Catagory:Government Regulation, Legislation & Enforcement

1
EU-US Privacy Shield certifications to open in August
2
EU-US Privacy Shield approved
3
Agreed changes to EU-US Privacy Shield strengthens data transfer pact
4
Report finds average cost of data breach reaches $4 million
5
European Data Protection Supervisor less than impressed with EU-US Privacy Shield
6
OAIC releases draft guide for conducting big data activities
7
Yes it can cost you your job…even if you are the boss!
8
Former High Court judge Michael Kirby calls for privacy laws to deal with serious invasions of privacy
9
SWIFT’s assessment of Distributed Ledger Technologies
10
Australian Government releases Cyber Security Strategy

EU-US Privacy Shield certifications to open in August

By Cameron Abbott, Simon Ly and Rowena Baer

As a follow up to our latest blog post, the European Union and European Commission yesterday announced that the Privacy Shield arrangement has been adopted.

Companies wanting to utilise the Privacy Shield for their Trans-Atlantic data transfers are able to apply for certification with the U.S. Department of Commerce from 1 August 2016, with the US and EU to brief companies on the application process later this week.

For a legal perspective and analysis of the Privacy Shield, please see our colleagues’ report here.

To keep up to date and for an overview of the changes, please see here.

EU-US Privacy Shield approved

By Cameron Abbott, Rob Pulham, Simon Ly and Rowena Baer

When the Safe Harbour arrangements were struck down the EU and US worked to create a replacement and flesh out the details of this new arrangement (see our last article on this issue here). We have all been somewhat nervously watching to see if the new ‘Privacy Shield’ would get final approval amid some criticism from some quarters. Good news, last Friday the EU member states on the Article 31 Committee voted to approve a revised Privacy Shield.

The new arrangement provides a welcome measure of certainty for businesses whose Trans-Atlantic data transfers have been left in legal limbo since the European Court of Justice declared the longstanding Safe Harbor Framework invalid in October 2015.

The European Commission has released a statement expressing their confidence in the adoption of the new Privacy Shield, noting that the new pact is “fundamentally different” from its predecessor. The new Privacy Shield imposes “clear and strong obligations on companies handling the data and makes sure that these rules are followed and enforced in practice”.

International tech industry groups have also praised the move as a win for both consumers and businesses as the pact provides robust consumer privacy protections. Voicing their support of the Privacy Shield, Microsoft released a detailed blog post on how the Privacy Shield is progress for privacy rights, declaring that the regime is an “important achievement for the privacy rights of citizens across Europe, and for companies across all industries that rely on international data flows to run their businesses and serve their customers”.

Whilst we are still at the early stages, companies should begin assessing the Privacy Shield’s impact on their existing agreements and also more broadly their data strategy, keeping in mind that the regime relates only to EU-US data transfers. In particular, consideration should be given to the transitional arrangements in the Privacy Shield. Companies should also be aware of the potential challenges to this regime (and related issues post-Brexit) as there is concern about the shelf life of the Privacy Shield.

For more information, please see the EU’s page here and the US’s page here.

Agreed changes to EU-US Privacy Shield strengthens data transfer pact

By Cameron Abbott and Giles Whittaker

The US and the European Union reportedly reached an agreement on the language of a key data transfer pact, including clearer limits on U.S. surveillance and stricter rules for companies holding information of Europeans. The updated EU-US Privacy Shield was sent to EU member states, who are expected to vote on the proposal in July. The revised data transfer pact is said to include stricter cross-border data-handling rules for companies using Europeans’ information for targeted online advertising, and also has detailed the specific condition under which U.S. government intelligence services would collect data in bulk and the safeguards on how the data is used.

Meanwhile, U.S. Chamber of Commerce Executive Vice President and Head of International Affairs Myron Brilliant urged the EU’s member states to quickly sign off on the updated version, saying that the new framework for trans-Atlantic data transfer is critical for companies on both sides of the pond.

Further information regarding the report by Reuters can be read here.

Report finds average cost of data breach reaches $4 million

By Cameron Abbott and Giles Whittaker

A report sponsored by IBM and conducted by the Ponemon Institute found that the average cost of a data breach has grown to $4 million, up 29% from 2013. The survey also found cybersecurity incidents continued to witness growth in both volume and sophistication, with 64% more security incidents reported in 2015 than the preceding year. According to the study, the companies lose $158 per compromised record. Also not surprisingly, breaches in highly regulated industries were even more costly. For instance, healthcare breaches reached $355 per record – a full $100 more than in 2013.

Read the full report conducted by the Ponemon Institute here.

European Data Protection Supervisor less than impressed with EU-US Privacy Shield

By Cameron Abbott, Rob Pulham and Giles Whittaker

The EU-US Privacy Shield data-sharing agreement has come under scrutiny from the European Data Protection Supervisor Giovanni Buttarelli. Mr Buttarelli has expressed concerns that the Privacy Shield, which will outline how data (including personal information) should be handled in foreign jurisdictions, is “not robust enough to withstand future legal scrutiny”.

While Mr Buttarelli said he “appreciates” the efforts made to develop a solution to replace Safe Harbour, he emphasised that “significant improvements are needed should the European Commission wish to adopt an adequacy decision, to respect…the key data protection principles” which are afforded in Europe with particular regard to “necessity, proportionality and redress mechanisms”.

Giovanni Buttarelli’s statement regarding the Privacy Shield can be found here.

OAIC releases draft guide for conducting big data activities

By Cameron Abbott and Simon Ly

Last week the OAIC released their consultation draft Guide to big data and the Australian Privacy Principles, with feedback on the Guide open until 26 July 2016.

The main purpose of the Guide is to facilitate big data activities while protecting personal information (being information or an opinion about an identified individual, or an individual who is reasonably identifiable). The Guide addresses issues such as notice and consent, retention minimisation and use limitation in regards to such data. Whilst not legally binding, the Guide will be referred to by the Privacy Commissioner in undertaking its functions under the Privacy Act.

One of the key aspects dealt with in the Guide is that entities should consider undertaking big data activities on an anonymised manner by de-identifying personal information. If so, this has the favourable outcome that such data will not be considered personal information so accordingly less onerous obligations apply under the Privacy Act to such data. Of course, if this is the case it also lessens the chance that personal information will be compromised should a data breach occur (speaking of which, we note OAIC’s April 2016 guide to deal with data breaches). However, in our experience most of our clients want to analyse and then drill down to take actions or campaigns in relation to a then identified group of customers.

The Guide also highlights how big data interacts with the APPs as well as discussing other related concepts, such as “privacy by design” frameworks. For more information, you can access the OAIC’s consultation draft Guide here.

Yes it can cost you your job…even if you are the boss!

By Cameron Abbott and Giles Whittaker

The CEO of Austrian aerospace parts maker FACC, has been fired following a cyber fraud that cost the company 42 million euros (AUD $65 million). FACC also fired their CFO in February soon after the cyber fraud.

Executives are being held responsible for business’ cybersecurity measures, and while FACC declined to comment on the details of Walter Stephan’s shortcomings, their supervisory board concluded that Walter Stephan had “severely violate his duties, in particular in relation to the fake president incident”. It is likely that this violation is in reference to a lack of adequate cybersecurity procedures or protections, which would be considered essential for most businesses in this technologically integrated era.

So how was it done? The technique used to deceive FACC into handing over their money is known as a ‘fake president incident’. To put it simply, the hackers sent an email to an employee posing as the CEO, and requested that funds be transferred to a specified account for a fake acquisition project. It would appear the board figured it shouldn’t have been that easy.

More information about this cyber fraud can be found in an article by reuters.

Former High Court judge Michael Kirby calls for privacy laws to deal with serious invasions of privacy

By Cameron Abbott and Simon Ly

In a recent speech and comments made to Fairfax Media, former High Court of Australia judge Michael Kirby has taken aim at the current state of Australia’s privacy law regime in regards to serious invasions of privacy such as “revenge porn” and the kinds of privacy breaches often associated with the press.

Mr Kirby called upon the NSW parliament to legislate to protect its citizens in order to push the federal government to create a national standard. Mr Kirby’s comments follows the March 2016 report released by the NSW parliament titled “Remedies for the serious invasion of privacy in New South Wales” where the Upper House committee made a series of recommendations that a statutory cause of action be introduced in NSW that would enable people who have suffered a serious invasion of privacy to commence a civil action.

Taking an international view, this issue took the attention worldwide recently when then-ESPN reporter Erin Andrews was secretly filmed nude by a stalker while in her hotel room. Since then, Erin Andrews settled a claim with the hotel operator after having been awarded $55 million in March 2016.

For more information, please see NSW’s report here, which the government is expected to respond to by 5 September 2016.

SWIFT’s assessment of Distributed Ledger Technologies

By Cameron Abbott and Giles Whittaker

SWIFT and Accenture released their new paper into how Distributed Ledger Technologies (DLTs) could be used in financial services. The outcome of their assessment highlighted 8 key gaps between industry requirements and the current DLT solutions. The 8 critical factors to be addressed before widespread adoption of DLT’s include:

  1. strong governance;
  2. data controls;
  3. compliance with regulatory requirements;
  4. standardisation;
  5. identity framework;
  6. security and cyber defence;
  7. reliability; and
  8. scalability.

The potential use of these technologies is still unclear according to Fabian Vandenreydt the Head of Securities, Innotribe and the SWIFT Institute. However SWIFT has committed to working with the industry to identify areas in which the technology can provide the greatest benefit.

For more information about SWIFT’s position on DLTs or to download a copy of the paper visit here.

Australian Government releases Cyber Security Strategy

By Cameron Abbott and Giles Whittaker

Cybersecurity appears to be a new popular expenditure, particularly in Australia, as Malcom Turnbull announces his government’s new Cyber Security Strategy initiative budgeted to cost $230 million over 4 years in addition to the $400 million allocated in the 2016 Defence White Paper over 10 years.

So what do we get for all that money? The government has announced their 5 themes of action over the next 4 years which includes:

  1. a national cyber partnership;
  2. strong cyber defences;
  3. global responsibility and influence;
  4. growth and innovation; and
  5. a cyber smart nation.

This will include the funding to establish a Cyber Security Growth Centre through a National Innovation and Science Agenda. The Growth Centre is intended to serve as an innovation hub which will identify and prioritise cybersecurity challenges and identify opportunities for Australia to build globally competitive commercial solutions.

Cybersecurity is grabbing global attention and the Turnbull government has appointment their first Cyber Ambassador. The role of the Cyber Ambassador will be to identify opportunities for practical international cooperation and ensure Australia is situated to take advantage of new commercial opportunities.

Small businesses are often left exposed to hackers due to a lack of resources allocated to cybersecurity and, are targeted for their potential provide a back door to other companies, are often targeted. Turnbull’s no business left behind strategy sees small businesses being allocated $15 million in grants to have their systems tested and improved by The Council of Registered Ethical Security Testers (CREST).

For further information access the government’s plan here.

Copyright © 2024, K&L Gates LLP. All Rights Reserved.