Peter A Clarke

The case of Kate Aston being videoed walking out of a bathroom and Nathalie Matthews being concerned about intimate videos she filmed would be made public raises issues of privacy protections in each case and what each could do to protect their privacy. Particularly with the statutory tort of serious invasion of privacy coming into operation on 10 June 2025.

While both factual situations are unique they are not, in broad strokes, all that unusual in privacy law.  The use of videos and cameras used in a setting which should be private and which clearly cause serious distress is not unknown. Many cases, almost invariably resulting in a prosecution, involve the use of a camera/video in a toilet. But there is no hard dividing line taking photos or videos of someone in a toilet and photographing or videoing someone with that same equipment who are leaving a toilet.  The question is whether there is a reasonable expectation of privacy.  In case of someone using the toiletry facilities the answer is clearly yes.  In terms of someone leaving a toilet it is most likely yes.  The distinction is slight.  One can have a reasonable expectation of privacy in a semi public or even public space. In 2008 the UK Court of Appeal in Murray v Big Pictures (UK) Ltd [2008] EWCA Civ 446 found that a child had a right to privacy in a public space. The Mrs Murray in that case writes under the nome de plume of JK Rowling. While the claim was brought on behalf of the Murray’s child the defendant’s interest was more about capturing an image of Mrs Murray with her family, child especially.  While that case focused on the rights of the child the subsequently developed principles apply to adults. It depends on the circumstances.  And those circumstances do not assist someone who intentionally waits outside a toilet and uses the video to catch another on film leaving the toilet.  And then posts that footage on line.  

According to 7 News Ms Aston has commenced legal action. Whether that is a claim in privacy, equity, defamation or any other cause of action is unknown.  

According to the Australian report of the Matthews case the concern is there are intimate videos would be made public and that motivated her to apply for a domestic violence order.  The abuse of intimate videos, previously made consensualy, have been the subject of two superior court decisions in Australia; the Victorian Court of Appeal decision in  Giller v Procopets [2008] 24 VR 1 and the Western Australian decision of Wilson v Ferguson [2015] WASC 15 which I posted on in 2015.  

Either of these cases could be run without the statutory tort of serious invasion of privacy.  With that tort extant and these fact situations commencing after 10 June 2025 the tort is available to either.  The strength of the case depends on all of the facts, not just the media coverage. 

It is interesting to read Read the rest of this entry »

The desire if not obsession of government agencies and private organisations and companies to collect and store information has been a problem as long as there has been the capacity to make records. It has been regularly satirised (eg Brazil). it is no joke.  Digitisation and increased ability to  economically store vast stores of data has meant that governments, organisations and companies could collect much more personal information than thought possible in the analog era.  More importantly, advanced computing especially the use of algorithms made that data particularly valuable.  As a result many government bodies and companies hold an enormous amount of personal information.  In cyber security language that is sometimes described as the honey pot.  The question often posed is, how to reduce this honey pot and thereby minimise the exposure to individuals losing their personal information. One of the solutions raised is to require agencies and companies to remove data.  That is the product of wrong analysis.  It implies that the regulation is lacking.  That is not correct.  The laws are adequate.  It is the regulation and enforcement of those laws, especially the Privacy Act 1988, that has been inadequate over a very long time.  As a result there is complacency in the market place.  Under the Privacy Act 1988 an entity should only collect personal information relevant to its primary purpose.  It should only retain that personal information for as long as it is relevant to that purpose.  That, especially, companies collect as much information as possible on the most tenuous bases is a matter of their desire, not compliance with the law.  The problem is that they have not been called on it.  There have not been enough cases in the Federal Court where those breaches have not been prosecuted.  All of this is not to say the Privacy Act 1988 needs further reform.  It does.  But the issue of data hoarding can be dealt with by a determined, effective and properly resourced regulator.  

The ABC has published an interesting essay Experts say forcing companies to delete data would remove cybercrime ‘honey pot‘ .

It provides, with my notations:

If an APP entity holds personal information about an individual, the entity must, on request by the individual, give the individual access to the information.

There are exceptions to Read the rest of this entry »

The Cambridge Analytica scandal has a very long tail. Shareholders of Meta brought an action against Mark Zuckerberg and other Facebook directors over privacy violations. It is reported in the Times with Mark Zuckerberg settles $8bn lawsuit over Facebook privacy claims and the BBC with Meta investors settle $8bn lawsuit with Zuckerberg over Facebook privacy.  The core of the case was a claim against Facebook directors for their failures which resulted in fines and legal costs associated with the Cambridge Analytica scandal. The problem for the defendants was that Facebook entered into an agreement in 2012 regarding compliance with privacy obligations. The other difficulty for the defendants was the scale of the data harvesting and the deceptive practices to do it.

The timing of the settlement is ironic given Read the rest of this entry »

The Australian reports in Maurice Blackburn launches compensation case against Qantas over cyber attack that a claim against Qantas is in the offing. It is a representative complaint under the Privacy Act 1988. It is also reported in Compensation sought for millions of Qantas customers hit in major cyber data breach. Representative complaints may be commenced under Division 1 of Part V of hte Privacy Act. Under section 36 an individual may complain to the Commissioner about an act or practice that is an interference with privacy of that individual. Under section 38 a representative complaint can be made on behalf of a class if all the members have complaints against the same entity and they arise out of the, in this case, same circumstances.

In November last year Bunnings was found to have breached the Privacy Act 1988 in its use of facial recognition technology without consent and failed to take reasonable steps to notify individuals that their personal information was being collected. There was no meek apologies from Bunnings. it came out saying it had every right to use facial recognition and that it was the most effective way to combat rising crime. It has appealed. Now the The Managing Director of Bunnings has come out in an AFR article complaining about the privacy law and wanting new laws to allow facial recognition in stores. That is very curious.  To call for a change to the law while appealing a decision involving the extant law is not illegal.  But it is quite arrogant.  Changing the law to allow for such a carve out would significantly damage the operation of the Privacy Act. 

Meanwhile in CBA using facial recognition logins to verify disputed payment the CBA is showing itself to be an enthusiastic user of facial recognition.  

The AFR article Read the rest of this entry »

It is becoming common practice for companies affected by the significant data breaches to seek injunctive relief. The Australian reports in Qantas goes to court over cyber attack in attempt to stop stolen data being released or used. that Qantas has obtained an interim injunction in the New South Wales Supreme Court. A copy of the orders has not been released but it is reported as intending “..to prevent the data being accessed, viewed, released, used, transmitted or published by anyone including by any third parties.” There is no identified respondent to the application.  It is also covered by 9 News and Reuters.  If the process follows the approach taken by the court in the HWL Ebsworth application for injunctive relief in 2024.

Interestingly the National Office of Cyber Security prepared a report on the HWL Ebsworth Cyber Security Incident titled “Lessons Learned Review”.  Under the hearing “What was interesting” the report says the following about the injunction HWL Ebsworth obtained from the Supreme Court of New South Wales.  

The granting of an injunction from the Supreme Court of New South Wales to HWL Ebsworth was a key point of interest during the management of the incident. The injunction was sought by HWL Ebsworth to restrain further access to or publication of information exposed during the incident, in an attempt to protect client data, and minimise ‘online rubbernecking’. Overwhelmingly, government entities viewed this enabled better support to impacted clients (including individuals) through minimising the likelihood that other actors may access and act on the published data, and was overall viewed as a sensible step in the firm’s response.

HWL Ebsworth’s intention when seeking the injunction was never to stop its clients from accessing their own data, as several clients were granted exemptions to ensure access for this purpose could continue. However, the injunction also prevented accidental unauthorised access which would have been inevitable in the circumstances where clients of the firm were seeking their own information but would, in the process, further compromise the privacy of other matters unintentionally.

There is quite a bit of supposition in that assessment.  It is not possible to know whether the injunction performed that role.  There has been no reported contempt of court proceedings for breaching the injunction.  It would also be quite difficult to determine whether there was a reduction in ‘online rubbernecking’ to start with and whether it was reduced.  How to monitor on line rubber necking is another issue.  If the data is stored on the dark web in a particular site removing the data, highly improbable, would be a better solution than working out who viewed it, even more difficult.  That said injunctive relief is now part of the response in large scale data breaches.  

It is clear from the assessment that the orders were almost certainly more involved and complicated than a blanket prohibition.  There is reference to exemptions.  That is an important issue when seeking such orders.  It is important to avoid putting those who are victims who discover their personal information and in viewing it may in a position where they may be in contempt of court.  Clearly not an intended consequence.

The Australian story Read the rest of this entry »

That data breaches cause damage is trite. The damage may be economic or psychological. It can also be life threatening as the Times story Revealed: Leak that risked lives of 100,000 Afghans — and £7bn cover-up makes clear. As does the BBC report Thousands of Afghans were moved to UK in secret scheme after data breach. A data breach by a British official at the Ministry of Defence in February 2022 resulted in the personal details of 19,000 people who applied to move to the UK after the Taliban took over were leaked. That prompted a resettlement scheme which has resulted in 4,500 Afghans moving to UK so far. So far, so bad.

What is very interesting to legal practitioners is that the Government sought and obtained a super injunction which involved a gag order relating to the data breach and its contents.  It was the first time the Government sought a super injunction and it was the longest ever granted.That was lifted yesterday in Ministry of Defence v Global Media and Entertainment Ltd & ors [2025] EWHC 1806.   

In reviewing and ultimately lifting the gag order teh court made the following points regarding the grant and Read the rest of this entry »

Implementing proper password protection is one of the foundation blocks of proper cyber security. It has been since the internet was established. But it remains a real problem with many organisations. Bleeping Computer with ‘123456′ password exposed chats for 64 million McDonald’s job chatbot applications reports on a spectacular fail with both log ins and passwords, both being 123456.

The Bleeping Computer article Read the rest of this entry »

The National Institute of Science and Technology (“NIST”) has publisheda guideline on High-Performance Computing (HPC) Security Overlay,

Recommendation for Key Management, Part 3: Application-Specific Key Management Guidance and

The announcement about the HPC provides:

High-performance computing (HPC) systems provide fundamental computing infrastructure for large-scale artificial intelligence (AI) and machine learning (ML) model training, big data analysis, and complex simulations at exceptional speeds. Securing HPC systems is essential for safeguarding AI models, protecting sensitive data, and realizing the full benefits of HPC capabilities.

This NIST Special Publication introduces an HPC security overlay that is designed to address the unique characteristics and requirements of HPC systems. Built upon the moderate baseline defined in SP 800-53B, the overlay tailors 60 security controls with supplemental guidance and/or discussions to enhance their applicability in HPC contexts. This overlay aims to provide practical, performance-conscious security guidance that can be readily adopted. For many organizations, it offers a robust foundation for securing HPC environments while also allowing for further customization to meet specific operational or mission needs.

The recommendations for best practices for key management organisations, part 2 provides:

NIST Special Publication (SP) 800-57 provides cryptographic key management guidance. It consists of three parts. Part 1 provides general guidance and best practices for the management of cryptographic keying material. Part 2 provides guidance on policy and security planning requirements. Finally, Part 3 provides guidance when using the cryptographic features of current systems. Part 2 (this document) 1) identifies the concepts, functions and elements common to effective systems for the management of symmetric and asymmetric keys; 2) identifies the security planning requirements and documentation necessary for effective institutional key management; 3) describes Key Management Specification requirements; 4) describes cryptographic Key Management Policy documentation that is needed by organizations that use cryptography; and 5) describes Key Management Practice Statement requirements. Appendices provide examples of some key management infrastructures and supplemental documentation and planning materials.

The recommendations for Key Management part 3;  Application-Specific Key Management Guidance provides:

IST Special Publication 800-57 provides cryptographic key management guidance. It consists of three parts. Part 1 provides general guidance and best practices for the management of cryptographic keying material. Part 2 provides guidance on policy and security planning requirements for U.S. government agencies. Finally, Part 3 provides guidance when using the cryptographic features of current systems.

Read the rest of this entry »

The New South Wales Audit Office has published its report, titled Cyber Security insights 2025, on state agencies cyber health and preparedness against a cyber attack. it is a mixed report, which is a concern given the fact that the state collects and holds a vast amount of information of people of New South Wales and encourages, if not requires, people to do business with the state on line. The Report is quite critical about aspects of preparedness.

The ABC has done a story on the report with NSW audit finds gaps in state, local government cyber protections which provides:

The highlights of the report Read the rest of this entry »