UK Data (Use and Access) Act 2025 Commencement No.1 Regulations published

July 26, 2025

Data protection laws are undergoing some refining in the UK with the Data (Use and Access) Act 2025 (DUAA). The DUAA received Royal Assent on June 19, 2025. On July 21, 2025, the Data (Use and Access) Act 2025 (Commencement No. 1) Regulations 2025 were published. The DUAA reforms how the UK manages non-personal and personal data. The DUAA amends, but does not replace, the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018 (DPA) and the Privacy and Electronic Communications Regulations (PECR). The aim is to change data protection laws in order to promote innovation and economic growth and make things easier for organisations, whilst still protecting people and their rights.

The UK legislation is significantly more prescriptive than the Privacy Act 1988.  That is not surprising given it was based on the GDPR.  It is also structured very differently. It is useful to be aware of changes to UK legislation as Australian legislation can be influenced by the UK legislation over time.

The Long title to the Bill states:

A bill to make provision about access to customer data and business data; to make provision about services consisting of the use of information to ascertain and verify facts about individuals; to make provision about the recording and sharing, and keeping of registers, of information relating to apparatus in streets; to make provision about the keeping and maintenance of registers of births and deaths; to make provision for the regulation of the processing of information relating to identified or identifiable living individuals; to make provision about privacy and electronic communications; to establish the Information Commission; to make provision about information standards for health and social care; to make provision about the grant of smart meter communication licences; to make provision about the disclosure of information to improve public service delivery; to make provision about the retention of information by providers of internet services in connection with investigations into child deaths; to make provision about providing information for purposes related to the carrying out of independent research into online safety matters; to make provision about the retention of biometric data; to make provision about services for the provision of electronic signatures, electronic seals and other trust services; to make provision about the creation and solicitation of purported intimate images and for connected purposes.

The Government states Read the rest of this entry »

UK Information Commissioner’s Office releases strategy for use of AI and biometrics

July 24, 2025

The UK Information Commissioner has responded to the growing concern about the development and use of AI and biometrics and their impact on privacy. He has released an AI and biometrics strategy.

The strategy, Read the rest of this entry »

Mercer Super suffers an analog data breach via theft from Australia Post GPO in Melbourne.

Data breaches, at least the ones reported, are invariably the result of a cyber attack or phishing. The analog variety are much less common than they were a few decades ago, when I started practising privacy law. Back then data breaches commonly involved records stored in filing cabinets offered for sale or disposal, documents left in the street for recycling, folders of documents taken by disgruntled employees or files left in cars. There were some digital records stolen but that was usually laptops left in or stolen from places. It was much too hard to exfiltrate masses of data over telephone lines and many records were not online. That is not to say that analog data breaches don’t occur today. I receive calls about paper customer lists taken from companies or mail taken from letter boxes. But the data breach suffered by Mercer Super is very unusual. Mail posted to Mercer and collated and placed in its GPO Box at Australia Post Melbourne GPO was targeted by thieves who broke into the GPO. Four times! It is reported by the ABC in Mercer Super reports security breach after Australia Post Melbourne GPO mail theft. Official correspondence and forms completed by clients to Mercer would contain a considerable amount of personal information, not to mention details of customer accounts. That can be used for identity theft but also for trying to access super accounts, which contain considerable sums of money, as we have seen from recent cyber attacks on Australian superannuation funds.

Theft of mail used to be a very lucrative target for criminals.  Cash, cheques, money orders and securities were transported via mail.  The Great Train Robbery of 1963 involved the theft of £2.61 million from the Royal Mail train on the Glasgow to London run. That haul is worth 62 million pounds today.  Private security vans took over from mail vans and trains and now money is transferred digitally.  

Australia Post has issued a media release in which it says the break-ins occurred within the mezzanine area of the Melbourne GPO Box Room in Bourke Street between 6 and 17 July 2025. The thieves were after letters, not parcels, which are tracked. It has been reported by the AFR with Post office burglaries spark super fund security alert, Super fund’s warning to customers after post office break-in, and Sky’s Major super fund issues alert to customers after mail stolen from Australia Post Melbourne GPO in string of break-ins.

Even though the cause of the data breach cannot be blamed on Mercer Super it is important for it to have a viable and effective data breach response plan. Given the spate of recent attacks on super funds one would have thought it had such a plan. The question of determining whose personal information has been stolen may be complicated. Complicated but possible. Mercer would have a register of mail sent and have a reasonable idea of correspondence it is expecting, such as expected completed forms. But it would necessarily be Read the rest of this entry »

Court records reveal details of communication between hackers and Qantas.

In large data breach incidents affected organisations find controlling the information flow is difficult. For starters, hackers post notices proclaiming their “achievements”. That is why a more open and transparent approach is best. Advise customers/clients/patients what has happened and provide as much information as can safely be given. It is when companies shut down communication or are obtuse, deliberately or otherwise, that problems arise. There are often internal leaks from disgruntled staff. There is often the appearance that there is something to hide. That gets the media interested. And sooner or later more information is found. Qantas’ poor communications after the data breach and generally average response are more about having no coherent data breach response plan and no real idea about how to communicate. It has become an art overseas.

What has come to light is further information about communications between Qantas and the hackers. Qantas provided notification of the data breach on 2 July. On 4 July it provided an update saying it had not been contacted by anyone. Sure enough, later that day the hackers sent Qantas 4 emails setting out the scope of the data breach. Qantas’ notices make no reference to any of that until 7 July, after receiving multiple emails from the hackers. Qantas did not respond to them so the hackers emailed again on 7 July. Only then did Qantas respond. Then there was an exchange, with Qantas sending 11 emails. The emails are heavily redacted but little imagination is required to guess at what the hackers wanted to “resolve” the situation. Cyberdaily sets out the tortured process in Qantas hack: Court documents reveal scope of communications between hackers and the Flying Kangaroo. It is more common than one would think for companies to ignore communications from hackers, not appreciate that they are being contacted or, in some situations, not check their emails. Hackers will Read the rest of this entry »

Genea finally provides some information to patients whose data was stolen in a data breach in February 2025... it seems to be something of a debacle

July 23, 2025

In February 2025 Genea, a large IVF clinic, suffered a significant data breach involving the theft of its patients’ personal information. I posted on the breach on 19 February 2025. I was unimpressed by the non-informative statement regarding the breach. I also posted on Genea’s later activity, including obtaining injunctive relief on 27 February 2025. On each of 4 and 10 March 2025 Genea provided an update, of sorts. On 4 March 2025 it confirmed that additional stolen data was published on the dark web, which was part of the original theft, and that it was “working to understand precisely what data [sic] has been published” and notifying affected patients and staff etc. It also put in the usual boilerplate about working with the Information Commissioner, the AFP, the National Cyber Security Coordinator and the ACSC. The 10 March update was lengthier though not much more informative. Genea was still “undertaking a full assessment of the incident” but provided recommendations regarding possible phishing or attempts at identity theft. It also referred to the injunction it obtained and provided a link to the orders made (which is something rarely done). This injunction followed the same approach taken by HWL Ebsworth in obtaining injunctive relief in HWL Ebsworth Lawyers v Persons Unknown [2024] NSWSC 71. In March 2023 the UK High Court also granted injunctive relief against person(s) unknown in Armstrong Watson LLP v Person(s) Unknown [2023] EWHC 762.

The latest update was on 3 July 2025 where Genea announced that it has concluded its investigation and that it is “starting to communicate directly with individuals”. Beyond stating that it has engaged IdCare the balance of the announcement is a reworking of earlier announcements.  

Today news.com.au published IVF giant Genea reveals dark web data breach impacting thousands where patients and former patients claim the first time they were contacted about the data breach was last week, Friday late to be precise. The ABC also covers the story with Genea IVF confirms sensitive patient health information on dark web.

Genea has refused to provide any detail on the size of the data breach, or how many patients’ or former patients’ personal information was affected. That is quite unusual but consistent with the minimalist approach Genea has adopted. It is a mistake. It has also refused to advise whether it has paid a ransom. That is less unusual if it is the case. Very few organisations admit to paying ransoms. They are not illegal payments, though failing to report them to the Government is, as from 30 May 2025, now illegal.

On the page where Genea provides updates on the cyber breach there is a pop-up page which is titled “unlock your on-demand fertility webinar library” with the statement “From basics to advanced treatments, get free complete access to our webinar library from leading specialists nationwide.” There is a tab to click on to “register here.” It is unintentionally amusing. To some it might be seen to be in poor taste, whether intentionally or not.

Overall Genea has handled the data breach poorly. The announcements have been more about form than substance. It took 3 weeks from discovery of the data breach to advise that there had been such a breach. It then spent 5 months putting itself into a position to advise people affected what personal information was stolen. That is an unaccountably and unreasonably long amount of time. BCI has focused on this in its article Why communication is as critical as cybersecurity: Genea breach. The article provides a brief, accurate summary of where Genea has gone so terribly wrong in the handling of this data breach and why it is fundamental to have a coherent and transparent communications strategy. It should be mandatory reading. While communication may not mitigate or vitiate liability it will build some goodwill with those whose data has been stolen. That may reduce the numbers who want compensation. More importantly, vague and confusing or even duplicitous communication will enrage people and make it likelier they will sue.

Given Read the rest of this entry »

Qantas admits to using AI to generate emails to hack victims. An interesting, if fraught, decision

July 22, 2025

The use of AI is becoming ubiquitous. Its impact seems to be the subject of endless articles (mostly not drafted with the assistance of AI) either predicting a rosy future or a dystopian nightmare. This week’s Economist article To survive the AI age, the web needs a new business model is sober but not hair-pullingly negative about AI. It is disruptive, which is a good thing. But just because it is there does not mean it should be used. Case in point: reports of Qantas using AI to send emails to victims. Smart Company’s Qantas using AI for email to hack victims a “risky move” highlights the potential problems. The initial problem is what sort of message it sends to customers to send them emails generated by ChatGPT, or at least assisted by it. And some AI use can be discerned by the mix of loquacious and clunky prose. And Qantas has confirmed use of AI, so it is public knowledge.

There is a skill in drafting letters to clients/patients/shareholders/whoever relating to data breaches. It has developed in the United States to quite a high level because they have had to deal with significant data breaches over a longer time period and have had obligations and liabilities to deal with which have not reached Australian shores until relatively recently. They also tend to be very sensitive to reputational damage, something some Australian companies are less concerned with, given their poor responses to data breaches. Australian companies are very resistant to taking on board the hard-earned lessons of their US cousins. They tend to use PR firms whose approach is to churn out media releases and letters full of boilerplate platitudes which make for a wordy, vague and overlong document saying very little. That is regarded as a smart play. It almost always continues the controversy.

The Smart Money article Read the rest of this entry »

A weak password ends a 158 year old company

KNP, a Northamptonshire transport company, has closed because a hacker was able to guess a password. That entry gave access throughout the company’s computer system, allowing the hacker to encrypt its data and lock its internal systems. The story is reported by the BBC in Weak password allowed hackers to sink a 158-year-old company. Hackers successfully guessing passwords is something of a throwback to an earlier era. Hackers typically don’t try to work out a moderately strong password (eg 8 characters, with an uppercase letter, a number and a symbol) because that would require an inordinate amount of time and would likely alert the company. Hackers can guess an easy password by running through the usual default simple and foolish passwords (QWERTY, 12345, password) or a default of a person’s name or the name spelt backwards. Those sorts of passwords still exist, particularly in organisations without password programs which require a certain password strength. The other aspect of the breach is that once in, the hackers had untrammeled access to the data and were able to lock the internal systems. This suggests that beyond the external cyber defence (the wall, to put it another way) there was nothing. No siloing of data, no programs to detect unusual activity and no authorisation controls on access to certain parts of the computer system. And likely no external backup, nor programs to block ransomware. The consequences are significant: 700 people have lost their jobs.
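The post describes the kind of password program that would have rejected the guessed password: a minimum length with mixed character classes, plus a refusal of the usual defaults and of a person's name or its reverse. As an added example (not code from the post, the BBC report or KNP), here is a small policy check implementing those rules. The `COMMON_PASSWORDS` blocklist is a constructed stand-in for the breached-password lists a real deployment would use, and the `check_password`/`is_acceptable` names are this example's own.

```python
import re

# Constructed sample blocklist of the "usual default simple and foolish
# passwords" the post mentions. A real deployment would check against a
# breached-password list instead (assumption made for this example).
COMMON_PASSWORDS = {"qwerty", "12345", "123456", "password", "letmein", "admin"}


def name_variants(name):
    """Lower-case forms of a person's name the post warns about: the whole
    name, its reverse, and each word of it forwards and backwards."""
    if not name:
        return set()
    n = name.lower().strip()
    variants = {n, n[::-1]}
    for part in n.split():
        variants.add(part)
        variants.add(part[::-1])
    # Ignore initials and two-letter fragments that would match almost anything.
    return {v for v in variants if len(v) >= 3}


def normalise(password):
    """Strip punctuation and trailing digits so that padded variants such as
    'Password1!' are still recognised as the default 'password'."""
    p = re.sub(r"[^a-z0-9]", "", password.lower())
    return p.rstrip("0123456789")


def check_password(password, user_name=None, min_length=8):
    """Return the list of policy violations; an empty list means the password passes.

    The rules mirror the post's description of a moderately strong password
    (at least 8 characters with an uppercase letter, a digit and a symbol)
    and its list of weak choices (common defaults, a name or its reverse)."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if not re.search(r"[A-Z]", password):
        problems.append("no uppercase letter")
    if not re.search(r"[0-9]", password):
        problems.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no symbol")
    if password.lower() in COMMON_PASSWORDS or normalise(password) in COMMON_PASSWORDS:
        problems.append("common default password")
    lowered = password.lower()
    for variant in name_variants(user_name):
        if variant in lowered:
            problems.append("contains user's name or its reverse")
            break
    return problems


def is_acceptable(password, user_name=None):
    """Convenience wrapper: True only when no rule is violated."""
    return not check_password(password, user_name)


if __name__ == "__main__":
    # Constructed sample inputs: the post's examples and a name-based guess.
    for pw, user in [("QWERTY", None), ("Password1!", "Bob"),
                     ("Ecila2024!", "Alice Smith"), ("Tr0ub4dor&Cheval", "Alice Smith")]:
        print(pw, "->", check_password(pw, user) or "ok")
```

A check like this only covers the first of the controls the post lists; it does nothing about segmentation, anomaly detection or offline backups, which is why the post treats the weak password as the entry point rather than the whole failure.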

The article Read the rest of this entry »

Service of court orders on cyber hackers by Qantas

July 21, 2025

Service of court orders is invariably necessary to permit action for contempt for a breach of those orders. In cases of injunctive relief the Court commonly requires service of those orders. It becomes more difficult when the subjects of those orders inhabit the dark web, have no representatives to accept service of those orders and can easily disappear. Welcome to the world of service on cyber hackers. Non-publication orders against cyber hackers are a relatively recent phenomenon, as is the method of service.

Qantas served the non-publication orders made by Justice Kunc of the New South Wales Supreme Court via Tox. According to affidavit material filed by Qantas the documents containing the orders were sent last Thursday and a return email was received 3 hours later. What is not clear is how the order has been brought to the attention of those who may not be the cyber criminals but come upon this information. That may be attended to by specific exemptions to the orders. It is not known. In crafting orders it is important to make them sufficiently focused so as to avoid unwelcome consequences, such as a victim of the cyber breach being in contempt because he or she found his or her information on the dark web or elsewhere.

The Australian has covered this story in How Qantas served papers on cyber criminals over hack attack on customer database. What seems to be clear is that the cyber hackers are based outside Australia. That is a perennial problem and one that does not Read the rest of this entry »

European Union Agency for Cybersecurity (ENISA) releases its report into telecom security incidents in 2024. A 20.5% increase over 2023

ENISA releases annual reports of security incidents every year. This year it reported 188 incidents submitted by national authorities from 26 EU Member States and two European Free Trade Association (EFTA) countries. This is an increase of 20.5% over 2023, which had 156 incidents from 26 EU Member States and one EFTA country. That said, there was a reduction in user hours lost, according to the press release.

According to the Read the rest of this entry »

Kate Aston video intrusion and Nathalie Matthews’ videos of intimate nature and privacy breaches. Options. A claim under the statutory tort of serious invasion of privacy?

The case of Kate Aston being videoed walking out of a bathroom and Nathalie Matthews being concerned about intimate videos she filmed would be made public raises issues of privacy protections in each case and what each could do to protect their privacy. Particularly with the statutory tort of serious invasion of privacy coming into operation on 10 June 2025.

While both factual situations are unique they are not, in broad strokes, all that unusual in privacy law. The use of videos and cameras in a setting which should be private and which clearly causes serious distress is not unknown. Many cases, almost invariably resulting in a prosecution, involve the use of a camera/video in a toilet. But there is no hard dividing line between taking photos or videos of someone in a toilet and photographing or videoing someone with that same equipment who is leaving a toilet. The question is whether there is a reasonable expectation of privacy. In the case of someone using the toilet facilities the answer is clearly yes. In terms of someone leaving a toilet it is most likely yes. The distinction is slight. One can have a reasonable expectation of privacy in a semi-public or even public space. In 2008 the UK Court of Appeal in Murray v Big Pictures (UK) Ltd [2008] EWCA Civ 446 found that a child had a right to privacy in a public space. The Mrs Murray in that case writes under the nom de plume of JK Rowling. While the claim was brought on behalf of the Murrays’ child, the defendant’s interest was more about capturing an image of Mrs Murray with her family, child especially. While that case focused on the rights of the child, the subsequently developed principles apply to adults. It depends on the circumstances. And those circumstances do not assist someone who intentionally waits outside a toilet and uses the video to catch another on film leaving the toilet. And then posts that footage online.

According to 7 News Ms Aston has commenced legal action. Whether that is a claim in privacy, equity, defamation or any other cause of action is unknown.  

According to the Australian report of the Matthews case the concern is that intimate videos would be made public, and that motivated her to apply for a domestic violence order. The abuse of intimate videos, previously made consensually, has been the subject of two superior court decisions in Australia: the Victorian Court of Appeal decision in Giller v Procopets [2008] 24 VR 1 and the Western Australian decision of Wilson v Ferguson [2015] WASC 15, which I posted on in 2015.

Either of these cases could be run without the statutory tort of serious invasion of privacy. With that tort extant and these fact situations commencing after 10 June 2025, the tort is available to either. The strength of the case depends on all of the facts, not just the media coverage.

It is interesting to read Read the rest of this entry »