1. SECURITY, PRIVACY GOVERNANCE AND CYBER RISK MANAGEMENT – A LIKELY SIGNIFICANT PUBLIC INCIDENT AND/OR INVESTIGATION TO OCCUR IN 2015
The top priority for the Privacy Commissioner in 2015 is ensuring companies have appropriate privacy governance, in line with obligations under Australian Privacy Principle No. 1. This includes appropriate security measures to protect the personal information they hold.
We expect that there will be a significant and very public cyber incident and/or privacy breach investigation in Australia in the next 12 to 24 months. Of course for listed companies, failure to have an appropriate cyber risk management framework and privacy governance/security framework in place may result in a class action against the directors of the company for failure to meet their duty of care, should for example the share price be impacted by any such incident.
Therefore, apart from being good governance and part of the Board’s duty of care to the company, we recommend that all businesses (if you have not already done so) develop and implement appropriate privacy governance, security and cyber risk management frameworks as a top priority in 2015.
2. BIG DATA ANALYTICS – DON’T GET CREEPY
A number of our clients are already well advanced in the planning and development of Big Data analytics projects. We expect these projects to be deployed from the end of this year onwards and for Big Data to develop apace during 2015, with a significant number of Big Data analytics projects deployed across a number of sectors and industries.
In Big Data projects care must be taken to navigate your privacy obligations (see our update Big Data, Big Issues? Is Australian privacy law keeping up?) and, in particular, always be aware of whether what you are doing is “creepy” and will upset your customers. There has been a lot of media in 2014 about the “stalker” aspects of Big Data analytics. These are underpinned by a lack of transparency, i.e. a failure to have a conversation with individuals when collecting their personal information and to continue that conversation on an ongoing basis while their personal information is being used for Big Data analytics.
A lesson from the large retailers is that a “bargain” with customers for use of their personal information for Big Data analytics is a valuable tool in reducing the pushback against it. That is, offering a discount or reward encourages people to be involved in, and agree to, the continued use of their personal information for your Big Data analytics.
3. MOBILE/APP COMPLIANCE – IN THE PRIVACY COMMISSIONER’S CROSSHAIRS
4. INTERNET OF THINGS (“IOT”) – WHAT YOUR TOASTER WILL TELL YOUR SPOUSE, PERSONAL TRAINER, EMPLOYER, INSURANCE COMPANY AND CAR
For a few years now, when thinking about and discussing the IoT world of tomorrow, we could only lightheartedly imagine what our toaster might reveal about us. The good news is that your spouse can tell you are up at 3.00am making toast (i.e. not misbehaving!). The bad news is your personal trainer will know about the extra carbs and work you harder, your employer will scrutinise your work as you are not getting enough sleep and, for the same reason, your insurer may not wish to insure you (or may wish to raise your premiums) and your car may not let you drive it.
Of course one hopes the collection of such information is regulated. This is where privacy and transparency become even more important than they are today. Giant strides have been made in 2014 and even larger strides will be made in 2015 in terms of making IoT a reality.
As with Big Data analytics, the key to collecting and using personal information from the IoT will be to be transparent (engage in a conversation with the relevant class of individuals), offer a bargain for use of the data and have a robust privacy/security framework to protect the personal information.
5. IMPACT OF THE EU DATA PROTECTION REGULATION – THE RIPPLE EFFECT
Even before it has been passed, one of the key principles of the new EU Data Protection Regulation – the right to be forgotten – has already caused significant concern and discussion around the world. The Regulation will be passed during 2015 and the impact of its main principles (including the right to be forgotten) and the tougher and more onerous stance on privacy protection and security will also be felt outside of the EU.
We expect that the Regulation will have a ripple effect across the Asia Pacific, including Australia and New Zealand, and will embolden privacy regulators across the region to interpret and apply their existing privacy laws more onerously and/or to seek new enhanced privacy rules, heavier fines and far more administrative and investigative powers.
On a sobering note, don’t be surprised to see the first privacy-related custodial sentence passed in 2015 somewhere in the region.