Australian data laws to mirror the UK, Germany: Fieldfisher

Data protection laws in Australia could soon mirror those in Germany and the UK, according to a new report by European law firm Fieldfisher.
Written by Leon Spencer, Contributor

European law firm Fieldfisher has released a study suggesting that the legal regime around data protection in Australia will soon mirror the regimes in the UK and Germany.

This is significant because, according to Fieldfisher, the legal regimes in the UK and Germany are quite severe with respect to companies and other organisations holding private data, and such changes would impact the way Australian businesses handle their data.

Fieldfisher's white paper, which was created in partnership with data security company Vormetric, examined the legal and regulatory obligations to encrypt personal data in three of the major economic regions of the world: Europe, the US, and the Asia Pacific region.

It argues that, whether expressly or by implication, the laws in those regions give rise to a clear need to deploy encryption technologies to protect personal data.

According to the paper, "The legal obligations for encryption of personal data", the UK's Data Protection Act 1998 requires data controllers to take "appropriate technical and organisational measures" to keep personal data safe and secure.

In Germany, the Federal Data Protection Act places an obligation on bodies processing personal data to take "appropriate technical and organisational measures" to preserve data security, and explicitly refers to encryption technologies for that purpose.

In Australia, the Privacy Act 1988 is the core legislation, and in late 2012, the Australian parliament passed the Privacy Amendment Act 2012, which came into effect in March this year.

The original Privacy Act contained the National Privacy Principles (NPPs), the fourth of which governs data security, and stipulates that "an organisation must take reasonable steps to protect the personal information it holds from misuse and loss and from unauthorised access, modification or disclosure".

According to the paper, encryption is, by implication, likely to be considered a reasonable measure to implement in order to protect personal information.

The requirement to encrypt personal data in Australia is also set out in regulatory guidance published by the Office of the Australian Information Commissioner (OAIC) in April 2012: "Data breach notification – A guide to handling personal information security breaches" (PDF), which is aimed at helping organisations respond effectively to data breaches.

The paper said that, although Australia's legal framework for encryption was principally based on EU data and e-privacy law, there was a "very high probability that legal regime in Australia will mirror that in the UK and Germany soon."

For Fieldfisher partner Phil Lee, this dynamic is just one face of a larger, global trend that is seeing the emergence of an international consensus around data security laws.

"We are witnessing a unique legal phenomenon; there is a global convergence of data security law and regulation around the issue of encryption so that it does not matter where in the world your organisation operates — regulators everywhere increasingly expect encryption of sensitive data, computers, databases and applications," said Lee.

The report comes as internet giant Google boosts its Chrome encryption while also releasing a report highlighting the variable encryption rates of other providers and domains around the world.

According to Google's Safer Mail Transparency Report, released earlier this week, 71 percent of outbound messages from Gmail to other providers globally were encrypted in transit. By contrast, only 49 percent of inbound messages globally from other providers were encrypted in transit.

The report showed that in the Oceania region 99 percent of outbound Gmail messages sent via Telstra's Bigpond network were encrypted, while messages from Bigpond itself were not encrypted at all, scoring a zero percent rating.

However, Telstra disagreed with the report, saying that it included encryption for all of its mail systems.

"We have a range of security measures in place to protect our customers across our network and on our Bigpond email service," a Telstra spokesperson told ZDNet. "They include SSL/TLS encryption at key stages of the webmail product and additional security for desktop email clients and smartphone users.

"We are confident in the security of our product. We are also always looking for ways to improve, including further encryption."
