Kurraba Group Pty Ltd & Anor v Williams [2025] NSWDC 396: New South Wales Court considers statutory tort of privacy at interlocutory stage

October 27, 2025

The New South Wales District Court in Kurraba Group Pty Ltd & Anor v Williams [2025] NSWDC 396 considered issues regarding the statutory tort of serious invasion of privacy on 7 October 2025.

FACTS

The relevant parties are:

  • the defendant, Williams, is the sole director and secretary of Glexia Pty Ltd, a company that briefly leased premises the subject of a development application brought by the first plaintiff, Kurraba [2].
  • Kurraba lodged a development application with the City of Sydney to develop and establish a life science hub in the vicinity of 100 Botany Road Alexandria [10].
  • Botany Road development Pty Ltd as trustee for the Botany Road development trust (“BRD”) is the owner of the real property to be developed and is also the company responsible for the development.
  • the second plaintiff, Smith, is the sole director and shareholder of BRD [10].

Kurraba publicly announced its intention to lodge the development application on or about 19 and 20 June 2024 [11]. At about that time a property in Wyndham Street was advertised for short-term rental. BRD exercised an option to purchase the Wyndham Street property. Williams called the real estate agent and said words to the effect that he was interested in leasing the property and was told it was to be sold and knocked down for development [12].

On 26 June 2024 Glexia Pty Ltd entered into a commercial lease for a period of six months commencing on 1 July 2024. Significantly, Williams did in fact vacate the premises on or around 1 January 2025 [12].

The first interaction between the plaintiffs and Williams occurred when Williams texted Smith stating [13]:

“Dear Kurraba Group,

Your development at 100 Botany Road (SD-63067458 /D/2024/937) intends to cause considerable disruption to my business and likely violates numerous laws, regulations, rules, and policy documents.

We intend to oppose the development first by submitting it to the State of New South Wales and the City of Sydney Local Government Area and, if still approved, the Land Environment Court and/or Supreme Court.

I write to establish communications before formal opposition proceedings and litigation to see if there might be a way to resolve these issues amicably, saving us both the immense cost and time of such proceedings.

We have begun retaining experts to develop a more comprehensive opposition package and to impact the various reports you have submitted as part of your package.

I have attached our preliminary submissions, which will be submitted to the State of New South Wales and the City of Sydney on 29 November 2024 unless we reach some agreement to mitigate the impacts on our business.

Regards,

Michael Williams”

On 11 November 2024,  Williams and  Smith had a meeting. Mr Smith states that Read the rest of this entry »

American Express is found to have major data flaws after an investigation by the Privacy Commissioner

October 17, 2025

One thing that is almost a given in data privacy law is that if the regulator starts investigating a discrete problem or data breach it will end up reviewing the entire entity’s operation and find problems worse than what it started looking at. Often the original problem ends up being a small fraction of the entity’s problem. And so it goes with American Express, where the Privacy Commissioner found systemic failures with American Express’s security controls, potentially exposing more than a million cardholders to privacy breaches. The initial complaint related to a customer complaining about a staff member spying on his personal financial information. It is reported in the Age story ‘Sensitive personal information’: Leaked report reveals American Express security failures. What is unusual and reflects poorly on American Express is that two years ago the Age reported that the Australian Financial Complaints Authority found American Express had breached privacy laws when its employee accessed the complainant’s accounts on at least nine occasions without consent. Ironically the Privacy Commissioner’s interim report was itself leaked, to the Age. That is quite unusual and is unlikely to impress the regulator or American Express.

Based on the article it appears that American Express does not track employee access to customer accounts across 78 per cent of its systems. This is a classic exposure to “insider threat” risks. It is surprising that American Express did not have the technology to restrict staff access to certain customer accounts. It cites operational complexity as a reason for not implementing those controls. This is of course nonsensical. Banks have long had such technology. Rogue or even just foolishly inquisitive employees who access accounts not related to their job are summarily dismissed as a matter of rigid practice. American Express relied on internal policies and staff training to prevent misconduct. That should be part of the process but not the end of it. What was particularly disturbing is that staff with basic privileges based in Australia and overseas had “full and unfettered access” to the private information of Australian customers, which includes celebrities, politicians, politically exposed individuals and vulnerable people. This is quite extraordinary for a company of American Express’s size and profile, especially as it had an internal data breach revealed two years ago. Unfortunately this level of complacency is all too common: many other entities give employees broad and sometimes unfettered access to personal information even where they have no need to access that data. Often companies do not log access, so internal threats can’t be identified.
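To show why access logging matters for the insider threat described above, here is an added Python example (not American Express’s tooling or code from the original post): it parses a constructed access log in which each entry carries a service ticket or “-”, and flags unticketed access by ordinary staff and repeated unticketed access to the same account. The log format, the privileged-staff roster and the repeat threshold are assumptions.

```python
"""Flagging staff access to customer accounts that has no service justification.

Added example, not part of the original post and not American Express's own
tooling. The log format (timestamp, staff id, account, service ticket or '-'),
the privileged-staff roster and the repeat threshold are assumptions; the log
lines below are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample log: one access per line.
SAMPLE_LOG = """\
2025-09-01T09:02:11Z s1001 acct-55501 T-88213
2025-09-01T09:40:07Z s1001 acct-55502 T-88219
2025-09-01T10:15:52Z s2040 acct-90001 -
2025-09-02T08:11:03Z s2040 acct-90001 -
2025-09-02T12:45:30Z s2040 acct-90001 -
2025-09-03T16:09:44Z s2040 acct-90001 T-88301
2025-09-03T16:10:02Z s1001 acct-90001 -
2025-09-03T17:00:00Z s3000 acct-90001 -
"""

# Assumed roster of roles allowed to open accounts without a ticket (e.g. fraud investigators).
PRIVILEGED_STAFF = {"s3000"}


@dataclass(frozen=True)
class AccessEvent:
    ts: str
    staff: str
    account: str
    ticket: Optional[str]  # None when the access was not tied to a customer interaction


def parse_log(text: str) -> List[AccessEvent]:
    """Parse the whitespace-separated log; '-' in the ticket column means no ticket."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, staff, account, ticket = line.split()
        events.append(AccessEvent(ts, staff, account, None if ticket == "-" else ticket))
    return events


def find_unjustified_access(events: List[AccessEvent],
                            repeat_threshold: int = 3) -> List[Tuple]:
    """Two detections: any unticketed access by non-privileged staff, and the same
    staff member repeatedly opening the same account without a ticket."""
    findings: List[Tuple] = []
    unticketed: Dict[Tuple[str, str], List[str]] = defaultdict(list)
    for e in events:
        if e.ticket is None and e.staff not in PRIVILEGED_STAFF:
            findings.append(("no_ticket", e.staff, e.account, e.ts))
            unticketed[(e.staff, e.account)].append(e.ts)
    for (staff, account), times in unticketed.items():
        if len(times) >= repeat_threshold:
            findings.append(("repeated_unticketed", staff, account, len(times)))
    return findings


if __name__ == "__main__":
    for finding in find_unjustified_access(parse_log(SAMPLE_LOG)):
        print(finding)
```

Without the ticket column (or without the log at all, as on the 78 per cent of systems the report describes) neither detection is possible, which is the point the article makes.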

It is interesting to see American Express adopt Read the rest of this entry »

Privacy Commissioner issues new guidance to Social Media Platforms regarding age limits

October 16, 2025

As 10 December approaches the regulators are releasing guidance. Last month the eSafety Commissioner issued its guidance. Last Friday the Privacy Commissioner issued a statement and guidance. As the guidance makes clear, more is expected of entities in handling and, importantly, destroying data. Part 4A of the Online Safety Act 2021 sets out quite detailed obligations upon social media platforms. For social media entities this will require a very thorough audit of data collection and use practices.

The Statement provides:

The Office of the Australian Information Commissioner (OAIC) has published regulatory guidance for age-restricted social media platforms and age assurance providers on compliance with the privacy provisions for the Social Media Minimum Age (SMMA) scheme, due to take effect on 10 December.

Privacy Commissioner Carly Kind said that the guidance reflects the stringent legal obligations on entities to ensure that age assurance is applied proportionately and through privacy-respecting approaches.

“Today we’re putting age-restricted social media platforms on notice,” Ms Kind said. “The OAIC is here to guard and uplift the privacy protections of all Australians by ensuring that the age assurance methods used by age-restricted social media platforms and age assurance providers are lawful.”

The OAIC co-regulates SMMA alongside eSafety. Last month, eSafety published their regulatory guidance detailing what ‘reasonable steps’ age-restricted social media platforms must take to prevent age-restricted users from having accounts, including guiding principles for the implementation of age assurance to meet SMMA obligations.

The OAIC’s guidance published today provides information for age-restricted social media platforms and third-party age assurance providers on handling personal information for age assurance purposes in the SMMA context.

“The OAIC is committed to ensuring the successful rollout of the SMMA regime by robustly applying and regulating the privacy rules contained in the legislation, in order to reassure the Australian community that their privacy is protected,” said Privacy Commissioner Carly Kind.

“eSafety has provided the rules of the game with their ‘reasonable steps.’ Now the OAIC is setting out what is out-of-bounds when it comes to the handling of personal information for age assurance in the social media minimum age context.

“Together, eSafety and the OAIC’s regulatory guidance outlines the field of play for age-restricted social media platforms and third-party age assurance providers.

“SMMA is not a blank cheque to use personal or sensitive information in all circumstances; we’ll be actively monitoring platforms to ensure they stay within the bounds by deploying age assurance proportionately and lawfully.”

Key considerations detailed in the guidance call on entities to:

    • note the additional privacy obligations in the SMMA scheme operate alongside the Privacy Act 1988 and the Australian Privacy Principles.
    • choose age-assurance methods that are necessary and proportionate, and assess the privacy impacts associated with each method.
    • minimise the inclusion of personal and sensitive information in age assurance processes.
    • note pre-existing personal information later used for SMMA purposes does not need to be destroyed where the original purposes are ongoing.
    • destroy personal information collected for SMMA purposes once purposes are met.
    • make sure that any further use of personal information collected for SMMA purposes is strictly optional, has the user’s unambiguous consent and can be easily withdrawn.
    • be transparent about the handling of personal information for SMMA purposes in privacy notices and at the moments it matters.

Together, these privacy safeguards impose stringent legal obligations on age-restricted social media platforms and age assurance providers. Failure to meet these obligations may constitute ‘an interference with the privacy of an individual’ and may trigger enforcement action.

Further OAIC resources will be released soon to help Australians understand what personal information may be handled through age assurance methods, as well as educational resources for children and families to help them navigate the changes and support conversations about children’s privacy online.

For more information and to view the guidance, visit: www.oaic.gov.au/privacy/privacy-legislation/related-legislation/social-media-minimum-age

Background

The OAIC co-regulates the Social Media Minimum Age Scheme with eSafety. Specifically, the OAIC oversees the compliance and enforcement of the privacy provisions set out in Section 63F of Part 4A of the Online Safety Act 2021, which operate in tandem with the Privacy Act 1988.

Key aspects of the guidance are:

  1. Purpose Limitation – section 63F(1). Entities that hold personal information collected for, or including, SMMA purposes must not use or disclose that information for any other purpose. There are limited exceptions under APP 6.2(b)–(e) which permit use or disclosure, or where the individual gives voluntary, informed, current, specific and unambiguous consent under section 63F(2). This standard goes beyond the general APP 6 framework. The inclusion of “unambiguous” as an element of consent precludes the use of pre-selected settings or opt-outs when seeking consent. Reuse of the information is therefore prohibited unless clearly authorised or in the exceptional circumstances set out in APP 6.2(b)–(e).
  2. Information Destruction – section 63F(3). Once personal information collected for SMMA purposes has been used or disclosed for those purposes, it must be destroyed. De-identification is not permitted. The destruction must happen as soon as all SMMA purposes are met. This obligation is stricter than APP 11.2, which permits de-identification or retention for ancillary business needs. Pre-existing data used to support age assurance remains governed by APP 11.2.
  3. Enforcement. The Privacy Commissioner has the power to investigate and take action for breaches, as a breach of section 63F constitutes an “interference with the privacy of an individual” under the Privacy Act. Those actions include investigating, making determinations, and requiring remediation or compensation. Individuals may also lodge complaints directly with the Privacy Commissioner.
  4. Part 4A does not replace the APPs. It is an overlay of stricter duties in addition to the existing APPs. The APPs still apply in their entirety.

Under the guidance, platforms cannot retain information “just in case” it is useful later. The OAIC can investigate and enforce directly, even against entities not previously regulated, such as small technology providers or overseas processors.

The OAIC expects age assurance solutions to be privacy by design, backed by an early-stage Privacy Impact Assessment (PIA) that examines proportionality, necessity and data minimisation. That may be a new concept for some entities. In establishing the processes and procedures the least privacy-invasive method should be used. It should be tested through a PIA before deployment.

The OAIC recommends establishing a “ring-fenced SMMA environment” — a segregated technical and data structure where age assurance information is processed, stored and destroyed separately from other systems. Only minimal artefacts, such as a binary “16+ yes/no” result, method and timestamp, should persist. Inputs like ID scans or selfies must be deleted immediately after use.

The OAIC supports inference-based and AI-driven approaches but with clear restrictions: they must be transparent, demonstrably accurate, and not rely on continuous behavioural tracking or unnecessary sensitive data such as biometric or content analysis.

The process must be transparent. That includes:

  • just-in-time notifications at the point of data collection,
  • explaining what information is being collected, by whom, for how long, and why.
  • having privacy policies which clearly describe SMMA-specific processing and destruction practices.

Legal, product and design teams need to collaborate. Poorly designed consent or information screens — even if legally accurate — can amount to non-compliance.

Part 4A sets a higher bar for consent to secondary uses of information collected for SMMA purposes than the standard APP test. It must be:

  • voluntary,
  • informed,
  • current,
  • specific and unambiguous and
  • be able to be withdrawn.

The OAIC Guidance says that there should be:

  • no bundled or pre-ticked consents,
  • no reliance on general terms of use,
  • simple withdrawal mechanisms in dedicated privacy settings or contextually appropriate screens, and
  • consent which is purpose-specific and time-limited.
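The ring-fenced SMMA environment, the section 63F purpose-limitation and destruction rules and the consent requirements set out above, sketched as an added Python example (not the OAIC’s guidance text or any platform’s code): only a binary result, method and timestamp persist, the raw input is wiped at once, any other use needs explicit withdrawable consent, and the record is destroyed rather than de-identified once the purpose is met. The class and method names, the consent fields and the age estimator callable are assumptions.

```python
"""A ring-fenced age-assurance store modelled on the OAIC SMMA guidance.

Added example, not from the original post and not the OAIC's or any platform's
code. Names, the consent model and the estimator callable are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Callable, Dict, Optional

SMMA_PURPOSE = "smma_age_check"  # the only purpose that needs no separate consent


@dataclass(frozen=True)
class AgeArtefact:
    """The only data that persists after assurance: binary result, method, timestamp."""
    over_16: bool
    method: str
    assured_at: datetime


@dataclass
class Consent:
    """Consent to a secondary use: explicit, purpose-specific, time-limited, withdrawable."""
    purpose: str
    given_explicitly: bool          # an affirmative act, never a pre-ticked default
    expires_at: Optional[datetime]  # None means no expiry was set (assumption)
    withdrawn: bool = False


class PurposeLimitationError(Exception):
    """Raised when SMMA data would be used for a purpose that is not authorised."""


class RingFencedSmmaStore:
    """Segregated store holding nothing but artefacts and the consents attached to them."""

    def __init__(self) -> None:
        self._artefacts: Dict[str, AgeArtefact] = {}
        self._consents: Dict[str, Dict[str, Consent]] = {}

    def assure(self, user_id: str, raw_input: bytearray, method: str,
               estimator: Callable[[bytes], int]) -> AgeArtefact:
        """Run the (assumed) age estimator over an ID scan or selfie, then wipe the input."""
        estimated_age = estimator(bytes(raw_input))
        # Overwrite and release the raw input: only the artefact may persist.
        for i in range(len(raw_input)):
            raw_input[i] = 0
        raw_input.clear()
        artefact = AgeArtefact(over_16=estimated_age >= 16, method=method,
                               assured_at=datetime.now(timezone.utc))
        self._artefacts[user_id] = artefact
        return artefact

    def holds(self, user_id: str) -> bool:
        return user_id in self._artefacts

    def record_consent(self, user_id: str, consent: Consent) -> bool:
        """Accept only explicit consent; a pre-ticked or bundled default is rejected."""
        if not consent.given_explicitly:
            return False
        self._consents.setdefault(user_id, {})[consent.purpose] = consent
        return True

    def withdraw_consent(self, user_id: str, purpose: str) -> None:
        consent = self._consents.get(user_id, {}).get(purpose)
        if consent is not None:
            consent.withdrawn = True

    def can_use(self, user_id: str, purpose: str, now: Optional[datetime] = None) -> bool:
        """s 63F(1): the data serves only the SMMA purpose unless valid consent exists."""
        if not self.holds(user_id):
            return False
        if purpose == SMMA_PURPOSE:
            return True
        consent = self._consents.get(user_id, {}).get(purpose)
        if consent is None or consent.withdrawn:
            return False
        now = now or datetime.now(timezone.utc)
        return consent.expires_at is None or now < consent.expires_at

    def use(self, user_id: str, purpose: str, now: Optional[datetime] = None) -> AgeArtefact:
        if not self.can_use(user_id, purpose, now):
            raise PurposeLimitationError(f"{purpose!r} is not an authorised use for {user_id!r}")
        return self._artefacts[user_id]

    def destroy(self, user_id: str) -> None:
        """s 63F(3): destroy (not de-identify) once the SMMA purpose is met."""
        self._artefacts.pop(user_id, None)
        self._consents.pop(user_id, None)
```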

Section 63F’s destruction requirement is specific and Read the rest of this entry »

With Salesforce failing to pay the Scattered Lapsus$ Hunters ransom, 150 gigabytes of personal information stolen from Qantas has been dumped onto the dark web.

October 13, 2025

The Scattered Lapsus$ Hunters have followed through on their threat to publish data stolen from a range of targets of their Salesforce data breach. They published Qantas data on the dark web. It is reported widely, including by the Australian with Cyber expert warns release of Qantas data on dark web amounts to opening virtual Pandora’s box. It has also been covered by Nine News with Qantas to face scrutiny after personal data of 5.7 million customers released, minister says, the Guardian’s Hackers leak Qantas data containing 5 million customer records after ransom deadline passes and Australian Cyber Security Magazine’s Stolen Qantas Customer Records Surface on Dark Web, to name but a few. The Government has predictably stated it will not negotiate with cyber criminals or pay ransoms. The thing is that the Government’s data was not stolen and it isn’t the subject of any demand. Qantas has released a statement. Maurice Blackburn has made a representative complaint to the Office of the Australian Information Commissioner alleging that Qantas has breached the Privacy Act 1988 in failing to adequately protect the personal information of its customers.

Qantas has placed significant store on the permanent injunction made by the New South Wales Supreme Court. It will have some impact on media and those who may otherwise be inquisitive. Its impact on cyber criminals who may wish to use personal information for social engineering or identity theft is another matter.

While Qantas is looking forward and recounting what additional security measures have been put in place, the melancholy reality is that poor cyber security, in particular training, has put Qantas in this current predicament. The sober reality is that many companies have inadequate security and woeful training of their staff and contractors.

The Qantas statement provides:

Qantas is one of a number of companies globally that has had data released by cyber criminals following a cyber incident in early July, where customer data was stolen via a third party platform. With the help of specialist cyber security experts, we are investigating what data was part of the release.   Read the rest of this entry »

Scattered Spider, Lapsus$ and ShinyHunters combine to threaten Qantas with exposure of stolen data unless a ransom is paid by Friday

October 9, 2025

Ransomware attacks can be protracted, expensive and deeply uncomfortable affairs, as Qantas is discovering, with the collective known as Scattered Lapsus$ Hunters threatening to publish data stolen from Qantas online unless it is paid a ransom. The sum of the ransom is not disclosed. It is reported in the Australian with Cyber hackers threaten to release stolen Qantas data in ransom demand. It is also reported by the ABC with the audio story Qantas facing ransom deadline and Qantas says ‘legal protections in place’ as cyber hacking group threatens to release personal data. Qantas has gone to extraordinary lengths to get an injunction and also to obtain a non-publication order over its solicitors.

That the hackers have paid no heed to the permanent injunction is hardly a surprise. The question is whether it is more broadly effective. It may Read the rest of this entry »

The damage and danger of revenge porn and the ongoing drama of the Latham v Matthews fight

October 6, 2025

Revenge porn, the use (usually by sharing) of intimate images to harm another (often a former partner), has been a chronic problem for some time. It existed in the analog era with the distribution of photos taken with film. It existed through the use of video tape (such as in Giller v Procopets). Its misuse has exploded through digital photography and videography. The common law and equity were slow to deal with this pernicious practice. Too slow. That said, the Western Australian Supreme Court took strong action in Wilson v Ferguson. The legislatures in all states have enacted crimes relating to revenge porn. While the (stereo)typical perpetrator is a male and often an ex-partner, that is not an element of the offence. The ongoing saga between Mark Latham and his former partner Nathalie Matthews has thrown up another example of alleged revenge porn, this time with Nathalie Matthews as the accused. The Australian reports the story with Mark Latham’s former partner bailed after revenge porn charges. It is reported also by 9 News, the SMH and even the AFR, which prefers to be serious.

The underlying facts giving rise to the charges are unknown, though speculation is rife that they relate to sexual encounters in Mark Latham’s parliamentary office. He admits the encounters but denies consenting to recordings being made.

Matthews and Latham are locked in a three-day hearing over the domestic violence application made on 20 May 2025. The prosecution of these charges will proceed independently of that application; however, the prosecution will no doubt complicate matters for Matthews’ legal team.

The Australian article provides:

One-time federal Labor leader Mark Latham’s former partner, Nathalie Matthews, has been granted conditional bail after being arrested on revenge porn charges.

She was arrested at Sydney Airport on Sunday morning after arriving on an international flight from Dubai, one of the cities from which she runs her e-commerce business. Read the rest of this entry »

New South Wales Reconstruction Authority suffers significant data breach. Third party use of AI partly to blame

Artificial Intelligence is the runaway train of administration, the law and most areas which use it. Its capabilities are rarely fully understood, its dangers are not considered and most users have no idea of how it works. If the use of AI causes or contributes to the misuse of personal information, the aforementioned ignorance is no excuse for failing to comply with privacy legislation. The New South Wales Reconstruction Authority (the “Authority”) today announced that it has been the subject of a data breach. The data breach occurred from 12 to 15 March 2025 and involved names, addresses, email addresses, phone numbers and “some personal and health information.” Names and addresses are personal information. While the Authority stresses the contractor did not use authorised AI, that does not change its liability. Third party providers are a chronic weak link in any data security network. They are often used because they are cost effective. That may mean they are less invested in data security and proper training. Organisations should include proper cyber security requirements in contracts but also insist on a right to inspect the effectiveness of cyber security.

This episode highlights the need to determine whether the AI used is properly integrated and compatible with existing systems, whether there are appropriate security measures and whether there has been a proper assessment of risk.

Some of the factors organisations need to consider are:

  • Security – In this regard an organisation needs to consider the model type. The starting preference should be a “Closed Model”. This is different to an “Open Model” such as standard ChatGPT. “Closed Models” generally do not allow prompts and results to train the underlying model, and do not retain any data. This deals with unapproved disclosure of confidential or personal information, such as occurred in this case. Any AI system should comply with local and international data sovereignty laws. That would mean data remaining within Australian borders. It is critical to know how, and how frequently, the underlying Large Language Model (LLM) is trained and updated. It is critical to ensure that these underlying updates are secure and trustworthy, or otherwise subject to sufficient controls.

  • Quality of data and training – In addition to quality in, quality out for data, it is important to have quality training. It is necessary to look at models that have invested in industry-specific pre-training to achieve optimal results.

  • Quality Assurance – If an organisation uses AI to make decisions it is critical to have quality assurance. That involves using statistical methods, such as precision and recall. There should be regular testing and validation.

  • Tracking – It is important to trace work products and decisions. That should involve having methods to monitor and document where AI has been involved in the development of work products. That could involve logs of AI interactions or tagging outputs generated by AI systems.

Clearly the Authority will have to review how its third party providers use AI. There was a failure to properly monitor and proscribe practices involving the personal information collected by the Authority and used by third parties.

The data breach has been reported by the ABC with Read the rest of this entry »

Legal Practice Board suffers data breach, notifying data breach victims

October 3, 2025

The Legal Practice Board of Western Australia suffered a data breach on 21 May 2025. It claimed the incident was swiftly contained and it implemented changes to avoid a recurrence. In the subsequent five months it discovered that additional data was accessed by the cyber hacker beyond that determined in May. Unfortunately that involved health, identity and financial information. Unusually for such updates, the Legal Practice Board has advised there is a low risk of misuse of the data because it believes the third party no longer has the Board’s data. That is far from the norm. Usually hackers hold onto stolen data unless they are convinced to destroy it or hand it back. In the context of ransomware attacks that invariably happens after payment of the ransom. Unfortunately the Board will not share the basis for its belief. The Board also claims an injunction will prevent any access to or sharing of the data. That is more assertion than evidence. Injunctions are now becoming quite a standard response to cyber attacks. Whether that slows the publication of data on the dark web or the sale of personal information is yet to be seen.

It is ironic that the statutory body responsible for standards and discipline of the legal profession in Western Australia has had its cyber security found wanting. Even more interesting is that it took five months to discover that more information was stolen than was previously thought. There is a problem there, either in the nature of the remediation, the resources provided for it or the process for notifying victims.

The Legal Practice Board’s recent media release and the history of this data breach provide:

The Legal Practice Board (the Board) experienced a cyber incident in late May 2025 which resulted in some of our systems being taken offline, including our online website services.

Since this time, the Board has worked to restore and ensure the security of our systems, implement temporary manual workarounds where needed, and fully investigate the incident and potential data access. We would like to assure you that the incident was swiftly contained, and we have implemented a range of measures to prevent risk of reoccurrence.

Following a comprehensive investigation, the Board has determined that some additional data was accessed by the third party, beyond the small amount of information disclosed in May which was addressed at the time.

The Board is undertaking a detailed review of this data and on Wednesday 1 October, 2025, commenced notifying individuals whose health, identity and financial information was involved. 

If you have not received a notification by email or post there is no action you need to take. Please note, emails may be sent to work or personal email addresses.

The Board is continuing to assess whether any other information was involved and will issue further notifications should this be required. This webpage will be updated when the data review and notifications are complete.  

Importantly, the Board considers there is a low risk of misuse of the data involved, based on the following factors:  

Read the rest of this entry »

US Federal Trade Commission takes action against Disney and Apitor for unlawful collection of children’s personal information

September 24, 2025

Protection of children’s privacy has been the subject of increasing focus by regulators worldwide. In Australia, under the Privacy and Other Legislation Amendment Act 2024 the Office of the Australian Information Commissioner (OAIC) must develop a Children’s Online Privacy Code by 10 December 2026. The Code will specify how online services accessed by children must comply with the Australian Privacy Principles and may impose additional requirements provided they are not inconsistent with the existing principles. Legislation protecting children’s privacy has been in place in the United States for some time, including the Children’s Online Privacy Protection Rule (“COPPA”). Recently the Federal Trade Commission (“FTC”) has taken action against Disney and Apitor, a robot toy maker, regarding unlawful collection of children’s personal information.

Complaint against Disney

Disney has entered into a settlement with the FTC to settle allegations that it enabled the unlawful collection of children’s personal information in breach of COPPA. The breach was Read the rest of this entry »

Interest in Genea data breach class action growing

September 22, 2025

The SBS has published a very interesting piece on the Genea data breach and medical privacy in general with ‘Really angry’: Isabel is one of hundreds considering class action against this IVF provider. The story reports that Phi Finney McDonald are investigating whether to undertake a class action.

The story highlights the chronic problem of organisations holding personal information much longer than is reasonable. The health sector is particularly prone to this data hoarding. There have been cases where medical practices have retained the records of patients who have died. The deceased have no privacy protections, but there is no basis for holding onto such records. It is a systemic problem. Because the cost of storing digitised personal records is inexpensive and becoming less and less expensive, there is little urgency or financial need to purge databases. The Genea and Optus data breaches reveal that such poor data handling results in personal information being taken which should not have been in the possession of the organisations to start with.

The Genea data breach also highlights how a poor data breach response plan can aggravate a damaging situation. Genea initially treated its patients and ex-patients poorly, has been very close-mouthed about the data breach generally and took an inordinate amount of time to properly notify those patients affected.

The article provides:

Hundreds of Australians have shown interest in a class action lawsuit, which could be the first test of new reforms to Australia’s Privacy Act.

Isabel Lewis wanted to have children so badly that her friends nicknamed her “clucky”.

She would write letters to the child she dreamed of having, but there was a stumbling block for Lewis.

“I was 38 and single,” she tells SBS News.

“It was hard to date when you are single, but you are desperate to have children.”

It was then that Lewis made a big life decision: to pursue motherhood without a partner.

“In that process, I was like, ‘Well, clearly then I’ll be single forever. No-one will ever want to date somebody with children,'” she says.

“But then I met Chris.”

The pair clicked, and for her next cycle, Lewis put her initial donor on hold and used her new partner Chris Lewis’s sperm instead.

A few cycles later, they were trying for a fifth time, a cost that put the pair into debt.

Lewis says this was going to be their last try, but to her amazement, not one but two of her embryos were successful.

“We had twins, baby boys, and they’re Chris’s biological children,” she says. They’re the jackpot babies.

Eight years on, her boys are happy and healthy, and she and Chris are married.

The now 46-year-old holds her journey to motherhood close to her chest, but since a data breach targeted the fertility clinic she used, she’s become concerned it could be exploited for malicious purposes.

In February, Genea Fertility informed clients, including Lewis, via email that personal data had been breached by cybercriminals and posted to the dark web.

Read the rest of this entry »