From March 2014, Australian businesses were obliged to comply with an amended set of federal privacy laws that aimed to bring privacy and security practices in line with consumer expectations in an increasingly digital world.

Crucially, the amended laws demanded that organisations seek more appropriate forms of consent from users as to how their data would be used and whether it would be transferred offshore.
They also gave the Office of the Privacy Commissioner newfound powers when a breach is uncovered – powers to demand that an organisation undertake remediation or some other form of enforceable undertaking, not to mention the power to levy fines.
Thus far, however, the Commissioner’s powers have been held in check by a conservative federal government that is stripping resources away from the Office just as it gained the authority to make a real difference.
Australia’s largest organisations, yet to be bound by mandatory data breach notification laws, have by and large responded by paying lip service to privacy laws.
The question for Privacy Commissioner Timothy Pilgrim, who sat down in recent days with iTnews editor Brett Winterford, was how he would make the laws stick.
Brett Winterford, iTnews:
Privacy is understood by most organisations as a compliance issue. Recently we’ve seen companies like Apple position it as a brand value, or as something you can market yourself and differentiate on.
Do you think a sound approach to the privacy of your customers’ data could be a marketable characteristic?
Timothy Pilgrim, Privacy Commissioner:
This time last year we looked at community attitudes towards privacy. One of the key, if not sobering statistics that came out of that was 63 percent of respondents said they decided not to deal with an organisation because they were concerned about what was going to happen to their personal information and how it would be handled.
[They'd] made a conscious decision when they were about to deal with an organisation to say ‘no, I’ve looked at what they’re going to do with my personal information and I’m not prepared to do that’.
People often say that young people are careless about their privacy. In a survey last year in the United States, we saw figures showing that around half of young people decided to stop using a mobile app they’d already downloaded because they found out what was happening to their personal information and how little control they had over it. Close to another 30 percent decided not to download an app once they saw what was going to happen with their personal information.
So I think across the board we can move away from the idea that there will be differences between generations about how they view privacy. On the whole, I think we’re seeing a consistent view that people still do care what is happening to their personal information and they’re taking steps to not deal with organisations as a result, and businesses need to be really aware of that.
A few years ago you would hear the expression “privacy’s dead, and we need to get over it” – [whereas] I think every time technologies change, people become more aware of what’s happening to their personal information. They’re actually becoming more conscious about it and are still actively looking for ways to protect it and to keep control of it.
So businesses need to make careful choices, because people will take their business elsewhere.
Brett Winterford, iTnews:
We are still talking about avoiding a potential negative when we say ‘I won’t do business with someone, because of…’ But is it possible in your opinion that someone might choose to do business with you because you make an outward expression of confidence in the privacy associated with your services?
Timothy Pilgrim, Privacy Commissioner:
I’m surprised that I haven’t seen many businesses pushing a good privacy message, because again, as I say, people are very conscious and concerned about what happens to their personal information.
I think there is an opportunity there for businesses, particularly those who are required to collect lots of customer information, to push how they’re going to protect it and limit its uses.
I think that’s part of building trust. Being upfront and clear about what’s going to happen to a customer’s personal information will engender that trust.
Brett Winterford, iTnews:
At a lot of organisations, their version of being ‘clear and upfront’ about how customer data will be used is a 120-page document of click-wrap terms that say, ‘click here to agree’.
So even someone who’s very conscious about privacy probably won’t choose to read it. What in the eyes of Australian law constitutes providing users clear communication about how you will use their data?
Timothy Pilgrim, Privacy Commissioner:
It’s a requirement of the Privacy Act for organisations to be transparent and open about how they’re going to use people’s personal information. This can be achieved through notices and through policies.
This doesn’t mean that it requires a 120-page document. In fact, the longer the document, the greater risk organisations face in it being found that people were not able to get a clear understanding of what’s going to happen to their personal information. If it’s not clear and not easily understood, then it may not be compliant with the Act.
We recommend organisations consider approaches such as layered notices. That means summarising the key facts upfront about what happens to personal information, but also providing the ability for people to click down to further levels of more detailed amounts of information on more specific issues.
This is particularly relevant in terms of providing this sort of information on mobile devices where you don’t have a lot of screen space. Organisations are going to have to find innovative ways to gain consent as increasingly they’re using mobile devices to ask people to sign up to a service.
Last year we participated in some survey work with a forum called The Global Privacy Enforcement Network, which is set up under the auspices of the OECD. Our office and a number of other regulators around the world decided to look at the policies of a number of the top 50 most used online companies.
We found that on the whole, most policies were far too long and far too complex and really difficult for people to work through and understand. Organisations need to take a clever approach to pulling out the key information a person needs to know about that interaction.
Brett Winterford, iTnews:
Has the validity of click-wrap terms been tested in any of those jurisdictions in court? Has it ever been found that because the consent or privacy policy couldn’t be easily understood, that it wasn’t compliant?
Timothy Pilgrim, Privacy Commissioner:
I can’t recall off the top of my head.
Brett Winterford, iTnews:
We published a piece after the amendments were enacted, where we looked at what text had changed in the privacy policies of the top 20 or 30 companies in Australia. Most added vague lines like: ‘Your data might be used in a third world country for processing purposes – and we would do that with a trusted party. By clicking this, you are consenting’.
I and others felt that such a statement wasn’t in the spirit of the legislation. Do we need court action or something to happen before organisations will pay more than lip service to compliance?
Timothy Pilgrim, Privacy Commissioner:
My starting point is that I hope that we don’t need court action. I think organisations are becoming more and more aware, particularly in Australia, about the concerns that the community has about personal information.
Following the changes that we saw this year in the Act, I think there was quite a considered approach by a number of large organisations to get their privacy policies and notices right.
There is still work that could be done, but in terms of things like the length of documents and how some of them are structured, there has been a concerted effort. I know there were some issues the French government had with Google around their privacy policies, and we also participated in some work here with Google Australia about their notices and talked about how they might improve.
I would say that Google in Australia was fairly receptive at looking at how they could improve what were some quite complex matters.
Brett Winterford, iTnews:
Was that only about the complexity of Google’s privacy notices?
Timothy Pilgrim, Privacy Commissioner:
It was around how you can communicate quite a number of uses, so the person is clear about what’s going to happen to their information. Some of the terms are clearly too broad in a number of organisations’ policies, and there may need to be some requirement for those to give people a bit of a better idea.
One of the things that changed in our laws this year was the need to be more explicit about information being sent overseas and trying to identify those countries or jurisdictions where that information is going to go.
Brett Winterford, iTnews:
One concern that a lot of readers had about the amendments to the Act was the systems impost when you are asked to ensure that all of the customer’s record is available. This requires, if you want to comply in a cost-effective way, a single view of the customer, or at least of their personally identifiable data.
They complained because it would be quite the nuisance factor if there were ten thousand Ben Grubbs seeking a copy of their personal data. They would need to have automated systems in place or some other way to meet that obligation without it being a significant overhead on the business.
Is there any room for an organisation being able to appeal to your good sense if individuals were to abuse that part of the Act?
Timothy Pilgrim, Privacy Commissioner:
Within the Privacy Act, I have the ability to handle complaints from an individual against an organisation – so if an individual was to go to an organisation stating ‘I want access to my personal information’, then we will now be able to determine what constitutes their [personally identifiable] PI and what they’re going to hand over.
But in addition, the terminology of the Act states that there is an ability for me to dismiss a case on the grounds that it is vexatious, or misconceived – so if you had an individual who kept going back to an organisation, saying ‘I want this piece of information’ and then coming back in a couple of days saying ‘I want this piece of information again’ – then we can close the complaint and choose not to investigate because it’s vexatious.
At the moment we haven’t had to use that for complaints about access to PI data yet, but there is that ability there to dismiss the case.
Brett Winterford, iTnews:
Have you seen any activity that suggests organisations are working to restructure their systems in such a way to create a single customer view, and that they are doing so in light of privacy legislation?
Timothy Pilgrim, Privacy Commissioner:
One of the issues with the whole concept around a person’s PI held in a large, possibly complex organisation, is where the disparate bits of information sit. Do they all sit on the one server or database?
One of the challenges will be for organisations to determine under the Act when that information is going to constitute personal information.
If a piece of data is sitting in isolation and even when drawn together with another piece of personal information or data about the same person, the person is not easily identifiable, it therefore is not going to constitute personal information in the terms of the Act.
So there are going to be considerations from a compliance perspective about what organisations fundamentally want to do with the information they have on their customers.
If they choose to start bringing [disparate pieces of data] together, for the purposes of having a better client relationship, then generally speaking, it will constitute personal information. And on that basis, people will have a right to access it.
Should they have very specific needs for a small portion of information about a customer, then that’s all they should be storing. In those situations, the organisation is going to have to assess how easily that information can be brought together with other data to understand whether in fact it’s going to sit within the definition of personal information.
Brett Winterford, iTnews:
Do you have currently any means of accrediting third parties to help organisations with this?
Timothy Pilgrim, Privacy Commissioner:
I don’t necessarily think that we need to accredit third parties at this point in time to check on other organisations. But there are auditors within large accounting, legal and consulting firms that can be called upon when necessary.
For example, if I was to undertake an investigation and I form the view that there was a high chance that there was a breach, or in fact found a breach – one of the things I could do is require the organisation to employ an independent third party to undertake an assessment of their systems.
The changes to the Act did increase the powers I have to resolve investigations, one option being enforceable undertakings, that is to get an organisation to agree that it will do certain things. If an organisation fails to comply with those undertakings, I can have them enforced.
As part of one of those undertakings I could say that I want the organisation to employ a company to come in and do an independent third party audit of their systems just as I would myself.
Brett Winterford, iTnews:
I was asking because I would posit that you don’t have the resources to audit the volume of breaches out there. The question is how to get enough warm bodies to make these laws stick.
Timothy Pilgrim, Privacy Commissioner:
That’s a fair point, and like all government bodies, we do have limited resources, so we do look at ways of being able to achieve our compliance outcomes.
And quite clearly one way of doing that could be to use the enforceable undertakings process to say, work with an organisation that has been breached, to identify an independent third party company to come in and undertake an assessment of their systems and have them report back to me.
Around two years ago in New Zealand there was a significant data breach with one of their government agencies, and the New Zealand Privacy Commissioner required an agency to bring in an auditor to do a full independent assessment of their systems and to report back to both the Privacy Commissioner and the organisation. I think that is a very useful tool to have.
Brett Winterford, iTnews:
One of the presenters here at the AISA conference recommended that Australia needs to learn some lessons from the US mandatory data breach notification schemes before we head in that direction.
He claimed that naming and shaming and lawsuits levelled against breached organisations aren't as productive as privately compelling them to share data with their peers and the government on how they were breached, so the lessons can be shared more broadly.
Is there a way this might tie in with privacy compliance? Can you enforce an obligation to help your peers not suffer the same fate as a company that is breached?
Timothy Pilgrim, Privacy Commissioner:
It’s an interesting approach but it’s an approach that goes beyond just privacy issues. It obviously impacts on personal information but goes a step beyond to broader IT security issues.
If hackers are going to go to a particular type of organisation, they may go for a whole group within the sector. My understanding is that the government, via the ASD and others, already encourage the sharing of this sort of information. I think that could be encouraged more broadly.
Where I come from is this: whether data breach notification is mandatory or voluntary, I want to ensure that an assessment is done about the potential harm to the individual as a result of that breach, and what steps need to be taken to notify them.
I think what we would all agree is that in situations such as the hacking of credit card data from a company we do business with, we would expect to be notified. Going back to our survey, close to 95 percent of respondents said they should be advised if there’s been a breach of their personal information.
It’s a very complex debate about data breach notification. There is that line between how often, or when should you notify individuals of a breach. We have a voluntary data breach notification guide, recognising that you can get notification fatigue if we’re getting something every day.
We don’t want to see that happen, because that can have the effect of people not taking it seriously in situations whereby they should.
So it’s going to be an ongoing issue that organisations need to keep reflecting on: determining when to notify a person.