15 April 2008

Cyberspace May 2008


My recent jaunt through the European Union gave me an education on privacy law; in short, we don't take it very seriously in Australia, and despite a lot of EU law, EU business don't either, as evidenced by the number of data blunders recently. APEC has also been fiddling around with a privacy framework for at least the last four years, with little impact on law or commerce. Cross-border data transfer doesn't sound very exciting or even relevant, but you might like to consider the last time you rang your bank or telco and ended up with an operator in Asian region. How did your data get there? Who is adminstering it? What legislative and contractual controls exist to protect you? Is your data exposed to subpoenas, or perhaps government inquiry without judicial process, in that country? You might have a right to privacy, but who is it that has the obligation to provide it? Many countries have legislation on privacy, including Australia (http://tinyurl.com/6e5eeb) and Canada (http://www.canlii.org/ca/sta/p-8.6/), but we are now seeing the rise of data retention laws, which some see as the opposite of data privacy. The EU has a Data Retention Directive (DRD) (currently being challeneged by Ireland and others in the European Court of Justice), which requires, among other things, telcos to retain records of who rang who for how long and when for up to two years. One basis of challenge is Article 8 of the European Convention on Human Rights (http://tinyurl.com/5hhvvr), which states that "Everyone has the right to respect for his private and family life, his home and his correspondence." This is of course topical because of current Australian intentions to amend the Telecommunications (Interception) Act, 1979 (although workplace surveillance is already legal in Australia subject to conditions).

The EU muddle

The EU also has a Data Protection Directive (DPD), and a group named the Article 29 Working Party, which recently stated that search engine companies such as Google should delete data after it has been used for its intended purpose, and at any rate delete the data after six months (http://tinyurl.com/6kedsf). Google is now in the position of working out how it can comply with the DRD, the DPD, and the Working Party's opinion while achieving its commercial goals (Google currently keeps search logs for 18 months). A key statement by the Working Party is that the DPD applies to organisations doing business in the EU, even when their headquarters are outside the EU. The Working Party also stated that IP addresses (routinely collected by web sites, including corporate extranets) are personal information, and must be protected accordingly. My employer has a subsidiary in the UK, and therefore the DPD applies to it, and getting a handle on EU data retention and privacy is now of major interest to me; but what is it to you? One lesson is that the area is a minefield for conflicting legislation and obligations, and Australia doesn't seem to have a coherent, unified approach to dealing with privacy, retention, FOI and national security (if we do, it's probably an accident). We have the common law and some State codification on data retention, Federal and State privacy and FOI legislation, and recent privacy intrusions based on claims of national security. Other lessons abound: if you have a client in NSW who does business in Victoria then it is possible that it may have a higher standard of document retention where litigation is anticipated. If you use a laptop with a wireless network you should consider how secure that communication is. Public networks at airports and coffee shops are inherently insecure, and you should get advice on how to use them securely. Finally, your client may be subject to foreign privacy law if its website is more than just "brochure-ware" (http://tinyurl.com/5dbc9e).