O’Carroll v Meta: Facebook agrees to stop targeting ads to the plaintiff.

March 25, 2025

Tanya O’Carroll commenced proceedings against Meta seeking orders that Facebook stop using her personal data to create targeted ads on subjects that it believed she would be interested in. She argued that Facebook’s campaign was direct marketing under the UK legislation. Meta has settled the claim, agreeing to stop sending targeted advertisements using her personal information. The Information Commissioner’s Office is very happy. So happy that it issued a statement. The ICO has always regarded targeted advertising as being direct marketing under the legislation. It intervened in the case with an amicus curiae brief.

Under the Australian Privacy Act 1988 Australian Privacy Principle 7 addresses direct marketing directly, with the key issues being:

  • APP 7 provides that an organisation must not use or disclose personal information it holds for the purpose of direct marketing unless an exception applies. APP 7 may also apply to an agency in the circumstances set out in s 7A.
  • Direct marketing involves the use or disclosure of personal information to communicate directly with an individual to promote goods and services.
  • Where an organisation is permitted to use or disclose personal information for the purpose of direct marketing, it must always:
    • allow an individual to request not to receive direct marketing communications (also known as ‘opting out’), and
    • comply with that request.
  • An organisation must, on request, provide its source for an individual’s personal information, unless it is impracticable or unreasonable to do so.

There has been no similar case in Australia to O’Carroll v Meta. There is a basis for making the same argument here given the content of APP 7.

The ICO statement provides:

An ICO spokesperson said:

“People have the right to object to their personal information being used for direct marketing, and we have been clear that online targeted advertising should be considered as direct marketing. 

“Organisations must respect people’s choices about how their data is used. This means giving users a clear way to opt out of their data being used in this way. 

“If people believe that an organisation is not complying with their request to stop processing their data, they can file a complaint to us. We will continue to engage with Meta on this issue.”

A BBC article Read the rest of this entry »

Metropolitan police in UK install first permanent facial recognition cameras in London

The Times reports that the first permanent facial recognition cameras have been installed in London. It is being touted as a pilot project, but it may be a precursor to the scheme being extended across London. The Information Commissioner’s Office has released guidance on the use of facial recognition, described as biometric recognition. It has also issued specific guidance for Live Facial Recognition Technology for police. There have been significant cases of misuse of facial recognition technology, with serious privacy implications. The misuse of facial recognition by police is well documented. It is also misused by the private sector. In February 2024 the ICO ordered Serco Leisure to stop using facial recognition to monitor employee attendance. The use of CCTV technology and facial recognition technology is more extensive in the United Kingdom than in Australia. That said, the regulator is quite active in reviewing its operation and the legislation is more rigorous than in Australia.

It is likely that the use of facial recognition technology will quickly become more widespread, especially with the use of AI. Doing so without properly adhering to the provisions of the Privacy Act 1988 may attract the attention of the regulator. On 19 November the Privacy Commissioner published a determination finding that Bunnings’ use of facial recognition breached the Privacy Act. On the same day the Privacy Commissioner published guidance on the use of facial recognition technology. It is critical that organisations contemplating using this technology understand their obligations under the Privacy Act 1988.

The Times article provides:

Facial recognition cameras that scan for wanted criminals are being installed permanently on UK high streets for the first time.

The Metropolitan Police will permanently put up live facial recognition (LFR) cameras in Croydon, south London, as part of a pilot project that may see the scheme extended across the capital. Read the rest of this entry »

China publishes security measures on the use of facial recognition technology

March 23, 2025

In one of those “one for the books” events, the Cyberspace Administration of China, in collaboration with the Ministry of Public Security, has published security measures for the use of facial recognition technology. The measures will take effect on 1 June 2025. Given how intrusive Chinese authorities have been in the past with surveillance and the use of facial recognition technology, it will be interesting to see how much of a real change will result.

The measures apply to activities that use facial recognition technology (biometric recognition technology that uses facial information to identify an individual) to process facial information within China.

Interestingly, they exclude from their scope the processing of facial information for research and development or algorithm training purposes.

Under the measures, facial recognition activities must comply with applicable laws and regulations and, inter alia:

  • have a specific purpose;
  • be necessary;
  • minimise the impact on personal rights and interests; and
  • implement strict protection measures.

Personal information handlers must, inter alia:

  • before processing, inform individuals in a prominent manner and clear and understandable language of certain information, such as contact information and purposes and method of processing;
  • inform individuals of any changes to the information provided to them;
  • when the processing is based on consent, obtain voluntary and explicit consent, including providing the right to withdraw consent;
  • when processing minors’ information, obtain the consent of a parent or other guardian;
  • store facial information on the facial recognition devices and not transmit it through the internet;
  • conduct a Personal Information Protection Impact Assessment (PIPIA) and include the contents outlined in the measures; and
  • if processing data of more than 100,000 individuals, notify the provincial-level or higher cybersecurity and informatization department within 30 working days, and provide the information outlined in the measures.

The measures require personal information handlers to Read the rest of this entry »

Federal Communications Commission is taking action to protect submarine cables from cyber security attacks

March 18, 2025

Most advanced countries now have comprehensive data protection legislation dealing with critical infrastructure. In Australia the most notable is the Security of Critical Infrastructure Act 2018 which covers 11 sectors.

There is also the

In that vein the US Federal Communications Commission is conducting its first review of its submarine cable rules since 2001 to enhance the protection of the nation’s submarine cable infrastructure amid evolving national security concerns. The FCC is following the now standard approach of requiring cable operators to confirm they take reasonable measures to protect the confidentiality, integrity, and availability of their systems and to provide cybersecurity plans.

The FCC proposals are reported in FCC proposes new cybersecurity mandates for submarine cable operators in major rule review, seeks public input which Read the rest of this entry »

ASIC commences action against FIIG Securities for cyber security failures

March 14, 2025


The Australian Securities and Investments Commission announced yesterday that it was suing FIIG Securities for “systemic and prolonged cyber security failures” from March 2019 until 8 June 2023. As a result, hackers entered FIIG’s IT system and stole personal information, which was released onto the dark web. ASIC specifically referred to the Federal Court decision of Australian Securities and Investments Commission v RI Advice Group Pty Ltd (No 3) [2022] FCA 84. This was the first case where a failure to manage cyber risk was found to be a breach of a licensee’s financial services obligations. That case was settled, with the parties proposing consent orders containing declarations and consequential orders. Given the nature of the repeated breaches, RI Advice’s legal representatives negotiated quite a favourable outcome notwithstanding that orders were made against their client. In the United States or the UK the penalties would have been much more severe.

Helpfully, ASIC has provided a concise statement of facts and the Originating Process. From these, ASIC alleges that between 13 March 2019 and 8 June 2023, FIIG did not comply with its AFSL obligations under section 912A(1) of the Corporations Act 2001 (Cth) to:

  1. do all things necessary to ensure that financial services were provided efficiently, honestly and fairly (s 912A(1)(a)), by failing to have in place adequate measures to protect its clients from the risks and consequences of a cyber incident;
  2. have available adequate resources (including financial, technological, and human resources) to, amongst other things, ensure that it had in place adequate cyber security measures required by its licence (s 912A(1)(d)); and
  3. have in place a risk management system that adequately identified and evaluated the risks faced by FIIG and its clients; adopt controls adequate to manage or mitigate those risks to a reasonable level; and implement those controls (s 912A(1)(h)).

ASIC alleges that FIIG failed to have the following cybersecurity measures:

  • Planning and training: there was no cyber incident plan communicated and accessible to employees and tested at least annually, and no mandatory cyber security training (at commencement of employment and annually);
  • Access restrictions:
    • there was no proper management of privileged access to accounts, including revoking access that was no longer required and applying greater protections to privileged accounts; and
    • there was no configuration of group policies to disable legacy and insecure authentication protocols;
  • Technical monitoring, detection, patches and updates: there was a failure to have, or there was inadequate,
    • vulnerability scanning, involving tools deployed across networks and endpoints, and processes run at least quarterly with results reviewed and actions taken to address vulnerabilities;
    • next-generation firewalls (including rules preventing endpoints from accessing file transfer protocol services);
    • endpoint detection and response software on all endpoints and servers, with automatic updates and daily monitoring by a sufficiently skilled person;
    • patching and software update plans (with critical or high importance patches applied within 1 month of release, and 3 months for all others), and a practice of updating all operating systems, with compensating controls to systems incapable of patching or updates; and
    • security incident event management software configured to collect and consolidate security information across all of FIIG’s systems with appropriate analysis of the same (daily monitoring);
  • Testing: there was a lack of
    • processes to review and evaluate efficacy of technical controls at least quarterly; and
    • penetration and vulnerability tests from internal and external points.

Read the rest of this entry »

NIST announces a review of its cyber security framework in light of developments in AI

Artificial Intelligence is becoming the great disrupter, and in privacy and cyber security its impact is especially acute. The National Institute of Science and Technology (“NIST”) has announced the process to develop a new cyber AI profile.

The NIST notes Read the rest of this entry »

EU release pseudonymisation guidelines

March 13, 2025

On 16 January the European Data Protection Board (EDPB) adopted Guidelines 01/2025 on Pseudonymisation, which took effect on 17 January 2025. Pseudonymisation is poorly understood by organisations and some practitioners. It is also an important means of data protection.

It should be noted that OVIC has undertaken a very detailed assessment of de-identification and highlighted the problems with it.

The guidelines set out detailed guidance on the use and benefits of pseudonymisation under the General Data Protection Regulation (GDPR). Importantly, they clarify:

  • what pseudonymization means,
  • how to use it to meet data protection requirements, and
  • how to implement it.

Australia operates under the Privacy Act and is not bound by the GDPR. That said, many organisations in Australia operate in Europe and to that extent are bound by the operation of the GDPR. Further, the guidelines from the EU, like the NIST publications, provide valuable assistance in dealing with privacy issues.

What is Pseudonymization?

Art. 4(5) of the GDPR defines pseudonymisation as “the processing of personal data in such a manner that it can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that it is not attributed to an identified or identifiable natural person.”

Pseudonymisation can be implemented through various techniques, such as the use of tables that map pseudonyms to original identifiers while keeping pseudonyms and original identifiers separate and secure (e.g., in the hands of two separate organizations). 

Pseudonymisation should at least concern direct identifiers (e.g. passport or social security numbers, but also the combination of the full name of a person with his or her date of birth), which alone allow data subjects to be identified. The pseudonymising entity should also be mindful of indirect identifiers (e.g. by deleting such indirect identifiers, generalising or randomising them), which may also allow a data subject to be identified despite the pseudonymisation.
Read the rest of this entry »
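The mapping-table approach described above, worked through in Python as an added example (not code from the EDPB guidelines or this post): direct identifiers are replaced by random pseudonyms, the table that maps them back is held in a separate store, and indirect identifiers are generalised. The records, field names and generalisation rules are constructed for illustration.

```python
"""Pseudonymisation in the sense of GDPR Art. 4(5), as a worked example.

Direct identifiers are replaced by random pseudonyms. The table mapping
pseudonyms back to identifiers is the "additional information" and is kept
in a separate store (in practice a separate system or organisation).
Indirect identifiers are generalised so they no longer single out a person.
"""
import secrets
from dataclasses import dataclass, field

# Fields that alone identify a person (the guidelines' direct identifiers).
# Name plus date of birth is treated as one combined direct identifier.
DIRECT_IDENTIFIERS = ("passport_no", "full_name", "date_of_birth")

# Constructed sample records: fictional people and numbers.
SAMPLE_RECORDS = [
    {"full_name": "Alice Example", "date_of_birth": "1984-03-09",
     "passport_no": "PA1234567", "postcode": "3000", "diagnosis": "asthma"},
    {"full_name": "Alice Example", "date_of_birth": "1984-03-09",
     "passport_no": "PA1234567", "postcode": "3000", "diagnosis": "eczema"},
    {"full_name": "Bob Sample", "date_of_birth": "1979-11-21",
     "passport_no": "PB7654321", "postcode": "2000", "diagnosis": "asthma"},
]


@dataclass
class MappingTable:
    """Held separately from the pseudonymised data set (the 'additional information')."""
    by_key: dict = field(default_factory=dict)        # identity key -> pseudonym
    by_pseudonym: dict = field(default_factory=dict)  # pseudonym -> direct identifiers

    def pseudonym_for(self, record):
        # The same person must receive the same pseudonym so records stay linkable.
        key = tuple(record[f] for f in DIRECT_IDENTIFIERS)
        if key not in self.by_key:
            # A random token carries no information about the person, unlike an
            # unkeyed hash of the identifiers, which could be reversed by guessing.
            token = secrets.token_hex(8)
            self.by_key[key] = token
            self.by_pseudonym[token] = dict(zip(DIRECT_IDENTIFIERS, key))
        return self.by_key[key]


def generalise_indirect(record):
    """Coarsen indirect identifiers that could single someone out in combination."""
    out = dict(record)
    # Keep only the birth year: useful for analysis, far less identifying.
    out["birth_year"] = int(record["date_of_birth"][:4])
    # Keep only the leading two digits of the postcode (a region, not a suburb).
    out["postcode"] = record["postcode"][:2] + "xx"
    return out


def pseudonymise(records, table):
    """Return a new data set with direct identifiers replaced by a pseudonym."""
    result = []
    for rec in records:
        pseudo = generalise_indirect(rec)
        pseudo["pseudonym"] = table.pseudonym_for(rec)
        for f in DIRECT_IDENTIFIERS:
            del pseudo[f]
        result.append(pseudo)
    return result


def reidentify(pseudo_record, table):
    """Attribution back to a person is only possible with the separate mapping table."""
    return table.by_pseudonym[pseudo_record["pseudonym"]]


def contains_direct_identifiers(records):
    """Check used to confirm no direct identifier survived in the released data."""
    return any(f in rec for rec in records for f in DIRECT_IDENTIFIERS)


if __name__ == "__main__":
    table = MappingTable()
    for rec in pseudonymise(SAMPLE_RECORDS, table):
        print(rec)
    print("mapping entries held separately:", len(table.by_pseudonym))
```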

The EU Commission announces the publication of general purpose AI code of practice

March 12, 2025

The European Commission has released the third draft of the General-Purpose AI Code of Practice. It includes commitments by providers of general-purpose artificial intelligence (AI) models, including:

  • documentation: the signatories commit to drawing up and keeping up-to-date model documentation, including ensuring quality, security, and integrity of the documented information and providing it to providers of AI systems and to the AI Office upon request; and
  • copyright policy

Providers of general-purpose AI models with systemic risk must commit to:

  • adopting and implementing a Safety and Security Framework that will apply to the AI models with systemic risk, as well as detail the systemic risk assessment;
  • conducting systemic risk assessment systematically at appropriate points along the entire model lifecycle;
  • selecting and further characterizing systemic risks;
  • determining the acceptability of the systemic risks;
  • implementing technical safety mitigations along the entire model lifecycle of the model, and ensuring they are proportionate and state-of-the-art;
  • mitigating systemic risks that could arise from unauthorized access to unreleased models;
  • reporting to the AI Office on the safety and security of the models;
  • carrying out adequacy assessments;
  • implementing systemic risk responsibility allocation;
  • obtaining independent external systemic risk assessments, including model evaluations;
  • keeping track of, documenting, and reporting serious incidents to the AI Office and, as appropriate, to national competent authorities;
  • ensuring protections on non-retaliation against any worker providing information about systemic risks;
  • notifying the AI Office of relevant information and the implementation of commitments;
  • carrying out documentation, as prescribed by the code of practice and the Artificial Intelligence Act (AI Act); and
  • implementing public transparency on systemic risks stemming from their AI models with systemic risk.

The AI Office will:

  • report on the feedback received from stakeholders on the template for an adequate public summary of the training data under Article 53(1)(d) of the AI Act and outline the next steps for adopting the template; and
  • publish guidance clarifying the scope of the AI Act rules for general-purpose AI, including information on:
    • the definitions of general-purpose AI models;
    • placement of models on the market and providers;
    • exemptions for models provided under free and open-source licenses; and
    • the effects of the AI Act on models placed on the market before August 2025.

The press release Read the rest of this entry »

Office of the Information Commissioner attends Estimates

March 1, 2025


Senate Estimates is an annual event. For Governments it is a mandatory evil. For oppositions it promises to reveal a cornucopia of information to embarrass the government and burnish its credentials. For the agencies, in particular the public servants who front the various Estimates Committees, it is a burden to be carried as part of the job. This year the Information Commissioner’s attendance before the Legal and Constitutional Affairs Legislation Committee proved to be no different. The Commissioner’s opening statement was the usual anodyne, nothing-to-see-here statement, providing:

With the chair’s leave I take this opportunity to acknowledge the committee’s role and in doing so provide a brief opening statement outlining the important work of the Office of the Australian Information Commissioner (OAIC).

I appear today with the assistance of the FOI Commissioner Ms Toni Pirani and with the chair’s leave the Privacy Commissioner Ms Carly Kind appearing via link and Executive General Manager, Information Rights Ms Ashleigh McDonald.

Supported by our new organisational structure we are better positioned to operate as a contemporary and proactive regulator. Some of our recent initiatives and outcomes demonstrate our future direction. We have:

    • commenced preliminary inquiries into the privacy impacts of connected vehicles
    • commenced the development of a Children’s Online Privacy Code
    • developed a public facing dashboard to ensure that agency freedom of information (FOI) data is reported and presented more effectively
    • We will shortly deliver a report examining the use of messaging apps by Australian government agencies
    • We are building our strategic intelligence capabilities.

To deliver a proactive and contemporary regulatory approach to benefit the Australian community, agencies and industry alike, we will also focus on building staffing capabilities through an investment in new ways of working and professional development. Within our budgetary parameters, our technology and systems will also be a focus to support our new direction.

However, we are also mindful to deal with our core case management responsibilities and reduce our backlog in both FOI and privacy cases. Our resources are challenged by a 25% increase in FOI Information Commissioner review (IC review) applications compared to the same period last year. This is against a backdrop of an increase in FOI IC review applications over the last 5 years that is estimated to double the number of FOI IC review applications received in 2019–20. We also face an overall growth in privacy case work and increasing complexity in our case work arising from digital services and emerging technologies. This has a particular impact on our privacy case work.

Our enforcement capabilities have been assisted by an increase of funding in recognition of the complexities of enforcement. Similarly designated funding has been provided to the OAIC to develop the Children’s Online Privacy Code and guidance regarding the social media age limit.

Our appearance and preparatory papers are informed by data as at 15 January 2025.  However, to assist the committee, as at 23 February 2025 the OAIC 2024–25 case statistics are as follows:

    • 1,279 FOI review applications were received and 1,494 finalised.
    • 196 FOI complaints were received and 216 finalised.
    • 1,966 privacy complaints were received and 1,687 finalised.

During this period, we also finalised a number of complex privacy matters that have delivered a strong enforcement message and importantly established our expectations of the regulated community. In doing so, we are upholding the rights of privacy and information access enshrined in statute by the Australian Parliament and better serving the values and expectations of the Australian community.

I wish to acknowledge the significant work and expertise of the OAIC leadership in taking forward this major change program and recognise with gratitude OAIC staff for their dedication and commitment as we secure the fundamental human rights of privacy and information access in an increasingly complex environment.

The hearing before the Estimates Committee focused on the reduction in staffing in the Office from 200 to 138 staff, a 23% reduction. Also of interest is the Privacy Commissioner’s admission that the findings of the Property Lovers determination are not being complied with. In short, the behaviour complained of is continuing. The Privacy Commissioner is investigating what to do next.

An understaffed office is bad news for effective regulation. That has been a chronic problem for this office. Fortunately there will be a statutory tort as of June 2025, so in many cases individuals will not need to rely on the Commissioner taking up an investigation from a member of the public.

The Transcript provides:

CHAIR: With 20 minutes to go in our hearing, we’re going to politely and apologetically, dismiss the Australian Human Rights Commission. We won’t get to them this evening. We thank them for their time and for travelling. We do have questions for them, but we won’t have time to put them. We thank them for their ongoing work, particularly in the current environment. I know they’re working very hard. So thank you very much.

Welcome, commissioners. Do you have an opening statement you’d like to table?

Ms Tydd : I do have a very brief opening statement and I’m happy to table that.

CHAIR: Thank you very much. That will be circulated to senators so they can read from that when they have it in front of them. In the meantime, I’ll pass the call to Senator Scarr.

  Senator SCARR: Commissioner, how many staff have left the OAIC since August last year?

Ms Tydd : I don’t think I could speak with authority from the date of August, but I can give you the very high-level numbers of staffing pre and post our organisational redesign.

  Senator SCARR: Can you give me the dates for the organisational redesign, so I can calibrate that with my August date.

Ms Tydd : Yes. That was finalised in mid-November, about 17 November. The organisational redesign responded to our significant budgetary situation, in which we would be operating at a deficit. Action was taken around that. At the time, in July, we had an FTE of just over 200. Our organisational redesign that allowed us to operate within our budgetary parameters—

  Senator SCARR: Sorry; it’s late. I’ve got to get these numbers right. In July your FTE was just over 200?

Ms Tydd : Correct. And our ASL cap came down to 173. We knew that within our budgetary parameters we’d need to operate at around 165. We didn’t purely look at staffing levels in relation to meeting our budgetary parameters; we looked at a range of measures. They included external supply costs. Legal costs were something that we focused on as well. So, yes, we were required to reduce staffing in response to our revised budgetary parameters, and that process was completed around mid-November.

  Senator SCARR: Okay. What were the FTE numbers as at mid-November, when you completed that process?

Ms Tydd : There probably was still some lag. I’d say it would be about 175. I’ll see if I have any dates that will help you further. I can tell you that as at 18 December, as we were still working through that process, our staffing level was 175.

  Senator SCARR: Do you have the data as at today or the most recent data as at the end of the month? Do you have any most recent data?

Ms Tydd : As at 29 January, it was 138.4.

  Senator SCARR: So you went from 175 as at 18 December—that was the figure you gave?—

Ms Tydd : Correct.

  Senator SCARR: to 138.4 as at 29 January?

Ms Tydd : That’s correct, with a headcount of 156.

  Senator SCARR: Okay, so you’ve got part-time—

  Senator SHOEBRIDGE: So as we don’t have to traverse across this, do you mind if I ask: you’ve been talking FTE all the time through, so these have all been the same dataset of FTE, full-time equivalents?

Ms Tydd : Yes.

  Senator SCARR: So you went from—we’ll try and use the common terminology—FTE as at 18 December of 175 to FTE as at 29 January, which is only a month later, of 156. Is that correct?

Ms Tydd : The figure I have is 138.4.

  Senator SCARR: 175 to 138.4?

Ms Tydd : Yes. They’re the figures I have before me. Read the rest of this entry »

Patient information from the Genea data breach posted on the dark web.

February 27, 2025


Exactly a week ago I posted on the Genea data breach and raised concerns about the way it was handling the matter. The public statement was dreadful and it was clear from the subsequent reporting that it was keeping a lot of information away from the public eye, information that is commonly provided by US companies when they suffer data breaches. That dreadful approach has given way to a much more expansive attitude, with a long statement on 24 February 2025 and notice of an injunction yesterday.

The Genea statement of 24 February provides:

We are endeavouring to communicate with all current and former Genea patients the latest updates of our investigation into the incident. A copy of our communication is included below.
 
Thank you for your patience as we investigate the cyber incident that has impacted our organisation (Genea Pty Limited). We understand that hearing about an incident like this can cause concern and we sincerely apologise for this. We want to reassure you that our teams of specialists, nurses, scientists and support staff are working tirelessly to minimise any impact to the treatment of our patients which is always our highest priority. Our technology teams have also been working around the clock with cyber security professionals to securely restore our systems while progressing our investigation.
 
We are committed to doing all we can to protect your privacy. In this letter, we’ll step you through what happened, what types of personal information relating to you may have been involved in the incident and identify clear steps you can take to help ensure your information is protected.

What has happened?

On 14 February 2025, we became aware of suspicious activity on our network. Following this, we promptly launched an investigation to determine the nature and scope of the activity. In the course of these investigations, Genea discovered that it had been impacted by a cyber security breach.  
 
Since the incident, we have undertaken extensive remediation efforts and actions in line with our incident response process to prevent reoccurrence. This has involved securing our networks in partnership with our cybersecurity partners and bringing our core systems online to ensure that we can continue to provide the very best care to our patients.
 
We advised in our prior communication that we were continuing to investigate the nature and extent of data that had been accessed and the extent to which it contained personal information. As a result of our ongoing investigation, we now believe the attacker may have accessed and taken personal information which we hold.
 
We have notified the Office of the Australian Information Commissioner and the Australian Cyber Security Centre of the incident. We are meeting with the National Office of Cyber Security, the Australian Cyber Security Centre and other government departments to discuss the incident with them.
 
Our investigation is ongoing, and we will continue to communicate any relevant updates to you.
 

What personal information has been impacted?

Our investigation has identified that Genea’s patient management systems, which contain information about you, were accessed by an unauthorised third party. We stress that at this point in time it is unknown what personal information within the folders on the patient management system has been compromised. However, the folders on the patient management system include the following types of your information:

Read the rest of this entry »