Nowadays, terrorists, gangsters, paedophiles and organised criminals heavily rely on cyber platform and increasingly adopt sophisticated tactics that one can hardly imagine. Apart from well-known messaging tools – like WhatsApp, WeChat, iMessage – authorities investigating Paris ISIS attack in 2015 once suspected terrorists might have employed Sony’s PlayStation 4 for planning the massacre, sending messages through the PlayStation Network online gaming service and voice chatting to even communicating through a specific game.
Wide availability of end-to-end encryption services has made life difficult for law enforcement and government agencies. In addition, existing laws and regulations may not be of great assistance for investigators when it comes to gaining access to encrypted data. In February 2016, the FBI sought help from Apple Inc. during an investigation of 2015 San Bernardino shooting attack. Despite the court order specifying Apple to provide assistance to delete keys to read encrypted date of shooters’ iPhone and submit passcodes, Apple opposed the order, explaining that US government has demanded them to take an unprecedented step which threatened the security of their customers. Besides, Apple believed that the court order had implications far beyond the legal case at hand, and that called for public discussion.
The Assistance and Access Act in Australia
Given that terrorists attacks have been quietly spreading around the world over the past decade, Australia took the lead to take robust gaits. On 8 December 2018, the Assistance and Access Act came into effect which allowed government authorities to compel a private company to create new interception capabilities so no communication data is completely inaccessible to the government. It is controversial in that this security vulnerability must be deployed in secret, without public knowledge.
The Act defines three kinds of notices that can be served on what are called “designated communications providers” (“DCP”):
- Technical Assistance Requests (TAR), which are “voluntary” assistance requests may be issued by the head of an interception agency (Federal, State and Territory law enforcement or anti-corruption agencies), the Australian Security Intelligence Organisation (“ASIO”), the Australian Secret Intelligence Agency or the Australian Signals Directorate to DCP to use their existing capabilities to access user communications;
- Technical Assistance Notices (TAN), which are mandatory notices issued by ASIO or an interception agency that require DCP to give assistance, utilising the provider’s current capability; and
- Technical Capability Notices (TCN), which are mandatory notices issued by the Attorney General requiring DCP to build a new interception capability, so that it can meet subsequent Technical Assistance Notices.
The range of DCP that could be subject to a request or notice is broad. The Act includes both Australian and foreign communications services and device providers, to the extent the service or device has an Australian user. Foreign DCPs who provide goods or services to Australian users, will need to be prepared to comply with a Technical Assist Request, Technical Assistance Notice or Technical Capability Notice, and may need to raise this with their clients and update their terms and conditions. Besides, apart from telecommunication providers, equipment vendors, smartphone and other device manufacturers and software and services vendors (whether local or global) could also be the subject of a request or notice. Those directly impacted will need to have in place arrangements that allow them to comply with the relevant requests or notices.
Another concern is the Act provides that non-compliance can attract fines of up to A$10 million (US$7.2 million) for institutions and prison terms for individuals for failing to hand over data linked to suspected illegal activities.
Under the new law, enforcement agencies’ demand may put communication providers in awkward positions: given that no judicial warrant is required, providers may have to adjust their system settings and protocols to allow the investigators’ access to data whenever requests or notices are served, which in turn may result in unintended weakening of digital security and increasing potential data breaches in the long run. Soon or later, companies may choose not to develop security tools so as to avoid potential liability. On the other hand, whether there is sufficient check and balance on the exercise of the additional power on the part of the government authorities remains an issue.
Whilst Australia has decided to be one step ahead in respect of safeguarding national security and personal safety, Canada and California have chosen to tighten up rules to allow data subjects to have more control over the processing of their own personal information.
Canada introduced a mandatory breach notification law in November 2018 enabling the Personal Information Protection and Electronic Documents Act (“PIPEDA”) to be in line with the General Data Protection Regulation (“GDPR”). California Governor went much further by signing into law, AB375, the California Consumer Privacy Act of 2018 (“CCPA”) which has been regarded as US version of GDPR, and one of the toughest privacy laws in the country.
The Personal Information Protection and Electronic Documents Act in Canada
According to a report released by Statistics Canada, Cyber Security and Cybercrime in Canada, more than one in five Canadian companies were hit by a cyber-attack in 2017. The new data breach notification law aims to equip entities and individuals with the information they need to take steps to reduce their risk of experiencing harm, which can reduce the overall impact of the breach.
With the new amendments to PIPEDA, an organization in Canada must report to the federal Privacy Commissioner any breach of security safeguard involving personal information under its control and notify an individual of any breach of security safeguards involving the individual’s personal information if it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to an individual. “Significant harm” includes bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record, and damage to or loss of property. The Federal Privacy Commissioner also now has the power to initiate an investigation based on a reported data breach.
Interestingly, unlike GDPR which exempts data controller from complying with the breach notification requirement if appropriate technical and organisational protection measures such as encryption is adopted, it does not appear PIPEDA provides that breaches involving encrypted personal information will necessarily present a low risk of harm, or be exempt from notification, which means the data breach notification requirements apply to all kinds of data, whether encrypted or not.
The Data Breach Notification Statute in California
CCPA confers upon California residents with a qualified private right of action if a consumer’s nonredacted or nonencrypted personal information is the subject of unauthorized access and exfiltration, theft or disclosure as a result of a business’s violation of the duty to implement and maintain reasonable security procedures appropriate to the nature of the information. In particular, a consumer may initiate an individual action or a class action to recover statutory damages of US$100 to US$750 per violation or actual damages, whichever is higher. Seems like encryption is the way to reduce exposure to litigation risk.
Upon further review of Data Breach Notification Statute of California (the first state to enact its Data Breach Notification Law in 2002 with the latest amendments passed in 2017), the statute specifically addresses two situations: (i) encrypted data; and (ii) non-encrypted data. If the data is encrypted but the encryption key or security credential that allows an unauthorized party to render the data readable or usable is compromised, the data breach notification mechanism will also be triggered.
Having data encrypted does not forbid hackers from accessing to stolen data forever. Despite the existence of data breach incident response plan, if the encryption system is not subject to regular review, there is no way to ascertain whether “encryption” has in fact become a tool to avoid reporting an actual data breach.
The current situation in Hong Kong
Hong Kong data privacy protection and cybersecurity legal framework has become talk of the town in these days, in particular after PRC Cybersecurity Law was enacted on 7th November 2016 and GDPR has commenced on 24th May 2018. Can Hong Kong keep pace with global changes?
In relation to law enforcement, there is no specific law in Hong Kong on decryption that compels anyone to assist agencies to decrypt encoded messages or devices or to hand over to officers encryption key. Having said that, investigators could obtain information in a legible form or the decryption key under the United Nations (Anti-Terrorism Measures) Ordinance. In addition, Hong Kong also does not have stand-alone cybercrime and cybersecurity legislation despite the fact that, according to the Hong Kong Police, there were 5,567 computer crime cases in 2017, with an associated loss of HK$1.39 billion.
Speaking of mandatory data breach notification, Hong Kong does not have similar statutory requirement like USA and EU. Given that the present Privacy Commissioner focus more on developing “culture of personal data protection and respect in stakeholders’ DNA as the solution in the longer term”, it remains uncertain whether amendments to the Personal Data (Privacy) Ordinance in this regard will be introduced during his terms of office.
Impact of exponential technological advancement is hardly predictable. Solely relying on organisations to carry out privacy management practice is not enough. Being Asia’s premier data hub, it is time for Hong Kong lawmakers to revisit whether a set of common standards and approaches to cybersecurity and incident response should be introduced to the existing legislation.
For more information on data privacy, please contact us.
This article is for information purposes only. Its contents do not constitute legal advice and readers should not regard this article as a substitute for detailed advice in individual instances.