Here are a few things that you may have missed in digital, media & technology this week. Welcome, also, to the new subscribers this week… you know who you are.
This newsletter and the podcast are best enjoyed with a coffee… or whatever your choice. Let me know if you want to talk about any of it, but please share with a few people and ask them to subscribe.
On Meta’s ‘regulatory headwinds’ and AdTech’s privacy reckoning
This week I was asked about the future of the AdTech industry in light of all the privacy regulation growing globally. AdTech and advertising aren’t going anywhere, but it feels like the industry is heading towards a regulatory singularity – or ‘regulatory headwinds’ as the company formerly known as Facebook called them. This is a very long but important read on that topic. If neither AdTech nor privacy regulation is going away, what will the landscape look like after impact?
techcrunch.com
Reworked data-sharing legislation returns to Parliament with Labor’s support
The Data Availability and Transparency Bill (or DATA Bill) is back. Again. The Government is still pressing for an open bar on sharing Commonwealth data to support “innovation”. This time, the Bill limits the sharing to within Commonwealth organisations and not the private sector. Not seen the text yet (not available as at day of writing this), but I wonder if it addresses the distinction between data collected directly by the Government vs data the Government requires other data holders to report as a matter of law? The latter always felt like a bridge too far for me.
www.innovationaus.com
North Korea Hacked Him. So He Took Down Its Internet
Disappointed with the lack of US response to the Hermit Kingdom’s attacks against US security researchers, one hacker took matters into his own hands. A cautionary tale in not trying to hack a hacker.
www.wired.com
Your heart rate increases, palms a little sweaty – your phone has pinged with the news that there has been a data breach. You’re not yet sure of the who, what or how, but one thing is for sure – you need to act swiftly.
When a cyber security incident or data breach happens to you, here is what you need to have in place as immediate actions.
The key steps that need to be taken are to contain the breach, assess the extent of the breach and the kind of information that has been compromised, and then determine if the breach is notifiable and act accordingly.
It’s no secret that a quick response to a data breach is critical to managing the breach as effectively as possible. But… here are the first practical steps that you would take when faced with the news that your system is compromised.
As with ghosts and other threatening spectres, the first question that comes to mind is “who you gonna call?” – and this really is a critical first step toward activating a response plan in the event of a breach. Know who the members of your organisation’s response team are. You need to be able to quickly and easily identify the person or people who will report and escalate an actual or suspected data breach.
The next question to consider is how you gonna call? If your organisation’s intranet is compromised, for example, do you have the contact details of the relevant personnel?
It is key to success to know who to contact and how to do it. Increase your response readiness by knowing your external assistance providers such as IT, cyber security, crisis management and legal advisors.
When the need to take swift action is so pressing, sometimes it’s the smallest details that can create the largest delays to activating your beautifully crafted data breach response plan. Make sure that you and your colleagues know exactly how to activate your organisation’s response plan by preparing an ‘Emergency Data Breach Response Card’ that can sit in your wallet or on your mobile device. There is an example below to get you started.
With the key contacts and critical first steps on an easy-to-use wallet-sized card, you could help take the panic out of a data breach and grease the wheels for a quick and effective response that ensures the best outcomes for you, your organisation and any affected individuals.
This isn’t the only solution, but it is one that addresses the “Oh No!” moment nerves when you’re faced with this cyber incident news. Other ideas are welcome, please share.
Here are a few things that you may have missed in digital, media & technology this week. This edition includes a Privacy SEALED SECTION! These were prepared listening to the new Westbright LawCAST where I speak to Jamie Leach from Open Data about the new consumer data right rules and expansion in Australia. This newsletter and the podcast are best enjoyed with a coffee… or whatever your choice. Let me know if you want to talk about any of it, but please share with a few people and ask them to subscribe.
Brett
How the business of gaming is evolving | McKinsey & Company
With an increasing number of people playing, broadcasting, and watching esports, the already booming, multi-billion dollar gaming ecosystem is reaching even greater heights. This sector gets a disproportionate amount of airtime for the value it generates compared to other entertainment sectors.
www.mckinsey.com
UK’s CMA launches probe into music streaming market – GOV.UK
The CMA will ask whether the music streaming market is working well for music lovers, as part of a study launched in the UK this week. Why only streaming and not the entire music industry is anyone’s guess, but if you’re a fan of treating artists fairly, this is a step towards that.
www.gov.uk
Privacy SEALED SECTION
I want this email to always be a few things that you may have missed in digital, media & technology from the past week. But with so much happening in Privacy, this required a special privacy sealed section for those who really love privacy and want to wade in deeper. Don’t worry… it’s SFW.
In this episode of the Westbright LawCAST, Brett Farrell, founder of Westbright Law, talks with Jamie Leach about the Consumer Data Right. Jamie is the Regional Director of fdata in Australasia and the Founder and CEO of Open Data Australia.
With the Government’s announcements on expanding the CDR into new sectors, we focus on where CDR is today and where it’s going for the energy and telecommunications sectors. We also talk about the launch of Open Finance and privacy’s role in the CDR.
If you want to talk about what any of this means for your business – get in touch with Jamie at fdata or Brett at Westbright Law. This podcast is best enjoyed with a coffee – or whatever your choice.
Here are a few things that you may have missed in digital, media & technology this week. These were prepared listening to The Bleachers – Live at Electric Lady (and hoping I get to see them perform live one day. Think Springsteen meets ska) and are best enjoyed with a coffee… or whatever your choice. Let me know if you want to talk about any of it, but please share with a few people and ask them to subscribe.
Brett
CNIL sets parameters for processors’ reuse of data for product improvement
This is a GDPR guidance note from the French regulator, but in short: yes, data processors can use data processed on behalf of another to improve the processor’s own products and services BUT with explicit consent and if doing so is compatible with the original purpose for which the data was collected. Bonne chance et bon courage.
iapp.org
Here are a few things that you may have missed in digital, media & technology.
These were prepared listening to triple j’s 40 years of music and are best enjoyed with a coffee… or whatever your choice. Let me know if you want to talk about any of it, but please share with a few people and ask them to subscribe.
Privacy regulator welcomes proposals to strengthen privacy protections
The OAIC shared its submission to the Government’s Privacy Reforms. This press release sets out the key points. Most will want to read parts 2, 9 and 10 of the OAIC’s submission to see the Commissioner’s views on reform relevant to personal information use.
www.oaic.gov.au
An observation and actions out of the Australian Federal Police privacy breach Determination from the OAIC. The breach arose out of a free of charge proof of concept for 10 people.
Many companies run proofs of concept but the AFP Determination is a high impact regulatory action from a very small and contained proof of concept. The AFP determination recalibrates how we must think about privacy compliance for proofs of concept.
The Determination is about what the AFP failed to do, not what a supplier should have done. So, assuming that you can’t get a vendor to take much, if any, liability for a proof of concept (free or not) then you will need to consider a privacy impact assessment and compensating controls that address the level of risk to individuals and privacy compliance relevant to the activity.
This may mean adjusting your internal procedures to ensure that proofs of concept are now treated as a potentially high-risk privacy compliance exposure.
A privacy impact assessment is still not mandatory for private organisations in Australia (it is for Government Agencies like the AFP), but the signal from the Commissioner is clear. Not having one for a high risk activity (even though not mandatory) isn’t going to be well received.
Sure, the AFP had some control measures in place, yet the Commissioner still found the AFP in breach because of the high-risk nature of the activity and not having appropriate controls in place to support the proof of concept’s compliance requirements.
Simply, the AFP didn’t do enough that the Commissioner thought was reasonable.
And now, in addition to the breach finding, the AFP has an independent assessor who must review the AFP’s privacy compliance systems and controls.
This is the final edition for 2021 – thanks for reading, the feedback and being part of the fun.
To make sure that you have something to read over the holidays, this edition has some bonus stories that you will find interesting… especially the one about the cyber security vulnerability affecting almost everything.
Unless something seismic happens over the holidays, this will return in early 2022. We’re also taking a break and will be closed from midday 23 Dec 2021 returning on Monday 10 Jan 2022.
The EU Digital Strategy & Privacy. The European digital strategy, a collection of laws designed to grow business and protect consumers in a digital age, inevitably meets privacy. The IAPP considers how these reforms will touch on privacy and that gives us some insights into any (more) compliance expectations.
The OAIC finds that the AFP breached privacy. The AFP used biometric face software Clearview AI (also with a breach determination recently) and in doing so breached Australians’ privacy for a few reasons including not conducting a mandatory (for Government Agencies) privacy impact assessment. The AFP was ordered to strengthen privacy procedures and processes.
Music streaming and the $9.99 price point. Economist Will Page reviews 20 years of the $9.99 price in music and why it hasn’t really changed. A side fun-fact from Jon Manning on the 9.99 price point: “They are thought to have originated in the Bon Marche Department Store in Paris, when it introduced price tags ~1860 (about 3-5 yrs later price tags were adopted by Woolworths in the US). But the vanity price point meant that the shop assistant had to open the till to give the customer change (rather than just put the 10 franc note in their pocket).”
These were prepared listening to 3LW and Taylor Swift (see below for why) and are best enjoyed with a coffee… or whatever your choice.
Until 2022, have a brilliant and relaxing holiday.
Sean Hall et al v. Taylor Swift
Taylor Swift’s ongoing lawsuit that claims she infringed copyright in a 3LW song in Shake it Off is now going to trial. Eventually, a legal ruling and we find out if the jury will hate hate hate. Stay tuned…
www.docketalarm.com
EDPB when a data transfer is not a data transfer (Part 2). The Australian Government is also considering reforms to its electronic surveillance laws. It’s pitched as a consolidation/harmonisation project to ensure the laws are fit for purpose, but curious to see what new powers may arrive or existing powers enhanced.
Transferring data outside of the EEA under SCCs. A super-nerdy European GDPR point, but I know some of you are grappling with implementing the new standard contractual clauses. This article explains the difference between an Article 46 legal assessment (required) vs an Article 45 assessment (not).
These were prepared listening to Die Toten Hosen (discovered accidentally by the WhoSampled website linked below) and are best enjoyed with a coffee… or whatever your choice.
Let me know if you want to talk about any of it, but please share with a few people and ask them to subscribe.
The IAB Australia produced a Member Q&A guide on the Current Privacy Law Reform in Australia. I joined with Ross Phillipson (Norton Rose Fulbright), Anna Johnston (Salinger Privacy) and Peter Leonard (Data Synergies) in offering our perspectives on what the privacy law reforms could mean for your organisation and how to work through it. I’d be pleased to discuss what these key reforms could mean for your organisation’s privacy compliance.