October 30, 2020
Today the Attorney General announced a(nother) review of the Privacy Act 1988. That was part of a response to the ACCC’s Digital Platforms Inquiry. In doing so he released an 89-page Issues Paper.
The media release provides:
The Morrison Government has today released the terms of reference and issues paper for a wide-ranging review of the Privacy Act 1988 (the Privacy Act).
The Government committed to a review following the Australian Competition and Consumer Commission’s Digital Platforms Inquiry in 2019. Several recommendations from that Inquiry – which the Government has already agreed to in principle – will be considered as part of the review.
These include expanding the scope of the Privacy Act to cover technical data and other online identifiers; and strengthening privacy notice and consent requirements.
The review will be conducted by the Attorney-General’s Department and public submissions can be lodged up until 29 November 2020. A further opportunity to comment will also be available following the release of a discussion paper early next year.
“Australians are spending more and more of their time online and more of their personal information is being collected, handled and stored,” Attorney-General Christian Porter said.
“Technology is also rapidly evolving in areas such as artificial intelligence and data analytics, which is why it is crucial that we have a privacy regime that is fit for purpose, can grow trust, empower consumers and support the growing digital economy.”
A report of the review will be released following government consideration. It is separate to the work already being undertaken to increase the maximum civil penalties under the Privacy Act, and to develop a binding privacy code for social media platforms and other online platforms that trade in personal information.
The issues paper and further information about the review and consultation are available on the Privacy Act review page on the Attorney-General’s Department website.
Posted in Commonwealth Privacy Commissioner, Privacy
May 5, 2020
The Commonwealth Attorney General’s Department has released an exposure draft of the Privacy Amendment (Public Health Contact Information) Bill 2020.
The Attorney General’s media release provides:
The COVIDSafe app is a critical tool in helping our nation fight the COVID-19 pandemic.
With more than 4 million COVIDSafe registrations many Australians are already doing their part to help protect and save lives.
Attorney-General, Christian Porter, today released draft legislation which will codify the existing protections for individuals’ data collected by the COVIDSafe app that have been established in the Health Minister’s Biosecurity Act Determination.
The Privacy Amendment (Public Health Contact Information) Bill 2020 will reinforce the protections set out in the Determination made by the Minister for Health under the Biosecurity Act 2015 on 25 April 2020, placing the protections into primary legislation through amendments to the Privacy Act 1988.
Posted in Commonwealth Privacy Commissioner, Legal, Privacy
April 26, 2020
On 23 April 2020 in Australian Information Commissioner v Facebook Inc the Australian Information Commissioner successfully obtained interim suppression and non-publication orders, and orders for service outside Australia and substituted service, against Facebook Inc.
This is the first of what is likely Read the rest of this entry »
Posted in Commonwealth Privacy Commissioner, Legal, Practice and Procedure, Privacy
March 15, 2020
At the end of February the Australian Information Commissioner released the Report of Notifiable Data Breaches for the July – December 2019 period. There were 537 notifications, up from 460 in the previous 6 months and making 997 for the 2019 calendar year.
As usual health service providers top the list, with 117 notifications, followed by finance with 77 notifications. Interestingly, though less than 10% of notifications, there were 40 notifications from the legal, accountancy and management services sector. In terms of numbers of individuals affected, 132 notifications, about 20%, affected only one person’s personal information but one breach affected more than 10,000,000. The majority of notifications, 309, affected from 2 to 1,000 individuals while 13 notifications covered between 25,000 and 10,000,000.
Contact information was Read the rest of this entry »
Posted in Commonwealth Privacy Commissioner, General
March 10, 2020
Yesterday, 9 March 2020, the Australian Information Commissioner commenced proceedings against Facebook in the Federal Court. The actual citation is Australian Information Commissioner v Facebook Inc & Facebook Ireland Limited (court number NSD 246/2020).
It has taken 2 years for the Information Commissioner to conclude her investigations regarding Facebook’s actions in permitting personal information to be misused through the This is Your Digital Life app which was disclosed to Cambridge Analytica. The UK Information Commissioner resolved its investigation and issued a monetary penalty notice of 500,000 pounds in October 2018. The US Federal Trade Commission imposed a $5 billion penalty for its breach of the previous order in July 2019.
This litigation will be significant as it is the first consideration of the operation of section 13G of the Privacy Act, a civil penalty proceeding for serious or repeated interference with privacy. Unfortunately the Information Commissioner has not proven to be an adept litigator to date, though Facebook’s egregious conduct in permitting its users’ personal information to be misused is well documented. What is less clear is how the Commissioner will convince the Court that the statutory limit of $1.7 million for an infraction is a limit on each breach. That will be a significant Read the rest of this entry »
Posted in Commonwealth Privacy Commissioner, Federal Court, Privacy
November 11, 2019
Even after writing about privacy for a decade and more, it never ceases to amaze me that the media write in breathless tones about the problem with organisations using and misusing data and personal information as if it was some form of revelation. The only thing that has changed has been the great efficiency in the misuse. The latest offering is The Australian’s piece Giants’ data haul sparks call to reform privacy act, which is a bit of a spruik dressed up as an article for a conference to be hosted by the Consumer Policy Research Centre on 19 November 2019.
The chief executive is calling for “urgent reform of the Privacy Act” to better protect consumers. She also wants a Consumer Data Right. The call to reform the Privacy Act is misconceived. There is no point increasing the powers of Read the rest of this entry »
Posted in Commonwealth Privacy Commissioner, General, Privacy
October 12, 2019
The Australian Information Commissioner has recently released a Guide to Health Privacy. At over 50 pages it is quite comprehensive. It is less equivocal than previous guides published by the Information Commissioner. That is not to say it does not descend into vague generality more than it should. The Commissioner’s guidelines have no force of law under the Privacy Act 1988. That obvious fact has been stated by the Administrative Appeals Tribunal and the Federal Court. As they are not regulations their use as a legal document is relatively limited. They do however serve as a standard which the Information Commissioner expects agencies and organisations to follow in order to comply with the Privacy Act.
While some of the Commissioner’s previous and current guidelines are so vague, rubbery and equivocal as to be of little use, that is not really the key regulatory issue. The problem has always been the reluctance of the regulator to take enforcement action. That has been a 30 year problem. The powers available to the Commissioner have grown over the years. That has not been matched by Read the rest of this entry »
Posted in Commonwealth Privacy Commissioner, General, Privacy
August 29, 2019
The Information Commissioner has released the latest report on reported, rather than actual, data breaches for the last quarter, April – June 2019. The report highlights what has long been known, that human factors are a major cause of breaches.
The report reveals that:
- 34% of the breaches were caused by human error;
- 62% were the result of malicious or criminal attacks;
- the number of reported breaches, at 245, is statistically greater than the 215 breaches in the January – March period but in line with the previous 2 quarters of 245 and 262.
- 1 breach affected over a million people, 21 breaches affected over a thousand but less than 5,000 people, 52 breaches affected between 100 and 1,000 and the largest category of 61 breaches affected a single person. The report does not identify which industries are affected by breaches impacting a large number of people.
- contact information was affected in 220 of the breaches while financial details were affected in 102 and health information on 67 occasions.
- as is commonly the case wrong email addresses were the cause of the most human errors. Most of those errors were in the health sector.
- phishing is by far and away the most common cause of cyber incidents
- the most notifications were from the health sector, 47, while finance had 42 notifications followed by lawyers and accountants, 24.
Posted in Commonwealth Privacy Commissioner, Privacy
July 2, 2019
On 27 June the relatively new Information Commissioner signed off on an enforceable undertaking with the Commonwealth Bank of Australia arising out of 2 data breaches, the first, in 2016, involving the loss of 2 magnetic data tapes containing what the Information Commissioner described as customer statements relating to 20 million customers. The CBA was not able to work out whether the records were destroyed or something else came of them. The second breach arose in August 2018, with sensitive information being available to those who should not have been able to access that material. This enforceable undertaking was entered into with the CBA already the subject of a very critical APRA report on the CBA’s risk management and reactive approach to compliance. The CBA entered into an enforceable undertaking in early May 2018. And yet the CBA was involved in a second data breach 3 months later, in August 2018. What does that say about CBA’s commitment to risk management?
There is a contrast in styles between the Information Commissioner’s media release and that of the Bank.
The Commissioner’s media release reads Read the rest of this entry »
Posted in Commonwealth Privacy Commissioner, General, Privacy
May 20, 2019
Mandatory data breach notification has been law for over 12 months now. The legislation is complex, convoluted and vague in parts but it does set out an obligation for organisations and agencies to notify the Information Commissioner of data breaches. As expected, that has produced a volume of reported instances of data breaches in excess of those reported when reporting was voluntary. Based on overseas experience, where the obligations are more specific and the legislation less vague, the number of actual data breaches is far larger than those reported to the Information Commissioner.
The Commissioner has released the Notifiable Data Breaches Scheme 12-month Insights Report.
The Commissioner’s media statement Read the rest of this entry »
Posted in Commonwealth Privacy Commissioner, Privacy