Proposed changes to Australia's privacy laws mean that organisations will face greater accountability for cross-border flows of information - including for overseas hackers' access and use of it - and they need to start getting ready now.
In a world in which more and more data is being collected, stored and disseminated online, and in which technological advancements and business globalisation are making geographic borders increasingly more redundant, the proposed changes in the Privacy Amendment (Enhancing Privacy Protection) Bill 2012 to the rules regarding cross-border data flows will have particular implications for businesses from a technical and operational perspective.
The proposed changes include tightening those rules, significantly altering the risk profile arising from cross-border data flows for Australian organisations. The key change is greater accountability for such flows of information – which in some cases would mean that you could be responsible for breaches of Australian privacy laws committed by an overseas hacker who gains unauthorised access to personal data stored on your systems.
The Privacy Amendment (Enhancing Privacy Protection) Bill 2012, which implements the Government's first stage response to the 2008 report of the Australian Law Reform Commission (ALRC), "For Your Information: Australian Privacy Law and Practice", was introduced into Parliament on 23 May 2012.
One of the key changes contained in the Bill is the replacement of the existing National Privacy Principles (or NPPs) with the new Australian Privacy Principles (or APPs).
A new focus on "disclosure" – and liability for others' hacking?
The focus of the proposed AAP 8 is the "disclosure" of personal information to overseas recipients, as compared to the current NPP 9, which restricts the "transfer" of personal information overseas.
The concept of "disclosure" is not defined for these purposes, and it remains to be seen how broadly that term will be applied if the Bill is enacted in its current form.
The Office of the Australian Information Commissioner's view on the current NPPs is that "in general terms an organisation discloses personal information when it releases information to others outside the organisation". It therefore seems clear that the new APP 8 will apply at least when an organisation's data is made accessible by that organisation to a person overseas, even if at all times it remains stored on an Australian server.
However, the Explanatory Memorandum (EM) for the Bill raises the prospect of APP 8 going further, and applying to scenarios where access to the relevant information is unauthorised.
It states that APP 8 is not intended to apply to the routing of information through servers located outside Australia, but goes on to say that organisations "will need to take a risk management approach to ensure that personal information routed overseas is not accessed by third parties", and that "if the information is accessed by third parties, this will be a disclosure subject to APP 8".
This is a departure from the OAIC's current approach to NPP 2, which is that an organisation has not "disclosed" information to a person who gains unauthorised access to that information by hacking the organisation's computer systems.
Regrettably, it would appear that the EM confuses the role of APP 8 with that of the new APP 11 (which deals with security measures), and falls short of providing any real clarity on exactly how far the cross-border data flow principle will apply to common situations in the electronic handling and transmission of data, despite calls for guidance on this issue in an earlier Senate Committee Report on an exposure draft of the Bill. The following matters, for example, are not made clear by the Bill or the EM, so we will need further detailed guidance from the OAIC:
- the status of caching (ie. the temporary storage of data for the purpose of facilitating communications) unclear; and
- is APP 8 breached if a person outside Australia gains access to information in the course of its passage over an Australian network (as opposed to where the information is being routed over a network located outside of Australia, which is referred to specifically in the EM)?
The accountability principle - a new paradigm for risk allocation
One of the most significant changes contained in the Bill involves the introduction of a new "accountability" approach to cross-border data flows.
Under current laws, once an entity can show that it is permitted to transfer personal data to an overseas recipient, it generally will not be held accountable under the legislation for subsequent privacy breaches by the overseas recipient.
However, under the proposed amendments, an organisation disclosing personal information to an overseas recipient will be treated as having breached the APPs itself if the overseas recipient does anything with that information which is contrary to the APPs. This is regardless of whether it has taken all of the steps required by APP 8 prior to making the relevant disclosure. (There are some limited exceptions).
Where disclosure is being made to a known entity, such as a service provider, an organisation is able to manage the exposure this creates, through the inclusion of risk allocation mechanisms in the contract. But what if the relevant disclosure is being made to an unknown entity, as would be the case where a hacker gains unauthorised access to personal information?
If the concept of "disclosure" does, as suggested by the EM, cover scenarios involving unauthorised access to personal information held by an organisation, APP 8 would require the organisation to take reasonable precautions to guard against the unauthorised access. That may include:
- due diligence in relation to the organisation's choice of service providers (and the security measures they use); and
- a re-evaluation of the organisation's own security standards and protocols, to ensure they are reasonably appropriate for reducing the risk of unauthorised access.
Even if all of those steps are taken, however, the organisation will still be liable for any breaches of the APPs committed by that overseas recipient of the relevant information. This, coupled with the enhanced powers provided to the OAIC under the Bill, gives rise to some significant concerns for organisations dealing with personal information electronically, and reinforces the need for clarity on precisely what constitutes a "disclosure" of personal information for the purposes of APP 8.
Consent must be really, really informed
As with the current NPP 9, obtaining a person's consent to the "disclosure" of his or her personal information to an overseas recipient can avoid the application of APP 8 (and, by extension, the accountability principle described above).
To rely on such consent, however, the organisation must have first informed the person that a consequence of his or her consent is that the organisation will not be required to take reasonable steps to ensure that the APPs are complied with by overseas recipients of the information.
At present, most organisations, in their terms and conditions of service and privacy policies, refer obliquely to the fact that the information may be disclosed to an overseas recipient for certain purposes, and seek consent for that to occur. This approach will no longer suffice under the proposed new regime, and a far more specific disclaimer in relation to the organisation's responsibility for what happens to data made available to overseas recipients will be required.
It may be that, in this context, organisations are tempted to make additional statements aimed at reassuring individuals about how their personal information will be dealt with to soften the required disclaimer. In those cases, care should be taken to ensure that those statements are complied with, as they will be likely to constitute representations or commitments which themselves may lead to liability if not complied with.
Where to from here?
The Bill has been read a first time in Parliament, but has now been referred to the House of Representatives Standing Committee on Social Policy and Legal Affairs for an Inquiry. The Committee has sought submissions from any interested persons and organisations by 20 July 2012, with a report expected in September 2012. This process may result in changes to the Bill, although given the multitude of inquiries and reports that have occurred to date as part of the Government's privacy reform process, significant changes seem unlikely.
If the Bill is enacted in its current form, businesses should:
- review their contracts with service providers (such as telecommunications service agreements, cloud computing agreements, offshore business process outsourcing agreements and any others which involve the transmission or hosting of data overseas) to ensure at least that appropriate security requirements are contained within the agreements, and that risk in relation to privacy issues is allocated appropriately between the business and the relevant service provider in light of the accountability principle;
- review their internal security controls and processes to identify any additional measures that may need to be taken to comply with the incoming rules; and
- review privacy collection statements and terms and conditions to ensure that any consent to cross border disclosure is accompanied by the required disclaimer. Given that the new laws will apply to all information held by an organisation (with no exceptions for historical data), consideration should also be given to whether existing consents should be revised.