US Supreme Court to review digital privacy through the prism of the 14th Amendment, warrantless searches

November 27, 2017

The US Supreme Court has been remarkably strong on recognising a right to privacy through various Amendments to the Constitution, mainly the Read the rest of this entry »

UK drone users are to sit safety tests under proposed new law

November 26, 2017

The response of governments to the phenomenal rise of unmanned aerial vehicles across the world has ranged from the tentative to the woeful. Admittedly it has posed significant challenges to regulators: light, portable drones sold in their thousands are difficult to monitor and, where there is a breach of the regulations, difficult to prosecute. Governments are also wary of limiting the commercial utility of drones, which can transform transport and delivery, such as delivering blood to hospitals.

The regulation of drones in Australia is spotty at best. The nature of the regulation depends on whether drones are being used for recreational or for business and commercial purposes. The primary regulator is the Civil Aviation Safety Authority (the “CASA”). The focus of the regulation is air safety. As my posts on drones over the years have shown, this sort of regulation is far from adequate. Drones have the potential to interfere with people’s privacy, and often do.

The regulation, such as it is, is poorly enforced. The complaints process is cumbersome and there are difficulties in identifying the drone and its owner after the fact. CASA could be doing a better job.
Read the rest of this entry »

Another data breach by an Australian Government Agency…this time the Department of Social Services

It has been a bad year for data breaches in Australia. Perhaps not as bad as America, where the Equifax data breach, involving 145 million Americans, took matters to a whole new level in terms of the volume of data stolen, the impact of that credit reporting information on the individuals affected and the truly dreadful response. Similarly the recently announced Uber breach, involving 57 million individuals, has been a new low in terms of woeful data security and appalling subsequent management. But Australian agencies and organisations have shown, through data breaches, most recently one involving 50,000 Australians from the Department of Finance, the Australian Electoral Commission and other agencies, that there remains a poor culture of privacy protections and data security. Lax regulation and little in the way of consequences for breaches of the legislation have largely contributed to this poor state of affairs.

The Guardian reports on a breach at the Department of Social Services, yet another breach by a third party contractor, which has necessitated the department writing to 8,500 individuals: 2,000 current and 6,500 former employees of the Department. The compromise involved Read the rest of this entry »

Privacy and Personal Information Protection Amendment (Notification of Serious Violations of Privacy by Public Sector Agencies) Bill 2017 introduced into the New South Wales Parliament

November 24, 2017

Data breach notification laws seem to be in vogue in Australia at the moment. In 90 days, on 22 February 2018, the Commonwealth Privacy Amendment (Notifiable Data Breaches) Act 2017 comes into effect for those organisations and agencies covered under the Privacy Act 1988. That has the potential to have a major impact on the way privacy and data security are regulated in Australia and to make the extent of data breaches more transparent. It will bring Australia into line with best practice, even if the Act is far from the gold standard. It is a complicated piece of legislation which requires careful analysis of the extent of data breaches, consideration of exemptions and an appreciation of which are the best options available to the affected entity to ensure compliance.

In New South Wales an opposition member, Paul Lynch, introduced the Privacy and Personal Information Protection Amendment (Notification of Serious Violations of Privacy by Public Sector Agencies) Bill 2017 into the Legislative Assembly on 16 November 2017. If passed Read the rest of this entry »

Uber is hacked, covers it up for over a year, pays the hackers US$100,000 to delete the data and keep things quiet. What else could it have done wrong? Not much

November 22, 2017

Uber, like many modern disrupting businesses, relies on data. Lots of it, to make its app effective. In October 2016 Uber suffered a disastrous data breach, affecting the personal information of 57 million customers and drivers. The hackers stole names, email addresses and phone numbers, as well as the names and driver licences of 600,000 drivers in the US alone. That can make up a treasure trove of data that can be used in identity theft. Uber says that location data, credit card numbers, bank account details, social security numbers and birth dates were not compromised. Or at least that is what it says. Uber’s credibility has taken a hit.

The story has been picked up by Read the rest of this entry »

Privacy related class action to be issued in New South Wales tomorrow; alleging sale of paramedics medical records to personal injury solicitors

November 19, 2017

The development of privacy related actions in either common law or equity in Australian courts has been glacial at best. It has been marked by hesitation and wariness, heavily seasoned by a major case of conniptions by decision makers. Efforts to have the courts here do what is effortlessly done in other common law countries, namely recognise a tort of invasion of privacy, have come to nought. As for Tribunals’ decisions on privacy, the less said the better. The legislature, irrespective of which party occupies the treasury benches, has been equally languid, when not downright resistant, in legislating for a statutory tort of privacy. The need for an actionable tort of privacy has been consistently recommended by whichever law reform commission has looked at the issue. The main opponents these days are media lawyers for news outlets, governments who don’t want a fight with media outlets over such a reform, and some of the more conservative commentators who see any such right as being a bill of rights by stealth or some such nonsense.

The weekend Sydney Morning Herald reports on a class action which may test privacy law in Paramedics launch class action over the sale of their medical records to personal injury solicitors. The breaches are Read the rest of this entry »

Massive Data breach at the ABC

November 17, 2017

To those who think the cloud is the answer to their security prayers, think again. Vulnerabilities in a cloud service occur often enough. Flaws in services provided by third party providers are a chronic problem. The onus still remains with the party that collects the data, but too many organisations assume that once it is stored via a third party provider, such as in the cloud, that responsibility disappears. Oftentimes data in the cloud is not encrypted or otherwise protected. The ABC has learned these and a few other lessons with a data breach in its cloud services, being a misconfigured storage bucket, according to The Australian article ABC caught in massive data leak. That data seems to Read the rest of this entry »

Report on proposed National revenge porn legislation to include civil penalties

November 10, 2017

Revenge porn, the non-consensual posting of intimate pictures or videos online, is currently regulated by means of criminal offences in Victoria, South Australia, New South Wales and the ACT. There is no specific civil cause of action or statute based tort of interference with privacy. There have been successful prosecutions of individuals, usually ex partners of the victim, who posted intimate images in their possession to humiliate and harm the victim. And that is all to the good. However, a criminal prosecution is a very blunt instrument and one Read the rest of this entry »

With mandatory Data Breach Notification legislation coming into effect in February 2018 the Information Commissioner releases draft Notifiable Data Breach guidelines and puts retailers on notice about their obligations.

November 6, 2017

It is less than 6 months before the mandatory data breach notification laws take effect. February 22 2018, to be precise. It will impact all organisations and agencies covered by the Privacy Act and may require them to report data breaches of personal information. This has been the norm in 48 states of the United States for some time. In the United States, receiving notices under whichever data breach legislation is in operation is, if not common, then not unusual. That is an indicator of the frequency and impact of data breaches on business and government. Cyber crime for profit and malicious hacking is a chronic problem. In Australia there has been no requirement to notify individuals whose personal information has been accessed through a data breach. There have been self reported data breaches to the Information Commissioner, sometimes because of good corporate practice but more often because the breach had been publicised.

The Australian legislation is far from the gold standard. It is complex and quite imprecise. It will require considerable care by organisations and agencies to develop policies as early as possible in order to properly comply with the legislation when there is a data breach. There is little point trying to work out how to comply while dealing with a data breach. Notifications must be made within 30 days from the date the breach is detected. That is the outer limit. While the time frame seems generous, given the Read the rest of this entry »

UK Information Commissioner’s Office fines data supplier 80,000 pounds and sends a warning to the data broking industry

The Information Commissioner’s Office has been an active regulator in the United Kingdom. The legislation in the United Kingdom, the Data Protection Act, empowers the ICO to levy monetary penalty notices, the technical term for fines. In Australia the Information Commissioner can commence civil penalty proceedings with penalties of up to $1.7 million. Each regulator has its own regulatory armaments. The difference is that the ICO is active. The Australian Information Commissioner is not.

This fine is the first by the ICO involving the data broking industry.

The ICO issued a monetary penalty notice, fining Verso Group (UK) Limited for supplying personal information to another company, Prodial Ltd, which used that data to make 46 million nuisance calls. Prodial received a record fine, but the investigation continued and went to the source of the data. That is quite a common feature of regulatory investigations. Commonly one investigation for Read the rest of this entry »