Greetings from Singapore!
Given that the California Consumer Privacy Act of 2018 has been in the limelight for the privacy world the last couple of weeks, it is perhaps timely to return our focus to the Asia-Pacific region.
Unfortunately, the news is not great in this part of the world. A number of privacy leaks are featured in the newsfeed below, ranging from what is reportedly the largest breach of personal information in China in the last five years (affecting up to 130 million customers of hotels operated by the Huazhu Hotels Group) to the revelation that sensitive medical information of hundreds of employees has been left unsecured on a GitHub repository by an Australian staffing agency.
The latter incident potentially raises interesting jurisdictional issues, given the staffing agency is founded by Australians and uses an Australian URL but operates mainly in the Philippines by offering workers residing in the Philippines employment in Australia. It would be interesting to see whether the Philippine National Privacy Commission and the Office of the Australian Information Commissioner (with its recently appointed Australian information commissioner and privacy commissioner) will collaborate in investigating this incident and what form such collaboration would take.
In another case that highlights potential conflicts stemming from the uneven privacy landscape around the world, a British-Australian software developer traveling through Sydney airport had his phone and laptop seized for inspection by officers from the Australian Border Force. It is believed that information on his password-protected devices may have been compromised.
Part of the issue is clearly the broad powers that the ABF has under the Customs Act to examine personal devices where potential security concerns exist. More concerning, however, is the seemingly indiscriminate way that such power has been wielded, particularly with ABF officers examining the personal devices in a separate room and refusing to provide information on what (if any) information will be retained, for what purposes, and for how long.
While this is not the first time that the ABF has gotten into trouble for accessing a passenger’s personal device, I do not think that the issue is a uniquely Australian one. Truthfully, the situation described in the following comment attributed to Greens Sen. Jordan Steele-John might potentially apply to a number of other countries, both within and outside of this region: “Australia’s privacy laws are now so drastically out of step with the rest of the world — especially the EU — that they will cause conflicts and infringe on the rights of citizens from other jurisdictions, especially when you add in the new proposed powers under the Assistance and Access bill.”
Also very insightful was the following quote from the software developer, who is now faced with the unenviable task of having to issue breach notifications to his customers under the EU General Data Protection Regulation: “I don’t mind people looking at the files if that’s one of the directives, but you have to give clear definitions and you also can’t leave the international business travelers exposed like this to having fines or breach notices being served by their own clients. I’m getting messages from fellow business owners that they’re re-thinking their choice to come to Australia to do business over here, they’d rather just do it remotely. They expect that in America, but they don’t expect that behaviour here in Australia.”
With that, I wish you (somewhat) happy reading.
Kind regards,
See Khiang
Comments
If you want to comment on this post, you need to login.