Channel Nine cyber attack is a watershed moment…supposedly..or at least that is what the scribes say

March 30, 2021 |

It is quite the month where things “have to change” according to the modern day seers, journalists of our national dailies. I will confine my observation to the cyber attack on Nine last weekend. It has spurred a flurry of reporting fizzing with excited commentary on this Ransomware thing that causes such chaos as knocking live Sunday morning programming out of the park. We are now into day 3 of the media’s voyage of discovery that behind the headline and bland unimaginative by the numbers reporting cyber attacks are serious and can do real damage. Damage like in the analog world if a semi trailer drove through the front gate of Nine’s headquarters and onto the main studio and then blew up. So now Nine has been attacked it embarks upon a serious analysis of what happened and why with Why was Nine hacked and how do cyber attacks actually work?  And the Australian runs a piece Nine hack a ‘wake up call’ because, I guess, the threat wasn’t known before. I mean, Really!  And being the serious media types as they are the ABC gives a quick tutorial on the ups and downs of cyber attack (The sort of thing I have been doing for a decade) as if it were a first year undergrad reading from newly acquired lecture notes.  It is all rather confected outrage.  The problem has been well known for a very long time, digitally speaking, and the players may change in composition over time but the damage they do doesn’t change all that much. 

The need for proper cyber security is vital and that is a message that has sent by all in the privacy and data protection field since cyber attacks began.  Lip service has been paid to it by Governments and regulators because it costs money, time and effort to develop and maintain proper cyber security.  There has always needed to be a comprehensive set of laws that regulate data security and require compliance on the pain of litigation.  Australian Law Reform Commissions and now ACCC have also supported the fundamental need to give individuals a right to enforce their privacy rights and take action in the event it has been interfered with, whether that relates to the handling of their personal information or their physical personal privacy. 

It is in that last respect that the shallowness of the media is so apparent.  In yesterday’s Australian Financial Review in Media sector leads business push against citizen privacy right the media are reported as joining with business against individuals having an enforceable right to take action for serious interferences with their privacy. The submissions by media organisations are the same hoary old arguments that have been raised many times before in the multitude of enquiries on privacy (which inlead to the findings that there should be an enforceable statutory right to take action for an interference with privacy); that it chills freedom of expression, that the OAIC is doing a good job and that the current system works well. Some media groups must feel particularly emboldened because they want to increase the journalists exemptions.  Now that is chutzpah.

The creepiest suggest is by the US Chamber of Commerce which  though that Data privacy rules should be enforced exclusively by government agencies  because then citizens will have the “benefit from appropriate guidance by experts in the field who can understand the complexities of encouraging compliance and innovation while preventing and remediating harms.”  That form of parternalism jars.  It is almost Orwellian. 

There are enforceable privacy rights by citizens in all common law countries except Australia.  Some are grounded in the common law, some are by virtue of statute, some like the UK’s tort developed in equity but was influenced by the the Human Rights Act. 

The media’s arguments are fallacious, self serving and intellectually bankrupt.  But they might work in this yet another round of review if the Government behaves like Australian Governments have done for 30 years, flinch at the final hurdle.

The article provides:

Business groups, led by major public and private media organisations, have criticised proposals that would allow citizens to sue and be compensated for privacy breaches.

The push to head off such plans comes as the Attorney-General’s department is considering 200 submissions from stakeholders on an initial issues paper as part of a major review of the Privacy Act.

Among the submitters, the commercial broadcaster associations, Free TV and Commercial Radio Australia, the two public broadcasters, the ABC and SBS and Nine Entertainment (publisher of The Australian Financial Review) all strongly pushed back on proposals for citizens to be able to sue for privacy breaches.

They argued current arrangements where complaints can be brought to the peak privacy regulator the Office of Information Commissioner were an effective low-cost complaints mechanism that would avoid expensive legal actions.

The media groups were supported by the two big telcos, Telstra and Optus, private hospital operator Ramsay Health Care as well as peak business lobbyists, the Australian Industry Group, the Insurance Council of Australia, the US Chamber of Commerce and the Federal Chamber of Automotive Industries.

The seminal review was announced by Attorney-General Christian Porter, after the Australian Competition and Consumer Commission (ACCC) digital platforms report called for the Privacy Act to be updated for the digital era.

The ACCC threw its influential weight behind the creation of a new private right of action for compensation and a broader statutory tort for serious breaches of privacy.

The proposed personal privacy rights are among a group of threshold issues to reform the Privacy Act and bring it in line European and leading US privacy protections.

The proposal for citizen remedies is supported by the federal Privacy Commissioner, Angelene Falk, after a 2020 citizen survey by her agency, the Office of the Information Commissioner (OAIC) found 78 per cent believed they should be able to claim compensation.

The OAIC said it supported the ACCC’s recommendation “for a direct right to bring actions and class actions …in the federal court or the federal court circuit to seek compensatory damages, as well as aggravated and exemplary damages in exceptional circumstances for the financial and non financial harm suffered as a result of an interference with privacy under the Privacy Act.”

The OAIC submitted the right for compensation and damages should not be limited to just serious breaches, noting this would “substantially curtail its effectiveness” and “preclude many individuals from seeking recourse in the courts for breaches of their privacy.”

Free TV said it strongly opposed the introduction of a statutory tort for invasion of privacy or a compensatory right.

“This would fail to address the issues identified by the ACCC, is not necessary and would place undue weight on an individual’s right to privacy at the expense of freedom of communication.

“A statutory cause of action would only provide a small number of individuals with sufficiently deep pockets the opportunity to pursue litigation after a privacy breach has occurred. For most people this would be meaningless.”

Nine Entertainment argued in its submission that existing processes were working well.

“Sometimes it is important to recognise systems and agencies that are doing a really good job,” Australia’s largest media group said.

“In contrast to a system in which disputes are resolved by litigation, the current regime allows for claims to be heard in a manner that is efficient, cheap and accessible to all.”

“The main beneficiaries of having those claims in the courts instead of the OAIC will be lawyers, as many people will choose to be represented. Lawyers will have incentives to increase the quantum and frequency of claims,” Nine Entertainment said.

Both public broadcasters, the ABC and SBS rejected the need for any direct enforcement or compensatory right, with SBS claiming “any further regulatory requirement is likely to have a chilling effect on journalism.”

At the same time all the media groups called for continuation—and strengthening—of the current journalism exception which exempts media organisations in the course of journalism, if the media organisation has publicly committed to standards that deal with privacy.

The OAIC joined other privacy advocates calling for a proper enforcement procedure to be applied to this exemption.

Telstra said it saw “no need” for either a direct compensatory or new statutory tort, arguing “a well-resourced OAIC as a more effective way of continuing to pursue the Privacy Act’s objectives.”

Publicly listed health care provider Ramsay Health Care opposed any direct rights arguing it would place a “disproportionate burden… especially health care organisations, to triage, manage and respond to privacy-related claims which would be more appropriately managed by the OAIC.“

The Australian Industry group also argued for the OAIC to continue be the complaints forum potentially arguing a new right could open “up the floodgates to a litigious culture.”

“Class actions do not provide individual applicants with greater control over proceedings, particularly where the action is financed by a litigation funder,” the AI group said.

The US Chamber of Commerce said it “strongly advises the Attorney-General’s Department against proposing such (enforcement) changes to the Act.”

“Data privacy rules enforced exclusively by government agencies benefit from appropriate guidance by experts in the field who can understand the complexities of encouraging compliance and innovation while preventing and remediating harms,” the Chamber said.

The Australian Privacy Foundation strongly supported the new personal rights noting the tort had been well considered and supported by all relevant reviews for more than a decade and was “a long-overdue reform that fills a glaring gap in the law.”

The APF said a right of action would mean the “courts will through their judgments set standards for what are appropriate types and levels of penalties and compensation for privacy breaches.”

The NSW Privacy Commissioner, Samantha Gavel, supported a national statutory cause of action, but for serious invasions of privacy.

She noted in her submission this had been the position of the NSW government which in 2016 supported a call by the Australian Law Reform Commission for statutory cause of action for serious invasions of privacy.

“There is strong support amongst law reform bodies for creating a statutory cause of action to provide an adequate remedy for serious invasions of privacy,” Ms Gavel said.

In a joint submission the UNSW Allen’s Technology Hub and the Australian Society for Computers & Law said “the common law in Australia has failed to develop a cause of action in tort unlike other jurisdictions including the UK and New Zealand. This has left Australian plaintiffs without an adequate cause of action for serious invasion of privacy.”

Deloitte also swung its support behind a direct right if action noting it would “raise the profile of privacy within organisations, reducing a compliance-only approach to management of personal information.”

“The 2017 Privacy Index found that 58 per cent of organisations indicated that privacy was important solely because ’it is a law that we need to comply with,” Deloitte said

The Victorian Law Institute called for a Privacy Ombudsman for complainants and said any right of direct action should be narrowly crafted to only apply to “wilful and repeated violation…likely to cause the person physical, serious emotional, or economic harm.”

The Business Council of Australia observed that of the 3000 complaints to the OAIC in 2017-18, only three had ended up with a formal determination.

“The relatively limited number of determinations means there is a limited set of precedents or case studies for business and the community to understand ‘the rules of the road’ where there may be confusion,” the BCA said.

The Attorney-General’s review team is preparing a discussion paper which is expected to be released in May 2021.

The discussion paper will be a public document which provides detail on the submissions received by the review to date and seeks feedback on possible options for reform.

No time table has been released when the government will consider the results of the consultation process.

Leave a Reply

Verified by MonsterInsights