Group complaint lodged with the Information Commissioner against Optus for data breach involving 50,000 customers in October 2019

April 27, 2020

Lawyers Weekly has just reported that Maurice Blackburn has made a representative complaint against Optus arising out of a data breach in October 2019. It is the first representative complaint made under the Privacy Act 1988. It seems 2020 is proving to be an active year for use of the Privacy Act with the Commissioner commencing civil penalty proceedings, for the first time, and now this representative complaint.

Maurice Blackburn describes the complaint as …

Australian Information Commission v Facebook Inc [2020] FCA 531 (22 April 2020): application for service outside of Australia, the Commissioner’s prima facie case. The opening round in the first civil proceeding for breach of the Privacy Act by the Commissioner

April 26, 2020

On 23 April 2020 in Australian Information Commission v Facebook Inc the Australian Information Commissioner successfully obtained interim suppression and non-publication orders, and orders to serve outside Australia and for substituted service, against Facebook Inc.

This is the first of what is likely …

Another email bungle, privacy breach involving names, addresses and birthdates

April 23, 2020

The Guardian reports on another email bungle resulting in a significant privacy breach, this time by the Australian Traffic Network. An operator at the Australian Traffic Network sent out a document containing personal information of more than 100 current and former staff as part of an internal email to existing staff. An email was originally sent on Monday to staff asking about eligibility for the JobKeeper payment. A follow-up email the next day was the data breach, as it contained a table of staff names with their addresses and dates of birth. It provoked concern within the organisation, little wonder given …

Santin v Sfameni [2020] VSC 26 (7 February 2020); application to restrain solicitor, whether solicitor material witness, misuse of confidential information

April 5, 2020

The latest decision at the superior court level in Victoria dealing with a restraint application is Santin v Sfameni [2020] VSC 26. That judgment considers a case in which I appeared for the unsuccessful applicant, Pinnacle Living Pty Ltd v Elusive Image Pty Ltd [2006] VSC 202.

FACTS

The dramatis personae are:

  • Emilio Santin (“Emilio”), who died on 2 March 2017 [1].
  • Rosanna Sfameni (“Rosanna”), Emilio’s daughter and executor of his estate [1].
  • Carlo Santin (“Carlo”) and Bruno Santin (“Bruno”), Emilio’s sons and residuary beneficiaries under his last will dated 23 September 2011 [1].
  • Carlo and Bruno are represented by a solicitor, John Whelan (“Whelan”) [3].
  • Whelan acted for Emilio between about September 2015 and January 2017 [3].

Carlo and Bruno commenced proceedings seeking an order that Rosanna be removed as executor and trustee of their father’s estate [2].

Rosanna applied to restrain Whelan from continuing to act for Carlo and Bruno on the bases that:

  • Whelan formerly acted for the deceased; and
  • is likely to be a material witness in relation to contested issues [3].

The loan

Rosanna and her husband, Salvatore (Sam) Sfameni lent Emilio $473,385. They were the mortgagees of a mortgage registered by Rosanna on 29 September 2011 as security for that loan [7]. The loan was used to …

Significant data breach at the Federal Court of Australia revealing names of protection visa applicants

March 31, 2020

It was serendipitous that last Wednesday I presented a paper, via Zoom, at a Legalwise Seminar on Data Breaches: How to Respond, Notify and Remedy given today’s report that there has been a significant data breach by the Federal Court, an agency for the purposes of the Privacy Act 1988. The “major systemic failure”, to use the Federal Court spokesman’s description, involved the searchable database permitting the identities of 400 asylum seekers to be disclosed.

This breach would fall within Part IIIC of the Privacy Act 1988, the mandatory data breach notification regime. Going through the process would require an assessment of the breach, a determination as to whether the breach is likely to cause serious harm and, if so, the means of notifying the affected individuals. Based on the ABC report of the breach there would be legal and practical issues to address with each step. As to the assessment process it is concerning that …

Commonwealth Parliament amends the Corporations Act with Part 9.11 and section 459E, F and G. The statutory period will extend from 21 days to 6 months for 6 months. The statutory minimum is raised from $2,000 to $20,000 for 6 months. Some protection for directors trading while insolvent for the next 6 months.

March 24, 2020

The Commonwealth Parliament passed the Coronavirus Economic Response Package Omnibus Act 2020 yesterday.  It introduced the Bill yesterday as well.

It is a wide-ranging Act but, to the extent that it relates to those practising commercial law, the relevant provisions are amendments to sections 9 and 459E–G for the statutory demand and 588E ff. The statutory minimum has been raised from $2,000 to $20,000. That is significant but what will have a bigger impact on the use of statutory demands is the statutory period being increased from 21 days to 6 months. These amendments are to last for 6 months from date of proclamation unless otherwise modified by regulation. Accordingly, from now until about 24/25 September 2020 at least, the new regime regarding the use of statutory demands will be in place. The statutory period of a statutory demand served tomorrow would not expire until around 25 September. As such, applications to set aside the statutory demand can be filed any time up to that date.

Given this is a significant area of my practice it is important to be on top of these changes.

The Act provides:

Part 2—Amendments relating to businesses in financial distress

Corporations Act 2001

21  Section 9

Insert:

statutory period means:

                     (a)  if a period longer than 21 days is prescribed—the prescribed period; or

                     (b)  otherwise—21 days.

22  Paragraphs 459E(2)(c) and 459F(2)(b)

Omit “21 days”, substitute “the statutory period”.

23  Subsection 459G(2)

Omit “21 days”, substitute “the statutory period”.

24  Subsection 459G(3)

Omit “those 21 days”, substitute “that period”.

25  In the appropriate position in Chapter 10

Insert:

Part 10.42—Transitional provisions relating to the Coronavirus Economic Response Package Omnibus Act 2020

  

1669  Application of amendments made by Schedule 12 to the Coronavirus Economic Response Package Omnibus Act 2020

 The amendments made by Part 2 of Schedule 12 to the Coronavirus Economic Response Package Omnibus Act 2020 apply to statutory demands that are served on or after the commencement of that Schedule.

Corporations Regulations 2001

26  Before regulation 5.4.01

Insert:

5.4.01AA  Temporary increase to the statutory minimum and statutory period

 (1)  For the purposes of paragraph (a) of the definition of statutory minimum in section 9 of the Act, the amount prescribed is $20,000.

 (2)  For the purposes of paragraph (a) of the definition of statutory period in section 9 of the Act, the period prescribed is 6 months.

 (3)  This regulation is repealed at the end of the period of 6 months starting on the day this regulation commences.

27  Paragraphs 3 and 5 of Form 509H of Schedule 2

Omit “21 days”, substitute “the statutory period”.

28  Form 509H (note 2) of Schedule 2

Omit “minimum of $2,000.”, substitute “minimum. The statutory minimum is $2,000 or a greater amount prescribed by the regulations. For a 6-month period in 2020, a greater amount of $20,000 is prescribed (see the Coronavirus Economic Response Package Omnibus Act 2020).”.

29  Form 509H (note 5) of Schedule 2

Repeal the note, substitute:

    1. The statutory period is 21 days or a longer period prescribed by the regulations. For a 6-month period in 2020, a longer period of 6 months is prescribed (see the Coronavirus Economic Response Package Omnibus Act 2020).

The second amendment to the Corporations Act is to provide temporary relief for directors who may engage in insolvent trading for the next 6 months or any longer time prescribed by regulations.  The amendments are to sections 588E and 588GA and the insertion of 588GAAA.

Part 3—Temporary relief for directors from duty to prevent insolvent trading

Corporations Act 2001

30  Paragraph 588E(8A)(a)

After “subsection 588GA(1)”, insert “or 588GAAA(1)”.

31  After section 588GA

Insert:

588GAAA  Safe harbour—temporary relief in response to the coronavirus

Safe harbour

(1)  Subsection 588G(2) does not apply in relation to a person and a debt incurred by a company if the debt is incurred:

            (a)  in the ordinary course of the company’s business; and

            (b)  during:

                         (i)  the 6-month period starting on the day this section commences; or

                        (ii)  any longer period that starts on the day this section commences and that is prescribed by the regulations for the purposes of this subparagraph; and

 (c)  before any appointment during that period of an administrator, or liquidator, of the company.

  (2)  A person who wishes to rely on subsection (1) in a proceeding for, or relating to, a contravention of subsection 588G(2) bears an evidential burden in relation to that matter.

When the safe harbour does not apply

 (3)  Subsection (1) is taken never to have applied in relation to a person and a debt in the circumstances prescribed by the regulations for the purposes of this subsection.

Definitions

 (4)  In this section:

evidential burden, in relation to a matter, means the burden of adducing or pointing to evidence that suggests a reasonable possibility that the matter exists or does not exist.

32  Subsection 588GB(7) (paragraph (b) of the definition of relevant proceeding)

After “subsection 588GA(1)”, insert “or 588GAAA(1)”.

33  Paragraph 588HA(1)(a)

After “safe harbour”, insert “described in subsection 588GA(1)”.

34  Subsection 588WA(1)

Repeal the subsection, substitute:

 (1)  Subsection 588V(1) does not apply in relation to a corporation that is the holding company of a company, and to a debt, if:

        (a)  the corporation takes reasonable steps to ensure that either subsection 588GA(1) or 588GAAA(1) (the safe harbour provision) applies in relation to:

                    (i)  each of the directors of the company; and

                    (ii)  the debt; and

       (b)  the safe harbour provision does so apply in relation to each of those directors and to the debt.

The Explanatory Memorandum relevantly …

Government announces increase to threshold for statutory demands and the time period to respond. Also mooted is reduction in personal liability for directors of companies trading while insolvent.

March 22, 2020

As part of the Government’s second stage relief package it has announced that it will amend the Corporations Act 2001 to:

  • increase the threshold for issuing a statutory demand from $2,000 to $20,000; and
  • extend the time within which to apply to set aside a statutory demand from 21 days to 6 months.

The Prime Minister’s media statement of earlier today relevantly provides:

The Government is temporarily increasing the threshold at which creditors can issue a statutory demand on a company and the time companies have to respond to statutory demands they receive. The package also includes temporary relief for directors from any personal liability for trading while insolvent.  The Corporations Act 2001 will be amended to provide temporary and targeted relief for companies to deal with unforeseen events that arise as a result of the Coronavirus.

(Emphasis added)

No details have been provided as to what is meant by relief from liability of directors who may trade while insolvent.  It is too cryptic at this stage.  

The pressure of receiving a statutory demand for relatively small debts is lifted, for the time being. The threshold of $20,000 remains within the scope of many existing statutory demands. Statutory demands for sums a little over $2,000 are issued but they do not make up the majority of statutory demands.

The sting of statutory demands has been dulled by the long period within which an application to set one aside can be made, …

Information Commissioner releases report that 537 notifiable data breaches for the last half of 2019 while worldwide the estimate of data records accessed unlawfully in 2019 reached 12.3 billion!

March 15, 2020

At the end of February the Australian Information Commissioner released the Report of Notifiable Data Breaches for the July – December 2019 period.  There were 537 notifications, up from 460 in the previous 6 months and making 997 for the 2019 calendar year. 

As usual, health service providers top the list, with 117 notifications, followed by finance with 77 notifications. Interestingly, though less than 10% of notifications, there were 40 notifications from legal, accountancy and management services. In terms of numbers of individuals affected, 132 notifications, about 20%, affected only one person’s personal information but one breach affected more than 10,000,000. The majority of notifications, 309, affected from 2 to 1,000 individuals while 13 notifications covered between 25,000 and 10,000,000.

Contact information was …

The Australian Information Commissioner commences civil penalty proceedings against Facebook under section 13G of the Privacy Act

March 10, 2020

Yesterday, 9 March 2020, the Australian Information Commissioner commenced proceedings against Facebook in the Federal Court. The actual citation is Australian Information Commissioner v Facebook Inc & Facebook Ireland Limited (court number NSD 246/2020).

It has taken 2 years for the Information Commissioner to conclude her investigations regarding Facebook’s actions in permitting personal information to be misused through the This is Your Digital Life app, which was disclosed to Cambridge Analytica. The UK Information Commissioner resolved its investigation and issued a monetary penalty notice of 500,000 pounds in October 2018. The US Federal Trade Commission imposed a $5 billion penalty for its breach of the previous order in July 2019.

This litigation will be significant as it is the first consideration of the operation of section 13G of the Privacy Act, a civil penalty proceeding for serious or repeated interference with privacy. Unfortunately the Information Commissioner has not proven to be an adept litigator to date, though Facebook’s egregious conduct in permitting its users’ personal information to be misused is well documented. What is less clear is how the Commissioner will convince the Court that the statutory limit of $1.7 million for an infraction is a limit on each breach. That will be a significant …

Alinta Energy alleged non compliance with privacy regulations highlights what is all too common with poor regulation

March 2, 2020

Today the 7.30 program and the 9 Fairfax press report on possible non-compliance with data storage conditions imposed on Alinta when it was sold to overseas, Chinese, purchasers. The source of the story is damaging internal documents questioning compliance.

The essence of the story, that Alinta is not complying with its obligations under the Privacy Act regarding data security, is not as exciting as the media outlets suggest. It collects personal information of 1.1 million customers, as do many large corporations and agencies. It may not be properly protecting that data.

Inadequate data security is a problem endemic throughout the business sector. Because regulation is light touch to the point of no contact, compliance is patchy at best. Some sectors are better than others, with banking, insurance and mining having reasonable structures and better compliance than other sectors because they are more often the targets of hackers and the consequences of a breach are significant. But for many businesses cyber security is an optional extra.

What makes the Alinta story notable is that there were strict data security conditions imposed on the purchaser, a Chinese entity, as part of the approval process. There is no culture of privacy protection in China and the Chinese government has a well-deserved reputation for getting whatever benefit it can from western businesses, including the use of personal information. Having access to over a million people’s data can be useful.

A better story would have been …