November 28, 2024
The Privacy and Other Legislation Amendment Bill 2024 passed the Senate at 9:13PM on Thursday 28 November 2024. The final vote was 31 ayes and 23 noes.
With that the substantive Bill passed both houses of Parliament. The relatively few amendments to the Bill, from recommendations of the Senate Committee Report, will be passed by the House in a special sitting this morning.
The statutory tort will be enacted. It will come into effect on a date fixed by proclamation. If no such date is fixed it will commence 6 months after the Act receives Royal Assent. Royal Assent occurs when the Bill is signed by the Governor-General. The process is that a certificate is signed by the Attorney-General which is sent to the Governor-General. The Governor-General gives the Royal Assent to the Bill by signing 2 copies of the Bill.
Royal Assent will take place very soon.
The Attorney-General may advise when the statutory tort will commence, but if he doesn’t and there is no specific date fixed by proclamation then it is a fair assumption that the statutory tort will come into effect in early June 2025.
Posted in Privacy
November 27, 2024
The Cyber Security Bill has progressed very quickly through the Parliament. It was introduced last month, on 9 October 2024, had its second reading debate in the House of Representatives on 19 November, and was passed in the Senate on Monday 25 November 2024. It is part of a parcel of bills, the others being the Intelligence Services and Other Legislation Amendment (Cyber Security) Bill and the Security of Critical Infrastructure and Other Legislation Amendment (Enhanced Response and Prevention) Bill, to amend the Security of Critical Infrastructure Act 2018.
The Bills were supported by the Coalition.
The Minister’s Second Reading speech states:
That this bill be now read a second time.
In introducing this legislation, I acknowledge the work done in its development from the former Minister for Home Affairs, now the Minister for Housing, and also acknowledge the work of the very large number of members of the Department of Home Affairs in the cybersecurity section, who have worked for some years in the development of the legislation in the national interest that I present to the House today.
This bill, alongside the Intelligence Services and Other Legislation Amendment (Cyber Security) Bill and the Security of Critical Infrastructure and Other Legislation Amendment (Enhanced Response and Prevention) Bill, form the cybersecurity legislative reforms package. This package will collectively strengthen our national cyber defences and build cyber-resilience across the Australian economy.
This suite of legislative reforms will implement key initiatives under the 2023-2030 Australian Cyber Security Strategy. This is a significant step in achieving the Australian government’s vision of becoming a world leader in cybersecurity by 2030.
Posted in Privacy
November 15, 2024
The Senate Legal and Constitutional Affairs Legislation Committee yesterday released its report on the Privacy and Other Legislation Amendment Bill 2024. It is overwhelmingly supportive of the Bill.
Its recommendations are:
Recommendation 1
The committee recommends that the minimum consultation period for the Children’s Online Privacy Code is extended to at least 60 days.
Recommendation 2
The committee recommends that the bill is amended to include a requirement for the Information Commissioner to consult with relevant industry bodies or organisations when developing the Children’s Online Privacy Code.
Recommendation 3
The committee recommends the exclusion for media organisations from accessing personal information during declared emergencies is extended to exclude national broadcasters such as the ABC and Special Broadcasting Service.
Recommendation 4
The committee recommends that the bill is amended to empower the Information Commissioner to issue a discretionary notice to an entity to remedy an alleged breach of one or more of the provisions in section 13K before issuing an infringement notice.
Recommendation 5
The committee recommends that the Explanatory Memorandum to the bill is amended to make clear that the level of information required in privacy policies is not expected to compromise commercial-in-confidence information about automated decision-making systems.
Recommendation 6
The committee recommends that the Commonwealth government considers amending clause 7 of the bill to:
• require a court to consider the matters of public interest that justify the invasion of the plaintiff’s privacy;
• not require a defendant to adduce evidence of public interest in every case; and
• provide that ‘artistic expression’ is a form of freedom of expression.
Recommendation 7
The committee recommends that the Commonwealth government considers amending Schedule 2 of the bill to ensure that the journalism exemption applies to a person involved in the publication, re-publication or distribution of journalistic material.
Recommendation 8
The committee recommends that Schedule 2 of the bill is amended to make clear that the concept of ‘journalistic material’ for the serious invasions of privacy tort includes ‘editorial’ material.
Recommendation 9
The committee recommends that Schedule 2 is amended to make clear that the power conferred on a court to issue an injunction is not limited to an ‘interim’ injunction.
Recommendation 10
Subject to the preceding recommendations, the committee recommends that the Senate passes the bill.
What is notable about the Report is that
Posted in Privacy
November 5, 2024
Tracking pixels are HTML code snippets which are loaded when someone visits a website. They are used for tracking user behaviour. Advertisers can use this data for online marketing and web analysis. In the latest of a surge of guidances, the Office of the Australian Information Commissioner (“OAIC”) has published guidance on tracking pixels.
Given the increased powers proposed in the Privacy and Other Amendments Bill 2024, organisations covered by the Privacy Act 1988 need to consider their use of tracking pixels before the amendments come into force.
The media release provides:
The Office of the Australian Information Commissioner (OAIC) has released guidance for private sector organisations to ensure they meet their obligations under the Australian Privacy Act when using third-party tracking pixels on their website.
Publication of the guidance responds to industry demand for greater detail on the application of the Privacy Act to tracking technologies, as well as interest in the topic across government, media and the community.
Many social media companies and other digital platforms offer tracking pixels. A tracking pixel is a piece of code generated by a third-party provider that can be placed on an organisation’s website to collect information about a user’s activity. When a user visits a webpage with a tracking pixel, the pixel loads and sends certain types of data to the server of the third-party provider.
Pixels are one of many tracking tools, including cookies, that permit granular user surveillance across the internet and social media platforms. They can be important to business for analysis, advertising and measurement of return on investment.
“However, many of these tracking tools are harmful, invasive and corrosive of online privacy,” Australian Privacy Commissioner Carly Kind said.
“This is a real concern in the community with our Australian Community Attitudes to Privacy Survey 2023 finding that 69% of adults did not think it fair and reasonable that their personal information was used for online tracking, profiling and targeted advertising, with that rising to 89% when material was targeted at children.”
The guidance makes clear that it is the responsibility of the organisation seeking to deploy a third-party tracking pixel on their website to ensure it is configured and used in a way that is compliant with the Privacy Act.
Before deploying a third-party pixel, organisations should ensure they understand how the product works, identify the potential privacy risks involved and implement measures to mitigate those risks, and not adopt a ‘set and forget’ approach.
Failing to conduct appropriate due diligence can create a range of privacy compliance and other legal risks.
Consistent with the OAIC’s recent guidance on the use of generative AI products, the OAIC is seeking to expand its range of guidance for organisations so that they can continue to grow their businesses while meeting privacy obligations in a way that builds community trust.
The guidance
Posted in Commonwealth Privacy Commissioner, Privacy
November 1, 2024
It is annual report season for Government agencies and authorities, and that includes the Office of the Australian Information Commissioner. Yesterday the Commissioner released its 194-page Annual Report for 2023–24.
Given the significant amendments to the Privacy Act 1988, it is better to look forward to how the Privacy Commissioner approaches her responsibilities with newfound powers rather than poring over the activities of the Privacy Commissioner over the past year. On that note, the work rate improved but it remained a timid regulator by any measure, which is a pity given the Information Commissioner’s remuneration was $576,174 and Deputy Commissioner Elizabeth Hampton’s was $380,091. The relatively newly appointed Privacy Commissioner, Carly Kind, is on $109,239.
In relation to privacy complaints the Commissioner stated:
Privacy has been very much in the spotlight, with the continuing incidence of major data breaches. In 2023–24, we received 13% more notifications under the Notifiable Data Breaches (NDB) scheme than the year prior, when there was a 4% increase. We lifted our response rate, closing 84% of notifications within 60 days (compared to 77% last reporting year). In the 2022–23 financial year we received a 34% increase in privacy complaints. This year, complaints have remained relatively high, with a slight decrease of 5% year on year. We successfully responded to this high demand, finalising 20% more privacy complaints (3,104 in total), building on last year’s increase of 17% (2,576 finalised in total).
We continued our focus on clearing longer-standing, generally more complex and resource-intensive complaints, finalising 84% (271) of the 322 matters that were over 12 months old as at June 2023. At the same time, more recent complaints increased in age over the reporting period. The volume of complaints, combined with the focus on the longest-standing, meant that by the year’s end there was an overall increase in matters older than 12 months to 729. The OAIC will continue to focus on aging cases through process efficiencies and the strategic application of resources.
What is quite unusual is that
Posted in Commonwealth Privacy Commissioner, Legal, Privacy
October 25, 2024
The Australian Government has put forward a Bill to increase penalties for breaches of the Privacy Act. That is to be welcomed. However, the penalties available to the regulators under the GDPR dwarf anything the Australian authorities could levy and the obligations are far stricter. That is demonstrated by the Irish Data Protection Commission fining LinkedIn Ireland 310 million euros for breaches of the GDPR for processing personal data to use it for behavioural analysis and targeted advertising.
The Commission’s media release:
The Irish Data Protection Commission (DPC) has today announced its final decision following an inquiry into LinkedIn Ireland Unlimited Company (LinkedIn). This inquiry was launched by the DPC, in its role as the lead supervisory authority for LinkedIn, following a complaint initially made to the French Data Protection Authority.
The inquiry examined LinkedIn’s processing of personal data for the purposes of behavioural analysis and targeted advertising of users who have created LinkedIn profiles (members). The decision, which was made by the Commissioners for Data Protection, Dr Des Hogan and Dale Sunderland, and notified to LinkedIn on 22 October 2024, concerns the lawfulness, fairness and transparency of this processing. The decision includes a reprimand, an order for LinkedIn to bring its processing into compliance, and administrative fines totalling €310 million.
Posted in Privacy
The Department of Home Affairs is partly responsible for the Government’s handling and regulation of cyber security. It has developed the 2023-2030 Australian Cyber Security Strategy. So it is all the more galling that it has reportedly suffered a data breach which has exposed visa and passport details. But there should not be too much surprise. The Information Commissioner identified a trend of increasing attacks on Government websites. Government departments rely on and enjoy collecting masses of information.
The Australian article on the breach provides:
Cyber criminals have accessed sensitive visa and passport details, drivers’ licences and other personal information held by a data firm contracted by the Department of Home Affairs, which oversees Australia’s cyber security architecture and policy.
Visa-holders using the department’s Free Translating Service have been warned their visa application, grant and subclass numbers, full names, dates of birth, mobile numbers, email addresses, drivers licences and passports are compromised.
Posted in Privacy
October 24, 2024
The Australian Information Commissioner has issued updated guidance for charities and other not-for-profit organisations. Guidances are not regulations but they are very important. Organisations which comply with the guidances and somehow still have a data breach or other form of interference with privacy may be able to argue that they have done all that was required of them. The reality is that if more organisations focused on complying with guidances and standards there would be far fewer data breaches. Clearly all investigations are fact specific and compliance with a guideline does not provide any sort of immunity.
The statement from the Commissioner provides:
The updated guidance includes expanded advice on security of information, and steps that not-for-profits can put in place to ensure compliance with their retention and destruction obligations.
In particular, the updated guidance includes discussion on what to consider when engaging third-party providers, such as for fundraising, or software vendors. This area is particularly topical in the wake of high-profile data breaches affecting charities and NFPs.
Privacy Commissioner Carly Kind said the guidelines aim to help charities navigate their privacy responsibilities when collecting and handling personal information, and understand their obligations under the Privacy Act.
“We know how critical trust is to the work of not-for-profits and charities, and how important good privacy practices are to that trust”.
Posted in Commonwealth Privacy Commissioner, Privacy
The Personal Data Protection Commission of Singapore issued three undertakings on Orchid Hotel Pte Ltd, Absolute Telecom Pte Ltd and Hiap Seng Engineering Ltd stemming from ransomware attacks involving each of the companies. Those data breaches were due to insufficient IT security measures. The attacks affected the personal data of over 690,000 individuals.
The Commission requires affected organisations to implement remediation plans to rectify the immediate breach and address any systemic shortcomings to ensure compliance with the PDPA on a continual basis, such as:
- Enforcing a stricter password policy requiring strong and unique passwords for all accounts
- Implementing Multi-Factor Authentication (MFA)
- Engaging a DPE service provider to implement basic data protection and cybersecurity measures
- Conducting training sessions for employees to raise their awareness of data protection and cybersecurity best practices
Posted in Privacy
October 22, 2024
The National Institute of Standards and Technology (“NIST”) has released a public draft on the use of cryptography and transitioning to stronger cryptographic keys and algorithms.
The abstract provides:
NIST provides cryptographic key management guidance for defining and implementing appropriate key-management procedures, using algorithms that adequately protect sensitive information, and planning for possible changes in the use of cryptography because of algorithm breaks or the availability of more powerful computing techniques. This publication provides guidance for transitions to the use of stronger cryptographic keys and more robust algorithms.
Interesting points
Posted in Privacy