In search of privacy excellence

Australia’s narrow focus on compliance is detrimental to global privacy objectives. What’s needed is ethical leadership.

Against the backdrop of Australia’s Notifiable Data Breaches scheme (NDB) and the preparation for the soon to be effective General Data Protection Regulation (GDPR), and at a time when many proffer advice on ‘privacy’, I am reminded of Australian businesses’ slow uptake of interest in the subject.

I had been tracking changes regarding privacy and personal information (PI) since 2003 when I wrote in a 2014 article, “[T]here is no doubt in my mind that the value attached to personal information or data privacy is not properly understood. In my view, it is the most important category of information that there is today — it provides access to almost anything. Good and evil.”

Despite increased risk to individuals, businesses and nations, resistance to change and lack of interest has persisted. Last month, the general counsel of a multinational organisation asked me why privacy was getting so much attention, and what, if anything, had changed? This, from a leader whose organisation would incur penalties of $200,000-plus under the GDPR regime.

Many years’ experience tells me PI — information that could identify an individual — is the most important kind of information, on par with national security. The Facebook surveillance machine, Cambridge Analytica and the persistent psychographic targeting debacle supports this opinion.

So it was heartening that a Facebook cybersecurity executive urged transparency on (Russian) disinformation. It was reported that the security team had pushed for more disclosure about how nation states had misused Facebook, but the legal and policy teams generally prioritised business imperatives.

I have worked in cyber warfare for well over a decade. We have moved beyond debates about its existence to accepting it’s real. Cyber warfare goes beyond outdated kinetic impact to ransomware hostilities such as those waged against the health sector. The result of monetising data in that sector (currently the highest attack vector) is that PI becomes a matter of life and death.

Forward-thinking organisations know that nation states are on the list of attackers they must consider and counter. They plan for a future where assessing director liability regarding care and diligence has ratcheted up. We are way beyond ‘check lists’ and ‘top 10’ action summaries — the question of global stability linked to the commercialisation and criminalisation of PI requires ethical leadership.

Australia’s 30-year-late adoption of mandatory breach notification is symptomatic of other ‘Lucky Country’ behaviours. Why do we insist upon legislation as a pre-curser to action? While the business world looks to technology for the next financial boom, attackers are working on cyber weaponry. Organised criminals, terrorists, hacktivists and hackers will be harder to counter than before, their activities disregarding both physical and legal jurisdictions.

Privacy and PI are vital for stable world economies and foreign relations. The breakdown of legal structures that societies have relied upon for centuries, an increasingly punitive regulatory environment and inadequate security solutions have led to instability. Ethical business leadership involves alignment of business types and processes with the reasons for which law affords protection to PI.

The GDPR is designed to harmonise data privacy laws across Europe, to protect and empower EU citizens’ (and non-citizens’) ‘data privacy’ by better protecting PI and to reshape the way EU organisations approach data privacy. Petabytes of information have been produced on GDPR, but the issue is identifying quality resources and their proper application to the business sector via pragmatic and ethical responses.

Multi-jurisdictional businesses must emulate the GDPR objective of harmonising data privacy laws across Europe. This means businesses must set their bars to compliance and risk across all jurisdictions. In turn, this means understanding more than just the NDB Scheme and GDPR — security, data sovereignty and other laws must be in the compliance and risk mix. The most common mistake — and biggest waste of resources — is treating privacy as a standalone issue.

The situation in Australia is compounded by a statute unlike any in the world. Its terminology, concepts and content are inadequate in relation to the European Union (EU). As a result, Australian businesses are required to work harder to compete globally and win trust.

The concept of ‘privacy’ is related to PI, but different. Some privacy laws, like the Australian Privacy Act (Cth) 1988, are not concerned with privacy. Australia does not currently recognise the right to privacy (tort). In fact, Giller v Procopets [2004] VSC 113 is the only Australian Appellate authority for the recovery of compensation of emotional distress in a breach of confidence action, not privacy.

The EU approach recognises the right to privacy and seeks to protect individuals whose PI is ‘processed’. Importantly, it provides legal recourse to individuals whose rights have been infringed. The concept of ‘controllers’ of PI (who determine use) and processors (who process PI on behalf of controllers) is particularly useful for identifying responsibility and accountability regarding PI flow. Australian privacy law lacks this clarity. Sadly, it has also failed to adopt some of electronic model laws’ most empowering provisions, and Australian business consequently must work harder to achieve international parity.

Existing mechanisms and standards that provide trust in global privacy are neither understood nor commonly used in Australia. Australia’s trading relationship with the EU has not resulted in the Australian Government providing the assurances that the Unites States Government has in relation to the Privacy Shield, effectively ensuring individual rights of recourse.

Overall, the lack of consistent terminology and the use of and differences between contractual clauses and corporate binding rules (CBR) is neither well understood nor employed in Australia. The interaction between privacy and surveillance is rarely, if ever, mentioned in corporate policies, to say nothing of complex Australian federal telecommunications laws governing switched networks, and state laws governing internet protocol data surveillance.

Mistakes in the reading of statutory instruments abound, to say nothing of how some provisions might be interpreted. Of greatest concern is Australian businesses’ failure to identify when the GDPR applies. Its ambit is wide and, admittedly, there are interpretation and application nuances. Time will tell how courts decide, but there is no excuse for dumbing-down possibilities.

Privacy and PI is much more than a compliance issue; businesses must do more than the basics, they must strive for excellence. If they do, I am confident of a return on their investment. One clue (by no means legal advice) is to engage a multidisciplinary team. Public pronouncements in the form of published privacy policies speak volumes. Make sure you do what you say you do.

I prefer not to be a ‘doubting Thomas’, but a report last week surprised me: “Nearly all (96%) Australian IT decision-makers feel confident that their employees are equipped to comply with both regulations”. I sincerely hope I am wrong.

If you have any queries, please feel free to contact:

Helaine Leggat
Sladen Legal
T +61 3 9611 0150  l M +61 439 466 821
Level 5, 707 Collins Street, Melbourne, 3008, Victoria, Australia

This article was first published on on 24 May 2018.