BUSL315 Cyber-security & Privacy: Week 9
Privacy Regulation Outside of Australia (A brief sampling)
Overview
- European Union’s General Data Protection Regulation
- California’s Consumer Privacy Act
- India: Aadhaar & High Court Recognition of a Constitutional Right to Privacy
GDPR: Transfers of EU Data to Third Countries
Data can only be transferred outside the EEA if it is transferred:
- to an adequate jurisdiction (Australia has not been judged to be “adequate”);
- into the US via the Privacy Shield (at risk due to Schrems II);
- via another appropriate safeguard (e.g. Binding Corporate Rules, Model Clauses); or
- pursuant to a derogation (e.g. litigation; explicit consent).
GDPR: Sensitive Personal Data
Now known as Special Category Personal Data:
- Racial / ethnic origin
- Political opinions
- Religious / Philosophical beliefs
- Trade Union membership
- Genetic or biometric data
- Health
- Sex life / sexual orientation
- Criminal offences / convictions are no longer included in this category; they are dealt with separately under Article 10, with similar extra safeguards
GDPR: Data Controllers and Data Processors
- Controller says how and why personal data is processed
- Processor acts on controller’s behalf
- Processing includes:
  - Collecting
  - Storing
  - Using
  - Deleting
  - Sharing
GDPR: Data Collection
- Data shall be:
  - collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (purpose limitation)
  - adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (data minimisation)
  - accurate and, where necessary, kept up to date (accuracy)
  - kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed (storage limitation)
GDPR: Processing Data
- Data shall be processed lawfully, fairly and transparently
  - Lawful – must not be in breach of other laws (e.g. HRA, PECR, common law duty of confidentiality) & must be lawful in accordance with Articles 6 & 9 – Lawfulness of processing
  - Fair & Transparent – data subjects made aware (privacy notices etc.); must ‘feel’ fair.
- Data shall be processed with appropriate security, including protection against:
  - Unauthorised or unlawful processing
  - Accidental loss, destruction or damage (Integrity and confidentiality)
GDPR: Data Controllers are accountable
- Data Controllers must:
  - Implement appropriate technical & organisational measures to ensure and demonstrate compliance (e.g. training, policies, audits etc.)
  - Maintain relevant documentation (controller info, purposes of processing, categories of data subjects / personal data, recipients of data, transfers to 3rd countries, retention schedules, and security)
  - Implement data protection by design (e.g. minimisation, pseudonymisation, transparency, security)
  - Use Data Protection Impact Assessments / Risk Assessments
  - Appoint a Data Protection Officer
GDPR: What is Consent?
“Consent” means:
- “any freely given, specific, informed and unambiguous indication of his or her wishes by which the data subject, either by a statement or by a clear affirmative action, signifies agreement to personal data relating to them being processed”
GDPR: What is Consent?
Different types of uses require separate consent.
- Bundling multiple requests for consent may not be permitted.
- Implied consent or requiring consumers to “opt out” is insufficient.
- Silence, pre-ticked boxes or inactivity are not consent.
- Must have the right to refuse or withdraw consent at any time.
- Must be as easy to withdraw consent as to give it.
GDPR: Consent vs Legitimate Interests
- Organisations might be able to rely on legitimate interests for print communications only and for holding the data in the first place
- Consent is necessary for marketing by email or text
- Mixture of legitimate interests and consent for marketing calls
GDPR: Applicable to Australian organisations?
The GDPR extends to controllers and processors not established in the EU if they process data which relates to data subjects in the EU.
Australian organisations need to comply with the GDPR if they:
- are established within the EU;
- offer goods or services to individuals in the EU; or
- monitor the behaviour of individuals in the EU (e.g. by tracking or profiling those individuals).
GDPR: How does it extend beyond Australian privacy law?
- Right to erasure of data (“right to be forgotten”)
- Right to object to processing (including automated decision-making, direct marketing / profiling)
- Right to data portability
- Privacy by Design and by Default
- Fines up to 20 million euro, or 4 percent of annual worldwide turnover (whichever is higher)
GDPR: Responding to Data Breaches
A personal data breach is a breach of security leading to the destruction, alteration, unauthorised disclosure of, or access to, personal data.
If a Data Processor is breached, it must notify the Data Controller. When a breach occurs, the Data Controller must:
- notify an EU national data regulator (e.g. UK ICO) where it is likely to result in a risk to the rights and freedoms of individuals (within 72 hours of being aware of the breach)
- notify individuals where it is likely to result in a high risk to the rights and freedoms of individuals
GDPR: Collective (~Class) Actions
Brussels subway advertisements: 30 936 people have joined a “collective action” against Facebook. Each seeks Euro200+ compensation.
- Article 80 permits representative actions for privacy breaches
- US investor class action already lodged against Nielsen for failure to make a timely disclosure of its GDPR non-compliance
Californian Consumer Privacy Act of 2018
- Effective: Comes into force on 1 January 2020
- Grants Rights to: All natural persons resident in California, except those visiting for temporary or transitory purposes. Residents domiciled in California who are temporarily or transiting outside the State also have rights.
- What does it cover: broad definition of PI: any information that relates to a particular consumer or household
- Exclusions: publicly available information; commercial conduct that takes place wholly outside California
Californian Consumer Privacy Act of 2018
- Thresholds (includes parents & subsidiaries):
  - $25M turnover (California or worldwide?); or
  - PI on 50 000+ Californian residents; or
  - 50%+ of annual revenue from selling PI of Californian residents
- Challenge: can you prove your company is not “doing business in California”?
- Penalties: up to $7500/intentional violation & up to $750 per resident / actual damages in class actions
Amendments to the CCPA in 2019
- Tech lobby (and others) have been trying to water down the CCPA’s privacy protections: see Assembly Bill 1355 – subject to Governor’s veto powers
- Assembly Bill 25: A bill to exclude job applicants’, employees’, contractors’ or agents’ personal information from being protected – Status: compromise of partial exclusion PASSED but with a 2021 sunset clause, so this will be re-visited
- Assembly Bill 1416: A bill to ensure the CCPA doesn’t restrict a business’ ability to comply with a civil, criminal or regulatory inquiry AND expands protections for businesses to avoid complying with consumers’ rights – Status: PASSED
  - PI collected in the context of B2B transactions is exempted
- Assembly Bill 1202: A bill requiring data brokers to register with the state’s Attorney-General, pay a registration fee and honour consumer requests to opt out of the sale of their PI – Status: PASSED
- Other bills seeking to increase consumer protections (such as adding a private right of action and setting 45-day breach disclosure requirements) have been blocked in the Senate
- Tech lobby’s end-game: lobby federal congress for a weak federal privacy law (which could over-rule any additional protections granted to Consumers under the Californian CCPA)
Is GDPR Compliance Sufficient for this Californian Law?
- In short, NO
- Additional Californian Law obligations:
  - Prescribed disclosures and communication channels (incl. toll-free numbers)
  - Broader definition of PI
  - Direct deletion rights
  - Broader access rights (e.g. disclosures that would implicate the privacy interests of third parties)
  - More rigid restrictions on data sharing for commercial purposes
  - Companies may offer financial incentives for the collection or sale of PI, but only with prior OPT-IN consent which is revocable at any time
  - Mandated OPT-IN before sale of PI for a person <16yo
- Will this increase pressure for federal US private-sector privacy laws?
India: Aadhaar Technology
Aadhaar’s goal: to empower residents of India with a unique identity and a digital platform to authenticate anytime, anywhere
- Aadhaar ensures Uniqueness through biometric attributes: Fingerprint & Iris
- Aadhaar usage among Adult population is about 90%
India: Aadhaar Technology
Aadhaar’s features:
- Random 12-digit Number – No Intelligence, No Profiling
- Only a Number – No Smart Cards
- All Residents – Including Children
- Uniqueness – Ensured through biometric attributes
- No Guarantee to Citizenship, Rights, Entitlements
- Security and Privacy of Information Collected
- Ubiquitous Online Authentication – From no ID to Online ID
India: Aadhaar Technology
How can Aadhaar be updated?
All details, including demographics, biometrics and photo, can be updated by the resident.
At certain government offices
- Details can be updated after biometric authentication and with required documents at any of the PEC
- Update Client Lite is available for updating mobile, email & consent
SSUP (Self Service Update Portal)
- Requires registered mobile number for OTP
- Demographics including mobile, email can be updated
By Post
- Resident can also send demographics update request by Post
Mobile Update API
- Made available to selected AUAs / Enrolment Agencies; residents can update mobile, email & consent easily
India: Aadhaar Technology
BUT: India had no national privacy law to protect against misuse of user data or harms arising out of loss of the user data
India: Puttaswamy decision
- Privacy is a fundamental right under the Constitution of India.
- Although privacy is not mentioned in the Constitution, the right emerges primarily from the guarantee of life & personal liberty.
- Privacy is the constitutional core of human dignity.
- But, like other fundamental freedoms, privacy is not an absolute right. Its invasion can be justified on the basis of a law which advances a legitimate state aim, which is proportional to its object.
India: Puttaswamy decision
“The Attorney General argued before us that the right to privacy must be forsaken in the interest of welfare entitlements by the State. … The refrain that the poor need no civil and political rights and are concerned only with economic well-being has been utilised through history to wreak the most egregious violations of human rights. … The pursuit of happiness is founded upon autonomy and dignity. Both are essential attributes of privacy which makes no distinction between the birth marks of individuals.”
India: After Puttaswamy decision
- India’s national government had to create a regulatory framework which could protect constitutional privacy rights
- Srikrishna Committee report released August 2017: A Free and Fair Digital Economy: Protecting Privacy, Empowering Indians
- Cited my Data Localization article at fn299 on p92
- Draft Personal Data Protection Bill (2018) released for debate – delayed by election (Modi re-elected, MEITY held further (limited, non-public) stakeholder consultations in August 2019)
- India’s business community has generally supported the Bill, as they perceive it will increase trust by foreign businesses in Indian out-sourced business-processing services, which are vital to its economy (many had already become GDPR-compliant data processors)