Category: Government Regulation, Legislation & Enforcement

1
US Internet of Things bill advanced to vote on House floor
2
PwC’s Enforcement Tracker finds a large increase in fines for privacy breaches in the UK
3
Canada proposes to increase penalties for tech giants in its Digital Charter
4
Sharing of ‘abhorrent violent material’ now an offence under new laws
5
Consumer Data Right Draft Rules – submissions closing soon
6
PROPOSAL TO INCREASE PENALTIES FOR PRIVACY BREACHES
7
To encrypt or not encrypt? That is the question
8
Biggest data leak in German history
9
What do you need to know about the encryption killing legislation?
10
Cybersecurity: location, location, location

US Internet of Things bill advanced to vote on House floor

By Cameron Abbott and Rebecca Gill

Just a few months ago, we blogged on the ‘Internet of Things’ (or IoT) legislation making an appearance in the US Senate. But now the legislation may be becoming a reality. On Wednesday, the House Committee on Oversight and Reform advanced the Internet of Things Cybersecurity Improvement Act of 2019 to a vote on the House floor.

The bipartisan legislation aims to reduce the risk to critical government information technology infrastructure from cyberattacks, and directs the National Institute of Standards and Technology to develop recommendations for use and management of internet-connected devices by March 31 2020.

Read More

PwC’s Enforcement Tracker finds a large increase in fines for privacy breaches in the UK

By Cameron Abbott and Rebecca Gill

PwC’s UK Privacy & Security Enforcement Tracker has found that fines in the UK over data protection law violations totalled £6.5 million in 2018, a £2 million increase from 2017.

The Tracker analysed data protection enforcement actions by the UK Information Commissioner’s Office (ICO), including monetary fines, prosecutions and undertakings. The Tracker shows that the total sum of fines increased from 2017, but the number of ICO enforcements fell to 67 in 2018 from 91 in 2017.

Read More

Canada proposes to increase penalties for tech giants in its Digital Charter

By Cameron Abbott and Rebecca Gill

The Canadian federal government has proposed to introduce a combination of fines for companies that violate privacy laws, in order to rein in the growing power of Silicon Valley tech giants.

Canada’s Innovation Minister recently announced a 10-point Digital Charter that aims to provide more transparency into how companies collect and use personal information and stronger rights for consumers to consent to the use of their data. Key principles of the Charter include giving Canadians control over their data, promoting ethical use of data, ensuring that the online marketplace is competitive to facilitate growth of Canadian businesses, and implementing “meaningful penalties” for violations of privacy laws.

Read More

Sharing of ‘abhorrent violent material’ now an offence under new laws

By Cameron Abbott, Michelle Aggromito and Rebecca Gill

Governments around the world are imposing more responsibilities on tech providers to deal with online harms. In response to the recent attacks in Christchurch, in which a gunman livestreamed on Facebook his attack on a mosque, the Australian Government recently enacted the Criminal Code Amendment (Sharing of Abhorrent Violent Material) Act 2019 (Cth) (Act). The Act, which commenced on 6 April 2019, was pushed through swiftly and has a broad reach.

Under the Act, internet, content and hosting service providers must refer details of any ‘abhorrent violent material’ that records or streams ‘abhorrent violent conduct’ to the Australian Federal Police. Abhorrent violent material is material that is audio, visual or audio-visual, and that records or streams ‘abhorrent violent conduct’. Such conduct includes acts of terrorism, murder, attempted murder, torture, rape and kidnapping.

Read More

Consumer Data Right Draft Rules – submissions closing soon

By Cameron Abbott, Rob Pulham and Rebecca Gill

The deadline for submissions on the ACCC’s draft Competition and Consumer (Consumer Data) Rules 2019 (Draft Rules) is fast approaching. The ACCC is seeking feedback from community organisations, businesses and consumers on the approach and positions of the Draft Rules for the Consumer Data Right (CDR) regime until this Friday, 10 May 2019.

Key aspects of the Draft Rules (which are available on the ACCC’s website) include:

  • the three ways in which CDR data may be requested;
  • the requirements for consent to collect CDR data;
  • rules relating to the accreditation process; and
  • rules relating to the thirteen privacy safeguards for CDR data.
Read More

PROPOSAL TO INCREASE PENALTIES FOR PRIVACY BREACHES

By Cameron Abbott and Rebecca Gill

In light of concerns over how personal data is being used by social media platforms and tech companies, the Commonwealth Government has proposed amendments to the Privacy Act in order to more harshly penalise companies for privacy breaches. The new regime, which aims to update Australia’s privacy laws in line with increased social media use, will see tougher penalties for all entities that are subject to the Privacy Act, not just the headline companies like Google and Facebook.

The Commonwealth Government proposes to increase the penalties for serious or repeated breaches by such entities from $2.1 million to $10 million, or three times the value of any benefit obtained through the misuse of information, or 10 per cent of a company’s annual domestic turnover – whichever is the greater value.

Read More

To encrypt or not encrypt? That is the question

By Cameron Abbott and Ella Richards

In response to the new controversial anti-encryption laws, Australian tech heavyweights have banded together to kick and scream over the restrictive implications the laws are already having on their industry.

Quick history lesson; the Assistance and Access Bill permit law enforcement to demand companies running applications such as Whatsapp to allow “lawful access to information”. This can be through either decryption of encrypted technology, or providing access to communications which are not yet encrypted. These ‘backdoors’ are intended to provide the good guys with the opportunity to fight serious crime, however there’s serious fear that in reality, these doors could throw out privacy or let in unwanted guests.

While the legislation states that backdoors should only be created if it doesn’t result in any ‘systemic weakness’; this is yet to be defined in a concrete and informative way. Industry points out that once created any such measure has the potential to be exploited by others. There is no such thing as a “once” only back door.

There is little doubt that this will end up in litigation as larger industry players challenge the abstract concepts in the legislation against the reality of their technology.

StartupAUS, an industry group of tech executives, have made several recommendations to amend the legislation. Even though they’re not holding their breath for any significant changes, they’re demanding more transparency around the requirements. Their recommendations include scrapping the requirement for an employee to build capabilities to intercept communications, tightening the scope of ‘designated communication providers’, giving oversight on how companies will be targeted and increasing what constitutes a ‘serious offence’.

Australia’s legislative response to the problem faced by law enforcement is one of the most heavy handed in the democratic world, and now has the world of technology companies with their significant impact on our economy watching the latest debate on reforms with great concern.

Biggest data leak in German history

By Rob Pulham, Warwick Anderson and Wendy Mansell

A 20 year old German man orchestrated a serious and sophisticated data breach which affected more than 1000 people.

The attack was focused on German and European politicians at all levels including German Chancellor Angela Merkel, President Frank Walter Steinmeier and hundreds of public figures and celebrities.

The 20 year old hacker took to Twitter to drip feed the information depicted as an advent calendar by releasing new data each day in December. Information exposed included contact details, credit card and financial information, chat records, photographs and other personal information.

Reuters’ reported that the hacker is a student who lives at home with his parents, has no formal computer education and was motivated by irritation over statements made by politicians and public figures.

The widespread nature of this attack has resulted in a number of government officials calling for tighter laws.

It is clear that no-one is safe from a data breach – even those elected representatives who enact the laws designed to protect against them.

What do you need to know about the encryption killing legislation?

By Cameron Abbott and Wendy Mansell

There are now three ways a government agency can gain access to encrypted information:

1. ask you to voluntarily help them
2. demand your help
3. force you build new functions in your systems to help them

As a company if you don’t comply you could be hit with a fine of up to almost $10 million dollars.

You do have a defence though – if the requests will undermine your encryption systems, making them inherently less secure you do not have comply.

If you would like to know more about how the new legislation will affect you feel free to contact us for any assistance or information.

Cybersecurity: location, location, location

Authors: Cameron Abbott and Sara Zokaei Fard

According to a report published by BitSight on 4 December 2018, “Are the New European Cybersecurity Regulations Working?”, Europe is one of the only exceptions to a global decline in security performance. There are regular occurrences of cybersecurity compromises around the world, with some sectors such as Technology consistently performing weaker than others. Companies in the Finance sector continue to be the world’s strongest cybersecurity performers, due to their high regulative overlay. While “continental cybersecurity performance continues to decline”, in Europe, cybersecurity performance is improving to an extent unlike any other continent in the world.

The General Data Protection Regulation (GDPR) officially went into effect in the European Union in May 2018. The GDPR is a landmark European Union law, that sets significant punitive fines at up to 4% of global revenue if organisations do not implement a broad set of cybersecurity requirements in certain circumstances. In the months following the implementation of the GDPR, European security performance has consistently improved and now significantly surpasses all other continents. In this same time frame, Oceania’s cybersecurity performance has spiralled downwards.

BitSight states “the chorus for GDPR-style regulation is growing internationally”. The statistics certainly support this.  However others argue that countries like the US demonstrate significant competitive advantage in developing highly valuable big data and social media intellectual property because of the lower regulatory environment encouraging innovators.  The value to economies of these industry segments is significant.

Copyright © 2019, K&L Gates LLP. All Rights Reserved.