Global head of technology and innovation Nick Abrahams and special counsel Jim Lennon write about privacy reforms around the globe.
The following article was originally published by The Australian Financial Review and is reproduced with permission.
Data breaches and privacy issues on the rise
By Nick Abrahams and Jim Lennon, Norton Rose Fulbright
Privacy is big news. The data breach at Equifax has reportedly cost that company US$430 million and climbing, the PageUp People breach in Australia has impacted many of our biggest brands, meanwhile Barbra Streisand is intent on erasing your Memories.
Privacy is hot now because, globally, lawmakers have been busy passing new regulations, especially regulations requiring data breaches to be notified to affected individuals. Recent changes to privacy laws in Europe, Australia, Asia and the US present serious challenges now for businesses, especially those operating on a global scale.
Privacy regulators are not far behind. Facebook, for example, is the subject of investigations by privacy regulators around the world. Australia’s Privacy Commissioner is examining whether Facebook’s handling of personal information in the Cambridge Analytica saga complied with Australian privacy law. Most notably, the UK’s Information Commissioner’s Office obtained a warrant to enter and search the officers of Cambridge Analytica.
Surfing the privacy law reform wave
Australia introduced mandatory data breach reporting in February this year. Since then, there has been an enormous rise in the number of reported data breaches. According to the Privacy Commissioner, there were 63 breaches reported in the first six weeks – more than 10 breaches a week. Likewise, Canada is introducing a mandatory data breach reporting scheme from November 2018, with notification obligations similar to those in Australia.
The European GDPR (General Data Protection Regulation) has been in force since 25 May and is already having seismic effects on business around the world. Many Australia companies are only now becoming aware that they may have direct obligations under the GDPR because of their European-related activities. Other Australian companies are finding themselves indirectly caught by the onerous obligations of the GDPR when presented with detailed data processing agreements that regulate how they must manage personal information with a European link.
Generally speaking, boards of the larger Australian companies have been diligent in requiring management to implement GDPR compliance projects. In fact GDPR has probably had more prominence at the board level than any other single piece of foreign legislation ever. The eye-watering fines (up to 4 percent of global annual turnover or 20 million Euros, whichever is higher) may have something to do with that.
In Asia, China, Singapore and Vietnam have introduced new cyber security laws and Indonesia, Japan, The Philippines, Malaysia, Singapore, South Korea and Taiwan have introduced privacy and data protection laws in recent years. India, Hong Kong and Thailand are currently reviewing drafts of new privacy laws. Unlike Australia’s privacy laws, the privacy or data protection laws of several Asian countries include criminal sanctions. So directors of companies with operations in China, Japan, Malaysia, The Philippines, Singapore, South Korea, Taiwan and Vietnam need to be especially vigilant.
Not to be left out, the US recently introduced the CLOUD Act (Clarifying Lawful Overseas Use of Data Act). The CLOUD Act enables US law enforcement agencies to require US-based companies to provide access to personal information and other data stored on servers no matter where those servers are located in the world. It does feel a bit like PATRIOT Act Mark 2.
The GDPR was always going to be big, but businesses are only now understanding how far reaching the effects will be. It has been reported that the Fortune Global 500 companies will spend about $7.8 billion on compliance. In terms of jobs of the future, people may want to look to becoming privacy managers – the market is only going to get bigger
GDPR compliance is already causing some global companies to adopt the GDPR as their default global privacy standard. Centralised information processing arrangements can make this a practical necessity. This trend is amplified by the long regulatory tentacles of the GDPR reaching through supply chains. For example, a company based in the UK is required to make its Australian IT service provider manage all personal information in accordance with the GDPR. The same applies to any subcontractors. We expect to see more and more Australian service providers voluntarily offering to be GDPR compliant as part of their commercial offering.
The GDPR’s introduction of new legal rights for individuals (or data subjects as the GDPR calls them) requires significant changes to IT systems, procedures, staff training and vendor arrangements. People are becoming more aware of their privacy rights and are starting to see themselves as the rightful owner of their information. Data breaches serve to further focus the minds of individuals on their privacy rights.
When a data breach occurs and word spreads via social media, organisations can be hit by waves of individuals requesting access to their personal information. Under the GDPR’s new right to be forgotten, those requests can be time consuming and difficult to implement. Companies are already wrestling with their requirement to keep proper records against a requirement to delete personal information on request.
But perhaps individuals and businesses will not find the new rights are all they thought they would be. Just ask Barbra Streisand, who now gives her name to the Streisand Effect which is that seeking to delete or hide information can have the unintended consequence of making the information much more widely known. Streisand’s attempt to suppress photographs of her Malibu home famously backfired by creating much more publicity. The singer who gave us Memories just wanted to be forgotten.