October

"IBM has announced it has achieved certification under the Asia-Pacific Economic Cooperation (APEC) Cross-Border Privacy Rules (CBPR), the first company to do so, according to a press release. The CBPR system is designed to facilitate data flows between the U.S. and the other APEC member economies, through voluntary, enforceable codes of conduct. IBM Chief Privacy Officer Christina Peters, CIPP|US, said, ""CBPR rules will become the foundation of a globally accepted system that enables data to be shared throughout different regions with strong and trustworthy privacy protections."" Hogan Lovell's Partner Christopher Wolf told The Daily Dashboard, ""APEC CBPRs, containing enforceable commitments for the protection of personal data, are a lot like BCRs (binding corporate rules) that the EU recognizes as sufficient for cross-border transfers. Their adoption and effectiveness suggests that the EU should move its focus from the adequacy of the U.S. legal framework to whether personal data is being adequately protected through mechanisms like the CBPRs."""

"In the case, Austin v Honeywell Ltd, the Federal Circuit Court determined that the Privacy Act 1988 (Cth) is not a ""workplace law"" for the purpose of protecting a person against adverse action under section 340 of the Fair Work Act 2009 (Cth) (Act). However, the judge conceded that a provision within an Act or regulation could regulate the relationship between employers and employees even though the Act or the regulations as a whole did not do so. In any case, the Judge found that the employer had discharged the onus of proving that it had terminated her employment because of her attitude to her manager and not because she had commenced an adverse action claim. Not all statutory rights amount to workplace rights granting protection against adverse action. Whether a workplace right exists depends on whether the provision or Act is aimed at regulating the relationship between employers and employees. The Privacy Act was held not to be a workplace law, therefore it did not give rise to a workplace right."

Australia's privacy and data protection laws are hard to explain and often poorly understood. The first challenge is to explain that the Australian Privacy Commissioner sits in the Office of the Australian Information Commissioner (OAIC) and applies laws that the Australian parliament has misleadingly called 'principles'. The second challenge is describing how to read principles as laws and fit them together with other provisions in the Privacy Act that clearly are drafted as laws. And then there's the difficulty of trying to interpret these provisions when dealing with novel issues such as cross-border cloud deployment and access to personal information held in another jurisdiction (or jurisdictions unknown), geo-tracking of devices, data warehouses, virtualised servers, big data and customer data analytics. Privacy and data protection in Australia has become a confusing landscape, with forests of regulation to get lost in, unexplored corners and many poorly understood rules. At a time when privacy and information security is becoming a major area of concern for governments, businesses and consumers, it is unfortunate that Australia has created such a confusing thicket of regulation and quasi regulation.