Pokémon Go – catching your private data

12 August 2016 | Professional Indemnity & Financial Lines

Pokémon Go, an augmented reality mobile game that uses mobile GPS to hunt for fictional Pokémon characters, is the latest technological development to raise privacy concerns in Australia in circumstances where the application requests full access to personal user information, including access to users’ camera, location data, emails, calendars, photos and stored documents.

On 14 July 2016, Privacy Commissioner Timothy Pilgrim released a statement highlighting some concerns about the app’s access to private information.

“I am aware of recent media reports of the Pokémon GO app accessing a significant amount of users’ personal information. My office has made enquiries with the provider of the app to ensure the personal information of users is being managed in accordance with the Australian Privacy Act.”

Privacy concerns related to Pokémon Go highlight the importance of companies adhering to their privacy obligations under Australian law. Mobile apps often request permission to access more data than necessary for the operation of the app – data which may be collated and sold to third parties. Many users don’t realise the extent of the data being released and the value it presents for developers and companies.

The recent census denial of service attacks are another significant reminder of the potential vulnerability of private information submitted online.

Under Australian law, both public and private entities are required to adhere to their obligations under the Privacy Act 1988 (the Privacy Act), in particular the “Australian Privacy Principles” (APPs). Although not prescriptive, the APPs require entities to ensure that:

  • personal information is managed in an open and transparent manner, including in accordance with an entity’s privacy policy;
  • individuals are provided with the option of transacting anonymously;
  • individuals are notified when their personal information is collected, stored and used, both nationally and overseas;
  • personal information is maintained and kept secure; and
  • individuals are able to access and correct their personal information.  

Breaches of the Privacy Act can lead to investigations by the Commissioner and potentially prosecution in the Federal Court of Australia. Both corporate and non-corporate entities can face significant monetary penalties.

The Privacy Commissioner may make various determinations under the Privacy Act in response to a privacy breach, most notably a declaration to compensate loss or damage suffered by an affected individual. Loss or damage includes “injury to the feelings of the complainant” and “humiliation suffered” by the complainant.  

In addition to breaches of the Privacy Act, there is a potential for the ACCC to become involved if companies are perceived to be misleading consumers about the information collected. Doing so may represent breaches of the Australian Consumer Law for misleading and deceptive conduct.

Australian entities may soon also be subjected to mandatory notification laws. Although not yet passed in parliament, these proposed regulations will require companies to notify the Privacy Commissioner and affected individuals in instances where a data breach could give rise to a risk of harm. This could prove particularly onerous for national or international companies storing large amounts of personal data. The implications of mandatory self-reporting on a company’s reputation may also be significant. The adverse press surrounding #censusfail provides an insight into how damaging a system breach or hack can be for all involved.

Entities wishing to protect themselves from privacy-related risks, namely damages flowing from breaches of the APPs, whether caused by employees, hackers or technical glitches, should review their insurance policies and potentially introduce cyber cover to ensure they are adequately protected. Cyber policies are specifically designed to provide cover for the financial consequences resulting from misappropriation of data, including costs connected with investigations by the Commissioner, restoring data and business interruption.

Entities should ensure that their privacy policy is accessible to consumers and updated to reflect the requirements imposed by the APPs. Accessing user data should be done with an individual’s consent and the individual should be adequately informed as to how their personal information is stored and used. Companies handling personal information or private corporate information should also consider adopting cyber cover for risks associated with data misappropriation.

The cyber insurance field is rapidly becoming more technical and nuanced both globally and in Australia, with sophisticated insurance products now being released by a number of insurers – offering a suite of fast response capabilities in the event of a cyber attack or privacy breach. 

Simon Black

Principal

Brittany Guilleaume

Lawyer