Report by the Attorney General's Department review into the Privacy Act: Chapter 6, Small business exemption. Analysis and comment. One of the most disappointing parts of the Report. A failure of public policy.

April 30, 2023

Chapter 6 of the Attorney General's Report into the Privacy Act 1988 considers the small business exemption in the Act. The small business exemption was considered at length by the Australian Law Reform Commission in its 2008 Report on the Privacy Act 1988 (Report 108, For Your Information). The Commission was explicit then that the small business exemption was neither necessary nor justifiable. The Information Commissioner and a majority of submitters called for the removal of the exemption.

The Report recommends against removing the small business exemption until a long and convoluted process of analysis and consultation with small business has been completed, small business having been adamantly resistant to any removal of the exemption. All of this would happen only after the other proposed reforms are implemented. So there will be a second act to this ongoing drama, except that it has no end date. It is hard to come to any conclusion other than that this part of the Report is the product of poor analysis which may result in a failure of public policy if it is implemented. How could the authors of this Report get it so wrong, given the previous analysis by the Law Reform Commission, the overwhelming weight of submissions and cold hard logic? It may be that there is more politics than law in the drafting of this Chapter and its recommendations.

The Australian Law Reform Commission stated (footnotes omitted):

39.181 After carefully reviewing stakeholder views, international experience, and the commissioned research, the ALRC concludes that the exemption for small business is neither necessary nor justifiable.

39.182 Associate Professor Moira Paterson has offered a counter to the argument that the requirement to comply with the Privacy Act constitutes a substantial compliance burden. She noted that the costs of compliance on businesses are likely to be significant only where businesses have poor record-keeping practices—citing evidence from Quebec that implementing data protection measures may in fact result in cost reduction or increased productivity due to improved information-handling practices. Furthermore, Paterson observed that, in New Zealand,

the limited information available to date does not suggest that the cost of implementation has been a major problem. For example, the New Zealand Real Estate Institute commented in 1994 that, while the passing of the Privacy Act 1993 (NZ) would have a considerable impact on the manner in which the industry might deal with personal information, it did not expect that there would be any significant cost of compliance; what was required was common sense and fair dealing.

39.183 While cost of compliance with the Privacy Act is an important consideration, this factor alone does not provide a sufficient policy basis to support the small business exemption. The fact that no comparable overseas jurisdictions—including the United Kingdom, Canada and New Zealand—have an exemption for small businesses is indicative.

Medibank’s woes continue… a typical by-product of a major data breach

April 28, 2023

A data breach is just the start of an organisation’s problems. Regulators become involved, there is a need for a major organisational review, new hires of experts and a few firings of those who did not do their jobs properly. And then there is the litigation. In 2022 IBM released a very influential report titled Cost of a Data Breach 2022.

Some of the findings were:

  • 83% of organizations studied had more than one data breach
  • 60% of organizations’ breaches led to price increases passed on to customers
  • 79% of critical infrastructure organizations had not deployed a zero trust architecture
  • 19% of breaches occurred because of a compromise at a business partner
  • the average total cost of a data breach was USD 4.35 million
  • the average cost of a ransomware attack, not including the cost of the ransom itself, was USD 4.54 million
  • the average difference in cost where remote work was a factor in causing the breach, versus where it was not, was USD 1 million
  • healthcare was the costliest industry for data breaches, with an average cost of USD 10.10 million, followed by the financial, pharmaceutical, technology and energy industries
  • the average time to identify and contain a data breach was 277 days
  • the average cost of a breach for organizations with high levels of compliance failures was USD 5.57 million
  • the average total cost of breaches of 50 million to 60 million records was USD 387 million
  • the average total cost of breaches of 20 million to 30 million records was USD 241 million

Today Medibank advised via a media release titled Cybercrime update – Deloitte incident review


Re Lifestyle Residences Hobsons Bay Pty Ltd (recs & mgrs apptd) [2023] VSC 179 (6 April 2023): statutory demand, service under section 109X(1)(a), service outside the statutory period, whether director can make application on behalf of company when receivers appointed

April 23, 2023

The Victorian Supreme Court in Re Lifestyle Residences Hobsons Bay Pty Ltd (recs & mgrs apptd) [2023] VSC 179 considered a range of issues: whether a director can bring an application when receivers have been appointed, the operation of section 109X(1)(a) of the Corporations Act and the calculation of the period for service. It makes clear that the time for filing an application is immutable: an application filed out of time is a nullity.

FACTS

The facts relating to service were:

  • on 22 November 2022, Ms Celia Luki, the solicitor with carriage of the matter for the defendant, ascertained the registered office address of the Company from an Australian Securities and Investments Commission (‘ASIC’) company search [35].
  • Luki requested the Office Services Clerk in her firm in Redfern, New South Wales, to arrange for the documents to be couriered to Melbourne for delivery to the registered office address.
  • a Client Services Assistant at McCullough Robertson received Luki’s instructions on the service of the statutory demand in the sum of $213,166.89 in an email forwarded to her by the Office Services Clerk, who also provided the statutory demand and accompanying affidavit.
  • the assistant logged into the Toll Priority (Aus) system and entered those details, recording Luki’s email address as the contact for email updates on the progress of the delivery of the demand. She printed a label from the Toll system, which included all of the recipient’s details, affixed it to a Toll Express Services priority satchel and obtained a tracking number and manifest document.
  • in the afternoon of 22 November 2022, a courier from Toll attended the McCullough Robertson office and collected the sealed envelope and two copies of the manifest document [35]
  • the tracking log, obtained on 16 December 2022, records that the documents were delivered to the company at the registered office address on 23 November 2022 at 9:46am. The proof of delivery document clearly records the registered office at which delivery occurred and the signature of Paula accepting delivery of the envelope [36]. Paula was a receptionist at an accounting firm engaged by the company, whose business address is the registered office address of the company.
  • Paula was unsure who to forward the demand to and sought confirmation from her principal, Mr Sam Cimino. However, because Cimino was extremely busy that day, she was only able to email him and unable to speak to him in person [37].
  • on 24 November 2022, Paula had a discussion with Cimino, who instructed her to immediately send the statutory demand to Mr Burgess, Mr Dale Harrison and Mr Peter Van De Steeg, who are nominated contact people at the company. 
  • Paula emailed the nominated people at the company, attaching an electronic copy of the statutory demand but erroneously stated the demand had arrived by courier at the registered office address on 24 November 2022 when, in fact, it was delivered by courier the day prior [38]. 


Online Privacy Bill introduced to the US House of Representatives…Another attempt at providing Federal privacy protections

In the United States statutory protections of privacy tend to be state based. There have been attempts to pass Federal privacy legislation. The latest attempt is the reintroduction of the Online Privacy Act by Californian Democratic Representatives Anna G Eshoo and Zoe Lofgren. Given that Republicans control the House of Representatives, it will be interesting to see whether it is passed in the House. Even if it is not successful it is but the latest in a series of attempts to provide proper nationwide privacy coverage.

The Bill was introduced as H.R. 2701 and is described as the Online Privacy Act of 2023 (‘OPA’).  The stated intention is to:

  • provide for individual rights relating to privacy of personal information, 
  • establish privacy and security requirements for covered entities relating to personal information,
  • establish an agency to be known as the Digital Privacy Agency to enforce such rights and requirements.

The Act would:

  • regulate any entity, including non-profits and common carriers, that intentionally collects, processes, or maintains personal information and transmits personal information over an electronic network.
  • provide several data subject rights, primarily the rights:
    • of:
      • access,
      • rectification,
      • deletion,
      • portability, and
      • impermanence, which would mandate that organisations may not maintain a category of personal information for longer than expressly consented to by the individual;
    • to:
      • human review of automated decisions, and
      • be informed.
  • impose obligations on organisations to:
    • articulate the need for and minimise the user data they collect, process, disclose, and maintain;
    • minimise employee and contractor access to user data;
    • not disclose or sell personal information without explicit consent;
    • not use third-party data to re-identify individuals;
    • not use private communications (e.g. emails and web traffic) for ads or other invasive purposes;
    • not process data in a way that violates civil rights (e.g. employment discrimination);
    • use objectively understandable privacy policies and consent processes, and not use dark patterns to obtain consent; and
    • employ reasonable cybersecurity policies to protect user data.
  • create the Digital Privacy Agency (‘DPA’), a federal agency.  It would have the power to issue regulations and to impose fines of up to $443,792 for each violation.
  • also empower State Attorneys General to enforce the Act and grant individuals a private right of action.


Slater and Gordon commence Optus Data Breach Class Action

April 21, 2023

It is hardly surprising that a class action against Optus would be issued. Yesterday Slater and Gordon made that announcement. This follows the Medibank Data Breach Class Action, which is being funded by Omni Bridgeway, with Baker and McKenzie acting for the claimants. Maurice Blackburn, Centennial Lawyers and Bannister Legal opted for the Privacy Act route, making a complaint to the Information Commissioner. The Commissioner has advised those firms that she won’t be investigating the complaints because the class action on foot would provide the appropriate remedies. It is not surprising that Andrew Watson of Maurice Blackburn is not best pleased, given that the Commissioner is continuing to investigate the Optus breach. He was reported as saying “They’re proposing to conduct an investigation as to whether there’s a breach, but not deal with compensation. If they’re not going to do it on this one, what are they there for?”. A fair point. At the moment, seeking remedies through the Privacy Act means dealing with incoherent processes, subject to exercises of discretion by the Commissioner that could bring matters to a sudden stop. I could have said that because I practise in this area. Maurice Blackburn clearly does not. It was always better to go the class action route in the Federal Court. One can only hope that the Review of the Privacy Act and the resulting legislation will provide a clearer and more coherent enforcement and compensatory process.


The Information Commissioner’s Office releases its submission on the 2023–2030 Cyber Security Strategy

There is no shortage of discussion papers involving cyber security, privacy and data management at the moment.  One of the most recent is the Department of Home Affairs 2023-2030 Australian Cyber Security Strategy Discussion Paper. It is not particularly long or detailed. Being a strategy, it focuses on high policy and directions rather than detailed amendment and analysis. The Information Commissioner has published her Submission to 2023–2030 Cyber Security Strategy Discussion Paper.

The Commissioner’s submission is consistent with one agency commenting on the power arrangements of other agencies: strong on administrative analysis and recommendations.  The Commissioner’s key recommendation is that any strategy has to sync carefully with the amendments to the Privacy Act.  The Commissioner also identifies the need for regulatory frameworks to work cohesively.  Unfortunately in this area matters have gone rapidly from weak regulation to multiple Acts and agencies.  It has been entirely reactive, after years of ignoring the threat of cyber attacks and failing to keep regulation up to date.  The Commissioner is right to insist that, even with multiple agencies and pieces of legislation, they should cohere and avoid regulatory gaps.  Better to have overlap than gaps.  The Commissioner’s recommendation that she be permitted access to protected information in relation to matters involving data breaches is sensible, as is the recommendation to ensure that reporting of breaches be consistent across the board. 

The key with any strategy is enforcement.  There is little point having comprehensive regulation if the affected organisations and agencies ignore it because they know the regulators are timid and the penalties small.  There has long been a cultural reluctance in Australia to put time, effort and money into maintaining proper data protection, of both the analog and digital kind.


Privacy Act Review Report: Chapter 5, Flexibility of the APPs. Analysis and comment

April 19, 2023

Chapter 5 of the Report is devoted to amending the powers in the Privacy Act relating to developing APP Codes and Emergency Declarations. The focus is quite narrow and technical. The amendments should not be controversial given that the changes build on what is already in the Privacy Act. There are relatively few APP Codes and Emergency Declarations thankfully do not commonly arise.

The Act sets out a process for making APP codes in which the Commissioner identifies code developers and registers codes developed by them.  An ‘APP code developer’ is any of an APP entity, a group of APP entities, or an association or body representing one or more APP entities.  Currently the Commissioner is only permitted to make an APP code if a code developer has been requested by the Commissioner to develop a code and has not complied with the request, or the Commissioner has decided not to register a proposed code.

The Report proposes to give the Commissioner more power and flexibility in developing Codes.  To that end the Report recommends that the Commissioner be given additional power to make an APP code on the direction or approval of the Attorney-General:

  • where it is in the public interest for a code to be developed, and
  • where there is unlikely to be an appropriate industry representative to develop the code.

An APP code could be made in the absence of a suitable industry code developer.

The process would not be unfettered.

Media Watch has a segment on “Media and privacy”, focusing on the tort of interference with privacy. The venerable Paul Barry in full stentorian mode opines against it. Quelle surprise!

April 17, 2023

Tonight ABC’s Media Watch broadcast a segment on the Attorney General’s Report on the Review of the Privacy Act, titled “Media and privacy”, with a focus on a proposed statutory tort of privacy. The coverage followed the traditional line adopted by media commentators in Australia: yes, there are breaches, but a tort of privacy would suppress free speech and so reform is a bad idea. Being Media Watch it was a reasonably comprehensive story, within the time allotted. But still quite predictable and overall not particularly sophisticated. The usual suspects came out against, such as Justin Quill with the usual lines about how such a reform will help the rich and kill investigative journalism. The supporters, Michael Douglas and Barbara McDonald, were also predictably supportive, but a good deal less shrill. Between now and the release of a draft bill expect strident stories from the participants in the Right to Know Coalition. In the past Chris Merritt (Privacy tort a blow to free speech, 18 March 2009), Ainslie van Onselen (Push for a tort is misguided and wrong, 21 September 2012, The Australian) and Michael Stutchbury (Lawsuits no way to defend privacy or free speech, 26 July 2011), among many others, have dipped their thumbs into the ink barrel when a privacy tort is mentioned and penned jeremiads about the end of journalism, the end of freedom of speech and no more public interest exposés if such a privacy tort is enacted. There is a sameness about the columns: pictures of a grim future with judges wielding their gavels with abandon, crushing story after story, and villainous reprobates being protected. The offerings tend to be long on emotion and short on analysis. That does not mean they have not had an effect. Governments of both persuasions have steered clear of adequate privacy law reform for decades.

It is entirely understandable that the media would have an interest in privacy reform.  The problem is that it does not accept that the defence of public interest and freedom of expression in any tort will be given any weight.  That is fear based on emotion, not logic.  On a more practical level, given the gaping lacuna in the law regarding privacy and the practical inability of the aggrieved to take any legal action for invasions of their privacy, it is in the media’s interests to keep the status quo.

The Media Watch report is quite a reasonable analysis, albeit limited by the fact that as the title suggests it focuses on media and privacy. Which is not the whole issue.  What is lost in this story is that there are many circumstances where the media is not involved, the interference with privacy is one person intruding on the seclusion of another.  Or interfering government officials.  Or organisations and businesses surveilling customers or just ordinary individuals.  With new and increasingly intrusive technology not having legal recourse is a failure of public policy.  None of this will convince the media and the fact that Australia is an outlier in this area of law causes it no concern at all.


Commonwealth Attorney General Privacy Act 1988 Review Report Part 1, chapters 3 & 4. Some observations about the analysis and proposals.

April 16, 2023

The date for submissions to the Attorney General’s Review of the Privacy Act Report closed on 31 March 2023.

I will be undertaking a detailed review of the Report, by related chapters, between now and when the draft Bill is released by the Government, probably before or after the Winter Recess.

This analysis relates to Chapters 3 and 4. The proposals contained in both chapters are not controversial and address weaknesses in the drafting of the Privacy Act that have been identified for some time.  The recommendations regarding de-identified and anonymised information attempt to address what remains a very difficult issue. The extent to which de-identification is possible in a practical sense is a matter of significant debate.  Those issues may come into sharp relief if a data breach involved theft of de-identified information which was subsequently re-identified.
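To make the re-identification point concrete, the following is an added example (not from the Report or the original post) of a linkage attack: a "de-identified" record set has had names stripped, but the quasi-identifiers left behind (postcode, birth year, sex) can be joined against a public dataset that still carries names. Every record below is constructed for illustration; the field names, the "directory" dataset and the generalisation rules are assumptions of the example, not anything the Report describes. The same code shows the standard check a practitioner runs before calling a dataset de-identified (k-anonymity over the quasi-identifiers) and that coarsening the quasi-identifiers until k >= 2 defeats the unique join.

```python
"""
Linkage (re-identification) attack on a "de-identified" dataset, plus the
k-anonymity check that would have flagged the risk. Added example with
constructed data; not code from the Privacy Act Review Report or the post.
"""
from collections import defaultdict

# Quasi-identifiers that survived "de-identification" (assumed field names).
QUASI = ("postcode", "birth_year", "sex")

# Constructed "de-identified" breach dump: names removed, quasi-identifiers kept.
DEIDENTIFIED = [
    {"postcode": "3121", "birth_year": 1984, "sex": "F", "diagnosis": "asthma"},
    {"postcode": "3122", "birth_year": 1987, "sex": "F", "diagnosis": "diabetes"},
    {"postcode": "3000", "birth_year": 1990, "sex": "F", "diagnosis": "migraine"},
    {"postcode": "3000", "birth_year": 1990, "sex": "F", "diagnosis": "anxiety"},
    {"postcode": "2000", "birth_year": 1975, "sex": "M", "diagnosis": "hypertension"},
    {"postcode": "2010", "birth_year": 1971, "sex": "M", "diagnosis": "back pain"},
]

# Constructed public auxiliary dataset (e.g. a directory listing) that still has names.
PUBLIC = [
    {"name": "A. Nguyen", "postcode": "3121", "birth_year": 1984, "sex": "F"},
    {"name": "B. Smith", "postcode": "3122", "birth_year": 1987, "sex": "F"},
    {"name": "C. Lee", "postcode": "3000", "birth_year": 1990, "sex": "F"},
    {"name": "D. Patel", "postcode": "3000", "birth_year": 1990, "sex": "F"},
    {"name": "E. Brown", "postcode": "2000", "birth_year": 1975, "sex": "M"},
    {"name": "F. Jones", "postcode": "2010", "birth_year": 1971, "sex": "M"},
    {"name": "G. Wong", "postcode": "2000", "birth_year": 1975, "sex": "M"},
]


def key(rec, quasi=QUASI):
    """Tuple of quasi-identifier values; the join key for the linkage attack."""
    return tuple(rec[q] for q in quasi)


def index(records, quasi=QUASI):
    """Group records into equivalence classes sharing the same quasi-identifiers."""
    groups = defaultdict(list)
    for r in records:
        groups[key(r, quasi)].append(r)
    return groups


def reidentify(deidentified, public, quasi=QUASI):
    """Return {index_in_deidentified: name} for records that link unambiguously.

    A record is re-identified only when exactly one public record and exactly
    one de-identified record share its quasi-identifier key; anything with more
    than one candidate on either side is left unlinked rather than guessed.
    """
    pub = index(public, quasi)
    dei = index(deidentified, quasi)
    hits = {}
    for i, r in enumerate(deidentified):
        k = key(r, quasi)
        if len(pub.get(k, [])) == 1 and len(dei[k]) == 1:
            hits[i] = pub[k][0]["name"]
    return hits


def k_anonymity(records, quasi=QUASI):
    """Smallest equivalence class over the quasi-identifiers (the k in k-anonymity).
    k == 1 means at least one person is unique and therefore linkable."""
    return min(len(g) for g in index(records, quasi).values())


def generalise(records):
    """Coarsen quasi-identifiers: postcode to its first two digits, birth year to
    decade. An assumed generalisation scheme; the point is only that every
    resulting equivalence class should have size >= 2."""
    out = []
    for r in records:
        g = dict(r)
        g["postcode"] = r["postcode"][:2] + "xx"
        g["birth_year"] = r["birth_year"] // 10 * 10
        out.append(g)
    return out


if __name__ == "__main__":
    print("k before generalisation:", k_anonymity(DEIDENTIFIED))
    for i, name in reidentify(DEIDENTIFIED, PUBLIC).items():
        print(f"record {i} ({DEIDENTIFIED[i]['diagnosis']}) -> {name}")
    coarse = generalise(DEIDENTIFIED)
    print("k after generalisation:", k_anonymity(coarse))
    print("links after generalisation:", reidentify(coarse, generalise(PUBLIC)))
```

On the constructed data three of the six "de-identified" health records link to a named person by a plain join, which is the practical sense in which stripped-of-names data can still be "reasonably identifiable". After generalisation every equivalence class has at least two members and no record links uniquely; whether that coarsening is still useful for the data's purpose is the trade-off the debate is about.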

CHAPTER 3 OBJECTS OF THE ACT

The Report notes that privacy is not defined in the Act. It is a concept that can be broadly construed and may be understood as comprising a number of related concepts including informational privacy, bodily privacy, privacy of communications, and territorial privacy.

The Report proposes:

3.1 Amend the objects of the Act to clarify that the Act is about the protection of personal information.

The rationale for the amendment is that as the focus of the Act is to provide a framework for the handling and protection of personal information, the objects should more clearly reflect this.

The Report then states that the Act implements Australia’s international obligations in relation to privacy in part by providing a framework for regulating the collection, use, storage, disclosure and destruction of personal information but does not cover all aspects of privacy as the term is commonly understood.

The Report recommends:

3.2 Amend the objects of the Act to recognise the public interest in protecting privacy.

The Report notes that:

  • protection of privacy sits alongside other important interests: this is recognised in Article 17 of the International Covenant on Civil and Political Rights (ICCPR) and reflected in paragraph 2A(b) of the objects. Those interests are sometimes, but not always, in tension.
  • paragraph 2A(b) of the objects should continue to recognise that the protection of the privacy of individuals is balanced with the interests of entities in carrying out their functions or activities.
  • the recognition of a public interest, as well as individual interest, in privacy will inform the balancing exercise, retaining sufficient flexibility for ‘countervailing interests to be given the weight they deserve’.
  • the protection of privacy and the interests of entities in carrying out their functions and activities, including private commercial activities, are not necessarily in conflict. It is not a zero-sum game.
  • businesses that use data in a fair and responsible manner may serve the public interest indirectly, and deliver benefits to individuals and the broader economy, as well as their own commercial interests.

CHAPTER 4 PERSONAL INFORMATION, DE-IDENTIFICATION AND SENSITIVE INFORMATION

The Report identifies a problem with the principles-based definition: a lack of understanding of how to apply it to information in practice.

The Report notes that the definition has to be seen in context in the Act and as such the Act:

  • does not prohibit the collection, use and disclosure of personal information.
  • requires that the principles around personal information handling set out in the APPs must be followed, including only collecting reasonably necessary information and only using or disclosing it for the purposes for which it was collected unless the individual consents or another exception applies.

The definition of personal information is intentionally broad, which ensures that APP entities keep privacy and risk-based personal information handling at the forefront of their minds when conducting their functions or activities.

Section 6 of the Privacy Act defines personal information as follows:

personal information means information or an opinion about an identified individual, or an individual who is reasonably identifiable:

(a) whether the information or opinion is true or not; and

(b) whether the information or opinion is recorded in a material form or not.

Individual is defined as a ‘natural person’.

The current definition of personal information has two limbs:

  • the information is about an individual, and
  • the individual is identified or reasonably identifiable.

The Report identifies two categories of uncertainty about the definition:

  1. it is unclear which types of information can be personal information. For example, there is confusion about whether technical information that records service details about a device is the personal information of the owner of the device. Further, there is uncertainty about whether inferred information about an individual, for example in an online profile, will be personal information.
  2. there should be more clarity about how to ‘reasonably identify’ an individual and correspondingly how to know when an identifiable individual becomes ‘de-identified’.

The Report proposes to clarify the two categories of uncertainty through proposals that address the two limbs of the test for personal information.

41.9 million records compromised in cyber attacks in March 2023

April 11, 2023

Estimating the number of records accessed or otherwise compromised by data breaches is a fraught business. In the United States, Canada, the United Kingdom, Europe and Australia, with mandatory data breach notification laws and a media which has an interest in data breaches, it is possible to assemble some reasonable statistics about cyber attacks. There is some data available from Latin America and the more advanced economies of Asia, the Middle East and Africa. As for the rest, information is spotty and often unreliable. Itgovernance has calculated that in March alone there were 100 publicly disclosed cyber attacks which affected 41,970,182 records. These figures should be regarded as an understatement of the worldwide number of breaches in March. Given the volume of data breaches it is also fair to surmise that the breaches reported to the Australian Information Commissioner understate the number and extent of breaches here.

According to itgovernance the biggest of these data breaches were:

  • Latitude Financial

The largest confirmed data breach of March 2023 occurred at Latitude Financial, with more than 14 million records being compromised.

The Melbourne-based company, which provides personal loans and credit cards to people in Australia and New Zealand, reported that cyber criminals had captured several different types of data.

Almost 8 million driver’s licences were stolen, along with 53,000 passport numbers and dozens of monthly financial statements.

An additional 6 million records dating back to “at least 2005” were also compromised in the attack, the source of which is not yet known.

The most concerning aspect of this breach is that Latitude Financial originally reported that only 300,000 people had been affected. This suggests that it had a poor understanding of the attack and rushed to disclose the breach.

Having to then update its estimate invites further public scrutiny of the attack and could see customers lose faith in the company.