privacy – Page 14 – Cyber Law Watch

Victorian ruling clarifies application of privacy principles to social media accounts

Oct 13 2016

By Cameron Abbott and Rebecca Murray

The Victorian Supreme Court recently confirmed that an employer was not obliged to immediately notify an employee that it was accessing her Facebook messages during a disciplinary investigation. This case clarifies the manner in which the Victorian Information Privacy Principles (IPPs) apply to social media.

In this case, an employer conducted an investigation into an employee after a colleague reported her for making a number of abusive remarks over Facebook. During the investigation, the employer accessed the employee’s Facebook messages without her knowledge. She was subsequently found guilty of misconduct and given a final warning.

The employee appealed the case to the Supreme Court of Victoria after the Victorian Civil and Administrative Tribunal (VCAT) found that her employer had complied with the IPPs. In her appeal, she questioned whether the ways her employer collected and used the information was necessary “for the purposes of a workplace disciplinary investigation” and whether accessing it without her knowledge or consent was “necessary for one or more of the organisations functions or activities’ for the purposes of IPP 1.1”.

The Supreme Court of Victoria confirmed VCAT’s finding that collecting further information was necessary under IPP 1.1 as the employer was conducting a misconduct investigation “which was a legitimate purpose” and said there was nothing to suggest its approach was inconsistent with the right to privacy. Furthermore, the court found that VCAT was correct in finding that IPP 1.3 (and 1.5) did not impose an obligation of immediate notification on the employer as it could have jeopardised the integrity of the disciplinary investigation. Access the IPPs here. and read the court’s decision here.

Importantly, this case demonstrates that privacy law doesn’t automatically prevent employers from accessing the social media accounts of their employees to conduct investigations in appropriate circumstances.

Ashley Madison data breach joint findings released

Sep 01 2016

By Cameron Abbott and Rebecca Murray

The Australian Privacy Commissioner, Timothy Pilgrim and The Privacy Commissioner of Canada, Daniel Therrien have released a joint report on the data breach of cheating website Ashley Madison which affected approximately 36 million Ashley Madison user accounts last year. Read our post on the breach here.

Controversially, despite the company not having a physical presence in Australia, the Commissioners found that Ashley Madison’s parent company Avid Life Media (ALM) was regulated as an “APP entity” due to the fact that it carried on business and collected personal information in Australia. This finding was based on the fact that ALM conducted marketing in Australia, targeted Australian residents for its services and collected the personal information of Australians.

ALM agreed to a number of enforceable undertakings to the Commissioner. Amongst other things, ALM has undertaken to augment its security framework, provide extensive security training for staff and cease its practice of retaining the information of users with deleted, deactivated or inactive accounts. Consistent with the trend in undertakings it requires independent verification of certain compliance steps. Find the undertakings here.

It also seeks to address the accuracy of the records, which is a challenge for a cheating website. Letting someone sign up using for example Tony Blair’s email address captured the attention of the regulators. They focused on the interests under Privacy laws of those whose email addresses were falsely added to the sign up. A confirming email with an option to opt out was not considered an adequate measure.

Government committed to introducing Mandatory Data Breach Notification laws

Aug 22 2016

By Cameron Abbott and Rebecca Murray

After much delay, a spokesperson for Attorney-General, George Brandis has said the government is committed to introducing the Mandatory Data Breach Notification laws this year. We will be sure to look out for it during the next term of Parliament. You can find more information on the proposed scheme and its regulatory impact on the Attorney General’s Department consultation for Serious Data Breach Notification webpage.

Was Mickey Mouse hacked?

Aug 02 2016

By Cameron Abbott and Rebecca Murray

Disney Interactive has notified users of its Playdom Forum that hackers have stolen personal information, which could put their privacy and online security at risk. The hackers acquired usernames, email addresses, and passwords for playdomforums.com accounts as well as IP addresses. Disney has not disclosed how many users have been affected, although the forum is said to have over 350,000 members. Read Disney Interactive’s statement here.

What Pokémon ‘needed’ to know about you

Jul 22 2016

By Cameron Abbott and Rebecca Murray

The hugely popular Pokémon GO app is at the centre of privacy and security concerns after recent media reports noted that its installation required access to a significant amount of users’ personal information. This prompted Australian Privacy Commissioner, Timothy Pilgrim to make enquiries with the developer of the app, Niantic Labs, to “ensure the personal information of users is being managed in accordance with the Australian Privacy Act.” Read the OAIC statement here.

Available on iOS and Android platforms, the smash-hit game uses augmented reality technology and your smart-phone GPS and camera to display fictional Pokémon which users then aim to find and capture.

Privacy concerns arose after users noted that installing the iOS version of the app required full access to users’ Google accounts. In response, Niantic Labs reported that the access was requested erroneously and that Google would reduce Pokémon GO’s permission to only the basic profile data that it needs. Niantic and Google have since corrected the permissions. Read Niantic’s statement here.

Commissioner Timothy Pilgrim warned that the security scare was a “timely reminder that people need to read the privacy policies of all smartphone apps before signing up. This way people can make an informed decision about if they want to use an app.” However, we will wager that 99% of people just click “accept”.

Microsoft welcomes big win against government information requests

Jul 19 2016

By Cameron Abbott and Simon Ly

Last week, the US Court of Appeals for the Second Circuit reversed a previous lower court decision and found in favour of Microsoft in a long running dispute over a government information request.

In 2014, the US government successfully received a warrant for email records sought in connection with a drug case. Microsoft refused to comply with the orders and was subsequently found to be in contempt of court. However, the Court of Appeal has now ruled that the US government could not force Microsoft to hand over customer emails stored in an offshore server in Ireland because, amongst other things, the Stored Communications Act did not intend to legislate to allow for such warrant provisions. This decision comes hot off the heels of the EU-approved Privacy Shield, and it will be interesting to see how a similar decision will be dealt with moving forward in light of this regime.

This represents a big win for Microsoft and the tech sector more broadly as service providers now have a basis for maintaining the position of protecting its users’ privacy. This decision also highlights that legal regimes are territorial notwithstanding the global nature of new technology offerings.

To read Microsoft’s news release following the decision, please see here.

EU-US Privacy Shield approved

Jul 12 2016

By Cameron Abbott, Rob Pulham, Simon Ly and Rowena Baer

When the Safe Harbour arrangements were struck down the EU and US worked to create a replacement and flesh out the details of this new arrangement (see our last article on this issue here). We have all been somewhat nervously watching to see if the new ‘Privacy Shield’ would get final approval amid some criticism from some quarters. Good news, last Friday the EU member states on the Article 31 Committee voted to approve a revised Privacy Shield.

The new arrangement provides a welcome measure of certainty for businesses whose Trans-Atlantic data transfers have been left in legal limbo since the European Court of Justice declared the longstanding Safe Harbor Framework invalid in October 2015.

The European Commission has released a statement expressing their confidence in the adoption of the new Privacy Shield, noting that the new pact is “fundamentally different” from its predecessor. The new Privacy Shield imposes “clear and strong obligations on companies handling the data and makes sure that these rules are followed and enforced in practice”.

International tech industry groups have also praised the move as a win for both consumers and businesses as the pact provides robust consumer privacy protections. Voicing their support of the Privacy Shield, Microsoft released a detailed blog post on how the Privacy Shield is progress for privacy rights, declaring that the regime is an “important achievement for the privacy rights of citizens across Europe, and for companies across all industries that rely on international data flows to run their businesses and serve their customers”.

Whilst we are still at the early stages, companies should begin assessing the Privacy Shield’s impact on their existing agreements and also more broadly their data strategy, keeping in mind that the regime relates only to EU-US data transfers. In particular, consideration should be given to the transitional arrangements in the Privacy Shield. Companies should also be aware of the potential challenges to this regime (and related issues post-Brexit) as there is concern about the shelf life of the Privacy Shield.

For more information, please see the EU’s page here and the US’s page here.

Former High Court judge Michael Kirby calls for privacy laws to deal with serious invasions of privacy

May 12 2016

By Cameron Abbott and Simon Ly

In a recent speech and comments made to Fairfax Media, former High Court of Australia judge Michael Kirby has taken aim at the current state of Australia’s privacy law regime in regards to serious invasions of privacy such as “revenge porn” and the kinds of privacy breaches often associated with the press.

Mr Kirby called upon the NSW parliament to legislate to protect its citizens in order to push the federal government to create a national standard. Mr Kirby’s comments follows the March 2016 report released by the NSW parliament titled “Remedies for the serious invasion of privacy in New South Wales” where the Upper House committee made a series of recommendations that a statutory cause of action be introduced in NSW that would enable people who have suffered a serious invasion of privacy to commence a civil action.

Taking an international view, this issue took the attention worldwide recently when then-ESPN reporter Erin Andrews was secretly filmed nude by a stalker while in her hotel room. Since then, Erin Andrews settled a claim with the hotel operator after having been awarded $55 million in March 2016.

For more information, please see NSW’s report here, which the government is expected to respond to by 5 September 2016.

Privacy Commissioner releases a Guide to deal with data breaches

Apr 19 2016

By Cameron Abbott, Rob Pulham and Simon Ly

On 11 April 2016, the Privacy Commissioner released a guide to deal with issues associated with data breaches. This is aimed at entities regulated by the Privacy Act 1988 (Cth) in order to assist them with complying with the Australian Privacy Principles.

When (and it is likely to be a matter of when and not if) your entity is subject to a data breach, whether it be through your system being hacked or if devices are lost or stolen, it is important that you are equipped to deal with it. It is important to get in front of such problems and have pre-prepared action plans given that it is likely that the first 24 hours will be the most crucial in determining your level of success in dealing with a data breach. Data breaches can be expensive, both in a monetary and reputational sense.

In the guide, the Privacy Commissioner highlighted that a written data breach response plan is an important tool to help deal with such issues. Such a plan should include:

actions to be taken if a breach is suspected, discovered or reported by a staff member, including escalation measures;
the members of the data breach response team; and
the actions the team are expected to take.

Such a plan needs to be regularly reviewed and updated, with all relevant staff kept up to date so that they know what actions they are expected to take.

The Privacy Commissioner suggests the following four steps to be taken when a data breach is discovered:

contain the breach and do a preliminary assessment;
evaluate the risks associated with the breach;
develop a plan for notifying affected individuals and consider what information should be in any notification; and
determine steps to be taken to prevent future breaches.

For more information, please feel free to contact us. You can find out more information on practical steps you can take here.

Apple sends passionate message to customers following court order to hack iPhone

Feb 18 2016

By Cameron Abbott and Meg Aitken

A US District Court has ordered Apple to assist US law enforcement agents to bypass the security features, disable the auto-erase function and ultimately access the data contained within an iPhone 5C that was used by one of the San Bernardino shooters, Syed Rizwan Farook.

Apple’s CEO Tim Cook responded to the order with an open letter to customers discussing the privacy and security implications of the order and calling for public discussion on the issue.

Read Apple’s Customer Letter here.

Access the Court Order here.

Tag:privacy