American Express is found to have major data flaws after an investigation by the Privacy Commissioner

October 17, 2025

One thing that is almost a given in data privacy law is that if the regulator starts investigating a discrete problem or data breach it will end up reviewing the entity’s entire operation and finding problems worse than the one it started with. Often the original problem turns out to be a small fraction of the entity’s problems. And so it goes with American Express, where the Privacy Commissioner found systemic failures in American Express’s security controls, potentially exposing more than a million cardholders to privacy breaches. The initial complaint came from a customer who alleged that a staff member had been spying on his personal financial information. It is reported in the Age story ‘Sensitive personal information’: Leaked report reveals American Express security failures. What is unusual, and reflects poorly on American Express, is that two years ago the Age reported that the Australian Financial Complaints Authority had found American Express breached privacy laws when its employee accessed the complainant’s accounts on at least nine occasions without consent. Ironically the Privacy Commissioner’s interim report was itself leaked, not surprisingly to the Age. That is quite unusual and is unlikely to impress the regulator or American Express.

Based on the article it appears that American Express does not track employee access to customer accounts across 78 per cent of its systems. That is a classic exposure to “insider threat” risk. It is surprising that American Express did not have the technology to restrict staff access to particular customer accounts. It cites operational complexity as a reason for not implementing those controls. That is nonsensical: banks have long had such technology, and rogue or merely inquisitive employees who access accounts unrelated to their job are summarily dismissed as a matter of rigid practice. American Express instead relied on internal policies and staff training to prevent misconduct. Those should be part of the process but not the end of it. What is particularly disturbing is that staff with basic privileges, based in Australia and overseas, had “full and unfettered access” to the private information of Australian customers, who include celebrities, politicians, politically exposed persons and vulnerable people. That is extraordinary for a company of American Express’s size and profile, and especially for one whose internal data breach was revealed two years ago. Unfortunately this level of complacency is all too common: many entities give employees broad and sometimes unfettered access to personal information even where they have no need to access it. Often companies do not log access at all, so internal threats cannot be identified. Two controls go together here: limit who can open a customer account in the first place, and log every lookup so that access with no legitimate work reason, or repeated lookups of one account by one employee, can be picked up afterwards.
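As an added illustration of what access logging makes possible (example code written for this post, not American Express’s systems; the log lines, case identifiers, staff identifiers and system names are all constructed), the following Python reviews each account lookup against the work item the employee cited, flags lookups that no assigned case explains, counts repeated lookups of one account by one employee, and reports how much of the estate cannot be reviewed at all because it emits no log:

```python
"""Added example (not American Express code): review customer-account lookups
by staff against the work items that would justify them. All data is constructed."""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class AccessEvent:
    ts: str                  # ISO-8601 timestamp of the lookup
    staff_id: str            # employee who opened the record
    account_id: str          # customer account that was viewed
    system: str              # application that emitted the log line
    case_id: Optional[str]   # service request the employee cited, if any


@dataclass(frozen=True)
class Case:
    case_id: str
    account_id: str   # customer the request is about
    assignee: str     # employee who owns the request


# Constructed sample: the work items open on the day (hypothetical identifiers).
CASES: Dict[str, Case] = {
    "C-100": Case("C-100", "ACCT-1001", "S-ALICE"),
    "C-101": Case("C-101", "ACCT-2002", "S-BOB"),
}

# Constructed sample access log. Only systems that actually emit such records
# can be reviewed; a system that logs nothing contributes no events here.
EVENTS: List[AccessEvent] = [
    AccessEvent("2025-10-01T09:00:00", "S-ALICE", "ACCT-1001", "card-servicing", "C-100"),  # her own case
    AccessEvent("2025-10-01T09:05:00", "S-BOB",   "ACCT-1001", "card-servicing", "C-100"),  # cites Alice's case
    AccessEvent("2025-10-01T09:10:00", "S-BOB",   "ACCT-2002", "disputes",       "C-101"),  # his own case
    AccessEvent("2025-10-01T10:00:00", "S-CAROL", "ACCT-3003", "card-servicing", None),     # no work item
    AccessEvent("2025-10-02T10:00:00", "S-CAROL", "ACCT-3003", "card-servicing", None),
    AccessEvent("2025-10-03T10:00:00", "S-CAROL", "ACCT-3003", "card-servicing", None),
    AccessEvent("2025-10-04T10:00:00", "S-ALICE", "ACCT-2002", "card-servicing", "C-101"),  # case is Bob's
]

# Constructed inventory: five systems hold customer records, two of them log lookups.
ALL_SYSTEMS: Set[str] = {"card-servicing", "disputes", "rewards", "collections", "legacy-crm"}
LOGGED_SYSTEMS: Set[str] = {"card-servicing", "disputes"}


def is_justified(event: AccessEvent, cases: Dict[str, Case]) -> bool:
    """A lookup is justified only if the cited case exists, is assigned to the
    employee doing the lookup, and concerns the account that was opened."""
    case = cases.get(event.case_id) if event.case_id else None
    return (
        case is not None
        and case.assignee == event.staff_id
        and case.account_id == event.account_id
    )


def unjustified_access(events: List[AccessEvent], cases: Dict[str, Case]) -> List[AccessEvent]:
    """Every lookup that no assigned work item explains; each one is a review item."""
    return [e for e in events if not is_justified(e, cases)]


def repeat_lookups(events: List[AccessEvent], threshold: int = 3) -> Dict[Tuple[str, str], int]:
    """(staff, account) pairs that appear at least `threshold` times in `events`.
    Run it over the unjustified list to find one employee returning to one
    customer's records, the pattern in the original complaint."""
    counts = Counter((e.staff_id, e.account_id) for e in events)
    return {pair: n for pair, n in counts.items() if n >= threshold}


def unmonitored_fraction(all_systems: Set[str], logged_systems: Set[str]) -> float:
    """Share of systems whose lookups cannot be reviewed because nothing is logged."""
    return 1.0 - len(all_systems & logged_systems) / len(all_systems)


if __name__ == "__main__":
    flagged = unjustified_access(EVENTS, CASES)
    for e in flagged:
        print(f"REVIEW {e.ts} {e.staff_id} opened {e.account_id} on {e.system} (case={e.case_id})")
    for (staff, acct), n in repeat_lookups(flagged).items():
        print(f"REPEAT {staff} opened {acct} {n} times without a matching case")
    print(f"unmonitored systems: {unmonitored_fraction(ALL_SYSTEMS, LOGGED_SYSTEMS):.0%}")
```

The review is only as good as the log feed: the three unlogged systems in the constructed inventory produce no events, so a lookup there is invisible to this check, which is the practical meaning of the 78 per cent figure above. Restricting which accounts a role can open in the first place removes most of these review items before they arise; the log then catches what the restriction cannot express.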

It is interesting to see American Express adopt Read the rest of this entry »

Privacy Commissioner issues new guidance to Social Media Platforms regarding age limits

October 16, 2025

As 10 December approaches the regulators are releasing guidance. Last month the eSafety Commissioner issued its guidance. Last Friday the Privacy Commissioner issued a statement and guidance. As the guidance makes clear, more is expected of entities in handling and, importantly, destroying data. Part 4A of the Online Safety Act 2021 sets out quite detailed obligations on social media platforms. For social media entities this will require a very thorough audit of data collection and use practices.

The Statement provides:

The Office of the Australian Information Commissioner (OAIC) has published regulatory guidance for age-restricted social media platforms and age assurance providers on compliance with the privacy provisions for the Social Media Minimum Age (SMMA) scheme, due to take effect on 10 December.

Privacy Commissioner Carly Kind said that the guidance reflects the stringent legal obligations on entities to ensure that age assurance is applied proportionately and through privacy-respecting approaches.

“Today we’re putting age-restricted social media platforms on notice,” Ms Kind said. “The OAIC is here to guard and uplift the privacy protections of all Australians by ensuring that the age assurance methods used by age-restricted social media platforms and age assurance providers are lawful.”

The OAIC co-regulates SMMA alongside eSafety. Last month, eSafety published their regulatory guidance detailing what ‘reasonable steps’ age-restricted social media platforms must take to prevent age-restricted users from having accounts, including guiding principles for the implementation of age assurance to meet SMMA obligations.

The OAIC’s guidance published today provides information for age-restricted social media platforms and third-party age assurance providers on handling personal information for age assurance purposes in the SMMA context.

“The OAIC is committed to ensuring the successful rollout of the SMMA regime by robustly applying and regulating the privacy rules contained in the legislation, in order to reassure the Australian community that their privacy is protected,” said Privacy Commissioner Carly Kind.

“eSafety has provided the rules of the game with their ‘reasonable steps.’ Now the OAIC is setting out what is out-of-bounds when it comes to the handling of personal information for age assurance in the social media minimum age context.

“Together, eSafety and the OAIC’s regulatory guidance outlines the field of play for age-restricted social media platforms and third-party age assurance providers.

“SMMA is not a blank cheque to use personal or sensitive information in all circumstances; we’ll be actively monitoring platforms to ensure they stay within the bounds by deploying age assurance proportionately and lawfully.”

Key considerations detailed in the guidance call on entities to:

    • note the additional privacy obligations in the SMMA scheme operate alongside the Privacy Act 1988 and the Australian Privacy Principles.
    • choose age-assurance methods that are necessary and proportionate, and assess the privacy impacts associated with each method.
    • minimise the inclusion of personal and sensitive information in age assurance processes.
    • note pre-existing personal information later used for SMMA purposes does not need to be destroyed where the original purposes are ongoing.
    • destroy personal information collected for SMMA purposes once purposes are met.
    • make sure that any further use of personal information collected for SMMA purposes is strictly optional, has the user’s unambiguous consent and can be easily withdrawn.
    • be transparent about the handling of personal information for SMMA purposes in privacy notices and at the moments it matters.

Together, these privacy safeguards impose stringent legal obligations on age-restricted social media platforms and age assurance providers. Failure to meet these obligations may constitute ‘an interference with the privacy of an individual’ and may trigger enforcement action.

Further OAIC resources will be released soon to help Australians understand what personal information may be handled through age assurance methods, as well as educational resources for children and families to help them navigate the changes and support conversations about children’s privacy online.

For more information and to view the guidance, visit: www.oaic.gov.au/privacy/privacy-legislation/related-legislation/social-media-minimum-age

Background

The OAIC co-regulates the Social Media Minimum Age Scheme with eSafety. Specifically, the OAIC oversees the compliance and enforcement of the privacy provisions set out in Section 63F of Part 4A of the Online Safety Act 2021, which operate in tandem with the Privacy Act 1988.

Key aspects of the guidance are:

  1. Purpose limitation – section 63F(1). Entities that hold personal information collected for, or including, SMMA purposes must not use or disclose that information for any other purpose. There are limited exceptions under APP 6.2(b)–(e) which permit use or disclosure, or where the individual gives voluntary, informed, current, specific and unambiguous consent under section 63F(2). This standard goes beyond the general APP 6 framework. The inclusion of “unambiguous” as an element of consent precludes the use of pre-selected settings or opt-outs when seeking consent. Reuse of the information is prohibited unless clearly authorised or in the exceptional circumstances set out in APP 6.2(b)–(e).
  2. Information destruction – section 63F(3). Once personal information collected for SMMA purposes has been used or disclosed for those purposes it must be destroyed. De-identification is not permitted. The destruction must happen as soon as all SMMA purposes are met. This obligation is stricter than APP 11.2, which permits de-identification or retention for ancillary business needs. Pre-existing data used to support age assurance remains governed by APP 11.2.
  3. Enforcement. The Privacy Commissioner has the power to investigate and take action for breaches, as a breach of section 63F constitutes an “interference with the privacy of an individual” under the Privacy Act. Those actions include investigating, making determinations, and requiring remediation or compensation. Individuals may also lodge complaints directly with the Privacy Commissioner.
  4. Part 4A does not replace the APPs. It is an overlay of stricter duties in addition to the existing APPs, which continue to apply in their entirety.

Under the guidance, platforms cannot retain information “just in case” it is useful later. The OAIC can investigate and enforce directly, even against entities not previously regulated, such as small technology providers or overseas processors.

The OAIC expects age assurance solutions to be privacy by design, backed by an early-stage Privacy Impact Assessment (PIA) that examines proportionality, necessity and data minimisation. That may be a new concept for some entities. In establishing the processes and procedures the least privacy-invasive method should be used, and it should be tested through a PIA before deployment.

The OAIC recommends establishing a “ring-fenced SMMA environment” — a segregated technical and data structure where age assurance information is processed, stored and destroyed separately from other systems. Only minimal artefacts, such as a binary “16+ yes/no” result, method and timestamp, should persist. Inputs like ID scans or selfies must be deleted immediately after use.
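One way to build the ring-fence described above, as an added example rather than anything from the OAIC guidance or a real platform (the field names, the stand-in for reading a date of birth off a scanned document, and the sample inputs are all assumptions), is to make the minimal artefact the only type that can leave the age-assurance environment, destroy the raw input before the check returns, and gate the write path so that a record carrying anything more than the three permitted fields is refused:

```python
"""Added example (not OAIC or platform code): a ring-fenced age check that keeps
only the minimal artefact and destroys its inputs. Field names are assumptions."""
from dataclasses import dataclass
from datetime import date, datetime

MINIMUM_AGE = 16
# The only keys permitted to leave the ring-fence and be stored with the account.
PERSISTED_FIELDS = frozenset({"over_minimum_age", "method", "checked_at"})


@dataclass(frozen=True)
class AgeAssuranceResult:
    over_minimum_age: bool   # the binary "16+ yes/no" outcome
    method: str              # e.g. "document-scan" (assumed label)
    checked_at: str          # ISO-8601 timestamp of the check


def has_reached_age(dob: date, on: date, years: int = MINIMUM_AGE) -> bool:
    """True if someone born on `dob` is at least `years` old on `on`.
    A 29 February birthday is treated as 1 March in non-leap years."""
    try:
        birthday = dob.replace(year=dob.year + years)
    except ValueError:                      # 29 Feb in a non-leap target year
        birthday = date(dob.year + years, 3, 1)
    return on >= birthday


def check_age(dob_iso: str, on_iso: str, years: int = MINIMUM_AGE) -> bool:
    """String convenience wrapper around has_reached_age."""
    return has_reached_age(date.fromisoformat(dob_iso), date.fromisoformat(on_iso), years)


def assure_age_from_document(doc_image: bytearray, dob_iso: str, method: str,
                             now_iso: str) -> AgeAssuranceResult:
    """Runs inside the ring-fence. `dob_iso` stands in for the date of birth read
    off the scanned document (the extraction itself is assumed, not implemented).
    The scan buffer is overwritten before the function returns, whether or not the
    check succeeds, so the only thing that survives the call is the minimal result."""
    try:
        now = datetime.fromisoformat(now_iso)
        return AgeAssuranceResult(
            over_minimum_age=has_reached_age(date.fromisoformat(dob_iso), now.date()),
            method=method,
            checked_at=now.isoformat(timespec="seconds"),
        )
    finally:
        doc_image[:] = bytes(len(doc_image))   # zero the scan in place, even on error


def validate_persisted_record(record: dict) -> dict:
    """Gate at the boundary of the ring-fence: refuse to write a record that carries
    anything beyond the permitted fields. A date of birth, a document number or an
    image reference added later by a well-meaning change is rejected here."""
    extra = set(record) - PERSISTED_FIELDS
    missing = PERSISTED_FIELDS - set(record)
    if extra or missing:
        raise ValueError(f"SMMA artefact rejected: extra={sorted(extra)} missing={sorted(missing)}")
    return record


def persisted_record(result: AgeAssuranceResult) -> dict:
    """What leaves the ring-fence: the three fields and nothing else."""
    return validate_persisted_record({
        "over_minimum_age": result.over_minimum_age,
        "method": result.method,
        "checked_at": result.checked_at,
    })


if __name__ == "__main__":
    # Constructed stand-in for an uploaded ID scan; never a real document.
    scan = bytearray(b"\xff\xd8 constructed stand-in for a JPEG of an ID document")
    result = assure_age_from_document(scan, "2009-06-30", "document-scan",
                                      "2025-10-17T08:00:00+00:00")
    print(persisted_record(result))          # only the result, method and timestamp
    print(bytes(scan) == bytes(len(scan)))   # True: the scan has been destroyed
```

The design choice worth noting is that retention is enforced by the shape of the data rather than by a policy document: the persisted record cannot carry a date of birth without `validate_persisted_record` failing, and the scan is zeroed in the same call that consumes it. Zeroing a `bytearray` in place does not reach copies made elsewhere (a decoded image held by a library, a request body buffered by a web framework), so in a real deployment those buffers have to be handled the same way.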

The OAIC supports inference-based and AI-driven approaches but with clear restrictions: they must be transparent, demonstrably accurate, and not rely on continuous behavioural tracking or unnecessary sensitive data such as biometric or content analysis.

The process must be transparent. That includes:

  • just-in-time notifications at the point of data collection,
  • explaining what information is being collected, by whom, for how long and why, and
  • privacy policies which clearly describe SMMA-specific processing and destruction practices.

Legal, product and design teams need to collaborate. Poorly designed consent or information screens — even if legally accurate — can amount to non-compliance.

Part 4A sets a higher bar for consent to secondary uses of information collected for SMMA purposes than the standard APP test. Consent must be:

  • voluntary,
  • informed,
  • current,
  • specific and unambiguous, and
  • able to be withdrawn.

The OAIC Guidance says that there should be:

  • no bundled or pre-ticked consents,
  • no reliance on general terms of use,
  • simple withdrawal mechanisms in dedicated privacy settings or contextually appropriate screens, and
  • consent which is purpose-specific and time-limited.

Section 63F’s destruction requirement is specific and Read the rest of this entry »

Privacy Commissioner finds that Kmart’s use of facial recognition technology breached the Privacy Act and was unlawful

September 18, 2025

First it was Bunnings and now Kmart has breached the Privacy Act 1988 in its use of facial recognition technology. Today the Privacy Commissioner published the results of a Commissioner-initiated investigation which found that Kmart Australia breached the Australian Privacy Principles in collecting personal and sensitive information through facial recognition technology in the period June 2020 to July 2022. The story is covered by Information Age’s article Kmart facial recognition broke privacy laws, regulator finds. It is also covered by the ABC, the Australian Financial Review, Read the rest of this entry »

iiNet hacked with data relating to 280,000 customers affected

August 19, 2025

Another day, another data breach in Australia. This time iiNet has announced that it has suffered a data breach. The mode of entry was the use of an employee’s credentials to get into iiNet’s order management system. The breach is reported by the Australian in iiNet latest Aussie company to be hit by hackers. iiNet issued a media release earlier today titled Cyber incident involving iiNet customers. As is the way, the story has been covered across the media by News.com.au, Information Age, Australian Cyber Security Magazine, the AFR and Cyber Daily, amongst others.

This data breach will be hugely embarrassing for iiNet. Its whole image is based around being more accessible (not in that way) and different from other telco providers, and better in a geekier, more friendly but more efficient sort of way. Now it finds itself suffering the sort of data breach other big organisations suffer.

iiNet’s media statement is quite good. For Australia. It provides some detail of what happened and how, though much is not revealed. That will be revealed if the Privacy Commissioner takes action or there is a class action. But being as transparent as possible is preferable to saying virtually nothing, as Genea has done with its much more serious data breach. iiNet provided detail of the nature of the personal information stolen: email addresses (280,000), phone numbers (20,000), user names and street addresses (10,000) and modem set-up passwords (1,700). Distressing and damaging as that may be, it did not involve financial information, dates of birth or any other personal information. iiNet has been more specific than most in how it responded. It cannot help itself in advising how it is liaising with the ACSC, the NOCS and the OAIC. On a more relevant note it has set up a dedicated hotline. That is an excellent initiative. By contrast Genea has been very difficult to contact and its responses have been wholly unhelpful, enraging patients. iiNet also provided some preliminary advice on what to do and answered frequently asked questions. Interestingly, iiNet responds to the question of why it was holding information on people who are no longer customers. The answer is somewhat mealy mouthed, including that it was due “to legal, regulatory, or operational requirements.” Mmmm.

The statement provides:

iiNet has been impacted by a cyber incident involving unauthorised access to its order management system by an unknown third party.

The iiNet ordering system is used to create and track orders for iiNet services, such as NBN connections. The system contains limited personal information. Importantly, it does not contain copies or details of customer identity document details (such as passport or driver’s licences), credit card or banking information.

What we are doing

Upon confirmation of this incident on Saturday, 16 August 2025, we enacted our incident response plan, began work to ensure the security of the system and to determine what occurred. We have engaged external IT and cyber security experts to assist with our investigation. Read the rest of this entry »

Office of the Information Commissioner commences civil penalty proceedings against Optus in the Federal Court of Australia

August 10, 2025

It doesn’t rain for Optus. It pours. Optus announced on 22 September 2022 that it had suffered a major data breach. On 21 April 2023 Slater and Gordon filed a class action in the Federal Court of Australia, PETER JULIAN ROBERTSON & ANOR v SINGTEL OPTUS PTY LIMITED ACN 052 833 208 & ORS. It is scheduled to have a case management hearing on 15 August 2025. In June 2025 Optus paid a $100 million penalty for unconscionable conduct.

The Australian Information Commissioner has announced that it has filed civil penalty proceedings against Singtel Optus Pty Limited and Optus Systems Pty Limited arising out of the 2022 data breach. The reference is AUSTRALIAN INFORMATION COMMISSIONER v SINGTEL OPTUS PTY LIMITED (ACN 052 833 208) & ANOR, court number VID 1019/2025. The Information Commissioner is represented by the Australian Government Solicitor; previously it was represented by HWL Ebsworth. A concise statement and originating application were filed last Friday, 8 August 2025. The first case management hearing will be heard before Justice Beach this Friday, 15 August 2025. That will be a very busy day for Optus.

A key issue is the reasonableness of its cybersecurity having regard to its size and the nature of the data it held.

The statement from the Information Commissioner provides:

The Australian Information Commissioner (AIC) has filed civil penalty proceedings in the Federal Court against Singtel Optus Pty Limited and Optus Systems Pty Limited (together, Optus), following an investigation in relation to the data breach made public by Optus on 22 September 2022.

The data breach involved unauthorised access to the personal information of millions of current, former and prospective customers of Optus, and the subsequent release of some of this information on the dark web. Read the rest of this entry »

The Information Commissioner releases its regulatory action priorities for 2025 – 26

July 29, 2025

Today the OAIC released its regulatory action priorities for 2025 – 26. In the privacy sphere the Commissioner states that it is:

Rebalancing power and information asymmetries

The OAIC will focus on sectors and technologies that compromise rights and create power and information imbalances including:

    • the rental and property, credit reporting and data brokerage sectors
    • advertising technology (Ad tech) such as pixel tracking
    • practices that erode information access and privacy rights in the application of artificial intelligence
    • excessive collection and retention of personal information
    • systemic failures to enable timely access to government information

Rights preservation in new and emerging technologies

The OAIC will protect and uphold privacy and information access rights when dealing with new and emerging technologies with high impact, including:

    • facial recognition technology and forms of biometric scanning
    • new surveillance technologies such as location data tracking in apps, cars and other devices
    • the preservation of both privacy and information access rights in government use of artificial intelligence and automated decision making.

It is interesting to note that the Commissioner has previously flagged a focus on data collection by cars. The Commissioner has already taken action in relation to facial recognition technology.

The media release Read the rest of this entry »

A representative complaint under the Privacy Act 1988 made against Qantas

July 18, 2025

The Australian reports in Maurice Blackburn launches compensation case against Qantas over cyber attack that a claim against Qantas is in the offing. It is a representative complaint under the Privacy Act 1988. It is also reported in Compensation sought for millions of Qantas customers hit in major cyber data breach. Representative complaints may be commenced under Division 1 of Part V of the Privacy Act. Under section 36 an individual may complain to the Commissioner about an act or practice that is an interference with the privacy of that individual. Under section 38 a representative complaint can be made on behalf of a class if all the members have complaints against the same entity and those complaints arise out of, in this case, the same circumstances.

There should be no surprise in Read the rest of this entry »

Bunnings CEO now wants the Government to pass laws to make facial recognition legal after Bunnings was found to have breached the Privacy Act when using facial recognition

July 17, 2025

In November last year Bunnings was found to have breached the Privacy Act 1988 by using facial recognition technology without consent and failing to take reasonable steps to notify individuals that their personal information was being collected. There were no meek apologies from Bunnings. It came out saying it had every right to use facial recognition and that it was the most effective way to combat rising crime. It has appealed. Now the Managing Director of Bunnings has come out in an AFR article complaining about the privacy law and wanting new laws to allow facial recognition in stores. That is very curious. To call for a change to the law while appealing a decision under the extant law is not illegal. But it is quite arrogant. Changing the law to allow such a carve-out would significantly damage the operation of the Privacy Act.

Meanwhile, in CBA using facial recognition logins to verify disputed payment, the CBA is showing itself to be an enthusiastic user of facial recognition.

The AFR article Read the rest of this entry »

Qantas data breach follows a familiar pattern in Australia of the company saying too little too late. Soon the legal problems will appear

July 4, 2025

There are three distinct issues that confront a company dealing with a data breach. The first is the legal issue: who to notify, when, and what steps need to be taken to mitigate any loss. The second is the practical and technical issue: find out how the breach occurred, the extent of the damage and what repairs need to be undertaken. The third is public engagement: notifying the public and the media, and advising what went wrong and what is being done to fix the problem. Australian companies are well behind their contemporaries in the United States and Europe in their sophistication. Given the more effective regulation overseas, companies there are quicker to notify regulators. In the United States there is a culture of more transparent and effective communication with the public. Not always, but commonly. Australian companies tend to be dreadful at advising the public. Many put together bland boilerplate statements which mean nothing, which is their intent. That can lead to escalating problems and great mistrust. And rather than containing the fallout it increases it, as more information leaks about the data breach, much of it inconsistent with the blandly reassuring statements in the media releases.

It is good practice to have a data breach response plan which deals with each issue. In Australia even the companies that have such a plan rarely conduct practices and simulations. Many of their lawyers take a very rigid approach to the problem. As a result many responses are stilted, inflexible, incredibly defensive and often counterproductive.

The ABC piece Qantas executives slow to be seen after data breach affecting up to 6 million customers summarises the problem with tardy and inadequate responses. And so it is with Qantas: its handling has been at best mediocre, about on a par with most large Australian companies hit by a cyber attack. The Australian also covers the response in How Qantas is managing the fallout of a cyber attack targeting the personal details of 6 million people. The article quotes a class action lawyer from Maurice Blackburn on the inadequacy of the privacy laws. She claims that data breaches in other parts of the world are “..not happening to the scale that it happens in Australia and in part that’s because they have different laws in place that focus on things like data minimisation and higher standards of cyber security.” That is partly correct but mostly not. Australian privacy legislation lags the UK and Europe and even parts of the United States of America, such as California’s Consumer Privacy Act. It is not fit for purpose in a digital age where the collection of data is easy, rapid and enormous in volume. But the real problem in Australia has been very lax regulation and enforcement. That has led to a culture of complacency. For Read the rest of this entry »

Privacy Awareness Week starts today and runs to 22 June 2025

June 16, 2025

Today kicks off Privacy Awareness Week for 2025. The Privacy Commissioner has published a page on rights under the Privacy Act 1988 which includes material on the Australian Privacy Principles and privacy guidance. The Victorian Information Commissioner has published a page on Privacy Awareness Week.