Peter A Clarke

Categories

  • Blogs

  • Civil Liberties & rights

  • Current Affairs

  • Data security

  • Legal blogs

  • Newspapers

  • Overseas legal sites

  • Oz Legal

  • Politics

  • Privacy sites

  • Technology

    • Global privacy sweep finds that nearly all of 1,000 websites and mobile apps tested use deceptive design patterns

    July 20, 2024

    The Privacy Commissioner in GPEN Sweep finds majority of websites and mobile apps use deceptive design to influence privacy choices to highlight the results of annual Global Privacy Enforcement Network. The GPEN issued a press release on this with 2024 GPEN Sweep on deceptive design patterns. The sweep highlights the poor design, intentional or not, which frustrates users in either finding out what happens to their personal information or determining their rights via privacy policies.  Unfortunately regulators do not take a strong enough position on incomprehensible privacy policies or complex processes designed to thwart individuals which organisations comply with legislation. 

    The GPEN media statement provides:

    A global privacy sweep that examined more than 1,000 websites and mobile applications (apps) has found that nearly all of them employed one or more deceptive design patterns that made it difficult for users to make privacy-protective decisions. Read the rest of this entry »

    Posted in Privacy | Post a comment »

    Medisecure reveals that data breach earlier this year resulted in the theft of personal information of 12.9 million Australians. That makes the need for proper reform of the Privacy Act even more urgent

    July 19, 2024

    The numbers used to be staggering. Thousands, then hundreds of thousands of records taken in this or that cyber attack. Now the administrator of Medisecure Ltd and the liquidators of Operations MDS Pty Ltd made a statement that the personal information of 12.9 million Australians has been compromised (fancy word for stolen). This prompted the Department of Home Affairs curating that statement into its own press release. This has been followed by reports on the ABC and the Guardian. As with many health related services the personal information collected is both voluminuous and comprensive.  It included individuals:

    • full name;
    • title;
    • date of birth;
    • gender;
    • email address;
    • address;
    • phone number;
    • individual healthcare identifier (IHI);
    • Medicare card number, including individual identifier, and expiry;
    • Pensioner Concession card number and expiry;
    • Commonwealth Seniors card number and expiry;
    • Healthcare Concession card number and expiry;
    • Department of Veterans’ Affairs (DVA) (Gold, White, Orange) card number and expiry;
    • prescription medication, including name of drug, strength, quantity and repeats; and
    • reason for prescription and instructions.

    The administrator and liquidator’s statement relevantly Read the rest of this entry »

    Posted in Privacy | Post a comment »

    AT & T lose 109 million US customer accounts from illegal download

    July 15, 2024

    Another telco has suffered a data breach according to Itnews reports in AT&T says data from 109 million US customer accounts illegally downloaded.  The pattern is very familiar, exfiltration of files via a weakness in the system over a few days.  What is also Read the rest of this entry »

    Posted in Privacy | Post a comment »

    AI Models using images of Australian children without their consent (meaning parent’s) consent

    July 6, 2024

    AI models and programs needing vast data on individuals, such as facial recognition technology, needs vast troves of data to be effective. Hoovering up that data has been the business model of companies in those fields. The level of discrimination has been low and respect for the privacy of those whose data is used has generally been non existent. This is highlighted in an ABC piece The world’s biggest AI models were trained using images of Australian kids, and their families had no idea.

    The genesis of the ABC story is a report by Human Rights Watch titled Australia: Children’s Personal Photos Misused to Power AI Tools.

    The article provides:

    In short:

    Images of Australian children were found in a dataset called LAION-5B, which is used to train AI.

    The images have since been removed from the dataset, but AI models are unable to forget the material they’re trained on, so it’s still possible for them to reproduce elements of those images, including faces, in their outputs.

    What’s next?

    The federal government is expected to unveil proposed changes to the privacy act next month, including specific protections for children online.

    Read the rest of this entry »

    Posted in Privacy | Post a comment »

    Australian Government signals that small business exemption will be retained in any Privacy Act amendment

    July 3, 2024

    Privacy reform is no easy task in Australia. Even when the need is clear. The Australian in Privacy relief set for small business reports that the small business exemption will likely be retained in any amendments to the Privacy Act. The Government says it will introduce a Bill in the August session of Parliament. The story relies on “sources” informing the reporter. The story is a classic informal signalling of intention by the Government without it making any announcement. It is a tried and true way method of setting the agenda and dealing with possible unwelcome commentary prior to the bill being introduced. It is all about politics, nothing about policy.

    The retention of the small business exemption is a retrograde step. It makes little legal and policy sense.  The collection of data and the impact of a data breach or other interferences with privacy is not related to the size of an organsiation.  An arbitrary cut off of a $3 million dollar turnover determining whether an an organisation is required to comply with the Privacy Act or not never made much sense when introduced.  It makes less sense now given that a “small business” can collect and use more  data than an organisation covered by the Act.  It is more dependent on the type of business and its emphasis on data collection. 

    In its massive 3 volume report, For your Information, the Australian Law Reform Commission specifically recommended removing the small business exemption.  In its executive report it stated:

    The ALRC recommends that the number of exemptions be reduced—in particular, the existing exemptions for small business, employee records and registered political parties should be removed.

    and

    The small business exemption

    When the provisions of the Privacy Act were extended to cover the private sector in December 2000, an exemption was granted to small businesses (including not-for-profit organisations) with an annual turnover of $3 million or less.[11] The exemption was explained, at that time, by the desire to achieve widespread acceptance for privacy regulation from the private sector, and a reluctance to impose additional compliance burdens on small businesses.

    No other comparable jurisdiction in the world exempts small businesses from the general privacy law—and the European Union specifically has cited this unusual exemption as a major obstacle to Australia being granted ‘adequacy’ status under the European Union Directive on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data (the EU Directive).[12]

    The business community argued strongly for the retention of the exemption, primarily on the basis of the cost of compliance. However, almost all other stakeholders supported removal of the exemption arguing that there is no compelling justification for a blanket exemption for small businesses, as consumers have the right to expect that their personal information will be treated in accordance with the privacy principles.

    The ALRC recommends that this exemption be removed. This would bring Australian privacy laws into line with laws in similar jurisdictions, such as the United Kingdom (UK), Canada and New Zealand, and could facilitate trade by helping to ensure that Australia’s privacy laws are recognised as ‘adequate’ by the European Union. The removal of the small business exemption would have the additional benefits of simplifying the law and removing uncertainty for many small businesses that have difficulty establishing whether they are required to comply with the Privacy Act.

    The ALRC appreciates that the removal of the small business exemption will have cost implications for the sector—although nowhere near as great as is sometimes predicted.[13] An independent research study commissioned by the ALRC indicated that a lower proportion of organisations will be affected—since not all small businesses collect personal information from customers—and the costs should be considerably more modest—about $225 in start-up costs and $301 per year thereafter for each small business—than the predicted $842 and $924 per year respectively cited in the Office of Small Business costing.[14] Further, the ALRC is confident that additional savings will be achieved by the substantial simplification and harmonisation of privacy laws recommended in this Report.

    Nevertheless, the ALRC remains attentive to the economic concerns of small business owners, and recommends a number of other initiatives aimed at supporting small businesses and minimising the compliance burden. Before the exemption is removed, the OPC should provide support to small businesses to assist them in understanding and fulfilling their obligations under the Privacy Act. This should include a national hotline for small businesses, education materials and templates to assist in preparing privacy policies.

    If anything the need to remove the exemption now is greater than it was Read the rest of this entry »

    Posted in Privacy | Post a comment »