Self-driving cars, smartphone-operated doors and smart home automation systems are no longer the exclusive domain of science fiction authors. Today, things connect to people seamlessly. Our phones, our tablets and computers, even our watches and GPS systems connect us to the Internet and each other.
This entanglement or ‘web’ of devices and data is aptly coined the ‘Internet of Things’ (IoT). It involves the interconnectivity of everyday objects like your fridge or bicycle, making it incredibly easy to transmit large amounts of data instantaneously. Naturally, developers have adapted such technology to respond to consumer needs in a more personal manner – think locating your lost keys or monitoring your fitness. Cisco projects the IoT’s reach will extend to 50.1 billion things in 2020, from 22.9 billion things in 2016.
But where there is Big Data, there are big problems. Data breaches in familiar and trusted brands such as Woolworths and Kmart have heightened consumer awareness of data security and privacy – particularly when data is stored offshore. Reported data breaches to the Office of the Australian Information Commissioner doubled between 2014 and 2015, and that number is likely to increase as the flow of information between devices becomes easier. Concerns surrounding data collection, use and sharing are therefore well-founded and require appropriate government regulation.
The IoT ignites debate around how to balance the need to promote convenience and innovation against the need to protect against breaches of privacy. It will require policymakers to tackle difficult questions such as: how is personal privacy protected if data is collected and stored by an overseas entity? Who is responsible if there is a data breach?
Businesses can take a number of steps to not only protect their customers’ personal information, but also comply with Australia’s privacy framework. With that in mind, we look at what challenges businesses face regarding privacy and the use of IoT devices.
Australia’s Privacy Framework & the Australian Privacy Principles
Australian privacy law regulates how businesses collect, store and use personal information. Australia’s privacy regime principally consists of the Privacy Act 1988 (Cth) and thirteen Australian Privacy Principles (APPs) that apply to three broad parties: government agencies; private sector businesses and not-for-profit organisations with an annual turnover of more than $3 million; and any private health service providers (together, APP Entities).
Cross-Border Disclosure of Personal Information
Often, APP entities that use the network of the IoT engage third party companies that may be based overseas to manage and store their users’ personal data (such as web hosting providers). Under the obligations of APP 8, if an Australian company discloses personal information to a company overseas, the Australian entity remains ultimately responsible and must take reasonable steps to ensure compliance with the APPs. But what happens when the laws of a foreign country conflict with Australia’s and permit access to personal information for reasons such as national security? There is little evidence about how the extraterritorial application of Australian privacy law works, or will work, in practice.
Furthermore, under APP 11, an APP entity is required to destroy or de-identify any personal information when it no longer needs it, raising questions about companies that collect personal information for future uses such as marketing. APP 11 also requires an APP entity to comply with an individual’s request to access his or her information, or provide reasons for any refusal.
Requiring an APP entity to respond to all requests to access information is one thing – whether the APP entity has the resources to do so is another. In our experience, few web-hosting providers appear equipped to handle the compliance burden. Indeed, if Cisco’s projections are correct, it’s conceivable that the APPs do not contemplate how radically the IoT and the data it collects will affect our everyday lives. So where to next for our evolving IoT ecosystem?
Business’ Role in Privacy Protection
In 2015, the average cost of a data breach in Australia was $2.82 million per company. The average breach involved more than 20,000 records, and the cost per record breached was $144. The potential impact data breaches have on a business’s bottom line should, at the very least, be cause to review internal data management policies. Do your key decision makers know what types of personal information your business collects, and where and how that data is stored? Have you ensured that your data is adequately encrypted and protected?
As we charge into the 21st century, government policy will need to keep pace with the changes the IoT will bring. Web-hosting service providers must ensure they not only comply with privacy legislation, but also take reasonable steps to protect the data they collect, particularly if it is stored overseas. For online businesses and developers in the IoT space, it is to their commercial benefit to adopt best practices when it comes to privacy, as consumers are increasingly factoring this into their purchasing decisions.
In the meantime, businesses should develop a data breach response plan to comply with their obligations under the Privacy Act and to instil public confidence in their capacity to protect personal information by responding effectively to a breach. The Office of the Australian Information Commissioner (OAIC) has produced a guide to developing such a plan. The OAIC encourages businesses to test the plan before a data breach occurs, for example by responding to a hypothetical data breach. The plan should provide a clear explanation of what constitutes a data breach, as well as who is responsible for determining how the business will contact affected individuals. This is especially important to address given that the Federal Government released a draft Bill in December this year requiring businesses to notify the Federal Privacy Commissioner and affected individuals of serious data breaches involving personal information.
APP entities should also consider managing any risk created by offshore disclosure of personal information by setting out the responsibilities of relevant parties in a written agreement. The contract should also address the cost of managing data breaches and include the appropriate liability provisions, indemnity obligations and insurance requirements.
This article is contributed by LegalVision, a market disruptor in the commercial legal services industry and sponsor of CeBIT 2016. Their innovative business model and custom-built technology assist their lawyers to provide a faster, better quality and more cost-effective client experience.