Peter A Clarke

C’est chic to do an in depth piece by over an extravagantly priced breakfast or lunch. Not only does the reader get to know something about the subject but we get an insight of what the movers and shakers are eating and where they congregate to consume. The Australian Financial Review has recently published a profile of Carly Kind, the recently appointed Privacy Commissioner. This is something of a first for Privacy Commissioners. The most recent Information Commissioners (who covered privacy), Timothy Pilgrim (a pleasant but through and through public servant) and Angeline Falk (a long serving deputy in the Office of the Australian Information Commissioner), were not media averse as such. But their media forays were relatively few and brief. Usually confined to an interview on the ABC or quotes for other media. Their speeches at conferences were safe and predictable and certainly not designed to shake up the woeful privacy culture in the Australian marketplace. Even by the grey standards of Australian regulators they were distinctly in the background. Which was a shame. Privacy issues did not get ventilated as much as they should have. That is perhaps understandable given the generally ineffective regulation and enforcement of the Privacy Act. To be fair the last few years has seen a marked improvement in enforcement but has come off a low base and has not had a significant impact on the market yet.  And to be fair Pilgrim and Falk were marked improvements on their predecessors.

Carly Kind has had a good start as Privacy Commissioner.  A distinct up tick in enforcement action and more assertive commentary.  That she has a pedigree largely outside the Australian Public Service is a huge advantage.  She may be less hidebound by conservative self restraining litigation guidelines.  We can only hope given she has been handed even more enforcement powers in the most recent amendments to the Privacy Act late last year. In this article she was candid in criticising poor public policy which has led to privacy invasive practices.  As I have been writing about for years.  She needs to bring high profile actions which puts high profile privacy breaching companies into the media spotlight.  This is a common approach of ASIC and the ACCC.  That is the only way of changing the culture in the market place.

The article gives some restrained hope that the coming years will see more effective and high profile regulation of privacy breaches.  It is well overdue.

The article provides:

My lunch with the Australian Privacy Commissioner, Carly Kind, begins with a confession.

“I tried to stalk you on social media on my Uber on the way,” I say as she sits down at Manly’s Noon café, bike helmet in hand.

Looking up other people’s social media is something everyone does but no one should ever admit to, particularly not to the woman charged with protecting the nation’s privacy by upholding the Privacy Act of 1988.

Kind is taken aback and for a moment, I think I’ve blown it before we’ve even ordered a coffee, let alone lunch.

“Did you find anything interesting?” she responds after what feels like an age.

No. She is on Instagram and on Facebook. But both attempts to glean any information of value were foiled despite me being a Millennial journalist well versed in the art of lurking.

Her Instagram is set to private. Her Facebook isn’t locked but the only photo I can click on is of the back of her head. I did manage to deduce she has 737 Facebook friends, but there are no workplaces, relationships, or really any other information to show.

When I lament my efforts were dashed, she’s nonchalant, “I really don’t use Facebook these days, but I can’t get rid of it because of Marketplace.”

I feel seen immediately.

Read the rest of this entry »

In the dying days of 2024, when the focus is on presents, holidays and plum pudding (for some at least) Meta has settled the civil penalty proceeding in the Federal Court. Meta will also enter into an enforceable undertaking.   The $50 million will not be distributed immediately. Eligibility will depend on whether a person ws in Australia between November 2013 and mid December 2015 and installed This is Your Digital Life App or was a friend of someone who had that app installed.

This is a very welcome development.  The civil penalty proceedings power in the Privacy Act has until recently been underutilised.

The Commissioner’s media release provides:

The Australian Information Commissioner today agreed to a $50 million payment program as part of an enforceable undertaking (EU) received from Meta Platforms, Inc. (Meta) to settle civil penalty proceedings. The payment scheme will be open to eligible Australian Facebook users impacted by the Cambridge Analytica matter.

The Commissioner alleged that the personal information of some Australian Facebook users was disclosed to the This is Your Digital Life app in breach of the Privacy Act 1988 (Cth). The information was exposed to the risk of disclosure to Cambridge Analytica and other third parties, and risked being used for political profiling purposes.

The agreement announced today follows a court-ordered mediation, which has been ongoing since February 2024, as part of the Federal Court civil penalty proceedings the Commissioner commenced in March 2020.

“Today’s settlement represents the largest ever payment dedicated to addressing concerns about the privacy of individuals in Australia,” Australian Information Commissioner Elizabeth Tydd said.

“It represents a substantive resolution of privacy concerns raised by the Cambridge Analytica matter, gives potentially affected Australians an opportunity to seek redress through Meta’s payment program, and brings to an end a lengthy court process.”

As part of the resolution, the Commissioner has withdrawn the civil penalty proceedings in the Federal Court.

The EU requires Meta to set up a payment scheme, which will be run by an independent third-party administrator. Meta will appoint the third party to administer the payment scheme, who will be announced early next year. The scheme will be open to individuals who:

• • held a Facebook Account between 2 November 2013 and 17 December 2015;
  • were present in Australia for more than 30 days during that period; and
  • either installed the This is Your Digital Life app or were Facebook friends with an individual who installed the app.

The payment scheme will be structured into two tiers of payments. The first will permit individuals to apply for a base payment if they believe they experienced generalised concern or embarrassment because of the matter. The second category will provide for specific payment, likely to be higher than the base payment, to those who can demonstrate they have suffered loss or damage. The third-party administrator will also establish a timely internal review avenue for individuals in relation to the payment scheme. The Office of the Australian Information Commissioner anticipates individuals may be able to start applying to the payment program in the second quarter of 2025.

Any residual funds not exhausted in the payment scheme will be paid into the Commonwealth’s Consolidated Revenue Fund. Meta also paid a contribution to the Commissioner’s legal costs.

“The payment scheme is a significant amount that demonstrates that all entities operating in Australia must be transparent and accountable in the way they handle personal information, in accordance with their obligations under Australian privacy law, and give users reasonable choice and control about how their personal information is used,” Commissioner Tydd said.

“This also applies to global corporations that operate here. Australians need assurance that whenever they provide their personal information to an organisation, they are protected by the Privacy Act wherever that information goes.”

“We remain committed to applying our powers under the Privacy Act to achieve proportionate outcomes to ensure that Australians’ privacy is protected, particularly with respect to technologies that have a high privacy impact. This groundbreaking outcome reflects the significant concerns of the Australian community,” Privacy Commissioner Carly Kind said.

Since then Australian Information Commissioner Angelene Falk commenced the civil penalty proceedings against Meta in March 2020, the penalties for serious or repeated interferences with privacy (which can only be imposed following the commencement of civil penalty proceedings in the Federal Court), have increased from $1.7 million for each serious and/or repeated interference with privacy, to whichever is the greater of $50 million, three times the value of any benefit obtained through the misuse of information, or 30% of a company’s adjusted turnover in the relevant period.

Read the enforceable undertaking.

Details of payment scheme

• • Funds of $50 million will be available.
  • Individuals who were present in Australia for more than 30 days between 2 November 2013 and 17 December 2015, and either installed the This is Your Digital Life app, or who were Facebook friends of an individual who installed the This is Your Digital Life app, can apply for a base payment based on generalised concern or embarrassment, or an alternative amount if they can demonstrate specific loss or damage.
  • The third-party administrator will take reasonable steps to publicise the payment scheme.
  • Meta is required to make reasonable best efforts to notify those who are potentially impacted.
  • The payment scheme will be administered by a third-party administrator to be appointed by Meta. Payment is required to be made in a timely manner.
  • Details for accessing the payment scheme will be made public by the administrator in the second quarter of 2025.

The Enforceable Undertaking Read the rest of this entry »

Tracking pixels are HTML code snippets which is loaded when someone visits a website. It is used for tracking user behaviour. Advertisers can use this data for online marketing and web analysis. In the latest of a surge of guidances the Office of the Australian Information Commissioner (“OAIC”) has published guidance on tracking pixels.

Given the increased powers proposed in the Privacy and Other Amendments Bill 2024 organisations covered by the Privacy Act 1988 need to consider their use of tracking pixels before the amendments come into force.

The media release provides:

The guidance Read the rest of this entry »

It is a annual report season for Government agencies and authorities. And that includes that of the Office of the Australian Information Commissioner.Yesterday the Commissioner released its 194 page Annual Report for 2023 – 24. 

Given the significant amendments to the Privacy Act 1988 it is better to look forward to how the Privacy Commissioner approaches her responsibilities with new found powers rather than poring over the activities of the Privacy Commissioner over the past year.  On that note the work rate improved but it remained a timid regulator by any measure.   Which is a pity given the the Information Commissioner’s remuneration was $576,174 and Deputy Commissioner Elizabeth Hampton was $380,091. The relatively newly appointed Privacy Commissioner, Carly Kind is on $109,239.

In relation to privacy complaints the the Commissioner stated:

Privacy has been very much in the spotlight, with the continuing incidence of major data breaches. In 2023–24, we received 13% more notifications under the Notifiable Data Breaches (NDB) scheme than the year prior, when there was a 4% increase. We lifted our response rate, closing 84% of notifications within 60 days (compared to 77% last reporting year). In the 2022–23 financial year we received a 34% increase in privacy complaints. This year, complaints have remained relatively high, with a slight decrease of 5% year on year. We successfully responded to this high demand, finalising 20% more privacy complaints (3,104 in total), building on last year’s increase of 17% (2,576 finalised in total).
We continued our focus on clearing longer-standing, generally more complex and resource-intensive complaints, finalising 84% (271) of the 322 matters that were over 12 months old as at June 2023. At the same time, more recent complaints increased in age over the reporting period. The volume of complaints, combined with the focus on the longest-standing, meant that by the year’s end there was an overall increase in matters older than 12 months to 729. The OAIC will continue to focus on aging cases through process efficiencies and the strategic application of resources.

 What is quite unusual is that Read the rest of this entry »

The Australian Information Commissioner has issued updated guidances of charities and other not for profit organisations,  Guidances are not regulations but they are very important.  Organisations which comply with the guidances and somehow still have a data breach or other form of interference with privacy may be able to argue that they have done all that was required of them.  The reality is that if more organisations focused on complying with guidances and standards there would be far fewer data breaches.  Clearly all investigations are fact specific and compliance with a guideline does not provide any sort of immunity.

The statement from the Commissioner provides:

The updated guidance includes expanded advice on security of information, and steps that not-for-profits can put in place to ensure compliance with their retention and destruction obligations.

In particular, the updated guidance includes discussion on what to consider when engaging third-party providers, such as for fundraising, or software vendors. This area is particularly topical in the wake of high-profile data breaches affecting charities and NFPs.

Privacy Commissioner Carly Kind said the guidelines aim to help charities navigate their privacy responsibilities when collecting and handling personal information, and understand their obligations under the Privacy Act.

“We know how critical trust is to the work of not-for-profits and charities, and how important good privacy practices are to that trust”. Read the rest of this entry »

AI presents a major regulatory challenge across a range of governmental and private activities. And that is especially the case with privacy. The UK Information Commissioner’s Office has issued detailed guidance and other resources on Artificial Intelligence. The US Federal Trade Commission raised issues on AI, by way of a Big Data report in 2016, by post in 2017, issued a guidance by way of Q & A in 2020 and a finding on the use of Artificial Intelligence In the Matter of DoNotPay, Inc. Matter Number 2323042 September 25, 2024. Which brings us to the Australian Information Commissioner’s release of AI guidance today. There are actually 2 guides, one on the use of commercially available AI products.  The second relates to developers using personal information to great AI models.

AI needs personal information to properly work.  Lots of it.  Each of the guides and highlight the care that needs to be taken in considering the operation of the Privacy Act when using and developing Artificial Intelligence.  

The media release provides:

The first guide Read the rest of this entry »

The Government has published the Second Reading Speech and adjourned debate of the Bill. The Second Reading Speech is dated 12 September 2024 however the Daily Program lists the Speech as being moved today. It only recently appeared on the Bill’s homepage.

The Bill provides the Privacy Commissioner with more flexibility with enforcement, allowing for infringement notices and new civil penalties.  The real issue there is getting the Commissioner to use those powers.  The existing civil penalty provisions have only been used twice, and then only very recently and neither case has reached resolution. 

The statutory tort for serious invasions of privacy is welcome however the exemption carve outs, for journalism, law enforcement and security limit its effectiveness.  There is no consideration of whether the actions of the journalist is excessive and irresponsible in breaching a person’s privacy.  In the UK there is a balancing between Article 8, a right to privacy, and Article 10 a freedom of expression as applies to the media.  

There is specific provision for the development of a Children’s Privacy Code.  According to the Attorney General that is designed to align the protections with those that exist overseas. 

Doxxing will be criminalised.

There are other provisions which clarify the sharing of information when there are data breaches and during emergencies and regarding overseas data flows.

The amendments are conservative and modest but a move in the right direction. These changes will not make Australia’s Privacy Act the gold standard but if the further reforms proposed by the Attorney General’s Department are implemented then the level of protections will allow for a more effective regulation and protections.

The Second Reading provides:

Introduction

The digital economy has unleashed enormous benefits for Australians. But it has also increased the privacy risks we face through the collection and storage of enormous amounts of our personal data.

The Privacy Act 1988 represented the first time that a comprehensive, integrated set of legal rules protecting interests in privacy existed in Australia. On introducing it, Attorney-General Lionel Bowen told the parliament that ‘enormous developments in technology for the processing of information are providing new and, in some respects, undesirable opportunities for the greater use of personal information.’

In that respect, little has changed. Evolutions in technology and the way people use it continue to vex those who share information online, and those charged with regulating it. It is essential that Australians are protected by a legal framework that is flexible and agile enough to adapt to changes in the world around them.

The Privacy Act has not kept pace with the adoption of digital technologies. The vast data flows that underpin digital ecosystems have also created the conditions for significant harms—like major data breaches that have revealed the sensitive information of millions of Australians, exposing us to the risk of identity fraud and scams. Read the rest of this entry »

Credit Codes under the Privacy Act 1988 are very important and a breach of them can result in serious difficulties for a credit provider. The Information Commissioner has registered the Privacy (Credit Reporting) Code 2024. The Commissioner’s media release provides a useful summary of the features of the new code. That is an overview only.  It is important for credit providers, and those who act for those who have credit related matters to carefully read the Code. It is important that credit providers incorporate the new requirements into their documentation and processes. While that may sound trite the failure to do so is quite common, particularly by non bank credit providers.

The media release Read the rest of this entry »

Agencies release corporate plans. They are of variable quality and often drafted in vague enough terms to avoid criticism. The good plans say something even if there is a enough plausible deniability buried into its dense prose. The Information Commissioners’ media release keeps with this approach.

It provides:

As the accountable authority, I am pleased to present the 2024–25 Office of the Australian Information Commissioner (OAIC) corporate plan for the 2024–25 to 2027–28 reporting periods, as required under paragraph 35(1)(b) of the Public Governance, Performance and Accountability Act 2013.

As an independent statutory agency, our office regulates privacy and freedom of information (FOI) under the Commonwealth Privacy Act 1988 and the Freedom of Information Act 1982 (FOI Act) and has information policy functions under the Australian Information Commissioner Act 2010. This corporate plan sets out our key activities and how we measure our performance. Read the rest of this entry »

The Office of the Information Commissioner has released its data breach report for first 6 months of 2024. It is a useful if imperfect indication of the number of notifiable data breaches in Australia.  The latest report shows an increased number of reportable breaches, reaching the highest number in three and a half years.  It should be a given that the figures set out in these reports are very much a indication of trends.  The actual number of data breaches is significantly higher.  Some industries are more assiduous than others in reporting.  The legislation allows for considerable interpretation of what is a reportable data breach.  The culture of reporting remains poor because the consequences of non compliance with the legislation

The Commissioner provided a forward to the Report where she foreshadowed a more muscular approach to enforcement.  Finally.  The forward provides:

Since the launch of the Notifiable Data Breaches (NDB) scheme in 2018, the Office of the Australian Information Commissioner (OAIC) has published statistical information about data breach notifications we have received. Our goal in doing so has been to help entities and the public understand privacy risks identified through the scheme, highlight areas that require attention and provide clarity around our regulatory approach.

Six years on, the NDB scheme is now mature, and we are moving into a new era in which our expectations of entities are higher, seen in our recent commencement of civil penalty proceedings against Medibank Private Limited and Australian Clinical Labs Limited. This enforcement action should send a strong message that keeping personal information secure and meeting the requirements of the NDB scheme must be priorities. Read the rest of this entry »