The collection of vast amounts of data fuels any number of programs from basic analytics to facial recognition and AI. Not surprisingly then that Tools for Humanity, a company co founded by Sam Altman the CEO of OpenAI is collecting iris data. For money. This has quite legitimately attracted the ire of the Brazliian National Data Protection Authority which has reportedly moved to ban the practice.

The article provides:

Brazil bans iris scan company co-founded by Sam Altman from paying citizens for biometric data

Brazilian data privacy regulators say they are prohibiting Tools for Humanity (TFH), a biometric identity company co-founded by OpenAI CEO Sam Altman, from paying citizens for iris scans. Read the rest of this entry »

The United States has quite an effective child privacy protection law, the Children’s Online Privacy Act. It also has a very sophisticated data broking and analytic industry. And some businesses have no problem in collecting data on children to assist in marketing products and services. The Federal Trade Commission has announced changes to Children’s Online Privacy Protection Rule which sets new requirements about the collection, use and disclosure of childrens’ personal information, requires parents to opt in to the third party advertising and places limits on data retention.

The United States and the European Union are far ahead of Australia when it comes to dedicated privacy protection. The E Safety Commissioner provides some regulatory assistance but it is not focused enough on privacy. In the amendments to the Privacy Act 1988, the Privacy and Other Legislation Amendment Bill 2024, passed late November last year the Commissioner will develop a a Children’s Online Privacy Code to better protect children from a range of online harms. That Code will take effect in 2 years.

The media release from the FTC provides:

The Federal Trade Commission finalized changes to the Children’s Online Privacy Protection Rule to set new requirements around the collection, use and disclosure of children’s personal information and give parents new tools and protections to help them control what data is provided to third parties about their children.

The final rule requires parents to opt in to third-party advertising and includes other changes to address the emerging ways that consumers’ data is collected and used by companies, and particularly how children’s data is being shared and monetized. Read the rest of this entry »

Chris Merritt is a good journalist and has ably edited the Legal Affairs section of the Australian. But he has bug bears which defy logic and fact. One of them is a statutory tort of privacy. The Australian has always had a set against the tort, primarily because of fears that it would interfere with the practice of journalism. Given the exemption which precludes a claim from being brought against journalists this is no longer a thing for the Australian. That of course does not stop Merritt from having a major rant against the statutory tort in last week’s Business to pay the price for new privacy tort. It is quite surprising that the Australian has been so slow to start its complaint about the statutory tort.  In the past it campaigned a long time before any tort was even proposed.  Here the complaint is made after the fact.

Now Merritt’s complaint is that businesses will be bankrupted for being vicariously liable for the breaches of privacy

The focus of the article is on the possible impact on businesses.  The reliance is on the submissions by the Business Council of Australia and the Australian Industry Group to the Senate Committee reviewing the Bill.  The BCA and the AIG have always been hostile to any form of actionable right to privacy.  Their submissions to this heavily circumscribed statutory right have followed that line.  They were not particularly analytical submissions and had a heavy dose of Henny Penny “the sky is falling” hypotheticals.  One hypothetical is how this tort will impact insurance premiums in the future.  Merritt draws a very long bow in drawing a comparison of the impact of the tort with the insurance disruption following the collapse of HIH.  That a similar result is in the offing.  Given the general damages award is capped this is quite a stretch.  It is quite an illogical analysis because given the tort requires an intentional or reckless act it is not proper to compare those claims, in the future, with claims of a sort and awards of the quantum associated with personal injury and medical negligence. The statutory tort provisions makes no comment on vicarious liability so the principle applies.  But so what?  The situations where that happens will be quite limited.  But if a person uses company resources to interfere with someone’s privacy then a company may be called to account if it is done in the course of company business and not inconsistent with its activities.

It is a quite a poor article but does highlight the continuing, largely ideological, fighting retreat by some areas of the media to a statutory tort.

The article provides:

Unfortunately, that’s exactly what federal parliament did on November 29 when it approved a new statutory tort for serious invasions of privacy.

Despite warnings from peak industry groups, parliament did nothing to stop innocent employers being held vicariously liable for invasions of privacy committed by employees who break corporate rules.

Everyone should be accountable for their misdeeds – but not the wrongs committed by others. ?Yet that is a key feature of the new privacy tort sitting on the federal statute book, just waiting for enterprising lawyers to give it a run when it comes into force in June.

In October, the Business Council of Australia warned about the potential unfairness of holding employers vicariously liable for the wrongful actions of their employees – particularly if companies have taken all reasonable steps to prevent staff from invading anyone’s privacy. Read the rest of this entry »

With the end of 2024 there has been a compiling of data breaches in 2024. It makes for sombre reading. According to Proven Data the biggest data breaches in the United States were:

National Public Data breach.

• Records compromised: 2.7-3 billion
• Scope: Affected individuals in the United States, Canada, and the United Kingdom
• Key details: Included social security numbers, names, addresses, and other personal information

Ticketmaster data breach

• Records compromised: 560 million
• Key details: Exposed personal and financial information, including names, email addresses, phone numbers, and payment details

Change Healthcare ransomware attack

• Records compromised: Approximately 145 million
• Scope: Potentially affecting one-third of Americans
• Key details: Exposed personal, medical, and billing information through a ransomware attack

AT&T data breach

• Records compromised: 73 million
• Key details: Exposed customer data, including Social Security numbers, account numbers, and passcodes

Snowflake Cloud data breaches

• Total records: Over 165 customer environments were compromised
• Notable victims:
  • Ticketmaster: Up to 560 million customer records exposed
  • Santander Bank: 30 million customer records compromised
  • AT&T: Call and text records spanning multiple months
  • Advance Auto Parts: Over 2.3 million individuals were affected, with sensitive job application data exposed

In December alone the significant data breaches were:

1. SRP Federal Credit Union Breach

On December 19, SRP Federal Credit Union disclosed Read the rest of this entry »