UK Information Commissioner fines transgender charity Mermaids 25,000 pounds for failing to keep personal data secure

July 19, 2021

The UK Information Commissioner’s Office has fined Mermaids £25,000 for failing to keep personal information secure. The nature of the breach was that personal information found in emails and documents created by staff at Mermaids or its clients was publicly available online. Mermaids were advised by a newspaper of this fact in June 2019. Mermaids contacted the Commissioner that day.

Mermaids is a charity that offers support to young people and their families regarding gender non-conformity. As such the discussions and personal information were very sensitive.

The media release provides:

The Information Commissioner’s Office (ICO) has fined transgender charity Mermaids £25,000 for failing to keep the personal data of its users secure.

The ICO’s investigation began after it received a data breach report from the charity in relation to an internal email group it set up and used from August 2016 until July 2017 when it was decommissioned. The charity only became aware of the breach in June 2019. Read the rest of this entry »

New cyber security rules proposed. Another discussion paper on privacy and cyber security. A good paper, the question is whether anything will come of it.

July 18, 2021

On 13 July 2021 the Federal Government released a comprehensive discussion paper titled Strengthening Australia’s cyber security regulations and incentives as part of its attempts to make the digital economy more resilient.  The focus is on cyber security.  It summarises the issues and raises options across the broad subject headings of:

  • Governance standards for large businesses
  • Minimum standards for personal information
  • Standards for smart devices
  • Labelling for smart devices
  • Responsible disclosure policies
  • Health checks for small businesses
  • Protecting consumers
  • Clear legal remedies for consumers

As papers go it is comprehensive and a good resource in itself as it sources US, UK and European actions (which are far ahead of Australia’s) in cyber security.  But there is nothing stated in the report which hasn’t been written before.  It is candid enough to state that the primary current regulatory framework of the Privacy Act 1988, the Australian Consumer Law and the Corporations Act as well as other more specialised acts are not effective in this area.  Refreshingly the Paper highlights the dissatisfaction with the Information Commissioner’s approach to enforcement of the Privacy Act stating Read the rest of this entry »

ASIC v RI Advice Group Pty Ltd cyber security civil penalty trial pushed off from a 29 November 2021 hearing date to a date in April 2022

May 17, 2021

The civil penalty proceeding in the Federal Court of ASIC v RI Advice Group is a significant case regarding the effectiveness of the Corporations Act 2001 in dealing with cybersecurity issues. ASIC commenced proceedings against RI Advice alleging that authorised representatives of RI Advice were subject to data breaches between 2016 and 2020. ASIC alleges that RI Advice failed to implement adequate policies and systems and provide sufficient resources to manage cyber security and cyber resilience risk. ASIC alleges that these failures constitute a breach of the general obligations of RI Advice’s financial licence under section 912A of the Corporations Act. I provided a detailed analysis of the pleaded case in August last year.

On 19 February 2021 Mr Justice O’Callaghan set down the timetable of the interlocutory steps before trial, being:

  1. The Plaintiff has leave to file and serve an Amended Originating Process substantially in the form served on the Defendant on 26 October 2020.
  2. By 4.00pm on 24 February 2021, the Plaintiff is to file and serve its Amended Originating Process.
  3. By 4.00pm on 1 March 2021, the Plaintiff is to file and serve any Reply to the Defendant’s Defence to the Amended Statement of Claim.
  4. By 4.00pm on 30 April 2021, the Plaintiff is to file and serve the lay witness statements and expert reports upon which it proposes to rely at trial, and a list of documents which it proposes to tender at trial.
  5. The matter be listed for a further case management hearing at 9.30am on 14 May 2021.
  6. The proceeding is tentatively listed for trial with an estimate of 2 to 3 weeks commencing on 29 November 2021.
  7. Costs are reserved.
  8. There is liberty to apply.

RI Advice’s defence was filed on 12 February 2021.  ASIC did not file a Reply.  ASIC’s expert report was filed on 30 April 2021.  So far so good. 

Last Friday RI Advice claimed Read the rest of this entry »

Privacy Awareness week has come and gone and not much has changed

May 10, 2021

It is better to have Privacy Awareness Week than not. It is just that it is poorly promoted and the regulator has relatively little to say. That is a major pity.

This year the Commonwealth Information Commissioner, in addition to an anodyne joint statement by information commissioners, did put out glossy tips for home, tips for work, tips for parents and carers, what to do if individuals receive a data breach notification and 10 steps to undertaking a privacy impact assessment. OVIC had a modest program. The media coverage was thin on the ground with the most notable coverage being ABC News Radio doing a 6.21 minute piece Does privacy still exist in 2021? It is little wonder Governments feel not much in the way of pressure to bolster privacy rights in Australia.

What is interesting is the recounting of the 2020  Australian Community Attitudes to Privacy Survey.  It is something of a behemoth running to 121 pages. Some of the findings are:

  • 70% of Australians see the protection of personal information as an important issue and a major concern in their life.
  • 84% think identity theft and fraud, and data security and breaches, are the biggest privacy risks.
  • Most Australians have a clear understanding of why they should protect their personal information (85% agree), but half (49%) say they don’t know how.
  • 84% feel privacy of information and data is important when choosing a digital service.
  • 87% want more control and choice over the collection and use of their personal information.

These figures are hardly surprising but always worth recounting because there remains an undercurrent of cynicism about privacy and unfounded statements that people have given up on their privacy and are prepared to sacrifice privacy for services or security, or both. As if it is a binary choice. Which it never has been.

The Information Commissioner delivered a speech on 7 May titled Fair, flexible, fundamental: the future of data protection in a digital world where she Read the rest of this entry »

Dani Laidley sues Victoria Police over unauthorised photography and dissemination

May 4, 2021

It was hardly a shock that Dani Laidley sued Victoria Police over unauthorised photos taken when she was in the custody of the Victoria Police. The question was when rather than if action would be taken. And taken it has been, with a writ filed in the Victorian Supreme Court. This follows on 6 police officers being ordered to pay Laidley compensation of up to $3,000 each by an internal disciplinary panel. Those awards are ridiculously small and will be dwarfed by an award in the Supreme Court if the matter proceeds to trial and then judgment. It is more likely that it will settle. The then Deputy Victorian Police Commissioner stated he was appalled by the conduct. The career consequences for the officers have been severe, with a senior constable and constable charged with the unauthorised disclosure of police information and the senior constable also charged with misconduct in public office.

Once the images were leaked online they were shared by 224 Victorian Police. Thirty nine police and public servants are facing or have faced internal disciplinary Read the rest of this entry »

European Commission releases proposed regulatory framework governing artificial intelligence

April 27, 2021

The European Commission has recently released its proposed regulation of Artificial Intelligence. It is the first ever legal framework on AI. Given the impact of the European Union’s implementation of the General Data Protection Regulation (GDPR) on worldwide data collection, use, storage and security, this proposal, if the Artificial Intelligence Act becomes European law, will have a similarly significant impact. The proposal runs to 108 pages with 17 pages of attachments. It will be a seriously large, laborious and slow process to go from its proposal to adoption stage.

There is a useful 10 page overview titled Communication on Fostering a European approach to Artificial Intelligence.  And being the EU there is a 66 page overlong and detailed plan on AI titled Coordinated Plan on Artificial Intelligence 2021 Review.

The media release Read the rest of this entry »

Yet more warnings of cyber security threats, appropriate, but the follow through is the usual. Rhetoric over application

April 23, 2021

The Australian in Business on frontline in cyberspace ‘war’ and the BBC with GCHQ chief warns of tech ‘moment of reckoning’ both report on senior governmental figures in Australia and the United Kingdom warning of the impact of threats to security through the internet.

Andrew Hastie, Assistant Defence Minister, in another series of “canary in the coal mine” grabs highlights the danger of cyber attacks to infrastructure, governments and business. There is talk of a new international cyber and critical technology engagement strategy, meetings of the government’s cyber security industry advisory committee and the need to counter threat actors. He is right that major cyber attacks aimed at government institutions and major infrastructure are a threat to Australia’s digital sovereignty. And of course the article talks up the funding of the international cyber and critical technology strategy which involves spending of $375 million. All very worthy.

But these statements are nothing much new. The threat from hackers has been a problem that has existed for over a decade. Longer. It has evolved over time, as technology has developed and opportunities to monetise the use of malware have grown at an exponential rate. The greater activities of state players have made a difficult situation worse.

Where Hastie and other government members are wrong is in having a top down approach to ensuring that businesses and governmental agencies are properly prepared to deal with cyber attacks. Strategies are fine. But they have no real impact on the day to day operations of businesses, many of which have contact with government. There is little incentive for businesses to do all that is required to minimise cyber attack. Some Read the rest of this entry »

Privacy related proceedings issued against NRL player for release of sex tape allegedly filmed without her consent

In Australia the few notable privacy related cases have involved the use of sex tapes, recordings of former partners involved in intimate sexual conduct.  This was the subject of the claim in the Victorian Court of Appeal decision of Giller v Procopets [2008] VSCA 236 and the Western Australian decision of Wilson v Ferguson [2015] WASC 15 which I posted on here. In both of those cases the actual filming was consensual but the subsequent use of those recordings by rejected male partners was not.

In Victim of Tyrone May sex tape seeks damages the Australian reports that a woman has commenced action against Tyrone May for illegally filming her having sex with him and then disseminating those recordings without her consent.  According to the article the recordings went viral through Facebook messenger and SMS text and ended up on a pornographic website, Porn Hub, reputedly the largest adult website in the world.

Interestingly the woman is suing for “breach of privacy”, presumably alleging there is a tortious cause of action. If successful that will set precedent and be welcome.  At the moment privacy claims languish in the realms of equity, specifically breach of confidence. It is unsatisfactory.

May pleaded guilty to intentionally recording an intimate image without consent.  That may complicate any defence he Read the rest of this entry »

National Institute of Standards and Technology has released a guide on securing the Industrial Internet of Things

The National Institute of Standards and Technology (NIST) is part of the US Department of Commerce.  It is enormously influential in setting standards, worldwide, in the cyber security sphere.  That is relevant in privacy protections as well.  Overnight the NIST released a guideline for comment, Securing the Industrial Internet of Things: Cybersecurity for Distributed Energy Resources.

It is a very topical release and deals with a difficult area of cyber security.  The industrial internet of things involves multiple devices.

The goals of the guide are:

  • remotely monitor and control utility-owned and customer-managed DER assets
  • protect and trust data and communications traffic of grid-edge devices and networks
  • capture an immutable record of control actions across DERs
  • support secure edge-to-cloud data flows, visualization, and continuous intelligence

The guide is aimed to have Read the rest of this entry »

Australian Competition and Consumer Commission succeeds in alleging Google misled consumers regarding its location history settings. Privacy law enforcement via the Consumer Law

April 16, 2021

In a very significant decision of Australian Competition and Consumer Commission v Google LLC (No 2) [2021] FCA 367 the Federal Court, per Thawley J, has found that Google breached sections 18, 29 and 34 of the Australian Consumer Law (the “ACL”).  At 341 paragraphs it is a significant and detailed judgment.

Privacy policies and settings remain problematical in terms of practical, as opposed to theoretical, compliance with the Privacy Act 1988 and in providing consumers with a clear understanding of what the settings actually mean for them.  It does not help that settings are changed regularly and often without notice, with Facebook being particularly notorious in this regard.

It appears that the ACCC is stepping into the regulatory void that would otherwise be occupied by the Australian Information Commissioner in enforcing privacy protections.  By relying on misleading and deceptive conduct provisions of the ACL the ACCC is following the long established approach taken by the US Federal Trade Commission in bringing proceedings for misleading conduct where companies claim to protect privacy or have proper data security when in fact they do not.  That has led scholars to suggest that the FTC has developed a new common law of privacy. It would be a welcome development if the ACCC used its experience and superior litigation skills to enforce privacy protections in Australia.  The Information Commissioner has thus far had a dismal record in the Federal Court regarding consideration of the Privacy Act 1988.

The proceedings commenced in October 2019. Final orders will not be made for at least 14 days as the parties are to provide orders to reflect the court’s conclusions.  Given the nature of the findings it is reasonable to expect Read the rest of this entry »