Similar literature
 Found 20 similar documents (search time: 825 ms)
1.
Public and private sector organisations are now able to capture and utilise data on a vast scale, thus heightening the importance of adequate measures for protecting against unauthorised disclosure of personal information. In this respect, data breach notification has emerged as an issue of increasing importance throughout the world. It has been the subject of law reform in the United States and in other jurisdictions. This article reviews US, Australian and EU legal developments regarding the mandatory notification of data breaches. The authors highlight areas of concern based on the extant US experience that require further consideration in Australia and in the EU.

2.
Mandatory data breach notification laws have been a significant legislative reform in response to unauthorized disclosures of personal information by public and private sector organizations. These laws originated in the state-based legislatures of the United States during the last decade and have subsequently garnered worldwide legislative interest. We contend that there are conceptual and practical concerns regarding mandatory data breach notification laws which limit the scope of their applicability, particularly in relation to existing information privacy law regimes. We outline these concerns here, in the light of recent European Union and Australian legal developments in this area.

3.
Data breach notification laws have been enacted in an increasing number of economies around the world. These laws establish the requirement for notice in the event of a data breach incident. Although there are a number of reasons for requiring data breaches to be notified, the primary objective of the laws is to regulate organizations’ data security practices in order to protect the data privacy of their customers. In so doing, the data reporting obligations promote accountability, transparency and trust, thereby improving the overall organizational data security environment. Opinions are, however, divided amongst various private sector stakeholders on the issue of mandatory data breach notification. Drawing on the interviews with 24 private sector representatives with interest in data breach issues, this article documents and examines their position on the appropriate regulatory approach for data breach notification in Hong Kong.

4.
Breaches of security, a.k.a. security and data breaches, are on the rise, one of the reasons being the well-known lack of incentives to secure services and their underlying technologies, such as cloud computing. In this article, I question whether the patchwork of six EU instruments addressing breaches is helping to prevent or mitigate breaches as intended. At a lower level of abstraction, the question concerns appraising the success of each instrument separately. At a higher level of abstraction, since all laws converge on the objective of network and information security – one of the three pillars of the EU cyber security policy – the question is whether the legal ‘patchwork’ is helping to ‘patch’ the underlying insecurity of network and information systems thus contributing to cyber security. To answer the research question, I look at the regulatory framework as a whole, from the perspective of network and information security and consequently I use the expression cyber security breaches. I appraise the regulatory patchwork by using the three goals of notification identified by the European Commission as a benchmark, enriched by policy documents, legal analysis, and academic literature on breaches legislation, and I elaborate my analysis by reasoning on the case of cloud computing. The analysis, which is frustrated by the lack of adequate data, shows that the regulatory framework on cyber security breaches may be failing to provide the necessary level of mutual learning on the functioning of security measures, awareness of both regulatory authorities and the public on how entities fare in protecting data (and the related network and information systems), and enforcing self-improvement of entities dealing with information and services. I conclude with some recommendations addressing the causes, rather than the symptoms, of network and information systems insecurity.

5.
The European Union's General Data Protection Regulation (GDPR) became applicable in May 2018. Due to the GDPR's extraterritorial scope, which could result in massive fines for U.S. companies, comparative data privacy law is of great current interest. In June 2018, California passed its own Consumer Privacy Act, echoing some of the provisions of the GDPR. Despite the many articles comparing the two schemes of law, little attention has been given to the foundation of these laws, that is, what exactly encompasses the data referred to by these laws? By understanding how the term “personal data” or “personal information” is defined in both jurisdictions, and why these definitions and the treatment of protected data are so different, companies can strategize to take advantage of these developments in the European Union. After explaining the differences in how data is treated in the United States and the European Union by exploring the definitions, regulations, and court cases, we will explore the five legal strategy pathways that companies might pursue with respect to the legal aspects of data transfer and privacy law compliance. While these strategies range from ignoring the law to adopting the European model worldwide, this analysis of legal strategy reveals a means for companies to gain a competitive advantage through their adoption of a worldwide compliance scheme.

6.
In the first part of this paper, I will present and explain the Singapore Personal Data Protection Act (“PDPA”) in the context of legislative developments in the Asian region and against the well-established international baseline privacy standards. In the course of the above evaluation, reference will be made to the national laws and policy on data privacy prior to the enactment of the PDPA as well as current social and market practices in relation to personal data. In the second part of this paper, I will decipher and assess the future trends in data privacy reform and the future development of the privacy regime in Singapore and beyond. In the course of this analysis, international standards, technological trends and recent legal developments in other jurisdictions will be considered.

7.
The EU and the United States have implemented data breach notification rules that cover the health sectors. Nevertheless, data breach incidents involving medical data continue to rise, especially in the US and the UK. The HITECH Act, Pub. L. 111-5 Title XIII is the first federal health breach notification law in the US to be characterized by fewer government intrusions, while the revised EU Privacy Directive, 2009/136/EC calls for tougher privacy protection for data held by electronic communication providers. While the EU law sets a global de facto standard, the law remains toothless without strong enforcement mechanisms.

8.
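Zhao Qingxin (赵清新), 《行政与法》, 2012, (8): 109-113
With the rapid development of the Internet, the security of personal privacy in cyberspace has been challenged, and the protection of the right to online privacy has become increasingly prominent. Building on an analysis of the basic theory of the right to online privacy, and considering the current state of and problems in China's legislation on privacy and online privacy rights, this article draws on the two major legislative models for online privacy, represented by the United States and the European Union, and proposes measures and recommendations for building a system of online privacy protection in China.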

9.
The regulatory approach to privacy protection taken by many foreign jurisdictions is markedly different from that of the United States. The European Union (EU) best illustrates the international approach with its comprehensive privacy directive that applies to all EU members. By contrast, the approach regarding data privacy in the United States has been to pass industry-specific laws and often only in response to public outcry over some privacy concern. These fundamental differences have been the source of some conflict in international commercial transacting. Now that the global community is committed to eliminating terrorism, it remains to be seen if these different attitudes toward privacy by the United States and much of the rest of the world will affect global attempts to weed out terrorists. This article discusses the constitutional basis for most US policy approaches to privacy regulation. The article explains how the US Constitution is the source for most of the differences between the US and international regulatory approaches to information privacy. Finally, the discussion addresses how new issues regarding privacy in the war on terrorism may be addressed by US Constitutional law.

10.
An area of concern which relates to privacy intrusions in Hong Kong is the substantial changes that have taken place in recent years in relation to news gathering and reporting and the activities of local paparazzi. The issue that needs to be addressed is how intrusions of privacy can be protected in Hong Kong. The most significant reform to date has been the enactment of the Personal Data (Privacy) Ordinance which provides rules for the fair handling of information about living individuals. However, the Ordinance is concerned only with data protection and does not provide a general privacy right. This article demonstrates the inadequacies of existing legislation for general privacy protection and examines the possibility of developing a separate action for general privacy via a) an action of extended breach of confidence as demonstrated by the UK model and b) a sui generis cause of action as can be seen in the New Zealand courts.

11.
Global data protection laws can be described, at best, as contradictory in philosophy and practice. The 2015 decision by the Court of Justice for the European Union declaring the mechanism for data transfer between the United States and European Union known as “Safe Harbor” invalid and the criticism of its replacement, Privacy Shield, is representative of the conflict in this area. Such contention often stems from the differences in privacy rationales and theories of the United States and European Union. This article examines the recent developments in data protection regulations, and makes the argument that issues such as data protection, and specifically data shared with intelligence agencies, should be analyzed through the privacy principle of dignity and that the law of confidentiality should be applied to data protection cases, thereby instilling more harmony into the data privacy approaches of the United States and the European Union.

12.
The global ubiquity of cloud computing may expose consumers' sensitive personal data to significant privacy and security threats. A critical challenge for the cloud computing industry is to earn consumers' trust by ensuring adequate privacy and security for sensitive consumer data. Regulating consumer privacy and security also challenges government enforcement of data protection laws that were designed with national borders in mind. From an information privacy perspective, this article analyses how well the regulatory frameworks in place in Europe and the United States help protect the privacy and security of sensitive consumer data in the cloud. It makes suggestions for regulatory reform to protect sensitive information in cloud computing environments and to remove regulatory constraints that limit the growth of this vibrant new industry.

13.
Over the last two decades, at least a dozen Asian jurisdictions have adopted significant data privacy (or ‘data protection’) laws. South Korea started to implement such laws in relation to its public sector in the 1990s, then its private sector from 2001, culminating in the comprehensive Personal Information Privacy Act of 2011. Internationally, there have been two stages in the development of data privacy principles (the common core of such laws), the first typified by the OECD's data protection Guidelines of 1981, and the second typified by the European Union data protection Directive of 1995, with a third stage currently under development.

14.
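An Interpretation of the EU Information Security Legal Framework   Cited by: 2 (self-citations: 0, citations by others: 2)
The security of networks and information systems has attracted worldwide attention, and the United States and the European Union lead the world in this field. As economic and cultural exchanges between China and Europe grow ever closer, the EU information security legal framework also offers a model that China's legislation can draw on. By interpreting the evolution and characteristics of the EU information security legal framework, and in light of the current state of China's information security legislation, the article analyses the main points of focus of China's current information security legislation and proposes that China accelerate its information security legislative process, define information security regulatory bodies and regulatory models in law, and build an information security legal system with Chinese characteristics.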

15.
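Hua Jie (华劼), 《河北法学》, 2008, 26(6): 7-12
With the rapid development of network and information technology, the right to personal privacy online is being seriously infringed. In response, countries are all working to establish sound legal systems for protecting online privacy. The article discusses, from a comparative perspective, the legislative protection models and rules for online privacy in the United States and the European Union, and offers legislative recommendations for the protection of online privacy in China.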

16.
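On the Legislative Protection of the Right to Online Privacy   Cited by: 1 (self-citations: 0, citations by others: 1)
In the course of rapidly changing high-technology development, upholding human agency and safeguarding the inviolability of human dignity, freedom of life and individual rights is the mission of civil law scholarship as it keeps pace with the times. The rapid development and wide application of network information technology, while bringing people convenient and fast ways of living and enormous commercial benefits, has also brought new challenges to the protection of people's privacy rights. In practice, online infringement incidents, especially infringements of online privacy, occur frequently, making the legislative protection of online privacy a hot topic in both theory and practice. By studying the two major legislative models represented by the United States and the European Union and the current state of China's legislation on online privacy, this article proposes measures and recommendations for building a system of legislative protection of online privacy in China.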

17.
The privacy of personal information on the Internet has received special attention recently in both the United States and the European Union, and legislative and regulatory proposals regarding the reform of privacy law abound. This article examines several prominent theories that undergird the American First Amendment and attempts to demonstrate that the concept of a privacy interest arising out of the obscurity of information, as a social normative principle, and the right to be forgotten, as a legal mechanism concerned with the European idea of dignity-based privacy, are fundamentally at odds with the right of freedom of speech.

18.
Abstract: The terrorist attacks suffered by the United States of America on 11 September 2001 have caused a considerable increase in legislation at national and European level with the same objective: the fight against terrorism. The special nature of this crime makes judicial cooperation among states indispensable. In this context, both kinds of instruments are contemplated in order to provide the necessary measures especially—and not especially—addressed to prevent and repress terrorism: they give place to substantial and procedural rules, such as the European Arrest Warrant in the territory of the European Union. But in this claimed fight against terrorism there are also two important risks, namely the creation of a kind of ‘Security Criminal Law’ from a material point of view and the arguable breach of human rights infringed by some of those procedural measures.

19.
This article reports on preliminary findings and recommendations of a cross-discipline project to accelerate international business-to-business automated sharing of cyber-threat intelligence, particularly IP addresses. The article outlines the project and its objectives and the importance of determining whether IP addresses can be lawfully shared as cyber threat intelligence. The goal of the project is to enhance cyber-threat intelligence sharing throughout the cyber ecosystem. The findings and recommendations from this project enable businesses to navigate the international legal environment and develop their policy and procedures to enable timely, effective and legal sharing of cyber-threat information. The project is the first of its kind in the world. It is unique in both focus and scope. Unlike the cyber-threat information sharing reviews and initiatives being developed at country and regional levels, the focus of this project and this article is on business-to-business sharing. The scope of this project in terms of the 34 jurisdictions reviewed as to their data protection requirements is more comprehensive than any similar study to date. This article focuses on the sharing of IP addresses as cyber threat intelligence in the context of the new European Union (EU) data protection initiatives agreed in December 2015 and formally adopted by the European Council and Parliament in April 2016. The new EU General Data Protection Regulation (GDPR) applies to EU member countries, a major focus of the international cyber threat sharing project. The research also reveals that EU data protection requirements, particularly the currently applicable law of the Data Protection Directive 95/46/EC (1995 Directive) (the rules of which the GDPR will replace in practice in 2018), generally form the basis of current data protection requirements in countries outside Europe. It is expected that this influence will continue and that the GDPR will shape the development of data protection internationally. In this article, the authors examine whether static and dynamic IP addresses are “personal data” as defined in the GDPR and its predecessor the 1995 Directive that is currently the model for data protection in many jurisdictions outside Europe. The authors then consider whether sharing of that data by a business without the consent of the data subject, can be justified in the public interest so as to override individual rights under Articles 7 and 8(1) of the Charter of Fundamental Rights of the European Union, which underpin EU data protection. The analysis shows that the sharing of cyber threat intelligence is in the public interest so as to override the rights of a data subject, as long as it is carried out in ways that are strictly necessary in order to achieve security objectives. The article concludes by summarizing the project findings to date, and how they inform international sharing of cyber-threat intelligence within the private sector.

20.
Data breach notification laws require organisations to notify affected persons or regulatory authorities when an unauthorised acquisition of personal data occurs. Most laws provide a safe harbour to this obligation if acquired data has been encrypted. There are three types of safe harbour: an exemption; a rebuttable presumption and factor-based analysis. We demonstrate, using three condition-based scenarios, that the broad formulation of most encryption safe harbours is based on the flawed assumption that encryption is the silver bullet for personal information protection. We then contend that reliance upon an encryption safe harbour should be dependent upon a rigorous and competent risk-based review that is required on a case-by-case basis. Finally, we recommend the use of both an encryption safe harbour and a notification trigger as our preferred choice for a data breach notification regulatory framework.
