Encryption safe harbours and data breach notification laws

Data breach notification laws require organisations to notify affected persons or regulatory authorities when an unauthorised acquisition of personal data occurs. Most laws provide a safe harbour to this obligation if acquired data has been encrypted. There are three types of safe harbour: an exemption; a rebuttable presumption and factor-based analysis. We demonstrate, using three condition-based scenarios, that the broad formulation of most encryption safe harbours is based on the flawed assumption that encryption is the silver bullet for personal information protection. We then contend that reliance upon an encryption safe harbour should be dependent upon a rigorous and competent risk-based review that is required on a case-by-case basis. Finally, we recommend the use of both an encryption safe harbour and a notification trigger as our preferred choice for a data breach notification regulatory framework.

Contextualizing the tensions and weaknesses of information privacy and data breach notification laws

Data breach notification laws have detailed numerous failures relating to the protection of personal information that have blighted both corporate and governmental institutions. There are obvious parallels between data breach notification and information privacy law as they both involve the protection of personal information. However, a closer examination of both laws reveals conceptual differences that give rise to vertical tensions between each law and shared horizontal weaknesses within both laws. Tensions emanate from conflicting approaches to the implementation of information privacy law that results in different regimes and the implementation of different types of protections. Shared weaknesses arise from an overt focus on specified types of personal information which results in ‘one size fits all’ legal remedies. The author contends that a greater contextual approach which promotes the importance of social context is required and highlights the effect that contextualization could have on both laws.

Australian data breach notification : avoiding the State/Federal overlap

Mandatory data breach notification has become a matter of increasing concern for law reformers. In Australia, this issue was recently addressed as part of a comprehensive review of privacy law conducted by the Australian Law Reform Commission (ALRC) which recommended a uniform national regime for protecting personal information applicable to both the public and private sectors. As in all federal systems, the distribution of powers between central and state governments poses problems for national consistency. In the authors’ view, a uniform approach to mandatory data breach notification has greater merit than a ‘jurisdiction specific’ approach epitomized by US state-based laws. The US response has given rise to unnecessary overlaps and inefficiencies as demonstrated by a review of different notification triggers and encryption safe harbors. Reviewing the US response, the authors conclude that a uniform approach to data breach notification is inherently more efficient.

The conceptual and operational compatibility of data breach notification and information privacy laws

Mandatory data breach notification laws are a novel and potentially important legal instrument regarding organisational protection of personal information. These laws require organisations that have suffered a data breach involving personal information to notify those persons that may be affected, and potentially government authorities, about the breach. The Australian Law Reform Commission (ALRC) has proposed the creation of a mandatory data breach notification scheme, implemented via amendments to the Privacy Act 1988 (Cth). However, the conceptual differences between data breach notification law and information privacy law are such that it is questionable whether a data breach notification scheme can be solely implemented via an information privacy law. Accordingly, this thesis by publications investigated, through six journal articles, the extent to which data breach notification law was conceptually and operationally compatible with information privacy law. The assessment of compatibility began with the identification of key issues related to data breach notification law. The first article, Stakeholder Perspectives Regarding the Mandatory Notification of Australian Data Breaches started this stage of the research which concluded in the second article, The Mandatory Notification of Data Breaches: Issues Arising for Australian and EU Legal Developments (‘Mandatory Notification‘). A key issue that emerged was whether data breach notification was itself an information privacy issue. This notion guided the remaining research and focused attention towards the next stage of research, an examination of the conceptual and operational foundations of both laws. The second article, Mandatory Notification and the third article, Encryption Safe Harbours and Data Breach Notification Laws did so from the perspective of data breach notification law. The fourth article, The Conceptual Basis of Personal Information in Australian Privacy Law and the fifth article, Privacy Invasive Geo-Mashups: Privacy 2.0 and the Limits of First Generation Information Privacy Laws did so for information privacy law. The final article, Contextualizing the Tensions and Weaknesses of Information Privacy and Data Breach Notification Laws synthesised previous research findings within the framework of contextualisation, principally developed by Nissenbaum. The examination of conceptual and operational foundations revealed tensions between both laws and shared weaknesses within both laws. First, the distinction between sectoral and comprehensive information privacy legal regimes was important as it shaped the development of US data breach notification laws and their subsequent implementable scope in other jurisdictions. Second, the sectoral versus comprehensive distinction produced different emphases in relation to data breach notification thus leading to different forms of remedy. The prime example is the distinction between market-based initiatives found in US data breach notification laws compared to rights-based protections found in the EU and Australia. Third, both laws are predicated on the regulation of personal information exchange processes even though both laws regulate this process from different perspectives, namely, a context independent or context dependent approach. Fourth, both laws have limited notions of harm that is further constrained by restrictive accountability frameworks. The findings of the research suggest that data breach notification is more compatible with information privacy law in some respects than others. Apparent compatibilities clearly exist as both laws have an interest in the protection of personal information. However, this thesis revealed that ostensible similarities are founded on some significant differences. Data breach notification law is either a comprehensive facet to a sectoral approach or a sectoral adjunct to a comprehensive regime. However, whilst there are fundamental differences between both laws they are not so great to make them incompatible with each other. The similarities between both laws are sufficient to forge compatibilities but it is likely that the distinctions between them will produce anomalies particularly if both laws are applied from a perspective that negates contextualisation.

Data breach notification law in the EU and Australia : where to now?

Mandatory data breach notification laws have been a significant legislative reform in response to unauthorized disclosures of personal information by public and private sector organizations. These laws originated in the state-based legislatures of the United States during the last decade and have subsequently garnered worldwide legislative interest. We contend that there are conceptual and practical concerns regarding mandatory data breach notification laws which limit the scope of their applicability, particularly in relation to existing information privacy law regimes. We outline these concerns here, in the light of recent European Union and Australian legal developments in this area.

The Growing Pains of Data Breach Notification Law

Mandatory data breach notification laws are a novel statutory solution in relation to organizational protections of personal information. They require organizations which have suffered a breach of security involving personal information to notif'y those persons whose information may have been affected. These laws originated in the state based legislatures of the United States during the last decade and have subsequently garnered worldwide legislative interest. Despite their perceived utility, mandatory data breach notification laws have several conceptual and practical concems that limit the scope of their applicability, particularly in relation to existing information privacy law regimes. We outline these concerns, and in doing so, we contend that while mandatory data breach notification laws have many useful facets, their utility as an 'add-on' to enhance the failings of current information privacy law frameworks should not necessarily be taken for granted.

Honesty about adverse event : more honoured in the breach than in the observance?

Part of the chapter: "Sale of Sperm, Health Records, Minimally Conscious States, and Duties of Candour" Although ethical obligations and good medical practice guidelines clearly contemplate open disclosure, there is a dearth of authority as to the nature and extent of a legal duty on Australian doctors to disclose adverse events to patients.

Court finds solicitor in breach of fiduciary duty owed to client but loss not caused by the breach

A solicitor owes fiduciary obligations to his or her client including the obligations of loyalty and disclosure. The Court of Appeal in Mantonella Pty Ltd v Thompson (2009) 255 ALR 367; [2009] QCA 80; BC200902311 recently considered when the fiduciary duty owed by a solicitor to a client is breached and the consequent liability of the solicitor...

Honesty about adverse events - more honoured in the breach than in the observance

The medical board of Australia Code of conduct reminds doctors that" "When adverse events occur, you have a responsibility to be open and honest in your communication with your patient, to review what has occurred and to report appropriately." More honoured in the breach rather than the observence may or may not be correct. Faced with the English concerns and the Netherlands research, an evidence based assessment of compliance with the ethical duty to disclose adverse events is warranted.

‘The door creaked shut’: The new breach of bail offence for youth in Queensland

As part of the 2014 amendments to the Youth Justice Act 1992 (Qld) the previous Queensland government introduced a new breach of bail offence and a reverse onus provision in relation to the new offence. Also included in the raft of amendments was a provision removing the internationally accepted principle that, in relation to young offenders, detention should be used as ‘a last resort’. This article argues that these changes are likely to increase the entrenchment of young people within the criminal justice system.

The ILC's Articles on Responsibility of States for Internationally Wrongful Acts: Completion of the Second Reading

In 2001 the International Law Commission finally adopted on second reading the Draft Articles on Responsibility of States for Internationally Wrongful Acts with commentaries, bringing to an end nearly 50 years of ILC work on the subject. This article reviews the final group of changes to the text, focusing on the definitions of ‘injury’ and ‘damage’, assurances of non‐repetition in the light of the LaGrand case, procedural aspects of countermeasures and the controversy over measures taken in response to a breach by states which are not individually injured. The focus of debate now turns to the UNGA Sixth Committee, which will have to decide what to make of the Draft Articles. The ILC itself recommended an initial resolution taking note of the Articles, with subsequent consideration (after a period of years) of a possible diplomatic conference with a view to concluding a convention. This modest proposal allows for further reflection on the text and may help to avoid possibly divisive and inconclusive debate in the Sixth Committee. At the same time it allows time for better understanding of the many changes made as compared with the first reading text (1996).

Statutory protections from forfeiture of a leasehold estate following Apriaden Pty Ltd v Seacrest Pty Ltd

In Apriaden Pty Ltd v Seacrest Pty Ltd the Victorian Court of Appeal decided that termination of a lease under common law contractual principles following repudiation is an alternative to reliance upon an express forfeiture provision in the lease and that it is outside the sphere of statutory protections given against the enforcing of a forfeiture. The balance of authority supports the first aspect of the decision. This article focuses on the second aspect of it, which is a significant development in the law of leases. The article considers the implications of this decision for essential terms of clauses in leases, argues that common law termination for breach of essential terms should be subject to compliance with these statutory requirements and, as an alternative, suggests a way forward through appropriate law reform, considering whether the recent Victorian reform goes far enough.

"Get new lawyers!"

In James Rubin's account of the Kosovo war, he describes an exchange between Secretary Albright and Robin Cook (the British Foreign Secretary). Cook was explaining that it is difficult for Britain to commit to the war without UN Security Council approval because the legal advice he had received was that such action would be illegal under international law. Albright's response was, simply, "get new lawyers". Rubin "credits" Blair with a "push" that swung the British to "finally agree" that a UN Security Council resolution was "not legally required". Robin Cook later stated in Parliament and that the war was legal. Interestingly, Blair did not. This article does not look at whether or not such an exchange took place; rather look at the ethical issues that such a situation would generate. The article suggests what the ethical obligations of the key legal players in such institutional dramas should be—including governments seeking advice, the lawyers giving it, the ministers reporting it and the opposition in Parliament. The article sets out the particular responsibilities of the lawyers and officials of a Westminster system. It also sets out some of the institutional mechanisms for making it more likely that those obligations are fulfilled—as always through the interaction of obligations by different players that make it more risky for any player to breach his or her ethical obligations. Analogous duties would be faced by the relevant actors in other systems.