Privacy down under is going European, and reaching for gold!

Put the beer down. You are being stalked and tracked everywhere you go, and it’s gradually dawning on the rest of us just how big a problem this really is.

I’m talking about the risk to our privacy: the right not to be tracked to the pub, or to have our personal information leveraged beyond its primary use without our consent, whether as an individual, a community, a city, or a society as a whole.

You are being tracked everywhere you go by many companies, data brokers, and hackers. Comparing real-world tracking with online tracking is disturbing indeed: what is illegal offline should be illegal online as well. And now we seem to be going from a global health pandemic straight into a global privacy and breach pandemic.

The thing is, when it comes to a data breach, it’s more a matter of when than if…

This write up covers the following topics:

  • Privacy
  • Data Security
  • Cyber Security
  • The Australian landscape and upcoming reform to the Privacy Act
  • Governance, Risk & Compliance
  • Privacy & Security by Design

The regulator’s regular Attitudes to Privacy survey found that most Australian consumers said they are uncomfortable with targeted advertising and with businesses keeping databases on their activity.

It ranges from surveillance capitalism, spawned by the advertising industry and shaping politics and culture, to the fear that transcends the 2020 virus, with COVID apps triggering global mass paranoia about surveillance that potentially overreaches beyond its intended use. Yet it appears that citizens’ fear of tracking by authorities or their employer is potentially greater than their fear of tracking by Google, Facebook, or Apple for marketing purposes. Digital platforms are starting to erode the social fabric of how modern society works, potentially driving social and economic change so pervasive that it becomes irreversible.

It is evident that self-regulation doesn’t work, giving rise to Europe’s General Data Protection Regulation (GDPR), which has become the toughest privacy and security law in the world.

I love European holidays, but in 2020 GDPR is as close as I’m getting to Europe while grounded down under. Here it’s called the Australian Privacy Act reforms.

The changes will bring Australia into line with its major trading partners’ privacy frameworks, which means anyone doing business with Australia will need to comply.

Our laws and how we govern society reflect our values as a community, and Australia has lacked the ability to protect its citizens’ privacy, lagging behind the toughest international standards. “The external landscape has changed significantly in recent years, and our research shows declining levels of community trust in how organisations handle personal information.” (OAIC)

The Digital Platforms Inquiry

Digital privacy laws are paramount for the protection of people over profits and potential abuse of power. Regular reviews of regulation are needed to realign our values as a society to the evolving contemporary landscape. Participating in a public inquiry means having a say in Australia’s public policy formation; it gives the community the opportunity to be actively involved, so that different points of view are heard and considered.

The Digital Platforms Inquiry was the world’s first inquiry into digital platforms in the media sector, focusing on the impact of digital platforms on the supply of news and journalistic content and its implications for media content creators, advertisers, and consumers.

Inspired by GDPR, the Office of the Australian Information Commissioner (OAIC) put forward 70 recommendations for change to Australian privacy law in the legislative review, following the ACCC’s recommendation for reform after its Digital Platforms Inquiry. They place more accountability on the entities collecting personal information and give greater protection to individuals (especially children using the internet and other vulnerable groups). This includes extending protections to small businesses, political parties, and employee records, which are currently exempt.

Australian Privacy Act changes

The proposed reforms to the Privacy Act will potentially expose organisations to tougher penalties for the misuse of personal information, whether the invasion of privacy is deliberate or accidental, attracting fines that may exceed $100 million for some companies.

Penalties will apply to multinational social media and online platforms operating in Australia, including tech giants Google and Facebook and also individuals, private sector, and not-for-profit organisations with annual turnovers of $3 million or more per financial year, and small businesses that handle personal information.

Changes also include:

  • Greater emphasis on the protection of individuals and the obligations on entities to ensure business models and practices safeguard privacy.
  • Increasing penalties for breaches of the Privacy Act to the greater of (i) $10 million AUD, (ii) three times the value of the benefit obtained through the misuse of information, or (iii) 10% of the company’s annual turnover.
  • Definition of personal information, to also include any digital identifiers including the capture of technical data e.g., IP addresses, device identifiers, location data, etc.
  • The introduction of fairness and reasonableness standards for the collection, use, and disclosure of personal information. Strengthening existing notice and consent requirements, e.g., by requiring collection notices to be concise, transparent, intelligible, and easily accessible, written in clear and plain language, and provided free of charge.
  • Individuals will have a direct right to bring an action in the courts to seek compensation for interference with their privacy.
  • Developing a binding privacy code applicable to social media and other online platforms trading in personal information.
  • Stronger organisational accountabilities for entities, with an onus on organisations to understand the risks that they create for others and to mitigate those risks upfront.
  • The removal of exemptions for employee records and for acts and practices by small business operators and political parties.

Consent is not just about ticking a box

The regulator, the ACCC, sued Google for allegedly misleading consumers into signing away their privacy and giving away a lot more personal information than they had expected. The regulators made it clear that having users click “I agree” is simply not enough.

“Australians should be able to expect that safe practices are in place, without having to read lengthy and complex notices on a take-it-or-leave-it basis. Consent should be kept for where it really matters and is meaningful, so it doesn’t turn into a tick-box exercise which detracts from its value in higher-risk situations.” (OAIC)

According to the regulator’s submission, “fairness and reasonableness” standards should be introduced for the collection of personal information. While the current laws are underpinned by these concepts, the regulator says, the protection does not currently go far enough, and companies have skirted them to collect and use personal information for additional purposes.

The change would mean that even if a person consents to a privacy policy, any collection and use of personal information must be fair and reasonable under the circumstances. For example, a mobile app developer could not necessarily sell people’s information to advertisers if it was secretly collected.

The regulator argues this is a better approach than explicit consent for data collection, which has been “eroded” in an online environment filled with pop-ups and cookie management.

Reforms into the digital age that reflect Australian values: the fair go

The Australian privacy law reforms have been enacted to ensure they remain “consistent with Australian values” and suitable for an increasingly digital world.

Our values define and shape our societies, and our common values help bind us together.

Australian democratic values have created our peaceful and stable society, generally based on freedom, respect, common sense, fairness, and equality of opportunity for all people. These values are central to our community that fosters a secure, prosperous, and peaceful place to live.

As I began to write about what could be considered uniquely Australian values, I thought of getting into the front seat of cabs and Ubers (which I thought was normal), the gift of the nature strip where one man’s trash becomes another man’s treasure, the fundraiser charity sausage sizzle, a day off, and of course the down-to-earth sense of humour that translates directly into our healthy respect for authority. But at the heart of Australian values is the iconic term ‘fair go’ (meaning an equitable opportunity, a reasonable chance, even-handed treatment). A “fair go” for all embraces mutual respect, tolerance, compassion for those in need, justice, and equality of opportunity for all. Australians understand what the ‘fair go’ means: a “fair go” for those who have a go and are prepared to help others. Simply, it is the call for everyone to do what is fair and right, including in their online participation.

The co-operation carrot or the penalty stick

For those not willing to co-operate in fairness, the OAIC will be able to issue infringement notices for failure to cooperate with efforts to resolve minor breaches, introducing penalties of up to $63,000 for companies, or $12,600 for individuals, to encourage collaboration and assistance.

OAIC will be provided with more options to ensure breaches are addressed, via third-party reviews, and/or publication of notices about specific breaches, in order to ensure individuals who are directly affected are aware of threats to their personal information.

The OAIC received $25.1 million in funding over the next three years to handle the changes and enforce compliance, in addition to the $12.9 million increase received the previous year to support the Consumer Data Right (CDR) regime.

Cyber Security overlaps Data Privacy programs, and you really can’t have one without the other

It is clear that “Australians want more done to protect their privacy in the face of ongoing and emerging threats.” (OAIC)

When we talk about data privacy: if you are collecting personal data, then you can’t achieve data privacy without data security. It’s all about data protection and security, ultimately to prevent a data breach from occurring and the misuse of personal information.

  • Data privacy focuses on the protection of individuals with regard to the processing of personal data, governed by a Data Privacy Officer. This also means preventing that data from being released without the informed consent of the individual, except where other legal obligations require its release (a topic for another discussion). Companies should not access it or share it without permission for purposes other than performing their legitimate business functions.
  • Data security focuses on the protection of the information itself, generally its confidentiality, integrity, and availability, and against unauthorised access through digital environments, governed by an Information Security Officer.
  • Cyber Security is a broader term covering people, processes, and systems, including the data, and protecting the movement, storage, and authentication of data from being compromised or attacked. Think in terms of computers, servers, cloud hosting, networks, mobile, IoT, and edge devices.
  • Cybersecurity is everyone’s responsibility, but when it comes to people, co-ordination chaos emerges between GRC (Governance, Risk & Compliance) / Privacy experts and Information Security / CIO / CISO, whose responsibilities overlap. Then mix in the lawyers on one end and the ‘hands-on’ Cybersecurity folk on the other end, and all the vendors. It can quickly become a very expensive operation if you opt for a Lastminute.com strategy 🙈

The global pandemic and adapting to new ways of working have left most organisations exposed to privacy and data breaches. In a game of cat and mouse, it’s created a new playground for criminals and an endless amount of work for cybersecurity professionals.

Whether you realise it or not, pretty much EVERYONE has had to enact their business continuity plans to cope with the disruptions to the normal course of business. This has left many organisations exposed to potential security risks, especially where no business continuity plans were considered prior to the lockdowns.

Major privacy and data protection regulations like GDPR, HIPAA, and CCPA, and cyber security industry standards such as ISO 27001, NIST, and PCI DSS, recommend going beyond compliance and adopting a Privacy and Security by Design and by Default approach (GDPR Art. 25). Protecting data through technology design will not only streamline compliance obligations but also reduce future costs.

History of the Australian Privacy Act

The Australian Parliament passed the Privacy Act 1988 (Privacy Act), today governed by the Office of the Australian Information Commissioner (OAIC). It gave effect to Australia’s agreement to implement the Organisation for Economic Cooperation and Development (OECD) Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, as well as to its obligations under Article 17 of the International Covenant on Civil and Political Rights. It now sets out 13 Australian Privacy Principles for how Australian Government agencies must handle personal information.

In 2017, the Australian Government announced the introduction of the Consumer Data Right (CDR) in Australia, regulated by the Australian Competition & Consumer Commission (ACCC), giving consumers greater access to and control over their data. It aims to improve consumers’ ability to compare and switch between products and services, encourage competition between service providers, and foster competitive pricing as well as innovative products and services, starting with the banking, energy, and telecommunications sectors.

Following the Digital Platforms Inquiry into the media industry, Australia’s privacy regulator has called for reform, acknowledging in the legislative review that Privacy Act reform is crucial to building public trust.

RISK, PRIVACY, and TRUST towards a fair and secure future

In the year ahead, company boards will continue to face compliance challenges to keep up with the volume and pace of regulatory change, cyber resilience, conduct risk, compliance budget, and resource allocation constraints. TRRI in 2019 captured 56,624 regulatory alerts from more than 1,000 regulatory bodies, averaging 217 updates a day.

It’s unfair to make businesses pay for the escalating costs of regulatory compliance; it squeezes the smaller players out of the market. A smarter solution for the future is to think about how we can remove, as much as possible, the need for any organisation other than the issuing authority to handle or store personally identifiable data in the first place. This reduces not only the regulatory and compliance burden on the entity but also the costs associated with reaching and maintaining compliance in this area. Already, there are innovative solutions in Digital Identity on the blockchain and in Universal Identity Management, supporting the concept of the “Self-Sovereign” Individual: the lifetime portability of the identity of a person, organisation, or being that does not depend on a centralised authority.

I believe that:

“Privacy and Security by Design is a move towards a Scalable, Distributed, Decentralized and Secure solution around identity and data portability” — JustAskPenny

Hackers understand the true value of your data, even a few credentials or records may attract unwanted attention from criminals. The typical small business has employee records that hold personal information, financial records like credit card numbers, and some even have health records on file. These are all in high demand as hackers take this information and sell it on the black market, creating a revenue stream for criminals.

Data privacy and portability are critical, and moving towards the portability of self-sovereign identity, which is scalable, distributed, decentralised, and secure, is just common sense. The individual becomes the only entity with the authorisation to disclose or allow access to their sensitive information, and also controls the level and duration of external access; thus consent is controlled by the data owner.

Taking a copy of and storing personally identifiable information such as a driver’s licence or passport should be deemed illegal for entities that cannot prove certified compliance with the strongest standards, as it creates the greatest point of risk for a privacy breach.

Think about that accounting firm, law firm, mortgage broker, financial advisor, property purchase and rental agent, hotel, travel agent, school, recruiter, employer, and other small businesses; the list goes on… The smaller the entity, the more likely it is not compliant with privacy and security standards, unless it has found a way to outsource, or not to handle or store, sensitive data.

Beyond an identity issuing authority, collecting, sharing, or storing private information to verify a person’s identity data in order to function in everyday society creates unnecessary administrative overhead in securing privacy. The solution is already right in front of us if we are able to collaborate effectively between government, industry, and communities.

We have seen the implementation of mobile number portability in the telecommunications industry, and the banking industry is working on account number portability, so it’s not such a brain stretch to work towards an identity portability solution to truly protect our privacy.

What Next?

Don’t wait for a breach to occur and be in the firing line to receive hefty penalties, or worse still, face potential reputation damage to your business and people.

If you are working on M&A, this is definitely a risk that should not be overlooked, as you can inherit a potential lemon.

When you review your back-to-work / reopening protocols, consider the data you are collecting and ask yourself: do you really need to store it?

Act Now!

✅ Review your privacy and security posture. Conduct a privacy self-assessment audit to ensure your dealings with personal information comply with the Australian Privacy Act, and review your data breach response plan. More so if you are looking to acquire a company: it could bring more risk than you bargained for.

✅ Adopt a Privacy and Security by Design mindset and approach across your organisation, from the awareness you create, the systems you build, and the technologies you leverage, to how your organisation treats its information assets.

✅ Keep it simple! Simplify and shorten your privacy policies so people can access, read, and understand them quickly, i.e., within 60 seconds. Clarify the compensation customers and users may expect in exchange for their data, whether in money, discounts, or services, and make it easier to opt in or out.

Examples of better privacy and security (please also do your own research!):

  • For secure browsing, DuckDuckGo or Brave browsers offer better privacy

https://spreadprivacy.com/how-anonymous-is-duckduckgo/

  • For secure access to systems, turn on 2FA/MFA such as Google or Microsoft Authenticator for everything it’s available on (don’t be lazy!)
  • For secure messaging and video conf., use Signal or Wire (more corporate friendly)
  • For secure alternative email, use something like ProtonMail
  • A simple low tech way to reduce impact risk of a breach is to use a cipher for your passwords so that your passwords are not all the same and only you know the key
  • For endpoint devices ensure you have an antivirus installed and updated across laptop computers, tablets, and mobiles
  • There are over 1000 different types of controls and tools available to help secure your organisation. It’s worth putting in place a best-of-breed set tailored to your company’s needs and risk appetite

For my view on supply chain privacy & security assessments …

To talk through your organisationā€™s privacy and cyber security posture and strategy, please get in touch.

About me: I have 20 years of experience in Information, Communications, and Technology having rescued and salvaged over 50 digital projects across enterprise and government, always with a privacy and security by design first lens. Feel free to connect on LinkedIn or drop me a message.

--

👩🏻‍💻 JustaskPenny 🖖

🚩 Tech Diplomat | Futurist | Technologist | Entrepreneur | Humanist | 🤖 AI 📡🛰 Telco 💸 Payments 🛡 Cybersecurity ⛓ Web3 🌏🧬🕊 www.justaskpenny.com #CISO