Federal Government announces reforms to Privacy Act to increase penalties for data breaches

March 24, 2019

There is nothing quite like the combination of a Government under stress and high profile privacy breaches to channel the inner reform in what was otherwise a reluctant Attorney General on matters privacy.

The Attorney General has been widely reported as flagging increased fines for serious and repeated interferences with privacy, from $2.1 to 10 million.  Alternatively the fine will be calculated on turnover or value of the misuse.  The flagged amendments will also permit the Australian Information Commissioner to issue infringement notices for minor data breaches.  As importantly the Commissioner will get $25 million to ramp up investigations of data breaches.

The media release provides:

Attorney-General, Christian Porter and Minister for Communications and the Arts, Mitch Fifield, announced the new penalty regime under the Privacy Act and other measures to ensure Australians were protected online and that major social media companies took action to protect the personal information they collect about Australians, particularly children.

“Existing protections and penalties for misuse of Australians’ personal information under the Privacy Act fall short of community expectations, particularly as a result of the explosion in major social media and online platforms that trade in personal information over the past decade,” the Attorney-General said.

“What the Morrison Government is doing today is outlining a new regime of protections for Australians and penalties for those who misuse Australians’ personal information.  This regime will update our privacy laws without impeding the continued innovation and development of companies working in the online space.”

Minister for Communications and the Arts, Mitch Fifield, said it was clear the Australian community enjoyed using social media and technology platforms, but was increasingly concerned about how personal data is captured, analysed and shared. This was particularly the case for children and members of other vulnerable community segments, he said.

“The tech industry needs to do much more to protect Australians’ data and privacy,” Minister Fifield said.

“Today we are sending a clear message that this Government will act to ensure consumers have their privacy respected and we will punish those firms and platforms who defy our norms and our laws.”

The amendments to the Privacy Act will:

  • Increase penalties for all entities covered by the Act, which includes social media and online platforms operating in Australia, from the current maximum penalty of $2.1 million for serious or repeated breaches to $10 million or three times the value of any benefit obtained through the misuse of information or 10 per cent of a company’s annual domestic turnover – whichever is the greater
  • Provide the Office of the Australian Information Commissioner (OAIC) with new infringement notice powers backed by new penalties of up to $63,000 for bodies corporate and $12,600 for individuals for failure to cooperate with efforts to resolve minor breaches
  • Expand other options available to the OAIC to ensure breaches are addressed through third-party reviews, and/or publish prominent notices about specific breaches and ensure those directly affected are advised
  • Require social media and online platforms to stop using or disclosing an individual’s personal information upon request
  • Introduce specific rules to protect the personal information of children and other vulnerable groups.

“This penalty and enforcement regime will be backed by legislative amendments which will result in a code for social media and online platforms which trade in personal information. The code will require these companies to be more transparent about any data sharing and requiring more specific consent of users when they collect, use and disclose personal information,” the Attorney-General said.

“We will also be requiring platforms to implement a mechanism to ensure they can take all reasonable action to stop using an individual’s personal information if a user requests them to do so and have even stronger regimes to address these issues when the user is a child or other vulnerable person.”

The OAIC will be provided with an additional $25 million over three years to give it the resources it needs to investigate and respond to breaches of individuals’ privacy and oversee the online privacy rules.

Legislation will be drafted for consultation in the second half of 2019.

“This new regime builds on other Government initiatives to improve online safety and provide Australians with greater control over their personal data, including the Online Safety Charter and Online Safety Research program, and the Consumer Data Right,” the Attorney-General said.

“The draft legislation will also incorporate any relevant findings of the current Digital Platforms inquiry by the Australian Competition and Consumer Commission which is due to issue its final reportin June 2019.  Whilst focused on the impact of large digital media platforms on competition in news media, it is also touching on privacy-related issues and, in its interim report late last year, recommended the tougher penalty regime being outlined today by the Morrison Government.”

The Australian has the best coverage to date in Read the rest of this entry »

Linklaters LLP Linklaters Business Services Intended Claimants v Frank Mellish [2019] EWHC 177 (QB): breach of confidence, injunctions

March 4, 2019

Mr Justice Warby in Linklaters LLP Linklaters Business Services Intended Claimants v Frank Mellish [2019] EWHC 177 (QB) considered an application for injunctive relief regarding a breach of confidence action.  The information was sensitive but not commercially sensitive in the strict sense of the word. The decision does demonstrate the relative flexibility of the principles applied to more unusual fact situations.

FACTS

The claimants are:

  • the multi-national law firm Linklaters; and
  • the company through which Linklaters employed its UK-based employees (“LBS”).

Read the rest of this entry »

Likely ransomware attack at Melbourne Heart Group located at Cabrini Hospital affects 15,000 medical files

February 21, 2019

The Fairfax press reports in Crime syndicate hacks 15,000 medical files at Cabrini Hospital, demands ransom that the Melbourne Heart Group, specialists who lease rooms at the Cabrini Hospital has suffered what is almost certainly a ransomware attack. 

Ransomware attacks are particularly prevalent in the health care industry.  The impact of an attack is immediate and serious if not catastrophic and the need to remedy it, by paying the ransom, urgent.  Health data is particularly sensitive.  In early February an optometry clinic in Connecticut was hit impacting 23,578 patient records, In Jacksonvill Florida a Obstetrics and Gynecology practice suffered a data breach involving ransomware in early January while a health center in Rhode Island was hit by a ransomware attack in early December last year.   In November hospitals in Ohio and Ireland were hit by ransomware attacks.  And the list goes on and on and on.

Ransomware attacks are maturing and becoming more, not less effective.  The average ransom in the US has increased by 13% in the last quarter of last year over the previous quarter from $5,973 to $6,733. 

That a specialist cardiology unit at Cabrini could be so compromised by the attack indicates that there was either no or inadequate back up of the health records  in that unit.  If the records were Read the rest of this entry »

Out of a lot of nonsense about cyber attacks by foreign governments there comes a good article dealing with the key issue… poor privacy practices by individuals

February 20, 2019


There has been no shortage of breathless and generally meaningless articles about the Government’s statement that political parties and the Australian Parliament have been the subject of state sponsored cyber attacks.  The Government boffins have come out with statements both  highlighting the risk and claiming everything is under control.  It has given rise to ponderous commentary about attacks on democracy and then spins out to truly odd dystopian pieces as Peter Hartcher did with Farewell tech utopia: how governments are readying the web for war which swallows the  twaddle about the internet being balkanised and ruined. 

The reality is that cyber attacks by state players, mainly Russia, China and North Korea have been a regular occurrence for a decade.  Then there are the plethora of non state hackers in India, the various Stans and Africa who sometimes are engaged by instruments of state to create mischief.  It is a feature of life in the age of the internet. 

Rather than reading the Henny Penny the sky is falling reportage and the end of innocence blather the best article to get an understanding of what is going on and why is the ABC piece Cyber attacks by foreign governments, malicious companies and enterprising hackers are on the rise. And the biggest problem is you. It sets out in plain undramatic terms that most cyber attacks succeed because someone in an organisation or government agency is fooled by an email containing malware.  And, as the article makes clear, that problem is one of Read the rest of this entry »

Nearly one in ten adults admit to taking nude images without consent

February 19, 2019

The Guardian with Revenge porn: nearly one in 10 adults admit to taking nude images without consent and the Canberra Times in One in 10 Australians have perpetrated ‘image-based abuse’ have reported on research by RMIT and Monash University in Image-based sexual abuse: The extent, nature, and predictors of perpetration in a community sample of Australian residents which found that 10% of adults have engaged in this problematical (and in many jurisdictions is criminal) conduct.  

The stories are not a product of detailed analysis but a pick up of the media release by the RMIT on Monday, 18 February 2019 which Read the rest of this entry »

Yet another reheated article about the Privacy Act exemptions for political parties being wrong… correct but nothing new in any of that

David Crowe, one of the more energetic commentators at the Fairfax Press has put together a piece about the ridiculous exemption that political parties have from regulation of the Privacy Act 1988 in Political parties should be stripped of Privacy Act exemptions after hack: experts.  It is one of those topics that columnists dust off from time to time. Peter Van Onselen has repeatedly drawn from that well though pretty much saying the same thing again and again and again in an Australian article in Political parties violate our rights to privacy  on 23 July 2011, raising the issue Read the rest of this entry »

ACCC Chairman Sims gives speech on Digital Platforms Inquiry, raising privacy issues to be addressed

February 12, 2019

Yesterday, Rod Sims in a speech to the IIC Australian Chapter highlighted the issues that the ACCC raised in its Preliminary report on the Digital Platforms Inquiry.  The final submissions close on 15 February 2019.

As with the Preliminary Report Sims highlights the privacy issues that are associated with the current regime of data collection, the matching and lack of consent.  These are matters that should of primary concern to Read the rest of this entry »

Australian Information Commissioner publishes data breach statistics for 1 October – 31 December 2018 with 262 notified data breaches. Likely it is a understatement of the number of breaches in that quarter


The Information has published its Notifiable Data Breaches Quarterly Statistics Report for the last quarter of 2018.

The media release provides:

The latest quarterly report from the Office of the Australian Information Commissioner (OAIC) shows 262 data breaches involving personal information were notified between October and December 2018.

Read the rest of this entry »

Google’s tangles with the regulators continue with French regulator fining it 80 million for breach of GDPR

January 23, 2019

Facebook had a worse 2018 than Google but to a large extent that is merely a matter of degree. Facebook’s travails with its association with Cambridge Analytica and not doing much with the proliferation of false news stories planted by Russia and other actors made 2018 an annus horribilis. Google has had to deal with the phenonama of false news issues as well as years of litigation in the European Union, the UK and Australia.
It might be that Google will have a hotter time of it in 2019 with the French Regulators, the National Data Protection Commission, fining it 50 million euros for not getting valid user consent to gather data for targeted advertising. The regulators claim that Google breached the GDPR, the General Data Protection Regulation.

Read the rest of this entry »

Singapore’s worst data breach which resulted in access to personal data of 1.5million results in a fine of $1 million Singaporean dollars

January 21, 2019

In July 2018 the Singaporean Government announced that there was a cyber attack which compromised the personal data of 1,495,364 people and led to outpatient prescription information for nearly 160,000 people being “exfiltrated”.

Read the rest of this entry »