Privacy and Other Legislation Amendment Bill 2024 – Government moves the Second Reading and publishes Second Reading speech

October 8, 2024

The Government has published the Second Reading Speech and adjourned debate on the Bill. The Second Reading Speech is dated 12 September 2024; however, the Daily Program lists the Speech as being moved today. It only recently appeared on the Bill’s homepage.

The Bill gives the Privacy Commissioner more flexibility in enforcement, allowing for infringement notices and new civil penalties. The real issue is getting the Commissioner to use those powers. The existing civil penalty provisions have only been used twice, and then only very recently; neither case has reached a resolution.

The statutory tort for serious invasions of privacy is welcome; however, the exemption carve-outs for journalism, law enforcement and security limit its effectiveness. There is no consideration of whether the actions of the journalist are excessive and irresponsible in breaching a person’s privacy. In the UK there is a balancing between Article 8 (the right to privacy) and Article 10 (freedom of expression) as it applies to the media.

There is specific provision for the development of a Children’s Privacy Code. According to the Attorney-General, the Code is designed to align the protections with those that exist overseas.

Doxxing will be criminalised.

There are other provisions which clarify the sharing of information when there are data breaches and during emergencies and regarding overseas data flows.

The amendments are conservative and modest but a move in the right direction. These changes will not make Australia’s Privacy Act the gold standard, but if the further reforms proposed by the Attorney-General’s Department are implemented then the level of protection will allow for more effective regulation and protection.

The Second Reading Speech provides:

Introduction

The digital economy has unleashed enormous benefits for Australians. But it has also increased the privacy risks we face through the collection and storage of enormous amounts of our personal data.

The Privacy Act 1988 represented the first time that a comprehensive, integrated set of legal rules protecting interests in privacy existed in Australia. On introducing it, Attorney-General Lionel Bowen told the parliament that ‘enormous developments in technology for the processing of information are providing new and, in some respects, undesirable opportunities for the greater use of personal information.’

In that respect, little has changed. Evolutions in technology and the way people use it continue to vex those who share information online, and those charged with regulating it. It is essential that Australians are protected by a legal framework that is flexible and agile enough to adapt to changes in the world around them.

The Privacy Act has not kept pace with the adoption of digital technologies. The vast data flows that underpin digital ecosystems have also created the conditions for significant harms—like major data breaches that have revealed the sensitive information of millions of Australians, exposing us to the risk of identity fraud and scams.

US Department fines Providence Medical Institute $240,000 after ransomware attacks

In the United States the fines for breaches of data security can be quite heavy, much heavier than in Australia. As in Australia, there is more than one regulator that can take action against organisations on various grounds for breaches of data security. The US Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced (found here) a notice of final determination finalising a civil penalty of $240,000 against Providence Medical Institute for potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule, following an investigation of a ransomware attack breach report. The final determination is found here.

As is often the way, the background has quite a long history. In July 2016, Providence acquired the Center for Orthopedic Specialists and initiated a two-year transition plan linking the Center for Orthopedic Specialists’ IT system into Providence’s IT structure. In April 2018 Providence filed a breach report which resulted in an investigation. The breach report concerned the unauthorized access to and encryption of the Center for Orthopedic Specialists’ systems on February 18, 2018, February 25, 2018, and March 4, 2018. The attacks compromised

Court of Justice of the European Union rules that Meta must minimise the amount of personal information it uses for personalised advertising, in this case about sexual orientation

October 7, 2024

Max Schrems has struck again. He has been successful in his claim against Meta over the use of data about a user’s sexual orientation in personalised advertising, as reported by the BBC in Meta must limit data for personalised ads – EU court and by Breaking News in Activist wins privacy case against Meta over personal data on sexual orientation.

Meta and other social media platforms use data to drive the effectiveness of personalised ads. That means the collection of data, especially personal information, is a priority. In practice sensitive information, such as sexual orientation, may assist in refining the nature of ads directed at a person.

The final judgment has not yet been published.

The BBC article provides:

Facebook-owner Meta must minimise the amount of people’s data it uses for personalised advertising, the EU’s highest court says.

The Court of Justice for the European Union (CJEU) ruled in favour of privacy campaigner Max Schrems, who complained that Facebook misused his personal data about his sexual orientation to target ads at him.

In complaints first heard by Austrian courts in 2020, Mr Schrems said he was targeted with adverts aimed at gay people despite never sharing information about his sexuality on the platform.

The CJEU said on Friday that data protection law does not unequivocally allow the company to use such data for personalised advertising.

“An online social network such as Facebook cannot use all of the personal data obtained for the purposes of targeted advertising, without restriction as to time and without distinction as to type of data,” it said.

Data relating to someone’s sexual orientation, race or ethnicity or health status is classed as sensitive and carries strict requirements for processing under EU data protection law.

Meta says it does not use so-called special category data to personalise adverts.

“We await the publication of the Court’s judgment and will have more to share in due course,” said a Meta spokesperson responding to a summary of the judgement on Friday.

They said the company takes privacy “very seriously” and it has invested more than five billion Euros “to embed privacy at the heart of all of our products”.

Facebook users can also access a wide range of tools and settings to manage how their information is used, they added.

“We are very pleased by the ruling, even though this result was very much expected,” said Mr Schrems’ lawyer Katharina Raabe-Stuppnig.

“Following this ruling only a small part of Meta’s data pool will be allowed to be used for advertising – even when users consent to ads,” they added.


Court of Justice of the European Union publishes judgment concerning the Registry Entries Agency of Bulgaria’s refusal to delete certain personal data concerning an individual contained in a partnership agreement

The Court of Justice of the European Union (CJEU) has published its judgment (found here) concerning the Registry Entries Agency of Bulgaria’s refusal, under the General Data Protection Regulation (GDPR), to delete certain personal data concerning an individual contained in a partnership agreement published in the commercial register.

The claimant was a partner of a limited liability company under Bulgarian law.

On July 8, 2021, the claimant asked the Agency to delete the personal data contained in the partnership agreement, specifying that consent was withdrawn. The Agency did not respond, which led to a claim before the Administrative Court of Dobrich, which annulled the Agency’s implied refusal to delete the data and referred the case back to the Agency for a new decision. The Agency responded by letter, providing a certified copy of the relevant partnership agreement with the individual’s personal data concealed, with the exception of that required by law.

The individual claimant again brought an action before the Administrative Court seeking the annulment of the letter and an order that the Agency compensate the individual for the non-pecuniary damage caused by the letter, which infringed the rights conferred by the GDPR. The Administrative Court annulled the letter and ordered the Agency to compensate the individual for non-pecuniary damage pursuant to Article 82 of the GDPR. The Agency appealed to the Supreme Administrative Court, which subsequently referred the case to the CJEU.

The CJEU found:

  • that Directive 2017/1132 does not impose on a Member State an obligation to authorize the publication, in the commercial register, of a partnership contract subject to the mandatory publication provided for by the Directive and containing personal data other than the minimum personal data required, the publication of which is not required by the law of that Member State.

The Court of Justice of the European Union has published a judgment on health related data

The CJEU has found that the General Data Protection Regulation (GDPR) does not preclude national legislation that confers on competitors of an alleged perpetrator of a GDPR infringement the right to bring civil proceedings against the alleged perpetrator on the grounds of such infringements and on the basis of the prohibition of unfair commercial practices. The Court also found that information that customers enter when ordering medicine online, such as names, delivery addresses, and elements necessary for the individualisation of medicines, constitutes data concerning health, even when the sale of such medicines is not subject to a medical prescription.

The Court found that:

  • those data are capable of revealing information about the health status of an identified or identifiable data subject by means of an intellectual operation involving comparison or deduction because a link is established between that person and a medicinal product, its therapeutic indications or its uses, irrespective of whether that information concerns the customer or any other person for whom the customer places the order.
  • in the absence of a prescription, it is immaterial whether it is only with a certain degree of probability and not with absolute certainty that those medicinal products are intended for the customers who ordered them.
  • to make a distinction according to the type of medicinal product and to whether or not the sale of those medicinal products requires a prescription would be contrary to the GDPR’s objective of ensuring a high level of protection.
  • the seller must inform those customers in an accurate, comprehensive and easily understandable manner of the specific characteristics and purposes of the processing of those data and request their explicit consent to that processing.

The case arose from a dispute between two pharmacies on whether marketing pharmacy-only medicines on Amazon Marketplace constituted an unfair commercial act. The Regional Court of Dessau-Roßlau upheld this action whereas

T-Mobile ordered to pay $31.5 million for data breach

In the United States of America the regulators can impose very heavy penalties for data breaches. The Federal Trade Commission (“FTC”), the Securities and Exchange Commission (“SEC”) and the Federal Communications Commission (“FCC”) all have some jurisdiction relating to data security and bringing a complaint over data breaches. The most recent instance of a regulator taking action is T-Mobile’s settlement of a claim by the FCC over cyber security data breaches, as reported by Geekwire in T-Mobile to pay $31.5M in settlement with FCC over cybersecurity data breaches and US reaches $31.5 million settlement with T-Mobile over data breaches. This is on the back of a settlement in September between the FCC and AT&T relating to a data breach in January 23 for the sum of US $13 million, as reported by Reuters.

The Geekwire article provides:

T-Mobile will pay $31.5 million in a data protection and cybersecurity settlement with the Federal Communications Commission, resolving investigations into data breaches that impacted millions of U.S. consumers, the agency announced Monday.

Information Commissioner registers new Privacy (Credit Reporting) Code (version 3.0)

October 2, 2024

Credit codes under the Privacy Act 1988 are very important, and a breach of them can result in serious difficulties for a credit provider. The Information Commissioner has registered the Privacy (Credit Reporting) Code 2024. The Commissioner’s media release provides a useful summary of the features of the new Code, but it is an overview only. It is important for credit providers, and those who act for parties with credit-related matters, to read the Code carefully. It is important that credit providers incorporate the new requirements into their documentation and processes. While that may sound trite, the failure to do so is quite common, particularly among non-bank credit providers.

The media release

Hundreds of email addresses shared by Victorian Victims of Crime Assistance Tribunal email error

October 1, 2024

The ABC reports in Hundreds of email addresses shared in Victims of Crime Assistance Tribunal administrative error that the email addresses of victims of crime were accidentally shared in an email advising of changes to the compensation application process. It appears that the email was sent to multiple addressees (480 in the version the ABC has seen); however, the addressees were not blind copied, so each recipient could read the email addresses of the other recipients. The addresses included first and last names. VOCAT sent two recall emails, which means very little.

The damage is done. Given the addressees are victims of crime, some of which may involve stalking, the presumed damage would be greater than might otherwise be the case.

Damages in privacy cases have not been significant in Australia. That is primarily because there have been relatively few reported cases where damages have been considered. In the United Kingdom the courts also took a restrained approach to damages; however, with increased litigation and the bench’s greater understanding of how privacy breaches can impact a person, the awards have risen, and egregious privacy breaches have increased the ceiling over time. In Victoria a complaint can be made under the Privacy and Data Protection Act 2014, with VCAT hearing the complaint. Under section 77(1)(a)(iv) it has jurisdiction to award damages of up to $100,000. There has been only one instance where an award of damages has been made, Zeqaj v Victoria Police (Human Rights) [2018] VCAT 1733. In that case the breach was proved and an award in the sum of $1,000 was made. That is derisory. The analysis was also very disappointing, and not consistent with privacy litigation in the UK or the USA, let alone Europe. The jurisprudence in VCAT should not make a complainant optimistic. It is very difficult to succeed, hence the award provision in the Act is virtually a dead letter.

The Office of the Victorian Information Commissioner has a page titled Assessing compensation claims for loss in privacy complaints where it provides an overview of the law. It is fairly basic and not particularly sophisticated given the development of privacy in common law jurisdictions. It is useful given that all complaints must proceed through the Victorian Information Commissioner. Many complaints are mediated and resolved there. Better that than taking one’s chances in VCAT.

This type of error is all too common and especially prevalent in the public service. It is entirely preventable. Proper training and

Information Commissioner releases corporate plan for 2024 – 2025

September 30, 2024

Agencies release corporate plans. They are of variable quality and often drafted in terms vague enough to avoid criticism. The good plans say something, even if there is enough plausible deniability buried in their dense prose. The Information Commissioner’s media release keeps with this approach.

It provides:

As the accountable authority, I am pleased to present the 2024–25 Office of the Australian Information Commissioner (OAIC) corporate plan for the 2024–25 to 2027–28 reporting periods, as required under paragraph 35(1)(b) of the Public Governance, Performance and Accountability Act 2013.

As an independent statutory agency, our office regulates privacy and freedom of information (FOI) under the Commonwealth Privacy Act 1988 and the Freedom of Information Act 1982 (FOI Act) and has information policy functions under the Australian Information Commissioner Act 2010. This corporate plan sets out our key activities and how we measure our performance.

Operation Turton, IBAC’s special report into hacking and misuse of information highlights the overlap of security, corruption and basic issues of privacy and data security. And the inadequacy of Australian privacy regulation

September 25, 2024

The Parliament of Victoria tabled a special report by Victoria’s Independent Broad-based Anti-corruption Commission (“IBAC”) titled Operation Turton. It is a report about repeated instances where employees inappropriately accessed and misused sensitive information at the Metropolitan Fire Brigade (MFB). It has been reported in the Australian and the Age. The investigation concluded in 2021.

The Report clearly goes to the behaviour of individuals and the misuse of private information for improper purposes. But for privacy practitioners it is a useful report to show the need for proper data security practices and training. Fire Rescue Victoria had clear vulnerabilities in its data security which allowed for the breaches that occurred.

In the analog age there was misuse of information contained in documents. Reports and correspondence were copied and leaked. The challenges of controlling information flow grew with the digitisation of documents, the use of email and other means of leaking material. Under privacy legislation in every jurisdiction, governments and organisations must maintain adequate data security. That includes password protections and requiring proper authorisation to access certain documents. But every system has vulnerabilities, the prime one being a failure to properly maintain data security standards and check for weaknesses.

The Report:

  • identified five separate incidents where MFB information was accessed or disclosed without authorisation, with three incidents involving public servants from MFB’s Information and Communications Services business area.
  • found individuals shared sensitive MFB information directly with the United Firefighters Union (UFU) without permission.
  • found that Mr Marshall sought assistance from employees to inappropriately gather sensitive information on internal investigations related to him, executive contracts and another confidential organisational matter.
  • identified MFB was operating with significant information security vulnerabilities and under a restrictive agreement with the UFU that impaired MFB’s ability to address issues.

The recommendations include:

Recommendation 1
Fire Rescue Victoria develops clear policies and procedures regarding the matters that may be the subject of consultation with employees and their representatives at the Consultation Committee, and in what circumstances Fire Rescue Victoria information may be disclosed to employees and their representatives to inform that consultation.

Recommendation 2
Fire Rescue Victoria addresses the information and communication technology security vulnerabilities and risks identified in Operation Turton by:
(a) actioning the consolidated findings of the audit and reviews conducted in this area since 2018