Another tech giant privacy breach! Is your organisation protected?
Assisted by Isabella Krstanovski.
Early 2018 saw social media giant Facebook plagued with a high-profile privacy scandal, which revealed that millions of Facebook profiles had been used by Cambridge Analytica for political purposes, without the consent of users. Just as some social media users began to believe that privacy breaches were a thing of the past (or at least, that their frequency would be), another scandal hit a different tech giant: Google.
In the wake of this scandal, it is starting to look like Google may well be the next digital head on the chopping block (or at least, the next tech company to receive unwanted media attention with regard to a privacy breach), following the Wall Street Journal revelations on the technology giant's social media platform, Google+.
The Wall Street Journal recently revealed that Google had left users of their social media platform Google+ vulnerable following the discovery of a bug, which potentially exposed the data of over 500,000 users to 438 external applications. This meant that these external apps could have potentially accessed Google+ users' genders, ages and email addresses without their permission. In a blog post by Ben Smith of Google, it was confirmed that there was no evidence that the data had been misused.
So, what's the issue?
Privacy breaches are incredibly serious issues, particularly those on this large of a scale. Another major factor in Google being caught under such fire was their failure to disclose the issue to potentially affected users. As it turns out, Google was aware of the breach back in March 2018, around the same time that the Facebook privacy scandal was making headlines. However, the company's Privacy & Data Protection Office opted to keep the breach quiet, as they did not believe that they were legally required to disclose it.
Google looked "at the type of data involved, whether [they] could accurately identify the users to inform, whether there was any evidence of misuse, and whether there were any actions a developer or user could take in response", eventually coming to the conclusion that "none of these thresholds were met". Whilst Google did immediately patch the bug in March 2018, their decision not to disclose the breach to the affected users is a big part of what has their customers worried.
New laws were recently introduced in both Europe and the American state of California in order to strengthen the privacy rights of internet users. The laws now require companies to disclose security breaches. This new scandal demonstrates both the relevance and importance of these new laws, as they will help to ensure the development of trusting relationships between internet users and large companies such as Google and Facebook. With this said, the scandal has also demonstrated that there is still a long way to go with regard to the development of this trust.
In Australia, the Privacy Act 1988 ('the Act') currently governs how entities are permitted to use personal information linked to social media users, although there are limits on the level of protection under the Act. Protection under the Act is contingent on whether an organisation (in this context, a social media platform) is part of an organisation which has a link to/presence in Australia, whether it carries out business in Australia and whether it has an annual turnover of more than $3 million.
It is important to note that this means that whilst there are indeed privacy laws in place, there may be instances where the laws are not applicable.
What's next for Google+?
Google+ was launched in 2011, with Google hoping that it would be seen as a legitimate competitor to Facebook, although it has been announced that Google will be throwing in the towel, with the social media site set to be shut down in August 2019.
This particular Google-centric scandal does seem to demonstrate the fact that social media users' concerns are not just focused on the initial privacy breaches themselves, but that consumers are quick to take issue with the way that organisations choose to (or choose not to) disclose information relating to such breaches, especially if the announcements are not handled swiftly and with complete transparency.
As such, it may well be the case that Australian privacy laws need to be strengthened in order to ensure that users are made aware of these types of privacy breaches - although it should be acknowledged that the European General Data Protection Regulation (GDPR) regulations do apply to Australian organisations of any size that either:
- have an establishment or presence in the EU, or
- do not have a physical presence in the EU, but;
a) offer goods and services to European-based individuals, or
b) monitor the behaviour of European-based individuals.
If you would like to speak with a lawyer in Coleman Greig's Privacy and Data Protection team with regard to a suspected privacy breach, or you would like to ensure that and private/confidential information held by your company is effectively protected against a privacy breach, please don't hesitate to get in touch with us.