Privacy Commissioner starts 2026 with compliance sweep of privacy policies of 60 entities in the rental & property, chemists and pharmacists, licensed venues, car rentals & car dealerships, and pawnbrokers & second-hand dealer industries

February 1, 2026

The lack of enforcement of the Privacy Act 1988 has been a chronic problem for many years. That is reflected in a poor level of compliance and a dreadful privacy culture at many companies and organisations. It seems the Privacy Commissioner wants to change that. On 9 December 2025 the Privacy Commissioner announced that there would be a privacy compliance sweep of the privacy policies of 60 entities in 6 industries.

The statement provides:

Australia’s privacy regulator will start 2026 with its first-ever compliance sweep, conducting a targeted review of selected businesses’ privacy policies to ensure they meet strict rules.

The compliance sweep, which will begin in the first week of January, will scrutinise the privacy policies of businesses that collect information in person. For example, real estate agents asking for phone numbers at open houses, or car rental agencies presenting customers with lengthy forms.

Entities found to have non-compliant privacy policies may face compliance and infringement notices and penalties of up to $66,000. Legislative changes to the Privacy Act passed by Parliament in 2024 expanded the possible regulatory consequences for infringements of certain foundational requirements of the Act. This includes the failure to have a privacy policy containing certain information.

The Privacy Commissioner has trained her gaze on sectors and practices involving the in-person collection of personal information for the Office of the Australian Information Commissioner’s (OAIC) first privacy compliance sweep, after identifying that such practices often involve power and information asymmetries. “When confronted with in-person requests for their personal information from retailers, licenced venues, car hire companies or real estate agents, consumers often don’t have access to all the information they might need to make an informed decision,” said the Privacy Commissioner, Carly Kind. “This makes them vulnerable to overcollection of personal information and creates risks to their security and privacy.”

“In conducting a compliance sweep, the OAIC intends to ensure that entities are meeting their obligations to be transparent with consumers and customers about how they’re using the personal information they collect in-person. We hope this will also catalyse some reflection about how robust entities’ privacy practices are, and whether more can be done to improve compliance with the Privacy Act writ large.”

“The Australian community is increasingly concerned about the lack of choice and control they have with respect to their personal information. The first building block of better privacy practices is a clear privacy policy that transparently communicates how an individual can expect their information to be collected, used, disclosed and destroyed.”

The OAIC will review the privacy policies of approximately 60 entities from the following 6 sectors that may collect information in-person for compliance with requirements under APP 1.4:

    • Rental and property – collection of individuals’ personal information during property inspections.
    • Chemists and pharmacists – collection of personal information for the purpose of providing a paperless receipt and collection of identity information to provide medication.
    • Licenced venues – collection of identity information to enable individuals to access a venue.
    • Car rental companies – collection of identity and other personal information to enable an individual to enter into a car rental agreement.
    • Car dealerships – collection of personal information to enable an individual to conduct a vehicle test drive.
    • Pawnbrokers and second-hand dealers – collection of identity information from individuals who wish to sell or pawn goods.

The target sectors have been selected noting the particular privacy risks associated with collection of personal information, particularly personal identification documents, and the privacy breaches that have occurred within these sectors. Target entities will be identified having regard to their size and location, as well as by reference to high profile and high-risk entities within each sector (including entities which may previously have been subject to a data breach).

Entities’ privacy policies will be assessed to ensure they meet the requirements of Australian Privacy Principle (APP) 1.4, which sets out what a privacy policy must include. The OAIC has recently updated its APP 1 guidance.

The OAIC takes a risk based and proportionate approach to regulation and if non-compliance is detected as part of the sweep, the OAIC will consider its recently expanded regulatory toolkit in determining the most appropriate regulatory response.

This compliance sweep is consistent with a more robust and assertive approach to enforcement by a more assertive Privacy Commissioner. While the Commissioner has not indicated what the consequences will be for an organisation caught up in a sweep that is found to be non-compliant, the Commissioner referred specifically to the increased enforcement options, including issuing infringement notices.

The Australian Privacy Principles (APPs) require

UK Information Commissioner fines a password manager 1.2 million pounds for data breach

The raison d’être of password manager companies is to protect and manage the plethora of passwords that customers must use for their work, play or just personal use. Those companies must store customer passwords/logins in their databases. Of course it would be disastrous if those companies suffered a data breach, and even more damaging if personal details of their customers were stolen. That is exactly what happened to LastPass in the UK. The UK Information Commissioner found that LastPass suffered a data breach which resulted in the personal information of 1.6 million individuals being compromised. As the media release makes clear, the hacker was very thorough in testing the weaknesses in LastPass’s defences.

The hacker first accessed an employee’s corporate laptop to gain encrypted company credentials, then targeted another employee who had access to the decryption key by way of a known vulnerability in a third-party streaming service. That gave the hacker access to the LastPass vaults, which were only protected by a single master password. That in turn gave access to the Amazon Web Service access key which, combined with other stolen information, enabled the hacker to extract personal information from the backup database.

As if it need be said, proper defences should not be focused on perimeter protection alone. Comprehensive protection throughout the organisation is necessary. That means protection at all levels and at any point of contact with the internet.

The media release provides:

    • Service which promises to help people improve their security has failed them, leaving them vulnerable
    • Combination of two isolated incidents enabled hacker to steal personal information relating to 1.6m customers
    • ‘Zero knowledge’ encryption system ensures customer passwords and vaults are not decrypted

We have fined password manager provider LastPass UK Ltd £1.2 million following a 2022 data breach that compromised the personal information of up to 1.6 million of its UK users. 

We found that LastPass failed to implement sufficiently robust technical and security measures, which ultimately enabled a hacker to gain unauthorised access to its backup database. There is no evidence that hackers were able to unencrypt customer passwords as these are stored locally on customer devices and not by LastPass. 

The incidents occurred in August 2022 when a hacker gained access first to a corporate laptop of an employee based in Europe and then to a US-based employee’s personal laptop on which the hacker implanted malware and then was able to capture the employee’s master password. The combined detail from both incidents enabled the hacker to access LastPass’ backup database and take personal information which included customer names, emails, phone numbers, and stored website URLs. 

John Edwards, UK Information Commissioner, said: 

“Password managers are a safe and effective tool for businesses and the public to manage their numerous login details and we continue to encourage their use. However, as is clear from this incident, businesses offering these services should ensure that system access and use is restricted to ensure risks of attack are significantly reduced. 

“LastPass customers had a right to expect the personal information they entrusted to the company would be kept safe and secure. However, the company fell short of this expectation, resulting in the proportionate fine being announced today. 

“I call on all UK business to take note of the outcome of this investigation and urgently review their own systems and procedures to make sure, as best as possible, that they are not leaving their customers and themselves exposed to similar risks”. 

Details of the two incidents 

Incident one

    • A hacker compromised a LastPass employee’s corporate laptop and gained access to the company’s development environment.
    • No personal information was taken; however, encrypted company credentials were. If decrypted, this would allow access to the company’s backup database.
    • LastPass took steps to mitigate the hacker’s activity and believed encryption keys remained safe as they were stored outside of the area accessed by the hacker in the account vaults of four senior employees.

Incident two

    • The hacker then targeted one of the senior employees who had access to the decryption keys, gaining access to their personal device via a known vulnerability in a third-party streaming service.
    • A keylogger was installed capturing the employee’s master password, and multi-factor authentication was bypassed using a trusted device cookie.
    • The hacker then gained access to the employee’s personal and business LastPass vaults, which were linked using a single master password.
    • The hacker then gained access to the employee’s business vault which contained the Amazon Web Service (AWS) access key and decryption key.
    • This information, combined with information taken the day before, enabled the hacker to extract the contents of the backup database which contained the personal information.


Data breach exposes names and email addresses of Victorian students

January 15, 2026

There has been a major data breach of the Victorian Department of Education which resulted in hackers accessing names, email addresses and encrypted passwords of current and former students of Victorian Government schools. It is reported widely, with coverage in the Age, Cyber Daily, AFR and the Saturday Paper.

While the names and email addresses were stolen, the students’ dates of birth and other forms of personal information were not. That makes it likely that the data was siloed. Notwithstanding the problems with the data breach itself, at least there was some sophistication in the storage of the data. The Victorian Department of Education

UK Information Commissioner reprimands UK Post Office over data breach relating to the Horizon IT scandal

December 5, 2025

Accidental, usually negligent, publication of documents containing the personal information of multiple people is a public service specialty and common enough to be almost passé. But it is almost always serious. And so it was when the communications team of the Post Office published an unredacted version of a legal settlement document which set out the personal information of 502 former postmasters who had sued the Post Office for its egregious use of Horizon IT to make allegations against them.

Having proper protocols for publishing documents online is vitally important. Most additions to websites are non-controversial and pose no privacy risks because the information does not identify individuals and is generally about the organisation. But organisations create or hold documents which do contain personal information, and with most documents stored in digital form they can be passed across to a whole range of people in an organisation. Here it was the communications team, who are culturally and technically as far away from dealing with sensitive information as one can get. They specialise in spin and putting out press releases, not in analysing legal documents. The ICO sets out matters that an organisation should consider in the handling of information.

The media release provides:

The Information Commissioner’s Office (ICO) has issued a reprimand to Post Office Limited following a data breach that resulted in the unauthorised disclosure of personal information belonging to hundreds of postmasters involved in the Horizon IT scandal.  

The breach occurred when the Post Office’s communications team mistakenly published an unredacted version of a legal settlement document on its corporate website. The document contained the names, home addresses and postmaster status of 502 people who were part of a group litigation against the organisation. It remained publicly accessible from 25 April to 19 June 2024, before being removed following notification from an external law firm.

When investigating the circumstances of this data breach, the ICO found that the Post Office failed to implement appropriate technical and organisational measures to protect people’s information. We found there to be a lack of documented policies or quality assurance processes for publishing documents on the corporate website, as well as insufficient staff training, with no specific guidance on information sensitivity or publishing practices.

Federal Trade Commission fines Avast for deceptive privacy claims and distributes $15.3 million to affected users

December 3, 2025

The Federal Trade Commission is one of the main regulators that deal with privacy breaches. The usual basis for action is deceptive conduct by companies and organisations. Most recently the FTC took action against Avast for using its browser extensions and antivirus software to collect, store and sell browsing information without notice and proper consent. The FTC took action in February 2024 seeking $16.5 million from Avast. The claim settled in June 2024.

This type of privacy breach is common enough in Australia, and other places, though not as egregious as what Avast did. Avast engaged in active deception. Companies continue to collect more information than they require to provide the service to their customers, subscribers or visitors to their sites. Organisations continue to justify this conduct. The danger to them and their clients is that if there is a data breach, the misuse or overcollection of data, or both, will be discovered. And regulatory action will follow. Or a class action. Or both.

The most recent announcement about distribution of payments

Australian Information Commissioner releases its annual report

November 24, 2025

The Australian Information Commissioner has published its Annual Report.

The media release provides:

The Office of the Australian Information Commissioner (OAIC) upheld and advanced information access and privacy rights throughout 2024-25 as it strengthened its ability to deliver better regulatory outcomes for the Australian community.

Releasing the OAIC’s Annual report 2024-25, Australian Information Commissioner Elizabeth Tydd said: “This report demonstrates the impact and credibility of the OAIC as the national regulator for privacy and freedom of information. Our broad reaching jurisdiction means that we are instrumental in securing democratic rights and promoting a healthy economy.

“This environment requires a proactive contemporary approach to regulation in this complex digital environment; that approach is tethered to regulatory transparency and proportionality.

“We apply a proactive and harm-focused approach to prioritise our efforts. We take regulatory action to encourage and support compliance by regulated entities and to address high-risk matters with the greatest potential for harm.”

During the year the OAIC finalised significant privacy breaches including a $50 million payment program as part of an enforceable undertaking received from Meta Platforms, Inc. (Meta) and an enforceable undertaking offered by Oxfam Australia after the not-for-profit experienced a data breach in January 2021. Court action commenced the previous year also recently led to Australian Clinical Labs (ACL) paying $5.8 million in civil penalties in relation to a data breach by its Medlab Pathology business, the first civil penalties ordered under the Privacy Act.

“The OAIC’s impact is also well demonstrated by our data and the increase in positive results from our annual stakeholder survey. In 2024–25 we increased our performance in five of our six stakeholder measures. In case work the OAIC finalised 41% more Information Commissioner (IC) reviews than the preceding year, outpacing a 21% increase in IC reviews received,” Commissioner Tydd said.

The OAIC also published a separate FOI volume (PDF, 6006 KB) of the Annual report to improve accessibility of agency performance data and provide more detailed regulatory information. “This approach delivers greater transparency to the community and provides policy makers and agencies with reliable and insightful data regarding agency performance and the operation of the FOI system more broadly,” Commissioner Tydd said.

The OAIC strengthened the effectiveness of its educational and advisory functions during 2024-25, publishing a range of guidance and tools during the year. The privacy foundations self-assessment tool, the FOI self-assessment tool, and a new Freedom of Information (FOI) statistics dashboard all position regulated entities to achieve compliance by clearly articulating better practice and reporting against outcomes.

The results of the OAIC’s annual stakeholder survey demonstrated positive results with five out of six measures increasing, including:

    • advancing online privacy protections increased from 60% to 66%
    • encouraging and supporting proactive disclosure of government information increased from 56% to 65%
    • OAIC’s regulatory activities demonstrate a commitment to continuous improvement and building trust increased from 63% to 66%
    • OAIC’s regulatory activities demonstrate collaboration and engagement increased from 58% to 64%
    • OAIC’s regulatory activities are based on risk and data rose from 56% to 59%.

“The OAIC’s strategic positioning will enable us to further deliver impactful regulatory outcomes to the Australian community in 2025-26,” Commissioner Tydd said.

Key 2024–25 statistics

    • Finalised 2,470 Information Commissioner (IC) reviews in 2024–25, a 41% increase compared to 1,748 in 2023–24.
    • Issued 248 IC review decisions, compared to 207 previous financial year.
    • Finalised 3,123 privacy complaints compared to 3,103 in 2023–24.
    • Issued 10 determinations following investigations of privacy complaints and continued to reduce the number of older complaints on hand.
    • Finalised 1,155 notifications under the NDB scheme, with 86% of notifications finalised within 60 days, exceeding the OAIC target of 80%.

The overview from the Privacy Commissioner provides:

This has been my first full year in the role of Privacy Commissioner, and it has been characterised by ever-increasing risks to the protection of Australians’ privacy. With data breaches continuing to mount, AI and other emerging technologies becoming part of our day-to-day reality, and novel scams and online harms creating community concern, the work of the OAIC has never been more important, or more challenging.

The period of 1 July to 31 December 2024 saw the OAIC notified of 595 data breaches, an increase of 15% compared to the previous 6 months. Across the 2024 calendar year, data breach notifications were up 25% year on year. Individual and representative complaints to the OAIC, arising out of data breaches as well as other privacy interferences, also increased this financial year, totalling 3,295. Health service providers, the financial sector and Australian government agencies were the sectors most likely to notify of a data breach, and most likely to be the subject of a complaint.

In response to these building trends, the OAIC has focused on a dual-track regulatory response which prioritises both education and enforcement. Acknowledging the uplift required across the public and private sectors to ensure robust Privacy Act compliance, the OAIC has invested in and developed resources to support businesses and agencies to enhance their privacy governance. For example, in embodying the Privacy Awareness Week 2025 theme of ‘Privacy – It’s Everyone’s Business’ we released the Privacy Foundations self-assessment tool, a simple resource designed to help businesses who want to embed a culture of privacy and improve practices, procedures and systems. Throughout the year, we issued new guidance clarifying the application of the Australian Privacy Principles (APPs) to a range of emerging technologies, including tracking pixels, facial recognition and AI, and we updated our charities and non-profits guidance. We launched a blog which we used to share information in a more accessible manner, and to explain the impact of some of the 10 determinations we issued in 2024–25. And together with our Digital Platform Regulators Forum partners, we released a working paper on multimodal foundation models.

Data breaches in January – June 2025. Five hundred and thirty-two notifications

The Privacy Commissioner has published notifications of data breaches in the first half of 2025 under the National Data Breach Notification Scheme. The health sector continues to have the most reported data breaches (18% of reported data breaches), followed by the finance sector (14%) and Australian Government agencies (13%).

The details are:

  • Number of notifications: 532
  • 33% of data breaches were caused by cyber security incidents, of which:
    • 28% were due to phishing
    • 21% due to compromised or stolen credentials
    • 21% due to ransomware
    • 17% hacking
    • 6% brute force attacks
    • 4% malware
  • 3 data breaches affected between 100,000 and 250,000 people, the same number as in the July–December 2024 period. 3 data breaches affected between 250,000 and 500,000 people, the same number as in the July–December 2024 period.
  • Contact information was the most common information affected by data breaches (456). Identity information was affected in 303 data breaches. Financial details were involved in 194 and health information in 161 data breaches.
  • 56% of data breaches were reported within 10 days of discovery. 27% of data breaches were reported more than 30 days after the data breach.
  • 308 of the data breaches were caused by malicious/criminal attacks and 193 were caused by human error.


Groth v Herald & Weekly Times (VID 1130/2025) First directions hearing. Orders made for interlocutory hearing on 6 November 2025

November 1, 2025

At the first directions hearing on 30 October 2025 in the Federal Court proceeding of SAM GROTH and another v THE HERALD AND WEEKLY TIMES PTY LTD and others, the Respondent succeeded in having an application to determine whether the journalist exemption applies set down for hearing. The hearing will occur on 6 November 2025. The directions hearing is reported by the Guardian in News Corp had no first-hand source suggesting Sam Groth’s wife underage at start of relationship, MP’s lawyer tells court, the AFR with News Corp allegedly claimed to be writing puff piece on Groths, and 9 News with ‘Salacious gossip’ or news? Tennis star turned MP to test new privacy law (to name but 3 stories).

The orders made by Justice McElwaine are:

  1. The interlocutory application of the respondent accepted for filing on 2 October 2025 is set down for hearing at 30am on 6 November 2025.
  2. Any evidence proposed to be relied upon by the respondent at the hearing of the interlocutory application is to be in the form of an affidavit which is to be filed and served by 4pm on 4 November 2025.
  3. Any evidence proposed to be relied upon by the applicant at the hearing of the interlocutory application is to be in the form of an affidavit which is to be filed and served by 12pm on 5 November 2025.
  4. The matter be set down for hearing in Melbourne at 15am on 11 May 2026, with an estimate of 10 days.
  5. The parties are to attend a mediation to be organised by the parties, such mediation to take place on 7 November 2025.

The Guardian article provides:

Australia’s new privacy laws to be tested as Victorian Liberal MP and wife Brittany Groth sue over Herald Sun articles

A News Corp journalist had “not one piece of information” to suggest the deputy Victorian Liberal leader, Sam Groth, began a relationship with his wife when she was underage, the MP’s lawyers have told a court.

In what a federal court judge described as a “test case” for Australia’s new privacy laws, Groth and his wife, Brittany, are suing the Herald and Weekly Times (HWT), reporter Stephen Drill and the Herald Sun’s editor, Sam Weir, over a series of articles published in July.

The articles allege the couple met at a tennis club in suburban Melbourne and began a sexual relationship when Brittany was 16 or 17 and Sam – then a professional player – was 23 or 24 and working as her coach, the court has been told.


Gmail passwords included in data breach involving 183 million accounts

October 30, 2025

When reports appear that Gmail has suffered a data breach involving 183 million accounts, the likelihood of panic is great and the reputational damage to Google is greater. Gmail is a now well-established form of email communication. It is ubiquitous, easy to set up and maintain and, until recently, had the cachet of being part of the Google empire and thereby being safe to use. But what happens when the claimed mass theft of Gmail passwords isn’t so mass after all? Google has to scramble to set the facts straight. It can and does get messy. The Forbes article Gmail Passwords Confirmed Within 183 Million Account Infostealer Leak and the Sydney Morning Herald article Panic as breached details of 183m accounts, including Gmail, emerge report that a very significant data breach has occurred and that part of the data stolen included Gmail passwords. Google has had to scramble to clarify.

The issue for businesses is to be as clear and transparent as possible. Many statements in response to data breaches are models of obfuscation and confusion when they are not boilerplate about working with authorities and doing all they can, etc.

The Forbes article

Kurraba Group Pty Ltd & Anor v Williams [2025] NSWDC 396: New South Wales Court considers statutory tort of privacy at interlocutory stage

October 27, 2025

The New South Wales District Court in Kurraba Group Pty Ltd & Anor v Williams [2025] NSWDC 396 considered issues regarding the statutory tort of serious invasion of privacy on 7 October 2025.

FACTS

The relevant parties are:

  • the defendant, Williams, is the sole director and secretary of Glexia Pty Ltd, a company that briefly leased premises the subject of a development application brought by the first plaintiff, Kurraba [2].
  • Kurraba lodged a development application with the City of Sydney to develop and establish a life science hub in the vicinity of 100 Botany Road Alexandria [10].
  • Botany Road development Pty Ltd as trustee for the Botany Road development trust (“BRD”) is the owner of the real property to be developed and is also the company responsible for the development.
  • the second plaintiff, Smith, is the sole director and shareholder of BRD [10].

Kurraba publicly announced its intention to lodge the development application in or about 19 and 20 June 2024 [11]. At about that time a property in Wyndham Street was advertised for short-term rental. BRD exercised an option to purchase the Wyndham Street property. Williams called the real estate agent and said words to the effect that he was interested in leasing the property, and was told it was to be sold and knocked down for development [12].

On 26 June 2024 Glexia Pty Ltd entered into a commercial lease for a period of six months commencing on 1 July 2024. Significantly, Williams did in fact vacate the premises on or around 1 January 2025 [12].

The first interaction between the plaintiffs and Williams occurred when Williams texted Smith stating [13]:

“Dear Kurraba Group,

Your development at 100 Botany Road (SD-63067458 /D/2024/937) intends to cause considerable disruption to my business and likely violates numerous laws, regulations, rules, and policy documents.

We intend to oppose the development first by submitting it to the State of New South Wales and the City of Sydney Local Government Area and, if still approved, the Land Environment Court and/or Supreme Court.

I write to establish communications before formal opposition proceedings and litigation to see if there might be a way to resolve these issues amicably, saving us both the immense cost and time of such proceedings.

We have begun retaining experts to develop a more comprehensive opposition package and to impact the various reports you have submitted as part of your package.

I have attached our preliminary submissions, which will be submitted to the State of New South Wales and the City of Sydney on 29 November 2024 unless we reach some agreement to mitigate the impacts on our business.

Regards,

Michael Williams”

On 11 November 2024, Williams and Smith had a meeting. Mr Smith states that