The conceptual and operational compatibility of data breach notification and information privacy laws

Mandatory data breach notification laws are a novel and potentially important legal instrument regarding organisational protection of personal information. These laws require organisations that have suffered a data breach involving personal information to notify those persons that may be affected, and potentially government authorities, about the breach. The Australian Law Reform Commission (ALRC) has proposed the creation of a mandatory data breach notification scheme, implemented via amendments to the Privacy Act 1988 (Cth). However, the conceptual differences between data breach notification law and information privacy law are such that it is questionable whether a data breach notification scheme can be solely implemented via an information privacy law. Accordingly, this thesis by publications investigated, through six journal articles, the extent to which data breach notification law was conceptually and operationally compatible with information privacy law. The assessment of compatibility began with the identification of key issues related to data breach notification law. The first article, Stakeholder Perspectives Regarding the Mandatory Notification of Australian Data Breaches started this stage of the research which concluded in the second article, The Mandatory Notification of Data Breaches: Issues Arising for Australian and EU Legal Developments (‘Mandatory Notification‘). A key issue that emerged was whether data breach notification was itself an information privacy issue. This notion guided the remaining research and focused attention towards the next stage of research, an examination of the conceptual and operational foundations of both laws. The second article, Mandatory Notification and the third article, Encryption Safe Harbours and Data Breach Notification Laws did so from the perspective of data breach notification law. The fourth article, The Conceptual Basis of Personal Information in Australian Privacy Law and the fifth article, Privacy Invasive Geo-Mashups: Privacy 2.0 and the Limits of First Generation Information Privacy Laws did so for information privacy law. The final article, Contextualizing the Tensions and Weaknesses of Information Privacy and Data Breach Notification Laws synthesised previous research findings within the framework of contextualisation, principally developed by Nissenbaum. The examination of conceptual and operational foundations revealed tensions between both laws and shared weaknesses within both laws. First, the distinction between sectoral and comprehensive information privacy legal regimes was important as it shaped the development of US data breach notification laws and their subsequent implementable scope in other jurisdictions. Second, the sectoral versus comprehensive distinction produced different emphases in relation to data breach notification thus leading to different forms of remedy. The prime example is the distinction between market-based initiatives found in US data breach notification laws compared to rights-based protections found in the EU and Australia. Third, both laws are predicated on the regulation of personal information exchange processes even though both laws regulate this process from different perspectives, namely, a context independent or context dependent approach. Fourth, both laws have limited notions of harm that is further constrained by restrictive accountability frameworks. The findings of the research suggest that data breach notification is more compatible with information privacy law in some respects than others. Apparent compatibilities clearly exist as both laws have an interest in the protection of personal information. However, this thesis revealed that ostensible similarities are founded on some significant differences. Data breach notification law is either a comprehensive facet to a sectoral approach or a sectoral adjunct to a comprehensive regime. However, whilst there are fundamental differences between both laws they are not so great to make them incompatible with each other. The similarities between both laws are sufficient to forge compatibilities but it is likely that the distinctions between them will produce anomalies particularly if both laws are applied from a perspective that negates contextualisation.

Transparent, balanced and vigorous: The exercise of the Australian Privacy Commissioner's powers in relation to National Privacy Principle 4

This thesis considers whether the Australian Privacy Commissioner's use of its powers supports compliance with the requirement to 'take reasonable steps' to protect personal information in National Privacy Principle 4 of the Privacy Act 1988 (Cth). Two unique lenses were used. First, the Commissioner's use of powers was assessed against the principles of transparency, balance and vigorousness and secondly against alignment with an industry practice approach to securing information. Following a comprehensive review of publicly available materials, interviews and investigation file records, this thesis found that the Commissioner's use of his powers has not been transparent, balanced or vigorous, nor has it been supportive of an industry practice approach to securing data. Accordingly, it concludes that the Privacy Commissioner's use of its regulatory powers is unlikely to result in any significant improvement to the security of personal information held by organisations in Australia.

If it's encrypted it's secure! The viability of US state-based encryption exemptions

US state-based data breach notification laws have unveiled serious corporate and government failures regarding the security of personal information. These laws require organisations to notify persons who may be affected by an unauthorized acquisition of their personal information. Safe harbours to notification exist if personal information is encrypted. Three types of safe harbour have been identified in the literature: exemptions, rebuttable presumptions and factors. The underlying assumption of exemptions is that encrypted personal information is secure and therefore unauthorized access does not pose a risk. However, the viability of this assumption is questionable when examined against data breaches involving encrypted information and the demanding practical requirements of effective encryption management. Recent recommendations by the Australian Law Reform Commission (ALRC) would amend the Privacy Act 1988 (Cth) to implement a data breach scheme that includes a different type of safe harbour, factor based analysis. The authors examine the potential capability of the ALRC’s proposed encryption safe harbour in relation to the US experience at the state legislature level.

Stakeholder perspectives regarding the mandatory notification of Australian data breaches

The advent of data breach notification laws in the United States (US) has unearthed a significant problem involving the mismanagement of personal information by a range of public and private sector organisations. At present, there is currently no statutory obligation under Australian law requiring public or private sector organisations to report a data breach of personal information to law enforcement agencies or affected persons. However, following a comprehensive review of Australian privacy law, the Australian Law Reform Commission (ALRC) has recommended the introduction of a mandatory data breach notification scheme. The issue of data breach notification has ignited fierce debate amongst stakeholders, especially larger private sector entities. The purpose of this article is to document the perspectives of key industry and government representatives to identify their standpoints regarding an appropriate regulatory approach to data breach notification in Australia.

Notification of data breaches under the continuous disclosure regime

Consumer personal information is now a valuable commodity for most corporations. Concomitant with increased value is the expansion of new legal obligations to protect personal information. Mandatory data breach notification laws are an important new development in this regard. Such laws require a corporation that has suffered a data breach, which involves personal information, such as a computer hacking incident, to notify those persons who may have been affected by the breach. Regulators may also need to be notified. Australia currently does not have a mandatory data breach notification law but this may be about to change. The Australian Law Reform Commission has suggested that a data breach notification scheme be implemented through the Privacy Act 1988 (Cth). However, the notification of data breaches may already be required under the continuous disclosure regime stipulated by the Corporations Act 2001 (Cth) and the Australian Stock Exchange (ASX) Listing Rules. Accordingly, this article examines whether the notification of data breaches is a statutory requirement of the existing continuous disclosure regime and whether the ASX should therefore be notified of such incidents.

Australian data breach notification : avoiding the State/Federal overlap

Mandatory data breach notification has become a matter of increasing concern for law reformers. In Australia, this issue was recently addressed as part of a comprehensive review of privacy law conducted by the Australian Law Reform Commission (ALRC) which recommended a uniform national regime for protecting personal information applicable to both the public and private sectors. As in all federal systems, the distribution of powers between central and state governments poses problems for national consistency. In the authors’ view, a uniform approach to mandatory data breach notification has greater merit than a ‘jurisdiction specific’ approach epitomized by US state-based laws. The US response has given rise to unnecessary overlaps and inefficiencies as demonstrated by a review of different notification triggers and encryption safe harbors. Reviewing the US response, the authors conclude that a uniform approach to data breach notification is inherently more efficient.

VA Privacy Act systems of records notices.

"Provides a copy of all notices of VA systems of records subject to the Privacy Act of 1974..."--p. [1].

Transfer of Title by a Non-Owner : Personal Property Securities Act 2009 (Cth) exceptions to the nemo dat quod non habet rule

The fundamental personal property rule – no one can transfer a better title to property than they had – is subject to exceptions in the Sale of Goods legislation, which aim to protect innocent buyers who are deceived by a seller’s apparent physical possession of property. These exceptions cover a limited range of transactions and are restrictive in their operation. Australia now has national legislation - the Personal Property Securities Act 2009 (Cth) - which will apply to many transactions outside the scope of the Sale of Goods Act and which includes rules for sales by non-owners which will provide exceptions to the nemo dat quod non habet rule for many common commercial transactions. This article explores the effect of the Personal Property Securities Act 2009 (Cth) on the Sale of Goods exceptions, explains that the new provisions are so wide that there is little continuing relevance for the Sale of Goods Act exceptions, and indicates where they may still apply.

Surviving the Personal Property Securities Act (2009) Cth

Australia has new national legislation - the Personal Property Securities Act 2009 (Cth) and the Personal Property Securities Regulations 2010 – which is expected to commence operating in February 2012. Previous personal property securities legislation was very complex, with more than seventy pieces of legislation in the states and territories, and more than forty registers. This reform package is the culmination of a process that began many years ago and various drafts have been the subject of much investigation and consultation. This legislation rationalises previous laws and bring about substantial changes to this area of law. This paper seeks to explain the principal changes and their implications.

In focus : the Personal Property Securities Act 2009 (Cth)

Australia has new national legislation - the Personal Property Securities Act 2009 (Cth) and the Personal Property Securities Regulations 2010 – which commenced operation on 30 January 2012. Previous personal property securities legislation was very complex, with more than seventy pieces of legislation in the states and territories, and more than forty registers. This reform package is the culmination of a process that began many years ago and various drafts have been the subject of much investigation and consultation. This legislation rationalises previous laws and bring about substantial changes to this area of law. This paper seeks to explain the principal changes and their implications.

Outline of the Personal Property Securities Act 2009 (Cth)

Australia has new national legislation - the Personal Property Securities Act 2009 (Cth) and the Personal Property Securities Regulations 2010 – which commenced operation on 30 January 2012. The policy objectives of the new legislation are to increase certainty and consistency and to reduce complexity and cost. To achieve this, the legislation treats like transactions alike, by focusing on substance over form, and so removes distinctions between security interests which have been based on their structure. Differences based on the location or nature of the secured property and the debtor’s legal form, as an individual or company, have also disappeared. We now have one single national scheme and one national electronic registration system for all security interests throughout Australia. The Act applies to security interests in tangible and intangible personal property, including those based on some form of title retention which are not security interests under the general law. This legislation rationalises previous laws and bring about substantial changes to this area of law. This paper seeks to explain the principal changes and their implications.

Setting aside default judgment - whether judgment regularly or irregularly entered - service under Corporations Act 2001 (Cth) s109X(1) - requirements for affadavit of service

In Hill v Robertson Suspension Systems Pty Ltd [2009] QDC 165 McGill DCJ considered the procedural requirements for the service of originating process on a company, and for proving that service for the purpose of obtaining default judgment.The judge’s views adopt a strict and technical construction of the requirements for an affidavit of service under r 120(1)(b). Though clearly obiter, they may well affect the approach taken on applications to enter or set aside default judgments in the lower courts. Pending further judicial consideration of the issue, it is suggested the prudent course is to ensure that the deponent of an affidavit for service effected under s 109X(1)(a) of the Act deposes not only to the location of the registered office of the company but also, at a minimum, provides the source of that information.