In July and August 2015, a Canadian dating website operator, Avid Life Media (ALM), was subject to a data breach. The Australian Privacy Commissioner and the Privacy Commissioner of Canada investigated the incident together and released a joint report regarding their findings. The affected websites included the Ashley Madison dating website which had users in over 50 countries. Among other disclosures, the unauthorised access resulted in the online posting of details from approximately 36 million Ashley Madison user accounts. For further details on organisational takeaways from the investigation, please see this article.  

The two regulators collaborated on this investigation as they are both members of the Asia-Pacific Economic Cooperation (APEC) Cross-border Privacy Enforcement Arrangement. This arrangement creates a framework for regional cooperation in enforcing privacy regulations by facilitating information sharing, providing mechanisms to promote effective cross-border cooperation and encouraging information sharing with respect to enforcement. The investigations were conducted in accordance with each regulator’s investigatory powers under their relevant privacy legislation. 

In terms of process, the joint investigation team investigated the circumstances of the breach and how it had occurred. This included interviewing senior members of ALM and reviewing the website, the data breach notifications made by ALM to each regulator, the written responses from ALM to each regulator’s questions, the ALM website terms prior to and at the time of the breach, security reports and information provided by a cybersecurity consultant, and ALM’s IT operational procedures and security and privacy training materials.

Each commissioner then analysed the investigation’s findings in accordance with the relevant legislation for their jurisdiction. 

The report sets out each area of concern, and the regulators then analyse the impact of the relevant legislation separately for each of Australia and Canada. The key areas of concern were:

  1. information security
  2. indefinite retention and paid deletion of user accounts
  3. accuracy of email addresses
  4. transparency with users

For the first three concerns, the privacy legislation in both Australia and Canada was relevant, meaning that the regulators jointly proposed recommendations for ALM, including both compliance and confirmation of compliance mechanisms.

For the fourth concern, the Australian Privacy Commissioner noted that it was not an issue under Australian privacy laws, so the Canadian Privacy Commissioner set out its own recommendations regarding transparency with users.

In terms of enforcing the recommendations from the joint report, ALM agreed to enter into similar enforceable arrangements with each regulator under their relevant privacy legislation – an enforceable undertaking with the Australian regulator and a compliance agreement with the Canadian regulator. Both of these agreements contained similar obligations for ALM in terms of improving its internal processes and reporting to each regulator as to its progress, including obtaining independent reports regarding compliance.

Globally, privacy regulators (including Australia and Canada’s various privacy regulators) have been working together as part of the Global Privacy Enforcement Network (GPEN) and have collaborated on projects such as the 2015 GPEN Privacy Sweep concerning children’s online privacy, the 2014 GPEN Privacy Sweep concerning mobile apps, and the 2013 GPEN Privacy Sweep concerning privacy practice transparency. The 2016 GPEN Privacy Sweep, which took place in April, focused on the “Internet of Things”, and the findings of the sweep are expected to be released this fall.

In addition, privacy regulators have worked together for several years now outside of GPEN. For example, in 2013, the Privacy Commissioner of Canada jointly investigated WhatsApp Inc. with the Dutch Data Protection Authority (College bescherming persoonsgegevens).

In Canada, the federal privacy regulator (the Privacy Commissioner of Canada) has, for many years, worked collaboratively with provincial privacy regulators such as the Alberta Information and Privacy Commissioner, the British Columbia Information and Privacy Commissioner, and the Ontario Information and Privacy Commissioner.  For example, in 2015, they issued joint guidance on law enforcement and the use of body-worn cameras, and, in 2014, they issued a joint statement on national security and law enforcement measures.

As data breaches with a global reach necessarily increase, collaboration amongst regulators will only increase in the future as they seek to maximise their resources in both investigating and analysing large scale breaches.

Contributors: Anne-Marie Allgrove, Anne Petterd, Dean M. Dolan, Ju Young Lee, and J. Andrew Sprague