Attorney General’s Review of the Privacy Act Report; Chapter 9, the Journalist exemption; analysis and review. The Report supports the core of the status quo but recommends amendments to require proper data security and compliance with the Data Breach Notification Scheme.

June 4, 2023

The Attorney General’s Report on the Privacy Act review considers the status of the journalistic exemption at chapter 9. Unlike the small business exemption and the business records exemption, the exemption for journalism has a strong public policy basis. Notwithstanding the media being involved in very serious privacy breaches over the years, there has always been an acknowledgment that there should be some form of exemption. The Report did not alter the core of the exemption but proposes bringing media organisations under the regulation of the Privacy Act regarding data security and data breach notification.

There was never likely to be a significant change to the way in which the Privacy Act dealt with the journalism exemption.  In 2008 the Australian Law Reform Commission did not recommend a change to the exemption.  That does not mean that the current regime is without flaws and problems which will continue after the Act is amended. 

In the main the responses ranged from the strongest supporters of retaining the exemption, primarily media companies, to those who wanted reform but were not prepared to remove the exemption. The rationale for the exemption is that it recognises the important and beneficial role of journalistic output in Australian society. That is made clear from the Explanatory Memorandum, which provides that it is to balance ‘the public interest in providing adequate safeguards for the handling of personal information and the public interest in allowing a free flow of information to the public through the media.’

The exemption is set out in section 7B(4) of the Privacy Act.  It provides:

(4)  An act done, or practice engaged in, by a media organisation is exempt for the purposes of paragraph 7(1)(ee) if the act is done, or the practice is engaged in:

(a)     by the organisation in the course of journalism; and

(b)     at a time when the organisation is publicly committed to observe standards that:

(i)      deal with privacy in the context of the activities of a media organisation (whether or not the standards also deal with other matters); and

(ii)    have been published in writing by the organisation or a person or body representing a class of media organisations.

A media organisation may publish such standards itself, or be a member of an industry body which has a published code of conduct containing privacy standards.

The Report noted

Quantum computers and their threat to privacy, and governmental dislike of encryption

May 31, 2023

At the moment it is all about Artificial Intelligence and the threat it poses. There are issues, but the concerns are at the moment more hypothetical than actual, while the benefits are real. Regulation is required.

What is missing from the discussion about technology, certainly where it involves privacy and cyber security, is the likely impact of quantum computers. Quantum computers have the potential to upend encrypted networks if they can find the key within a reasonable time. This issue is highlighted by The Times article Quantum computers that will decode your private app. The quantum computer threat is not immediate, but it is not far away either.

Meanwhile, at the other end, governments’ loathing of encryption, as discussed in Banning encryption is foolish and illiberal, can be equally damaging to viable privacy protection. In the United Kingdom, as here, there is an obsessive anti-encryption lobby. Encryption is critical for trusted communications, which are vital for effective and efficient business transactions. Banning encrypted communications or creating back doors damages trust in communications. In an information-orientated, service-dominated economy the harm far outweighs the concern that criminals use encrypted communications. Law enforcement has long dealt with, and found ways around, codes of silence and attempts to avoid surveillance. They have done so successfully. It is a matter of the same problem, different tools.

The Quantum Computer article provides:

Matt Hancock, be warned. It is not just fellow MPs and ghost writers who might leak your WhatsApp messages. You should start fretting about foreign intelligence agencies too.

Quantum computers that can crack internet encryption may be closer than we think, security experts say. If so, that means that anything sent securely today might be stored to be decrypted when such systems arrive — possibly within a decade.

Another reason to hate going to the dentist…a massive data breach involving ransomware which affects 8.9 million

May 30, 2023

There is sometimes fear and often plenty of pain in going to the dentist. For patients of Managed Care of North America (MCNA) Dental that experience got a lot worse. According to Bleeping Computer, a massive data breach has affected 8.9 million patients. Medical and dental insurance companies are prime targets for hackers as they hold huge troves of personal information, including payment details. That was the case with this attack. Names, addresses, social security numbers and other forms of personal information were accessed.

The Notice of Data Breach provides:

What happened?

On March 6, 2023, MCNA became aware of certain activity in our computer system that happened without our permission. We quickly took steps to stop that activity. We began an investigation right away. A special team was hired to help us. We learned a criminal was able to see and take copies of some information in our computer system between February 26, 2023 and March 7, 2023.

What information may have been involved?

Here is the kind of information that was seen and taken:

The UK Information Commissioner’s Office issues a reprimand for an old-fashioned data breach…leaving confidential information in paper form in a public area. Not every data breach is cyber related

The Information Commissioner’s Office (the “ICO”) has issued the Ministry of Justice a formal reprimand after confidential waste documents were left in an unsecured area. The focus of recent reporting about data breaches has been on the large-scale hacks of databases. However, data breaches involving documents left in public places or sent to parties not entitled to them can be equally damaging. In this reported data breach (at an unnamed prison facility) the damage is serious, as it revealed personal information about prison staff and inmates.

The press release provides:

The ICO has issued a formal reprimand to the Ministry of Justice (MoJ) after confidential waste documents were left in an unsecured prison holding area.

Prisoners and staff had access to the 14 bags of confidential documents, which included medical and security vetting details, for a period of 18 days.

During this time staff challenged prisoners who were openly reading the documents, but did nothing proactive to ensure the personal information was secured. At least 44 people had access to the information, which had remained on site as a contracted shredder waste removal company had not collected as scheduled.

The ICO investigation uncovered a lack of robust policies at the prison including:

    • no pre-agreed areas for staff to leave confidential waste in a secure place;
    • staff being unaware of the need to shred information or the risks of allowing prisoners access to non-shredded confidential documents;
    • inaccurate records of the number of staff who had completed data protection training; and
    • a general lack of staff understanding of the risks to personal data and the need to report data breaches.

The reprimand details a number of required or recommended actions including:

    • a thorough review of all data protection policies, procedures and guidance to ensure they are adequate and up to date with legislation; and
    • the creation of a separate data breach reporting policy for staff.

The MoJ is also required to provide the ICO with a progress report by the end of October 2023.

The reprimand relevantly

The Irish Data Protection Commission fines Meta 1.2 billion euros for unlawful US data transfers

May 23, 2023

Facebook/Meta continues to find itself in a . The Data Protection Commission (DPC) announced that it had issued its decision to fine Meta Platforms Ireland Limited €1.2 billion for breach of Article 46(1) of the General Data Protection Regulation (GDPR) relating to the delivery of its Facebook service.

The DPC commenced its inquiry into Meta in August 2020. In its draft decision it found that:

  • Meta’s data transfers to its US counterpart, Meta Platforms, Inc., were in breach of Article 46(1) of the GDPR;
  • such transfers should be suspended; and
  • the transfers were made on the basis of a transfer and processing agreement between Meta and its US counterpart, which incorporated the European Commission’s 2021 Standard Contractual Clauses (SCCs), and included a Transfer Impact Assessment (TIA), noting a record of safeguards Meta and/or its US counterpart had in place to safeguard transfers, among other things.

In its final decision the DPC found Meta in breach of Article 46(1) of the GDPR in relation to its transfer of personal data from the EU/EEA to the US, following the delivery of the Court of Justice of the European Union’s (CJEU) judgment in the Schrems II case.

The DPC noted that while the transfers took place on the basis of the updated 2021 SCCs, along with additional supplementary measures implemented by Meta, the arrangements were not sufficient to address the risks to fundamental rights and freedoms of data subjects identified by the CJEU in the Schrems II case.

It found that:

  • US law does not provide a level of protection that is essentially equivalent to that provided by EU law;
  • neither the 2010 SCCs, nor the 2021 SCCs, could compensate for the inadequate protection provided by US law;
  • the measures set out in Meta’s record of safeguards that form part of the TIA did not compensate for the inadequate protection provided by US law; and
  • it was not open to Meta to rely on the derogations provided for in Article 49(1) of the GDPR (or any of them) when making the data transfers.

As a consequence of that and on the basis of the EDPB’s decision of April 13, 2023, the DPC made the following orders:

  • a fine of €1.2 billion;
  • an order, under Article 58(2)(d) of the GDPR, to bring its processing operations into compliance with Chapter V of the GDPR, by way of ceasing the unlawful processing, including storage, in the US of personal data of EU/EEA users transferred in violation of the GDPR, within six months following the date of notification of the DPC’s decision to Meta; and
  • an order, under Article 58(2)(j) of the GDPR, to suspend future transfers of personal data to the US within the period of five months from the date of notification of the DPC’s decision to Meta.

The press release announcing

Turner v Bayer Australia Ltd (No 6) [2023] VSC 244 (10 May 2023): consideration by Victorian Court of GDPR obligations on a party whose discovery may contain personal information collected in the EU.

May 22, 2023

Justice Keogh in Turner v Bayer Australia Ltd (No 6) [2023] VSC 244 considered the interaction of Victorian law and the European privacy law, the General Data Protection Regulation (GDPR). The issue was whether releasing, and reporting on, personal information of individuals in documents generated in the EU attracts protections that the Court should consider in the context of media reporting of a Victorian proceeding.

FACTS

The proceeding is a product liability action concerning implanted permanent contraceptive medical devices identified collectively as the Essure device [1].

The trial commenced on 11 April 2023 and is estimated to run for 12 weeks [2].

Media organisations sought access to transcript and some of the documents relied on by the parties at trial.

The second defendant, Bayer Aktiengesellschaft, is a corporation registered in Germany [4].

Some of the defendants’ discovery was of documents that originated from Germany (‘EU documents’), some of which contained personal data of natural persons residing in the European Union (‘EU’), including:

  • names,
  • job titles,
  • signatures,
  • business email addresses, street addresses and phone numbers, and
  • personal email addresses, street addresses and phone numbers (‘EU data’) [4].

The defendants opposed the media having general access to transcript and EU documents used at trial because, they argued, the release of EU data would be a breach of the GDPR [4].

The defendants sought orders requiring that the media apply to the Court for release of transcript and any EU documents tendered at trial, give details of the context and purpose underpinning their request when applying for access, provide the parties with time to object to media access, and provide the parties further time to redact personal information from documents to be released [5].

The defendants relied on a report of Professor Dr Gregor Thüsing, a jurist and professor at the University of Bonn in Germany who has expertise in the European law of data protection and data security [12].

The court summarised

Report of the Privacy Act Review by the Attorney General’s Department: Chapter 8, the Political Exemption. Consideration and analysis. Not a particularly elegant solution to a difficult problem.

May 21, 2023

The political exemption in the Privacy Act raises public policy questions that the small business operator and employee records exemptions do not. It is also an area of law where the common law has developed to protect free speech. The Report undertakes a significant analysis.

The extent of the exemption:

Under the Privacy Act:

  • registered political parties are entirely exempt; and
  • under section 7C, political representatives (MPs and local government councillors), their affiliates and the affiliates of registered political parties are exempted in respect of acts and practices done for any purpose in connection with an election, a referendum, or participation in another aspect of the political process.

This means that currently if a registered political party collects, uses or discloses personal information for a purpose unconnected with the political process, it is not required to comply with the Act. Other political entities are only exempt from the Act’s requirements to the extent that they are handling information for purposes connected to the political process under section 7C.

Under this exemption a registered political party can handle personal information other than for a purpose connected to the political process and still be exempted from the Privacy Act provisions. This is an anomaly, given that the rationale for the exemption was to encourage freedom of political communication. There have been no reported instances of a political party taking advantage of this situation. That is probably because political parties are focused on collecting information only for political reasons.

Rationale for exemption

The stated rationale for the exemptions was:

  • to encourage freedom of political communication and enhance the operation of the electoral and political process in Australia; and
  • to operate in a manner consistent with the implied freedom of political communication under the Australian Constitution.

While the Australian Law Reform Commission in its Report 108 recognised the special status of political acts and practices under the Constitution as the most compelling reason for exempting the political acts and practices of political entities, it still concluded that registered political parties should be brought within the scope of the Act and that the exemption for political entities should be removed, to promote public confidence in the political process and remove the advantage which the exemption confers on incumbent political entities.

The Issues Paper sought feedback on whether political acts and practices should continue to be exempted from the operation of some or all of the Australian Privacy Principles.

The Discussion Paper canvassed the approach to regulating political parties under data protection laws in the UK, Canada and New Zealand.

The Report noted that almost all submissions on this exemption considered it was not justifiable and should be narrowed or removed. The OAIC submitted that there was little evidence that data protection laws operating in other countries have had any considerable impact on political parties’ ability to perform their basic democratic roles, including political communication.

The Report proposed amending the definition of ‘organisation’ to include registered political parties, and that they be included within the scope of the exemption in section 7C of the Act. Accordingly, registered political parties would be required to comply with the APPs in the handling of personal information, to the same extent as political representatives (and political affiliates), unless exempted by the operation of the exemption in section 7C.

Regarding transparency the Report:

  • confirmed there were concerns about transparency in the handling of voters’ information: political parties, in collecting personal information about voters from a variety of sources such as media and data brokerage services and the electoral rolls, can build large databases with detailed information about voters without their knowledge or consent. They are not required to inform voters of the ways in which their personal information is collected, or to specify how it will be used or disclosed.
  • considered that greater transparency in relation to political communication may not only be consistent with and support the constitutionally prescribed system of government but serve to protect it, citing LibertyWorks Inc v Commonwealth, where the High Court found that the purpose of the Foreign Influence Transparency Act 2018, making transparent the involvement of foreign interests in political communication, was consistent with the freedom of political communication and ‘reinforces the freedom despite doing so by burdening some political communication.’
  • proposed that the Act be amended to require political entities to be more transparent about how they handle personal information, by requiring entities that are covered by the political exemption in section 7C to have a privacy policy in accordance with APP 1.


Australian Communications and Media Authority finds that A Current Affair breaches its privacy rules regarding publishing the identity of a person in one of its reports.

May 20, 2023

The Australian Communications and Media Authority (“ACMA”) has found that A Current Affair breached privacy rules in relation to a report about a neighbourhood dispute broadcast on 21 March 2022.

The media release provides:

The Australian Communications and Media Authority (ACMA) has found TCN Channel Nine (Nine) breached privacy rules in a story on A Current Affair that included mobile phone footage of a dispute between neighbours.  

An ACMA investigation found the story breached a participant’s privacy by including his name, part of his residential address and unobscured video footage of his face without his consent.

Under the Commercial Television Industry Code of Practice, broadcasters must not air personal information without consent unless it is in the public interest. 

ACMA Chair Nerida O’Loughlin said broadcasters must respect the privacy of individuals included in news and current affairs reporting.

“Broadcasters may only disclose personal information without consent if it is relevant and proportional to the public interest,” Ms O’Loughlin said.  

“In this case our investigation found it wasn’t in the public interest for Nine to disclose the individual’s name and address because it wasn’t necessary to enable the audience to understand the overall issue.

“Even if material is already available in the public sphere, as some of this footage was, a licensee has an obligation to consider how broadcasting the material may further impact people’s privacy.”

As a result of the ACMA’s investigation the licensee will train staff in the privacy requirements of the code.

FACTS

In July 2022, the Australian Communications and Media Authority (the ACMA) commenced an investigation under the Broadcasting Services Act 1992 (the BSA) into an episode of A Current Affair.

The episode was broadcast

A timely reminder on the privacy risks with many apps. Apple blocked 1.7 million apps for privacy/security issues in 2022

May 18, 2023

Apps are notorious for having poor security and privacy controls. The reason is often as simple as the app designers wanting to get an app on the market as quickly as possible, often in competition with other designers for a similar product. The developers see no point in privacy by design and have scant regard for any privacy laws. That makes their apps easy targets for criminals.

And then there are the apps designed to skim information as part of a hack, or otherwise used for fraudulent purposes.

It is little wonder then that Apple blocks so many apps as Bleeping Computer writes in Apple blocked 1.7 million apps for privacy, security issues in 2022.

The article

National Institute of Science and Technology releases updated Advanced Encryption Standard (AES)

May 16, 2023

The National Institute of Science and Technology released the updated Advanced Encryption Standard (AES) on 9 May 2023.

At 46 pages it is the usual