20 October 2012

Australian Data Breach Consultation

The Commonwealth Government has released its Australian Privacy Breach Notification discussion paper [PDF] regarding potential introduction of mandatory data breach notification. Submissions are sought by 23 November 2012.

The Attorney-General's media release indicates that "it was timely for a public discussion on how legislation might deal with data breaches, such as when private records are obtained by hackers. Australians who transact online rightfully expect their personal information will be protected". Quite so.

In the introduction to the paper the Attorney-General comments that -
One of the ALRC’s [2008 For Your Information: Australian Privacy Law and Practice] recommendations was that a mandatory data breach notification scheme be introduced. In responding to this recommendation, the threshold question that must be asked is whether the introduction of such a scheme is warranted. For example, it may be the case that the existing voluntary guidelines issued by the Office of the Australian Information Commissioner are working effectively enough. If there is to be a mandatory data breach notification scheme, how do we make sure it gets the balance right between the public interest in mitigating the adverse effects of data breaches while ensuring we do not create an overly burdensome compliance requirement on entities that make their business from collecting, storing and using personal information?
The paper indicates that
A data breach occurs when personal information is improperly accessed, obtained, used, disclosed, copied or modified. 
It goes on to comment that
There have been several significant and high-profile data breaches in recent years. 
As noted recently, at least one of those breaches appears to have completely bypassed the attention of AFP cybercrime czar Gaughan, perhaps because he has been busy misconstruing German data protection law.

The paper asks what notification requirements government agencies and large private-sector organisations should have to meet when they suffer a data breach, including -
  • Should Australia introduce a mandatory data breach notification law? 
  • What kind of breaches should trigger notification requirements? 
  • Who should decide whether notification is necessary? 
  • What should be reported and how quickly? 
  • How should a notification requirement be enforced? 
  • Who should be subject to a mandatory data breach notification law?
  • Should there be an exception for law enforcement activity?
The paper advances seven arguments in favour of 'retaining the existing position', ie not implementing mandatory data breach notification -
  • the additional costs of compliance for entities would be too onerous; 
  • there are sufficient commercial incentives for entities (eg reputation) to have high standards of data security and to voluntarily notify the OAIC where appropriate; 
  • the voluntary OAIC guidelines are operating effectively, and more entities are using them after voluntarily contacting the OAIC; 
  • many organisations do not have the capability of detecting whether data loss has occurred, and whether there has been a significant impact or harm caused by such data loss; 
  • some organisations already voluntarily report certain categories of incident to law enforcement agencies and CERT Australia; 
  • the connection between data breaches and identity theft has been criticised as being overstated; and 
  • data breach disclosure laws have marginal effect on the incidences of identity thefts.
The incidents highlighted in this blog over the past three years (eg involving Medvet, Sony, AICD, Vodafone, Telstra and other blue chips) suggest that several of those arguments are problematical.

The paper goes on to articulate "four broad goals" regarding mandatory data breach notification.
A. Mitigation of consequences of breach
First, by providing advice to those who have had their privacy infringed, that person will have an opportunity to take corrective action to change or otherwise ‘resecure’ the information. This could be called the ‘mitigation objective’. For example, to change passwords where those passwords have been hacked or to cancel credit cards if their details have been stolen. The ALRC considered this to be the primary goal to be achieved. However, such a rationale shifts the onus away from the organisation that has suffered the breach and onto a person who may be ill-equipped or unable to correct the consequences of the breach. For example, in cases where an individual’s health information has been accidentally uploaded to the internet, it may not be possible to rectify the breach even if it has been subsequently taken down.
B. Deterrence/incentive to improve data security
Secondly, requiring notification may act as an incentive to the holders of personal information to adequately secure or dispose of that information. In other words, the adverse publicity occasioned by a notification may deter poor handling of such information, and increase the likelihood that adequate and reasonable measures are taken to secure it. This could thus be called the ‘deterrent objective’. The ALRC viewed this as more of a secondary objective, although it has been part of the rationale for data breach notification laws in many other jurisdictions. With respect to agencies, this objective is consistent with guidelines issued by the Government under the Protective Security Policy Framework. These guidelines highlight the need for agencies to understand and address their responsibility to minimise the risk to the public when transacting online with the Australian Government. The failure by an agency to adequately notify the public of a data breach could place the public at risk. A mandatory data breach notification requirement would ensure all agencies take action to minimise the risk of harm to the public.
C. Tracking of incidents and provision of information in the public interest
A third goal would be to provide better information to government and the public on the scope and frequency of data breaches. This ‘informational objective’ is essentially a correction of the market failure by which organisations have insufficient incentives to disclose incidents of data loss, even though such losses may cause harm to others.
D. Maintaining community confidence in legislative privacy protections
Finally, there is what could be called a ‘public confidence’ objective. Even where the harm of a data breach to individuals is minimal, there is a chance individuals will feel deceived or disempowered in the absence of notification. Mandatory data breach notification may bolster public confidence that the Government is taking individual privacy rights seriously.
We need more than mandatory reporting, underpinned by penalties for non-reporting or dilatory reporting. Tony Burke, ag chief of the Australian Banking Association, is reported as commenting that mandatory data breach reporting would lead to
 an unwarranted loss of confidence in Australia’s payment systems to the detriment of all.
Attempting to notify individuals potentially affected could lead to significant levels of community concern, disproportionate to the actual level of risk, which could well be zero. 
Mandatory reporting in isolation may well lead to what I have elsewhere characterised as data breach fatigue. What is essential is attitudinal change among data custodians, through public shaming and penalties that are sufficient to motivate organisations to safeguard personal information: for example, through adequate vetting of staff and partners and through maintenance of network intrusion detection systems.

Fakers

The SMH reports that "A Bangladeshi national faces up to 35 years behind bars after being arrested and charged by Australian Federal Police over false identification charges".

Md Mahfuzur Rahman was reportedly charged with
  • being in possession of over $100,000 in the proceeds of crime, 
  • four counts of possessing a false foreign passport (a maximum jail sentence of 10 years),
  • one count of being in possession of false identification (maximum sentence of five years).
It is alleged he was in possession of a passport stating he was born in 1987. However his fingerprints allegedly match those of a person with the same first and last name but different middle name, born in 1979.

The brief account provides insufficient information for much analysis and Rahman has of course been reportedly charged rather than convicted, so we can only speculate about the $100k.

Potential precedents for prosecution under s 21 of the Foreign Passports (Law Enforcement and Security) Act 2005 (Cth) for possession of a false foreign passport include Tomov v The Queen [1011] WASCA 189, Nikaghanri v The State of Western Australia [2009] WASCA 192 and Salman v Director of Public Prosecutions (Cth) [2011] NSWCCA 192.

Finnis's Justice

'What is the Philosophy of Law?' asks John Finnis in 1 Rivista di Filosofia del Diritto (2012) 67-78.

The answer it seems is that the philosophy is that expounded by Finnis in an echo of de Maistre. He claims that -
The philosophy of law is not separate from but dependent upon ethics and political philosophy, which it extends by that attention to the past (of sources, constitutions, contracts, acquired rights, etc.) which is characteristic of juridical thought for reasons articulated by the philosophy of law. Positivism is legitimate only as a thesis of, or topic within, natural law theory, which adequately incorporates it but remains transparently engaged with the ethical and political issues and challenges both perennial and peculiar to this age. The paper concludes by proposing a task for legal philosophy, in light of the fact that legal systems are not simply sets of norms.
If, like me, you are underwhelmed by the way that Finnis confuses personal idiosyncrasies for timeless truths, you might want somewhat more substance than a whinge about the supposed "oppression of critics of homosexual conduct" or scarewords such as communism.

Finnis concludes
Though, as has been said above, law and legal philosophy has a quasi-distinct domain and technical character, the very idea (concept) of law (an idea without which no laws will be made or maintained) is so dependent upon wider principles of moral and political thought and philosophy that neither law nor its philosophy can avoid engagement with the ethical and political issues and challenges of the age. Particular aspects of our law’s content (including its procedural rules and institutions) can ameliorate, or in other cases harm and exacerbate, our community’s common good. The legal instrumentarium can, not infrequently, provide an easy route to destructive social changes, as the apparatus of human rights litigation has, in many places, provided an easy route to abortion, euthanasia, damaging immigration, and same-sex marriage, to the oppression of critics of homosexual conduct, and to other destructive evils. But what social elites desire can very often be achieved without much resort to that instrumentarium, or even in defiance of it. 
It seems to me that the task of legal philosophy today is twofold. It must keep clear its intrinsic relationship with, and dependence upon, all the truths of moral and political philosophy, not least by providing a constant critique of every form of legal philosophy that denies or distorts that relationship. And by its mastery, and its foundational explanatory understanding, of the law’s technical instrumentarium it must remain in a position to criticize and expose – in the hope of deflecting – every manipulation of it for purposes destructive of the common good, a good that includes but is not exhausted by the upholding of juridically cognizable rights. 
Of special importance in the coming decades will be a recovery of awareness amongst legal philosophers that law’s paradigmatic form, the ius civile, is the law of a people, posited by a constituent act (or constitutive custom) and ongoing legislative acts of their self-determination as a people, acts which can and should be consistent with their obligations to do and respect right (human rights, as contained in the ius naturale) and their responsibilities towards other peoples and those other peoples’ self-determination, rights and needs. Just as countless thinkers in the nineteenth and twentieth centuries too casually assumed the justice of communist notions of a propertyless community, notions inadequately attentive to the long-term conditions of a sustainable, prosperous and just society of free persons, with the result that countless millions of people suffered more or less directly from the application in their polities of these errors of practical thought, so likewise many thinkers today too casually assume (explicitly or implicitly) the justice of quasi-communist notions of a borderless humanity, notions incompatible with the long-term conditions of a sustainably just and civilly free political order and Rule of Law. Even in the short term, this kind of error of practical thought results in the kind of political community increasingly familiar, whose peoples’ multi-cultural internal diversity of ultimate allegiances is both promoted and countered by an ever-growing apparatus of security and surveillance, a severe diminution in freedom of political and intellectual discourse, and an explosion of law-making and regulatory bureaucracy indifferent to the benefit of having a society whose self-determination takes in large measure the form of that sharing of expectations which Ulpian and Aquinas called common custom. 
Practitioners of the philosophy of law may be especially susceptible to this kind of error, to the extent that they envision legal systems simply as sets of norms, rather than as the principles, norms and institutions adopted by a people extended in time and in territorial bounds, in more or less adequate fulfilment of its moral responsibility to do so.

FIM and its discontents

'Economic tussles in federated identity management' by Susan Landau & Tyler Moore in (2012) 17(10) First Monday considers federated identity management (FIM), which "enables a user to authenticate once and access privileged information across disparate domains".
FIM’s proponents, who see the technology as providing security and ease of use, include governments and leaders in the IT industry. Indeed, a cornerstone of the current U.S. government’s efforts to secure cyberspace is its “National Strategy for Trusted Identities in Cyberspace” (U.S. Department of Commerce, 2011). Yet adoption of federated identity management systems has been slow.
From disputes over liability assignment for authentication failures to concerns over privacy, there have been many explanations for the slow uptake of federated identity management systems. We believe the problem is embedded in stakeholder incentives. We present an economic perspective of stakeholder incentives that sheds light on why some applications have embraced FIM while others have struggled. To do so, we begin by briefly analyzing seven use cases of successful and unsuccessful FIM deployments. From this we identify four critical tussles that may arise between stakeholders when engineering a FIM system. We show how the successful deployments have resolved the tussles, whereas the unsuccessful deployments have not.
Landau & Moore conclude -
In seeking to understand why federated identity management systems have not yet succeeded in the broad way anticipated at the beginning of the last decade, many have pointed to the uncertainty surrounding liability as a major obstacle. We believe this mischaracterizes the problem. Instead, we have argued that liability fits within a larger set of economic tussles that arise between stakeholders in any engineered system.
In order for a federated identity management system to succeed, all parties in the system must gain. Otherwise at least one has no incentive to participate. A user has to gain through ease of use, access to more services, greater privacy, or improved security. A Service Provider has to gain by acquiring more user data (the Facebook model), in the ability to reach larger markets, or by insulation from liability for failures (as happens in some instances of credit card usage). An Identity Provider must also gain from the system. The gain in control of user data and of the user authentication process are obvious benefits to the Identity Provider, but those gains must be offset by granting some benefits to the Service Provider and user.
Considering the situation from the economic perspective of gain, it is clear that the early enterprise–oriented systems such as the Liberty Alliance protocols did not provide sufficient value to the individual so as to create widespread adoption (e.g., in the open Internet). However, certain instantiations such as InCommon or the NIH Federated system did provide such benefits; in those cases, uptake was high (it might be argued that in those two instances the users did not have alternatives, but the fact remains that the systems provided clear advantages to users).
Privacy, interpreted here as user control over personal data collection, should also be viewed from this perspective. Upon examining what has been produced in the market so far by OpenID, Facebook, and Google+, users have been ignored in the tussle over who controls user data. To handle this, some have proposed identity management systems such as Higgins (2009) or User Managed Access (Kantara Initiative, 2011), in which control over transactional information resides with end users, who control what data to share with Identity and Service Providers. The issue of control is a complicated one. Ease-of-use and user-data privacy are often in conflict. The success of the Kantara Initiative User Managed Access and similar projects depends critically on easy methods for users to control their data.
Government regulators and policy–makers also have a role to play if user privacy is to be included in successful systems. Here European data privacy commissioners have been active; their negative response to Passport and positive one to the Liberty Alliance protocols were important in the early days of federated identity management systems. We suspect that the best prospect for achieving user privacy in future FIM deployments will require an active role by policy–makers in advocating on behalf of users, who are largely voiceless in current debates over FIM proposals. The recent Facebook IPO, and the new economic pressures that will result from the social network becoming publicly owned, may accelerate regulators’ efforts in user privacy protections.
What are the lessons for the future?
Federated identity management systems exhibit a number of economic tussles, of which liability for failures is only one. As in any complex engineered system, the tussles cannot be resolved separately. Liability must be viewed as part of a larger set of economic conflicts occurring between the user, Identity Provider, and Service Provider. This provides an opportunity for resolving the liability problem, which properly belongs in the context of other tussles. Seeing liability this way creates opportunities for compromise. We are therefore optimistic that taking the broader view of all tussles may actually simplify the liability problem.
Another way to put this is that if the Identity Provider accrues (most of) the benefits, it would be natural to also expect the Identity Provider to accrue (most of) the risk. At one level, that is obvious; at another, by isolating the various tussles, this provides room to determine the bargaining that must arise between the three players. Of these, only two, the Identity Provider and Service Provider, are typically in the explicit negotiations; the users, of course, walk with their feet (or in this case, their fingers).
Another observation is that the payment–card networks have largely overcome liability issues between stakeholders and deployed a highly successful, if technically imperfect, system. When systems have failed to succeed commercially, it is usually caused by an unfair distribution of responsibilities and benefits between Identity Providers, Service Providers and users. One cannot expect any technology, including FIM, to solve irreconcilable incentive incompatibilities on its own. The key to success lies in setting the rules of the platform so that each stakeholder derives benefit from cooperation.
A key function of payment–card networks in e-commerce has been their ability to authenticate users for completing transactions. The early participation of American Express in the Liberty Alliance shows that even though there is less active participation now, there was initial interest by the payment-card industry in federated systems.
Payment-card networks already provide a usable solution to authenticating payments, the primary requirement of many e-commerce applications. This weakens the business case for many aspiring identity-management solutions, particularly given the strong network effects present in two-sided markets and the high fixed costs of deployment. Furthermore, a widely deployed FIM system might commoditize payment processing, particularly if their main competitive advantage is ubiquitous authentication of cardholders.
Thus we conclude with an open question: can payment-card networks peacefully coexist with a successful, widespread deployment of a federated identity management system, or will the present success of payment-card networks prevent federated identity management systems from taking off in the open Internet?

19 October 2012

A Meat Pie Anton Piller Order

A nice instance of the Anton Piller order in Australian Football League & Ors v Hard On Sports & Ors [2012] VSC 475 regarding trade marked sporting memorabilia.

The Court notes that
Australian football is one of the most popular sports in Australia, and attracts a very large number of supporters throughout the country who follow the AFL Competition and support a favoured AFL Club. 
The following may be described as the relevant “meat-pie” statistics: in 2011, there were approximately 800,000 registered participants playing the sport in Australia. An additional 45,000 registered participants play Australian football in countries outside of Australia. In 2011, the national television audience of AFL matches was approximately 4.7 million each week. The AFL Grand Final is estimated to attract a worldwide broadcast audience of over 30 million people. An aggregate of 6.763 million people in 2005, 6.736 million in 2006, 7.05 million in 2007, 7.082 million in 2008, 6.985 million people in 2009, 7.147 million people in 2010 and 7.139 million people in 2011 attended matches conducted by the AFL.
I accept that by reason of the popularity of Australian football, the AFL Competition and AFL Clubs, there is demand amongst AFL Supporters for memorabilia relating to the AFL Competition and AFL Clubs and their players (“AFL Players”), particularly memorabilia signed by AFL Players, including signed guernseys, shorts, football boots and other playing apparel, posters, prints, cards, photographs, lithographs and plaques, many of which are placed in frames for hanging on walls (“AFL Memorabilia”).
The AFL holds 278 registered trade marks relating to the AFL Competition and the AFL Clubs, including the word AFL, the full and shortened name of each AFL Club (eg Collingwood Football Club and Collingwood Magpies), the nickname of each AFL Club (eg Magpies) and images of the AFL premiership cup and the Brownlow Medal, each registered in respect of a broad range of goods and services that include paper, cardboard, posters, printed matter, albums, autograph books, photographs, mounted photographs, picture frames, works of art, signboards, display boards, display stands and show cases, clothing, leisure wear, sportswear, uniforms, shirts, sports shirts, jumpers, sweaters, guernseys, jerseys and associated wholesaling/retailing.

Hard On Sports [HOS] and its "controlling mind and will" Mr Sumiga are alleged to have engaged in sale of unauthorised AFL products. The Court noted claims that
The memorabilia market in Melbourne has a number of unlicensed suppliers of memorabilia that use AFL Images and AFL Trade Marks and engage directly with players or through their management companies to secure signatures outside of the conditions of the current AFL Commercial Operations Guidelines. The obtaining of these signatures is done without the knowledge or approval of the AFL. … 
HOS has 30,000 to 40,000 pieces of memorabilia on site. The Official AFL Memorabilia program only sells 7,000 to 10,000 pieces a year. While HOS also deals in memorabilia for other sports, its stock holding is 90% AFL products. … 
Australian football supporters who wish to purchase Official AFL Memorabilia knowing that the funds from their purchase will go back to the game and their AFL Club are misled when they purchase unofficial AFL memorabilia. He says on the other hand, no funds from unofficial AFL memorabilia go back to the AFL and by extension to the AFL Clubs. The funds are usually distributed to the players who sign the unofficial AFL memorabilia outside the terms of the official process, the person who arranged for the creation of the product and the retail outlet that distributes the product. [C]onsumers don't easily recognise the difference between Official AFL Memorabilia and unofficial memorabilia especially where they are designed to look the same.
Given concerns about loss or 'leakage' of the contested products in litigation involving claims of passing off, copyright infringement, trade mark breaches and other matters the Court made an Anton Piller order as follows -
Interlocutory injunction 
The Defendants and each of them, whether by themselves, their servants, agents or howsoever otherwise, be restrained until the trial of the proceeding or further order from procuring the creation of, keeping, distributing, offering for sale or selling memorabilia which is not authorised by the AFL, including:
(a) guernseys bearing AFL Trade Marks which were applied without the AFL’s consent; 
(b) guernseys, shorts, football boots and other playing apparel signed by current or former AFL Players placed in frames bearing trade marks which are substantially identical with or deceptively similar to AFL Trade Marks including “AFL”, AFL club names, club nicknames, club logos and/or images of the AFL premiership cup or Brownlow or Norm Smith medals; 
(c) posters, prints, cards, photographs, lithographs and plaques: (i) incorporating reproductions of substantial parts of AFL Photographs; and/or (ii) placed in frames bearing trade marks which are substantially identical with or deceptively similar to AFL Trade Marks including “AFL”, AFL club names, club nicknames, club logos and/or images of the AFL premiership cup and/or Brownlow and/or Norm Smith medals.
Search Orders (pronounced on 9 October 2012)
By 10 October 2012, the independent solicitors deliver to the Plaintiffs' solicitors:
(a) all of the things retained pursuant to undertaking (3) given by the independent solicitors in Schedule B to the search order of Justice Vickery made on 10 September 2012 (Search Order) save that the Plaintiffs shall return to the Defendants from whose premises such goods were obtained any irrelevant documents, within 7 days of receipt of the above listed things; and 
(b) the keys to the locks to the storage unit rented by the independent solicitors at Kennards Self Storage located at 159 Racecourse Road, Flemington, Victoria (Storage Facility).
The independent solicitors be otherwise released from undertaking (3) given in Schedule B to the Search Order. 
The Plaintiffs' solicitors keep secure each thing delivered up to them pursuant to paragraph 1 of this order and they only use these things for the purposes of this proceeding. 
The Plaintiffs' solicitors are permitted to make copies of any documents or photographs of any things (as the case may be) and may disclose to the Plaintiffs any information that is acquired from reviewing these things and provide the Plaintiffs with copies of such documents or photographs. 
Until trial or further order of the Court, the Plaintiffs' solicitors are to retain the keys to the locks to the Storage Facility.

Pharma Patents

A step to the left, a step to the right, shake it all about. Alongside the Productivity Commission's review of compulsory licensing of patents (and after reviews by ACIP) the Australian government has announced a review of pharmaceutical patents, presumably reflecting debate in Europe about the 1992 Supplementary Protection Certificate (SPC) regime, ie short term extension for pharmaceuticals of patent protection, questioned in the Medeva decision. (Section 70 of the Patents Act 1990 (Cth) provides for a 5 year extension for pharma inventions beyond the 20 year term for a standard patent.)

The review is to be undertaken by a three member panel: Tony Harris (former NSW Auditor-General) as Chair, Professor Dianne Nicol (Associate Dean, Research, Law Faculty at the University of Tasmania) and Nicholas Gruen (CEO of Lateral Economics and last mentioned in this blog regarding the fatuous Government 2.0 report).

The review will involve consultation with stakeholders and public submissions.

The Terms of Reference indicate that
The review will evaluate whether the system for pharmaceutical patents is effectively balancing the objectives of securing timely access to competitively priced pharmaceuticals, fostering innovation and supporting employment in research and industry. 
Central to this will be an analysis of the pharmaceutical extension of term provisions of the Patents Act 1990 (s.70). The review will also consider whether there is evidence that the patent system is being used to extend pharmaceutical monopolies at the expense of new market entrants. 
In doing this, the review will consider how patents for new formulations are granted, consider the treatment of new methods of manufacturing and new uses of known products, the impact of contributory infringement provisions and the impacts of extending patent monopolies on entry of generic pharmaceuticals into the market. 
Should such evidence be found, the review should provide an assessment of the subsequent impact on competition, innovation and investment.
The panel is expected to provide a final report to Government in early 2013.

In conducting the review and making recommendations the panel is to have regard to:
  • The availability of competitively priced pharmaceuticals in the Australian market 
  • The role of Australia's patent system in fostering innovation and hence to bringing new pharmaceuticals and medical technologies to the market 
  • The role of the patent system in providing employment and investment in research and industry 
  • The range of international approaches to extensions of term and arrangements for pharmaceutical inventions 
  • Australia's obligations under international agreements (including free trade agreements and the World Trade Organisation agreements) 
  • Australia's position as a net importer of patents and medicines 

18 October 2012

Data Retention Questions

In discussing the development of the new Australian data retention regime I have recently noted the claim by the Australian Federal Police that people can and should trust that organisation.

That claim is somewhat at odds with testimony to the Senate Legal & Constitutional Affairs Legislation Committee at the 16 October Estimates hearing (video here).

One example is the exchange between Senator Ludlam, AFP Commissioner Negus and AFP Assistant Commissioner (and cybercrime czar) Gaughan.
Senator Ludlam: Are you aware Telstra were recently logging all 3G users' web access over their mobile network and were sending the information to an overseas server for the development of some kind of new filtering product? There have been suggestions that this behaviour by Telstra was in breach of the TIA act and warranted investigation by the federal police. Can you fill us in: firstly, are you aware of the breach I am referring to? 
Mr Negus: I will get the head of our high tech crime unit to come to the table and perhaps give us some more details. 
Mr Gaughan: Senator, this is the first I have heard of that, and I am in regular contact with Telstra. 
Senator Ludlam: True? Okay. Is it the first you have heard that the AFP's intervention was called for, or the first you have heard of that data breach? 
Mr Gaughan: It is the first I have heard of the data breach. 
Senator Ludlam: That is interesting. It might help if I table some material so that you know what I am referring to. I am aware that a number of people did make complaints. It was effectively transferring traffic on Telstra's network to a cloud-hosting provider in the United States, which then potentially exposed Australian data to the Patriot Act, which obviously has very different ideas around privacy protection than we do here. A number of constituents that I am aware of did receive traffic back from the AFP saying, 'We have to prioritise. Our case load is very heavy; we will not be investigating this one.' But, if you are not aware of that, I might come back to that later and give you some material to work with. To whoever wants to take these questions: I am just referring to the national security inquiry that is underway at the moment and is before the joint committee.
It is disturbing, to say the least, that the AFP officer who is assuring us that the organisation is trustworthy and that the proposed legislation is benign seems to have no knowledge of a practice that received major coverage in the mass media and the specialist media and was examined by the Privacy Commissioner.

The testimony continued with Senator Ludlam stating
I am aware you gave evidence on 26 September with a number of other commissioners from around the country … Can you tell us about the AFP's role in the lead-up to the announcement of this committee? Did you play some part in forming the terms of reference or provide material for the discussion paper that came with the committee? ... 
Mr Negus: Yes, we certainly could have a look now and get back to you very shortly about that. It was a few days before my appearance. 
Senator Ludlam: All right. Great. Obviously I have got quite a keen interest in this one. You are giving evidence to the joint committee now, which is good. 
Mr Gaughan: We have been involved from the outset in relation to this particular issue, working with the Attorney-General's Department and other Commonwealth agencies, in relation to preparing the discussion paper that was put forward before the committee. Obviously, as a user of the telecommunications interception act, we have a strong interest in where this goes. There have been a number of different meetings convened over the period of time before this paper went forward. There is working group level, where the people are talking about exactly the content of a proposed bill, and there are also more senior discussions in relation to some of the strategic issues that are currently before that committee. 
Senator Ludlam: All right, thank you. Now I am aware that this, at least from the Attorney General's Department's point of view, goes back a number of years: four meetings that they had convened with telecommunications providers. Were the Federal Police involved in those meetings? 
Mr Gaughan: I have certainly been involved in some of those meetings. That has been with some of the larger telcos, particularly Optus, Telstra, Vodafone and Hutchison in South Australia. Some of those meetings I have been involved in and others I have not. That question is probably best answered by the department. 
Senator Ludlam: No, as for the Federal Police's involvement, they would refer me back to you. Are those meetings ongoing, or have they lapsed while the joint committee does its work? 
Mr Gaughan: I have not been involved in a meeting of that nature for at least six months. 
Senator Ludlam: Okay. Does that mean they are not occurring or your involvement has ceased? 
Mr Gaughan: My involvement is not occurring. Whether they are still happening would be a matter for the department. 
Senator Ludlam: You recently sent Deputy Commissioner Phelan around the country. I am just going to cite briefly from the evidence that you gave a week or so ago. You sent the Deputy Commissioner: ... around the country and he spoke to every jurisdiction about the issues we saw as being important for Australian law enforcement. Why have you done that? Why has the Deputy Commissioner been tasked to do that? 
Mr Negus: Because it was a federal committee, we basically saw that someone needed to take a bit of a leadership role from the law enforcement perspective. It is one of the reasons I asked my fellow commissioners to appear together, so that we could have a bit of a united front, if you like, and put forward those issues from the law enforcement perspective. So, because, as I said, many of the states and territories do use interception and are involved in this process but do not really have a voice, other than providing a submission to the committee, we sent Deputy Commissioner Phelan around to talk to them about issues that we thought were important, seek them and encourage them to actually put a submission into the committee, which most of them did, and answer any questions they may have about how this process is undertaken at a federal level. 
Senator Ludlam: And that evidence, or some of it at least, is now on the public record. 
Mr Negus: I have to say, too, that we put a public submission to the committee—and, again, that is available on the website—and our position is very clear with regard to what we are trying to do here. The information that was provided in camera by Deputy Commissioner Phelan and Assistant Commissioner Gaughan was very much about the operational examples of these issues around methodology. So there was nothing untoward in that regard; it was more things that we would not put on the public record because of our operational capability. 
Senator Ludlam: Yes, I understand that. So that material is also beyond the reach of this committee while we are in public session. I am just interested in the idea that you would send a deputy commissioner around the country to get everybody onto the same page before you gave evidence. 
Mr Negus: I see this as one of the most important strategic issues for law enforcement in the next decade. If we do not get this right, balancing the privacy obligations and the privacy principles that underpin the TI Act 1979, then from a law enforcement perspective, the Australian public are going to have an outcome which is going to be suboptimal. Organised crime, terrorists and other things will get an advantage that I do not think had been anticipated in this regard. We are not seeking additional powers; all we want to do is modernise the TI Act to the context of what is really the communications and telecommunications industry of today. In 1979 when this act was launched, I do not think anyone could have foreseen what this would become in the way that people would communicate in 2012 and beyond. We want something that is technology neutral. We want to protect people's rights and liberties. We do not want additional powers. We still want to make sure that people are obliged to go and seek a warrant from a judicial officer to get content data. But the non-content data—and they are the things that we have been talking about here around the fact that a telephone conversation took place, where it took place and what the numbers were—are the sorts of things that we see as really important to get some consistency across telecommunications carriers and other areas through the use of quite legitimate law enforcement.
Given the vagueness of the proposals, noted in this blog and in articles in the Privacy Law Bulletin, there is substantive concern regarding the meaning of that non-content data (aka telecommunications traffic data).
Senator Ludlam: Could you provide us with your working definition, written or otherwise, of non-content data? 
Mr Negus: Absolutely. In fact, I have one written down. We could actually tender one. The department has one here which we have worked on. 
Senator Ludlam: I would appreciate that. 
Mr Wilkins: We have a definition here that is probably useful. Particularly if you are going to talk to us and some of the other agencies about the same topic, it is actually important that we make that available to you. 
Senator Ludlam: I would greatly appreciate that, with the consent of the chair. 
Mr Wilkins: It is a folio, really. 
Mr Negus: I agree that it would be useful to table this, because there has been a lot of confusion in the media reporting about what is content and non-content data. I think it has unfortunately alarmed many people that some things would be looked at by law enforcement when in fact that is not exactly the case.
That "confusion" extends to the legal community and is not wholly an attribute of media reporting.
Senator Ludlam: It certainly alarmed me and I will go into a bit of detail as to why. Chair, are you happy for that material to be tabled and circulated? 
CHAIR: Yes, that is fine. 
Senator Ludlam: Great. Can I just summarise a sketch without having seen the document that you are about to circulate? Is it the case that the definition of non-content data is basically anything except the content of the communication itself, or is it a bit more technical than that? 
Mr Negus: Have a look at the definition first, Senator. 
Senator Ludlam: All right. We come back to that in a moment then. Do you think it is appropriate, Commissioner, that that material is at the moment being applied for a bit under two dozen agencies—as the TI(A) Act annual report describes, without any warrants at all? You actually provided us with the paperwork that the AFP is obliged to go through to obtain those. Do you acknowledge that no warrants are required? 
Mr Negus: That is right. As I think I have said to you before, I think the AFP applied for 23,000 of these last year. So if you were wanting to grind the AFP to a halt, then you should implement a warrant scheme to actually do non-content data application—because 23,000 of these would require 23,000 judges to consider affidavits for those to be prepared and for those to be granted. It is an unrealistic expectation. I think there are certainly significant safeguards in place and I am confident that internally within the Australian Federal Police we actually provide a level of scrutiny and accountability to that that we treat very seriously. 
Senator Ludlam: Can you tell me why you think it is appropriate that suspects need to be named and targeted and serious crimes need to be under investigation and warrants need to be applied for for a direct intercept of a phone call but detailed locational data, moment by moment, of exactly where I am at every given moment of every day, should not have any warrant or any of those preconditions applied? Why is one worthy of such protection and the other one is not? 
Mr Negus: One is a far greater intrusion into an individual's personal discussions than the other— 
Senator Ludlam: Commissioner, I strongly disagree. 
Mr Negus: Senator, that is a matter for you, and that is what the committee is actually considering. What I was going to say at the very beginning of this is that this whole information is being considered by another committee, which we have appeared before. We have put a public submission in and we have had a number of our officers appear before that committee. There has been a range of different views expressed, and really it is a matter for that committee to consider all of those and make recommendations accordingly. We are but one player in this process. 
Senator Ludlam: Yes. 
Mr Negus: We have tried to play a coordinating role to look to have the best possible information available for the committee so that they can make an important decision. But, as I said at the beginning—and I do not resolve from it—perhaps one of the most important things that law enforcement will face in the next decade is to get this right in balancing the privacy issues with the availability of data and information to law enforcement to protect the community. 
Senator Ludlam: I recognise that and I understand that. It is also a legitimate role of this committee to put precisely the questions that I am, while you are flying people around the country trying to get everybody on the same page. 
Mr Negus: I reject that, Senator. This is not about getting people on the same page; this is about coordinating a response. We did not tell people what to say in their submissions; we just encouraged them to be part of the debate, and answered any of their questions about what would be the federal process and how this would unfold. So I reject your assertion that we sent someone around in an untoward way to get people onto the same page, because that is not what was actually undertaken.  
Senator Ludlam: I have now got the definition that we are working to, and I appreciate that. It is not just the Federal Police applying for these; it is the tax office, at least one local government authority that I am aware of, welfare agencies, anticorruption agencies and all sorts of folk. Do you concede that you are now able to create very, very detailed real time maps of an individual's social networks, their movements and their transactions— effectively everything about their lives apart from the content of the communications? 
Ludlam has identified a key issue, one that is recognised in much of legal literature. Traffic data allows robust inferences about private lives and about the content of the communications.
Mr Gaughan: Senator, that document that you have in front of you does not talk about web browsing. We are not seeing web browsing as part of that. 
Senator Ludlam: It relates to communications for internet. 
Mr Wilkins: It does not include web browsing. 
Senator Ludlam: It says internet. 
Mr Wilkins: It does not include web browsing. 
Mr Gaughan: Mr Wilkins makes a very good point. Talking about getting into the details of what someone is looking at is arguably content. We are not after content. Clearly what is defined in that is metadata. It is important for us to have that information for us to undertake basic investigations. All of the sworn members in this room have been in the police force for in excess of 25 years, and I cannot recall any investigation that I have been involved in as a constable or the investigations that I have oversighted as an assistant commissioner or the ones that my telecommunications interception arm is involved in that do not use metadata. It is the primary function of law enforcement. The fact that the authorisations as recorded in the annual report have been consistent over the last three to four years in my view shows that the use of metadata is efficient and effective in bringing people to justice. We pay for this information. If it was not effective, we would not be using it; we would be doing something else. 
Senator Ludlam: I am not arguing about its effectiveness. I will read from the sheet that you have just tabled. Part I says 'relates to communications for item 2, internet,' and then it says, 'Information that allows a communication to occur,' and the first dot point there says, 'the internet identifier'. I presume you mean an IP address there. 
Mr Gaughan: Correct. 
Senator Ludlam: It says 'The internet identifier assigned to the user by the provider,' but you are telling us that that would not allow you to identify web traffic. 
Mr Negus: That is right. 
Mr Gaughan: What it does, Senator, is it allows us to identify who has used a particular IP address when they have undertaken a certain activity - for example, downloading child abuse material. 
Senator Ludlam: From the web. 
Mr Gaughan: From the web. If we do not have that IP address we cannot start the investigation. 
Senator Ludlam: I am with you, but I am also profoundly confused. You have just explained that this is not about identifying web traffic. That is not how I read this piece of paper. 
Mr Wilkins: You would need to get a warrant to get that information, Senator. 
Senator Ludlam: You would need to get a warrant to find out, for example, a specific URL that someone had visited - not a copy of the page but the URL? That is not my understanding of how the system works at the moment. 
Mr Gaughan: For instance, how it works in child protection investigations is a very good example. We receive from our international law information agencies what has been accessed - that is, child abuse material - and an IP address. That is all we get. We do not get any other information. We then ask the telcos to identify who has accessed that IP address to enable us to commence the investigation. 
Senator Ludlam: So who held the IP address for a period of time in which content was accessed? 
Mr Gaughan: Correct, but it is in undertaking our specific investigation. We do not go on fishing expeditions. We do not obtain IP addresses and then go seek the internet of what they have looked at. That is web browsing. 
Senator Ludlam: But there would be nothing preventing you. You guys are busy and presumably you do not have time for fishing expeditions. 
Mr Gaughan: Correct. 
Senator Ludlam: But there would be nothing preventing you from doing exactly that. 
Mr Gaughan: As Mr Wilkins said, we would need a warrant. 
Mr Wilkins: The law prevents them, Senator. 
Senator Ludlam: I am not sure that it does. 
Mr Wilkins: It does. 
Senator Ludlam: If you can provide us with exactly how that is the case, that would be appreciated. I am sorry, but that directly contradicts— 
Mr Wilkins: I guess we will just have to spell it out in words of one syllable for you, but it does. 
Senator Ludlam: That is a profoundly unhelpful response to the question. If you want to do that, you would be very welcome. I would like to see you try. 
Mr Wilkins: We are trying to be helpful, Senator. We have just explained to you how this is meant to operate. 
Senator Ludlam: This will be a bit out of the AFP's hands, so I can put this to the department a bit later if you like, but of the just under a quarter of a million metadata or communications data requests that were reported in the last annual report, none of that relates to web traffic. If that were the case you would need warrants. 
Ms Smith [Attorney-General's]: The majority of those requests are in relation to subscriber requests—names and addresses and things like that. The internet aspect of that will be in relation to IP addresses. For example, through an intercept they have found out that there are various people accessing it and they will have a number of random IP addresses. They will go to the provider and say, 'Who belongs to these IP addresses?' under a data authorisation. But they have no authority, and the law does not allow them to access the contents of the communication outside a warrant. The TIA act is very clear in its definition of what is a communication, and includes issues like web browsing and anything that goes to the substance of a communication. 
Senator Ludlam: Yes, but I can give you a URL of a web page without disclosing what is on that page. What I am trying to identify now, in words of one syllable, is whether a URL is communications data/metadata or whether it is content. 
Ms Smith: The department has always taken a very conservative approach in relation to URLs to ensure that there is no unintended access to content of communications under data authorisations. 
Senator Ludlam: Are you able to point me to the part of the Act that says it is or is not a URL? 
Ms Smith: There is no definition under the current legislation and, as has already been noted, this is a matter for the PJCIS as far as modernising the legislation— 
Senator Ludlam: It is a matter for this committee as well. 
Mr Wilkins: What we are saying is that is our interpretation of the current legislation, and it would be made very clear in new legislation that that is the case.
There has been no indication of that so far.
Senator Ludlam: That a URL, for the purposes of the way you are currently interpreting these requests, is content and not communications data? 
Ms Smith: Correct. 
Mr Wilkins: That is right.
Discussion then moved to the working group on the data retention proposals. That group may or may not have featured much involvement or consultation with the Privacy Commissioner. We might reasonably expect the Commissioner to have close involvement in the development of proposals that have major privacy implications and that, on the basis of committee hearings over the past three years, are highly controversial.
Senator Ludlam: Can we go to the working group you mentioned earlier, Mr Negus. Could you spell out what its task is at this stage? 
Mr Negus: I think Assistant Commissioner Gaughan mentioned the working group; I will pass it back to him. 
Mr Gaughan: Initially it was to discuss some of the things that Mrs Smith has alluded to - the fact that there is no definition of a lot of the issues that are currently open for discussion and debate - and to try to come up with some terms and some words that everyone agreed to. We obviously still have some work to do with that, and the committee has come back to us a number of times in relation to some of those particular issues. The working group was also responsible for assisting and putting together the discussion paper that forms the basis of the PJCIS discussions at the moment. 
Senator Ludlam: Are you able to provide for us the membership of the working group and what its standing is? Is it informal or does it have some standing? 
Mr Gaughan: That is probably best answered by the department. Certainly, the AFP has a member in their group, but it is probably a question for Mrs Smith. 
Mr Wilkins: Do you want us to answer questions on this? We might as well. There is no working group at the moment. It is basically in abeyance. We are basically waiting to see what comes out of the committee, and then we may reconstitute a working group. 
Senator Ludlam: So there was a working group that was stood up to help produce that discussion paper and the terms of reference, and then it was stood down for the time being? 
Ms Smith: No. What the working group did was look at the need to reform the legislation, as Mr Gaughan has said. It was about coming up with some of the challenges that the current legislation faced. The work on the terms of reference et cetera was done by a different group of people. 
Senator Ludlam: Can you provide for us an idea of the working group when it was active; the membership and the duration that it worked for? 
Ms Smith: It was essentially the Attorney-General's Department, the AFP, the Department of Broadband, Communications and the Digital Economy— 
Senator Ludlam: You can put this in writing if you would prefer. 
Ms Smith: Would you prefer us to take it on notice? 
Mr Wilkins: We will take it on notice and make sure we get the names right. 
Senator Ludlam: Particularly on the DBCDE about what officer they were represented by or at what level they were represented. What about the Privacy Commissioner? 
Mrs Smith: We have certainly consulted the Privacy Commissioner on aspects. 
Senator Ludlam: Were they on the working group? 
Mrs Smith: I am not sure. We will take that matter on notice. 
Senator Ludlam: You cannot recall if they were involved? 
Mrs Smith: It was some time ago because we have moved into the PJCIS phase now. I will have to take that on notice.
Memories are short in A-G's, apparently.

Malcolm Turnbull, the Law Institute of Victoria, senior barristers and bodies such as the Victorian Privacy Commission ("the introduction of intrusive powers suggested in the Discussion Paper fails to achieve those tests of legitimacy, necessity, proportionality and effectiveness") have all expressed strong concern regarding the proposed legislation. The lack of detail, factual inaccuracies and inconsistencies in claims do not induce trust. The arrogance of the head of the Attorney-General's Department is disappointing. Uncertainty about whether there has been meaningful consultation with the Privacy Commissioner suggests that the Government's claims regarding its respect for privacy are hollow. If the Government doesn't think that the Privacy Commissioner is important, why should we?

House of Cards

'The Efficiency and Integrity of Payment Card Systems: Industry Views on the Risks Posed by Data Breaches' (Federal Reserve Bank of Philadelphia - Payment Cards Center Discussion Paper No. 12-04) by Julia Cheney, Robert Hunt, Katy Jacob, Richard Porter & Bruce Summers comments that
Consumer confidence in payment card systems has been built up over many decades. Cardholders expect to use their cards to execute payment instructions in a reliable and timely manner. Data breaches that degrade the perceived safety and reliability of payment cards may weaken consumer confidence in those systems and potentially cause cardholders to shift to other, and perhaps less efficient, forms of payment. A sizable shift away from payment cards — induced by the consequences of one or more data breaches — is unlikely. Even so, the probability of such an outcome is uncertain. In other words, this could be an example of “tail risk” for payment card systems. The authors informally interviewed a number of market participants and several experts to better understand the risks presented by data breaches, the efforts to protect payment card systems against data breaches, and areas where more might be done to secure these systems. In particular, the authors investigated whether existing levels of investment, coordination, information sharing, and management of incentives in securing payment card systems by firms and organizations in the private and public sectors are adequate to confront the threats arising from modern data breaches. The lessons learned from these conversations are described in this paper. These insights may also be helpful in considering the risks that data breaches may broadly pose to retail payments in the United States.
The authors note that
The management of payment card fraud raises a number of difficult questions: Have changes in technology increased or decreased the vulnerability of payment card systems to data breaches that might undermine consumer confidence in them? Do payment card networks, their partners, and their customers have the appropriate incentives to take precautions to avoid card fraud? Are the costs of payment card fraud or of avoiding this fraud borne by the appropriate parties? For example, do nonfinancial firms that retain personal or account data have sufficient incentives to protect this information? Are payment card networks able to make efficient choices about managing fraud risks and to implement antifraud measures in a timely manner? If not, are there reasons to believe that public authorities could facilitate better or timelier decisions? If such a role is appropriate, what information and expertise would government need to have? 
The answers to these questions are not simple. Taken as a whole, our interview results convey mixed views on most of these topics and, in particular, on the role that government should play or is capable of playing. At the same time, some general observations can be made with respect to areas of shared concern and insight among the interviewees. 
Most interviewees recognized that payment card systems have benefited from dramatic advances in information, computing, and telecommunications technologies over the past four decades. These advances have helped create opportunities for new participants in payment card systems, such as nonbank payment providers, to introduce innovative products and services, such as prepaid cards and Internet shopping. At the same time, these additions to the traditional payment card system model present new risks and require a re-evaluation of the security protocols that were developed in the past. Of course, criminals can also leverage technological advances to develop, test, and deploy their tools quickly. And when they find a promising vulnerability, there is at least the possibility that their attacks will rapidly increase in scale. Several interviewees emphasized the adeptness of thieves to identify vulnerabilities and quickly exploit them. They also noted that the vulnerabilities may include a type of payment system participant and a point in the payment processing chain, as well as a data storage system risk and a software weakness. Any incremental risk that results from innovation should be offset by careful risk management and investments in new defenses, with an emphasis on dynamic and flexible data security approaches rather than static ones. Several interviewees observed that a national focus on the security of the information and communications infrastructure in the United States could result in significant improvements in securing retail payment systems, including payment card systems. 
The interviewees expressed very mixed views about the incentives to prevent fraud and to mitigate its consequences among various payment system participants. Respondents generally considered the incentives at their organizations to be better than those in other parts of the transaction chain. This is perhaps an indirect recognition of the interdependence of payment participants in securing the system and the importance of adequate coordination of their efforts. 
A number of interviewees stated that the protections afforded to consumers from losses associated with fraudulent transactions limit consumers’ incentives to protect their cards, personal information, and computers. Others pointed out that these protections do help to ensure public confidence in card payments and that diluting those protections may increase the likelihood of a mass abandonment of these instruments if a “tail event” as we described earlier were to occur. 
There was widespread agreement that a key ingredient in protecting payment systems from fraud is coordination of fraud defenses among participants in these systems. For payment card systems, this coordination function is generally performed by the networks. Many participants expressed the view that, in the U.S., payment applications have become so diverse and payment firms so specialized that effective coordination is becoming more difficult. Others questioned whether the networks had exactly the right motivations or were sufficiently well equipped to ensure that all payment participants had the right incentives. Such concerns led some interviewees to speculate about an increased role of government as a coordinator. Others wondered whether government was sufficiently nimble or adequately equipped to play such a role. 
There was greater consensus about a number of roles in which government either is essential or could likely be more helpful. The first is in its law enforcement capacity, which may require additional resources. Given the international character of many modern electronic payment systems, interviewees recognized that law enforcement efforts must also take on a more international character. This too will require additional coordination — in this case, among governments around the world. Also, interviewees mentioned the need for more comprehensive information about the volume, character, and drivers of payment card fraud and data breaches. In general, interviewees supported expanding the collection and dissemination of data and new research. 
Most interviewees also said that the government could play a useful role in facilitating a more rapid dissemination of actionable information about new threats to the security of payment systems. Numerous information-sharing networks already exist, but some of our respondents contended that information exchanges remained too balkanized and too slow in many instances. The U.S. federal government is already an active participant in a number of these exchanges and, in some instances, contributes information obtained through various law enforcement and intelligence channels. 
Several respondents suggested that the government can play a special role as both a participant and a facilitator of the exchange of actionable information about data breaches because it may be uniquely positioned to address private-sector incentives in markets where security may be a source of competitive advantage. If maintaining a reputation as a secure provider of payment services is good for business, then firms will have incentives to invest in appropriate procedures and technology. But the desire to maintain a competitive advantage may act to discourage private actors from sharing information about the nature of any new threats they are experiencing. Government does not face this trade-off. In addition, by acting as an important source of information while insisting on reciprocity, government can tip private-sector incentives in the direction of sharing more information — and sharing it sooner.

Copernican Privacy

'The European Commission's Proposed Data Protection Regulation: A Copernican Revolution in European Data Protection Law' by Christopher Kuner in (February 2012) Bloomberg BNA Privacy and Security Law Report 1-15 comments that
In the 18th century Immanuel Kant famously initiated a “Copernican revolution” in philosophy by shifting the understanding of reality away from external objects and towards the cognitive powers of the individual. The European Commission’s recent proposal for a General Data Protection Regulation attempts a similar revolution in European data protection law by seeking to shift its focus away from paper-based, bureaucratic requirements and towards compliance in practice, harmonization of the law, and individual empowerment. Indeed, the Proposed Regulation represents the most significant potential change to European data protection law since adoption of the EU Data Protection Directive 95/46/EC in 1998. 
The final success of the Proposed Regulation will perhaps depend on three key factors, namely the effectiveness of the “lead DPA” concept; the operation of the consistency mechanism; and the ability of the Commission to issue delegated and implementing acts of high quality in a way that is timely and transparent and gives stakeholders an opportunity to provide input. 
If these three factors are realized, then it may work as designed to bring about a more harmonized level of data protection throughout the EU, and the benefits could be great for data controllers, individuals, and the EU economy. But if they are weakened during the EU legislative process, or if member states and DPAs undermine them, then many of the other positive changes foreseen in the text may lose much of their effect. Only time will tell if the final result is a revolution that brings about lasting improvements. 
Kuner concludes
The Proposed Regulation deserves to be considered a “Copernican revolution” in EU data protection law. It constitutes a bold attempt to make the legal framework more efficient and effective; increase protection of fundamental rights; and provide more legal certainty. Such a complete revision is justified, as it has been widely recognized that Directive 95/46 is out of date, and given the current political climate, the revision process now underway may be the best opportunity to update the framework for the foreseeable future. 
Some of the reforms are highly welcome. For example, because the Proposed Regulation would be directly applicable, it would provide as near complete harmonization as is possible under EU law. It would also make companies with operations in multiple EU member states subject to the jurisdiction of a single DPA, based on their main place of establishment in the EU. Notifications to DPAs of data processing activities would be eliminated. The legal certainty of “adequacy” decisions and standard contractual clauses for transferring data outside the EU would be increased, and binding corporate rules would be explicitly recognized. DPAs would be forced to cooperate, and the Commission would be empowered to issue EU-wide interpretations of important provisions. These are all highly significant improvements to the legal framework, and represent changes that business has been requesting for years. 
It is much easier to criticize such an ambitious proposal than to draft one. Nevertheless, the Proposed Regulation also gives grounds for criticism. First of all, it sometimes loses sight of the need to adopt provisions that can actually be implemented in practice, and to be precise and meticulous in drafting. While the text emphasizes the need for data controllers to use understandable language, it is equally important that legislation be written so that it can be easily used by non-lawyers and businesspeople unacquainted with data protection. In fact, the text abounds with legalistic jargon that many businesspeople will be able to make little sense of (for example, “The data subject shall have the right to obtain from the controller communication to each recipient to whom the data have been disclosed of any rectification or erasure carried out in compliance with Articles 14 and 15...” in Article 11). The text also contains several examples that seem merely illustrative and could better be included in the explanatory memorandum or in a recital; for example, the right to be forgotten is said to apply “especially in relation to personal data which are made available by the data subject while he or she was a child” (Article 17(1)), but it is unclear what the legal effect is of saying that the right applies “especially” to such data, or whether any special legal effect was intended at all. 
The commendable reduction of bureaucracy in some areas is at least partially offset by the introduction of other procedural requirements (such as the need to keep extensive internal documentation of data processing). While a number of last-minute changes to the text were adopted to reduce the burden put on SMEs, it can be feared that they will still be burdened by extra costs. Despite its status as a regulation, the use of vague language is likely to lead to difficulties of interpretation, and may cause greater divergence in national approaches than the Commission thinks. Basic differences in legal systems and administrative cultures in member states may be one of the greatest risks to the Proposed Regulation, since these are not easily susceptible to harmonization from Brussels. 
In addition, some of its specific innovations seem misguided. The “right to be forgotten” seems to be a version of the existing right to erasure which has been extended so far as to pose risks to other fundamental rights and to the use of the Internet. The rules on profiling will prove difficult to understand and apply in practice. And while there is a need for more stringent enforcement of the law and more harmonized enforcement powers, the combination of ill-defined offenses and huge mandatory fines raises basic questions of fairness. 
Another point of concern relates to the role of EU data protection law in the current global environment. The apparent assumption that the majority of international data transfers can be legalized by the use of BCRs and standard contractual clauses insufficiently takes into account the realities of massive international data transfers via phenomena such as cloud computing. It is also unfair that the requirements for transferring personal data internationally for criminal justice purposes under the Proposed Directive are much more lenient than are those under the Proposed Regulation. The significant changes brought about by the Proposed Regulation may also make it more difficult to achieve interoperability between the EU legal framework and those in other regions. The Proposal also contains a whiff of protectionist language. 
While the Proposed Regulation would in general harmonize the law at a high level, some member states may raise legitimate questions as to the effect it would have on data protection in their own countries. For example, a member state such as Austria has only a very small number of companies with over 250 employees, and thus the vast majority of companies there will be exempt both from the duty to appoint a DPO and from the documentation requirements, while the duty to notify the DPA of data processing would also be eliminated. Since the requirement to appoint a DPO and to keep documentation of data processing would be introduced largely as a replacement for the notification requirement, one might be legitimately concerned about how the fact that none of these three requirements would apply in a number of member states would affect the level of data protection in them. It also seems counterproductive to raise the threshold for appointment of a DPO so high in a country like Germany where their use has been a success. 
Despite the above criticisms, the author’s overall view of the Proposed Regulation is cautiously positive, as it constitutes an improvement on Directive 95/46, and demonstrates a commendable willingness to take on some of the “sacred cows” of data protection law that have outlived their usefulness. For the private sector, the final success of the Proposed Regulation will perhaps depend on three key factors, namely the effectiveness of the “lead DPA” concept; the operation of the consistency mechanism; and the ability of the Commission to issue delegated and implementing acts of high quality in a way that is timely and transparent and gives stakeholders an opportunity to provide input. If these three factors are realized, then it may work as designed to bring about a more harmonized level of data protection throughout the EU, and the benefits could be great for data controllers, individuals, and the EU economy. But if they are weakened during the EU legislative process, or if member states and DPAs undermine them, then many of the other positive changes foreseen in the text may lose much of their effect. Only time will tell if the final result is a revolution that brings about lasting improvements.

Watching the Watchers

France's Commission nationale de l'informatique et des libertés (CNIL) - the counterpart of the OAIC in Australia - has released findings on its consideration of Google's Privacy Policy. Those findings are highly critical of Google's practice and request Google to expressly commit to more meaningful privacy principles.

The findings are made by CNIL on behalf of the EU Data Protection agencies through the Article 29 Working Party and thus have a significance beyond France.

CNIL indicates that the agencies
recommend clearer information for users and ask Google to offer them improved control over the combination of data across its numerous services. [They] wish that Google modify the tools it uses to avoid an excessive collection of data. 
On January 24, Google announced that it would be updating its privacy policy and terms of service for almost all of its services on March 1, 2012. 
Given the numerous questions raised by these changes, the Article 29 Working Party mandated the CNIL to lead the investigation into Google's new privacy policy. Two successive questionnaires were sent to Google. The company replied on April 20 and June 21, but several answers were incomplete or approximate. In particular, Google did not provide satisfactory answers on key issues such as the description of its personal data processing operations or the precise list of the 60+ product-specific privacy policies that have been merged in the new policy. 
The analysis of Google's answers and the examination of numerous documents and technical mechanisms by the CNIL's experts have led EU Data protection authorities to draw their conclusions and make recommendations to Google. 
In discussing specifics CNIL is highly critical, stating that
Firstly, it is not possible to ascertain from the analysis that Google respects the key data protection principles of purpose limitation, data quality, data minimization, proportionality and right to object. Indeed, the Privacy policy suggests the absence of any limit concerning the scope of the collection and the potential uses of the personal data. 
The EU Data protection authorities challenge Google to commit publicly to these principles. 
Google provides insufficient information to its users on its personal data processing operations: Under the current Policy, a Google service's user is unable to determine which categories of personal data are processed for this service, and the exact purposes for which these data are processed. E.g.: the Privacy Policy makes no distinction in terms of processing between the innocuous content of a search query and the credit card number or the telephone communications of the user; all these data can be used equally for all the purposes in the Policy. 
Moreover, passive users (i.e. those that interact with some of Google's services like advertising or ‘+1' buttons on third-party websites) have no information at all. EU Data protection authorities remind Google and internet companies in general that shorter privacy notices do not justify a reduction of information delivered to the data subjects. 
EU Data protection authorities ask Google to provide clearer and more comprehensive information about the collected data and purposes of each of its personal data processing operations. For instance, EU Data protection authorities recommend the implementation of a presentation with three levels of detail to ensure that information complies with the requirements laid down in the Directive and does not degrade the users' experience. The ergonomics of the Policy could also be improved with interactive presentations. 
Google does not provide user control over the combination of data across its numerous services: Combination of data across services has been generalized with the new Privacy Policy: in practice, any online activity related to Google (use of its services, of its Android system or consultation of third-party websites using Google's services) can be gathered and combined. The European DPAs note that this combination pursues different purposes such as the provision of a service requested by the user, product development, security, advertising, the creation of the Google account or academic research. 
The investigation also showed that the combination of data is extremely broad in terms of scope and age of the data. E.g.: the mere consultation of a website including a ‘+1' button is recorded and kept for at least 18 months and can be associated with the uses of Google's services; data collected with the DoubleClick cookie are associated with an identifying number valid for 2 years and renewable. 
European Data Protection legislation provides a precise framework for personal data processing operations. Google must have a legal basis to perform the combination of data for each of these purposes and data collection must also remain proportionate to the purposes pursued. However, for some of these purposes including advertising, the processing does not rely on consent, on Google's legitimate interests, nor on the performance of a contract. 
Google should therefore modify its practices when combining data across services for these purposes, including: reinforce users' consent to the combination of data for the purposes of service improvements, development of new services, advertising and analytics (this could be realized by giving users the opportunity to choose when their data are combined, for instance with dedicated buttons in the services, cf. the button “Search Plus Your World”); offer improved control over the combination of data by simplifying and centralizing the right to object (opt-out) and by allowing users to choose for which service their data are combined; and adapt the tools used by Google for the combination of data so that it remains limited to the authorized purposes, e.g. by differentiating the tools used for security from those used for advertising. 
Google does not provide retention periods: Google refused to provide retention periods for the personal data it processes. 
The recommendations of the EU Data protection authorities have been sent to Google to allow the company to upgrade its Privacy Policy practices.
CNIL notes that
This letter is individually signed by 27 European Data protection authorities for the first time and it is a significant step forward in the mobilization of European authorities. Several recommendations are also supported by members of APPA (Asia Pacific Privacy Authorities) and Canada's federal Privacy Commissioner has had similar concerns about various Google activities. 
The CNIL, all the authorities among the Working Party and data protection authorities from other regions of the world expect Google to take effective and public measures to comply quickly and commit itself to the implementation of these recommendations.
We might hope that the OAIC will expressly endorse the Article 29/CNIL statement.

Unleashing the EU Cloud

The European Commission has released its Communication [PDF] on Unleashing the Potential of Cloud Computing in Europe.

The Communication comments that
‘Cloud computing’ in simplified terms can be understood as the storing, processing and use of data on remotely located computers accessed over the internet. This means that users can command almost unlimited computing power on demand, that they do not have to make major capital investments to fulfil their needs and that they can get to their data from anywhere with an internet connection. Cloud computing has the potential to slash users' IT expenditure and to enable many new services to be developed. Using the cloud, even the smallest firms can reach out to ever larger markets while governments can make their services more attractive and efficient even while reining in spending. 
Where the World Wide Web makes information available everywhere and to anyone, cloud computing makes computing power available everywhere and to anyone. Like the web, cloud computing is a technological development that has been ongoing for some time and will continue to develop. Unlike the web, cloud computing is still at a comparatively early stage, giving Europe a chance to act to ensure being at the forefront of its further development and to benefit on both demand and supply side through wide-spread cloud use and cloud provision. 
The Commission therefore aims at enabling and facilitating faster adoption of cloud computing throughout all sectors of the economy which can cut ICT costs, and when combined with new digital business practices, can boost productivity, growth and jobs. On the basis of an analysis of the overall policy, regulatory and technology landscapes and a wide consultation of stakeholders, undertaken to identify what needs to be done to achieve that goal, this document sets out the most important and urgent additional actions. It delivers one of the main actions foreseen in the Communication on e-Commerce and online services; it represents a political commitment of the Commission and serves as a call on all stakeholders to participate in the implementation of these actions, which could mean an additional EUR 45 billion of direct spend on Cloud Computing in the EU in 2020 as well as an overall cumulative impact on GDP of EUR 957 billion, and 3.8 million jobs, by 2020. 
Several of the identified actions are designed to address the perception, by many potential adopters of cloud computing, that the use of this technology may bring additional risks. The actions do so by aiming at more clarity and knowledge about the applicable legal framework, by making it easier to signal and verify compliance with the legal framework (e.g. through standards and certification) and by developing it further (e.g. through a forthcoming legislative initiative on cyber security). 
Addressing the specific challenges of cloud computing would mean a faster and more harmonised adoption of the technology by Europe's businesses, organisations and public authorities, resulting, on the demand side, in accelerated productivity growth and increased competitiveness across the whole economy as well as, on the supply-side, in a larger market in which Europe becomes a key global player. Here, the European ICT sector stands to benefit from important new opportunities; given the right context, Europe's traditional strengths in telecommunications equipment, networks and services could be deployed very effectively for cloud infrastructures. Beyond that, European application developers large and small could benefit from rising demand.
It indicates that
preparatory work undertaken by the Commission shows the key areas where actions are needed:
• Fragmentation of the digital single market due to differing national legal frameworks and uncertainties over applicable law, digital content and data location ranked highest amongst the concerns of potential cloud computing adopters and providers. This is in particular related to the complexities of managing services and usage patterns that span multiple jurisdictions and in relation to trust and security in fields such as data protection, contracts and consumer protection or criminal law. 
• Problems with contracts were related to worries over data access and portability, change control and ownership of the data. For example there are concerns over how liability for service failures such as downtime or loss of data will be compensated, user rights in relation to system upgrades decided unilaterally by the provider, ownership of data created in cloud applications or how disputes will be resolved. 
• A jungle of standards generates confusion by, on one hand, a proliferation of standards and on the other hand a lack of certainty as to which standards provide adequate levels of interoperability of data formats to permit portability; the extent to which safeguards are in place for the protection of personal data; or the problem of the data breaches and the protection against cyberattacks.
This strategy does not foresee the building of a "European Super-Cloud", i.e. a dedicated hardware infrastructure to provide generic cloud computing services to public sector users across Europe. However, one of the aims is to have publicly available cloud offerings ("public cloud") that meet European standards not only in regulatory terms but in terms of being competitive, open and secure. This does not preclude public authorities from setting up dedicated private clouds for the treatment of sensitive data, but in general even cloud services used by the public sector should – as far as feasible – be subject to competition on the market to ensure best value for money, while conforming to regulatory obligations or wider public-policy objectives in respect of key operating criteria such as security and protection of sensitive data.
The Communication highlights privacy issues, stating -
Data protection emerged from the consultation and the studies launched by the Commission as a key area of concern that could impede the adoption of cloud computing. In particular, faced with 27 partly diverging national legislative frameworks, it is very hard to provide a cost-effective cloud solution at the level of digital single market. In addition, given the cloud’s global scope, there was a call for clarity on how international data transfers would be regulated. These concerns have been addressed, in completion of another Digital Agenda Action, by the proposal of a strong and uniform legal framework providing legal certainty on data protection by the Commission on 25 January 2012. 
The proposed regulation addresses the issues raised by the cloud. Centrally, it clarifies the important question of applicable law, by ensuring that a single set of rules would apply directly and uniformly across all 27 Member States. It will be good for business and citizens by bringing about a level playing field and reduced administrative burden and compliance costs throughout Europe for businesses, while ensuring a high level of protection for individuals and giving them more control over their data. Increased transparency of data processing will also help increase consumer trust. The proposal facilitates transfers of personal data to countries outside the EU and EEA while ensuring the continuity of protection of the concerned individuals. The new legal framework will provide for the necessary conditions for the adoption of codes of conduct and standards for the cloud, where stakeholders see a need for certification schemes that verify that the provider has implemented the appropriate IT security standards and safeguards for data transfers. 
Given that data protection concerns were identified as one of the most serious barriers to cloud computing take-up, it is all the more important that Council and Parliament work swiftly towards the adoption of the proposed regulation as soon as possible in 2013. 
Meanwhile, as cloud computing involves chains of providers and other actors such as infrastructure or communications providers, guidance is required on how to apply the existing EU Data Protection Directive, notably to identify and distinguish the data protection rights and obligations of data controllers and processors for cloud service providers, or actors in the cloud computing value chain. Moreover, due to the specific nature of the cloud, questions have been raised about applicable law in cases where the relevant place of establishment of a cloud provider may be hard to determine, e.g. for a non-EU user of a non-EU provider operating equipment in the EU. In this context, the Commission welcomes the guidance on how to apply the existing EU Data Protection Directive given in the Opinion of the data protection working party, the so-called "Article 29 Working Party", on cloud computing of 1 July 2012. The Commission considers that the Article 29 Working Party Opinion provides a good basis for the transition from the current EU Data Protection Directive to the new EU Data Protection Regulation and that it should guide the work of national authorities and of businesses, thereby offering maximum clarity and legal certainty on the basis of the existing legal framework. Moreover, once the proposed regulation is adopted, the Commission will make use of the new mechanisms set out therein to provide, in close cooperation with national data protection authorities, any necessary additional guidance on the application of European data protection law in respect of cloud services.