Doctor accused of secretly filming colleagues at Austin Hospital and elsewhere…Criminal charges laid but it also highlights how the statutory tort of serious invasion of privacy has filled a civil void for those that wish to use it

July 27, 2025

The charges against Ryan Cho, a junior doctor who worked at Austin Hospital, arising out of his alleged use of video devices in staff toilets have grown from a charge of stalking and using an optical device earlier this month (see my post here) to five new offences. According to a Victoria Police media release, as reported by the ABC, last Friday Cho was charged with 5 further offences, most relevantly 3 counts of producing an intimate image and 1 count of using an optical surveillance device. The alleged offences are now believed to have occurred in more than one health facility. According to the ABC, Victoria Police allege that Cho had over 10,000 “pieces of images” and videos relating to at least 460 females.

The focus of the story is the alleged criminality of the conduct. And why not. It is a big story and there is a strong interest by the public and public interest (2 very different concepts) in the issue. The legislatures in Australia were very quick to respond to the practice of surreptitious filming, usually of women by men, in very private places, such as showers, toilets and change areas. That response however was confined to criminalising such conduct. That is appropriate. But there are limitations for the victims in this process. In criminal cases it is the Crown, in indictable cases, or the police Informant, in summary jurisdiction cases, which commences and conducts prosecutions. It is the Crown/Informant which may enter a plea deal. In some cases some form of monetary order may be made but it is not the same as an assessment of damages. And it is at the prosecutor's discretion to seek such orders.

For years the State legislatures refused to legislate a civil right of action for interferences with privacy. In Victoria what limited scope of action there was, was confined to breaches by government entities under the Privacy and Data Protection Act. It is an ineffective process and the results at the Victorian Civil and Administrative Tribunal have been very unsatisfactory. On top of that its use is confined to the Victorian Government, its agencies and entities or those providing services on their (as the case may be) behalf. While the Victorian Government, like many government entities, has had major privacy fails and data breaches, those incidents are only a small subset of the total number of privacy interferences, misuse of private information and data breaches in Victoria (let alone the rest of Australia).

Equity responded to the lack of statutory privacy protection and the inability of individuals to take action to protect their privacy with the Victorian Court of Appeal decision of Giller v Procopets [2008] VSCA 236. It extended the claim of breach of confidence into a claim of misuse of private information, following the UK authorities. It was and is not a good fit in many privacy related breaches. The law developed at a glacial pace in this generally unsatisfactory environment. That said, the High Court in Smethurst v Commissioner of Police [2020] HCA 14 came tantalisingly close to recognising a stand alone right to privacy as an actionable tort, as the UK Court of Appeal did in Vidal-Hall v Google Inc [2015] EWCA Civ 311. In Smethurst the Appellant deliberately did not want the High Court to continue consideration of a claim for breach of privacy. Their Honours Kiefel CJ, Bell and Keane stated, at [48] (absent footnotes):

The plaintiffs’ principal claim to an injunction is based upon the Court’s auxiliary jurisdiction in equity. This would ordinarily require that it be granted in aid of some legal right or interest or title to property. The plaintiffs make no claim to the property in the AFP’s USB stick. They do not claim a right to privacy which is actionable for breach. They do not ask this Court to continue the debate, left open by Gummow and Hayne JJ in Australian Broadcasting Corporation v Lenah Game Meats Pty Ltd, as to whether the courts should recognise such a tort. The plaintiffs nevertheless contend that an injunction should be granted to reverse or protect them from the effects of the trespass committed as a result of the Second Warrant being invalid. Those effects are that the information may be used to further the investigation as to whether offences against s 79(3) of the Crimes Act have been committed and, if charges are laid, as evidence of the commission of those offences.

(Emphasis added)

The reason for the Appellants' reluctance in pressing the question of privacy and “continuing the debate” (which the High Court was most definitely interested in having) is that the media was in 2020, just as it is today, very hostile to the idea of a tort of privacy. It wanted the relief sought and a finding against the Commissioner of Police but on a more confined basis. That was a great opportunity wasted but fortunately the legislature has finally enacted a statutory tort of serious invasion of privacy. As to whether the tort the High Court may have found was a superior form of protection to what has been enacted is something we will never know.

The Federal Government enacted a statutory tort of serious invasion of privacy which came into effect on 10 June 2025.

With the operation of the statutory tort of serious invasion of privacy the gap in the civil law has been closed.  It is able to provide some measure of justice and compensation for victims of the behaviour as alleged in this case.  

The elements of a statutory tort of serious invasion of privacy are set out in section 7(1) of Schedule 2 of the Privacy Act 1988 and they are:

(1)       An individual (the plaintiff) has a cause of action in tort against another person (the defendant) if:

(a)     the defendant invaded the plaintiff’s privacy by doing one or both of the following:

(i)      intruding upon the plaintiff’s seclusion;

(ii)     misusing information that relates to the plaintiff; and Read the rest of this entry »

Vale Hulk Hogan. His win against Gawker Media dispelled the myth that the First Amendment trumps, and tramples, privacy rights in the United States. The case provides interesting insights into the use of the statutory tort of serious invasion of privacy in Australia

Terry Gene Bollea (known professionally as Hulk Hogan) was a major celebrity in the curious world of American wrestling and subsequently a big media personality. Always good copy.

For lawyers he is at least as well known for winning a very significant privacy case in 2016, the Hulk Hogan v Gawker case, where he defeated Gawker Media (citation Gawker Media, LLC v. Bollea, 129 So.3d 1196 (Fla. 2d DCA 2014); 170 So.3d 125 (Fla. 2d DCA 2015)). The case demonstrated that not everything a media company does is protected under the First Amendment. Gawker Media was an online gossip tabloid which specialised in salacious coverage of celebrities' private lives. I covered the verdict with posts in March 2016 here and here.

In a trial in Florida in 2016 Hogan won a privacy claim against Gawker which claimed protection under the First Amendment.

It was and remains a very significant case and one which has influenced jurisprudence in the United States of America.

The facts in brief summary are:

  • In 2006, Bollea was videotaped while having sex with Heather Clem, his friend’s wife. He claimed the videotaping was undertaken without his knowledge or consent. On The Howard Stern Show, Bollea told Stern that he had slept with Heather with Bubba Clem’s (Heather Clem’s husband) blessing and his encouragement because he was so burnt-out from the trauma of his coming divorce that he finally gave in to the “relentless” come-ons from Heather who “kept going down that road.”
  • On October 4, 2012, Gawker editor A. J. Daulerio published a two-minute extract from the 30-minute video, including 10 seconds of explicit sexual activity.
  • Bollea originally sued Gawker for copyright infringement in the United States District Court for the Middle District of Florida, seeking a temporary injunction. U.S. District Judge James D. Whittemore denied Bollea’s motion, ruling that the validity of the copyright was in question, and that given the degree to which Bollea had already put his own private life into the public arena, the publication of the video might be protected by fair use.
  • Bollea withdrew his case in the US district court and sued Gawker in Florida state court.
  • Bollea’s request for an injunction was granted by Judge Pamela Campbell in 2013. Gawker announced that it would not comply with the part of the court order requiring the removal of the post and associated commentary because it deemed the order “risible and contemptuous of centuries of First Amendment jurisprudence.” Gawker removed the video itself, but linked readers to another site hosting the video.
  • The injunction was stayed on appeal, and was denied in 2014 by the appeals court, which ruled that under the circumstances it was an unconstitutional prior restraint on speech under the First Amendment.
  • The trial in 2016 ran for two weeks. Gawker argued that Bollea made his sex life a public matter, although on cross-examination, when asked by Bollea’s lawyer whether a depiction of his genitalia had any “news value”, former Gawker editor AJ Daulerio responded “no”. Bollea said that comments made in interviews were done in his professional wrestling character, an on-air persona different from his own.
  • On March 18, 2016, the jury delivered a verdict in favor of Bollea. The jury awarded him $115 million in compensatory damages, which included $60 million for emotional distress. The jury awarded Bollea an additional $25 million in punitive damages on March 21.
  • On June 9, 2016, Gawker filed a motion for a stay of execution of judgment pending appeal. In the motion and accompanying affidavits from Gawker Media personnel, the company stated that it could not afford to pay the $140.1 million judgment or the $50 million appeal bond.
  • On June 10, 2016, Gawker filed for Chapter 11 bankruptcy protection and put itself up for sale.
  • Univision Communications bought Gawker Media’s assets for $135 million at a bankruptcy auction on August 16, 2016 which included six Gawker websites—Deadspin, Gizmodo, Jalopnik, Jezebel, Kotaku, and Lifehacker.
  • On November 2, 2016, Gawker Media and Bollea reached a $31 million settlement. As a result of the settlement, Gawker forwent its appeal and three articles from gawker.com were taken down, including the one involving Bollea.

Schedule 2 of the Privacy Act 1988 contains the provisions giving effect to the statutory tort of serious invasion of privacy.  How relevant is the Hulk Hogan case to the consideration of Australia’s statutory tort?  On its face little.  An issue in the Hulk Hogan case was whether the material published by Gawker Media had news value.  And the witness for Gawker said “no.”  Under section 15(1) of Schedule 2 the statutory tort does not apply “..to the extent that the invasion of privacy involves the collection, preparation for publication or publication of journalistic material” while section 15(1A) provides that “..This Schedule does not Read the rest of this entry »

Will forcing companies to delete data reduce cybercrime….

July 18, 2025

The desire, if not obsession, of government agencies and private organisations and companies to collect and store information has been a problem for as long as there has been the capacity to make records. It has been regularly satirised (eg Brazil). It is no joke. Digitisation and the increased ability to economically store vast stores of data has meant that governments, organisations and companies could collect much more personal information than was thought possible in the analog era. More importantly, advanced computing, especially the use of algorithms, made that data particularly valuable. As a result many government bodies and companies hold an enormous amount of personal information. In cyber security language that is sometimes described as the honey pot. The question often posed is how to reduce this honey pot and thereby minimise the exposure of individuals to losing their personal information. One of the solutions raised is to require agencies and companies to remove data. That is the product of wrong analysis. It implies that the regulation is lacking. That is not correct. The laws are adequate. It is the regulation and enforcement of those laws, especially the Privacy Act 1988, that has been inadequate over a very long time. As a result there is complacency in the market place. Under the Privacy Act 1988 an entity should only collect personal information relevant to its primary purpose. It should only retain that personal information for as long as it is relevant to that purpose. That companies, especially, collect as much information as possible on the most tenuous bases is a matter of their desire, not compliance with the law. The problem is that they have not been called on it. There have not been enough cases in the Federal Court where those breaches have been prosecuted. None of this is to say the Privacy Act 1988 does not need further reform. It does. But the issue of data hoarding can be dealt with by a determined, effective and properly resourced regulator.

The ABC has published an interesting essay, Experts say forcing companies to delete data would remove cybercrime ‘honey pot’.

It provides, with my notations:

Giving Australians the right to force the removal of their personal details from company databases would help combat the growing impact of mass data theft, experts say.

Theoretically yes. But how much of a difference such a right would make is questionable.  Already under Australian Privacy Principle 12 an individual may request access to information held by an entity.  APP 12.1 states:

If an APP entity holds personal information about an individual, the entity must, on request by the individual, give the individual access to the information.

There are exceptions to Read the rest of this entry »

California Privacy Protection Agency v Honda; settlement with Honda paying $632,500 fine for breaching California Consumer Privacy Act by requiring excessive personal information, making it difficult for people to exercise their rights and not properly protecting privacy

March 31, 2025

The California Consumer Privacy Act 2018 (“CCPA”) has the most comprehensive privacy protections of all state based privacy legislation in the USA. It took effect on 1 January 2020. Recently the Agency brought action against Honda for breaches of the CCPA. That has resulted in a settlement and a fine of $232,500.

The CCPA grants California consumers the right to:

  • know that personal information is collected, used, shared or sold;
  • delete personal information held by businesses;
  • opt out of sale of personal information;
  • non discrimination in terms of price of service.

Under the CCPA businesses must, inter alia:

  • provide notice to consumers before data collection;
  • create procedures to respond to requests from consumers to opt out, know and delete;
  • respond to requests from consumers to know, delete and opt out;
  • disclose financial incentives offered in exchange for the retention or sale of a consumer’s personal information and explain how they calculate the value of the personal information.

According to the final order the breaches related to:

  • Excessive Personal Information. “Requiring Californians to verify themselves and provide excessive personal information to exercise certain privacy rights, such as the right to opt-out of sale or sharing and the right to limit.”
  • Lack of Symmetrical Choices. “Using an online privacy management tool that failed to offer Californians their privacy choices in a symmetrical or equal way.”
  • Difficult to Appoint Authorized Agents. “Making it difficult for Californians to authorize other individuals or organizations (known as “authorized agents”) to exercise their privacy rights.”
  • Lack of Contracts. “Sharing consumers’ personal information with ad tech companies without producing contracts that contain the necessary terms to protect privacy.”

Excessive Personal Information. Honda required matching more than two data points (sometimes requiring up to eight data points) provided by the Read the rest of this entry »

The Canadian Standing Committee on Access to Information, Privacy and Ethics publishes ‘Facial Recognition Technology and the Growing Power of Artificial Intelligence’

October 9, 2022

On 4 October 2022 the Canadian House of Commons Standing Committee on Access to Information, Privacy and Ethics published a report, ‘Facial Recognition Technology and the Growing Power of Artificial Intelligence’.

The report explores:

  • the benefits and concerns associated with facial recognition technology,
  • the use of facial recognition by police forces,
  • misidentification and algorithmic bias,
  • regulations on facial recognition and artificial intelligence.

Read the rest of this entry »

Optus suffers massive data breach affecting up to 9 million customers. The largest data breach involving personal information of Australians in history

September 23, 2022

Optus suffered a massive data breach through a cyber attack two days ago. The biggest in Australian history involving Australian data.  Optus released a media release about it yesterday.  The compromised data included names, dates of birth, drivers licences and passport numbers.  The sort of information which would allow a hacker to attempt identity theft.  Very saleable data on the dark web.

A curious aspect of this incident is that some of that data related to former customers. It will be interesting to see how far back that data goes. Why is it necessary to hold onto the data of former customers of many years back? That may be a breach of the Australian Privacy Principles.

With access to key data, including emails, the danger to customers affected is phishing attacks and attempts at identity theft rather than immediate danger that Optus phone or email data will be used or the services disrupted. There is little wonder that the media is reporting a heightened risk of fraud against those affected.  The breach did not include payment details and account passwords.

Optus has notified the Information Commissioner.  One issue to resolve is what notification will be provided to affected Optus customers.  Australian notifications are rarely as open and expansive as those issued in the United States where mandatory data breach notification has been part of the regulatory environment in most states.  Notices by affected organisations in the United States are more candid (though not providing all details for obvious reasons) and contrite and commonly more generous in offering support.  That is good business.

In its own review and probably under scrutiny of the Commissioner there will be a careful analysis of the effectiveness of Optus’s Data Breach Response Plan. In my experience Australian organisations put less than optimal effort into preparing for a data breach. Similarly the response to a data breach is too often marked by improvisation rather than following a plan.

Optus issued a media release today at 2pm titled Optus notifies customers of cyberattack compromising customer information.  It Read the rest of this entry »

National Institute of Standards and Technology releases a draft regarding Engineering Trustworthy Secure Systems SP 800 – 160

June 8, 2022

The National Institute of Standards and Technology (“NIST”) has released Engineering Trustworthy Secure Systems for public comment. It is a very useful document for those interested in privacy and cyber security in that it provides a framework for analysis.

This guide has been produced pursuant to a Presidential Executive Order of 12 May 2021 titled Improving the Nation’s Cybersecurity, EO 14028.

The key elements of that executive order Read the rest of this entry »

National Institute of Standards and Technology issues Blockchain for Access Control Systems NISTIR 8403

May 27, 2022

The National Institute of Standards and Technology (“NIST”) has issued a guideline Blockchain for Access Control Systems.   

The abstract provides:

The rapid development and wide application of distributed network systems have made network security – especially access control and data privacy – ever more important. Blockchain technology offers features such as decentralization, high confidence, and tamper-resistance, which are advantages to solving auditability, resource consumption, scalability, central authority, and trust issues – all of which are challenges for network access control by traditional mechanisms. This document presents general information for blockchain access control systems from the views of blockchain system properties, components, functions, and supports for access control policy models. Considerations for implementing blockchain access control systems are also included.

Blockchain systems provide an alternative (or complimentary) system for reliability, security, accountability, and scalability for AC systems. Blockchain characteristics – such as transparency, distributed computing/storage, and a tamper-evident/tamper-resistant design – help to prevent AC data from being accessed or modified by malicious users. Access logs are also recorded in blocks that allow for the detection of malicious activities. Blockchain system components and their advantages for AC systems are Read the rest of this entry »

Education Apps endorsed by the Australian Government found to be surveilling Australian children resulting in inquiries by New South Wales and Victorian Governments

May 26, 2022

As the saying goes, the road to hell is paved with good intentions. That may be the sombre story of education apps used during the Pandemic. Human Rights Watch has undertaken a detailed study, How Dare They Peep into My Private Life. Of particular interest are some of the practices of EdTech. The EdTech apps were used by students in Australia during the lockdowns. The Victorian and New South Wales Governments have announced inquiries. The Victorian Information Commissioner raised concerns about education apps as far back as August 2020, stating in a report that “..we consider that schools are at risk of breaching the [Information Privacy Principles] IPPs when using apps and web-based learning tools that handle student personal information.”

The report has been reported in Itnews with Edtech vendors invaded student privacy: Human Rights Watch,  InnovationAus in ‘Dystopian’: Govt-endorsed education apps surveilling Australian children and the ABC with Investigation reveals tracking by EdTech of millions of Australian school students during COVID lockdowns.

Some interesting findings from the Report Read the rest of this entry »

Data breach at the California State Bar, with 322,000 confidential attorney discipline files exposed to the public, an excruciating experience ongoing from 27 February 2022

May 10, 2022

Lawyers are far from immune from data breaches. In fact law firms are attractive targets for ransomware attacks and malicious actors, sometimes state sponsored ones, who are interested in the sensitive information about clients held behind often poorly protected cyber defences. Nothing so nefarious has hit the State Bar of the US state of California, with over 322,000 confidential attorney discipline records being erroneously published on public records aggregator Judyrecords from 15 October 2021 until 26 February 2022. The Bar claimed that this error was due to a bug in its case management system. While a data breach caused by a flaw in the IT system rather than a malicious hack is a minor consolation, the mortification level remains high nevertheless. And it remains a data breach. The breach was discovered on 24 February 2022. It has been required to notify 1,300 complainants, witnesses, or respondents.

The episode highlights the importance of checking the operability of IT systems as well as cyber security defences. Clearly the glitch which caused this data breach was due to a malfunction in the system.  That is an explanation, not an excuse.

The State Bar first issued a Media release, State Bar of California Addresses Breach of Confidential Data, on 26 February 2022.  At that time Read the rest of this entry »