Doctor charged after camera found in staff bathroom at Austin hospital

July 11, 2025

Cameras placed in toilets or showers have been a feature of privacy-intrusive behaviour for almost as long as there has been working photographic equipment. In May the ABC reported in Women filmed in bathroom without their consent, former housemate to be sentenced over violation, as did the Guardian in ‘Every time I took a shower I thought: is he watching me?’ – the terrifying rise of secret cameras. Yesterday the ABC reported in Junior doctor charged after camera found in staff bathroom at Melbourne hospital that a trainee surgeon has been charged with stalking and using an optical device after a camera was found in a staff toilet at the Austin Hospital in Melbourne.

In Australia the common law has not developed a protection of privacy, and equity has done so only tentatively. The preference of legislatures was to criminalise such intrusive behaviour but to shy away from providing civil remedies. That was an inadequate response. That significant gap in the law has been filled by the enactment of a statutory tort of serious invasion of privacy on 10 December 2024, taking effect on 10 June 2025. Behaviour as described in the ABC articles would provide a strong basis for issuing proceedings alleging a serious invasion of privacy.

The earlier ABC article provides:

When Sarah* moved into her first Sydney share house, the Canadian expat thought it was a “completely safe, normal environment”.

Months after moving out, she would find out it was the backdrop of a horrific violation of privacy and trust, perpetrated by her former male housemate. Read the rest of this entry »

Qantas data breach saga continues apace, moving to commentary

July 10, 2025

The Qantas data breach saga is following a predictable trajectory, largely because of a poor initial response to the data breach. The coverage has moved, having begun that transition yesterday, from the data breach itself to the impact on customers, continuing problems with communication and possible compensation. As the story has developed, victims, or just upset customers, have come forward to provide colour and put Qantas in an even poorer light. The stories are widespread, including the Australian’s Qantas cyber incident: frequent flyers, customers await update on stolen data, the SMH’s Qantas hack will haunt affected customers for a long time, experts warn and Qantas hack victims could get compensation, say experts, and the ABC’s Qantas data breach: questions remain. And, as with data breaches where there are internal issues and a poorly managed data breach response, the leaks come thick and fast, as Crikey demonstrates with ‘This isn’t a one-off glitch’: Qantas pilots blast airline over data hack of 6 million customers.

The coverage demonstrates how important it is for companies to move quickly and transparently to respond to a data breach. It also highlights the poor understanding of privacy law underlying some of the claims made. The Qantas data breach saga is a lesson in how not to respond to a data breach.

The SMH’s Qantas hack victims could get compensation, say experts highlights the sketchy understanding of how civil penalty proceedings operate and what options are available for seeking compensation. The story accurately sets out the maximum penalty the Federal Court could impose if a civil penalty action were brought under section 13H of the Privacy Act 1988. But that does not equate to compensation for consumers. It is a penalty. Whether the Privacy Commissioner distributes whatever penalty is imposed is unknowable. Given that, Dr Srivastava’s quoted statement as to how the Privacy Commissioner operates is confusing. A more likely route for compensation would be a class action alleging various common law causes of action and potentially statutory claims. It is possible, but difficult, to consider using the new statutory tort of serious invasion of privacy. It would be necessary to show that Qantas’ conduct was reckless. The article provides:

Qantas customers affected by the data hack could ultimately be entitled to compensation if the airline were found to have breached passenger privacy, experts say.

A week after Qantas disclosed the loss of data of up to six million customers, consumer law experts say the airline could ultimately face penalties, if a series of conditions are met.

Qantas detected unusual activity on a “third-party platform” used by the airline’s contact centre in Manila early last week, prompting an investigation, which determined customer names, email addresses, phone numbers and birthdates, as well as frequent flyer numbers had been accessed, through a third-party vendor to Qantas.

The airline disclosed the breach, which has been suspected to be the work of a criminal cybergang called Scattered Spider.

On Monday, Qantas said “a potential cybercriminal has made contact” with the airline, saying it was “working to validate” the communication. Cybersecurity officials fear the data could ultimately be used as ransom.

The uncertainty over the status of customer data highlights the volume of data held by Qantas.

Maurice Blackburn class action lawyer Lizzie O’Shea, who specialises in privacy issues, said: “Qantas is a holder of a very significant amount of consumer information, involving huge amounts of data that are used for all sorts of purposes, including profiling consumer behaviour.”

Australian privacy law requires an entity to take reasonable steps to protect customers’ information from misuse and unauthorised access.

The use of the data “may not meet the standards of what most people expect for the way the data is collected and how it’s used,” O’Shea says.

There is no “social license for companies to collect huge amounts of data”, especially as polls show the public continues to show a preference for stronger data protections, she says.

“For that reason, these kinds of data breaches are hugely illuminating for the public. They act as a lightning rod for consumer frustrations, which are usually accompanied by a call for governments to enact stronger privacy laws.”

It’s understood that following the high-profile and damaging hacks of Medibank Private and Optus in 2022, Qantas purged old customer data.

Monash Business School Department of business law academic Dr Aashish Srivastava said: “Under the Privacy Act, if there is a data breach and the customer complains to the Office of the Australian Information Commissioner, and after an investigation the OAIC finds there were privacy breaches by Qantas, as part of that, the OAIC can give the consumer some kind of remedy for any loss or damage suffered as a result of the privacy breach.”

Under the Privacy Act, the watchdog can impose a range of civil penalties, from a maximum of $2.5 million for an individual and up to $50 million for a company. Optus and Medibank were the target of class actions following their damaging losses of customer data during separate hacks. The privacy watchdog also took civil action against Medibank.

The watchdog conducted a routine review of Qantas’ frequent flyer data management in 2017, finding that while all “personal information is stored in Australia, Qantas frequent flyer use several offshore customer service centres”.

At the time, Qantas conducted “overseas contract staff background checks” and put provisions in employee contracts “related to the handling of personal information”, the OAIC said.

The watchdog in 2019 recommended in the assessment that the Qantas frequent flyer program “develops and implements a privacy management plan that sets out specific goals and objectives for its privacy management with consideration of the specific issues that apply to its operations”.

The Notifiable Data Breaches scheme requires companies to notify the Office of the Australian Information Commissioner and customers “at risk of serious harm from … a data breach”.

Cybersecurity expert Lani Refiti, from national security firm Azcende, said that if a ransom were sought at this point, Qantas’ corporate and government-led cyber response team would have to be in discussions with the attackers.

Qantas is investigating after it was contacted by a suspected cyber criminal days after a major hack.

Read the rest of this entry »

The Qantas saga continues with Qantas providing details of what was stolen while customer anger grows

July 9, 2025

Qantas has finally posted details of the compromised personal information by way of an update today, nine days after first detecting the intrusion. The stolen data related to 5.7 million customers. Of that number:

  • 4 million customer records are limited to name, email address and Qantas Frequent Flyer details. Of this:
    • 1.2 million customer records contained name and email address.
    • 2.8 million customer records contained name, email address and Qantas Frequent Flyer number. The majority of these also had tier included. A smaller subset of these had points balance and status credits included.
  • Of the remaining 1.7 million customers, their records included a combination of some of the data fields above and one or more of the following:
    • Address – 1.3 million. This is a combination of residential addresses and business addresses including hotels for misplaced baggage delivery.
    • Date of birth – 1.1 million
    • Phone number (mobile, landline and/or business) – 900,000
    • Gender – 400,000. This is separate to other gender identifiers like name and salutation.
    • Meal preferences – 10,000

So the majority of the stolen records were limited to names, email addresses and Frequent Flyer details. That is plenty to undertake some phishing and a good start for identity theft. Those 1.7 million customers whose residential addresses, dates of birth and phone numbers were taken are in a more vulnerable situation. Those data points are very useful for a range of illegal activities, especially identity theft.

Qantas has finally provided some advice and pointed to IDCARE as providing assistance. It is fairly rudimentary but better than the non-responsiveness of earlier days.

This has prompted another round of media coverage with the Australian’s Qantas reveals extent of personal details stored on database that was subject to cyber attack and Major update after 5.7 million Qantas customers affected by widespread cyber attack. And some prognosticating with Qantas cyber hack highlights danger of storing huge banks of customer data, says legal expert. Of particular Read the rest of this entry »

Another jurisdiction implements children’s online privacy code, this time Nebraska’s Age Appropriate Design Code

July 8, 2025

The protection of children’s privacy online is a key area of regulation and development worldwide. The US State of Nebraska has, from 30 May 2025, implemented an age-appropriate design code law. The Code mandates that online service providers prioritise children’s privacy and safety through proactive design principles. Effective January 1, 2026, the Code imposes stringent requirements on covered entities, including data minimisation, default privacy settings, and restrictions on targeted advertising to minors. Enforcement by the Nebraska Attorney General begins on July 1, 2026, with penalties of up to $50,000 per violation.

The Code requires collection and use of only the minimal personal data necessary to deliver the specific services a minor knowingly engages with. Data use beyond this purpose is prohibited unless explicitly consented to by the minor or their parent.

There is an obligation for online services to have default settings which offer the highest level of privacy protection for minors including:

  • limiting communication between minors and other users;
  • preventing unauthorised access to minors’ personal data;
  • restricting precise geolocation tracking;
  • allowing the minor to control all design features unnecessary to operate the services requested by the minor;
  • permitting the minor to control personalised recommendation systems by allowing opt-in to chronological feeds or prevent certain types of content from being recommended; and
  • controlling the use of in-game purchases by allowing opt-outs or the option to limit such purchases.

These settings apply to ‘covered design features’.

Under the Code there Read the rest of this entry »

The Qantas saga continues, with possible contact by the cyber hacker

The media report (in the Australian amongst others) that a/the cyber hacker has approached Qantas, and it and the Australian Federal Police are determining whether the approach is genuinely from the cyber hacker. As per usual, Qantas has stated that there has been an approach but said nothing else. That is consistent with the approach taken by many Australian companies affected by data breaches, but not consistent with best practice in the United States, where there is more candour which, usually, results in more sympathy. It is a different story when it comes to paying to remove ransomware. In that regard non-disclosure is universal. Given that the Australian Federal Police are trying to determine whether the approach is from the hacker or just an opportunist, there won’t be any payment of ransom.

There is some confusion about what to do regarding ransoms. It is not illegal to pay a ransom. It may be illegal not to report such a payment. Whether a payment is reportable depends on the circumstances and on applying them to the legislation. It can be quite a technical exercise.

Under Part 3 of the Cyber Security Act 2024, which took effect on 30 May 2025, entities covered by the legislation must give notification of ransom payments that have been made in certain circumstances. The legislation sets out the process in detail. It is important to appreciate that some assessment is required to determine whether an entity is obliged to make a report or not.

Entities covered by the legislation are those:

  1. responsible for critical infrastructure assets under Part 2B of the Security of Critical Infrastructure Act 2018 (Cth); or
  2. carrying on business in Australia with an annual turnover exceeding $3 million. The coverage is set out in the Cyber Security (Ransomware Payment Reporting) Rules 2025.

An entity must Read the rest of this entry »

National Anti Corruption Commission uncovers data breach by immigration officer while investigating corruption

July 7, 2025

iTnews reports in Home Affairs officer accessed data on “friends and associates” that a former immigration officer accessed restricted data relating to 17 friends and associates 1,164 times in 6 years. These actions were discovered by the National Anti-Corruption Commission while investigating unrelated corrupt practices by this officer. This is a serious failure of data management under the Privacy Act 1988. If there was no lawful reason to access the personal information of these individuals then that officer did not have authority to access that information. The Department’s failure is in not having systems to detect such breaches of the Privacy Act. Software to detect unusual or unauthorised access exists. Banks have systems, monitored by IT departments, which raise flags when an employee seeks to access, or does access, an account which has nothing to do with his or her role. In the bank setting that results in instant dismissal. That there was no such system in the Department is a major failing in its data protection architecture.
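The detection the paragraph describes, flagging record accesses that have no link to the accessing officer’s assigned work and counting how often the same subject is looked up, is simple to implement once access logs carry a case reference. The following is an added illustration, not code from the Department, iTnews or the Commission; the log format (`timestamp|officer_id|record_id|case_id`), the officer and case identifiers, and the assignment table are all constructed for the example.

```python
"""Flag record accesses with no justification in the accessing officer's assignments.

Added example: the audit log format and all identifiers below are constructed.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass

# Constructed sample audit log (not real data). Assumed format per line:
#   timestamp|officer_id|record_id|case_id   (case_id empty when none was supplied)
SAMPLE_AUDIT_LOG = """\
2024-03-01T09:12:03|officer42|REC-1001|CASE-7
2024-03-01T09:15:44|officer42|REC-1002|CASE-7
2024-03-01T11:02:10|officer42|REC-5550|
2024-03-02T08:40:21|officer42|REC-5550|
2024-03-02T16:55:09|officer42|REC-5551|
2024-03-02T17:01:33|officer17|REC-1003|CASE-9
2024-03-03T10:10:10|officer17|REC-5550|CASE-3
"""

# Assumed assignment data: the cases each officer is currently authorised to work on.
ASSIGNMENTS = {
    "officer42": {"CASE-7"},
    "officer17": {"CASE-9", "CASE-3"},
}


@dataclass(frozen=True)
class AccessEvent:
    timestamp: str
    officer_id: str
    record_id: str
    case_id: str  # empty string when the access carried no case reference


def parse_audit_log(text):
    """Parse the pipe-delimited log into AccessEvent objects, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        timestamp, officer, record, case = line.split("|", 3)
        events.append(AccessEvent(timestamp, officer, record, case))
    return events


def find_unjustified_accesses(events, assignments):
    """Return events where the officer cited no case, or a case they are not assigned to."""
    flagged = []
    for event in events:
        allowed = assignments.get(event.officer_id, set())
        if not event.case_id or event.case_id not in allowed:
            flagged.append(event)
    return flagged


def repeat_subject_counts(flagged):
    """Per officer, count how many times each record was accessed without justification.

    Repeated lookups of the same subject are the signature of the conduct described
    in the article, so the count per record matters more than the raw event total.
    """
    counts = defaultdict(Counter)
    for event in flagged:
        counts[event.officer_id][event.record_id] += 1
    return {officer: dict(c) for officer, c in counts.items()}


def officers_to_review(summary, min_events=2):
    """Officers whose unjustified accesses reach the review threshold (assumed value)."""
    return sorted(o for o, recs in summary.items() if sum(recs.values()) >= min_events)


def summarise(text=SAMPLE_AUDIT_LOG, assignments=ASSIGNMENTS):
    """Run the full pipeline over a log and return the per-officer summary."""
    flagged = find_unjustified_accesses(parse_audit_log(text), assignments)
    return repeat_subject_counts(flagged)


if __name__ == "__main__":
    result = summarise()
    for officer, records in result.items():
        print(officer, records)
    print("review:", officers_to_review(result))
```

On the constructed log, officer17’s lookups both cite cases they are assigned to and produce nothing, while officer42’s three accesses without a case reference are flagged, two of them against the same record. In a real deployment the assignment table would come from the case management system and the alert would be raised in near real time rather than from a batch run, but the check itself is the same.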

The article Read the rest of this entry »

Qantas data breach attracts more criticism and well overdue calls for more effective preparedness by Australian companies.

How a company, organisation or agency initially responds to a data breach often sets the tone for how the problem is perceived to be managed afterwards. The quality of the response is directly linked to preparedness for such a contingency. Recent mega breaches in Australia, such as the Medibank, HWL Ebsworth and Optus data breaches, were notable for their poor initial responses. That inevitably led to prolonged poor press, unnecessarily drawn-out investigations to determine the cause of the breach and fix the problem, and often litigation. Qantas’ response has been poor to date. Qantas is not an outlier. Many companies and organisations give little thought to how they collect and store personal information, and no thought to what might happen in the event of a data breach. One of the causes of those inadequate responses is the overall complacency in the market, and a large part of that has been the inadequate laws, poor enforcement and lack of consequences for data breaches. The Australian has a good piece dealing with this concerning state of affairs, ‘Disappointing, frustrating’: How Qantas data breach exposes deep flaws in Australia’s cyber defences. The story’s reference to the work the Australian Signals Directorate does and to Government spending is a distraction from the main issue: the need for companies to have proper data handling practices and security, cyber and otherwise.

The article Read the rest of this entry »

Qantas data breach follows a familiar pattern in Australia of the company saying too little too late. Soon the legal problems will appear

July 4, 2025

There are three distinct issues that confront a company dealing with a data breach. The first is the legal issue: who to notify, when, and what steps need to be taken to mitigate any loss. The second is the practical and technical issues: finding out how the breach occurred, the extent of the damage and what repairs need to be undertaken. The final is public engagement: notifying the public and the media, advising what went wrong and what is being done to fix the problem. Australian companies lag well behind their contemporaries in the United States and Europe in sophistication. Given the more effective regulation overseas, companies there are quicker to notify regulators. In the United States there is a culture of more transparent and effective communication with the public. Not always, but commonly. Australian companies tend to be dreadful at advising the public. Many put together bland boilerplate statements which mean nothing, which is their intent. That can lead to escalating problems and great mistrust. And rather than containing the fallout it increases it, as more information leaks about the data breach, much of it inconsistent with the blandly reassuring statements in the media releases.

It is good practice to have a data breach response plan which deals with each issue.  In Australia even the companies that have such a plan rarely conduct practices and simulations.  Many of their lawyers take a very rigid approach to the problem.  As a result many responses are stilted, inflexible, incredibly defensive and often counterproductive.

The ABC piece Qantas executives slow to be seen after data breach affecting up to 6 million customers summarises the problem with tardy and inadequate responses. And so far Qantas’ handling has been at best mediocre, about on a par with most large Australian companies hit by a cyber attack. The Australian also covers the response in How Qantas is managing the fallout of a cyber attack targeting the personal details of 6 million people. The article quotes a class action lawyer from Maurice Blackburn on the inadequacy of the privacy laws. She claims that data breaches in other parts of the world are “..not happening to the scale that it happens in Australia and in part that’s because they have different laws in place that focus on things like data minimisation and higher standards of cyber security.” That is partly correct but mostly not. Australian privacy legislation lags the UK and Europe and even parts of the United States of America, such as California’s Consumer Privacy Act. It is not fit for purpose in a digital age where the collection of data is easy to do and can be done at a rapid pace and in enormous volume. But the real problem in Australia has been very lax regulation and enforcement. That has led to a culture of complacency. For Read the rest of this entry »

Australian Signals Directorate and Australian Cyber Security Centre release a statement/guidance on cyber hygiene

July 3, 2025

The Australian Signals Directorate (“ASD”) and the Australian Cyber Security Centre (“ACSC”) have released guidance urging organisations to enhance their cyber hygiene in response to potential global cyber threats. The guidance emphasises reviewing cybersecurity measures and implementing what are described as the Essential Eight mitigation strategies. These strategies include patching systems, enabling multi-factor authentication, and restricting administrative privileges. The guidance also highlights the importance of preparing for Distributed Denial of Service attacks, Active Directory compromises, and ransomware threats. Of particular use is the cybersecurity incident response planning guidance, which was updated and published last December.

The guidance is a Read the rest of this entry »

Six million Qantas customers’ data affected by a cyber attack on its Manila based call centre

July 2, 2025

Cyber attacks on third party providers are common. Companies regard third party providers in some countries as being an effective and, most importantly, cost-effective option. Australian Privacy Principle 8 and section 16C of the Privacy Act 1988 specifically deal with data sent to third countries. Under APP 8.1, before a company discloses personal information to an overseas recipient, it must take reasonable steps to ensure that the overseas recipient does not breach the APPs in relation to the information. Where it engages a contractor located overseas to perform services on its behalf, in most circumstances the provision of personal information to that contractor is a disclosure. What is reasonable depends on the circumstances. It is an objective test. How companies assess what is reasonable is another matter. In my experience “reasonable” ranges from comprehensive rules about data handling and cyber security, with reviews and inspections, to a more general light touch, or no touch, oversight. Clearly the former approach is more in keeping with the text of APP 8.1. If there is a data breach at a third party provider in another country, being able to demonstrate that there was a comprehensive system in place is far more defensible if the regulator comes knocking.

What systems were involved at the Manila call centre where Qantas stored the personal information of 6 million customers will be the subject of close inspection, given Qantas has been hit by a cyber attack which resulted in the personal information of 6 million customers being affected. Qantas believes a “significant” amount of the data has been stolen. In its statement it confirms that the attack on its call centre was detected on 30 June 2025. It does not say when the data breach started or how the hackers gained access, though subsequent reporting suggests that vishing was involved. The data stolen involved names, email addresses, phone numbers, dates of birth and Frequent Flyer numbers. As usual Qantas tried to make it a good news story by saying that credit card and other financial information and passport details were not affected. But the information stolen is a start for identity theft and an opportunity for phishing.

Some of the commentary has been quite confused. And wrong. The Australian’s Albanese must step up to protect Aussies after Qantas hack seems to argue that, as the Government has a major role in dealing with this breach, its “laissez-faire attitude” emboldens criminals. It goes so far as to say “A test of his leadership will be how his government responds to the Qantas hack.” As much as government after government deserves censure for neglecting this area of law, that contention is just not correct. That analysis is a symptom of the incoherence in the regulation of privacy and a general lack of understanding of where the respective responsibilities lie.

The prime responsibility falls on the companies holding data, in this case Qantas. They have the same responsibility as if the data were held in their offices in paper form. This responsibility pre-dates the internet. Making it partly the Government’s responsibility, even obliquely, muddies the waters. If Qantas left the doors to its offices open and thieves stole boxloads of documents, the Government would not be held to account for that reckless behaviour.

The second level of responsibility lies with the regulator, the Privacy Commissioner (though the ACCC and ASIC sometimes seek to take action). If a company fails to properly protect personal information then the Privacy Commissioner should take strong action, especially civil penalty proceedings. Individuals affected by the breach should also be able to bring action. That action should be very public, so that the market will know what to expect if it ignores its obligations. If no, or inadequate, action is taken the market will notice and act accordingly. For many years the regulator was not armed with sufficient powers to take strong action. But even when those powers were provided, especially since March 2014 when the Commissioner could bring civil penalty actions, the regulator was timid at best. Sometimes the Commissioner has Read the rest of this entry »