17 March 2017

Money Laundering

AUSTRAC has announced a $45 million civil penalty against Tabcorp, promoted as "the highest ever civil penalty in corporate Australian history".

The penalty relates tonon-compliance with the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth), with Tabcorp being held to have contravened the AML/CTF Act on 108 occasions over a period of more than five years.

Perram J found that Tabcorp failed to:
  • have a compliant AML/CTF program for over 3 years to manage the risks of money laundering and terrorism financing. 
  • give AUSTRAC reports about suspicious matters on time or at all on 105 occasions. Tabcorp has admitted that these suspicions related to unlawful activity including money laundering and credit card fraud. 
  • Identify a customer who collected $100,000 in winnings. 
  • Enrol with AUSTRAC on time. 
AUSTRAC comments
Tabcorp admitted that it had insufficient processes for consistent management oversight, assurance and operational execution of its AML/CTF program. Its AML/CTF function was under-resourced, and Tabcorp’s senior management did not regularly receive reports in relation to AML/CTF compliance.
Further
In our view, Tabcorp had a corporate culture indifferent to meaningful AML/CTF compliance and risk mitigation until we intervened ... Boards and senior management across all industries should take note to ensure that they are fully informed of their AML/CTF compliance.
 Such contraventions are not to be taken lightly and this unprecedented civil penalty highlights AUSTRAC’s resolve to take enforcement action against reporting entities that engage in significant, extensive and systemic non-compliance.
AUSTRAC indicates that
The financial consequences of the proceedings for Tabcorp will amount to more than $90 million once AUSTRAC’s agreed court costs and Tabcorp’s disclosed defence costs are factored in.
Tabcorp is reported to have agreed to pay the penalty (as 'recognised costs' in its corporate financial statement) on the condition that AUSTRAC withdraws any further allegations of non-compliance, presumably out of concern that derail the $11 billion merger with competitor Tatts Group.

A Tabcorp statement notes
Tabcorp acknowledges that there were a number of deficiencies in its former AML/CTF program, which resulted in a serious contravention of the AML/CTF legislation.

16 March 2017

Gender Identity Documents

'Identity Crisis: The Limitations of Expanding Government Recognition of Gender Identity and the Possibility of Genderless Identity Documents' by Anna James (AJ) Neuman Wipfler in (2016) 39 Harvard Journal of Law and Gender 491 comments
Trans rights advocates and allies are celebrating as governments around the world relax their standards for obtaining a particular sex designation and expand the available options for gender markers appearing on identity documents (IDs). While this increasing flexibility and diversity will improve the daily lives of countless trans and intersex people, it also raises the question of why government-issued identity documents designate gender at all. This question is particularly pressing for gender nonconforming people and nonbinary people for whom the compulsory inclusion of any gender marker may be especially harmful. 
As anatomy and identity become less presumptively linked and governments begin to acknowledge the complexity of gender, various countries have adopted a range of new approaches to sex designation. Many of the burgeoning solutions provide immediate, much-needed relief for binary transgender people who identify as male or female. Advocates have rightly prioritized gaining access to gender-affirming ID over abolishing gender from government ID in a world where gender recognition is still critical for survival. However, these approaches also illustrate how the state’s increasing respect for an individual’s gender identity and openness in recognizing more than two sexes simultaneously results in heightened anxiety over accuracy and security. The increased focus on accurately designating gender identity on government IDs is harmful to gender variant people overall and re-entrenches the primacy of fixed and binary gender. In supporting the state’s quest to “get it right,” advocates reinforce its hold over an aspect of identity that should belong only to the individual. 
This Article describes the sex designation policies of a number of international jurisdictions, arguing that each of them falls short by making such designations compulsory, and positing that even making sex designations optional carries a price. Specifically, it highlights New York City’s decision, launched at the beginning of 2015, to make sex an optional field on its new municipal IDs. The Article then identifies U.S. birth certificates as a strategic place to start the process of removing sex from government ID, based on their form, history, and use. Ultimately, the Article concludes that, so long as such documents include a sex designation field, new and seemingly progressive government policies of gender inclusivity harmfully reify sex classification. Therefore, it is time to envision genderless ID.

UK Trade Mark Analytics

A fascinating number-crunching report for the UK government on that nation's demand for trade marks offers a perspective for Australian intellectual property students.

UK Trade Mark Demand: An Analysis states
The Intellectual Property Office (IPO), an executive agency sponsored by the Department for Business, Energy and Industrial Strategy (BEIS), is the UK body responsible for registering trade marks (TMs), patents, designs and copyrights. Registration helps firms, designers and inventors to protect their intellectual property from unauthorised use by others and facilitates trade in these rights. A trade mark can be anything that defines a brand, for example words, sounds, logos, colours or a combination of all of these.
Faced with a very high increase in trade mark applications, the IPO has identified the need to forecast future trade mark applications to plan resource allocations. This report presents forecast results for 2017 and describes the approaches used to produce the forecasts. A panel dataset based on individual trade mark filers is used to forecast the number of UK domestic trade marks filed with the IPO each year. International registrations under the Madrid Protocol have not been considered. The estimation uses the data in panel form, with the cross-sectional element focusing on the owner type (individuals, companies etc.). The forecasting separately models new applications for trade marks and the renewal of existing trade marks. For the renewals modelling, a key predictor is – unsurprisingly – the number of trade marks that are up for renewal. The preferred model specifications make the following predictions for future trade mark filings: ...
The “preferred model” was selected from six alternative specifications for new applications for trade marks and three models for renewals. The specifications differ due to the different segments modelled and variables used. The criteria used to select the model were goodness- of-fit, the performance of the model when used for recent years, and a practical consideration: the number of future years that could be forecast using the model.
Previous work has largely been based on the data held on the trade mark register. While having a long time-series and allowing individual owners to be identified, there is very limited information about the owner of marks. This study has firstly identified the type of owner. For companies, it has then linked the trade marks to data about the company owning the mark. Since 2011, annual growth in the number of trade mark filings has been consistently above ten per cent, a level only seen once in the previous six decades (the 1980s). Most growth is derived from companies, though until the 1990s and the introduction of the European Union Trade Mark (EUTM), an important driver was also filings from foreign entities. Filings by individuals have also begun to contribute to growth in recent years.
The modelling includes looking at the impact of the EUTM on UK IPO filings. Results indicate that the introduction was associated with a fall in new UK trade mark applications each year as foreign businesses filed at a European level rather than in individual member states. A second policy driver is the extent to which recent simplification of the application process has encouraged trade marking. The evidence here is mixed as it is difficult to distinguish the effects of IPO policy from other drivers.
The report is structured thus
Chapter 1 reviews the literature. There is literature on intellectual property rights and their use by individuals and businesses. The focus is usually on patenting and on the role of intellectual property in productivity and innovation. However, researchers have also considered trade marks, looking at both the effects of trade marking and the drivers for registering a mark. Regarding forecasting the number of new trade mark registrations, the literature is more limited. A set of approaches have been developed for patents and these are beginning to be used to analyse trade marking.
The underlying data about each mark, derived from the IPO’s registration records, is described in chapter 2. The data comes from the live register of marks and the chapter reports the modelling of a history for each mark from its initial registration through all subsequent renewals. A key part of this study is linking each trade mark to information about the owner and the chapter describes this work. Owners are firstly categorised, with most identified as businesses or individuals. For businesses, steps were taken to link trade mark owners to a wider set of data about the business.
Chapter 3 describes recent trends in UK trade marking. There has been a growth in the number of new registrations in recent years. Chapter 4 describes the forecasting models used to predict new trade mark filings and renewals. The number of new applications and renewals were modelled separately because the two types of transactions are quite different, which is also borne out in the results.
The modelling finds that the number of new filings is quite persistent, in that last year’s activity determines this year’s to a significant degree. This finding is similar to other comparable studies and, like other studies, the modelling focuses on the annual change in activity. Macroeconomic variables, such as GDP and investment, are used to explain the change in activity and chapter 4 indicates the results of the alternative models. For renewals, the number of trade marks that are due for renewal each year is a predictor of the actual renewal activity that year.
Chapter 5 looks at the evidence on two policy areas: the introduction of the EUTM in 1996 and recent IPO policies to encourage trade marking. It also compares the findings in this report to those from a similar project commissioned by the EU IPO on trade mark and patent filings in Spain.
The authors conclude in 'Discussion and Policy Outlook' -
The previous chapter has described the findings to support IPO in its operational work. This chapter looks at the evidence on two policy areas. Firstly, the adoption of the EUTM in the 1990s and its impact on UK IPO filings provides evidence about the use of the Europe-wide mark. It indicates that the introduction was associated with a reduction of the growth rate of trade mark filings in the UK each year by around 1,500. A second policy driver is the extent to which recent simplification of the application process has encouraged trade marking. The evidence here is mixed as it is difficult to distinguish the effects of IPO policy from other drivers.
Since the UK referendum to leave the European Union, there is interest in forecasting the likely effect of different models of trade mark co-ordination between the UK and the EU. The chapter also looks at whether particular IPO policies can be forecast using the modelling here. The chapter ends on some of the possible next steps in this area of work, noting the context of the current study.
Effect of the introduction of the EU trade mark
In 1996, the European Union-wide Community Trade Mark was introduced allowing filers to receive a trade mark valid across the single market. The EU Trade Mark (EUTM) – as renamed in March 2016 – is valid in the UK. The introduction meant that businesses and individuals could register a mark at the European Office for the Harmonization of the Internal Market (now the EU IPO) and many businesses, especially those from outside the UK, began to use the service instead of registering in the UK. ...
From the regression analysis, the extent of this shift in the 1990s is discernible, though there is a mixed picture provided by the different models. Table 14 indicates the average number of trade marks that would have been registered additionally in the UK had the EUTM not been available. The table gives the marginal as well as cumulative effect on total UK applications as well as on foreign owners filing in the UK. The marginal effect is the reduction on the annual change in filings.
Adding these annual reductions or increases over the years between 1996 and 2014, the effects become sizable. It is estimated that filings from foreign owners in 2014 were reduced by between 8,000 and 21,000 due to the EUTM. The effect on total filings is also estimated to be negative but smaller. This might reflect an overall positive trend in the data. Estimates are derived by multiplying the number of segments by the estimated coefficient on the EU dummy for total UK applications and applications from foreign owners only.
Since the UK referendum to leave the European Union, there is interest in forecasting the likely effect of different models of trade mark co-ordination between the UK and the EU. The previous paragraphs estimate the number of trade marks that are registered in EU IPO that would have registered in the UK had EUTM not been developed. The cumulative estimate would represent trade marks on the EU register that may need the IP protection that they currently have in the UK were policy to return to the pre-EUTM position. However, because trade marking has seen such strong growth in the past decades, it is likely that this is an under-estimate.
A second aspect to consider is the annual additional new applications that might arise. Overall, there were 108,000 direct filings for trade marks at the EU IPO in 2015. For those trade mark owners who also require IP protection in the UK, it could become necessary to file for a separate trade mark in the UK.
It is probable that only a portion of the filings at EU IPO would also consider a UK filing after any change in the UK’s position. An indication of the lower bound for the EU IPO marks that may require a UK registration is the 12,524 direct filings from the UK at the EU IPO in 2015 (Statistics of European Union Trade Marks, 2016). If all of these were to additionally file for protection in the UK, should the EUTM no longer cover the UK, this would represent an additional increase in filings of 20 per cent (based on estimated UK domestic filings in 2016 of 61,211). Further, it is far larger than the marginal estimate given in Table 14, suggesting that the forecast modelling based on filings at the time when the EU trade mark was introduced, and overall filings were much lower, may underestimate the effect of the EU trade mark. However, it is likely that some of these filers explicitly sought to protect their IP in the European Union, because they do not require protection in the UK.
Policies to simplify trade mark application process
One of the notable features in recent years has been the steep rise in the number of small businesses that have sought trade mark protection for the first time. The IPO has also set in place measures to simplify the application and so reduce the cost of registering a mark. The opportunities have been taken by individual small businesses and individuals and by intermediaries seeking to support businesses to register their trade marks.
Estimating any impact of specific IPO policies has proved difficult, primarily because it is difficult to separate what has driven the recent rise of trade marking. It seems likely that the cost of trade marking has been reduced because of process changes, marketing of the ease and value of a mark and the introduction of registration services online. Equally, however, the UK economy has seen a large growth in the number of start-ups and SMEs, alongside a rise in self-employment. The evidence in this report suggests that new filers have been a significant driver of the recent growth of trade marks.
For estimation, the problem is that both sets of drivers have occurred at around the same time. The improvements in supplying the marks occurs at about the same time as the increased numbers of new businesses. The forecasting has found it difficult to discern the different drivers separately and it is very likely that both have been important.
Trade mark forecasting context and next steps
Forecasting the likely future level of trade mark applications is important for IPO to plan resources. This work has developed current modelling approaches to improve such forecasts. The most recent similar work on trade marking – the EU IPO has commissioned a forecasting model for trade marks (Hidalgo and Gabaly, 2012, 2013) – was discussed earlier in the report. These studies firstly sought to model trade marking purely using register information and at quite an aggregate level. In Hidalgo and Gabaly (2013), macroeconomic variables were added. There are three main differences between the approach used in these studies from the current work. First, this work splits trade mark filers into different segments, whereas Hidalgo and Gabaly looked at trade mark filings in the aggregate. This allows data about the different segments to be integrated into the modelling. Second, the EU IPO studies estimated the level of trade mark filings, while here the change in filings is estimated. Both changes appear to improve the modelling. Further, the modelling here has been underpinned by a significant improvement to the underlying datasets, linking the owner of a trade mark to data about the type of owner.
This linking exercise is a resource intensive exercise. It produces additional variables to model trade marking activity, by identifying characteristics of the trade mark owner from business databases. Some of the additional variables – such as owner type – prove useful in segmenting the modelling. However, it is apparent that the variables derived using business characteristics do not greatly improve the forecasts. The preferred models are mainly auto- regressive with policy dummies.
Continuing to use simple, time-series approaches would therefore be justified for activity modelling to support the resource planning of the IPO. However, one of the key dimensions for future work is to be able to represent policy and intellectual property related policy specifically in the models. Such interventions are occurring at sector and business type level, so the sophistication of the underlying datasets used in this study may be warranted if these interventions shape the future registration of trade marks.
An area of the modelling that may need developing is the representation of the various international routes to co-ordinate the trade mark application. This work has focused on the UK register and applications and renewals to that register. The modelling here does begin to lay the groundwork for going further. Where an entity is the owners of several UK trade marks, this is now represented in the data. It then makes it possible to link across different registers by the owner.

Whanganui Personhood

The Te Awa Tupua (Whanganui River Claims Settlement) Act 2017 (NZ) gives effect to recognition in New Zealand law of the Whanganui River as a discrete legal person.

My dissertation notes that
In 2014 the Te Urewera Act similarly established an 821-square-mile forest, the ancestral homeland and ‘living ancestor’ of the Tühoe people, as a legal person. The Act states that ‘Te Urewera has an identity in and of itself’ with ‘legal recognition in its own right’ as ‘a legal entity’ with ‘all the rights, powers, duties, and liabilities of a legal person’. Te Urewera holds title to itself, with representation by a board – its guardians.
A media release regarding the 2017 Act states
Whanganui Iwi have today closed the book on over a century-and-a-half of struggle for appropriate recognition for the Whanganui River, and appropriate acknowledgement of their longstanding relationship with it.
Over 200 descendants of Whanganui Iwi witnessed Parliament pass the Te Awa Tupua Bill into law, which gives the river legal personality and standing in its own right and enshrines in law and protects its rights and innate values.
“Since the mid-1850s Whanganui Iwi have challenged the Crown’s impact on the health and wellbeing of the river and those who lived on it, and have fought to have their rights and their relationship with the River recognised,” said Gerrard Albert, the Chairperson of Nga Tangata Tiaki o Whanganui.
“Eighty years ago Whanganui Iwi started what was to become the longest running court case in New Zealand history over who owned the bed of the river. It has been a long, hard battle.
“We have always believed that the Whanganui River is an indivisible and living whole – Te Awa Tupua – which includes all its physical and spiritual elements from the mountains of the central North Island to the sea.”
Mr Albert said the passing of the Te Awa Tupua Bill and the legal recognition of the Whanganui River with its own legal personality reflects this.
Te Awa Tupua will have its own rights and innate values and its own voice of representation. In the near future the Crown and Iwi of the River will jointly appoint two persons to the role of Te Pou Tupua; who will be charged with upholding the River’s interests and protecting its health and wellbeing.
“I acknowledge the seven iwi whose collective mana is represented by Te Awa Tupua and who were represented at Parliament today. I look forward to us all working together.
“This new legal status will be central to future decision-making,” said Mr Albert.
“It binds the Iwi of the river, the Crown and the many other communities of the Whanganui River to work together for the ultimate benefit and wellbeing of the River.”
Mr Albert said there is still a great deal to be done to give form and function to Te Awa Tupua and Whanganui Iwi looks forward to working closely with other iwi, local government, the Crown and other parties with an interest in the future of the River.
“It has taken us a century-and-a-half to get to this point. We will take a steady, calm and methodical approach to the next steps.

IoT

'Towards responsive regulation of the Internet of Things: Australian perspectives' by Megan Richardson, Rachelle Bosua, Karin Clark, Jeb Webb, Atif Ahmad and Sean Maynard in (2017) 6(1) Internet Policy Review comments 
The Internet of Things (IoT) is considered to be one of the most significant disruptive technologies of modern times, and promises to impact our lives in many positive ways. At the same time, its interactivity and interconnectivity poses significant challenges to privacy and data protection. Following an exploratory interpretive qualitative case study approach, we interviewed 14 active IoT users plus ten IoT designers/developers in Melbourne, Australia to explore their experiences and concerns about privacy and data protection in a more networked world enabled by the IoT. We conclude with some recommendations for ‘responsive regulation’ of the IoT in the Australian context.
Collaboration, networking and innovation are predicted to change radically as we move into an era of the Internet of Things (IoT). One of the fastest-growing trends in computing, the IoT promises to be one of the most significant disruptive technologies of modern times, affecting multiple areas of human life including manufacturing, energy, health, automotive, retail, insurance, crime, fraud and threat detection (Dutton, 2014; Gartner, 2014; OECD, 2015; Vermesan et al., 2011). Although there are multiple definitions of the IoT (Noto La Diega  and Walden, 2016), the essence is that the IoT involves computing beyond the traditional desktop, concentrated on smart connectivity of objects with existing networks and context-aware computation using network resources (Gubbi, Buyya, Marusi and Palaniswami, 2013). Indeed, connectivity of heterogeneous objects and smart devices is a crucial part of the IoT (Atzori, Iera, andMorabito, 2010; Caron, Bosua, Maynard and Ahmad, 2016; Gubbi et al., 2013; Noto La Diega & Walden, 2016). Interactivity and interconnectivity are therefore at the heart of the IoT, and promise to impact our lives in many positive ways.
At the same time, while the IoT holds great promise, it poses significant challenges to users’ abilities to control access to and use of their personal data (Caron et al., 2016; Dutton, 2014; Weber, 2009, 2010). This challenge and the attitudes of users and designers/developers in Australia is the particular focus of this paper. In the sections that follow we commence with a brief overview of the literature on privacy, data protection and the IoT, followed by a description of our qualitative research design, key findings and discussion of the findings. We conclude with some minimalist proposals for legal regulation of the IoT in Australia, based on an idea of responsive regulation i.e. of law responding to public concerns in fashioning legal standards (Nonet & Selznick, 1978; Nonet and Selznick, 2001).
The authors conclude
n this article, based on voiced concerns about privacy and data protection raised by a number of IoT users as well as some designers/developers in Australia, we have proposed a responsive system of privacy and data protection for the IoT beginning with privacy/data protection by design, covering basic matters such as notice and control throughout the life cycle of the data, then building up to more stringent consumer and privacy/data protection regulation provided under (inter alia) the Australian Consumer Law and Privacy Act 1988 (Cth), and as a third tier actions brought by individuals in court to vindicate their claims relying on privacy-type doctrines as applied by judges (for instance, through the current action for breach of confidence, and/or a specific privacy tort if and when this becomes part of Australian law).
We note that our discussion has not touched on the question of higher levels of regulation, for instance the use of the criminal law to restrain and control the ways in which the IoT might be used for antisocial purposes, including, for instance, undesirable forms of ubiquitous surveillance. For our users, on the whole, seemed to be rather unconcerned about the dangers of surveillance by the IoT, or as Andrejevic and Burdon put it (2015, 24) ‘the dimensions of a sensor society in which the devices we use to work and to play, to access information and to communicate with one another, come to double as probes that capture the rhythms of the daily lives of persons, things, environments, and their interactions’, with attendant risks for human dignity and freedom. Thus users’ responses to our interview questions do not offer much support for broader reform of what might be termed Australian surveillance law. Accordingly, based on a model of responsive regulation (i.e. law responding to existing public concerns), our recommendations have centred around more limited questions of how well IoT users’ private and personal information will be looked after, whether IoT users will be able to understand what is happening, and whether they can maintain control.
That is not to say that surveillance will not ultimately come to be seen more widely as a real problem of the IoT and that broader law reform measures will not be a focus of further public discussion. Indeed, already some of our interviewees argued that a coming issue will be the prospect of ubiquitous surveillance, affecting the basic structure of society (see Richardson et al., 2016). In response to this concern, law reform efforts in Australia may eventually need to be more deeply structural than the small-scale changes we have so far been contemplating.

15 March 2017

Victorian Privacy

The Victorian Commissioner for Privacy and Data Protection has released a disquieting - and brave - report titled Forensic Audit of Mobile Telephone Records - Final Report - March 2017.

The report highlights concerns regarding both privacy protection under Victorian statute law and the functioning of the Commissioner's office. The Commissioner notes that
Taking action to require the Premier, as the leader of the government of Victoria, to undertake his privacy obligations in a manner required by the law is a significant step.
The Commissioner omits the bureaucratic obfuscation (reflecting regulatory capture) evident in reports by the OAIC and goes on to refer to a response as being 'evasive, non-cooperative and misleading'.

The report states
On 12 January 2017 I issued an interim report regarding a forensic audit of the mobile telephones of certain Victorian politicians and public servants being undertaken at the request or direction of the Premier of Victoria. The audit was in response to the apparent leak of information regarding an increase in police numbers to the radio journalist, Mr Neil Mitchell. The interim report is Attachment 1.
In the interim report I advised that my office would continue investigating this matter, despite the Secretary of the Department of Premier and Cabinet (DPC) having issued a certificate under s79(3) of the Privacy and Data Protection Act 2014 (PDPA), claiming cabinet confidentiality in the information that I had formally sought from the Premier about the forensic audit. I also urged any person who had information relevant to my inquiries to come forward and contact me.
This final report:
  • provides an account of the circumstances as I understand them; 
  • discusses issues relevant to those circumstances; 
  • provides relevant documentation for public scrutiny; and 
  • discusses how legislation permits or encourages me to respond in my role as Commissioner.
In preparing this report, I have had careful regard to the objects of the PDPA, including balancing open access to public sector information with the public interest in protecting its security and to promote:
  • awareness of responsible personal information handling practices; 
  • responsible and transparent handling of personal information; and 
  • responsible data security practices in the public sector.
I have also had regard to the right to privacy supported by s. 13 of the Charter of Human Rights and Responsibilities Act 2006.
The circumstances
The circumstances have been widely reported. On 13 December 2016, at or immediately after the conclusion of a then recent cabinet meeting, the Premier told those in attendance that a forensic audit of their mobile telephones would take place at his instigation and that this audit would extend to all members of Cabinet. The purpose of the forensic audit was to determine who had leaked information about a proposed increase in police numbers to Mr Neil Mitchell. The Premier stated that the global consulting firm KPMG would undertake the forensic audit.
The audit would require handing over possession of mobile phones to the KPMG forensic audit team who would then analyse data embodied in them, presumably to identify who had communicated with Mr Mitchell, when the communication took place and the content of the communication. The audit would also extend to public servants, presumably those involved in developing the proposal to increase police numbers and those who otherwise could have had access to the information as it was processed through government.
Initial analysis
Immediately following the press reports on 13 December 2016 I was contacted regarding the proposed forensic audit. I had already considered the reports and had formed the opinion that there was an appearance that: • the reports were correct, as there had been no contrary or qualifying report; and • one or more of the Information Privacy Principles (IPPs) would be contravened by the forensic audit.
The immediate impression I gained from the information available to me was that the proposed audit appeared to constitute an investigation that was not supported by the usual legal safeguards relating to intrusion into the human rights of citizens. It is usual when investigative powers are granted to ensure that appropriate checks and balances are in place. This would have been the case for example if the audit were conducted as an investigation managed by Victoria Police. The same would have been true if the Ombudsman or any other usual investigative organisation had commenced an investigation. There was however an appearance that none of those organisations would be able to investigate, as there was no apparent illegal or wrongful behaviour which could be the subject matter of an investigation by them. While this caused me concern, my statutory concern is with issues of privacy and data security.
In this context there was an appearance that almost the entirety of IPP 1 – Collection would be contravened. Perhaps of greatest immediate concern was that:
  • the collection of personal information may not have been necessary for a function or activity of the collecting party; 
  • the collection of personal information may not have been lawful or fair, and appeared to be unreasonably intrusive; 
  • the individuals whose personal information was to be collected may not be given notice of the information set out in IPP 1.3, including the organisation collecting and the purpose of collection; and 
  • consideration did not appear to have been given to collection from the individual whose information was being collected.
Aside from those whose mobile phones were to be examined, the audit would involve gaining access to the personal information of anyone who had interacted with the politician or public servant being audited. In short, while the number of mobile phones examined may be fewer than 100, a reasonable estimate of the number of people whose personal information would be involved is very significantly greater.
The strong appearance that significant aspects of the IPPs were to be contravened also appeared to constitute a serious or flagrant contravention. This suggested that I might reasonably proceed to issue a compliance notice in relation to the proposed audit.
Taking action to require the Premier, as the leader of the government of Victoria, to undertake his privacy obligations in a manner required by the law is a significant step. I was inclined to seek an explanation from the Premier or from others involved before taking this step in the hope that the appearance I have described was mistaken or that interferences with privacy could be avoided. This would be consistent with the objects of the PDPA and the nature of a compliance notice as an educational tool for developing a compliance culture in the public sector.
Under the PDPA, I do not have a full range of investigative powers. Rather I have limited formal means of obtaining information and documents. As a result, I have few means of making enquiries such as were required. In this context I decided to issue a relatively informal request for information (rather than documents) and frame the request in the style of a notice under s. 79 of the PDPA.
A request for information rather than documents also had the virtue of permitting the Premier to comment on the course of action intended and so perhaps provide an opportunity for me to be reassured about the manner in which any process would proceed, so as to comply with privacy requirements. In this sense, the request for information functioned as a notice to show cause why further action should not be taken.
What information was sought from the Premier?
A notice under s. 79(1) of the PDPA was dated and served on the Premier of Victoria on 16 December 2016 and is Attachment 2 (the notice to the Premier). The notice to the Premier sought information about the basis of the Premier’s authority to undertake a forensic audit of information embodied in the mobile telephones of Ministers of the Crown and public servants. It did not explicitly or implicitly seek information about cabinet material, deliberations or discussions. The questions addressed to the Premier focused on the requirements for collecting personal information under IPP 1. They were designed to elicit information about the Premier’s understanding of his legal authority to collect personal information for the purposes of the forensic audit.
The response – conclusive certificate issued by the Secretary, DPC
On 23 December 2016, I received a certificate under s. 79(3) of the PDPA from the Secretary, DPC dated 23 December 2016 (Attachment 3). The Secretary certified that the provision of the information sought in the notice to the Premier ‘would involve the disclosure of information which, if included in a document of the agency or an official document of the Minister, would cause the document to be an exempt document of a kind referred to in section 28(1) of the Freedom of Information Act 1982.’ The effect of the certificate was to claim cabinet con dentiality in respect of all the information sought from the Premier.
Analysis in light of that certificate
This response heightened the appearance of contravention. There was no suggestion in the response either that the forensic audit would not proceed or that if it proceeded it would not involve any contravention.
The certification of cabinet confidentiality in respect of the entire request is worthy of comment. My statutory powers do not permit me to investigate a certificate or to question whether information referred to in a certificate is cabinet in confidence material. If I am inclined to seek a review of a certificate I must apply to the courts or to the Victorian Civil and Administrative Tribunal under ss. 73(3) and 76 of the PDPA. Nevertheless I am entitled to take account of the effect a certificate has on the appearance of the circumstances which are the focus of my enquiries.
The request did not seek any material related to cabinet proceedings. The certificate in response did not suggest that any attempt had been made to separate materials that were cabinet in con dence from other materials relevant to the audit. This appeared to be an unsophisticated and unhelpful response which adopted the wording of s. 79(3) by reiteration in an apparently indiscriminate manner so as to claim a complete exemption. In short the response did nothing to create an appearance of compliance, rather the reverse.
Confronted with this response, I decided that I could not conclude my enquiries at that point and decided to seek information from a source that was clearly outside the boundaries of cabinet confidentiality. I sought information from KPMG as the contractor apparently performing forensic audit activities.
What information was sought from KPMG?
Notices under s. 79(1) of the PDPA were dated and served on each of the Chief Executive Officer and the Victorian Chairman of KPMG on 5 January 2017 and are Attachments 4 and 5 (KPMG notices). The KPMG notices were designed to ascertain whether KPMG had been instructed to undertake the forensic audit and, if so, the scope of work it had been engaged to perform.
KPMG’s response
For some time, no response was received from KPMG. On 12 January 2017 I published the interim report regarding my enquiries. The following day I received correspondence from KPMG seeking a further copy of the notices and stating that their o ce had been closed until 3 days prior to the day that the notice was served and that each of the addressees of a notice were on annual leave. I provided that copy and in the meantime, KPMG located the notice that had been served earlier. On 16 January 2017 I received correspondence from KPMG stating that ‘KPMG has no documents to produce in response to the Notice’. This response was not entirely unambiguous. As a result I arranged for a discussion to occur, confirming that KPMG held no documents of the description set out in the notice.
Analysis in light of that response
The response from KPMG had, at most, a neutral effect on the appearance of the circumstances. The previous appearance remained unchanged and further action was warranted. It appeared that of those who might have an administrative role related to the audit and which was not the subject of cabinet in con dence restrictions, it was likely to be the Secretary of DPC.
Request for information from the Secretary, DPC
A notice under s. 79(1) of the PDPA was dated and served on the Secretary, DPC on 13 January 2017 and is Attachment 6. The notice sought information relating to the engagement of any contractor outside the Victorian public sector to undertake the audit and the scope of any such engagement.
The response – letter from the Acting General Counsel, DPC dated 20 January 2017 and conclusive certiffcate issued by the Secretary, DPC, dated 20 January 2017. On 20 January 2017, I received: • a letter from the Acting General Counsel of DPC marked ‘Confidential’ (Attachment 7), enclosing; • a certificate under s. 79(3) of the PDPA from the Secretary, Department of Premier and Cabinet (Attachment 8).
The letter marked ‘Confidential’ noted the secrecy provisions set out in s. 120 of the Act. It stated that ‘DPC does not consent to you disclosing or communicating this response’. I understood that that notification of non-consent was provided in the context of that provision. The effect of the reference to s 120 of the PDPA was to assert a secrecy claim in relation to the claim of cabinet in confidence.
Analysis in light of that response
That response was evasive, non-cooperative and misleading. It heightened the pre-existing appearance of wrongdoing. The response was misleading in that dealings between executive government and private sector contractors are universally accepted as not being within the boundaries of cabinet con dentiality. I would also expect that in a context where government has made a number of recent announcements regarding the improvement of privacy governance, the same government would seek to cooperate with and learn from an initiative taken by a regulator, such as myself, pursuing the same goals. When the only response to the initiative is an attempt to avoid scrutiny, this gives an appearance of wrongdoing.
Transmission of the response
I should also deal with the manner in which the response from the Department of Premier and Cabinet was framed and delivered. The letter from the Acting General Counsel of 20 January 2017 was endorsed “Confidential’ and by making reference to s. 120 of the PDPA expressly sought to ensure that both the letter and the certificate it transmitted would not be published.
In a Victorian government context, a claim of confidentiality should comply with the Victorian Protective Data Security Framework (VPDSF). The VPDSF permits a document to be protectively marked as ‘Confidential’ if disclosure of the content of the document could be expected to cause significant harm or damage to government operations, organisations and individuals. Such a marking asserts a business impact level of ‘Very High.’ There is only one higher category – ‘Extreme.’ It is difficult to imagine how the letter could reasonably be considered as falling within the claimed category. Even if this assessment is mistaken, the context in which this claim is made is mistaken, as will be examined more closely later in this discussion. The VPDSF includes explicit warnings about the inappropriate use of protective markings. It states that: Official information should only be protectively marked where there is a clear and justi able need to do so.
In no case should official information be protectively marked to: • hide violations of the law... • prevent embarrassment to an individual, organisation or agency
There is at least an appearance that the letter was protectively marked as ‘Confidential’ for either or both of these reasons and that the warnings set out in the VPDSF have been disregarded.
As noted above, the letter also referred to s 120 of the Act. Section 120 is a secrecy provision. It prevents me from communicating or disclosing information obtained or received in the course of performing my functions or exercising my powers under the PDPA except as permitted by s120(3).
Section 120(3) states: A person to whom this section applies may make a record, disclosure or communication referred to in subsection (2) if— a) it is necessary to do so for the purposes of, or in connection with, the performance of a function or duty or the exercise of a power under this Act or a former Act; or b) the individual or organisation to whom the information relates gives written consent to the making of the record, disclosure or communication.
So far as is relevant to the current circumstances, s.120 of the PDPA is designed to prevent the use of official material other than for the necessary purpose of the performance of the functions or duties or the exercise of a power under the PDPA, that is render that material secret, except with the consent of the person or organisation to whom the information relates. In my opinion it is necessary for those purposes to publish the documents attached to this report. Finally, the letter can be construed as a threat. Under s.121 of the PDPA it is an offence for me to disclose or communicate any information given to me ‘pursuant to a prescribed requirement’ unless I notify the person who provided the information of any proposal to disclose or communicate the information and give that person a reasonable opportunity to object.
However, the information I have received or obtained from DPC was not given to me pursuant to a prescribed requirement as defined in the PDPA. It follows that these are not circumstances in which the notice requirements of s. 121 of the PDPA apply.
It is inconceivable that the Acting General Counsel was unaware of this straightforward legal issue. There seems to be no substantive reason for him to provide advice to me about whether or not DPC consented to the disclosure of material other than to send a clear signal that the relevant material should not be published. In the current circumstances, the claims of confidentiality and secrecy are inappropriate in respect of both the certificate and the correspondence under cover of which it was transmitted. A certificate created under s. 79 of the PDPA is in the nature of a legislative instrument made under power delegated by legislation to the Secretary of the Department of Premier and Cabinet. It is not a document that is either necessary or desirable to hide from scrutiny. The same is true for the dealings surrounding a certificate. I consider that disclosure of the documents published with this report is necessary in pursuit of the objects of the PDPA.
The options for further action in relation to these issues, assuming that no more cooperative or compliance focussed communication occurs, are to: • issue a compliance notice to relevant persons regarding the conduct of any audit of mobile phone records; or • seek formal legal review of the information and documents in respect of which the two certificates given in response to notices discussed in this report with a view to seeking to have some or all of that material released to me; or • seek a declaration that those certificates were wrongly given and that they are ineffective.

Cybersecurity

The Australian National Audit Office report Cybersecurity Follow-up Audit considers practice in the Australian Taxation Office, Department of Human Services and Department of Immigration and Border Protection.

ANAO states
The audit objective was to re-assess the three entities' compliance with the 'Top Four' mandatory strategies in the Australian Government Information Security Manual (ISM). The audit also aims to examine the typical challenges faced by entities to achieve and maintain their desired ICT security posture.
In June 2014, ANAO Audit Report No. 50 2013–14, Cyber Attacks: Securing Agencies’ ICT Systems was tabled in Parliament. The report examined seven Australian Government entities’1 implementation of the mandatory strategies in the Australian Government Information Security Manual (Top Four mitigation strategies). The Top Four mitigation strategies are: application whitelisting, patching applications, patching operating systems and minimising administrative privileges. The audit found that none of the seven entities were compliant with the Top Four mitigation strategies and none were expected to achieve compliance by the Australian Government’s target date of 30 June 2014.
The Joint Committee of Public Accounts and Audit held a public hearing to examine Report No. 50 on 24 October 2014. Three of the seven audited entities—the Australian Taxation Office, the Department of Human Services, and the then Australian Customs and Border Protection Service3—appeared before the hearing to explain their plans and timetables to achieve compliance with the Top Four mitigation strategies. Each of the three entities gave assurance to the Joint Committee of Public Accounts and Audit that compliance with the Top Four mitigation strategies would be achieved during 2016.
These three major Australian Government entities are significant users of technology: the Department of Human Services relies on its information and communications technology (ICT) systems to process $172 billion in payments annually; through its electronic lodgement systems Australian Taxation Office collects over $440 billion in gross tax revenue annually; and the Department of Immigration and Border Protection electronically processes around seven million visas annually and inspects and examines around two million air and sea cargo imports and exports.
All three entities collect, store and use data, including national security data and personally identifiable information that can be used to identify, contact, or locate an individual such as date of birth, bank account details, driver’s licence number, tax file number and biometric data.
Not operating in a cyber resilient environment puts entities’ data and business processes at risk, with potentially significant consequences for Australian citizens and other clients and stakeholders.
Audit objective and criteria
The objective for this audit was to assess whether the Australian Taxation Office, the Department of Human Services, and the Department of Immigration and Border Protection are compliant with the Top Four mitigation strategies in the Australian Government Information Security Manual. The audit also examined entities’ cyber resilience, which includes establishing a sound ICT general controls framework and effectively implementing the Top Four mitigation strategies.
To form a conclusion against the audit objective, the ANAO adopted the following high level assessment criteria: do the entities comply with the Top Four mitigation strategies; and are entities cyber resilient?
Conclusion
The ANAO assessed that of the three entities only the Department of Human Services was compliant with the Top Four mitigation strategies. The Department of Human Services also accurately self-assessed compliance against the Top Four mitigation strategies and met its commitment to the Joint Committee of Public Accounts and Audit of achieving compliance during 2016.
Of the three entities, only the Department of Human Services was cyber resilient. Cyber resilience is the ability to continue providing services while deterring and responding to cyber attacks. Cyber resilience also reduces the likelihood of successful cyber attacks. To progress to being cyber resilient, the Australian Taxation Office and the Department of Immigration and Border Protection need to improve their governance arrangements and prioritise cybersecurity.
ANAO's recommendations are -
1  The ANAO recommends that entities periodically assess their cybersecurity activities to provide assurance that: they are accurately aligned with the outcomes of the Top Four mitigation strategies and entities’ own ICT security objectives; and that they can report on them accurately. This applies regardless of whether cybersecurity activities are insourced or outsourced.
2  The ANAO recommends that entities improve their governance arrangements, by: asserting cybersecurity as a priority within the context of their entity-wide strategic objective; ensuring appropriate executive oversight of cybersecurity; implementing a collective approach to cybersecurity risk management; and conducting regular reviews and assessments of their governance arrangements to ensure its effectiveness. 

14 March 2017

Coherence and confusion

'Coherence in the Age of Statutes' by Ross Grantham and Darryn Jensen in (2016) 42(2) Monash University Law Review 360-382 comments
The High Court of Australia, in pursuing coherence between common law and statute law, has limited itself to ensuring that the rules of common law and statute law should be free of contradiction. The Court does not appear to have embraced the idea, which lies at the core of some major theories of private law, that a set of rules is coherent only if the set can be explained as the outworking of a single principle. Applying that idea to the relationship between common law and statute law is confronted by some serious challenges. In the past, coherence as non-contradiction (combined with the idea of parliamentary supremacy) has worked well as a means of reconciling common law with statute law, but the proliferation of legislation in recent years and the character of much modern legislation has drawn attention to the limitations of such an approach to the question. A more exacting approach to coherence of common law and statute law, on the other hand, would require the revision of some widely-held assumptions about the nature of law, such as the core assumption of legal positivism that the ultimate criterion of the authority of the law is its pronouncement by an authoritative institution.
'The passage of Australia’s data retention regime: national security, human rights, and media scrutiny' by Nicolas Suzor, Kylie Pappalardo and Natalie McIntosh in (2017) 6(1) Internet Policy Review comments
In 2015, the Australian government passed the Telecommunications (Interception and Access) Amendment (Data Retention) Act, which requires ISPs to collect metadata about their users and store this metadata for two years. From its conception, Australia’s data retention scheme has been controversial. In this article we examine how public interest concerns were addressed in Australian news media during the Act’s passage. The Act was ultimately passed with bipartisan support, despite serious deficiencies. We show how the Act’s complexity seemed to limit engaged critique in the mainstream media and how fears over terrorist attacks were exploited to secure the Act’s passage through parliament.
The authors note
The final text of the act is complex, confusing, and lacks key safeguards to protect the privacy of Australians. In part II of this article, we review the obligations imposed by the act and the mechanisms that have been introduced to protect human rights. Experience from other jurisdictions and the recommendations of Australian reviews suggest that mass data retention obligations can only be justified if they are clearly necessary and curtailed to limit access to data for the purposes of addressing serious crimes with full judicial oversight. The act, as passed, does not contain these safeguards, and important terms are not defined in the act or are defined only in the negative or in explanatory materials.
Public interest concerns were raised consistently throughout the period in which the bill was under consideration, but were ultimately not directly addressed by the government. In part III, we review the history of the act’s introduction as represented in the Australian press media, in order to better understand how the act was passed without resolving these core human rights tensions. The final text of the act reflects the trauma the government suffered during its passage, resulting in a number of very specific limitations that address the most acute and politically problematic concerns raised by opponents. The larger-scale concerns about the necessity of introducing mass-scale surveillance obligations or the scheme's uncertain scope, vague specification of access rights, and limited judicial oversight, however, were not well represented in the media. Our analysis suggests that the government was able to exploit the complex and uncertain scope of the data retention obligations in its favour to marginalise opposition that hinged on quite technical questions of coverage and access. The government was also able to draw heavily on escalating national security rhetoric around several high-profile terrorist attacks to effectively sidestep scrutiny about why the new obligations were required. Ultimately, while the government had to make several concessions to particular interest groups, it was able to avoid substantively addressing key concerns about the scheme in the media by channelling attention to the more easily answered question about whether the proposed data set would be included in the legislation. Many of the issues raised during the passage of the act were effectively deferred to be resolved at a future date, either by a review committee or through ministerial regulations, giving the government the time it needed to secure bipartisan support for its passage.
They conclude
The Telecommunications (Interception and Access) Amendment (Data Retention) Act was passed by the Australian government in April 2015, and is due to be reviewed by the PJCIS sometime in 2019 (s 187N). However, absent a high-profile court case or renewed vigour in the public debate, it is unlikely that a review will change much about Australia’s current data retention scheme. Our analysis of the mainstream media over the course of the passage of the act highlights significant shortcomings in the legislative process. In Australia, where the legislature is primarily responsible for defining (and by implication, protecting) the rights of individuals, we have shown that human rights concerns about mass data retention were poorly ventilated in major policy fora. Ultimately, the government was able to pass the legislation with very little interrogation of its claims that data retention is necessary to maintain national security. We suggest that this is particularly concerning in a system without a constitutional bill of rights that is enforceable by an independent judiciary.
In Europe, similar data retention schemes have been found disproportionate to the objective of fighting serious crime, even where that objective was deemed to be a legitimate objective of general interest. Factors that compelled the ECJ to hold that a wide-ranging metadata retention obligation was disproportionate included that the obligation impacted all citizens using electronic communications services regardless of involvement in criminal activity and that there was no requirement that law enforcement agencies obtain a warrant or seek prior review from a court or independent administrative body before accessing a person’s metadata. In Australia, similar shortcomings with the government’s data retention regime did not have any real impact on the success of the act’s passage through parliament. Unlike in other jurisdictions, there is little prospect that these concerns can be raised in any challenge to the validity of the act.
The government asserted, following terror attacks in Sydney in December 2014 and Paris in January 2015, that extensive data retention was necessary to protect national security. This assertion was not effectively questioned by the Australian mainstream press. But even if data retention is accepted as a necessary intrusion to maintain national security, the government has not included protections to make it a proportionate measure. In this article we have raised concerns about deficiencies in the act, including that the language of the act remains vague; the scope for ministerial discretion about what metadata must be retained and which agencies may access metadata is significant; and there is no judicial oversight before agencies may access Australians’ private information.

Makers

The cogent 'The Maker Movement: Copyright Law, Remix Culture And 3D Printing' by Matthew Rimmer in (2017) 41(2) The University of Western Australia Law Review 51 comments
3D printing is a process of making physical objects from three-dimensional digital models. 3D printing is a form of additive manufacturing – rather than a traditional form of subtractive manufacturing. 3D printing is a disruptive technology, which promises to transform art and design, science and manufacturing, and the digital economy. 
The Minister for Industry, Innovation and Science, the Hon. Christopher Pyne, has highlighted the key role of 3D printing for manufacturing and material science in Australia: ‘Manufacturing remains a key driver in our economy, but as the industrial landscape changes, the sector needs to transition to more innovative and economically viable technology.’ Pyne stressed: ‘Emerging technologies such as metal 3D printing offer huge productivity gains and have the potential to turn Australia's manufacturing industry on its head.’ 
Likewise, the Australian Labor Party’s Tim Watts and Jim Chalmers have discussed the role of 3D printing in respect of intellectual property, innovation, and trade. 
There have been a number of early cultural texts on the topic of 3D printing. Cory Doctorow’s 2009 fictional story Makers was significant in promoting the culture of the maker community. Chris Anderson’s 2012 non-fiction work Makers considered the history of the industrial revolution, the rise of 3D printing, and the long tail of things.6 His work also reflects upon the development of open licensing and open hardware, and the financing of maker businesses. This rather evangelical work helped inspire wider public interest in the field. In The Maker Movement Manifesto, Mark Hatch, the CEO of TechShop, provides a practical guide to the applications of 3D printing, and the development of communities of practice. He is particularly interested in the development of distributed and flexible manufacturing, and the acceleration of innovation. The engaging 2014 Lopez and Tweel documentary Print the Legend provided a portrait of the emergence of 3D printing start-up companies in the United States. In 2014, the Australian journalist and cultural critic Guy Rundle also undertook fieldwork in his study on 3D printing and robotics, visiting key hubs of 3D printing in the United States. In his work upon the robotics revolution, Martin Ford has explored the intersection between 3D printing and automation. Futurist Jeremy Rifkin has been interested in the intersections between 3D printing, the Internet of Things, and collaborative capitalism. Likewise, Robin Chase has been concerned about how 3D printing fits into a larger model of the sharing economy. 
In terms of legal writing in respect of 3D printing, a number of works have sought to address the relationship between intellectual property and 3D printing. As a public policy expert at Public Knowledge, and as a lawyer working for Shapeways, Michael Weinberg (2010, 2013) has written a number of significant treatises on intellectual property and 3D Printing. Associate Professor Dinusha Mendis and her colleagues have undertaken legal and empirical research on intellectual property and 3D printing for the United Kingdom Intellectual Property Office. In 2015, Professor Mark Lemley from Stanford Law School observes, ‘A world in which sophisticated 3D printers are widely available would change the economics of things in a fundamental way.’ Amongst other things, he says that 3D Printing provides challenges and opportunities for intellectual property in ‘an age without scarcity’.  John Hornick has examined the topic of intellectual property and 3D printing from the perspective of a legal practitioner. From Australia, Dr Angela Daly has written on the socio-legal aspects of 3D printing in The World Intellectual Property Organization in 2015 has sought to investigate 3D printing as a breakthrough technology in terms of emerging developments in respect of intellectual property law, practice, and policy. 
There has been much interest in how intellectual property law, policy, and practice will adapt to the emergence of 3D printing and the maker movement. Intellectual property lawyers will have to grapple with the impact of additive manufacturing upon a variety of forms of intellectual property – including copyright law, trade mark law, designs law, patent law, and trade secrets. The disruptive technology of 3D printing will both pose opportunities and challenges for legal practitioners and policy-makers. 
Rather than try to survey this expanding field, this article considers a number of early conflicts and skirmishes in respect of copyright law and 3D printing. There has been significant interest in the impact of 3D printing on copyright law and the creative industries. There have been classic issues raised about copyright subsistence, and the overlap between copyright law and designs. There has also been a moral panic  about 3D printing facilitating copyright infringement – like peer to peer networks such as Napster in the past. There has been a use of open licensing models such as Creative Commons licensing to facilitate the sharing of 3D printing files. Such battles highlight a conflict between the open culture of the Maker Movement, and the closed culture of copyright industries. In many ways, such conflicts touch upon classic issues involved in ‘information environmentalism’. Part 1 looks at the controversy over Left Shark. In particular, it examines the copyright claims of Katy Perry in respect of the Left Shark figure. Part 2 considers questions about scanning. Augustana College tried to assert copyright against a maker, Jerry  Fisher, who was scanning statues of Michelangelo (although copyright had long since expired in such work). Part 3 focuses upon copyright law, 3D printing and readymades. The Estate of Marcel Duchamp lodged a copyright protest over a 3D printed set of chess, based on the work of Marcel Duchamp. Part 4 examines the intervention of a number of 3D printing companies in a Supreme Court of the United States dispute in Star Athletic v. Varsity Brands. Part 5 considers copyright law and intermediary liability. Part 6 examines the operation of technological protection measures in the context of copyright law and 3D Printing.