Court of Justice of the European Union publishes judgment concerning the Registry Entries Agency of Bulgaria's refusal to delete certain personal data concerning an individual contained in a partnership agreement

October 7, 2024

The Court of Justice of the European Union (CJEU) has published its judgment (found here) concerning the Registry Entries Agency of Bulgaria's refusal to delete certain personal data concerning an individual contained in a partnership agreement published in the commercial register, considered under the General Data Protection Regulation (GDPR).

The claimant was a partner of a limited liability company under Bulgarian law.

On July 8, 2021, the claimant asked the Agency to delete the personal data contained in the partnership agreement, specifying that consent was withdrawn. The Agency did not respond, which led to a claim before the Administrative Court of Dobrich, which annulled the Agency’s implied refusal to delete the data and referred the case back to the Agency for a new decision. The Agency then provided, by letter, a certified copy of the relevant partnership agreement with the individual’s personal data concealed, with the exception of that required by law.

The individual claimant again brought an action before the Administrative Court seeking the annulment of the letter and an order that the Agency compensate the individual for the non-pecuniary damage caused by the letter, which infringed the rights conferred by the GDPR. The Administrative Court annulled the letter and ordered the Agency to compensate the individual for non-pecuniary damage pursuant to Article 82 of the GDPR. The Agency appealed to the Supreme Administrative Court, which subsequently referred the case to the CJEU.

The CJEU found:

  • that Directive 2017/1132 does not impose on a Member State an obligation to authorize the publication, in the commercial register, of a partnership contract subject to the mandatory publication provided for by the Directive and containing personal data other than the minimum personal data required, the publication of which is not required by the law of that Member State.

The Court of Justice of the European Union has published a judgment on health-related data

The CJEU has found that the General Data Protection Regulation (GDPR) does not preclude national legislation that confers on competitors of an alleged perpetrator of a GDPR infringement the right to bring civil proceedings against the alleged perpetrator on the grounds of such infringements and on the basis of the prohibition of unfair commercial practices. The Court also found that information that customers enter when ordering medicine online, such as names, delivery addresses, and elements necessary for the individualisation of medicines, constitutes data concerning health, even when the sale of such medicines is not subject to a medical prescription.

The Court found that:

  • those data are capable of revealing information about the health status of an identified or identifiable data subject by means of an intellectual operation involving comparison or deduction because a link is established between that person and a medicinal product, its therapeutic indications or its uses, irrespective of whether that information concerns the customer or any other person for whom the customer places the order.
  • in the absence of a prescription, it is immaterial whether it is only with a certain degree of probability and not with absolute certainty that those medicinal products are intended for the customers who ordered them.
  • to make a distinction according to the type of medicinal product and to whether or not the sale of those medicinal products requires a prescription would be contrary to the GDPR’s objective of ensuring a high level of protection.
  • the seller must inform those customers in an accurate, comprehensive and easily understandable manner of the specific characteristics and purposes of the processing of those data and request their explicit consent to that processing.

The case arose from a dispute between two pharmacies over whether marketing pharmacy-only medicines on Amazon Marketplace constituted an unfair commercial practice. The Regional Court of Dessau-Roßlau upheld this action whereas

T-Mobile ordered to pay $31.5 million for data breach

In the United States of America the regulators can impose very heavy penalties for data breaches. The Federal Trade Commission (“FTC”), the Securities and Exchange Commission (“SEC”) and the Federal Communications Commission (“FCC”) all have some jurisdiction over data security and can bring a complaint over data breaches. The most recent instance of a regulator taking action is T-Mobile settling a claim by the FCC over cyber security data breaches, as reported by Geekwire in T-Mobile to pay $31.5M in settlement with FCC over cybersecurity data breaches and US reaches $31.5 million settlement with T-Mobile over data breaches. This follows a settlement in September between the FCC and AT&T relating to a data breach in January 23 for the sum of US $13 million, as reported by Reuters.

The Geekwire article provides:

T-Mobile will pay $31.5 million in a data protection and cybersecurity settlement with the Federal Communications Commission, resolving investigations into data breaches that impacted millions of U.S. consumers, the agency announced Monday.

Information Commissioner registers new Privacy (Credit Reporting) Code (version 3.0)

October 2, 2024

Credit codes under the Privacy Act 1988 are very important, and a breach of them can result in serious difficulties for a credit provider. The Information Commissioner has registered the Privacy (Credit Reporting) Code 2024. The Commissioner’s media release provides a useful summary of the features of the new code, but it is an overview only. It is important for credit providers, and for those who act for clients with credit-related matters, to read the Code carefully. It is important that credit providers incorporate the new requirements into their documentation and processes. While that may sound trite, the failure to do so is quite common, particularly among non-bank credit providers.


Hundreds of email addresses shared by Victorian Victims of Crime Assistance Tribunal email error

October 1, 2024

The ABC reports in Hundreds of email addresses shared in Victims of Crime Assistance Tribunal administrative error that the email addresses of victims of crime were accidentally shared in an email advising of changes to the compensation application process. It appears that the email was sent to multiple addressees (480, according to the copy the ABC has seen); however, the addressees were not blind copied, so each recipient could read the email addresses of the other recipients. The addresses included first and last names. VOCAT sent two recall emails, which means very little.

The damage is done. Given that the addressees are victims of crime, some of which may involve stalking, the presumed damage would be greater than might otherwise be the case. Damages in privacy cases have not been significant in Australian cases. That is primarily because there have been relatively few reported cases where damages have been considered. In the United Kingdom the courts also took a restrained approach to damages; however, with increased litigation and the bench’s greater understanding of how privacy breaches can impact a person, the awards have risen, and egregious privacy breaches have raised the ceiling over time. In Victoria a complaint can be made under the Privacy and Data Protection Act 2014, with VCAT hearing the complaint. Under section 77(1)(a)(iv) it has jurisdiction to award damages of up to $100,000. There has been only one instance where an award of damages has been made, Zeqaj v Victoria Police (Human Rights) [2018] VCAT 1733. In that case the breach was proved and an award in the sum of $1,000 was made. That is derisory. The analysis was also very disappointing. The jurisprudence in VCAT should not make a complainant optimistic. It is very difficult to succeed, hence the award provision in the Act is virtually a dead letter. The analysis by VCAT is very disappointing and not consistent with privacy litigation in the UK or the USA, let alone Europe. The Office of the Victorian Information Commissioner has a page titled Assessing compensation claims for loss in privacy complaints, where it provides an overview of the law. It is fairly basic and not particularly sophisticated given the development of privacy in common law jurisdictions. It is useful given that all complaints must proceed through the Victorian Information Commissioner. Many complaints are mediated and resolved there. Better that than taking one’s chances in VCAT.

This type of error is all too common and especially prevalent in the public service. It is entirely preventable. Proper training and

Information Commissioner releases corporate plan for 2024 – 2025

September 30, 2024

Agencies release corporate plans. They are of variable quality and often drafted in terms vague enough to avoid criticism. The good plans say something, even if enough plausible deniability is buried in their dense prose. The Information Commissioner’s media release keeps with this approach.

It provides:

As the accountable authority, I am pleased to present the 2024–25 Office of the Australian Information Commissioner (OAIC) corporate plan for the 2024–25 to 2027–28 reporting periods, as required under paragraph 35(1)(b) of the Public Governance, Performance and Accountability Act 2013.

As an independent statutory agency, our office regulates privacy and freedom of information (FOI) under the Commonwealth Privacy Act 1988 and the Freedom of Information Act 1982 (FOI Act) and has information policy functions under the Australian Information Commissioner Act 2010. This corporate plan sets out our key activities and how we measure our performance.

Operation Turton, IBAC’s special report into hacking and misuse of information highlights the overlap of security, corruption and basic issues of privacy and data security. And the inadequacy of Australian privacy regulation

September 25, 2024

The Parliament of Victoria tabled a special report by Victoria’s Independent Broad-based Anti-corruption Commission (“IBAC”) titled Operation Turton. It is a report about repeated instances where employees inappropriately accessed and misused sensitive information at the Metropolitan Fire Brigade (MFB). It has been reported in the Australian and the Age. The investigation concluded in 2021.

The Report clearly goes to the behaviour of individuals and the misuse of private information for improper purposes. But for privacy practitioners it is a useful report, showing the need for proper data security practices and training. Fire Rescue Victoria had clear vulnerabilities in its data security which allowed the breaches that occurred.

In the analog age there was misuse of information contained in documents. Reports and correspondence were copied and leaked. The challenges of controlling information flow grew with the digitisation of documents, the use of email and the new means of leaking material. Under privacy legislation in every jurisdiction, governments and organisations must maintain adequate data security. That includes password protections and requiring proper authorisation to access certain documents. But every system has vulnerabilities, the prime one being a failure to properly maintain data security standards and check for weaknesses.

The Report:

  • identified five separate incidents where MFB information was accessed or disclosed without authorisation, with three incidents involving public servants from MFB’s Information and Communications Services business area.
  • found individuals shared sensitive MFB information directly with the United Firefighters Union (UFU) without permission.
  • found Mr Marshall sought assistance from employees to inappropriately gather sensitive information on internal investigations related to him, executive contracts and another confidential organisational matter.
  • identified MFB was operating with significant information security vulnerabilities and under a restrictive agreement with the UFU that impaired MFB’s ability to address issues.

The recommendations include:

Recommendation 1
Fire Rescue Victoria develops clear policies and procedures regarding the matters that may be the subject of consultation with employees and their representatives at the Consultation Committee, and in what circumstances Fire Rescue Victoria information may be disclosed to employees and their representatives to inform that consultation.

Recommendation 2
Fire Rescue Victoria addresses the information and communication technology security vulnerabilities and risks identified in Operation Turton by:
(a) actioning the consolidated findings of the audit and reviews conducted in this area since 2018

Hardware chain Total Tools suffers a data breach

September 23, 2024

Total Tools announced that it suffered a data breach which involved the loss of personal information. Total Tools’ statement is long and comprehensive. It is overlong, but that is a small criticism compared to the usual vague, brief, minimalist commentary that many Australian companies prefer to publish. It is still quite vague as to the cause of the breach, when it happened and for how long. That information is more often provided in statements by American companies, because there it tends to come out in any event. It has been reported that the breach involved the personal information of 38,000.

A media release should be part of a comprehensive data breach notification program. This one is better than many Australian statements. It provides:

Overview:

Total Tools has experienced a cyber incident on its website that resulted in the compromise of some customers’ personal information. The data that may have been compromised includes customer name, email address, Total Tools password, mobile number, shipping address, and certain credit card information belonging to customers who shopped or registered on our website recently.

What Happened?

We were made aware of an issue with our website, and upon further investigation, we identified evidence of suspicious activity occurring. Our team, along with third-party forensic and cyber security experts took expedited steps to investigate the incident and assist with our response.

What Are We Doing?

    • We are confident that the issue which caused the incident has been removed from our website.
    • We are continuing to monitor our network, and undertaking additional processes to maximise our security.
    • We have informed the relevant authorities, including the Australian Cyber Security Centre and the Office of the Australian Information Commissioner.
    • We have set out below several precautions we recommend that impacted customers consider taking to lower the risk of their information being potentially misused.


Office of the Information Commissioner reports that from January to June 2024 there was the highest number of data breaches for three and a half years

The Office of the Information Commissioner has released its data breach report for the first six months of 2024. It is a useful, if imperfect, indication of the number of notifiable data breaches in Australia. The latest report shows an increased number of reportable breaches, reaching the highest number in three and a half years. It should be a given that the figures set out in these reports are very much an indication of trends. The actual number of data breaches is significantly higher. Some industries are more assiduous than others in reporting. The legislation allows for considerable interpretation of what is a reportable data breach. The culture of reporting remains poor because the consequences of non-compliance with the legislation

The Commissioner provided a foreword to the Report in which she foreshadowed a more muscular approach to enforcement. Finally. The foreword provides:

Since the launch of the Notifiable Data Breaches (NDB) scheme in 2018, the Office of the Australian Information Commissioner (OAIC) has published statistical information about data breach notifications we have received. Our goal in doing so has been to help entities and the public understand privacy risks identified through the scheme, highlight areas that require attention and provide clarity around our regulatory approach.

Six years on, the NDB scheme is now mature, and we are moving into a new era in which our expectations of entities are higher, seen in our recent commencement of civil penalty proceedings against Medibank Private Limited and Australian Clinical Labs Limited. This enforcement action should send a strong message that keeping personal information secure and meeting the requirements of the NDB scheme must be priorities.

ASIC investigating how directors prepare for and respond to cyber attacks

September 18, 2024

The Australian Financial Review reports in ASIC pursues board directors over cyber breaches that ASIC is investigating how directors deal with cyber attacks, both before and after they happen. The ASIC Chair’s speech Effective compliance: Perspectives from the regulator highlights this increased focus.

ASIC has been quite active in taking action against companies that have suffered damage as a result of data breaches, most notably its civil penalty proceeding against RI Advice.

The speech by the ASIC chair