November 29, 2024
Following the passage of the Privacy and Other Legislation Amendment Bill 2024 this morning it is not surprising that the Attorney General will take a victory lap with a press release titled Delivering stronger privacy protections for Australians. The sobering reality is that the Office of the Information Commissioner is currently under resourced. Innovation Aus reports in OAIC slashes staff to meet $11m budget crunch that the Office is sacking staff to comply with a 23% budget cut from the government.
Not surprisingly the Privacy Commissioner took a moment to welcome her increased powers. She made the point of saying it was only the first step. And never a truer word was said.
It makes little sense to provide enhanced powers to the Commissioner, presumably expecting her to exercise those powers, while cutting the resources necessary to exercise those powers. Unfortunately it is a familiar story with the Privacy Commissioner then Information Commissioner’s office. That is not to say that the Office has occasionally used this problem as an excuse to be a timid regulator when more action was called for.
The Attorney General’s media release provides:
The Albanese Government has delivered landmark legislation to strengthen privacy protections for all Australians and outlaw doxxing.
Australians want their privacy respected. When they are asked to hand over their personal data Australians expect it will be protected.
The Privacy and Other Legislation Amendment Bill 2024 implements a first tranche of recommendations from the Privacy Act Review, including:
- a new statutory tort to address serious invasions of privacy
- a Children’s Online Privacy Code to better protect children from a range of online harms, including $3 million over three years for the Office of the Australian Information Commissioner to support its development
- greater transparency for individuals affected by automated decisions
- streamlined information sharing in the case of an emergency data breach, while ensuring that information is appropriately protected
- stronger enforcement powers for the Australian Information Commissioner
The legislation also introduces new criminal offences to outlaw doxxing with serious criminal penalties of up to 7 years imprisonment. Doxxing is a form of abuse that can affect all Australians but is often used against women in the context of domestic and family violence.
The Government is committed to ensuring the Privacy Act works for all Australians and is fit for purpose in the digital age.
The legislation builds on the significant steps already taken by the Albanese Government on privacy, including:
- significantly increased penalties for repeated or serious privacy breaches
- greater powers for the Australian Information Commissioner to resolve privacy breaches and quickly share information about data breaches
- restoration of the standalone position of the Australian Privacy Commissioner
The legislation passed today is just the first stage of the Albanese Government’s commitment to provide individuals with greater control over their personal information.
The Albanese Government will continue to consult the Australian community on further privacy reforms.
The Privacy Commissioner’s media release provides:
The Office of the Australian Information Commissioner (OAIC) welcomes the passing of the Privacy and Other Legislation Amendment Bill 2024 as a significant step forward in advancing privacy protections for the Australian community.
The Bill contains significant measures including:
- the introduction of a statutory tort for serious invasions of privacy, giving individuals a route to seek redress for privacy harms in the courts
- the expansion of the OAIC’s enforcement and investigation powers, including new tiers of civil penalties and the ability to issue infringement notices
- a mandate for the OAIC to develop a Children’s Online Privacy Code, which will cover not only social media platforms but any online services likely to be accessed by children
- a new mechanism to prescribe a ‘white list’ of countries and binding schemes with adequate privacy protections to facilitate cross-border data transfers
- a requirement that privacy policies contain information about substantially automated decisions which significantly affect individuals’ rights or interests, including the kinds of decisions and kinds of personal information used.
“These new powers and functions come at a critical time, as privacy harms increase and the Australian community demands more power over their personal information,” Australian Privacy Commissioner Carly Kind said.
“They have had a long gestation. Many have campaigned for reform – in some cases for more than a decade – so their efforts need to be recognised today.
“The reforms are an important first step. More needs to be done of course, and we appreciate the government’s commitment to further action.”
The Innovation article provides:
The privacy and information watchdog has slashed dozens of staff in response to a 23 per cent budget cut by government and a review by management consultants, sparking fears it will be ill equipped to deal with key policy changes like the social media ban.
Senior officials confirmed the cuts on Wednesday and said a new structure at the Office of the Australian Information Commissioner (OAIC) will be in place from early next month.
Posted in Privacy
November 28, 2024
The Privacy and Other Legislation Amendment Bill 2024 passed the Senate at 9:13PM on Thursday 28 November 2024. The final vote was 31 ayes and 23 noes.
With that, the substantive Bill passed both houses of Parliament. The relatively few amendments to the Bill, from recommendations of the Senate Committee Report, will be passed by the House in a special sitting this morning.
The statutory tort will be enacted. It will come into effect on a date fixed by proclamation. If no such date is fixed it will commence 6 months after the Act receives Royal Assent. Royal Assent occurs when the Bill is signed by the Governor-General. The process is that a certificate is signed by the Attorney-General which is sent to the Governor-General. The Governor-General gives the Royal Assent to the Bill by signing 2 copies of the Bill.
Royal Assent will take place very soon.
The Attorney General may advise when the statutory tort will commence but if he doesn’t and there is no specific date fixed by proclamation then it is a fair assumption that the statutory tort will come into effect in early June 2025.
Posted in Privacy
November 27, 2024
The Cyber Security Bill has had very quick progress through the Parliament. It was introduced last month, on 9 October 2024, had its second reading debate in the House of Representatives on 19 November, and was passed in the Senate on Monday 25 November 2024. It is part of a parcel of bills, the others being the Intelligence Services and Other Legislation Amendment (Cyber Security) Bill and the Security of Critical Infrastructure and Other Legislation Amendment (Enhanced Response and Prevention) Bill, to amend the Security of Critical Infrastructure Act 2018.
The Bills were supported by the Coalition.
The Minister’s Second Reading speech states:
That this bill be now read a second time.
In introducing this legislation, I acknowledge the work done in its development from the former Minister for Home Affairs, now the Minister for Housing, and also acknowledge the work of the very large number of members of the Department of Home Affairs in the cybersecurity section, who have worked for some years in the development of the legislation in the national interest that I present to the House today.
This bill, alongside the Intelligence Services and Other Legislation Amendment (Cyber Security) Bill and the Security of Critical Infrastructure and Other Legislation Amendment (Enhanced Response and Prevention) Bill, form the cybersecurity legislative reforms package. This package will collectively strengthen our national cyber defences and build cyber-resilience across the Australian economy.
This suite of legislative reforms will implement key initiatives under the 2023-2030 Australian Cyber Security Strategy. This is a significant step in achieving the Australian government’s vision of becoming a world leader in cybersecurity by 2030.
Posted in Privacy
November 15, 2024
The Senate Legal and Constitutional Affairs Legislation Committee yesterday released its report on Privacy and Other Legislation Amendment Bill 2024. It is overwhelmingly supportive of the Bill.
Its recommendations are:
Recommendation 1
The committee recommends that the minimum consultation period for the Children’s Online Privacy Code is extended to at least 60 days.
Recommendation 2
The committee recommends that the bill is amended to include a requirement for the Information Commissioner to consult with relevant industry bodies or organisations when developing the Children’s Online Privacy Code.
Recommendation 3
The committee recommends the exclusion for media organisations from accessing personal information during declared emergencies is extended to exclude national broadcasters such as the ABC and Special Broadcasting Service.
Recommendation 4
The committee recommends that the bill is amended to empower the Information Commissioner to issue a discretionary notice to an entity to remedy an alleged breach of one or more of the provisions in section 13K before issuing an infringement notice.
Recommendation 5
The committee recommends that the Explanatory Memorandum to the bill is amended to make clear that the level of information required in privacy policies is not expected to compromise commercial-in-confidence information about automated decision-making systems.
Recommendation 6
The committee recommends that the Commonwealth government considers amending clause 7 of the bill to:
• require a court to consider the matters of public interest that justify the invasion of the plaintiff’s privacy;
• not require a defendant to adduce evidence of public interest in every case; and
• provide that ‘artistic expression’ is a form of freedom of expression.
Recommendation 7
The committee recommends that the Commonwealth government considers amending Schedule 2 of the bill to ensure that the journalism exemption applies to a person involved in the publication, re-publication or distribution of journalistic material.
Recommendation 8
The committee recommends that Schedule 2 of the bill is amended to make clear that the concept of ‘journalistic material’ for the serious invasions of privacy tort includes ‘editorial’ material.
Recommendation 9
The committee recommends that Schedule 2 is amended to make clear that the power conferred on a court to issue an injunction is not limited to an ‘interim’ injunction.
Recommendation 10
Subject to the preceding recommendations, the committee recommends that the Senate passes the bill.
What is notable about the Report is that
Posted in Privacy
November 5, 2024
Tracking pixels are HTML code snippets that are loaded when someone visits a website. They are used for tracking user behaviour. Advertisers can use this data for online marketing and web analysis. In the latest of a surge of guidance documents, the Office of the Australian Information Commissioner (“OAIC”) has published guidance on tracking pixels.
Given the increased powers proposed in the Privacy and Other Amendments Bill 2024 organisations covered by the Privacy Act 1988 need to consider their use of tracking pixels before the amendments come into force.
The media release provides:
The Office of the Australian Information Commissioner (OAIC) has released guidance for private sector organisations to ensure they meet their obligations under the Australian Privacy Act when using third-party tracking pixels on their website.
Publication of the guidance responds to industry demand for greater detail on the application of the Privacy Act to tracking technologies, as well as interest in the topic across government, media and the community.
Many social media companies and other digital platforms offer tracking pixels. A tracking pixel is a piece of code generated by a third-party provider that can be placed on an organisation’s website to collect information about a user’s activity. When a user visits a webpage with a tracking pixel, the pixel loads and sends certain types of data to the server of the third-party provider.
Pixels are one of many tracking tools, including cookies, that permit granular user surveillance across the internet and social media platforms. They can be important to business for analysis, advertising and measurement of return on investment.
“However, many of these tracking tools are harmful, invasive and corrosive of online privacy,” Australian Privacy Commissioner Carly Kind said.
“This is a real concern in the community with our Australian Community Attitudes to Privacy Survey 2023 finding that 69% of adults did not think it fair and reasonable that their personal information was used for online tracking, profiling and targeted advertising, with that rising to 89% when material was targeted at children.”
The guidance makes clear that it is the responsibility of the organisation seeking to deploy a third-party tracking pixel on their website to ensure it is configured and used in a way that is compliant with the Privacy Act.
Before deploying a third-party pixel, organisations should ensure they understand how the product works, identify the potential privacy risks involved and implement measures to mitigate those risks, and not adopt a ‘set and forget’ approach.
Failing to conduct appropriate due diligence can create a range of privacy compliance and other legal risks.
Consistent with the OAIC’s recent guidance on the use of generative AI products, the OAIC is seeking to expand its range of guidance for organisations so that they can continue to grow their businesses while meeting privacy obligations in a way that builds community trust.
The guidance
Posted in Commonwealth Privacy Commissioner, Privacy
November 1, 2024
It is annual report season for Government agencies and authorities. And that includes that of the Office of the Australian Information Commissioner. Yesterday the Commissioner released its 194 page Annual Report for 2023–24.
Given the significant amendments to the Privacy Act 1988 it is better to look forward to how the Privacy Commissioner approaches her responsibilities with newfound powers rather than poring over the activities of the Privacy Commissioner over the past year. On that note the work rate improved but it remained a timid regulator by any measure. Which is a pity given the Information Commissioner’s remuneration was $576,174 and Deputy Commissioner Elizabeth Hampton was $380,091. The relatively newly appointed Privacy Commissioner, Carly Kind, is on $109,239.
In relation to privacy complaints the Commissioner stated:
Privacy has been very much in the spotlight, with the continuing incidence of major data breaches. In 2023–24, we received 13% more notifications under the Notifiable Data Breaches (NDB) scheme than the year prior, when there was a 4% increase. We lifted our response rate, closing 84% of notifications within 60 days (compared to 77% last reporting year). In the 2022–23 financial year we received a 34% increase in privacy complaints. This year, complaints have remained relatively high, with a slight decrease of 5% year on year. We successfully responded to this high demand, finalising 20% more privacy complaints (3,104 in total), building on last year’s increase of 17% (2,576 finalised in total).
We continued our focus on clearing longer-standing, generally more complex and resource-intensive complaints, finalising 84% (271) of the 322 matters that were over 12 months old as at June 2023. At the same time, more recent complaints increased in age over the reporting period. The volume of complaints, combined with the focus on the longest-standing, meant that by the year’s end there was an overall increase in matters older than 12 months to 729. The OAIC will continue to focus on aging cases through process efficiencies and the strategic application of resources.
What is quite unusual is that
Posted in Commonwealth Privacy Commissioner, Legal, Privacy