PRIVACY IN THE CLOUD AND BIG DATA WHAT FRANCHISORS NEED TO KNOW!

Transcription

1 PRIVACY IN THE CLOUD AND BIG DATA WHAT FRANCHISORS NEED TO KNOW! By Alec Christie, Partner, DLA Piper Franchisors will already be dealing with a number of day-to-day privacy issues arising from their implementation of the new Australian Privacy Principles ("APPs") which became effective from 12 March However, very different privacy issues arise from use of Big Data and the Cloud by franchisors. In this paper we aim to demystify these two ubiquitous IT terms, highlight the privacy issues that arise under the current Australian privacy law and provide some practical tips for franchisors to navigate the privacy landscape in respect of Big Data and Cloud. FIRST: BIG DATA AND THE CLOUD EXPLAINED What is Big Data? Big Data is the tracking and aggregation of a large volume of data (including personal information) from search engine histories, s, sales transaction histories, reward/loyalty programs, app downloads and other sources. The aggregation, tracking and analysis of large volumes of data across such a range of variables can be of considerable value to franchisors, allowing you to gain insight into your markets and consumers, making you more responsive, increasing efficiency and helping to shape possible new offerings or the entry "new" markets. As well as using your own and your franchisees generated data, franchisors are also finding more and more ways of combining their data with that of third parties (as well as publically available information) in order to analyse more variables and to "slice and dice" the data in numerous ways. AGC/SZM/AUM/

2 What is the Cloud? Web based (such as Gmail and Hotmail) and social networking websites (such as Facebook) are perhaps the most ubiquitous examples of Cloud services. However, Cloud services can be delivered through a multitude of models (including non public models such as "private Clouds" and "shared private Clouds"). Although the term "Cloud" does not have a precise meaning, it generally refers to information technology services, for example web based and social networking sites, that: 1. are delivered via the Internet (the "Cloud" being an icon for the Internet); 2. typically have a de centralised IT infrastructure (ie the supplier's data centres are spread across multiple, and sometimes offshore, locations); and 3. are dynamically scalable and used more like a utility (eg electricity) than traditional computing resources. PRIVACY CONCERNS WITH BIG DATA AND THE CLOUD Big Data The collection and use of Big Data gives rise to a number of potentially difficult privacy scenarios for franchisors. One such example, referred to in an article by journalist Aleks Krotoski 1, is the purchase of the social media start-up Social Calendar 2 by US chain store Walmart. Krotoski points out that, when users of Social Calendar listed friends' birthdays or their holiday details, users would have had no idea that the information they included in Social Calendar would end up in the hands of Walmart. The purchase of Social Calendar effectively means that Walmart will, subject to applicable law, be able to cross reference the data from Social Calendar users with its own data to generate profiles of users and 1 2 Article entitled "Big Data age puts privacy in question as information becomes currency" published in 'The Guardian' on 22 April A very popular calendar app on Facebook which allows users to record special events such as the birthdays, anniversaries, etc of family and friends. AGC/SZM/AUM/

3 their friends (and significant events/celebrations in their lives) for very direct and time sensitive marketing opportunities. 3 Perhaps the most dramatic example of the use of Big Data occurred in 2013 when Target's analysis of Big Data determined that a teen girl was pregnant (before her parents knew), but did not flag that she was a teen and sent her direct electronic marketing for baby and maternity products. This incensed the girl's father was Target trying to encourage his teen daughter to fall pregnant? Of course, Target failed to include in its analysis of the Big Data whether this person was over 18 before sending her this marketing. However, Target's analysis of the Big Data was able to determine that she was pregnant (and therefore a potential customer for its maternity wear and baby products). By tracking and analysing her spending habits (not just at Target) Target was able to determine (a) she was expecting a baby and (b) how far along with the pregnancy she was, with unsettling accuracy. Examples such as these make it clear that there is a large gap between what can be done with Big Data, what is currently regulated by privacy law and community perceptions as to what should be done with Big Data. The Cloud Concerns about privacy and control over data are often cited as the major impediments to the growth of Cloud and its wide adoption by both business and government in Australia. In light of the recent celebrity photo leaking scandals, these reservations have been reinforced. Moving to the Cloud means relinquishing a degree of physical control over IT infrastructure and relying, in part, on Cloud vendors to ensure that information is kept private and secure. If the data is stored in offshore locations, those locations may or may not be in countries that have privacy laws which are the same or similar to those in Australia. 3 Of course, this is subject to any consent requirements under the relevant US law. AGC/SZM/AUM/

4 However, contrary to popular perception, Cloud services models are not inherently incompatible with Australia's privacy laws or with privacy protection and security in general. Cloud does not raise legal issues, especially in respect of compliance with Australian privacy law, that are wholly new or even dissimilar to issues that have arisen in respect of other IT services (such as in the outsourcing and offshoring models). In respect of these other IT services, the issues have been successfully managed by well advised franchisors. THE CURRENT AUSTRALIAN LEGAL LANDSCAPE Australia has Federal, State and Territory laws which generally adopt similar (although not identical) privacy principles. The principal piece of Federal legislation, to which all Federal agencies and most private sector businesses (including franchisors) are subject, is the Privacy Act 1988 (Cth). The 13 APPs under the Privacy Act that regulate the collection, holding, use and disclosure of "personal information" have been in force since 12 March The Privacy Act defines "Personal Information" to mean: "information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether the information or opinion is true or not and whether recorded in a material form or not". For example, some addresses (such as alec.christie@dlapiper.com) are personal information, but anonymous information (such as purely statistical data) is not. The application of this regulatory framework to Big Data and the Cloud is discussed below. BIG DATA Outside of privacy and spam, Australian law does not currently regulate Big Data. Although not specific to Big Data, the Privacy Act imposes certain mandatory notification and consent obligations on entities collecting personal information which are relevant from a Big Data perspective. In addition, the SPAM Act prohibits the sending of electronic marketing communications without the prior "opt in" consent of the recipient. AGC/SZM/AUM/

5 Identified vs de-identified information The concepts of Personal Information, de-identified information and the applicability of the Privacy Act to Big Data appear, at first glance, simple enough. However, on further consideration, this is not straightforward in the Big Data context: can the information contained in Big Data ever truly (ie permanently) be de-identified? Big Data has historically been used for tracking the movements and interests of groups in a de-identified form (ie such that it does not identify any individual in the group). Of course, use of de-identified information is not regulated by the privacy law/apps and franchisors are free to collect, analyse and use such data as they see fit. However in recent years, as further potential uses for Big Data are discovered and the associated analytical tools developed, there has been an increasing ability to track (and a trend towards tracking) the movements and predicting the interests of identified individuals. Even if the data is de-identified (ie the franchisor is seeking to track/predict the behaviour of groups rather than individuals), the current (and future) data analysis capabilities are such that aggregation of vast amounts of data and the analysis available across such a vast range of Big Data collected from multiple sources (each of which may be de-identified individually) will almost certainly enable reidentification of the individuals concerned. Of course, as soon as the information is re-identified (or becomes reasonably re-identifiable), the collection, use and disclosure of such will be subject to the obligations of and restrictions imposed on the use of such personal information under the Privacy Act. When are mandatory notice & consent required? If Big Data held by a business includes Personal Information (including information which is reasonably capable of being re-identified), APP 5 requires that the relevant individuals from whom the information was collected be provided with mandatory notice regarding certain matters (such as the purpose of collection, use and the types of entities to which it is likely to be disclosed etc) at or before the time of AGC/SZM/AUM/

6 collection of such information. 4 Also, if any of the information to be collected is sensitive information (such as health records, criminal conviction information, race, sexual preference, etc) or if personal information is to be used for a purpose other than the primary purpose 5 for which it was collected then prior consent of the individual will be required. Franchisors (whether through their franchisees or directly) must provide the mandatory notices and obtain any necessary consent(s) through their privacy policy and processes at the time the personal information is first collected. As part of the process individuals are often required to expressly consent to the privacy policy (including the purposes for collection and any required consents), often by clicking a button or ticking a check-box in order to proceed. However in the Big Data context, at the time of the original collection of the information which later becomes part of Big Data, franchisors (even if they have collected all the relevant data themselves) are often not aware of the full extent of the potential uses they may have for such personal information as part of any future Big Data analysis. In addition, the significant volume of non-identified information collected legitimately without notice to and, sometimes, without the knowledge of the individual (eg via dynamic IP addresses, websites cookies, mobile phone location, etc) may itself become personal information when used as part of Big Data analysis, by being combined with other data and analysed in such a way that results in its identification of or connection to a specific individual. In practice it is expensive and impractical for franchisors to go back to individuals at a future date to renotify and/or re-consent for the new Big Data purpose(s) or for the "new" Personal Information collected (ie when de-identified information is re-identified). As a result many potential uses of the information, to which individuals may not have objected if asked when first collected, remain "locked-up" or, worse, franchisors will simply ignore the privacy law and push ahead regardless, exposing themselves to fines of up to $1.7 million. Essentially, the failure of regulation to keep pace with technology and the rise and use 4 Or, if it is not practicable to provide notice at this time, it can be provided as soon as possible after collection. 5 Or a purpose directly related to the primary purpose. AGC/SZM/AUM/

7 of Big Data acts as an impediment to commercialisation and technological innovation by businesses or, at least, a disincentive for businesses to comply with the privacy law. Where franchisors do anticipate certain future uses of personal information they may need to notify customers of (or require their consent to) either very complex or vague statements in their privacy policies in an attempt to comply with the obligations under the Privacy Act. Some customers may be put off by this and simply abandon the purchase of the goods or services, particularly in the online world. Also, individuals who provide consent without actually reading the privacy policy or understanding what they are consenting to, how their information will actually be used and whose hands it may end up in may be "shocked" by use of their personal information as part of Big Data analysis and there may be a customer revolt against the affected franchisors (even though the privacy policy of the relevant business technically notifies such use). A survey funded by the Australian Research Council identified that more than 60% of respondents rarely or never read website privacy policies. 6 Therefore the use of Big Data for purposes not reasonably expected by customers (particularly in the marketing context), without clear and transparent notice (ie informed consent), will likely result in unfavourable customer sentiment and may significantly increase the risk of a complaint to and investigation (or regulation) by the Privacy Commissioner. Marketing (electronic and traditional) Under the SPAM Act franchisors cannot send electronic marketing communications (such as s, SMS and MMS) to individuals, even if analysis of the Big Data shows that the individual wants such marketing, without that individual's prior consent. If the Big Data includes personal information (as it likely does in most Big Data circumstances), franchisors are also not able to use that personal information to send non-electronic (ie traditional hard copy) marketing if the recipients would not reasonably expect to receive such marketing communications. 6 Survey conducted by Mark Andrejevic of the University of Queensland's Centre for Critical and Cultural studies and presented by the Commissioner in Brisbane on 26 April 2012 at the University of Queensland Privacy Seminar. AGC/SZM/AUM/

8 Where consent is required to use Big Data for marketing initiatives, franchisors are faced with the same consent issues discussed above. WHERE TO FROM HERE? Both the Privacy Act and the SPAM Act were enacted before the rise of Big Data and neither adequately addresses the concerns of individuals or provide clarification for franchisors or other businesses regarding the steps that should be taken to manage the competing interests (ie balancing the protection of an individual's privacy against the commercial desire to use Big Data as a valuable "new economic asset"). Recently there has been much debate around whether uses of Big Data should be subject to increased or specific regulation. Some commentators have suggested that the use of Big Data should be subject to limitations that cannot be circumvented, even with an individual's consent. Others suggest, more reasonably, imposing "informed consent" obligations similar to the overseas transfer consent obligation in the new APPs (ie that the consequences of consent be specifically spelt out for and notified to individuals). Alternatively, we could see a shifting of the obligation for protecting Personal Information to the franchisor/business using that information in the Big Data context and a prohibition on using customer consent to get around those obligations. 7 The 12 March 2014 amendments to the Privacy Act did not specifically address Big Data and the Privacy Commissioner is yet to issue a guidance document on Big Data. However, given that the Commissioner has frequently mentioned the gap between practice and regulation when it comes to Big Data and the resulting pressures placed on the consent model under the Privacy Act (including the recent amendments), we expect some developments in this space in the near future. 7 In submissions to Microsoft in January 2013 the Privacy Commissioner indicated support for a move towards placing responsibility on data users (ie business) rather than individuals in order to ensure that the expectation of privacy is met, rather than the current approach of simply complying with black letter obligations. AGC/SZM/AUM/

9 THE CLOUD In the context of Cloud, the following APPs are especially relevant: APP 8 (Cross border disclosure of personal information) regulates the disclosure/transfer of personal information by a franchisor to a different entity (including a parent or related company) offshore. Before disclosure of personal information offshore, the Australian franchisor ("Australian Sender") must take reasonable steps to ensure the overseas recipient will comply with/not breach the APPs. This can be done by appropriate contractual provisions. However, the Australian Sender will (subject to limited exceptions) remain liable for the overseas recipient's acts and practices in respect of the personal information sent as if the Australian Sender had engaged in such activities in respect of that personal information in Australia and, where relevant, be in breach of the APPs due to the overseas recipient's acts or omissions. APP 11.1 (Security of personal information) requires that an organisation must "take reasonable steps to protect the personal information it holds from misuse, interference and loss and from unauthorised access, modification or disclosure". The Privacy Commissioner has issued a 32 page guidance as to what these "reasonable steps" might include. PRIVACY AND DIFFERENT CLOUD MODELS The practical importance of privacy issues for Cloud offerings very much depends on the nature of the particular Cloud services being acquired. In particular, whether the Cloud offering is simply a renting of the "tin" ie under an IaaS model or is more akin to a managed services, SaaS or EaaS 8 model, where the Cloud vendor has access to, takes possession of or processes the personal information of individuals provided by the customer. 8 "Everything as a Service". AGC/SZM/AUM/

10 Common issues There is (in our view, disproportionate) concern and focus on privacy and data security issues in respect of all Cloud offerings, in particular where the Cloud is (or may be) based outside of Australia. In fact, privacy and data security of information are consistently raised as the two main concerns for Australian businesses considering entering the Cloud. Potential customers (ie franchisors wishing to move to the Cloud) are concerned, where the Cloud offering is based/has servers outside of Australia, that the placing of any of Personal Information in the Cloud always results in a disclosing or transfer of the Personal Information offshore and this raises concerns for franchisors as to whether or not you have the appropriate notifications/consents in place. While there are some real concerns in respect of certain Cloud offerings in certain circumstances in reality, under the IaaS model for example, the data is not usually "transferred" or "disclosed" to a third party (ie the vendor). Rather, the information usually remains under the control of the Australian franchisor and, therefore, does not require any specific notifications or consents as the franchisor remains liable for privacy compliance under Australian law, no matter where it takes the data. Of course, under the managed services/saas model (if the vendor does access or process the customer's data), there are concerns as to overseas transfer/disclosure where the vendor's servers are outside of Australia. However, this can be (and often usually already is) covered by the franchisor's existing notifications/privacy policy and privacy processes. Australian Cloud customers (eg franchisors) are also often concerned (again, we believe, disproportionately) about the possible access to their data by foreign governments (eg under the terms of the USA Patriot Act 2001 or similar legislation of other countries) if hosted overseas. While this is not the place for a philosophical debate about the rights or wrongs of government (including intelligence agencies) accessing one's information and the recent events/publicity around this issue, 9 it is safe to assume that most governments can access one's information (wherever it is kept in electronic form) if 9 For example, the global press about the PRISM program as exposed by Edward Snowden. AGC/SZM/AUM/

11 they want to. In rare cases there may be information of a business (unlikely in the franchise context) which is so sensitive/of such national importance that there must be no chance of it being accessed by a foreign Government and so a foreign hosted Cloud offering is out of the question (as would be any offshoring, outsourcing or third party data centre hosted offering). However, for most franchisors and for most franchisor information, access by the Australian Government or a foreign Government is not either anticipated or overly concerning in a practical sense. While security in general and the security standards to which a Cloud vendor complies are important, the practical impact of the USA Patriot Act for US hosted Cloud offerings (or like legislation or potential actions of foreign Governments for other foreign hosted Cloud offerings) should not be overstated. The IaaS model Where the Cloud vendor is simply renting the "tin" to the customer and is not itself involved in any handling, use or processing of the personal information held by the franchisor, as in the IaaS Cloud model, all obligations with respect to privacy (and, generally, compliance with relevant laws) rightfully rest with the franchisor. In such circumstances it is usual for the franchisor to warrant (and be obliged to ensure) that it has all necessary privacy consents and has made all necessary privacy notifications in order to use the relevant Cloud service. The managed services/saas model Where the Cloud vendor has a more "active" role in handling, holding, using or processing the personal information originally collected or held by the franchisor, then the vendor also needs to consider its obligations under (and be compliant with) Australia privacy law even if, in practice, much of the mechanics of compliance is pushed down to the franchisor. That is, the franchisor must make the appropriate notifications/obtain the appropriate consents to provide the personal information to the vendor, but the vendor still needs to consider its separate privacy obligations. The vendor is also likely, in such circumstances, to have an obligation to notify the individuals (whose personal information the franchisor provides to it) that the vendor now holds their information and to provide the appropriate privacy notifications (usually done via its privacy policy). Of course, there are AGC/SZM/AUM/

12 practical ways of incorporating this into the franchisor's processes going forward but there needs to be extra care taken with (and thought given to) the Personal Information the franchisor has already collected and wishes to put into the Cloud. PRACTICAL TIPS FOR COMPLIANCE Big Data In the absence of clear regulation or guidance from the Privacy Commissioner on Big Data at present, franchisors can adopt a number of best practice steps to minimise the risks of infringing the Privacy Act/ending up being investigated by the Commissioner following a customer complaint. Specifically, franchisors can: Audit existing databases to determine what Personal Information they collect and hold, the purpose of collection and whether they are (or are likely) to track and aggregate such information for marketing purposes or purposes other than for which the information was originally collected. Knowing what you have and how you use it is the first step to compliance. Examine the Big Data used and whether information that is not identified separately is "re identifiable" by combination or through analysis and, if so, review original notices provided and consents obtained at the time of collection of that information. Focus on transparency by providing continuous notification each time there is a change in practices around collection, use or disclosure of personal information. Such notification should clearly set out the main ways in which the new practices are likely to impact individuals. Although keeping individuals informed will not remedy the shortcomings of the Privacy Act in respect of Big Data, greater transparency will (it is hoped) decrease potential customer fall out from unexpected use of personal information as part of any analysis of Big Data. Ensure your privacy policy is clear, concise and customer friendly. Mobile websites and apps should contain a short form privacy notice (ideally no longer than one screen shot) which is easy AGC/SZM/AUM/

13 to locate and which must be viewed before the customer can submit any personal information. The short form privacy notice could contain a link to the full privacy policy. Adopt continuous and flexible consent regimes where business wishes to use Big Data for marketing activities. For example, require customers to re-consent periodically to ensure their consent is current. Consider, in certain circumstances, detangling consents relating to uses of personal information which are not essential to the purchase of the goods or services from the remainder of the privacy policy so that customers can choose to consent to essential and non-essential uses separately. In such cases, incentivise the consent for non-essential uses. Ensure internal practices with respect to the handling of personal information are compliant with the recent guidance documents issued by the Privacy Commissioner (including the "Guide to Information Security"). The Cloud Franchisors which rely on Cloud services commonly address their obligations under the Privacy Act by (i) notifying/obtaining any relevant consents from individuals whose personal information they collect to process and store their information in the Cloud (often pushed down to the franchisees to do) and (ii) by placing appropriate Australian specific contractual obligations of privacy on the Cloud vendor. From a privacy perspective, some of the most important matters for franchisors to fully investigate and understand when negotiating an agreement with a Cloud vendor include: the types and sensitivity of the information that the franchisor wants to put into the Cloud (eg personal and/or confidential information about customers and employees); what privacy and other obligations the franchisor has with respect to the information (eg contractual, regulatory or statutory obligations); AGC/SZM/AUM/

14 the mechanisms and protections that the vendor has in place to protect and manage the information, including disaster recovery processes to protect against data loss; the locations of the vendor's data centres and other infrastructure and, if offshore locations are involved, what foreign laws will apply; and the vendor's reputation and track record in relation to security and privacy. A franchisor that enters into an agreement for a Cloud service should ensure that the agreement places appropriate privacy related obligations on the vendor. However, the franchisor also needs to ensure that it understands (and does not try and impose on the vendor) the privacy obligations which are rightfully those of the franchisor or, practically, are best managed by the franchisor (eg around the original collection of the information). Some of the appropriate vendor obligations to consider will relate to: retention of ownership of the information (ie ensuring it is clear that the information is owned by the franchisor); security arrangements to ensure that all information is safeguarded and secure and gives the franchisor the right to audit the vendor's compliance with security arrangements; reporting of information breaches and indemnities with respect to losses resulting from privacy related breaches; disaster recovery measures to help protect against information loss; storage of information only in nominated countries that have privacy protections which are compatible with Australian privacy law; and rights to audit and access information, including a right to the return of information when the agreement ends. Of course the ability to demand and negotiate contractual measures and protections will depend, in part, on relative bargaining position of the parties, the contract value and the type of Cloud services being AGC/SZM/AUM/

15 acquired. Accordingly, in some circumstances, a franchisor may be forced to assess the risks of proceeding without certain security or privacy protections against the benefits/cost savings it will receive from the Cloud service. CONCLUSION The use of Big Data and the Cloud by franchisors (and businesses generally) will only become more pervasive in the years to come. However, this increased use of Big Data and Cloud services by franchisors raises a variety of privacy, security, regulatory and other practical issues that need to be carefully addressed and managed by franchisors. While the regulation of Big Data is relatively undeveloped in Australia, practical measures can be taken now to minimise legal risks and to prepare for any changes in the regulatory landscape. From a privacy perspective at least, the legal issues that arise in respect of Cloud services are similar to issues that arise in the context of outsourcing, offshoring and other IT service models and can, as in these other areas, be appropriately managed and dealt with in the agreement between the parties. It is crucial that your legal advisor fully understands the nature of both the Cloud and Big Data and your privacy obligations in order to be able to tailor the legal protections for your organisation and to ensure compliance with privacy law/the APPs. AGC/SZM/AUM/