Australian Government - Office of the Australian Information Commissioner

Privacy directions

Presentation by Timothy Pilgrim to iappANZ Summit, Melbourne 18 November 2015

Good morning. I would like to acknowledge the Wurundjeri people, the traditional custodians of the land on which we meet today, and pay my respects to their elders, both past and present.

It’s a pleasure to open the annual iappANZ Summit, and I’d like to add my welcome to Anna’s.

iappANZ is always a great opportunity to hear a wide range of interesting and expert opinions on all aspects of privacy, and this is a particularly interesting time for our field.

We’re seeing an increasing intersection between international data flows, cross-border cooperation and regulation, and privacy management as an inherent component of business management.

So it will be interesting to hear from today’s speakers, who will be looking at the issue of Privacy at Work, and more, and I also expect we’ll be hearing some robust and well-informed discussions from the panels throughout the day.

I’ve recently returned from the International Conference of Data Protection and Privacy Commissioners where there were a broad range of discussions on a number of current privacy issues with international impact.

I hope that this morning I can give some insights on trends and changes at an international level, as well as looking at the direction ahead for my Office.

Privacy is an international conversation, particularly as information flows have become more complex, traversing national borders and established regulatory jurisdictions.

Therefore, privacy regulation must be ready to respond to an environment of constantly changing technologies and ways of doing business. It must evolve and remain flexible and adaptable to this environment.

The need for this flexibility is being played out increasingly in the area of cross-border and cross-jurisdictional cooperation and information sharing amongst regulators.

The theme of this year’s International Conference was ‘Building Bridges’. While the shadow of the recent decision of the Court of Justice of the European Union (CJEU) on the US Safe Harbour arrangements, which I will come back to shortly, hung over the conference and flavoured much of the discussion, it nevertheless underlined the importance of regulating cross-border data flows.

This decision, and the work that will need to be done as a result, reinforced the timeliness of some of the outcomes of the conference. The first of these I would mention was agreement on a new Global cross border enforcement cooperation arrangement.

Like the APEC Cross-border Privacy Enforcement Arrangement (the ‘CPEA’), with which I am sure most of you are familiar, this agreement will facilitate new inter-jurisdictional information sharing, enforcement co-operation and coordination in investigations.

These arrangements support other arrangements that are already in place between Australia and other regulators, such as the MOU my Office has with the Irish Data Protection Commission.

Further, while at the Conference, I became a signatory to the recently launched Global Privacy Enforcement Network’s (GPEN) Alert initiative, which is a multilateral system to enhance coordination between GPEN member organisations by enabling them to confidentially share information about investigations.

Information flows no longer acknowledge national borders, and can therefore no longer be effectively dealt with by one authority. The Ashley Madison data breach investigation is an example of this.

As you would be aware, we have launched a joint investigation with the Canadian Office of the Privacy Commissioner, as Avid Life Media, the parent company of Ashley Madison, is based in Canada.

This collaboration is made possible by the APEC CPEA, and two of my staff have just returned from Canada, where they were working on this investigation, while also sharing learnings on undertaking technologically focused investigations.

All of these agreements, as well as legislative systems for cooperation and consistent regulation, are indicative of an increasing trend towards co-operation and information sharing between regulators.

Safe harbour

Let me turn now to what I have not so subtly suggested was the elephant in the room of the conference.

The decision overturning Safe Harbour has been of considerable interest worldwide, and obviously this decision was a hot topic at the International Conference, as it will have a huge impact on businesses both in the EU and the US, and how they manage cross-border data flows between those economies.

Many of you in this room may be familiar with this background, but with privacy attracting new professionals all the time, the background is worth briefly recapping.

The Safe Harbour scheme has, since July 2000, allowed US companies to achieve compliance with EU data protection law by self-certifying compliance with specific privacy requirements, thus allowing them to receive EU-origin data. At a personal level it was fascinating to listen to this discussion, having been at international conferences in Europe in the early 2000s when the Safe Harbour arrangements were being negotiated.

In June 2013 a law student called Max Schrems made a privacy complaint against Facebook to the Irish Data Protection Commissioner.

He claimed that because Facebook had participated in the United States’ PRISM scheme – under which personal data can be provided to the US National Security Agency – his right to privacy had been violated under Irish law.

This claim carried the logical implication that his personal information should not be transferred to the US under the EU’s Safe Harbour scheme.

The Irish Data Protection Commissioner dismissed Schrems’ complaint, finding that, as Facebook was bound by the Safe Harbour scheme, his data had been protected as required under the EU Data Protection Directive.

Schrems appealed this decision, and it ultimately ended up before the Court of Justice of the European Union, which found the Safe Harbour decision itself to be invalid.

The CJEU’s reasons for overturning Safe Harbour were that:

  • US legislation that permits public authorities to have general access to content from electronic communications contradicts the right to privacy as guaranteed in Article 7 of the Charter of Fundamental Rights of the European Union.
  • And, further, that US legislation does not include remedies to access, correct or have personal information deleted, which is contrary to the right to effective judicial protection in Article 47 of the Charter of Fundamental Rights of the European Union.

Therefore, they found that the Safe Harbour decision does not ensure a level of protection of fundamental rights essentially equivalent to those guaranteed in the EU.

Although this decision doesn’t directly impact on Australian regulation, it is having an impact on organisations around the world, and it will likely be influential in a wide range of ways.

For example, Germany has stated that it will undertake enforcement action against organisations that are still relying on Safe Harbour as proof of a data protection standard, and, equally worryingly, has questioned the use of binding corporate rules (BCRs), which, in the EU, have previously been considered an adequate method of ensuring data protection standards.

I have already been asked what the impact is for Australian businesses and the short answer is, this decision does not apply to us, as Australia has never been party to Safe Harbour, nor have we been formally assessed for adequacy by the EU, although the EU has issued an opinion on Australian data protection law that it wouldn’t be adequate.

However, it does indicate a shift in international standards for personal information protection, and will be significant for those multinationals that use the EU as their standard for data protection, which I know many do.

Nevertheless, my message for Australian businesses is that you are required to comply with Australian Privacy Principle 8, which requires you to take reasonable steps to ensure that the overseas recipient of personal information does not breach the APPs.

As you would know, if an organisation fails to ensure the protection of personal information disclosed overseas, they can be held accountable.

So irrespective of the ramifications of the Schrems case, our current advice, as set out in the APP guidelines, is that BCRs can be one of the acceptable methods of ensuring an overseas recipient is subject to an appropriate binding scheme.

Proposed EU regulation

While on the subject of things European, I’d like to talk briefly about the proposed new EU General Data Protection Regulation, which is set to replace the Data Protection Directive.

It can’t be denied that data protection regulation across the world is heavily influenced by the EU. So I think it’s worth looking closely at the trends and changes that are impending from that part of the world.

There are a wide range of changes in the Data Protection Regulation, including changes to the powers of privacy regulators. While the final wording is still being negotiated we expect that:

  • The new Regulation will have a wider jurisdiction, applying to any business that offers goods or services to EU residents, rather than only applying to those businesses with a physical link to the EU. This is of course similar to the operation of our own Privacy Act. Businesses that process EU data will also have direct obligations under the Regulation.
  • The new Regulation will include the ‘Right to be Forgotten’, as well as stricter rules about gaining explicit consent for use and disclosure of personal information.
  • Under the Regulation, we will see for the first time a single mandatory data breach notification scheme that applies consistently across all EU nations.

And finally on the international scene, as you would know, the UN has appointed a special rapporteur on privacy, Professor Joseph Cannataci, who has an extensive mandate and believes that strong oversight is the only way of progressing and protecting people’s right to privacy.

While there will no doubt be considerable debate as Cannataci starts to push governments around the world on issues such as surveillance, I expect that between this new role and the upcoming new Regulation, the coming year will be a very interesting one for privacy.

Let me turn now to some domestic issues, which are also playing out in other jurisdictions.

Transparency

Mandatory data breach notification was one of the privacy protections that the government agreed to introduce as part of the metadata retention scheme that commenced on 13 October this year. At this time we are awaiting advice from the Government as to when we may see draft legislation.

Data breach notification is an important part of risk mitigation in a situation where the volume of data being collected and held increases by a substantial amount, but it is also important in the context of transparency.

Transparency of reporting is an important safeguard where protecting national security impacts the privacy of individuals.

It is for this reason that the International Conference this year adopted the ‘Resolution on Transparency Reporting’, urging governments to develop consistent reporting across jurisdictions about requests for personal data, and to keep records on access. This resolution also calls on:

  • governments to remove barriers to transparency,
  • organisations to implement rigorous due diligence and internal policies around government access to information, and
  • regulators involved in the supervision of surveillance to ensure trustworthy, independent and publicly accountable oversight where they have the power to do so.

It is on this same principle that we carry out our responsibility to oversee the development and implementation of privacy protections in new national security personal information collection schemes.

For example, my Office has begun assessing the collection, storage, sharing and use of data collected by the Department of Immigration and Border Protection in relation to new powers brought in by the Foreign Fighters Act.

We have commenced a range of assessments aimed at ensuring that personal information being collected for immigration purposes or being retained for law enforcement purposes, is being adequately protected.

These assessments will look at:

  • how the Department is using its new powers to seize false documents
  • how it uses biometrics via Smart Gates, and
  • its use of personal information in its new power to carry out Advanced Passenger Processing for departing sea and air travellers.

Meanwhile, on the topic of Data Retention legislation, all telecommunications data required to be collected and retained by telecommunication organisations is deemed to be personal information within the meaning of the Privacy Act.

So we plan to do assessments of telecommunication organisations to ensure metadata retained to comply with the Data Retention scheme is adequately protected.

I will also continue to conduct inspections of telecommunication organisations to ensure each organisation is maintaining records of disclosures in accordance with their obligations under the Telecommunications Act, such as the one we recently completed.

That recent inspection assessed whether each of the four primary telecommunications providers was maintaining the required records of disclosures.

Our assessment, while generally positive in outcome, has found potential areas of improvement, and I look forward to discussing those publicly in the near future.

We will also of course continue to work proactively with businesses and agencies on privacy impact assessments and other methods of developing and improving information handling, as new national security laws are implemented.

OAIC directions

I called my speech today ‘Privacy directions’ because I wanted to talk to current issues that will, eventually, if not immediately, have an impact on how we all approach privacy and data protection.

But I’d also like to take a few minutes to talk about the OAIC’s direction, and some issues of significance from this year that will impact on our focus moving into 2016.

I know a lot of people in the room would have been at the Privacy Awareness Week breakfast, and most of you would read our monthly updates in the iappANZ newsletter, but there have been a few publications and decisions that we made this year which I’d like to highlight as being particularly significant.

Privacy management framework

The first is the Privacy management framework.

This Framework was released during Privacy Awareness Week and, beyond its immediate practical usefulness to agencies and businesses, I want to emphasise what it signifies at a strategic level.

The Framework telegraphs a shift in expectations regarding the integration of privacy management into core business practices.

As I have noted previously, the APPs provide a robust and flexible framework to allow any business or entity to achieve best practice privacy management, provided that an integrated approach to the Principles is taken.

Entities that approach the APPs as an “add on” can miss out on the opportunities that an integrated approach to privacy gives. And, to a degree, simply seeking compliance, while better than noncompliance, can encourage that “add on” approach.

While a clear strategic governance driven approach to privacy management will ensure good operational compliance, it is a misunderstanding to think that good compliance can be achieved without good governance because APP 1.2 sets the bar higher than that, making a governance-based approach to privacy management a compliance test in itself.

With this in mind, the Privacy management framework provides a top-down and comprehensive approach to creating what we are now looking for — integrated and robust privacy governance systems. So we encourage businesses and agencies to use this tool to assist them to achieve that.

Privacy regulatory action guide

The second is the Privacy regulatory action guide.

Released in June of this year, the regulatory action guide is a comprehensive summary of all of our regulatory powers and, more importantly, provides a detailed outline of how and why we use them.

It hasn’t received as much attention as it should, as there has been a lot else happening in the last few months, but this guide is the first time the OAIC has had a complete public statement on how we exercise our regulatory powers, and it is a publication that will be useful to everyone, from organisations and agencies to journalists, for some time.

Grubb determination

The third issue from this year that I wanted to touch on is my decision in Grubb and Telstra.

I’m sure everyone in the room is familiar with it, and I don’t intend to go into the details of the case. However, I just wanted to note, in line with everything I have been talking about this morning, that the face of privacy, personal information and data protection is changing.

The argument in this case was that metadata was not ‘personal information’. However, the current challenge facing all organisations that handle large data sets is that data sets of ‘anonymous data’ are fast becoming identifiable. And personal information is not just that which does identify you, but that which may.

Big data and data analytics mean that there are increasingly more methods of matching and identifying information previously thought not to be personal.

So my advice to prudent organisations would be to work on the assumption that such data is "personal information".

The logical courses of action are to manage it and secure it as if it is, or to ensure that data systems include strong anonymising protocols, and robust protections against re-identification.

Conclusion

I’ve mentioned these three matters specifically because I want to highlight that our focus over the next year, and beyond, will be on issues of governance, and on the integration of privacy in business processes, particularly as we all move to more and more technology-based solutions to everything from information storage to data aggregation.

You have heard, and you will continue to hear, me saying that privacy must be by design, and that it can only be driven from the top.

This is a simple summary of my message that I expect increasingly high standards of privacy management from the organisations that fall under my regulatory scope.

And on that note, I will say – I hope you enjoy the day, and leave with new insights as to how to integrate privacy by design into your own organisational practices.