As Australia’s Notifiable Data Breaches scheme marks its fourth year of operation, the Office of the Australian Information Commissioner (OAIC) is urging organisations to put accountability at the centre of their information handling practices. Australian Information Commissioner and Privacy Commissioner Angelene Falk said doing so would give individuals greater confidence that their personal information will be handled fairly and securely when they engage with an organisation.
Accountability and enforcement
When considering accountability in the context of data breaches, it is helpful to look more broadly at the trends arising from recent enforcement activity, as these point the way to risk mitigation. Some four years after Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (GDPR) came into force on 25 May 2018, these trends are shaping behaviour, even for us in Australia.
Generally, trends to be monitored include:
- Cookies and behavioural advertising
- Adequacy and transfer of Personal Information (PI), noting that 148 countries now have privacy protection laws
- Competition vs privacy, where regulation and market forces are beginning to overlap
- New regulatory activity, for example in areas of functionality and enforcement of mobile apps, AI, ML, facial recognition and surveillance
- Greater cooperation between regulators
Summary of some important activity
- The Irish Data Protection Commission (DPC) fined WhatsApp €225m for a series of cross-border data protection infringements under the GDPR. The fine followed a lengthy investigation and enforcement process which began in 2018 and involved the DPC’s proposed decision and sanctions being rejected by its counterpart European data protection regulators, resulting in a referral to, and a ruling from, the European Data Protection Board.
WhatsApp contended that its approach was aligned with that adopted by many industry peers, and that it had engaged with the Commission before the GDPR applied with a view to ensuring compliance; both contentions were rejected. The outcome demonstrates new levels of cooperation between regulators and also that every business process must withstand judicial scrutiny.
Prepare to review the use and provision of platform security and privacy settings, age verification, and technical and legal consent. Information classification, record keeping and the ability to provide evidence are imperative.
- The Dutch Data Protection Authority (DPA) fined TikTok €750,000 for violating the privacy of young children. The information provided by TikTok to Dutch users (many of whom are young children) when installing and using the app was in English and thus not readily understandable.
TikTok subsequently implemented a number of changes to make its app safer for children under the age of 16, but children can still pretend to be older by entering a different age when creating their account, and in doing so they put themselves at greater risk.
Expect to see more stringent technical, administrative and parental rigour around digital platforms and consent, which will impact the services you provide and use.
- The Irish DPO submitted an Article 60 (cooperation between the lead supervisory authority and the other supervisory authorities concerned) draft decision on an inquiry into Instagram. The Irish DPO examined certain processing of the personal data of children by Facebook Ireland Limited in the context of the Instagram social networking service, including whether or not there were adequate safeguards in place. A final decision on Instagram may be expected mid-2022.
Aside from compliance issues, this case points to implications for data protection and design by default from the outset on any new project.
- The Austrian DPO upheld a complaint against a website over its use of Google Analytics. The decision raises concern over the routine use of tools that require the transfer of EU personal data to the US for processing, because the DPO found that IP addresses and identifiers in cookie data are the personal data of website visitors, meaning that transfers to the US and other countries (like Australia, which is not deemed adequate by EU standards) fall under the purview of the GDPR.
In this case, although an IP address anonymisation function had not been implemented correctly on the website, the DPO nevertheless found that IP address data is personal data because of the potential for it to be combined with other digital data and result in the identification of an individual visitor to the website.
US intelligence services use online identifiers (such as IP addresses or unique identification numbers) as a starting point for the surveillance of individuals, and in this case the Austrian DPO did not find that sufficient safeguards had been put in place to effectively block US intelligence services from accessing the data, as required to meet the GDPR’s standard.
This decision is likely to impact the use of US cloud services not only in Europe but also in other countries. Notably, Australia is in a similar position to the US in relation to surveillance legislation. Furthermore, the NIS 2 Directive includes specific requirements in relation to transparency about surveillance.
Prepare to address all these issues.
- The French data protection supervisory authority finds that Google Analytics breaches the GDPR. In a decision similar to the one reached in Austria, the National Commission on Informatics and Liberty (CNIL) ruled that the transatlantic movement of Google Analytics data to the U.S. is not sufficiently regulated, citing a violation of the data protection decree which governs the transfer of personal data to third countries or international entities.
Specifically, CNIL highlighted the lack of equivalent privacy protections and the risk that “American intelligence services would access personal data transferred to the United States if the transfers were not properly regulated.” The same conclusion will apply in relation to Australia.
Despite Google adopting additional measures to regulate data transfers in the context of the Google Analytics functionality, these were still not sufficient to exclude the accessibility of this data to U.S. intelligence services.
- German court rules that websites embedding Google Fonts violate the GDPR. A court in the German city of Munich found that embedding Google Fonts on a website, which transfers the visitor’s IP address to Google via the font library without the user’s consent, contravenes the GDPR.
Under the GDPR, data points such as IP addresses, advertising IDs and cookies count as PI and personally identifiable information (PII), making it mandatory for organisations to seek users’ explicit consent before processing such information.
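The Google Analytics and Google Fonts decisions above both turn on the same mechanism: any resource a page loads from another origin makes the visitor's browser connect to that origin and hand over the visitor's IP address. The following inventory check is an added example, not code from the original article or from any regulator; it parses a page's HTML with the Python standard library and lists every non-first-party host the browser would contact, annotating the Google hosts named in those decisions. The host mapping and the sample page are constructed assumptions for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse
# Added example, not the article's code. Hosts named in the decisions above;
# this mapping is an illustrative assumption, not an exhaustive list.
KNOWN_TRANSFER_HOSTS = {
    "fonts.googleapis.com": "Google Fonts stylesheet",
    "fonts.gstatic.com": "Google Fonts font files",
    "www.google-analytics.com": "Google Analytics",
    "www.googletagmanager.com": "Google Tag Manager / GA4",
}
# url(...) and @import '...' inside inline <style> blocks.
_CSS_URL = re.compile(r"""url\(\s*['"]?([^'")]+)['"]?\s*\)|@import\s+['"]([^'"]+)['"]""")

class _ResourceCollector(HTMLParser):
    """Collect URLs the browser fetches automatically while rendering the page."""
    def __init__(self):
        super().__init__()
        self.urls, self._in_style = [], False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("script", "img", "iframe") and a.get("src"):
            self.urls.append(a["src"])
        elif tag == "link" and a.get("href"):  # stylesheets, preconnect, icons
            self.urls.append(a["href"])
        self._in_style = self._in_style or tag == "style"

    def handle_endtag(self, tag):
        self._in_style = self._in_style and tag != "style"

    def handle_data(self, data):
        if self._in_style:  # CSS can pull remote fonts without any <link> tag
            self.urls += [m.group(1) or m.group(2) for m in _CSS_URL.finditer(data)]

def third_party_hosts(html, first_party_host):
    """Return {host: description} for each non-first-party origin the page loads."""
    collector = _ResourceCollector()
    collector.feed(html)
    found = {}
    for url in collector.urls:
        host = urlparse(url).hostname  # None for path-only URLs such as /static/x.css
        if host and host.lower() != first_party_host.lower():
            found[host] = KNOWN_TRANSFER_HOSTS.get(host, "unlisted third party")
    return found

SAMPLE_HTML = """<html><head><link rel="preconnect" href="https://fonts.gstatic.com">
<link rel="stylesheet" href="https://fonts.googleapis.com/css2?family=Roboto"><link rel="stylesheet" href="/static/site.css">
<style>@import url("https://fonts.googleapis.com/css?family=Lato");</style><script async src="https://www.googletagmanager.com/gtag/js?id=G-PLACEHOLDER"></script>
</head><body><img src="//cdn.example.net/logo.png"></body></html>"""  # constructed sample
```

Running `third_party_hosts(SAMPLE_HTML, "www.example.com")` on the constructed page reports four external hosts; the site-relative stylesheet is correctly ignored, and the font loaded through the CSS `@import` is caught even though no `<link>` points at it.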
Hopefully the privacy regulatory reform currently underway in Australia will align with these international trends and DPO findings, as clarity on what exactly constitutes PII is sorely needed.
All this means a new level of complexity for boards, especially because data and digital transformation are now viewed in the light of data as capital.
- Keep up with international trends
- In Australia follow ASIC vs RI Advice (obligations to implement cyber security systems)
- Focus on leadership and budget, and brief company directors and officers on privacy
- Develop data privacy leaders and educate everyone in the business
- Know your information and data assets, and maintain high visibility of your network at all times.
What success looks like
Success means having an integrated legal and cybersecurity compliance framework.