Report of 2025 Global Privacy Network sweep highlights problems with websites and apps used by children

March 31, 2026

The Privacy Commissioner has issued a media release on the report of the Global Privacy Network sweep, which was published last week. The nub of it: risks to children’s privacy have increased. The figures are quite sobering, with more information being collected to access a site now than in 2015.

The media release provides:

The results of the latest Global Privacy Enforcement Network sweep, published today, show risks to children’s privacy have increased over the last decade.

The OAIC participated in the global sweep, which involved 27 data protection and privacy authorities from around the world, and examined almost 900 websites and apps that are used by children. While some are designed for children’s use more specifically, others are used by the general population but are popular with children.

The sweep found that more than half (59%) of the websites and mobile applications required the collection of an email address to access the full functionality of the platforms, followed by 50% requiring usernames, and 46% requiring geolocation. Overall, participants noted an increase in the collection of certain types of information compared to 2015.

The Privacy Commissioner releases exposure draft of the Children’s Online Privacy Code today

The Privacy Commissioner has published an exposure draft of the Children’s Online Privacy Code. The consultation period is open until 5 June 2026. The legislature has mandated that the Code will be registered on 10 December 2026.

The documents the Commissioner has produced as part of the Code are:

The media release

Federal Trade Commission takes action against Match & OK Cupid for sharing personal information with third parties

The US Federal Trade Commission (“FTC”) relies on breach of contract or of representations as the basis for its jurisdiction to take action over misuse of personal information and data security failures. Its decision today to take action against Match and OK Cupid for sharing personal information with an undisclosed third party is quite typical in that regard. What is not typical here is that Match and OK Cupid had breached their users’ privacy since 2014 and actively hid that misuse. The data of three million customers were involved, including photos and location information.

This case is a cautionary tale for organisations that make representations and are loose in their language about how information is being handled. In this case Match and OK Cupid adopted a very resistant and obstructive response to the FTC in its investigations. That is quite foolish and short-sighted. It is better to cooperate with the regulator where the breach is clear and the facts are not in dispute.

The settlement agreement will last for 10 years and involves considerable reporting requirements.

The Statement provides:

The Federal Trade Commission is taking action against OkCupid and its affiliate Match Group Americas over allegations OkCupid deceived users of its dating app by sharing their personal information, including photos and location information, with an unrelated third party, contrary to OkCupid’s privacy promises.

As part of a settlement, OkCupid, operated by Dallas-based Humor Rainbow, Inc., and Match Group Americas, which provides services for Humor Rainbow, will be prohibited from misrepresenting its privacy policies.

Fiig Securities fined $2.5 million for cyber security failures in first action against financial services licensee for this sort of breach

February 12, 2026

ASIC has successfully obtained a fine of $2.5 million, plus legal costs of $500,000, against Fiig Securities for cyber security failures over 4 years and a data breach in 2023 which resulted in the loss of 385GB of data affecting 18,000 of its clients. ASIC is, needless to say, very satisfied with the outcome. Not only is the fine and costs order totalling $3 million painful, but there is also the reputational damage. The legal action has been reported widely, including by cyber daily, itnews and financial standards.

The action highlights the changing litigation landscape. Cyber attacks will not be considered “one of those things”, acts of God or the cost of doing business. If, as they do, regulators look at the systems, protocols and training of organisations hit by cyber attacks and find inadequacies, there is a real chance those organisations will be the subject of civil proceedings, whether by ASIC or the Privacy Commissioner. The best solution is to have proper, up to date cyber protection and a decent regime of training to properly handle data. Even if there is a cyber attack, having a good system will counter a regulator looking for a scalp.

The story is covered by

Privacy Commissioner starts 2026 with compliance sweep of privacy policies of 60 entities in the rental & property, chemists and pharmacists, licensed venues, car rentals & car dealerships and pawnbrokers & second hand dealer industries

February 1, 2026

The lack of enforcement of the Privacy Act 1988 has been a chronic problem for many years. That is reflected in a poor level of compliance and a dreadful privacy culture at many companies and organisations. It seems the Privacy Commissioner wants to change that. On 9 December 2025 the Privacy Commissioner announced that there would be a privacy compliance sweep of the privacy policies of 60 entities in 6 industries.

The statement provides:

Australia’s privacy regulator will start 2026 with its first-ever compliance sweep, conducting a targeted review of selected businesses’ privacy policies to ensure they meet strict rules.

The compliance sweep, which will begin in the first week of January, will scrutinise the privacy policies of businesses that collect information in person. For example, real estate agents asking for phone numbers at open houses, or car rental agencies presenting customers with lengthy forms.

Entities found to have non-compliant privacy policies may face compliance and infringement notices and penalties of up to $66,000. Legislative changes to the Privacy Act passed by Parliament in 2024 expanded the possible regulatory consequences for infringements of certain foundational requirements of the Act. This includes the failure to have a privacy policy containing certain information.

The Privacy Commissioner has trained her gaze on sectors and practices involving the in-person collection of personal information for the Office of the Australian Information Commissioner’s (OAIC) first privacy compliance sweep, after identifying that such practices often involve power and information asymmetries. “When confronted with in-person requests for their personal information from retailers, licenced venues, car hire companies or real estate agents, consumers often don’t have access to all the information they might need to make an informed decision,” said the Privacy Commissioner, Carly Kind. “This makes them vulnerable to overcollection of personal information and creates risks to their security and privacy.”

“In conducting a compliance sweep, the OAIC intends to ensure that entities are meeting their obligations to be transparent with consumers and customers about how they’re using the personal information they collect in-person. We hope this will also catalyse some reflection about how robust entities’ privacy practices are, and whether more can be done to improve compliance with the Privacy Act writ large.”

“The Australian community is increasingly concerned about the lack of choice and control they have with respect to their personal information. The first building block of better privacy practices is a clear privacy policy that transparently communicates how an individual can expect their information to be collected, used, disclosed and destroyed.”

The OAIC will review the privacy policies of approximately 60 entities from the following 6 sectors that may collect information in-person for compliance with requirements under APP 1.4:

    • Rental and property – collection of individuals’ personal information during property inspections.
    • Chemists and pharmacists – collection of personal information for the purpose of providing a paperless receipt and collection of identity information to provide medication.
    • Licenced venues – collection of identity information to enable individuals to access a venue.
    • Car rental companies – collection of identity and other personal information to enable an individual to enter into a car rental agreement.
    • Car dealerships – collection of personal information to enable an individual to conduct a vehicle test drive.
    • Pawnbrokers and second-hand dealers – collection of identity information from individuals who wish to sell or pawn goods.

The target sectors have been selected noting the particular privacy risks associated with collection of personal information, particularly personal identification documents, and the privacy breaches that have occurred within these sectors. Target entities will be identified having regard to their size and location, as well as by reference to high profile and high-risk entities within each sector (including entities which may previously have been subject to a data breach).

Entities’ privacy policies will be assessed to ensure they meet the requirements of Australian Privacy Principle (APP) 1.4, which sets out what a privacy policy must include. The OAIC has recently updated its APP 1 guidance.

The OAIC takes a risk based and proportionate approach to regulation and if non-compliance is detected as part of the sweep, the OAIC will consider its recently expanded regulatory toolkit in determining the most appropriate regulatory response.

This compliance sweep is consistent with a more robust and assertive approach to enforcement by a more assertive Privacy Commissioner. While the Commissioner has not indicated what the consequences will be for an organisation caught up in a sweep and found non-compliant, the Commissioner referred specifically to the increased enforcement options, including issuing infringement notices.

The Australian Privacy Principles (APPs) require

UK Information Commissioner fines a password manager 1.2 million pounds for data breach

The raison d’être of password manager companies is to protect and manage the plethora of passwords that customers must use for their work, play or just personal use. Those companies must store customer passwords/logins in their databases. Of course it would be disastrous if those companies suffered a data breach, and even more damaging if personal details of their customers were stolen. Which is exactly what happened to LastPass in the UK. The UK Information Commissioner found that LastPass suffered a data breach which resulted in the personal information of 1.6 million individuals being compromised. As the media makes clear, the hacker was very thorough in testing the weaknesses in LastPass’s defences.

They first accessed an employee’s corporate laptop to obtain encrypted company credentials, then targeted another employee who had access to the decryption key, by way of a known vulnerability in a third party streaming service. That gave the hackers access to the LastPass vaults, which were only protected by a single master password. That in turn gave them the access key to the Amazon Web Service which, combined with other stolen information, enabled the hackers to extract personal information from the backup database.

As if it need be said, proper defences should not be focused solely on perimeter protection. Comprehensive protection throughout the organisation is necessary. That means protection at all levels and at any point of contact with the internet.

The media release provides:

    • Service which promises to help people improve their security has failed them, leaving them vulnerable
    • Combination of two isolated incidents enabled hacker to steal personal information relating to 1.6m customers
    • ‘Zero knowledge’ encryption system ensures customer passwords and vaults are not decrypted

We have fined password manager provider LastPass UK Ltd £1.2 million following a 2022 data breach that compromised the personal information of up to 1.6 million of its UK users. 

We found that LastPass failed to implement sufficiently robust technical and security measures, which ultimately enabled a hacker to gain unauthorised access to its backup database. There is no evidence that hackers were able to unencrypt customer passwords as these are stored locally on customer devices and not by LastPass. 

The incidents occurred in August 2022 when a hacker gained access first to a corporate laptop of an employee based in Europe and then to a US-based employee’s personal laptop on which the hacker implanted malware and then was able to capture the employee’s master password. The combined detail from both incidents enabled the hacker to access LastPass’ backup database and take personal information which included customer names, emails, phone numbers, and stored website URLs. 

John Edwards, UK Information Commissioner, said: 

“Password managers are a safe and effective tool for businesses and the public to manage their numerous login details and we continue to encourage their use. However, as is clear from this incident, businesses offering these services should ensure that system access and use is restricted to ensure risks of attack are significantly reduced. 

“LastPass customers had a right to expect the personal information they entrusted to the company would be kept safe and secure. However, the company fell short of this expectation, resulting in the proportionate fine being announced today. 

“I call on all UK business to take note of the outcome of this investigation and urgently review their own systems and procedures to make sure, as best as possible, that they are not leaving their customers and themselves exposed to similar risks”. 

Details of the two incidents 

Incident one

    • A hacker compromised a LastPass employee’s corporate laptop and gained access to the company’s development environment.
    • No personal information was taken; however, encrypted company credentials were. If decrypted, these would allow access to the company’s backup database.
    • LastPass took steps to mitigate the hacker’s activity and believed encryption keys remained safe as they were stored outside of the area accessed by the hacker in the account vaults of four senior employees.

Incident two

    • The hacker then targeted one of the senior employees who had access to the decryption keys, gaining access to their personal device via a known vulnerability in a third-party streaming service.
    • A keylogger was installed capturing the employee’s master password, and multi-factor authentication was bypassed using a trusted device cookie.
    • The hacker then gained access to the employee’s personal and business LastPass vaults, which were linked using a single master password.
    • The hacker then gained access to the employee’s business vault which contained the Amazon Web Service (AWS) access key and decryption key.
    • This information, combined with information taken the day before, enabled the hacker to extract the contents of the backup database which contained the personal information.


Data breach accesses names and email addresses of Victorian students

January 15, 2026

There has been a major data breach at the Victorian Department of Education which resulted in hackers accessing names, email addresses and encrypted passwords of current and former students of Victorian Government schools. It is reported widely, with coverage in the Age, cyber daily, AFR and the Saturday Paper.

While the names and email addresses were stolen, the students’ dates of birth and other forms of personal information were not. That makes it likely that the data was siloed. Notwithstanding the problems with the data breach itself, at least there was some sophistication in the storage of the data. The Victorian Department of Education

UK Information Commissioner reprimands UK Post Office over data breach relating to the Horizon IT scandal

December 5, 2025

Accidental, usually negligent, publication of documents containing the personal information of multiple people is a public service specialty and common enough to be almost passé. But it is almost always serious. And so it was when the communications team of the Post Office published an unredacted version of a legal settlement document which set out the personal information of 502 former postmasters who had sued the Post Office over its egregious use of Horizon IT to make allegations against them.

Having proper protocols for publishing documents online is vitally important. Most additions to websites are non-controversial and pose no privacy risks because the information does not identify individuals and is generally about the organisation. But organisations create or hold documents which do contain personal information and, with most documents stored in digital form, they can be passed across to a whole range of people in an organisation. Here it was the communications team, who are culturally and technically as far away from dealing with sensitive information as one can get. They specialise in spinning and putting out press releases, not analysing legal documents. The ICO sets out matters that an organisation should consider in the handling of information.

The media release provides:

The Information Commissioner’s Office (ICO) has issued a reprimand to Post Office Limited following a data breach that resulted in the unauthorised disclosure of personal information belonging to hundreds of postmasters involved in the Horizon IT scandal.  

The breach occurred when the Post Office’s communications team mistakenly published an unredacted version of a legal settlement document on its corporate website. The document contained the names, home addresses and postmaster status of 502 people who were part of a group litigation against the organisation. It remained publicly accessible from 25 April to 19 June 2024, before being removed following notification from an external law firm.

When investigating the circumstances of this data breach, the ICO found that the Post Office failed to implement appropriate technical and organisational measures to protect people’s information. We found there to be a lack of documented policies or quality assurance processes for publishing documents on the corporate website, as well as insufficient staff training, with no specific guidance on information sensitivity or publishing practices.

Federal Trade Commission fines Avast for deceptive privacy claims and distributes $15.3 million to affected users

December 3, 2025

The Federal Trade Commission is one of the main regulators that deal with privacy breaches. The usual basis for action is deceptive conduct by companies and organisations. Most recently the FTC took action against Avast for using its browser extensions and antivirus software to collect, store and sell browsing information without notice and proper consent. The FTC took action in February 2024 seeking $16.5 million from Avast. The claim settled in June 2024.

This type of privacy breach is common enough in Australia, and other places, though not as egregious as what Avast did. Avast engaged in active deception. Companies continue to collect more information than they require to provide the service to their customers, subscribers or visitors to their sites. Organisations continue to justify this conduct. The danger to them and their clients is that if there is a data breach, the misuse or overcollection of data, or both, will be discovered. And regulatory action will follow. Or a class action. Or both.

The most recent announcement about distribution of payments

Australian Information Commissioner releases its annual report

November 24, 2025

The Australian Information Commissioner has published its Annual Report.

The media release provides:

The Office of the Australian Information Commissioner (OAIC) upheld and advanced information access and privacy rights throughout 2024-25 as it strengthened its ability to deliver better regulatory outcomes for the Australian community.

Releasing the OAIC’s Annual report 2024-25, Australian Information Commissioner Elizabeth Tydd said: “This report demonstrates the impact and credibility of the OAIC as the national regulator for privacy and freedom of information. Our broad reaching jurisdiction means that we are instrumental in securing democratic rights and promoting a healthy economy.

“This environment requires a proactive contemporary approach to regulation in this complex digital environment; that approach is tethered to regulatory transparency and proportionality.

“We apply a proactive and harm-focused approach to prioritise our efforts. We take regulatory action to encourage and support compliance by regulated entities and to address high-risk matters with the greatest potential for harm.”

During the year the OAIC finalised significant privacy breaches including a $50 million payment program as part of an enforceable undertaking received from Meta Platforms, Inc. (Meta) and an enforceable undertaking offered by Oxfam Australia after the not-for-profit experienced a data breach in January 2021.  Court action commenced the previous year also recently led to Australian Clinical Labs (ACL) paying $5.8 million in civil penalties in relation to a data breach by its Medlab Pathology business, the first civil penalties ordered under the Privacy Act.

“The OAIC’s impact is also well demonstrated by our data and the increase in positive results from our annual stakeholder survey. In 2024–25 we increased our performance in five of our six stakeholder measures. In case work the OAIC finalised 41% more Information Commissioner (IC) reviews than the preceding year, outpacing a 21% increase in IC reviews received,” Commissioner Tydd said.

The OAIC also published a separate FOI volume (PDF, 6006 KB) of the Annual report to improve accessibility of agency performance data and provide more detailed regulatory information. “This approach delivers greater transparency to the community and provides policy makers and agencies with reliable and insightful data regarding agency performance and the operation of the FOI system more broadly,” Commissioner Tydd said.

The OAIC strengthened the effectiveness of its educational and advisory functions during 2024-25, publishing a range of guidance and tools during the year. The privacy foundations self-assessment tool, the FOI self-assessment tool, and a new Freedom of Information (FOI) statistics dashboard all position regulated entities to achieve compliance by clearly articulating better practice and reporting against outcomes.

The results of the OAIC’s annual stakeholder survey demonstrated positive results with five out of six measures increasing, including:

    • advancing online privacy protections increased from 60% to 66%
    • encouraging and supporting proactive disclosure of government information increased from 56% to 65%
    • OAIC’s regulatory activities demonstrate a commitment to continuous improvement and building trust increased from 63% to 66%
    • OAIC’s regulatory activities demonstrate collaboration and engagement increased from 58% to 64%
    • OAIC’s regulatory activities are based on risk and data rose from 56% to 59%.

“The OAIC’s strategic positioning will enable us to further deliver impactful regulatory outcomes to the Australian community in 2025-26,” Commissioner Tydd said.

Key 2024–25 statistics

    • Finalised 2,470 Information Commissioner (IC) reviews in 2024–25, a 41% increase compared to 1,748 in 2023–24.
    • Issued 248 IC review decisions, compared to 207 previous financial year.
    • Finalised 3,123 privacy complaints compared to 3,103 in 2023–24.
    • Issued 10 determinations following investigations of privacy complaints and continued to reduce the number of older complaints on hand.
    • Finalised 1,155 notifications under the NDB scheme, with 86% of notifications finalised within 60 days, exceeding the OAIC target of 80%.

The overview from the Privacy Commissioner provides:

This has been my first full year in the role of Privacy Commissioner, and has been characterised by ever-increasing risks to the protection of Australians’ privacy. With data breaches continuing to mount, AI and other emerging technologies becoming part of our day-to-day reality, and novel scams and online harms creating community concern, the work of the OAIC has never been more important, or more challenging.

The period of 1 July to 31 December 2024 saw the OAIC notified of 595 data breaches, an increase of 15% compared to the previous 6 months. Across the 2024 calendar year, data breach notifications were up 25% year on year. Individual and representative complaints to the OAIC, arising out of data breaches as well as other privacy interferences, also increased this financial year, totalling 3,295. Health service providers, the financial sector and Australian government agencies were the sectors most likely to notify of a data breach, and most likely to be the subject of a complaint.

In response to these building trends, the OAIC has focused on a dual-track regulatory response which prioritises both education and enforcement. Acknowledging the uplift required across the public and private sectors to ensure robust Privacy Act compliance, the OAIC has invested in and developed resources to support businesses and agencies to enhance their privacy governance. For example, in embodying the Privacy Awareness Week 2025 theme of ‘Privacy – It’s Everyone’s Business’ we released the Privacy Foundations self-assessment tool, a simple resource designed to help businesses who want to embed a culture of privacy and improve practices procedures and systems. Throughout the year, we issued new guidance clarifying the application of the Australian Privacy Principles (APPs) to a range of emerging technologies, including tracking pixels, facial recognition and AI, and we updated our charities and non-profits guidance. We launched a blog which we used to share information in a more accessible manner, and to explain the impact of some of the 10 determinations we issued in 2024–25. And together with our Digital Platform Regulators Forum partners, we released a working paper on multimodal foundation models.