As is tradition I wish all a very Merry Christmas.  Probably a celebration more keenly appreciated and felt this year than most.  This second year of COVID has been a grind and more difficult than 2020 when we first exerienced the effect of restrictions. 

As is my practice I republish one of the most heartfelt and brilliantly written paean to the Christmas celebration and optimism and being unafraid to reject cynicism of our current age; Yes, Virginia: There is a Santa Claus.  It is as apt today as it was in 1897. More so.  The prose is wonderful and little wonder it is history’s most reprinted newspaper editorial.

The article provides:

DEAR EDITOR: I am 8 years old.
Some of my little friends say there is no Santa Claus.
Papa says, ‘If you see it in THE SUN it’s so.’
Please tell me the truth; is there a Santa Claus?

VIRGINIA O’HANLON.
115 WEST NINETY-FIFTH STREET.

VIRGINIA, your little friends are wrong. They have been affected by the skepticism of a skeptical age. They do not believe except they see. They think that nothing can be which is not comprehensible by their little minds. All minds, Virginia, whether they be men’s or children’s, are little. In this great universe of ours man is a mere insect, an ant, in his intellect, as compared with the boundless world about him, as measured by the intelligence capable of grasping the whole of truth and knowledge.

Yes, VIRGINIA, there is a Santa Claus. He exists as certainly as love and generosity and devotion exist, and you know that they abound and give to your life its highest beauty and joy. Alas! how dreary would be the world if there were no Santa Claus. It would be as dreary as if there were no VIRGINIAS. There would be no childlike faith then, no poetry, no romance to make tolerable this existence. We should have no enjoyment, except in sense and sight. The eternal light with which childhood fills the world would be extinguished.

Not believe in Santa Claus! You might as well not believe in fairies! You might get your papa to hire men to watch in all the chimneys on Christmas Eve to catch Santa Claus, but even if they did not see Santa Claus coming down, what would that prove? Nobody sees Santa Claus, but that is no sign that there is no Santa Claus. The most real things in the world are those that neither children nor men can see. Did you ever see fairies dancing on the lawn? Of course not, but that’s no proof that they are not there. Nobody can conceive or imagine all the wonders there are unseen and unseeable in the world.

You may tear apart the baby’s rattle and see what makes the noise inside, but there is a veil covering the unseen world which not the strongest man, nor even the united strength of all the strongest men that ever lived, could tear apart. Only faith, fancy, poetry, love, romance, can push aside that curtain and view and picture the supernal beauty and glory beyond. Is it all real? Ah, VIRGINIA, in all this world there is nothing else real and abiding.

No Santa Claus! Thank God! he lives, and he lives forever. A thousand years from now, Virginia, nay, ten times ten thousand years from now, he will continue to make glad the heart of childhood.

The ubiquitous use of some software coupled with their vulnerabilities makes for a massive cyber security headache as the Australian’s article Millions face cyber attack via compromised Log4j Java-based software makes clear.  Log4j Java is installed on more than 100,000 devices, apps etc..  In cybersecurity terms it is a story that has been around for a while.  On 11 December Kaspersky reported on the vulnerability.  The Google Security blog put out a post, Understanding the Impact of Apache Log4j Vulnerability on 17 December. 

The Australian article Read the rest of this entry »

The Court of Appeal upheld the summary judgment decision of Warby J in HRH The Duchess of Sussex v Associated Newspapers Limited [2021] EWCA Civ 1810 which found that Associated Newspapers Limited had breached the Duchess’ reasonable expectation of privacy with the publication of a letter from her to her father Thomas Markle.

FACTS

The court summarised the facts as:

• Mr Markle did not attend the wedding of the Duke and the Duchess on 19 May 2018 [14].
• He was admitted to hospital days beforehand for emergency heart surgery.
• Text messages from the Duchess  made it plain that  before the wedding Mr Markle behaved in ways which caused her

“concern because of the publicity they were likely to and did cause, and the impact on her, [the Duke], and [Mr Markle]”.[14]

• • Mr Markle:
    • engaging with the media (e.g. a front-page Mail on Sunday report on 13 May 2018 was headed “Meghan’s Dad staged photos with the paparazzi”, and reported that Mr Markle was “colluding with the paparazzi to stage a series of lucrative photo opportunities”, for which he apologised by text to the Duchess on 14 May 2018).[15]
    • being well aware that the Duke and Duchess wanted him to avoid engaging with the media, and that all their correspondence was personal and private in character [16].
    • continuing, thereafter, to have dealings with the media which resulted in press articles. The Articles themselves referred to “a series of damaging interviews” given by Mr Markle [16].
  • The Duke texting Mr Markle on 17 May 2018 asking him to “stop talking to the press for your sake and hers”, and expressing concern that Mr Markle had not “returned any of our 20+ calls since we all spoke on Saturday morning” [15]. the run-up to the wedding was fractious, revealing substantial differences of approach to dealing with the media.

The letter

• The Letter was sent on 27 August 2018 with bold text identifying words published in the Articles, and italicised text being the judge’s interpolations [18]:

Read the rest of this entry »

The Prime Minister today foreshadowed legislation to unmask online trolls and amend the law of defamation in response to the High Court decision in Fairfax Media Publications Pty Ltd v Voller; Nationwide News Pty Limited v Voller; Australian News Channel Pty Ltd v Voller [2021] HCA 27.  The necessary bills will be released in the next week.  A mid morning media release on a Sunday, usually a slow news day where editors fret on what will fill the front page the next day, guarantees big coverage on Monday.

Extracting the reforms from the media release the changes will involve:

• legislating a requirement that social media platforms to set up a complaints system so as to remove defamatory remarks;
• establishing a new Federal Court order to require social media giants to identify details of trolls to victims without consent.
• Australians and Australian media organisations will not be considered publishers. 
• social media platforms will be considered publishers though liability may be avoided if they provide information which permits victims to commence defamation proceedings against a troll.

The curious thing is that there is already a process for applying to the Federal Court for an order to a social media platform, search engine or internet service provider to identify an author who is using a pseudonym to defame someone.  I make these applications regularly enough as part of my defamation practice.  The principles are well established and the process is not overly onerous.  What new order is required will be interesting to see. There is also concern raised about social media platforms being required to collect personal information which would be provided if the mooted application is made.  That is not as dramatic as has been reported.  Google and Yahoo and other platforms require email addresses and sometimes phone numbers.  They can provide the isp number. It is relatively easy to identify the author from those details.  Similarly if the social media is put on notice about defamatory posts they may currently lose their protection from suit in the Broadcasting Services Act. 

If the Government were serious about Read the rest of this entry »

The Security Legislation Amendment (Critical Infrastructure) Bill passed both houses of the Commonwealth Parliament on Monday 22 November 2021. 

Key elements of the legislation are:

• Section 8D defines the critical infrastructure sector as being:

Each of the following sectors of the Australian economy is a critical infrastructure sector:

                     (a)  the communications sector;

                     (b)  the data storage or processing sector;

                     (c)  the financial services and markets sector;

                     (d)  the water and sewerage sector;

                     (e)  the energy sector;

                      (f)  the health care and medical sector;

                     (g)  the higher education and research sector;

                     (h)  the food and grocery sector;

                      (i)  the transport sector;

                      (j)  the space technology sector;

                     (k)  the defence industry sector.

• section section 8E defines a critical infrastructure asset as being an asset that relates to a critical infrastructure sector. There are definitions of specific types of critical infrastructure assets
• there are very broad definitions of when assets relate to a sector
• the definition of a relevant impact is broad and general
• Part 2B sets out the obligations of mandatory reporting.  Section 30BC, regarding a critical cyber security incident, provides, in part:

Read the rest of this entry »

Another sign, if more more were needed, that data breaches are a chronic and increasingly damaging phenomana when the US Federal Trade Commission (the “FTC”) has issued amendments to the Standards for Safeguarding Customer Information. 

The Final Rule is a very substantial document. It is a useful document for those interested in privacy and cybersecurity generally. Given the dearth of clear and precise definitions, practices and protocols in Australia it is quite useful in Australia.  Like NIST publications it is a much more substantial and useful documents than the vague and opaque guidelines issued by regulators in Australia.

Those who are responsible for maintaining cyber security and establishes procedures and protocols to protect personal information could do worse than read these rules.  It is only a matter of time before the Information Commissioner prepares detailed guidelines which are more consistent with the voluminous GDPR documents or the direct and also comprehensive FTC rules Read the rest of this entry »

On 25 October the Attorney General’s Department released its long awaited Privacy Act Review Discussion paper (the “Paper”).  It is something of a behemoth, being 217 pages long or about half a lever arch folder.  That said, as a veteran of reading many reform papers on privacy over the years it is not the longest or most comprehensive.  That honour falls upon the Australian Law Reform Commissions 2008 Report, For Your Information: Australian Privacy Law and Practice (ALRC Report 108), which filled more than 3 lever arch folders over 3 volumes.  The ALRC’s 2014 Report,Serious Invasions of Privacy in the Digital Era (ALRC Report 123), at 332 pages, was modest by comparison and slightly built on the earlier ALRC report.  The ACCC Digital Platforms Inquiry considered privacy related matters, in particular endorsing and recommending a statutory tort of interference with privacy, coming in at 623 pages.  And there are reports from the Victorian Law Reform Commission and the New South Wales Law Reform Commission on privacy. The point being made is not that I have read a lot of reports. I have.  It is also not that the size of the reports matter.  They don’t.  It is that this Paper is just another in a long line of reports on the need for report of privacy legislation.  And those previous reports were prepared by much more learned authors and were more thorough than this Paper.

The Paper is a constrained work, making many generally uncontroversial recommendations to make interpretation clearer, operation of APPs more relevant and giving some increased powers to the Information Commissioner.  It is far from comprehensive.  It avoids making recommendations about a statutory tort of privacy. Rather it continues the continual policy loop as governments of every persuasion push this issue into further review, then consultation then bury it in a report and then hope it goes away until it is recommended or otherwise finds itself before the Government.  It has been a hugely expensive, time intensive waste of time.  Any body outside of a Government that looks into the issue recognises the need for a statutory tort of privacy.

The Report discusses the small business exception from the operations of the Privacy Act in the broad, on the one hand then on the other way, as well as that of the Employment Records, Political Parties and Journalist carve out but goes no further.  Each exception is anomolous to a greater or lesser degree and the restricted coverage of the Act, covering only 5% of businesses, is a matter that should have been addressed with a firm proposal. Those carve outs make it regulation that is quite limited in scope.

The Paper did not consider the many exceptions to and limitations upon the APPs.  There are too many exceptions which permit agencies especially avoid proper scrutiny.

It is interesting that the Paper quotes the GDPR definitions and practices quite liberally and endorses aspects of the GDPR but refrains from adopting those parts of the regulation, by way of amendment to the Privacy Act 1988, which makes the GDPR a much more effective privacy regulation regime.

The Paper does not consider the role of the Guidelines, which are prepared by the Office of the Australian Information Commissioner’s office, in proceedings.  The Guidelines are important in giving context and detail to the broadly drawn Australian Privacy Principles (APPs).  But they are not regulations.  As such the Administrative Appeals Tribunal and the Federal Court are quite able to have no regard to them, which has happened in cases.  This has made submissions on the interpretation of Principles a fraught affair before the AAT and the Federal Court where applicants have had a poor record of success.  And not because they had weak cases.

Where major revision was warranted the Paper recommends modest improvements.  An improvement is just that, so that is to be welcomed.  But only to that degree. What the Paper does not Read the rest of this entry »

As with the Federal Trade Commission, the US Consumer Financial Protection Bureau (CFPB) is concerned about tech giants untrammelled use of vast amounts of consumers’ personal information.  To that end the CFPB issued orders on Tech Giants to require each to provide information about data harvesting and monetization and access restriction.  

The Director of the CFPB set out the rationale for this significant fact finding exercise in a formal statement.  It provides Read the rest of this entry »

The Federal Trade Commission (the “FTC”) released a report titled A Look At What ISPs  Know About You: Examining the Privacy  Practices of Six Major Internet Service Providers on 21 October 2021.   It is a very significant report as it lays out in detail the poor privacy practices of ISPs in the United States of America. Thsi follows on from FTC previously signalling interest in formulating new online privacy rules. 

The report makes for grim reading in terms of privacy invasive conduct by ISPs in the USA including Read the rest of this entry »

The Attorney General for the District of Columbia is planning to join Mark Zuckerberg, CEO of Facebook, to its consumers protection lawsuit according to the New York Times in Zuckerberg to Be Added to Facebook Privacy Suit.

Claims of this nature which are brought by bodies politic are not unusual in the United States.  They are far less common in Australia where Read the rest of this entry »