Similar Literature
1.
Public and private sector organisations are now able to capture and utilise data on a vast scale, thus heightening the importance of adequate measures for protecting against unauthorised disclosure of personal information. In this respect, data breach notification has emerged as an issue of increasing importance throughout the world. It has been the subject of law reform in the United States and in other jurisdictions. This article reviews US, Australian and EU legal developments regarding the mandatory notification of data breaches. The authors highlight areas of concern based on the extant US experience that require further consideration in Australia and in the EU.

2.
In this paper we study the law and economics of the EU data breach notification obligation (EU DBNO), which is part of the General Data Protection Regulation. We start our discussion with the origins and aims of the EU DBNO. Following this, we study the social benefits of the DBNO and the conditions for these social benefits to emerge. Next, we analyse whether there would be spontaneous notification without the existence of a DBNO. We discuss how the national DPAs, which are responsible for the execution of the EU DBNO, can sufficiently induce data controllers to comply with the regulation. We also discuss the scope of the regulation from a social welfare perspective, in particular the conditions that trigger a notification from data controllers.

3.
This article argues that Australia's recently passed data breach notification legislation, the Privacy Amendment (Notifiable Data Breaches) Act 2017 (Cth), and its coming into force in 2018, makes an internationally important, yet imperfect, contribution to data breach notification law. Against the backdrop of data breach legislation in the United States and European Union, a comparative analysis is undertaken between these jurisdictions and the Australian scheme to elucidate this argument. Firstly, some context is offered on data breach notification provisions, which are designed to address some of the problems data breaches cause for data privacy and information security. There have been various prominent data breaches affecting Australians over the last few years, which have led to discussion of what can be done to deal with their negative effects. The international context of data breach notification legislation will be discussed, with a focus on the United States and European Union jurisdictions, which have already adopted similar laws. The background to the adoption of the Australian legislation will be examined, including the general context of data privacy and security protection in Australia. The reform itself will then be considered, along with the extent to which this law is fit for purpose and some outstanding concerns about its application. While data breach notification requirements are likely to be a positive step for data security, further reform is probably necessary to ensure strong cybersecurity. However, such reform should be cognisant of the international trend towards the adoption of data security measures including data breach notification, but also of the lack of alignment in standards, which may be burdensome for entities operating in the transnational data economy.

4.
This article critically examines the objectives and practical operation of Australia's mandatory data breach notification (MDBN) law. We find that the scope and application of Australia's law do not reflect the legislative objectives underpinning the law. The wording of the law is ambiguous, and it is beset by conceptual inconsistencies. The law also fails to adequately consider the needs of individuals whose personal information has been compromised in a data breach. As a result, Australia's MDBN law is unlikely to meet the needs of organisations that have experienced a data breach, or of individuals who are notified. We conclude by identifying options for reform to better reflect the law's rationale and to better achieve its objectives. Comparisons are made with similar laws in force in the United States and with the General Data Protection Regulation.

5.
The proposal for a fundamental reform of European data protection law, published by the EU Commission on 25 January 2012, is composed of two elements. Apart from a General Data Protection Regulation, the Commission proposes a second regulatory instrument, namely a Directive with regard to data processing by police and criminal justice authorities that shall supersede the Council Framework Decision 2008/977/JHA. This paper seeks to analyse the draft Directive in the context of the entire reform approach and scrutinizes a number of specific issues in regard to the scope, the requirements of data processing, notification duties and data transfer to third countries.

6.
Mandatory data breach notification laws have been a significant legislative reform in response to unauthorized disclosures of personal information by public and private sector organizations. These laws originated in the state-based legislatures of the United States during the last decade and have subsequently garnered worldwide legislative interest. We contend that there are conceptual and practical concerns regarding mandatory data breach notification laws which limit the scope of their applicability, particularly in relation to existing information privacy law regimes. We outline these concerns here, in the light of recent European Union and Australian legal developments in this area.

7.
Data breach notification laws have been enacted in an increasing number of economies around the world. These laws establish the requirement for notice in the event of a data breach incident. Although there are a number of reasons for requiring data breaches to be notified, the primary objective of the laws is to regulate organizations' data security practices in order to protect the data privacy of their customers. In so doing, the data reporting obligations promote accountability, transparency and trust, thereby improving the overall organizational data security environment. Opinions are, however, divided amongst various private sector stakeholders on the issue of mandatory data breach notification. Drawing on interviews with 24 private sector representatives with an interest in data breach issues, this article documents and examines their position on the appropriate regulatory approach for data breach notification in Hong Kong.

8.
This has been a big year for privacy with so much going on within the EU regarding reform of data protection. What are the implications of reform here and what are the issues that concern us about the proposed new data protection regime contained in the proposed Regulation? We hear a lot about the 'right to be forgotten'. How is that possible in the digital age within the online world? And what can be done about the big players who stand charged with the erosion of privacy, viz. Facebook, Google, Skype, YouTube etc.? How can the law keep up with technological change when the latter is moving so fast, e.g. with RFID, Cloud and social networking? To what extent can data breach notification, net neutrality and privacy impact assessment help, and how should the law approach issues of liability and criminality in relation to privacy? What is the state of play too in the relationship between privacy policy and state surveillance and, given its implications for privacy, what obligations should governments adopt in response to cybersecurity regulation and data management? Is there a place for privacy self-regulation and, if so, in what respects, and how effective are the Information Commissioners who often complain of being under-resourced? In reviewing the way privacy law has emerged, do we now need a completely new approach to the whole issue? Has the law crept into its present form simply by default? Do we need some new thinking now that reflects the fact that law is only one dimension in the battle for privacy? If so, what are the other factors we need to recognise?

9.
The Applicable Law for Delivery of Goods Without Presentation of the Bill of Lading
On the premise that delivery of goods without presentation of the bill of lading is characterised as a breach of contract, and taking China's rules of private international law as the basis, this paper discusses the choice of law for disputes over such delivery: these disputes should first be governed by the law applicable to the bill of lading; where that law cannot regulate the act of delivery without the bill of lading, the law of the place of delivery should be determined, under the closest-connection principle, as the governing law of the dispute. The paper also analyses the possible application of directly applicable foreign laws and of the public law of the place of delivery, and points out that under Chinese legislation there is no possibility of subjecting delivery without the bill of lading to the law of the place of the act on the basis of the principle that the place governs the act.

10.
For many years, transatlantic cooperation between the EU and the US in the area of personal data exchange has been a subject of special interest on the part of lawmakers, courts (including supranational ones), NGOs and the public. When implementing the recent reform of data protection law, the European Union decided to further strengthen guarantees of the protection of privacy in cyberspace. At the same time, however, it faced the practical problem of how to ensure compliance with these principles in relation to third countries. The approach proposed in the GDPR, which is based on a newly defined territorial scope of application, clearly indicates an attempt to apply EU rules extraterritorially in relation to data processors in third countries. Irrespective of EU activity, the United States has also introduced its own regulations addressing the same problem. An example is the federal law adopted in 2018, specifying how to execute national court orders for the transfer of electronic data. The CLOUD Act was established in response to legal doubts raised in the Microsoft v United States case regarding the transfer of electronic data stored in the cloud by US obliged entities to law enforcement authorities, as well as in cases where this data is physically located in another country and its transfer could result in violating the legal norms of a foreign jurisdiction. The CLOUD Act also facilitates bilateral international agreements that enable the cross-border transfer of e-evidence for the purposes of ongoing criminal proceedings.
Both the content of the new regulations and the model proposed by the US legislature for future agreements concluded on the basis of the CLOUD Act can be seen as an alternative to regulations arising from EU law. The purpose of this paper is to analyse the CLOUD Act and CLOUD Act Agreements from the perspective of EU law and, in particular, to attempt to answer the question as to whether this new legal mechanism brings the EU and the USA closer to finding common ground with regard to a coherent model of exchange and protection of personal data.

11.
Law plays a significant role in contemporary transatlantic relations outside of the bilateral context which, from the perspective of EU external relations law, might seem neither conventional nor apparent. Non-bilateral transatlantic relations increasingly deploy law as a communication tool between the two legal orders. For example, in 2011, the US intervened informally and anonymously in the formulation of EU legislation, while the US House of Representatives passed legislation to prohibit the impact of EU law upon the US legal order. Another example is constituted by EU amicus curiae submissions before the US Supreme Court in death penalty cases. The so-called Brussels effect is also the subject of recent scholarship, assessing the perceived spillover effect of EU regulatory standards onto US rules. The paper provides many vivid examples of the variable institutional and legal components of transatlantic relations not usually accounted for in scholarship on transatlantic relations.

12.
Contemporary critiques of globalisation processes often focus on the potential levelling of regulatory standards and the export by the United States of neoliberal norms of deregulation and market facilitation. This paper, in contrast, examines the extra-jurisdictional impact of EU regulatory policy on the behaviour of foreign private parties, even in powerful states such as the United States. Shaffer finds that the threat of curtailing access to the EU's large market provides the EU with leverage. By acting collectively, EU Member States can magnify the impact of European policy on US business practice and enhance EU Member State clout in the negotiation of de jure and de facto foreign standards. The site of analysis is the current dispute between the United States and the European Union over the provision of 'adequate' data privacy protection in accordance with the EU Directive on data privacy. The paper explores the many ways in which the Directive affects US practice through changing the stakes of US players (including regulators, businesses, privacy advocates, lawyers and privacy service providers) and thereby shifting the playing field in the United States on which competing interest groups clash. In examining the interaction of EU law, US practice and international trade rules, the author finds that WTO law, rather than constraining the Directive's extra-jurisdictional impact, provides the EU with a shield against US retaliatory threats, thereby facilitating a trading up of data privacy standards. The paper concludes by examining the conditions under which cross-border exchange can lead to a leveraging up of social protections: the desire of firms to expand their markets, Member States' collective bargaining power buttressed by market clout, the nature of luxury goods, the externalities of foreign under-regulation legitimising EU intervention, and the constraints of supranational trade rules.

13.
Data breach notification laws require organisations to notify affected persons or regulatory authorities when an unauthorised acquisition of personal data occurs. Most laws provide a safe harbour from this obligation if the acquired data has been encrypted. There are three types of safe harbour: an exemption, a rebuttable presumption, and factor-based analysis. We demonstrate, using three condition-based scenarios, that the broad formulation of most encryption safe harbours is based on the flawed assumption that encryption is the silver bullet for personal information protection. We then contend that reliance upon an encryption safe harbour should be dependent upon a rigorous and competent risk-based review that is required on a case-by-case basis. Finally, we recommend the use of both an encryption safe harbour and a notification trigger as our preferred choice for a data breach notification regulatory framework.

14.
The effects on the common law of the contract of employment of the decision of the House of Lords in Johnson v Unisys Ltd are considered. The focus is on liability rather than remedies. It is argued that the case created conceptual instability in the common law understanding of a breach of a contract of employment. The logical consequence of the majority reasoning is that in some cases the existence or not of a breach by an employer is contingent on an employee's reaction. Relevant case law history and developments since the Johnson decision inform a detailed critique of the arguments that underpinned it. A solution is suggested according to which, prima facie, contracts of employment would be required to be performed in accordance with terms that have been implied by law.

15.
Legislative Choices in China's Theory of Changes in Real Rights (Part I)
Changes in real rights are a major issue of legislative policy and legislative technique in property law. China's property legislation should make the following choices: recognise the objective existence of the juristic act of real right (the real-right act); but where a contract under the law of obligations is the causal relationship for the change in real rights, the real-right act has no independence and is absorbed by the obligatory act; and the dominion character of real rights requires that a change in real rights take the method of publicity, delivery (for movables) or registration (for immovables), as an intrinsic requirement for taking effect. Thus the process of a change in real rights is a combination of a voluntary act (an obligatory or real-right act) and a statutory act (delivery or registration); as between the two parties, the law gives the voluntary act decisive effect; but as against a bona fide third party, the statutory act has decisive effect over the voluntary act, that is, publicity is endowed with public credibility in order to protect the security of transactions, and there is no need to recognise the abstractness (non-causality) of the real-right act.

16.
With the rapid development and widespread use of digital technologies in the workplace in China, employers' right to monitor and direct employees has often been abused, raising a number of disputes over the infringement of employees' right to privacy in terms of their personal information. China must urgently develop an appropriate approach to balancing these two conflicting interests. However, there is currently no coherent and uniform regime governing the protection of employees' personal information in China. The primary legal source on which employers can rely is the latest version of the Chinese Personal Information Protection Law (PIPL), which offers three lawful bases for employers' processing of their employees' personal information. These bases are employee consent; "necessity for the conclusion or performance of an employment contract"; and "necessity for conducting human resource management." Concerns have been expressed regarding the reasonableness and effectiveness of the three lawful bases under the PIPL. First, it is both legally and practically problematic for the PIPL to rely so heavily on employee consent. Second, it is unclear whether the other two lawful bases relieve employers of the duty of notification and, if so, how to safeguard employees' right to know. Third, the ambiguous standard of "necessity" requires clarification. This article argues that China should adopt many elements from EU law, while US law should be followed only in relation to the standard of "necessity". In relation to employee consent, the EU approach is preferable to the US approach. As the EU approach does not generally regard employees' consent as a lawful basis for the processing of their information and uses the other two lawful bases as alternatives to employee consent, this approach better reflects the customary practices of employee subordination and employer control in China.
In contrast, US law deems employee consent to be an absolute general defense to the tort of privacy violation and adopts an employer favoritism approach to balancing these two conflicting interests, which is not appropriate in the Chinese context. In relation to the scope of necessity, three tests taken from the EU and US approaches should be considered by the Chinese courts. In addition, when processing personal information based on the other two lawful bases, employers should safeguard employees' right to know through collective contracts concluded with labor unions or employee representatives under the Chinese Labor Contract Law, which would effectively address employers' arbitrariness. Ultimately, these changes would produce a better balance between employees' right to privacy in terms of their personal information and employers' need to subordinate and control employees.

17.
On Double Insurance: With Comments on the Deficiencies of Article 41 of China's Insurance Law
As a basic institution of insurance law for guarding against the policyholder's moral hazard, the double insurance regime is of great importance to the fulfilment of insurance's function. However, China's legal provisions on double insurance contain many loopholes and deficiencies: there is no provision on the legal consequences of breaching the duty of notification, no provision on bad-faith double insurance, and no provision on how premiums under double insurance are to be handled; in addition, the scope of application of double insurance is unclear and its legal effect is inappropriately prescribed, which also prevents the regime from performing the function it should.

18.
Over the last decade the EU's engagement with health law and policy has rapidly increased and there is now a growing body of literature highlighting this evolution and the impact of legal and regulatory structures in this area. In contrast, the specific impact of EU law and policy in relation to the area of mental health remains the subject of comparatively little engagement. The aim of this paper is to examine whether mental health law and policy will become a major site for EU policy and law in the future. It examines the development of EU policy in this area. It sets this in the context of related legal developments such as the Charter of Fundamental Rights and the new EU Patients' Rights Directives. It suggests that, while it may at present be premature to envisage a single body of EU mental health law, the EU nonetheless presents a potentially very influential site for regulation, law and policy in this area in the years to come.

19.
The regulatory approach to privacy protection taken by many foreign jurisdictions is markedly different from that of the United States. The European Union (EU) best illustrates the international approach with its comprehensive privacy directive that applies to all EU members. By contrast, the approach regarding data privacy in the United States has been to pass industry-specific laws and often only in response to public outcry over some privacy concern. These fundamental differences have been the source of some conflict in international commercial transacting. Now that the global community is committed to eliminating terrorism, it remains to be seen if these different attitudes toward privacy by the United States and much of the rest of the world will affect global attempts to weed out terrorists. This article discusses the constitutional basis for most US policy approaches to privacy regulation. The article explains how the US Constitution is the source for most of the differences between the US and international regulatory approaches to information privacy. Finally, the discussion addresses how new issues regarding privacy in the war on terrorism may be addressed by US constitutional law.

20.
Editor's Note
In the context of today's big data and cloud computing, the global flow of data has become a powerful driver for international economic and investment growth. The EU and the U.S. have created two different paths for the legal regulation of the cross-border flow of personal data due to their respective historical traditions and practical demands. Their requirements for data protection show significant differences. The EU advocates localization of data and firmly restricts the cross-border flow of personal data. The U.S. tends to protect personal data through industry self-regulation and government law enforcement. At the same time, these two paths also converge and supplement each other. On this basis, China needs to learn from the legal regulatory paths of the EU and the US respectively, in order to establish a legal philosophy that places equal emphasis on personal data protection and the development of the information industry. In terms of domestic law, the Cybersecurity Law of the People's Republic of China needs to be improved and supplemented by relevant supporting legislation to improve the operability of the law; industry self-discipline guidelines should be established; and the various types of cross-border data need to be classified and supervised. In terms of international law, it is necessary to participate in international cooperation on the basis of the priority of data sovereignty and to promote the signing of bilateral and multilateral agreements and international treaties on the cross-border flow of personal data.
