Online privacy – no longer playing catch-up?

DAVID CARRINGTON, General Counsel, Bombora Technologies, Australia

25th March 2014

It may come to pass that 2013 will be regarded as the year that the general public sat up and took notice of online privacy.

The Australian Information Commissioner advised earlier this year that “2013 is shaping up to be the biggest year for privacy in over 20 years”. As the year drew to a close, a number of major publications including the New York Times, Forbes and the Guardian heralded 2013 as a pivotal moment in the evolution of privacy, particularly online. Dictionary.com went so far as to name privacy as its “word of the year”.

It is not difficult to see why.

The Edward Snowden disclosures focussed the attention of the world’s media on the issues of privacy and security. Endless column inches were devoted to a classic tale of Orwellian interference, leaving the general public shocked at the ease with which their information might be “stolen”. Experts on twenty four hours news channels scared us with tales of a lawless, malevolent moral vacuum residing beyond the click of a mouse button or the tap of a smartphone.

Something simply must be done. Except something has been done, and is being done.

The principled questions that privacy, particularly online privacy generate, have been debated at length for years. Far from there being an absence of regulation, Governments, academics and the judiciary have wrestled with the concepts and between them distilled a wealth of laws, rules, directives and regulatory structures to control those who run the internet and thus the private nature of the information contained within.

That such are not harmonised is unsurprising. That Governments might seek to shape the system to their own ends on the pretence of national security is similarly unsurprising.  However, it does not follow as a matter of logic that the system is unfit for purpose or in need of a reactionary overhaul.

The image of the internet as a lawless landscape is misplaced.

Providers of certain core internet services in particular are in fact heavily regulated both by international regulatory bodies, as well as national and supra-national law, each containing strict obligations as to privacy. This paper will not seek to exhaustively define such, as to do so could fill a library, rather it highlights a number of existing regulatory structures, as well as current and forthcoming legislation in Australia and beyond that has developed over recent years.

Privacy/data/security?

In order to analyse the protection available, it is helpful to first address what is determined to fall under the umbrella of “privacy”. Too often it is a blanket description.

Privacy is used as a byword for a range of issues, from the right to respect for one’s private life, to data protection, retention and security. Each of these facets is covered by a myriad of regulation across jurisdictions.

Taking the EU as an example, the notion of the right to respect for private life is enshrined in Article 8 of the European Convention on Human Rights, signed back in 1950. Significant case law, influenced by an extended jurisprudential debate on the existence of a “right of privacy” has developed across a number of member states.

In terms of data protection, under the 1995 EU Data Protection Directive, personal data must be gathered only under strict conditions, for a legitimate purpose and protected from misuse. In 2012, the European Commission proposed reforms in the form of a new General Data Protection Regulation, anticipated to be published by the end of 2013. This has since been delayed due in part to elections, but is currently being heavily debated by member states. Controversial issues include express consent for all processing of personal data, a right to be forgotten – the power for individuals to request that online content (often embarrassing) be deleted, and a 24-hour breach notification period.

Looking specifically at online privacy, the 2002 Directive on Privacy and Electronic communications, updated in 2009, ensures a level of privacy is granted to communications over public networks. It contains requirements on data breach notification meaning providers must report such to the national authority and inform individuals directly if there is a risk to personal data or privacy.

The author is by no means advocating that present systems do not need to grow and adapt in response to technology and globalisation, far from it. Staying with the EU, as an example of the way in which the landscape quickly evolves, in this case to combat security issues, the Commission published a proposal in February 2013 for a “Directive concerning measures to ensure a high common level of network and information security across the Union” with the stated aim of ensuring a “high common level of network and information security (NIS) across the EU”. States will be required to establish NIS national competent authorities, set up Computer Emergency Response Teams, adopt national NIS strategies, and exchange information and cooperate so as to counter NIS threats.

The EU is not standing idly by. Indeed protagonists, including the US Government, have for many years argued that the regime is overly prescriptive regarding data protection.

The EU is not alone but rather indicative of a landscape where safeguards are in place and in many respects have been so for some time. They may be subject to legislative inertia at times, but are capable of reacting rapidly to a pressing need. That being said, the author appreciates that the media would rather paint the macro picture of the internet being a legal vacuum, than debate the micro points of directives such as those highlighted above.

Australian Approach

Turning to the landscape local to the author, historically, Australia was a relative early adopter regarding detailed privacy legislation and a centralised privacy commissioner.

The Privacy Act 1988 (Cth) (“Privacy Act”) created the Office of the Privacy Commissioner and a Privacy Commissioner in Australia. It was variously charged with regulating the handling of personal information about individuals including its collection, use, storage and disclosure.

The Privacy Act created Information Privacy Principles that apply to the handling of personal information by most Australian public sector agencies, as well as National Privacy Principles (NPP’s) that apply to large businesses, health service providers and some small businesses and non-government organisations.
In addition to its regulation function, the Privacy Commissioner, since changed to Information Commissioner, has been active in assessing the public perception of privacy across Australia. It conducted four major surveys about attitudes towards and awareness of privacy between 1990 and 1995. Further studies were subsequently undertaken in 2001, 2004 and 2007.

The 2007 study formed the basis of a submission to the Australian Law Reform Commission (ALRC) inquiry into privacy law and practices ordered by the Attorney General in 2006.

The ALRC report - For Your Information: Australian privacy law and practice (ALRC Report 108) was released in 2008 and represented the “culmination of a 28-month inquiry into the extent to which the Privacy Act 1988 (Cth) and related laws continue to provide an effective framework for the protection of privacy in Australia.”

Although the Privacy Act was found to work well in certain respects, the ALRC made a number of key recommendations including:-

    (a) Simplification and streamlining of the Privacy Act.

    (b) Uniform privacy principles and national consistency.

    (c) Regulation of cross-border data flows.

    (d) Mandatory data breach notification for government agencies and business organisations where there is a real risk of serious harm occurring as a result of a data breach.

    (e) Cause of action for a serious invasion of privacy.

In response to the report, the Government implemented the Privacy Amendment (Enhancing Privacy Protection) Amendment Act 2012 (Cth) (the “2012 Act”) which was passed in November 2012. It dealt in many respects with the first of the above three recommendations by replacing the current privacy principles for the public and private sectors with a single set of privacy principles (the Australian Privacy Principles (APPs)). These will come into effect on 12 March 2014.

Guidelines in relation to such are being released in tranches at the time of writing. What is clear is that the APPs differ in parts significantly from the current principles. In light of such, entities caught by the new provisions and who have not already would be well advised to review their practices, in particular their privacy policies, or lack thereof, in advance of 12 March 2014.

Key changes include the following:-

    APP 1 introduces an obligation to take reasonable steps to implement APP-compliant practices, procedures and systems. This includes having a privacy policy that covers specific types of information – it is no longer sufficient to simply have a basic policy regarding the management of personal information.

    APP 4 introduces new requirements pertaining to unsolicited information - personal information which an entity has not actively collected. If it is not reasonably necessary for one or more of their functions, then it must be de-identified or destroyed as soon as practicable

    APP 7 introduces a prohibition on the use of personal information unless a specified exception applies. The primary exception allows an entity to use or disclose personal information (other than sensitive information) if

      it collected such from the individual;

      the individual would reasonably expect their personal information would be used or disclosed for direct marketing; and

      the entity has provided a simple means by which the individual can request not to receive direct marketing, and the individual has not done so.

    APP 7 further provides the right for individuals to make a request to an entity to disclose the source of their personal information which must be answered unless impractical or unreasonable to do so.

    APP 11 imposes the same security obligations as the current NPP 4 in relation to the protection of the personal information that an entity holds, that is to say it must take reasonable steps to ensure it is accurate and up-to-date, and kept secure from unauthorised use or access. However, the new APP also requires entities to protect personal information from interference. Guidelines released have indicated that interference can include attacks on computer systems. Quite how and if this can be achieved will no doubt be open to sustained debate.

In terms of enforcement, the Information Commissioner has been given a new set of teeth.

It will be empowered to not only investigate and monitor compliance, but also to seek civil penalties for serious or repeated breaches of privacy. It can do so via the Federal Court which will have the power to award penalties of up to AUD1.7 million for body corporates and AUD340,000 to non-corporate entities, including individuals.

Perhaps though the most controversial change arises under APP 8.
APP 8 states:

8.1 Before an APP entity discloses personal information about an individual to a person (the overseas recipient):

    (a) who is not in Australia or an external Territory; and

    (b) who is not the entity or the individual;

    (c) the entity must take such steps as are reasonable in the circumstances to ensure that the overseas recipient does not breach the Australian Privacy Principles (other than Australian Privacy Principle 1) in relation to the information.

Note: In certain circumstances, an act done, or a practice engaged in, by the overseas recipient is taken, under section 16C, to have been done, or engaged in, by the APP entity and to be a breach of the Australian Privacy Principles.
8.2 Subclause 8.1 does not apply to the disclosure of personal information about an individual by an APP entity to the overseas recipient if:

    (a)   the entity reasonably believes that:

      (i) the recipient of the information is subject to a law, or binding scheme, that has the effect of protecting the information in a way that, overall, is at least substantially similar to the way in which the Australian Privacy Principles protect the information; and

      (ii) there are mechanisms that the individual can access to take action to enforce that protection of the law or binding scheme; or

    (b)   both of the following apply:

      (i) the entity expressly informs the individual that if he or she consents to the disclosure of the information, subclause 8.1 will not apply to the disclosure;

      (ii) after being so informed, the individual consents to the disclosure; or

    (c)   the disclosure of the information is required or authorised by or under an Australian law or a court/tribunal order; or

    (d)   a permitted general situation (other than the situation referred to in item 4 or 5 of the table in subsection 16A(1)) exists in relation to the disclosure of the information by the APP entity; or

    (e)   the entity is an agency and the disclosure of the information is required or authorised by or under an international agreement relating to information sharing to which Australia is a party; or

    (f)   the entity is an agency and both of the following apply:

      (i) the entity reasonably believes that the disclosure of the information is reasonably necessary for one or more enforcement related activities conducted by, or on behalf of, an enforcement body;

      (ii) the recipient is a body that performs functions, or exercises powers, that are similar to those performed or exercised by an enforcement body.

In short, failure by an entity to take reasonable steps to ensure overseas recipients do not breach the APPs can leave that entity accountable for the actions of the recipient.

Such clearly has widespread ramifications in the digital age of cross border data flow, particularly in terms of cloud storage. Further, APP 8 governs any overseas disclosure, not simply transfers. By way of example, if an overseas recipient accesses information stored on a cloud operated from Australia, then the Australian entity running such is responsible for the disclosure and potentially breach of the APPs by the recipient, despite no active transfer on their part having been carried out per se.

It will therefore be critical for entities to instil protection, ordinarily via contractual warranties given by, or obligations upon, the recipient ensuring its adherence to the APPs.

Alternatively, entities can consider establishing an exception under APP 8.2(a), regarding the nature of privacy protection in the recipient’s locale, or more likely, consent under APP 8.2(b).

Proponents of greater online privacy protection will no doubt be keen to see such a fundamental change implemented. At the same time, one can well appreciate that the potential for entities to be responsible for the actions of an overseas recipient is crystallising privacy thinking for many affected parties.

The 2012 Act is by no means the only privacy football currently being kicked around Australia.

The mandatory breach notification promulgated by the ALRC in their report cited above, backed by 96% of respondents in a recent Information Commissioner survey, is presently in legislative limbo.

The Privacy Amendment (Privacy Alerts) Bill was introduced to Parliament in May 2013 and sought to create a mandatory notification scheme for serious breaches. Failure to comply with the requirements of the Bill would have constituted an interference with the privacy of an individual for the purposes of the Privacy Act, allowing the Information Commissioner to engage the new powers outlined above.

The Bill was due before the Senate but lapsed after Parliament was prorogued for elections, meaning the status in light of the new government is presently unclear. The Senate Committee report recommended the Bill be passed, and such may be reintroduced at a later stage, however, such is by no means certain and the Government’s appetite to do so is unknown.

Separately, there is also the ongoing debate regarding the justification for a statutory cause of action for breach of privacy.

In September 2011 the Government released an issues paper "A Commonwealth Statutory Cause of Action for Serious Invasion of Privacy" further to the ALRC’s 2008 recommendation outlined above.

In June 2013, the Attorney-General referred the issue back to the ALRC for inquiry and report by June 2014. The scope of reference required the ALRC to make recommendations including with regard to “innovative ways in which law may reduce serious invasions of privacy in the digital era”.

The ALRC subsequently released an issues paper on 8 October 2013 seeking comment and consultation. The outcome will clearly be awaited with interest in some quarters. However as noted previously, one suspects that media coverage of the fine detail of such will be muted.

Awareness

It is clear from the above, in the author’s view, that the myth of lawlessness as far as online privacy is concerned is demonstrably false.

It is though perhaps no surprise that such persists when one is faced with evidence that the internet community itself does not fully appreciate the protections available.

At a recent national Internet Governance Forum, the author was struck by not only the conflation of “privacy” issues, but also the level of awareness of the legal landscape.

One question in particular described the “privacy” issue of how a user of social media was sending anonymous abusive messages to another and how the recipient was powerless to do anything. There was much nodding of heads amongst industry veterans.

The author would argue that this is by no means a question of privacy. One could maintain that an individual’s right to privacy (if such exists depending on jurisdiction) is infringed by the harassment taking place, but this is rather a harassment issue, one that could be readily dealt with in a number of ways.

The activity in question almost certainly breached the terms and conditions of the social media provider, meaning the recipient could have availed themselves of the reporting function and have the aggressor barred from future use.

If the harassment continued elsewhere, or the aggressor simply set up a new account, which is common, then further steps are possible. By way of example, if the abuse were taking place in England or Australia, then the recipient could lodge a claim and seek an “unmasking order” relying on the case of Norwich Pharmacal Co. & Others v Customs and Excise Commissioners [1973] UKHL 6, further to which the social media provider would be obliged to provide identifying data regarding the aggressor.

One could then look to rely on local law dealing with harassment.  If in England, depending on the precise nature of the harassment, such could amount to an offence in the UK under the Protection from Harassment Act 1997, the Offences Against the Person Act 1861, the Sexual Offences Act 2003 or the Malicious Communications Act 1988.  If in Australia, state legislation covers harassment. Although it varies between states, by way of example, the author’s home state is subject to the Crimes Act 1958 (Vic) which prohibits harassment committed through electronic messages.

Misunderstanding does not stop at the question of social media bullying/harassment. Many of the newsworthy events leading to privacy being the watchword of 2013 could more accurately be defined as security issues, albeit often with a privacy consequence.

As we saw in 2013, it is difficult to avoid being hacked. High profile brands such as Microsoft, Skype, Dell, Kaspersky, Google and Yahoo! were attacked in different countries around the world. Whilst it is likely impossible to entirely avoid the risk that hacking presents, there are steps that can be taken to mitigate such and providers are developing ever more complex programs to heighten network security and thus data integrity.

One example is the New York Times hack that took place in August 2013 wherein hackers maliciously hijacked the .com domain name of the New York Times website to redirect visitors to websites controlled by the attackers. In the same incident, the hackers attempted to change the domain name records of around a dozen separate websites, including major brands and media organisations such as Twitter and the Huffington Post.

In order to mitigate such risk, each site could have availed itself of domain locking. Such is increasingly widely available and relatively cheap. It works by adding an additional layer of authorisation at the registry level meaning only authorised individuals who are verified are permitted to alter domain name records.

This is just one simple security measure that can be taken in order to preserve business continuity, reputation and data integrity in the face of hackers. There are many more products in the marketplace designed to do so.

Internet governance

As described above, with the instances of data breach and hacking on the rise, there are increased calls for thought to be given to how the internet might be governed on a global basis.

This presupposes that the debate has not raged for years, which it has.

It also ignores the fact that in many respects, certain providers of internet services are already subject to regulation. Indeed, it could be said there is an embarrassment of riches as two regulators have vied for a number of years for the right.

Although complex, one could distil the debate as a face-off between ICANN and the ITU.

The Internet Corporation for Assigned Names and Numbers (ICANN) is a non-profit private organization which oversees management of the internet's domain names system through a multi-stakeholder model of governance comprising representatives from private corporations, civil society, governments and other interest groups.  

It has defined and overseen internet policy, including areas of data privacy, since 1998, predominantly via compliance under contracts entered into with the major domain name registry providers and the accreditation of domain name registrars.

It has a budget of over US$200m (2014) and the power to impose significant financial sanction upon those contracted parties who transgress policy.

ICANN currently has an expert working group focussing on data protection and has dedicated significant time in recent years to questions related to data protection in particular the publication of WHOIS data and compliance with local laws as well as the privacy policies of registrars.

In the opposite corner is the International Telecommunications Union (ITU), the UN agency for information and communication technologies. It consists of government representatives and seeks to “…develop the technical standards that ensure networks and technologies seamlessly interconnect, and strive to improve access to ICTs to underserved communities worldwide.”

Broadly, the latter seeks a more interventionist approach to internet governance under the auspices of the UN whereas the former advocates the status quo whereby the multi stakeholder model is king.

The competition between these two is likely to be exacerbated in coming months, due to the Snowden disclosures. These have also served as the impetus behind a move by the Brazilian government to seek to postulate a new framework of internet governance, one that addresses a US bias it perceives in internet governance.

In April 2014, Brazil will host a global summit to debate the future of and potential models for internet governance. Details are at present sketchy, as is the direction such might take, although one could predict from the information so far public as to the makeup of embryonic committees, that it may seek a hybrid of the ICANN and ITU approach, by involving both organisations to an extent, as well as government, the UN and a wide variety of stakeholders.

Regardless though of what happens in Brazil, it is difficult to argue that certain internet providers are or have been operating in a regulatory vacuum.

Furthermore, based on the above regulatory, national and supra-national protections in place and under consideration, the author finds it difficult to conclude that such represent a paucity of action in the online privacy space as certain elements of the media would have people believe.

This paper was first published in the International In-house Counsel Journal in March 2014.

About ARI Registry Services

ARI Registry Services is driving innovation and the expansion of the Internet through the delivery of world-class domain name registry services. With over 10 years of experience, ARI Registry Services is a leading provider of Domain Name Registry Infrastructure Services and DNS Services for generic Top-Level Domain applicants and country code Registry Operators. We help governments, major brands and entrepreneurs across the globe realise the full potential of the Internet by providing expertise, security and reliability in operating a core piece of Internet infrastructure.

Visit www.ariservices.com for more information.