2020 has been 'interesting', to say the least. But there is no doubt that the pandemic has hastened the adoption of emerging digital technologies, ushered in a new era of remote and flexible working arrangements, increased organisations' reliance on digital infrastructure and exposed our tech-related strengths and weaknesses alike.
Leaving 2020 in the rear-view mirror, we count down our top 10 predictions for 2021 and beyond in the domain of Digital Law in Australia.
10 – Increasing regulatory complexity
Despite an existing principles-based framework for the protection of privacy under the Privacy Act, in recent years the Federal Government has preferred to introduce parallel privacy requirements, such as the 13 Privacy Safeguards under the Consumer Data Right legislation and the privacy aspects of the upcoming Data Availability and Transparency Act for Government agencies. These nascent regimes are similar enough to the existing privacy regime to encourage complacency and different enough to give any compliance function a headache. Overlapping and often sectoral regulation adds to the increasing complexity of privacy law in Australia. For a law (and set of overarching principles) which was aimed at being easily understood and implemented by business and Federal Government agencies, we are now at a point where even experienced privacy lawyers struggle.
9 – Another year of reckoning for financial services
2021 is looking like another watershed year for regulatory compliance and accountability. Extending the scope of the Banking Executive Accountability Regime (BEAR), the Financial Accountability Regime (FAR) will likely come into effect during 2021 and force Australia's financial services executives 'to pull their compliance socks up'. The FAR will impose a significant additional burden on the management of financial services organisations, especially in organisations that are currently less-than-exemplary in compliance, including in respect of privacy compliance, data governance and, where relevant, under APRA standards.
Like the BEAR for banks, the FAR delivers the 'buck stops here' philosophy into the boardrooms of most financial services organisations. Responsibility (and liability) for an organisation's compliance across all laws, regulations and mandatory standards will rest with management. While one can debate the fairness of this approach, the FAR is not so 'far' away and, when it lands, will require much more oversight by and accountability of management (including in the usually neglected areas of privacy and cybersecurity).
There are various ways to deal with these matters to satisfy management that they can declare that the organisation is compliant. However, we recommend that each organisation subject to FAR first undertake an internal compliance audit or review to assess both: (i) what regulations, laws and standards the organisation should be complying with; and (ii) their actual compliance with those laws.
8 – A refreshed Privacy Act
Arising from the ACCC's Digital Platforms Inquiry, the Australian Government has announced its response to a number of the privacy-related recommendations made by the ACCC. Most notably, the Government has indicated support (subject to the consultation process playing out) for:
- a review into customer loyalty schemes and their 'problematic data practices';
- looking at the economy-wide impact of proposed privacy changes including bringing small businesses into the fold (i.e. abolition of the exemption for small businesses with an annual turnover less than $3 million);
- adoption of certain 'minimum privacy protections' that can't be consented away;
- strengthening consumer privacy protections both in the Privacy Act and under the Australian Consumer Law;
- consideration of broader privacy reforms including direct rights of action for individuals against companies and agencies for breaches of the Privacy Act/APPs, introducing a statutory tort for serious invasions of privacy and considering an increased 'informed consent' requirement model;
- the right to the erasure of personal information (like the GDPR's 'right to be forgotten'); and
- amending the definition of 'personal information' to capture technical data, online identifiers and other digital 'indicators' of a person which, in the digital world or when matched with other datasets, can identify a person.
All of these, combined with the proposed increase to the invasion of privacy penalty, will be a significant uplift in the privacy obligations in Australia. While the penalty increase will be introduced by early 2021, the review of and public consultation on the above matters will take place during the course of 2021. We expect the Government's response to any resulting recommendations by early 2022, with the possibility that some of those recommendations accepted by the Government could be introduced into the Parliament in late 2022.
7 – The dawn of the digital (resilience) age
The disruptions of 2020 have accelerated the convergence of the disciplines of: (i) cybersecurity, which is about keeping digital assets safe; (ii) business continuity planning, which is about organisations' ability to maintain critical business functions in the event of a disruption; and (iii) digital governance, risk and compliance (GRC), which enables companies to keep digital machinery 'on track' and aligned with corporate objectives.
Digital resilience is an integrated approach to these disciplines. In 2020 Covid-19 punished digital maturity laggards and rewarded digitally resilient organisations. In 2021, becoming digitally resilient at an enterprise level will (and must) be a strategic priority for all.
6 – IoT security and privacy
Despite the Government's public statements about the critical importance of cybersecurity in business and Government agencies, it is disappointing that it did not accept industry recommendations for mandatory minimum (and truly not very onerous) cybersecurity guidelines for the Internet of Things (IoT). Instead, the Government released its 'Internet of Things Voluntary Code of Practice'.
While security concerns in the IoT space have been around since the beginning, we believe that 2021 will see significantly renewed interest in (and use of) IoT and thus increased data generated through the IoT, including in respect of AI developments, products and services. Unfortunately, this renewed interest in the IoT is also from 'bad actors' wishing to exploit its weaknesses and obtain the significant quantities of data which both pass through and are generated by it daily.
Similarly, in the realm of privacy, consumer IoT manufacturers will need to face up to the practical difficulty of obtaining informed consent from individuals who may be tracked using an IoT device. For example, the increased popularity of smart assistants in homes, GPS and telematics devices in shared vehicles and smart cities technologies in shared urban spaces raise difficult legal (and ethical) questions.
Failure to appropriately deal with IoT security and privacy issues now will significantly impede some of the exciting digital developments we are anticipating in the near future, such as autonomous vehicles, in-home health monitoring and traffic management systems.
5 – Directors' responsibility and liability for cybersecurity and increasing privacy fines
We expect the increase in the frequency and severity of cybersecurity incidents, particularly ransomware and phishing attacks, to continue unabated in 2020. However, we expect this will lead to increased innovation in legal actions around these issues, especially relating to customers suffering from a cybersecurity incident impacting a vendor or supplier of theirs, where the customer is subject to extreme limitations or exclusions of liability in their contract with that vendor or supplier.
One potential way to 'sidestep' liability exclusions and limitations in supply or services contracts is to pursue any breaches by directors of the vendor/supplier of their directors' duties in relation to cybersecurity. If the usual or appropriate cybersecurity practices of the relevant sector are not in place at your vendor or supplier, or appear to be deficient, customers will seek to establish that the directors of the vendor or supplier failed to ensure the organisation's cybersecurity was appropriate, in breach of their directors' duty to exercise 'due care and diligence', and take action against them.
This is not a straightforward action. There are some hurdles to establish this claim (including whether one may take direct action for breach of directors' duties and/or whether ASIC would need to be involved). However, given the potential amounts involved (which we believe will only increase in 2021) it is likely to become an economic imperative for customers significantly impacted by the cyber incident of their vendor or supplier and subject to extreme limitations or exclusions of liability under their contracts to test new ways of recovering their losses. Directors who fail to comply with their directors' duties in respect of cybersecurity, care and diligence for their organisation will be personally liable for what, in the circumstances, may be a significant amount of money.
In addition, other ways to 'bust' contractual limitations will be sought including looking at areas such as claims for misleading or deceptive conduct.
These developments in 2021 and beyond will sharpen the focus of company directors on cybersecurity. In addition, the proposed increased fine for a serious invasion or repeated invasions of privacy, which are planned to be legislated by early 2021, will increase the company's focus on privacy compliance (including information security). The current maximum fine for a serious invasion or repeated invasions of privacy, $2.22m, will increase to the greater of $10m, three times the benefit obtained and 10% of the company's Australian revenue.
4 – Mixed reality and digital twinning
Digital twins are virtual replicas of physical objects and systems – perhaps of an office building, city street or meteorological weather system. Mixed reality is the merging of physical and virtual worlds – it allows physical and digital objects to co-exist and interact in real time, opening new doors for human-computer interaction. We believe the pace of growth of 'mixed reality' and 'digital twinning' during 2020 will further increase in 2021, enough to raise significant new digital law concerns. Of course, vast amounts of data (almost always including personal and sometimes even sensitive information) is needed to generate digital twins in the first place. More advanced mixed reality applications are then able to enrich datasets in real time, adding to the already significant level of detail over time.
These developments will go hand in hand with (and to a large extent facilitate) the parallel developments in IoT (which enables the collection of information through connected sensors), AI (discussed below) and the ever-greater demands on cloud-based platforms.
3 – AI ethics goes mainstream with data privacy the central issue
Artificial intelligence is now so ubiquitous and embedded in our lives that it is almost invisible. It is used for process automation and administrative decision-making, and underlies so many everyday consumer transactions. There has been a great deal of well-informed and important debate about the ethical issues arising from AI's rapid uptake, particularly around fairness, accountability and transparency. But 2020 has brought these conversations down from the ivory towers and into the high street. 'Normal' people have realised that their use of online platforms comes with a privacy 'price'.
Meanwhile, advancements in the capability of machine learning algorithms mean that our devices can be better than us at understanding speech, recognising patterns in images and comprehension of information. Powerful machine learning toolkits are now so accessible and easy to use that a teenage coder can develop enterprise-ready applications. Add to that mix the significant scale efficiencies and cost savings of AI offered as a cloud service (AIaaS) and the stage is set for another big year for AI in 2021.
We are already seeing enterprise customers and large AIaaS providers grapple (e.g. in contract discussions) with novel questions about IP ownership and various layers of personal information collection, use and disclosure (for model training and evaluation) and how customer data is treated once it's 'ingested' into the AI engine. In 2021 we expect the focus to shift to a more significant consideration of the privacy issues around the personal information consumed in the process of training and evaluating machine learning algorithms.
2 – Waking up to a COVID-19-induced compliance hangover
For many organisations, COVID-19 lockdowns forced a rush to transition to remote and flexible working arrangements, introduce BYOD for the first time and move mission-critical systems to the cloud, just to 'keep the lights on'. We know that privacy and cybersecurity considerations were neglected by many companies in the mad rush to make that transition. This has resulted in significant non-compliance which, together with a marked uptick in cybercrime, has resulted in a spike of cyber incidents and data breaches, including notifiable data breaches.
Given we are yet to emerge from the COVID-19 nightmare, the non-compliance and cybersecurity/privacy issues have not yet been fully realised, let alone dealt with. The figures released by the OAIC show that the number of notifiable data breaches during COVID-19 to date has, amazingly, decreased rather than increased. Of course, this does not reflect reality. In practice, on the ground, we have seen a significant increase in data breaches that should have been notified.
All this non-compliance, including not notifying notifiable data breaches, will lead us to emerge from COVID-19 (or 'wake up') in 2021 with a significant 'compliance hangover'. That is, 2021 will be spent scrambling to fix existing and recent past non-compliance resulting from the rush to transform ways of working without really having had a handle on what was going on. This will take away from any lingering euphoria companies may have from successfully 'keeping the lights on' through 2020 despite the disruption and emerging on the other side. This will likely demand significant resources to attend to the problems, address regulator investigations and the resultant damages/fines and bad PR.
Our advice, if you are in this position, is to address any non-compliance or non-notification as soon as possible. Don't wait for the end of COVID-19. Start moving now, including considering any data breaches that have occurred during 2020 and, if they should have been notified, start the compliance 'road to recovery' as soon as possible.
1 – The Facebook case and application of fines under the Privacy Act
The most significant new development in privacy in 2021 (and possibly of the last 10 years) will be if the OAIC succeeds in its Federal Court action against Facebook to have the fine for a serious invasion of privacy (even before it is increased – see 5 above) apply, not to the event giving rise to the serious invasion of privacy as a whole but to each individual impacted by that serious invasion of privacy event. That is, despite the widely held belief that the then $2.1m fine would be applied to the event causing the serious invasion of privacy as a whole (almost irrespective of the numbers of individuals affected, although this would factor into whether it was a serious invasion of privacy in the first place), the fine could be applied to each individual who has suffered a serious invasion of their privacy due to that event.
To illustrate by reference to the Facebook case, this may mean any fine imposed by the Federal Court would effectively be multiplied by the 300,000+ individuals that the OAIC can show were impacted by the serious invasion of privacy event (i.e. resulting from Cambridge Analytica's activities). While it is not certain that this argument will succeed, if it does it will be a game-changer and catapult Australia to join those countries with the highest potential maximum privacy fines. On this basis, even if the Federal Court imposes only a token fine per person in the Facebook case of, say, $1,000 per person for each of the 300,000+ individuals that the OAIC can show suffered a serious invasion of privacy from that event, the aggregate fine would exceed $300m.
And finally, our longer-range prediction:
Quantum Computing (all security bets are off)
Even if your organisation has been the best privacy and cybersecurity citizen to date, including through the implementation of best-practice encryption protocols and access controls, these measures will not be sufficient insurance against the eventual rise of quantum computing. We expect that, within a five-year timeframe, quantum computing will be commercially available and may be used to erode one of the key foundations for most cybersecurity and privacy enhancing measures in place today for most organisations—encryption.
While quantum computing is exciting for the exponential increase in computing power that it will deliver, it is a cybersecurity (in particular, cryptography) nightmare. The vast increase in computing power will mean that most encryption technologies in common usage today will be easily cracked or 'decrypted' by quantum computers in short order. Current encryption protections will be no impediment to accessing information, causing a significant and potentially unequalled (even by 2020 standards) disruption to the current cybersecurity and privacy landscape.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.