Data Security: Regulatory tug-of-war

Tuesday 17 January 2017

Last year, the European Court ruled that the UK’s proposed Investigatory Powers Act is illegal.

The UK was in the process of passing legislation to allow regulatory and enforcement entities to retain and investigate records of the websites visited by people in the UK. The new Investigatory Powers Act 2016, better known in the UK as the Snooper’s Charter, is being touted as a method to fight terrorism.

Computerworld reported that “Defenders of the legislation, including Prime Minister Theresa May, in her previous role as Home Secretary, say that requiring network operators to store years’ worth of communication data, and allowing government officials to sift through it, is necessary and proportionate for protecting national security and public safety.”

However, May said the public should not be concerned, since the data being collected and reviewed will record only the websites visited, not the specific pages within them.

According to the Daily Dot:

The Court heard that the “general and indiscriminate retention” of data conflicts with European legal standards, to which all EU member states must adhere.

Naturally, concerns surrounding the Act go beyond civil liberties. There is a genuine fear that the storage of this metadata may attract cybercriminals.

On the storage of metadata, The Wall Street Journal reported that “Google Inc. and Facebook Inc. have criticized the legislation in the past and said collecting data in bulk is overzealous. Apple Inc. earlier this year said complying with the proposals would weaken the strength of encryption in the products, making it easier for criminals and terrorists to steal data.”

Precedent for data retention does exist in the form of the Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2015. This Bill also raised concerns when it was first announced; however, while the Bill was implemented to investigate a broad range of crimes, it contains a requirement for enforcement agencies to obtain a warrant before any investigation commences.

Last year, the Sydney Morning Herald reported that a spokesperson for George Brandis stated that:

The Government is working constructively with the telecommunications industry to achieve full compliance by April 2017.

Metadata is the basic building block in nearly every counter-terrorism, counter-espionage and organised and major crime investigation. It is also essential for child abuse and child pornography offences that are frequently carried out online.

With this kind of rationalisation, it would be hard not to envisage other jurisdictions using the same argument to require telecommunication companies to retain their data.

Companies in Australia are expected to be fully compliant with the data retention bill by April 2017.

The sale of private data
Late last year, allegations surfaced that an offshore centre, charged with the storage of data for several Australian telephone companies, had been selling customer data on the black market.

The SMH reported that Chief Executive of the Australian Communications Consumer Action Network, Teresa Corbin, said consumers were "very concerned" about private information being accessed offshore, and she encouraged the Australian Federal Police to investigate. 

"It is actually the telcos' responsibility to make sure that the data is not disclosed to anybody. Ultimately, they are the ones who will be held accountable for that, under Australian law," Corbin said.

This is an interesting approach. And with the deadline now looming, the telecommunications industry must have the requisite systems in place to maintain the data. It is clear that, at the end of the day, it is the private entities charged with storing the metadata, and not the regulators, who will bear the brunt of the reputational risk if something should go wrong.

This means organisations that outsource their services need to ensure they also export their GRC frameworks, because the risk still rests with them, even if the breach happens at the hands of the third party.

Embedding this into your risk and compliance framework?

The UK has shown a clear determination to have data retention for regulatory and enforcement purposes. Certainly, if and when Brexit is formalised, this is a risk of which Australian organisations need to be very aware when doing business in the UK.

Although data retention legislation has not yet been passed in the UK, risk and compliance professionals must be prepared to embed this into their risk and compliance frameworks, and to be aware that this is about more than just complying with investigatory and regulatory powers; it is about reassuring stakeholders that their data is safe. Similarly, stakeholders need to feel there is a level of transparency about how their data will be used.

When doing business in the UK, organisations need to be prepared to contend with social and reputational risk, especially if there is a major breach of communications and correspondence, and even if that breach comes from the regulatory and government agencies themselves.

After all, the public will only be looking at the organisation that collected their data in the first place.