September 13, 2024
Yesterday the Government, via the Attorney General, introduced the Privacy and Other Legislation Amendment Bill 2024. If passed before Parliament is prorogued prior to next year's Federal election (which must be held by 17 May 2025 for there to be a concurrent House of Representatives and half Senate election), it will constitute a significant but modest reform of the quite inadequate Privacy Act.
The most significant change is the introduction of a Statutory Tort for Serious Invasions of Privacy. It will be found at Schedule 2. I have reproduced the entire Bill below.
I will post on this proposal in more detail later but the highlights are:
- the cause of action is confined to intrusion upon seclusion and/or misuse of information (clause 7) where a person had a reasonable expectation of privacy (clause 7(b)), the act(s) was/were intentional or reckless (clause 7(c)) and the invasion was serious (clause 7(d)).
- it is actionable per se.
- a defendant may rely on a public interest defence (clause 7(3)); the matters of public interest are listed at clause 7(4).
- reasonable expectation of privacy is defined using a non-exclusive list of matters for the Court to consider (clause 7(5)).
- seriousness is defined using factors to be weighed (clause 7(6)).
- there are other specific defences set out at clause 8.
- general damages are capped at the greater of $478,550 (clause 11(5)(c)) or the maximum awarded under defamation law. Aggravated damages cannot be awarded but exemplary damages may be awarded.
- the court can order an account of profits, issue an injunction, or make an apology order, a correction order or a declaration.
- the limitation period (clause 14) is:
  - for a plaintiff under the age of when the invasion of privacy occurred, before that person’s 21st birthday
  - for all other plaintiffs, the earlier of:
    - the day that is 1 year after the day on which the plaintiff became aware of the invasion of privacy
    - the day that is 3 years after the invasion of privacy occurred.
- there are immunities from suit, described as exemptions (at Part 3), for:
  - journalists
  - enforcement bodies
  - intelligence agencies
  - persons under the age of 18
- the Federal Circuit and Family Court of Australia (Division 2) has jurisdiction.
Other notable provisions are:
- Part 3 — Emergency declarations
- Part 4 — Children’s privacy; the development of a Children’s Online Privacy Code
- Part 8 — Penalties for interference with privacy
- Part 9 — Federal court orders; expanded scope of orders that can be made
- Part 15 — Automated decisions and privacy policies
- Schedule 3 — creation of doxxing offences, to be section 474.17C of the Criminal Code.
Given the significant recommendations that have not been acted upon in the 2008 and 2014 ALRC reports, and even in the Attorney General’s Report, the word “modest” is the best description for the proposed amendments. It could have been a whole lot more and led to a much better Privacy Act and, by extension, much better privacy protections for Australians.
The Conversation’s “Long-overdue Australian privacy law reform is here – and it’s still not fit for the digital era” aptly summarises the disappointing scope of the reform. It provides:
Almost four years since the Privacy Act review commenced, the Australian government has introduced a reform bill that fails to make most of the fundamental changes needed to modernise our privacy laws.
Attorney-General Mark Dreyfus said in May that the government would introduce legislation to reform a privacy regime that’s “woefully outdated and unfit for the digital age”. Read the rest of this entry »
Posted in Privacy
September 10, 2024
With amendments to the Privacy Act about to be introduced into the House of Representatives, or at least that is the expectation, it is worth listing the known significant data breaches in Australia in August:
- Bloom Hearing Specialists, which operates hundreds of clinics around Australia, confirmed that a “threat actor” had stolen data from the audiologist’s network. In a released statement, Bloom Hearing confirmed that the data includes medical and financial records of current, past and prospective patients as well as current and former employees and contractors.
- Regent Caravans was hit by RansomHub, losing 30 gigabytes of data, including a large number of CAD files for the company’s caravans, ordering details, and a folder full of ID card photos of the company’s employees.
Read the rest of this entry »
Posted in Privacy
September 9, 2024
NIST has released an update to its draft Digital Identity Guidelines (NIST Special Publication [SP] 800-63 Revision 4 and its companion publications SPs 800-63A, 800-63B and 800-63C). While the focus of these guidelines is US practice and law, the issues they deal with are universal when it comes to data management, privacy and security.
The public release provides:
“Today’s draft revision from NIST highlights the Biden-Harris administration’s commitment to strengthening anti-fraud controls while ensuring broad and equitable access to digital services,” said Jason Miller, deputy director for management at the Office of Management and Budget. “By incorporating feedback from private industry, federal agencies, privacy and civil rights advocacy groups, and members of the public, NIST has developed strong and fair draft guidelines that, when finalized, will help federal agencies better defend against evolving threats while providing critical benefits and services to the American people, particularly those that need them most.”
“Everyone should be able to lawfully access government services, regardless of their chosen methods of identification,” said Under Secretary of Commerce for Standards and Technology and NIST Director Laurie E. Locascio. “These improved guidelines are intended to help organizations of all kinds manage risk and prevent fraud while ensuring that digital services are lawfully accessible to all.” Read the rest of this entry »
Posted in Privacy
Regulators are now publishing guidelines on AI at a rapid rate while legislatures are grappling with legislation. On September 5, 2024, the Council of Europe (CoE) announced that the Framework Convention on Artificial Intelligence and Human Rights, Democracy and the Rule of Law (the Convention) was open for signature. The latest is the New South Wales Information Commissioner’s guide on Privacy Impact Assessments on AI systems and projects. It released the Guide on Friday. The guide also supports agencies in undertaking privacy-related assessments under the NSW AI Assessment Framework (AIAF) and the National framework for the assurance of AI in government.
The guide provides advice to agencies on:
- determining when a PIA is necessary;
- determining the likely scope and scale of a PIA;
- PIA considerations when assessing AI systems and projects; and
- common AI privacy risks and mitigations.
The press release provides:
The Information and Privacy Commission (IPC) has released its new Guide to undertaking Privacy Impact Assessments on AI systems and projects for consultation and feedback.
The Guide has been developed to support agencies in understanding, assessing and mitigating privacy risks in relation to the use of AI systems and projects when undertaking Privacy Impact Assessments (PIAs). It also supports agencies in undertaking privacy related assessments under the NSW AI Assessment Framework (AIAF) and the National framework for the assurance of artificial intelligence in government.
The new Guide builds on and is complementary to the Guide to Privacy Impact Assessments in NSW, to provide more specific guidance on AI-related privacy risks.
The IPC values the input of privacy practitioners in NSW and is seeking feedback on this updated guidance. In particular, feedback would be appreciated for the following focus questions: Read the rest of this entry »
Posted in Privacy
September 6, 2024
On September 5, 2024, the UK Ministry of Justice (MoJ) announced that the UK had signed the first legally binding treaty governing the safe use of artificial intelligence (AI). The new framework, agreed by the Council of Europe, commits parties to collective action to manage AI products and protect the public from potential misuse.
The treaty has three over-arching safeguards, namely:
- protecting human rights, including ensuring people’s data is used appropriately, their privacy is respected, and AI does not discriminate against them;
- protecting democracy by ensuring countries take steps to prevent public institutions and processes from being undermined; and
- protecting the rule of law by putting the onus on signatory countries to regulate AI-specific risks, protect their citizens from potential harm, and ensure AI is used safely.
The treaty requires countries to monitor AI development and ensure any technology is managed within strict parameters, and it includes provisions to protect the public and their data, human rights, democracy, and the rule of law.
Countries must also act against activities that fall outside these parameters, to tackle the misuse of AI models which pose a risk to public services and the wider public.
Meanwhile in Australia, again on September 5, 2024, the Department of Industry, Science, and Resources (DISR) announced a public consultation on a 69-page proposal paper to introduce mandatory guardrails for the safe and responsible use of artificial intelligence (AI) in high-risk settings.
The proposed mandatory guardrails Read the rest of this entry »
Posted in Privacy
September 3, 2024
Western Australia is slowly moving towards having a Privacy Act. The Privacy and Responsible Information Sharing Bill 2024 has passed the Legislative Assembly and is working its way through the Legislative Council. It is principles-based legislation, modelled broadly on the Victorian/New South Wales/Queensland legislation. Its complaint and enforcement provisions are, like those of the other State Acts, quite process-orientated and generally weak. It has a significant weakness in dealing with complaints which are not resolved by conciliation. Under the legislation a complaint is determined by the Information Commissioner (section 104). However, the Commissioner is also involved in the mandatory attempt at conciliation of a complaint. A party should have a complaint heard by an independent judicial or quasi-judicial body, preferably a court. Tribunals have a poor record in considering privacy complaints. The jurisprudence of the Victorian Civil and Administrative Tribunal has been so ineffective as to render the enforcement provisions in Victoria a dead letter.
There will be 11 Information Privacy Principles (“IPPs”), which will apply to IPP Entities. These will include WA public entities and their contracted service providers, WA Government trading enterprises and departments, and local and regional governments.
Most of the IPPs follow the same structure as the Commonwealth APPs and State IPPs. A new development is a principle dealing with Automated Decision Making. The weakness of the IPPs is that they are replete with exceptions, being drafted in general terms and with vague terminology (such as what is “reasonable”). That has tended to be interpreted by Courts, Tribunals and Commissioners in favour of the entities. As such the protections are not as effective as they appear on paper.
Some of the key IPPs are:
IPP 1: Collection
Collection must be “necessary” for one or more of the IPP Entity’s functions or activities. Personal information must be collected in a “fair and reasonable”, Read the rest of this entry »
Posted in Privacy
August 20, 2024
Privacy reform in Australia is an object lesson in what not to do. Reform has been tentative, minimalist and always inadequate. It has been handled poorly by governments of all persuasions. The latest turn of the screw is the news, courtesy of InnovationAus, that the bills to amend the Privacy Act 1988 will not be introduced into the House of Representatives in the August session. Instead they will be introduced in the September sittings, commencing 9 September 2024. The stated reason for this was legislative congestion. The Bill will be referred to committee and any amendment proposal(s) is likely to occur there. It is hard to see the Bill returning to the House for a third reading and vote before the November sittings. Even if it passes the House of Representatives in November, it is ambitious to expect it to be introduced into the Senate and pass later in November 2024. Which means it will be carried over to the sittings in 2025. And that may pose a problem. The latest the Government can have an election for both Houses of Parliament simultaneously is 17 May 2025. The budget is in May and Easter commences 18 April 2025. That means an election in March or early April is possible, if not likely. That means proroguing Parliament in late January or February. If the Bill has not been passed before Parliament is prorogued, then it lapses and the process has to start over.
It is a very disappointing development. It shows what happen Read the rest of this entry »
Posted in Privacy
August 15, 2024
Last month the Office of the Victorian Information Commissioner was conducting preliminary enquiries with the University of Melbourne regarding the use of its surveillance technology to identify and bring misconduct hearings against students who undertook Pro Palestine sit-ins. In July the University released a statement under the heading Conflict in the Middle East and activism on campus, where it stated that the “University of Melbourne ... is a diverse, multi-cultural and multi-faith community ...”, that it “has a duty to uphold the principles of academic freedom and freedom of speech, and respect for legitimate and peaceful protest is core to our university’s values, as well as an activity protected by law”, that it “operates fairly and in accordance with the law. Our policies also provide the basis for addressing actions or behaviours that adversely affect other members of the University community” and that it seeks “to understand and implement appropriate support for students and graduate researchers during this time, with an increase in provisions for health and wellbeing, assessments, and safety on our campuses.” Waffly boilerplate that many organisations cobble together to cover and justify other activities and mask other behaviours not so consistent with the principles of the Enlightenment, which Universities should use as a touchstone. Such as using surveillance technology to bring action against students for conducting a sit-in. As a result of disciplinary hearings 21 students received warnings.
OVIC has now confirmed that it will launch an investigation into the University of Melbourne under the Privacy and Data Protection Act 2014.
The confirmation was reported by The Australian in “OVIC to probe Melbourne Uni over student surveillance”, which provides:
The Office of the Victorian Information Commissioner will launch an investigation into the University of Melbourne after the academic institution used surveillance technology to gather evidence against students involved in a sit-in at a campus building.
Last month OVIC confirmed it was conducting preliminary enquiries with the university.
Victorian Information Commissioner Sean Morrison on Thursday confirmed the office has now decided to escalate the matter.
“Following conducting preliminary inquiries, the Privacy and Data Protection Deputy Commissioner has decided to commence an investigation under the Privacy and Data Protection Act 2014,” he said in a statement to The Australian.
“Given this is an active matter OVIC is unable to comment further until the investigation has concluded.”
In July, 21 students faced misconduct hearings before senior university representatives.
The students were notified of the disciplinary proceedings when the university sent them an email informing them they had breached its code of conduct during demonstrations and cited evidence from CCTV footage and Wi-Fi data obtained from the university’s network tracking their movements within the Arts West building during the 10-day sit in. Read the rest of this entry »
Posted in Privacy, Victorian law
August 10, 2024
Cyber attacks on service providers working for large institutions, especially in the health sector, are common. Health services often contract out IT services, as the NHS did with Advanced Computer Software Group Ltd (Advanced). Unfortunately, organisations and agencies spend insufficient time ensuring that those contractors maintain adequate cyber protections and proper training regimes for their staff. Advanced provided IT services and handled personal information collected by the UK National Health Service in its capacity as a data processor. In August 2022 Advanced was hit with a ransomware attack, which also involved the personal information of 82,946 people being exfiltrated. The NHS was affected in that it was unable to access patient records. The ICO has announced that it will fine Advanced 6.09 million pounds.
The announcement provides:
We have provisionally decided to fine Advanced Computer Software Group Ltd (Advanced) £6.09m, following an initial finding that the provider failed to implement measures to protect the personal information of 82,946 people, including some sensitive personal information.
Advanced provides IT and software services to organisations on a national scale, including the NHS and other healthcare providers, and handles people’s personal information on behalf of these organisations as their data processor. Read the rest of this entry »
Posted in UK Information Commissioner's Office
August 6, 2024
The FTC, through the Department of Justice, has commenced an action against the video-sharing platform TikTok and its parent company ByteDance, alleging that they flagrantly violated the Children’s Online Privacy Protection Act (COPPA). The FTC also alleges that TikTok infringed an existing FTC 2019 consent order against TikTok for violating COPPA, shortly after it went into effect. The FTC further alleges that two TikTok entities (previously Musical.ly and Musical.ly Inc., which ByteDance acquired in 2017 and renamed) agreed to the terms of that order to settle allegations that they violated the COPPA Rule by unlawfully collecting personal information from children under the age of 13.
The complaint alleges defendants failed to comply with the COPPA requirement to notify and obtain parental consent before collecting and using personal information from children under the age of 13.
The Press Release provides:
On behalf of the Federal Trade Commission, the Department of Justice sued video-sharing platform TikTok, its parent company ByteDance, as well as its affiliated companies, with flagrantly violating a children’s privacy law—the Children’s Online Privacy Protection Act—and also alleged they infringed an existing FTC 2019 consent order against TikTok for violating COPPA.
The complaint alleges defendants failed to comply with the COPPA requirement to notify and obtain parental consent before collecting and using personal information from children under the age of 13.
“TikTok knowingly and repeatedly violated kids’ privacy, threatening the safety of millions of children across the country,” said FTC Chair Lina M. Khan. “The FTC will continue to use the full scope of its authorities to protect children online—especially as firms deploy increasingly sophisticated digital tools to surveil kids and profit from their data.” Read the rest of this entry »
Posted in Federal Trade Commission, Privacy