Peter A Clarke

Another case of compare and contrast between privacy regulators.  In the UK the Information Commissioner’s Office has announced the finding of investigations involving the use of personal information provided to Facebook by Cambridge Analytica.  The size of the breach of the Data Protection Act is enormous involving up to 87 million users worldwide.  The UK Information Commissioner commenced it investigation into Facebook in February.  It now announces its intention to fine Facebook a maximum of £500,000 as well as Read the rest of this entry »

The Australian in Facebook hit by Australian compensation case for data theft reports that the litigation funder IMF Bentham have lodged a representative complaint with the Office of the Information Commissioner arising out of the Cambridge Analytica use of personal information gleaned from Facebook.  One of the more egregious breaches of privacy by Facebook in recent times.  Which is saying something!  The story is also picked up by the Guardian in Compensation sought for Australians caught up in Facebook privacy breach.

Representative claims before the Information Commissioner is a rarely used provision.  The IMF Bentham quite lengthy statement relevantly Read the rest of this entry »

The Australian Government Agencies Privacy Code came into effect yesterday.  That is effectively today.

As the Privacy Commissioner notes on its media release under the Code agencies are Read the rest of this entry »

On 8 December 2017 Price Waterhouse Coopers, better known as pwc, undertook a review of the Privacy (Credit Reporting) Code 2014.  On 29 May 2018 the acting Information Commissioner and Privacy Commissioner has approved variations to the Privacy Credit Reporting Code 2014.

As a result of that review the Commissioner has amended the following Read the rest of this entry »

It is hard to be more disappointed with the Privacy Commissioner given the consistently inadequate determinations and tepid regulation.  But the Acting Commissioner has managed to show that with time and effort even more dreadful decisions are possible in privacy regulation in Australia.  That is amply displayed in the Commissioner’s response to the Centrelink release of personal information about a Ms Fox who wrote an article critical of Centrelink’s automated debt recovery system as it was used upon her.

The Commissioner’s “concluding statement” Read the rest of this entry »

The Commonwealth Bank of Australia has suffered a major data breach involving the records of 20 million customers.  In 2016.  It has only made this public now after media reports.  The CBA only made a statement after the media reports.  That is a dreadful approach to data breaches.  Conceal until you can’t.  Then obfuscate.  The CBA is not an outlier in its reaction to this data breach.  Unfortunately it is all too common in Australia.  Perhaps that will change with the mandatory data breach notification scheme but proper enforcement is required.  Incredibly the Information Commissioner was notified in 2016.  And took no enforcement action.  No enforceable undertakings even.  That was, and remains, a dreadful mistake.  The Australian Prudential Regulation Authority that has been more active and transparent than the Information Commissioner’s Office in dealing with privacy breaches.  If that is not an indictment on the Information Commissioner Read the rest of this entry »

The Acting Privacy Commissioner, Angelene Falk, recently gave a speech titled Privacy in Digital Media and Digital Advertising.

It is a speech very much in the vein of the previous Privacy Commissioner, completely unobjectionable, very reasonable, topical and accurate.  It hit the current affairs notes, commenting on Facebook/Cambridge Analytica and the topical regulatory change, the upcoming implemention of the GDPR in Europe.  It also is completely neutral about what the regulator expects in concrete terms and what it may do in “fostering a privacy culture…”  And that does not bode all that well for a change in direction for one of the least effective regulators at the Commonwealth level.  Bromides and exhortations to comply with the law are fine but never as effective as strategic and forceful enforcement which will send a message to the market.

The speech relevantly Read the rest of this entry »

The Office of the Australian Information Commissioner has published the first quarterly report on data breach notifications under the mandatory data breach notification legislation which came into effect on 22 February 2018. Not surprisingly the on a pro rata basis the number of notifications far exceeds the rate of notification under the previously voluntary scheme, 63 breaches in 6 weeks as opposed to 114 notifications in the last 52 weeks of the voluntary scheme.  If the rate of notifications remain consistent then 546 reports could be expected, almost 5 times the rate under the voluntary scheme. Because the legislation requires the organisation and agency to undertake self assessment as to whether a breach requires notification and some organisations will seek to take a less conservative approach, and take a risk in doing so, the figures are probably not a complete record of data breaches Read the rest of this entry »

The draft guidelines relating to the impending Data breach legislation coming into effect have now been finalised and were released yesterday.  All 64 pages of them.

While the guidelines are not regulations they will be very important when developing processes and procedures necessary to deal with a data breach.  They will also be important when dealing with data breach.  What is notable about this Guideline is that while it is comprehensive in one respect, addressing key issues in each category, and provides a very useful structure when dealing with a data breach it is drafted in broad and sometimes opaque terms.  That means there will need to be consideration of relevant principles of law when dealing with particular provisions of the Privacy Act.  The absence of case law does not assist.  It is a starting point only for Read the rest of this entry »

According to a report in the Mandarin,Last man standing: information and privacy commissioner Timothy Pilgrim to retire, Timothy Pilgrim, the Privacy and Information Commissioner is to retire on 24 March 2018. It is also reported in itnews, computerworld and zdnet.

Timothy Pilgrim has been one of the better privacy commissioners.  That is a comparative measure only.  His predecessors ranged from ineffective to hopeless.  As a result the privacy and data security culture has been poor.  Pilgrim was far more active than his predecessors both in terms of work rate and general profile.  But objectively measured he was a timid and tentative regulator.  Even with a limited budget from 2014 the Office of the Information Commissioner took a very low profile.  His determinations were excessively conservative and Read the rest of this entry »