic and financial harm.
The Serious Data Breach Bill requires entities to notify the Australian Information Commissioner (Commissioner) and affected customers 'as soon as practicable' if there are reasonable grounds to believe (or a person ought to have believed) a serious data breach has occurred. This will likely raise concerns as to whether the data has been sufficiently cleansed of content in accordance with the TIAA, prior to handing it over to the Commissioner if required.
Specifically, the notification to the Commissioner must include:
Any failure to comply with the Serious Data Breach Bill would fall within the existing civil penalties framework of the Privacy Act and could result in the Commissioner applying to the Federal Court to impose such penalties.
The US’s position
In comparison, the US has introduced draft federal legislation namely, the Personal Data Notification & Protection Act (US Bill), which seeks to replace existing state-based laws. If passed, the US Bill will apply to a niche of businesses that handle 'sensitive personally identifiable information' (as defined) for more than 10,000 persons per year.
The US Bill provides that if a business experiences a 'security breach', it must notify individuals affected by the breach within 30 days unless:
The US Bill has a narrower scope than its Australian counterpart in that it applies to a certain group of businesses that meets its threshold (notably excluding government agencies), and is more discretionary as it allows businesses to subjectively consider whether they believe that breach ought to be notified to the affected individual(s), creating a lower notification threshold. The US Bill, which has been sitting with the Constitution and Civil Justice subcommittee since April 2015, does not call for intervention by a Government body/representative.
Beyond the Serious Data Breach Bill
The Serious Data Breach Bill, together with the APP, provide a solid foundation for the development of a dynamic data breach notification system. Once the Serious Data Breach Bill takes effect, there will be a need to tailor its operation, and inter-related APP compliance, to the circumstances of key industries/sectors.
The following issues/trends are likely to emerge:
A new cause of action?
The Commissioner has the powers to investigate a breach of privacy complaint put forward by an individual. However, the Commissioner’s powers are limited to making determinations and enforcing civil penalties. While the APP endeavour to protect the interests of Australian residents, it has limited application; applying only to ‘APP entities’.
While the equitable action for breach of confidence provides a potential avenue of recourse to protect individuals from the unauthorised disclosure of confidential information, there is still some uncertainty in Australia as to its sufficiency to address all breach scenarios and the form and extent of remedy available.
The Australian Law Reform Commission in its report regarding the Serious Invasions of Privacy in the Digital Era[11] (ALRC Report), concluded that there was a strong argument for addressing the uncertainty around the existing laws protecting individuals from serious incursions upon their privacy.
In particular, it noted that the current laws providing for affected individuals to obtain monetary compensation, including in respect of emotional distress, were not fully developed. The ALRC Report recommended that Australia introduce new torts of:
It proposes various thresholds to establish the breach of privacy as well as possible defences to such breaches.
Tort of ‘intrusion upon seclusion’
In Canada, the courts have used the incremental development of the common law to recognise the tort of ‘intrusion upon seclusion’. This is a privacy tort concerning an intrusion by a person into the private affairs/concerns of another person that would be offensive to a reasonable person.
The tort was first recognised by the Ontario Court of Appeal in 2012 in the judgment in Jones v Tsige[12]. The Court held that the relevant Ontario privacy legislation[13], which did not apply to breach of privacy laws by individuals during the course of non-commercial activities, was not exhaustive and that the plaintiff was entitled to assert a common law claim for the tort of ‘intrusion upon seclusion’.
The Canadian tort appears to resemble the US tort of the same name which has been expressly cited in US cases and is defined as:
"One who intentionally intrudes, physically or otherwise, upon the solitude or seclusion of another or his private affairs or concerns, is subject to liability to the other for invasion of his privacy, if the intrusion would be highly offensive to a reasonable person.”[14]
Condon & Ors v Canada[15], a class-action currently before the Canadian courts, is likely to shed further light upon the operation of the tort of ‘intrusion upon seclusion’ and, perhaps, provide a blueprint for the development of the common law in other countries such as Australia.
Given the lack of clarity in current Australian laws as to the extent to which individuals have an available cause of action which would permit them to obtain monetary compensation (including in respect of emotional distress), there is a risk that Australian rights may be falling dangerously behind those available in other jurisdictions.
The introduction of a tort of ‘intrusion upon seclusion’ is one recommendation which has been made in the ALRC Report to address this deficiency. The other alternative is to allow the further judicial development of the common law to recognise such torts.[16]
[1] Office of the Australian Information Commissioner, Data breach notification - a guide to handling personal information security breaches (August 2014) <http://bit.ly/1XVFk9h>
[2] Ponemon Institute 2015 Cost of Data Breach Study: Global (May 2015) <http://ibm.co/1FStqBu>
[3] Ibid.
[4] Cambridge Centre for Risk Studies, University of Cambridge Judge Business School, Lloyd's City Risk Index 2015 - 2025 (15 February 2016) Lloyd's <http://www.lloyds.com/cityriskindex/threats/cyber_attack>
[5] Ibid, <http://www.lloyds.com/cityriskindex/locations/city/sydney>; <http://www.lloyds.com/cityriskindex/locations/city/melbourne>
[6] Office of the Australian Information Commissioner, above n1.
[7] Denise E Zheng & James A. Lewis, Cyber Threat Information Sharing: Recommendations for Congress and the Administration (March 2015) Center for Strategic & International Studies http://csis.org/files/publication/150310_cyberthreatinfosharing.pdf
[8] Ibid.
[9] Ibid.
[10] Office of the Australian Information Commissioner, above n1, page 13.
[11] Australian Law Reform Commission, Serious Invasions of Privacy in the Digital Era, Report 123 (2014).
[12] Jones v Tsige, 2012 ONCA 32 an action brought by the plaintiff against a bank employee for the unauthorised access and review of the plaintiff’s financial information, which the employee did for personal reasons.
[13] Personal Information Protection and Electronic Documents Act, S.C. 2000, c.5.
[14] Section 652B of the US Restatement of the Law Second, Torts.
[15] 2014 FC 250. The substantive class action is in progress.
[16] The High Court has left open the possibility of such development in Australian Broadcasting Corporation v Lenah Game Meats Pty Ltd (2001) 208 CLR 199 per Gummow and Hayne JJ with whom Gaudron J agreed at [110], [132]; see further discussion in the ALRC Report op cit.
Data breaches are costly to Australian businesses, having resulted in $0.66m in losses in 2010 (measured against customer turnover, reputational losses and diminished goodwill).[2] This figure increased to $0.89m in 2015.[3] Globally, cyber-attacks are perceived by businesses to be the seventh greatest risk[4] and are ranked as the second greatest risk for Sydney and Melbourne.[5]
In reaction to the prevalence of cyber-attacks in Australia, the Government has implemented various systems, which we predict will see 2016 as a benchmark year for the evolution of privacy law.
What's in store?
Our three top predictions for privacy law in 2016 are:
- Mandatory data breach notification laws will come into existence and will meet the Government's preliminary needs in respect of understanding the types and nature of threats faced by its population.
- Policy decisions will be made in relation to the form and detail of the information required to be notified. It is likely that this will further develop over time by way of amendments, regulations, guidelines and/or industry codes with a view to better capture industry/sector specific information.
- A new cause of action will come into existence, allowing individuals to sue for damages stemming from the breach of their right to privacy. This will likely be modelled off similar developments in the US and Canada whose courts have developed the tort of 'intrusion upon seclusion'. It will see an increase of class actions in response to a cyber-attack.
Australia’s privacy landscape
While Australia has essentially mirrored the US in respect of regulatory bodies and frameworks to work under, it diverges from the US in respect of legislation in response to data breaches and resulting privacy concerns.
Australian Privacy Principles
Privacy law in Australia is governed by the Australian Privacy Principles (APP), a set of broad principles governing the collection, management, use, security and disclosure of personal information. These principles have direct relevance and application to data breaches.
The APP are augmented by a series of regulatory Guides published by the Office of the Australian Information Commissioner (OAIC). In 2008 the OAIC, in recognition of the global trends relating to data breach notification published its guide entitled ‘Data breach notification guide: A guide to handling personal information security breaches’ which was most recently updated in August 2014[6] (OAIC Data Breach Guide).
The metadata retention scheme
In October 2015, a new metadata retention scheme was introduced by way of amendments to the Telecommunications (Interception and Access) Act 1979 (Cth) (the TIAA). For the purpose of combating terrorism, espionage and cyber-attacks, the scheme requires telecommunication carriers and internet service providers to retain (for two years) metadata that outlines details of communications, such as account holder details, sources from which the communication comes from, duration, location and type of the communication. Contents of communications need not be retained. In order to protect the privacy of individuals, section 187BA of the TIAA requires stored metadata to be encrypted and protected against unauthorised interference or access.
Serious data breach notifications
On 4 December 2015, the Government released for consultation its Discussion Paper and Exposure Draft relating to the Privacy Amendment (Notification of Serious Data Breaches) Bill 2015 (Serious Data Breach Bill). The Serious Data Breach Bill imposes an obligation on entities governed by it (being those currently bound to the Privacy Act including most government agencies and businesses with a turnover of over $3million) to report 'serious data breaches' that involves personal customer information in their control.
Under the Serious Data Breach Bill, a 'serious data breach' occurs if certain personal information held by the entity is subject to unauthorised access or disclosure or alternatively lost, and disclosure of such information would put an individual at 'real risk of serious harm'. What exactly amounts to 'real risk' is subjective (in that it is not a risk that is remote) and takes into consideration, amongst other things, the sensitivity of the disclosed information, any security measures attaching to that information and the type of security measures in place (for example if the information was encrypted). 'Harm' includes physical, psychological, emotional, reputational, economic and financial harm.
The Serious Data Breach Bill requires entities to notify the Australian Information Commissioner (Commissioner) and affected customers 'as soon as practicable' if there are reasonable grounds to believe (or a person ought to have believed) a serious data breach has occurred. This will likely raise concerns as to whether the data has been sufficiently cleansed of content in accordance with the TIAA, prior to handing it over to the Commissioner if required.
Specifically, the notification to the Commissioner must include:
- a description of the serious data breach;
- the kind(s) of information concerned; and
- recommendations about the steps that customers should take in response to the data breach.
Any failure to comply with the Serious Data Breach Bill would fall within the existing civil penalties framework of the Privacy Act and could result in the Commissioner applying to the Federal Court to impose such penalties.
The US’s position
In comparison, the US has introduced draft federal legislation namely, the Personal Data Notification & Protection Act (US Bill), which seeks to replace existing state-based laws. If passed, the US Bill will apply to a niche of businesses that handle 'sensitive personally identifiable information' (as defined) for more than 10,000 persons per year.
The US Bill provides that if a business experiences a 'security breach', it must notify individuals affected by the breach within 30 days unless:
- there is no reasonable risk of harm or fraud; or
- the information is adequately encrypted.
The US Bill has a narrower scope than its Australian counterpart in that it applies to a certain group of businesses that meets its threshold (notably excluding government agencies), and is more discretionary as it allows businesses to subjectively consider whether they believe that breach ought to be notified to the affected individual(s), creating a lower notification threshold. The US Bill, which has been sitting with the Constitution and Civil Justice subcommittee since April 2015, does not call for intervention by a Government body/representative.
Beyond the Serious Data Breach Bill
The Serious Data Breach Bill, together with the APP, provide a solid foundation for the development of a dynamic data breach notification system. Once the Serious Data Breach Bill takes effect, there will be a need to tailor its operation, and inter-related APP compliance, to the circumstances of key industries/sectors.
The following issues/trends are likely to emerge:
- Industries should be encouraged to use the framework established by Part IIIB of the Privacy Act to self-regulate their compliance requirements under the Serious Data Breach Bill. There is no 'one-size-fits-all' approach to information sharing. Information sharing should be informed by a cost-benefit analysis that takes into account industries and risk profiles.[7] When considering risk profiles, attention should be given to certain businesses/sectors and the importance of extracting information from them. For example, organisations that have nation-state involvement and are the target of state-sponsored data breaches will likely need closer sharing of information.[8] The same applies for businesses that own and operate critical infrastructure.
- There is need for private-to-private or peer-to-peer, industry sharing with minimal government intervention. These methods can promote voluntary information sharing and alleviate privacy concerns that information provided to the government could be used for regulatory actions or as a 'backdoor' for law-enforcement.[9]
- Some guidance is required as to the Commissioner’s application of the 'as soon as practicable' test in respect of mandatory notification of serious data breaches. The OAIC Data Breach Guide[10] suggests that:
- Notification to the Commissioner may need to occur at an early stage following initial containment steps and preliminary assessment (at least where it is clear at that stage that the breach meets the ‘serious data breach’ threshold).
- Notification of affected customers may, in some circumstances of immediate concern, need to be made at that stage. Otherwise such notifications may be made following a more detailed evaluation of the breach. - There should be an express requirement that entities take reasonable efforts to eliminate personal information irrelevant to the data breach in accordance with the TIAA. This could be incentivised by providing indemnities from penalties under the Privacy Act to companies that take appropriate measures.
- Information sharing should be bi-directional (not symmetrical) and demonstrate value by, say, providing incentives for accurate and timely participation or alternatively, an annual breakdown of the data collated. The Serious Data Breach Bill currently does not provide any incentives.
A new cause of action?
The Commissioner has the powers to investigate a breach of privacy complaint put forward by an individual. However, the Commissioner’s powers are limited to making determinations and enforcing civil penalties. While the APP endeavour to protect the interests of Australian residents, it has limited application; applying only to ‘APP entities’.
While the equitable action for breach of confidence provides a potential avenue of recourse to protect individuals from the unauthorised disclosure of confidential information, there is still some uncertainty in Australia as to its sufficiency to address all breach scenarios and the form and extent of remedy available.
The Australian Law Reform Commission in its report regarding the Serious Invasions of Privacy in the Digital Era[11] (ALRC Report), concluded that there was a strong argument for addressing the uncertainty around the existing laws protecting individuals from serious incursions upon their privacy.
In particular, it noted that the current laws providing for affected individuals to obtain monetary compensation, including in respect of emotional distress, were not fully developed. The ALRC Report recommended that Australia introduce new torts of:
- misuse of personal information; and
- intrusion upon seclusion.
It proposes various thresholds to establish the breach of privacy as well as possible defences to such breaches.
Tort of ‘intrusion upon seclusion’
In Canada, the courts have used the incremental development of the common law to recognise the tort of ‘intrusion upon seclusion’. This is a privacy tort concerning an intrusion by a person into the private affairs/concerns of another person that would be offensive to a reasonable person.
The tort was first recognised by the Ontario Court of Appeal in 2012 in the judgment in Jones v Tsige[12]. The Court held that the relevant Ontario privacy legislation[13], which did not apply to breach of privacy laws by individuals during the course of non-commercial activities, was not exhaustive and that the plaintiff was entitled to assert a common law claim for the tort of ‘intrusion upon seclusion’.
The Canadian tort appears to resemble the US tort of the same name which has been expressly cited in US cases and is defined as:
"One who intentionally intrudes, physically or otherwise, upon the solitude or seclusion of another or his private affairs or concerns, is subject to liability to the other for invasion of his privacy, if the intrusion would be highly offensive to a reasonable person.”[14]
Condon & Ors v Canada[15], a class-action currently before the Canadian courts, is likely to shed further light upon the operation of the tort of ‘intrusion upon seclusion’ and, perhaps, provide a blueprint for the development of the common law in other countries such as Australia.
Given the lack of clarity in current Australian laws as to the extent to which individuals have an available cause of action which would permit them to obtain monetary compensation (including in respect of emotional distress), there is a risk that Australian rights may be falling dangerously behind those available in other jurisdictions.
The introduction of a tort of ‘intrusion upon seclusion’ is one recommendation which has been made in the ALRC Report to address this deficiency. The other alternative is to allow the further judicial development of the common law to recognise such torts.[16]
[1] Office of the Australian Information Commissioner, Data breach notification - a guide to handling personal information security breaches (August 2014) <http://bit.ly/1XVFk9h>
[2] Ponemon Institute 2015 Cost of Data Breach Study: Global (May 2015) <http://ibm.co/1FStqBu>
[3] Ibid.
[4] Cambridge Centre for Risk Studies, University of Cambridge Judge Business School, Lloyd's City Risk Index 2015 - 2025 (15 February 2016) Lloyd's <http://www.lloyds.com/cityriskindex/threats/cyber_attack>
[5] Ibid, <http://www.lloyds.com/cityriskindex/locations/city/sydney>; <http://www.lloyds.com/cityriskindex/locations/city/melbourne>
[6] Office of the Australian Information Commissioner, above n1.
[7] Denise E Zheng & James A. Lewis, Cyber Threat Information Sharing: Recommendations for Congress and the Administration (March 2015) Center for Strategic & International Studies http://csis.org/files/publication/150310_cyberthreatinfosharing.pdf
[8] Ibid.
[9] Ibid.
[10] Office of the Australian Information Commissioner, above n1, page 13.
[11] Australian Law Reform Commission, Serious Invasions of Privacy in the Digital Era, Report 123 (2014).
[12] Jones v Tsige, 2012 ONCA 32 an action brought by the plaintiff against a bank employee for the unauthorised access and review of the plaintiff’s financial information, which the employee did for personal reasons.
[13] Personal Information Protection and Electronic Documents Act, S.C. 2000, c.5.
[14] Section 652B of the US Restatement of the Law Second, Torts.
[15] 2014 FC 250. The substantive class action is in progress.
[16] The High Court has left open the possibility of such development in Australian Broadcasting Corporation v Lenah Game Meats Pty Ltd (2001) 208 CLR 199 per Gummow and Hayne JJ with whom Gaudron J agreed at [110], [132]; see further discussion in the ALRC Report op cit.