Peter A Clarke

Categories

  • Blogs

  • Civil Liberties & rights

  • Current Affairs

  • Data security

  • Legal blogs

  • Newspapers

  • Overseas legal sites

  • Oz Legal

  • Politics

  • Privacy sites

  • Technology

    • About 160,000 members join the Optus data breach class action

    December 11, 2024

    The Australian reports in Class action against Optus after 2022 data breach registers 160,000 members that about 160,000 members have joined in the class action against Optus resulting from the 2022 data breach. This report is based on submissions made at a case management hearing before Justice Beach today. 

    The class action is brought in proceeding PETER JULIAN ROBERTSON & ANOR v SINGTEL OPTUS PTY LIMITED ACN 052 833 208 & ORS (number VID256/2023).

    The article provides:

    About 160,000 people whose passport and Medicare numbers were leaked online after Optus was hacked in 2022 have registered to partake in a class action against the telco.

    Appearing for class action behemoth Slater & Gordon, barrister William Edwards, KC, told the Federal Court on Wednesday the estimated number of members to join the action, which alleges Optus failed to protect the personal information of 9.8 million of its current and former customers whose personal data was leaked online after a cyber attack.

    The court was told Optus and Slater & Gordon were still trying to settle the case by mediation, with a hearing possible if that failed.

    In court, the parties argued over how much security Slater & Gordon should give Optus since it insisted on a secretive regime to keep documents exchanged in the case away from the public. Read the rest of this entry »

    Posted in Federal Court, Privacy | 13 Comments »

    Federal Trade Commission Report on product support for smart devices raises key issues for data security

    December 10, 2024

    A fairly to update programs and install patches provided by the suppliers is a common way hackers can access websites and smart devices. In those cases the breach is caused by the negligence of the owner of the website or smart device who fails to update. But what if the supplier fails to provide support after a time? With time the program or smart device will become more and more vulnerable to cyber attacks not to mention potentially losing functionality. It is a ubiquitous problem. The Federal Trade Commission has considered it with its report released under a cover of a media release titled Smart Products Surveyed Fail to Provide Consumers with Information on How Long Companies will Provide Software Updates.

    The FTC media release provides:

    A new paper from Federal Trade Commission staff finds that nearly 89% of products surveyed failed to disclose on their websites how long the products would receive software updates, which help ensure the devices are protected against security threats and operate properly.

    FTC staff from the agency’s East Central Regional Office looked for information about 184 different “smart” products—ranging from hearing aids to security cameras to door locks—about how long companies would provide updates for those products. If the manufacturer stops providing software updates, these products may lose their “smart” functionality, become insecure or stop working, according to the FTC Staff Perspective.

    “Consumers stand to lose a lot of money if their smart products stop delivering the features they want,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “Our study shows that nearly 89% of manufacturers of products we examined failed to post this information prominently or make it readily available. When shopping for smart devices, consumers should ask questions and consider how long their product will last.”

    Staff reviewed the manufacturer’s product webpages, where consumers might look for detailed information about a connected device, and found 161 of the products surveyed failed to provide information about the support duration or end date. Staff also conducted basic internet searches to determine if consumers could track down support duration and end dates for the smart devices surveyed. Those searches did not uncover support information for two-thirds (124) of the devices surveyed.

    The staff paper noted that manufacturers’ failure to inform prospective purchasers about the duration of software updates for products sold with written warranties may violate the Magnuson Moss Warranty Act, which requires that written warranties on consumer products costing more than $15 be made available to prospective buyers prior to sale and requires other disclosures. Failing to provide software update information to consumers could also violate the FTC Act if manufacturers make express or implied representations about how long the product is useable, according to the staff perspective.

    This report comes after a Read the rest of this entry »

    Posted in Federal Trade Commission, Privacy | Post a comment »

    New Zealand Privacy Commissioner releases report showing that data breaches are on the increase, like in Australia

    December 9, 2024

    New Zealand has a Privacy Commissioner and a Privacy Act. The regulator has quite limited powers and the legislation is inadequate compared to other common law and European countries. The Commissioner has released the annual report (found here).

    The Commissioner reported that the office:

    • received a total of 1,003 privacy complaints, up 15% from the previous year, with 279 of those complaints received for investigation.
    • there were 2,751 in-house privacy inquiries.
    • there were 864 privacy breach notifications, of which 414 were serious privacy breaches.
    Read the rest of this entry »

    Posted in New Zealand Privacy Commissioner, Privacy | Post a comment »

    Amendments to the Privacy Act commenced on 30 November 2024. No date proclaimed for commencement of Schedule 2, the statutory tort, so it will commence on 29 May 2025

    December 3, 2024

    Most of the amendments to the Privacy Act 1988 through the Privacy and Other Legislation Amendment Bill 2024 commenced on 30 November 2024. There has been no date proclaimed for Schedule 2 as yet.  In the normal course it would be very surprising if the Government was to, at some stage in the future, actually specify a commencement date if it did not do so immediately. 

    Posted in Privacy | Post a comment »

    Attorney gives insight into Privacy at Law Council of Australia Gala Dinner

    At a Law Council Dinner on Sunday 1 December 2024 the Attorney General waxed lyrical about matters pertaining to his portfolio. In the the course of his speechifying discussed the statutory tort and the anti doxxing provisions.  His defence of the journalist exception is wrong headed.  He claims it is necessary to protect freedom of the press.  That is nonsense.  There is no such exemption in any jurisdiction where there is a tort of privacy and somehow the press thrives in those places.  It was a political not policy decision. It is a terrible mistake.  That said having a tort even if in a weakened form is better than no tort.

    His speech provides:

    Acknowledgements

    Thank you to the Law Council of Australia for hosting yet another wonderful dinner, a dinner I’m delighted to be attending for my third consecutive year since returning as Attorney-General in 2022.

    I acknowledge the traditional owners of the land on which we meet, the Ngunnawal people, and pay my respects to their Elders, past and present. I extend that respect to all Aboriginal and Torres Strait Islander people here today. 

    I thank the President of the Law Council, Greg McIntyre SC, for inviting me to speak tonight. I congratulate and welcome the incoming President, Ms Juliana Warner.

    I also acknowledge

      • Her Excellency the Honourable Sam Mostyn AC, Governor-General of the Commonwealth of Australia, and His Excellency Simeon Beckett SC;
      • My parliamentary colleagues;
      • Current and former members of the judiciary; and
      • Members of the legal profession.

    Legal assistance services

    On 6 September this year First Ministers reached a landmark agreement for a new five year National Access to Justice Partnership.

    And I am very pleased to say that yesterday, 28 November, the final signature from an Attorney-General was obtained, and it has been published today.

    This agreement provides $3.9 billion in support for legal assistance services over five years – the largest Commonwealth funding contribution to the legal assistance sector ever.

    It is a vast improvement on the previous agreement, which expires on 30 June next year.

    Every single part of the legal assistance sector will get more funding.

    The agreement contains nearly $800 million in additional funding, including $500 million to support frontline legal assistance services delivered by Community Legal Centres, Women’s Legal Services, Aboriginal and Torres Strait Islander Legal Services, Legal Aid Commissions and Family Violence Prevention and Legal Services.

    Critically, funding will be ongoing. This means an end to a rolling five-year funding cliff. Instead of fighting for its very existence, the sector will be able to plan for the future. It will be able to more easily attract and retain employees because there is job security. This change may be an underreported element of the new agreement but its significance cannot be underestimated.

    The new agreement also addresses long-standing pay parity issues in the sector. For the first time, the Commonwealth is acting to lift rates of pay for the community legal assistance sector, bringing them closer to Legal Aid Commissions – again increasing the ability of services to attract and retain good lawyers.

    Unlike the previous agreement, with its inadequate fixed rate of indexation, funding will be increased in line with the Wage Cost Index – meaning Commonwealth funding will not go backwards in real terms over the life of the agreement.

    The previous agreement did not provide funding security for individual parts of the sector. States and territories could, if they wished, move money from one part to another, reducing the effective value of the Commonwealth contribution. The new agreement requires jurisdictions to maintain their investment for each part of the sector over the life of the agreement.

    This both maintains the value of the Commonwealth contribution and provides funding certainty to each part of the legal assistance sector.

    As some in this room may remember, the new agreement was announced at a meeting of First Ministers focused on gender-based violence, and appropriately so.

    Access to justice is vital for women and children trying to escape gender-based violence. It can be the difference between leaving and staying in a violent situation. It can be the difference between life and death.

    I’m proud that the largest relative funding increase for legal assistance in the new agreement was for Family Violence Prevention and Legal Services – a 112 per cent increase in Commonwealth funding compared to the preceding five years.

    We know that First Nations women experience disproportionate rates of family violence.

    Nationally, First Nations women are seven times more likely to be homicide victims than non-Indigenous women, and of those women, 75 per cent are killed by a current or former partner.

    First Nations women are 33 times more likely to be hospitalised due to family and domestic violence than non-Indigenous women.

    As my colleague Senator Malarndirri McCarthy, the Minister for Indigenous Australians, has said, this is a national shame.

    Doubling the funding for legal assistance services which help First Nations women escape domestic violence will not solve this problem on its own, but it is an important step forward.

    Let me be clear – I know there will always be unmet need in the sector.

    But I believe the new National Access to Justice Partnership is a momentous step forward.

    That’s why I have been disappointed to see some misrepresentation of what the new Agreement delivers.

    I expect demands from the legal profession for government to do more for the legal assistance sector.

    But misrepresenting facts helps no one, least of all those in the sector.

    Further, it makes little sense to make demands of the Commonwealth only.

    Legal assistance is a shared responsibility, and demands on government should not focus on the national government alone.

    For those in the audience who work in the community legal sector, I would like to say thank you.

    You are among the most talented, committed and hardworking lawyers in the country. The Australian Government values your work. I value your work.

    Privacy

    You may have noticed we passed a few bills last night and early this morning.

    I will go to just two of those tonight.

    The first enacts tranche one of our privacy reform agenda.

    The legislation does a great deal. It:

      • Creates a new statutory tort for serious invasions of privacy;
      • Creates a new criminal offence for the malicious release of personal data online, known as doxxing; and
      • Establishes provisions to enable the development of a new Children’s Online Privacy Code.

    A privacy tort is not a new idea. In fact, that is something of an understatement.

    In his 1969 Boyer Lectures Sir Zelman Cowen endorsed legislation to create an actionable right to seek redress for breaches of privacy.

    The bill provides for a new statutory cause of action for individuals who have suffered a serious invasion of their privacy, and applies it to both physical privacy and information privacy. Read the rest of this entry »

    Posted in Legal, Privacy | Post a comment »

    First the celebration about Privacy Reform quickly followed by a more assessment of the Privacy Commissioner’s resources to exercise her newly granted powers. The reality is sobering

    November 29, 2024

    Following the passage of the Privacy and Other Legislation Amendment Bill 2024 this morning it is not surprising that the Attorney General will take a victory lap with a press release titled Delivering stronger privacy protections for Australians. The sobering reality is that the Office of the Information Commissioner is currently under resourced. Innovation Aus reports in OAIC slashes staff to meet $11m budget crunch that the Office is sacking staff to comply with a 23% budget cut from the government.

    Not surprisingly the Privacy Commissioner took a moment to welcome her increased powers. She made the point of saying it was only the first step. And never a truer word was said.

    It makes little sense to provide enhanced powers to the Commissioner, presumably expecting her to exercise those powers, while cutting the resources necessary to exercise those powers. Unfortunately it is a familiar story with the Privacy Commissioner then Information Commissioner’s office.  That is not to say that the Office has occasionally used this problem as an excuse to be a timid regulator when more action was called for.

    The Attorney General’s media release provides:

    The Albanese Government has delivered landmark legislation to strengthen privacy protections for all Australians and outlaw doxxing.

    Australians want their privacy respected. When they are asked to hand over their personal data Australians expect it will be protected.

    The Privacy and Other Legislation Amendment Bill 2024 implements a first tranche of recommendations from the Privacy Act Review, including:

      • a new statutory tort to address serious invasions of privacy
      • a Children’s Online Privacy Code to better protect children from a range of online harms, including $3 million over three years for the Office of the Australian Information Commissioner to support its development
      • greater transparency for individuals affected by automated decisions
      • streamlined information sharing in the case of an emergency data breach, while ensuring that information is appropriately protected
      • stronger enforcement powers for the Australian Information Commissioner The legislation also introduces new criminal offences to outlaw doxxing with serious criminal penalties of up to 7 years imprisonment. Doxxing is a form of abuse that can affect all Australians but is often used against women in the context of domestic and family violence.

    The Government is committed to ensuring the Privacy Act works for all Australians and is fit for purpose in the digital age.

    The legislation builds on the significant steps already taken by the Albanese Government on privacy, including:

      • significantly increased penalties for repeated or serious privacy breaches
      • greater powers for the Australian Information Commissioner to resolve privacy breaches and quickly share information about data breaches
      • restoration of the standalone position of the Australian Privacy Commissioner

    The legislation passed today is just the first stage of the Albanese Government’s commitment to provide individuals with greater control over their personal information.

    The Albanese Government will continue to consult the Australian community on further privacy reforms.

    The Privacy Commissioner’s media release provides:

    The Office of the Australian Information Commissioner (OAIC) welcomes the passing of the Privacy and Other Legislation Amendment Bill 2024 as a significant step forward in advancing privacy protections for the Australian community.

    The Bill contains significant measures including:

      • the introduction of a statutory tort for serious invasions of privacy, giving individuals a route to seek redress for privacy harms in the courts
      • the expansion of the OAIC’s enforcement and investigation powers, including new tiers of civil penalties and the ability to issue infringement notices
      • a mandate for the OAIC to develop a Children’s Online Privacy Code, which will cover not only social media platforms but any online services likely to be accessed by children
      • a new mechanism to prescribe a ‘white list’ of countries and binding schemes with adequate privacy protections to facilitate cross-border data transfers
      • a requirement that privacy policies contain information about substantially automated decisions which significantly affect individuals’ rights or interests, including the kinds of decisions and kinds of personal information used.

    “These new powers and functions come at a critical time, as privacy harms increase and the Australian community demands more power over their personal information,” Australian Privacy Commissioner Carly Kind said.

    “They have had a long gestation. Many have campaigned for reform – in some cases for more than a decade – so their efforts need to be recognised today.

    “The reforms are an important first step. More needs to be done of course, and we appreciate the government’s commitment to further action.”

    The Innovation article provides:

    The privacy and information watchdog has slashed dozens of staff in response to a 23 per cent budget cut by government and a review by management consultants, sparking fears it will be ill equipped to deal with key policy changes like the social media ban.

    Senior officials confirmed the cuts on Wednesday and said a new  structure at the Office of the Australian Information Commissioner (OAIC) will in place from early next month. Read the rest of this entry »

    Posted in Privacy | Post a comment »

    Privacy and Other Legislation Amendment Bill 2024 passes Senate. It has passed both houses of Parliament and upon receiving Royal Assent will become law

    November 28, 2024

    The Privacy and Other Legislation Amendment Bill 2024 passed the Senate at  9:13PM on Thursday 28 November 2024.  The final vote was 31 ayes and 23 noes.

    With that the the substantive Bill passed both houses of Parliament. The relatively few amendments to the Bill, from recommendations of the Senate Committee Report, will be passed by the House in a special sitting this morning.

    The Statutory tort will be enacted.  It will come into effect on a date fixed by proclamation.  If no such date is fixed it will commence 6 months after the Act receives Royal Assent.  Royal assent occurs when the Bill is signed by the Governor General.  The process is that a certificate is signed by the Attorney-General which is sent to the Governor-General. The Governor-General gives the Royal Assent to the Bill by signing 2 copies of the Bill.

    Royal Assent will take place very soon.

    The Attorney General may advise when the statutory tort will commence but if he doesn’t and there is no specific date fixed by proclamation then it is a fair assumption that the statutory tort will come into effect in early June 2025.

    Posted in Privacy | Post a comment »

    Cyber Security Bill passed into Law on Wednesday

    November 27, 2024

    The Cyber Security Bill has had very quick progress through the Parliament. It was introduced last month, on 9 October 2024, had its second reading debate in the House of Representatives on 19 November, and was passed in the Senate on Monday 25 November 2024. It is part of a parcel of bills, the others being the Intelligence Services and Other Legislation Amendment (Cyber Security) Bill and the Security of Critical Infrastructure and Other Legislation Amendment (Enhanced Response and Prevention) Bill, to amend the Security of Critical Infrastructure Act 2018.

    The Bills were supported by the Coalition.

    The Ministers Second Reading speech states:

    That this bill be now read a second time.

    In introducing this legislation, I acknowledge the work done in its development from the former Minister for Home Affairs, now the Minister for Housing, and also acknowledge the work of the very large number of members of the Department of Home Affairs in the cybersecurity section, who have worked for some years in the development of the legislation in the national interest that I present to the House today.

    This bill, alongside the Intelligence Services and Other Legislation Amendment (Cyber Security) Bill and the Security of Critical Infrastructure and Other Legislation Amendment (Enhanced Response and Prevention) Bill, form the cybersecurity legislative reforms package. This package will collectively strengthen our national cyber defences and build cyber-resilience across the Australian economy.

    This suite of legislative reforms will implement key initiatives under the 2023-2030 Australian Cyber Security Strategy. This is a significant step in achieving the Australian government’s vision of becoming a world leader in cybersecurity by 2030. Read the rest of this entry »

    Posted in Privacy | Post a comment »

    The Senate Legal and Constitutional Affairs Legislation Committee releases its report on Privacy and Other Legislation Amendment Bill 2024 [Provisions]

    November 15, 2024

    The Senate Legal and Constitutional Affairs Legislation Committee yesterday released its report on Privacy and Other Legislation Amendment Bill 2024.  It is overwhelmingly supportive of the Bill. 

    Its recommendations are:

    Recommendation 1
     The committee recommends that the minimum consultation period for the Children’s Online Privacy Code is extended to at least 60 days.
    Recommendation 2
    The committee recommends that the bill is amended to include a requirement for the Information Commissioner to consult with relevant industry bodies or organisations when developing the Children’s Online Privacy Code.
    Recommendation 3
    The committee recommends the exclusion for media organisations from accessing personal information during declared emergencies is extended to exclude national broadcasters such as the ABC and Special Broadcasting Service.
    Recommendation 4
    The committee recommends that the bill is amended to empower the Information Commissioner to issue a discretionary notice to an entity to remedy an alleged breach of one or more of the provisions in section 13K before issuing an infringement notice.
    Recommendation 5
    The committee recommends that the Explanatory Memorandum to the bill is amended to make clear that the level of information required in privacy policies is not expected to compromise commercial-in-confidence information about automated decision-making systems.
    Recommendation 6
    The committee recommends that the Commonwealth government considers amending clause 7 of the bill to:
    • require a court to consider the matters of public interest that justify the invasion of the plaintiff’s privacy;
    • not require a defendant to adduce evidence of public interest in every case; and
    •provide that ‘artistic expression’ is a form of freedom of expression.
    Recommendation 7
    The committee recommends that the Commonwealth government considers amending Schedule 2 of the bill to ensure that the journalism exemption applies to a person involved in the publication, re-publication or distribution of journalistic material.
    Recommendation 8
    The committee recommends that Schedule 2 of the bill is amended to make clear that the concept of ‘journalistic material’ for the serious invasions of privacy tort includes ‘editorial’ material.
    Recommendation 9
    The committee recommends that Schedule 2 is amended to make clear that the power conferred on a court to issue an injunction is not limited to an ‘interim’ injunction.
    Recommendation 10
    Subject to the preceding recommendations, the committee recommends that the Senate passes the bill.

    What is notable about the Report is that Read the rest of this entry »

    Posted in Privacy | Post a comment »

    The Australian Information Commissioner publishes a guidance on tracking pixels

    November 5, 2024

    Tracking pixels are HTML code snippets which is loaded when someone visits a website. It is used for tracking user behaviour. Advertisers can use this data for online marketing and web analysis. In the latest of a surge of guidances the Office of the Australian Information Commissioner (“OAIC”) has published guidance on tracking pixels.

    Given the increased powers proposed in the Privacy and Other Amendments Bill 2024 organisations covered by the Privacy Act 1988 need to consider their use of tracking pixels before the amendments come into force.

    The media release provides:

    The Office of the Australian Information Commissioner (OAIC) has released guidance for private sector organisations to ensure they meet their obligations under the Australian Privacy Act when using third-party tracking pixels on their website.

    Publication of the guidance responds to industry demand for greater detail on the application of the Privacy Act to tracking technologies, as well as interest in the topic across government, media and the community.

    Many social media companies and other digital platforms offer tracking pixels. A tracking pixel is a piece of code generated by a third-party provider that can be placed on an organisation’s website to collect information about a user’s activity. When a user visits a webpage with a tracking pixel, the pixel loads and sends certain types of data to the server of the third-party provider.

    Pixels are one of many tracking tools, including cookies, that permit granular user surveillance across the internet and social media platforms. They can be important to business for analysis, advertising and measurement of return on investment.

    “However, many of these tracking tools are harmful, invasive and corrosive of online privacy,” Australian Privacy Commissioner Carly Kind said.

    “This is a real concern in the community with our Australian Community Attitudes to Privacy Survey 2023 finding that 69% of adults did not think it fair and reasonable that their personal information was used for online tracking, profiling and targeted advertising, with that rising to 89% when material was targeted at children.”

    The guidance makes clear that it is the responsibility of the organisation seeking to deploy a third-party tracking pixel on their website to ensure it is configured and used in a way that is compliant with the Privacy Act.

    Before deploying a third-party pixel, organisations should ensure they understand how the product works, identify the potential privacy risks involved and implement measures to mitigate those risks, and not adopt a ‘set and forget’ approach.

    Failing to conduct appropriate due diligence can create a range of privacy compliance and other legal risks.

    Consistent with the OAIC’s recent guidance on the use of generative AI products, the OAIC is seeking to expand its range of guidance for organisations so that they can continue to grow their businesses while meeting privacy obligations in a way that builds community trust.

    The guidance Read the rest of this entry »

    Posted in Commonwealth Privacy Commissioner, Privacy | Post a comment »

    « Previous Entries
    Next Entries »