7 April 2017

Our reference: D2017/001982

Ambassador for Cyber Affairs
Department of Foreign Affairs and Trade
RG Casey Building
John McEwen Crescent
Barton ACT 0221

Dear Ambassador Feakin

Submission on the International Cyber Engagement Strategy

Thank you for the opportunity to provide comment on the International Cyber Engagement Strategy (the Strategy).

As the Department of Foreign Affairs and Trade has noted in its call for submissions, privacy is an important interest and value. Individuals have an interest in their personal and sensitive information being protected online, regardless of whether they are dealing with an organisation within Australia or overseas. The Strategy represents an opportunity to ensure that Australia’s privacy and data protection commitments are reflected in Australia’s international engagement.

The Office of the Australian Information Commissioner (OAIC) has experience dealing with many issues relevant to the Strategy. Modern privacy and data protection laws, including the Privacy Act 1988 (Cth) (the Privacy Act), have an inherently international aspect, due to the increased flow of personal information between countries. These laws also include requirements around information security as an essential element of the protection of personal information.

The Privacy Act contains 13 Australian Privacy Principles (APPs), which are technology neutral, ensuring they remain applicable in the face of changing and emerging technologies. The APPs require regulated agencies and organisations to take reasonable steps to keep personal information secure and to implement practices, procedures and systems to ensure compliance with the APPs. The OAIC works with agencies and organisations to facilitate compliance and best privacy practice.

My comments below address these issues, with a view to ensuring that individuals’ privacy rights are respected in cyberspace. These comments reflect the OAIC’s experience as Australia’s national privacy regulator, and the OAIC’s experience in international engagement on privacy and information security matters.

The OAIC’s international engagement

Increasingly, privacy threats and challenges extend beyond national borders, and a coordinated and consistent global approach can be an effective response to global privacy issues, including privacy issues relating to the international cyberspace environment. In light of this, there is a trend towards increased cooperation and information sharing between data protection authorities. The OAIC has extensive experience in international engagement on privacy and information security matters.

As privacy is one of Australia’s key interests in cyberspace, the Strategy could leverage the OAIC’s existing international relationships, initiatives, activities and agreements as part of Australia’s overall international cyber engagement.

The OAIC is involved in a range of forums, including the Asia Pacific Privacy Authorities Forum (APPA), which brings together privacy and data protection authorities in our region, and the Global Privacy Enforcement Network (GPEN), which facilitates cooperation between privacy and data protection authorities globally on cross-border privacy matters.

The OAIC has also conducted joint regulatory activities with international regulators, including a joint investigation with the Privacy Commissioner of Canada into the Ashley Madison data breach, conducted in August 2015 under the APEC Cross-border Privacy Enforcement Arrangement.[1]

Joint investigations reflect the global nature and impact of modern data breaches. Nationally, the OAIC has also collaborated with other agencies on privacy and security matters, including the recent report Review of the events surrounding the 2016 eCensus: Improving institutional cyber security culture and practices across the Australian government.[2] This report demonstrated, among other things, the increasing interconnectedness of privacy and information security.

In addition, Australia has a bilateral agreement with the European Union (EU) permitting the transfer of EU-sourced passenger name record data by air carriers to the Department of Immigration and Border Protection. This agreement enables Australian authorities to assess security risks, and contains certain privacy safeguards that are overseen by the OAIC.

Research collaborations between Australian agencies and organisations and their international partners may provide an avenue for identifying best practices and emerging threats to privacy and security. International research collaborations may be of particular value given the international character of these issues. Research work by other regulators, such as the United States Federal Trade Commission’s Office of Technology Research and Investigation,[3] could provide a basis for such collaboration.

Supporting an open, free and secure Internet

Effective privacy protections are an important component of an open, free and secure Internet. Good privacy practice promotes cyber security. It also builds consumer trust and confidence, which in turn provides a social licence for agencies and organisations operating in an online environment.

Security of personal information

APP 11 requires regulated entities to take reasonable steps to protect the personal information they hold from misuse, interference and loss, and from unauthorised access, modification or disclosure. APP 11 also requires entities to take reasonable steps to destroy or de-identify the personal information they hold once it is no longer needed for any purpose for which it may be used or disclosed under the APPs.

Regulatory harmonisation

Variations between privacy and data protection laws in different jurisdictions can present challenges to regulated entities. The importance of compatibility of privacy and data protection laws of different jurisdictions is well recognised, and is increasingly important: data knows no borders, and international data flows and data breaches are increasingly frequent occurrences.

In part, this challenge is simply the result of having multiple compliance requirements. For example, Australian businesses offering goods and services to individuals within the EU will soon be required to comply with the EU General Data Protection Regulation (GDPR),[4] as well as the Privacy Act. While there are a number of similar requirements in the Privacy Act and GDPR, there are also some differences. The OAIC works with regulated entities in Australia to build their capacity and compliance in a global environment.

The OAIC looks to play a leadership role in improving the interoperability of privacy responsibilities. The Strategy could include efforts to work with other countries and international bodies to achieve harmonisation of different privacy and data protection laws, standards, and regulatory approaches.

Cross-border disclosure

International data flows are subject to multiple privacy and data protection laws, which usually limit the disclosure of personal information to an overseas recipient unless the information will be suitably protected when it is received.[5] These limitations may present challenges for regulated entities operating across national boundaries.

A central object of the Privacy Act is facilitating the free flow of information across national borders while ensuring the privacy of individuals is respected. Under the Privacy Act, APP 8 requires entities, before disclosing personal information to an overseas recipient, to take such steps as are reasonable in the circumstances to ensure that the overseas recipient does not breach the APPs[6] in relation to that information.

Laws such as APP 8 and the EU GDPR are of great interest to government and business, particularly given the prevalence of cloud storage of data in foreign locations and data sharing commonly occurring within and between global companies.

The Strategy could assist businesses that are subject to multiple regulatory frameworks by promoting both the development of internationally harmonised privacy laws and the need for companies to be privacy compliant when operating in the international cyberspace environment.

I trust that these comments are useful to the Department of Foreign Affairs and Trade and we would welcome the opportunity to contribute to the further development and implementation of the Strategy.

If you or your staff have any questions or require additional information, please contact Dimitrios Kormas, Regulation and Strategy Branch, on [contact details removed].

Yours sincerely

Timothy Pilgrim PSM
Australian Information Commissioner
Australian Privacy Commissioner

Footnotes

[1] See Joint investigation of Ashley Madison by the Privacy Commissioner of Canada and the Australian Privacy Commissioner and Acting Australian Information Commissioner.

[2] See Review of the Events Surrounding the 2016 eCensus: Improving institutional cyber security culture and practices across the Australian government [PDF].

[3] See Office of Technology Research and Investigation.

[4] The GDPR is not yet in force, and will commence in May 2018.

[5] Many privacy and data protection laws are based on the Organisation for Economic Co-operation and Development’s Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, which includes a principle to this effect; see OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data.

[6] Excluding APP 1 (open and transparent management of personal information).