Google settles YouTube lawsuit which alleged it interfered with children’s privacy by collection of personal information without consent. The sum of the settlement is $30 million

August 24, 2025

There are strong protections for children’s privacy in the USA, notably COPPA. There is also constant pressure to collect personal information to assist in targeting ads. Google was accused of collecting personal information when children accessed YouTube without parental consent. It is reported by Reuters in Google settles YouTube children’s privacy lawsuit. It is also covered by Malwarebytes with Google settles YouTube lawsuit over kids’ privacy invasion and data collection. While a settlement of $30 million is a large figure in absolute terms, it is important to note that Alphabet, Google’s owner, posted a net income of $62.7 billion on $186.7 billion in the first half of 2025.

The Reuters article provides:

Google will pay $30 million to settle a lawsuit claiming it violated the privacy of children using YouTube by collecting their personal information without parental consent, and using it to send targeted ads.

A preliminary settlement of the proposed class action was filed on Monday night in San Jose, California, federal court, and requires approval by U.S. Magistrate Judge Susan van Keulen.


Federal Trade Commission writes letter to technology companies warning them against censoring or weakening data security of Americans at request of foreign powers. Meanwhile the UK government says it will not seek back doors for programs

August 22, 2025

The demand by some governments to have a back door to end-to-end encryption is hugely controversial. The National Security Agency in the United States had Yahoo install a backdoor for NSA’s use in 2014/5, although Yahoo says it challenged the NSA about this. In 2015 it built custom software to search clients’ incoming emails. Since 2013 the NSA has been keen to get around or through encrypted messaging. In February this year the UK ordered Apple to let it have access to users’ encrypted accounts. In 2015/2016 Apple was embroiled in a dispute with the FBI. The FBI wanted Apple to unlock phones whose data was cryptographically protected. Apple refused and objected to at least 11 orders issued by the US District Courts.

The US government is concerned that overseas governments are attempting to weaken the level of encryption and data security. This directive, for want of a better word, poses real challenges for companies operating in other jurisdictions. Like Australia. But the US policy has had an impact, with the UK agreeing to drop its plan for an encryption backdoor mandate for Apple.

The chairman of the Federal Trade Commission (“FTC”) has written letters to the largest and best known cloud computing, data security, social media, computer and other technology companies warning them not to censor themselves or weaken the data security of Americans if asked by foreign governments. The rationale is set out in its media release titled FTC Chairman Ferguson Warns Companies Against Censoring or Weakening the Data Security of Americans at the Behest of Foreign Powers.

The media release provides:

Federal Trade Commission Chairman Andrew N. Ferguson sent letters today to more than a dozen prominent technology companies reminding them of their obligations to protect the privacy and data security of American consumers despite pressure from foreign governments to weaken such protections. He also warned them that censoring Americans at the behest of foreign powers might violate the law.

The letters were sent to companies that provide cloud computing, data security, social media, messaging apps and other services and include: Akamai, Alphabet, Amazon, Apple, Cloudflare, Discord, GoDaddy, Meta, Microsoft, Signal, Snap, Slack and X.

The letters noted that companies might feel pressured to censor and weaken data security protections for Americans in response to the laws, demands, or expected demands of foreign powers. These laws include the European Union’s Digital Services Act and the United Kingdom’s Online Safety Act, which incentivize tech companies to censor worldwide speech, and the UK’s Investigatory Powers Act, which can require companies to weaken their encryption measures to enable UK law enforcement to access data stored by users.

“I am concerned that these actions by foreign powers to impose censorship and weaken end-to-end encryption will erode Americans’ freedoms and subject them to myriad harms, such as surveillance by foreign governments and an increased risk of identity theft and fraud,” Chairman Ferguson wrote.

The letter noted that as companies consider how to comply with foreign laws and demands, they are still required to comply with the FTC Act’s prohibition against unfair and deceptive practices in the marketplace. For example, if a company promises consumers that it encrypts or secures online communications but then adopts weaker security in response to demands from a foreign government, such an action could be considered a deceptive practice under the FTC Act, the letter noted.

The FTC has brought dozens of cases over the past two decades against companies that have failed to keep their promises to consumers to deploy reasonable safeguards to protect consumer data. 

The model letter sent to the companies provides, without footnotes:


The Game Meats Company of Australia Pty Ltd v Farm Transparency International Ltd [2025] FCAFC 104 (13 August 2025); constructive trust imposed over copyright of video images taken by trespasser. Gummow and Hayne vindicated

The Full Bench of the Federal Court in The Game Meats Company of Australia Pty Ltd v Farm Transparency International Ltd [2025] FCAFC 104 upheld an appeal from the decision of Snaden J in The Game Meats Company of Australia v Farm Transparency International Ltd [2024] FCA 1455, where his Honour held that video images taken by trespassers were not held on trust for the owner of the property. The balance of the primary judge’s decision was unaffected by the appeal. It is a very significant decision and important for intellectual property and privacy practitioners.

FACTS

The appellant (GMC):

  • operates a halal abattoir in Eurobin, Victoria, which slaughters and processes goats for export under a licence [3].
  • operates from private premises (the Eurobin Premises) which:
    • was secured by means of a six-foot cyclone metal chain and barbed wire fence located around its perimeter.
    • was accessible by an electronically-controlled iron gate, which is typically kept closed.
    • had signs outside the gate, which relevantly stated “Restricted Area. Do Not Enter, Authorised Personnel Only”, and “Stop. All Visitors Must Report to the Office” [3].

The respondent (FTI) is an animal protection advocacy operation which aims, among other things, to educate members of the public about matters concerning animal exploitation and suffering at farms, slaughterhouses and other commercial businesses [4].

On seven occasions between 9 January and 13 April 2024, FTI’s employees or agents:

  • gained access to the Eurobin Premises for the purposes of installing and later retrieving covert video recording equipment.
  • entered the Eurobin Premises at night by crawling under a section of the perimeter fence without the knowledge or authority of GMC.
  • were trespassing as agents of FTI and with its authority [5]

The equipment that FTI installed was used to obtain footage of activity within the Eurobin Premises. From that footage, FTI created a video of 13 minutes and 57 seconds in duration (the 14-minute Footage) [5].

On 3 May 2024, an employee of FTI sent the 14-minute Footage by way of complaint to the Department of Agriculture, Fisheries and Forestry (the Department) [6].

On 5 May 2024, an officer of the Department sent a copy of FTI’s complaint to GMC [6].

On 13 or 14 May 2024, FTI sent the 14-minute Footage to a local television news network (Channel Seven), which ran a story about the matters depicted in it on 17 May 2024, although it did not publish the footage itself [6].

On 17 May 2024, FTI uploaded the 14-minute Footage on its website, together with a media release and a number of still images obtained from the 14-minute Footage [6].

On 17 May 2024 GMC commenced the present proceedings [6].

An expedited final hearing was conducted on 5–9 August and 3 September 2024 and the Primary Judgment was delivered on 19 December 2024 [7].

The primary judge:

  • awarded GMC damages in the sum of $130,000, comprising:
    • general damages of $30,000 and
    • exemplary damages of $100,000.
  • held that GMC:
    • was not entitled to an injunction to restrain FTI from publishing any of the video footage that it obtained at the Eurobin Premises,
    • was not entitled to the benefit of a constructive trust over the copyright in the 14-minute Footage [7].
  • found that by sending the 14-minute Footage to Channel Seven and publishing it on the FTI website:
    • FTI sought to subject GMC to a measure of publicity that could only ever have been harmful to GMC,
    • those publications were made in pursuance of FTI’s objective to end all forms of business that involved causing harm to animals:
  • held that the making of those publications was actuated by a desire to harm GMC’s business
  • found that FTI’s purpose in seeking to publish the 14-minute Footage was to visit loss upon GMC and harm it commercially,
  • described FTI’s intention as being to subject GMC to a “public shaming campaign”:
  • found that it was more likely than not that, if it was able to publish the footage that it has obtained, FTI would use (or seek to use) the ensuing publicity to further its objectives, both in terms of its advocacy of “meat-free living” and its ongoing efforts to raise funds in support of its activities [8]
  • refused to find that FTI held the video footage on constructive trust for GMC.

The issue of constructive trust was the core of the appeal by GMC.

DECISION

The Full Bench upheld the appeal.

Justices Burley and Horan concurred with Jackman J’s reasons.  

Jackman J reviewed the High Court decision of Australian Broadcasting Corporation v Lenah Game Meats Pty Ltd [2001] HCA 63; (2001) 208 CLR 199 (ABC v Lenah), specifically the judgments of Hayne and Gummow JJ, which stated:

  • that where a cinematograph film is made in circumstances involving the invasion of the legal or equitable rights of the plaintiff or a breach of the obligations of the maker to the plaintiff it may then be inequitable and against good conscience for the maker to assert ownership of the copyright against the plaintiff and to broadcast the film.
  • in those circumstances:
    • the maker may be regarded as a constructive trustee of an item of personal (albeit intangible) property, namely the copyright conferred by s 98 of the Copyright Act 1968 (Cth) (the Copyright Act). 
    • the plaintiff may obtain:
      • a declaration as to the subsistence of the trust and
      • a mandatory order requiring an assignment by the defendant of the legal (ie statutory) title to the intellectual property rights in question, noting that s 196(3) of the Copyright Act provides that an assignment of copyright does not have effect unless it is in writing signed by or on behalf of the assignor [9].
  • there is no objection in legal principle to the imposition of a constructive trust over the relevant copyright which was created by means of unlawful conduct if the circumstances show that it is inequitable and against good conscience for the maker of the film to assert the copyright conferred by statute [10]. Jackman J noted that the passage was referred to with apparent approval by Kiefel CJ, Bell and Keane JJ in Smethurst v Commissioner of the Australian Federal Police [2020] HCA 14; (2020) 272 CLR 177 (Smethurst) at [84] [10]
  • there are authorities which discussed when copyright, although belonging to an author at law, was held on trust for another person, such as where it would be inequitable for the maker to claim copyright over the intellectual property. Those cases involve pre-existing relationships between the parties, such as works created by a partnership, a director or employee of a company, or copyright works brought into existence at the request of or on the instructions of an intended owner who has paid for the making of the work.
  • even when there is no pre-existing relationship it is possible a constructive trust may arise. The remedy was not imposed in that case as no claim was made by Lenah as to copyright over the cinematograph film (at [103]) [11]
  • unconscionable behaviour does not operate wholly at large as has been stated by the High Court in:
    • Garcia v National Australia Bank Limited [1998] HCA 48; (1998) 194 CLR 395 at [34], where Gaudron, McHugh, Gummow and Hayne JJ said that the statement that enforcement of the transaction would be “unconscionable” is to characterise the result rather than to identify the reasoning that leads to the application of that description.
    • Australian Competition and Consumer Commission v CG Berbatis Holdings Pty Ltd [2003] HCA 18; (2003) 214 CLR 51 at [43], where Gummow and Hayne JJ acknowledged that the uses of the terms “unconscionable” and “unconscientious” in diverse areas may have masked rather than illuminated the underlying principles at stake [16]


Office of the Victorian Information Commissioner releases the investigation into use of surveillance by the University of Melbourne during a student protest in 2024. The University breached Information Privacy Principle 1.3

August 21, 2025

The Privacy and Data Protection Commissioner has found that the University of Melbourne breached Information Privacy Principle (IPP) 1.3 in tracking its students who were engaged in a sit-in protest in May 2024 and a direction by the Vice Chancellor to leave on 20 May 2024.

The investigation is a useful consideration of IPP 1.3 and 2.1 of the Privacy and Data Protection Act (Vic). The analysis and principles are applicable in relation to the extent to which the collector of personal information informs those who own that information what it will be used for. The investigation considers whether the use was consistent with the purpose of gathering the information or a permissible secondary purpose.

Beyond making a finding against the University, the Information Commissioner’s Office could take no action against the University notwithstanding an egregious and serious breach of the Act. The only action that could be taken is a Compliance Notice, which is little more than a notice saying one should fix problems. That’s it. That highlights the fundamental weakness in the legislation. In the United Kingdom the Information Commissioner has the power to impose monetary penalties on agencies.

Notwithstanding the lack of meaningful action taken against the University by the regulator that does not mean those whose privacy was interfered with don’t have causes of action in the courts.  

The Report is 31 pages long but some relevant points made include:

Regarding Function creep

Foreword

Social licence and function creep are two important concepts in interpretation of the relationship between human rights and technology. When governments or other official bodies implement technology, society expects them to respect human rights, including the right to privacy. This is usually achieved through the preparation of a Privacy Impact Assessment, and through communication with affected stakeholders about the purpose of the technology and the ways in which its use will be governed.

The University engaged in function creep by using surveillance of users of on-campus Wi-Fi in disciplinary proceedings it began after a protest. The University introduced the Wi-Fi tracking capability some years ago, for the purpose of network management, with a reassurance that it would not be used to surveil individuals. The University subsequently used the capability for disciplinary purposes, because it was already in place, without substantially considering the human rights or privacy impacts of doing so. In failing to consult with stakeholders about the policy change, the University failed to obtain a social licence for the use of this technology.

and 

The delivery method for the Notices related to Wi-Fi use – an on-screen pop-up – was also not an effective mechanism for explaining complex terms and conditions.

and 

…the governance and authorising processes the University used to authorise access to staff email accounts fell below the standard the Deputy Commissioner expects. This access occurred after the urgency of protest had passed, and could have been dealt with more carefully

Cyber Security fails can have painful financial consequences. In the US Healthplex settles suit and pays $2 million for cyber security breach

August 20, 2025

Data breaches often bring on multiple levels of pain and repeated expense. The initial data breach involves the affected company bringing in technical experts to figure out where the breach occurred and undertake remedial action. Often cyber attackers leave compromised or wrecked systems in their wake, requiring reprogramming. Then there is the expense of dealing with the regulator or regulators for a prolonged period. In Australia, the regulator moves slowly so the process can be excruciating for companies. To that extent the recent comment by Malcolm Turnbull that companies regard data breaches as the cost of doing business is a little glib and a major generalisation. That said, his comments about complacency are spot on. In the United States the cost of data breaches includes civil claims by governments, usually through Attorneys General and Government departments. Last week the Department of Financial Services settled a claim with Healthplex for $2 million arising out of a data breach which violated state cyber security regulation. The settlement requires Healthplex to hire an auditor to examine the multi-factor authentication controls.

The statement by the Department of Financial Services provides:

New York State Department of Financial Services Superintendent Adrienne A. Harris announced today that Healthplex, Inc. (Healthplex) will pay a $2 million penalty to New York State for violations of DFS’s cybersecurity regulation (23 NYCRR Part 500). As part of the settlement, Healthplex has agreed to hire an independent auditor to examine the adequacy of Healthplex’s multi-factor authentication (MFA) controls.


National Institute of Science and Technology publishes ‘Lightweight Cryptography’ Standard to protect small networked devices from cyber attack

August 19, 2025

The National Institute of Science and Technology (“NIST”) has published a very valuable lightweight cryptography standard to protect information created and transmitted by the Internet of Things as well as other small electronics. It is very important for those developing small devices which require protection from cyber attack, which is pretty much all small internet connected devices. 

The NIST has published a page on Lightweight Cryptography. 


iiNet hacked with data relating to 280,000 customers affected

Another day, another data breach in Australia. This time iiNet has announced that it has suffered a data breach. Mode of entry: use of employee credentials to get into iiNet’s order management system. The breach is reported by The Australian in iiNet latest Aussie company to be hit by hackers. iiNet released a media release earlier today titled Cyber incident involving iiNet customers. As is the way, the story has been covered across the media, with News.com.au, Information Age, Australian Cyber Security Magazine, AFR and Cyber Daily amongst others.

This data breach will be hugely embarrassing for iiNet. Its whole image is based around being more accessible (not in that way) and different from other telco providers. And better in a geekier, more friendly but more efficient sort of way. Now it finds itself suffering the sort of data breach other big organisations suffer.

iiNet’s media statement is quite good. For Australia. It provides some detail of what happened and how, though much is not revealed. That will be revealed if the Privacy Commissioner takes action or there is a class action. But being as transparent as possible is preferable to saying virtually nothing, as Genea has done with its much more serious data breach. iiNet provided detail of the nature of the personal information stolen: emails (280,000), phone numbers (20,000) and user names, street addresses (10,000) and modem set up passwords (1,700). Distressing and damaging as that may be, it did not involve financial information, dates of birth and any other personal information. iiNet has been more specific than most in how it responded. It can’t help itself in advising how it is liaising with the ACSC, the NOCS and the OAIC. On a more relevant note, it has set up a dedicated hotline. That is an excellent initiative. By contrast Genea has been very difficult to contact and responses have been wholly unhelpful, enraging patients. It provided some preliminary advice on what to do and answers to frequently asked questions. Interestingly, iiNet responds to the question as to why it was holding information on people who are no longer customers of iiNet. The answer is somewhat mealy mouthed, including being due “to legal, regulatory, or operational requirements.” Mmmm.

The statement provides:

iiNet has been impacted by a cyber incident involving unauthorised access to its order management system by an unknown third party.

The iiNet ordering system is used to create and track orders for iiNet services, such as NBN connections. The system contains limited personal information. Importantly, it does not contain copies or details of customer identity document details (such as passport or driver’s licences), credit card or banking information.

What we are doing

Upon confirmation of this incident on Saturday, 16 August 2025, we enacted our incident response plan, began work to ensure the security of the system and to determine what occurred. We have engaged external IT and cyber security experts to assist with our investigation.

How hard is it to delete personal information held by companies online? It can be very, and unnecessarily, hard.

August 18, 2025

Australian Privacy Principles 12 and 13 of the Privacy Act 1988 permit individuals to have access to their personal information and correct that personal information respectively. Exercising those rights can be more complicated than it should be. Given companies engage in the over collection of personal information and are reluctant to remove personal information once they have no legitimate need for it, this poses a real problem. It is not an Australian only problem. It is a worldwide problem where many companies wrongly take the view that personal information is to do with as they see fit. That explains their common resistance to requests to delete personal information. This is explained in the excellent piece by The Markup with We caught companies making it harder to delete your personal data online.


Ex Prime Minister’s complaint about cyber attacks on Australian companies has merit but much could have been done earlier, when he had the power to do so.

There is nothing quite like an ex politician complaining about this or that aspect of the country when he/she did nothing about the problem when in power. It is even more galling when it is an ex Prime Minister. And so it is quite extraordinary that Malcolm Turnbull complains about the complacency in the market to cyber attacks in The Australian’s Malcolm Turnbull warns of alarming pattern in cyber attacks on Australian companies. What needs to be understood is that the poor privacy culture has been an endemic problem for decades. Successive Federal Governments have either ignored the issue or done the bare minimum. Turnbull was a minister in the Howard Government, which did as little as possible to reform the Privacy Act and did nothing to invigorate the Information Commissioner. The Abbott Government, where Turnbull was also a minister, reduced funding to the Information Commissioner and removed the Privacy Commissioner as a position. Turnbull was the Australian Prime Minister from 2015 – 2018. No privacy reform took place then even though the Australian Law Reform Commission had published Serious Invasions of Privacy in the Digital Era (ALRC Report 123) in 2014. It recommended comprehensive privacy reform. His Government also had in its possession For Your Information: Australian Privacy Law and Practice (ALRC Report 108), an even more comprehensive 2008 report recommending privacy reform. If those reports had been properly acted upon, the regulator had been properly funded, a more assertive person was at the helm of the regulator and the government had given a focus to cyber protection, things may have been different. If there had been proper prosecutions with real consequences for malefactors, the price of complacency may have been too high. But none of that happened and there is widespread complacency.

The article (in red), with a few of my comments (in black), provides:

Malcolm Turnbull has lambasted a pervasive culture of complacency for fuelling a spate of high-profile cyber attacks — including the strikes on super funds and Qantas — urging directors and executives to be more hands-on in protecting Australian customers.

His complaints have merit.  There is a culture of complacency.  

New data from cyber security firm Semperis has revealed almost half of all attacks are on understaffed weekends, with hackers repeatedly targeting the same businesses in the past year.

Despite the strikes, politicians and business leaders aren’t taking the breaches seriously enough, with Mr Turnbull – who advises Semperis – saying many are “treating ransomware attacks as just a cost of doing business”.

The Australian Cyber Security Centre publishes guidance for operational technology owners and operators to create and maintain asset inventories and risk management.

August 17, 2025

It is common for Australian companies and organisations to refer to liaising with the Australian Cyber Security Centre, amongst other authorities and agencies, after a data breach. It is so common that it is now boilerplate. All of that relates to damage mitigation. What is less common is organisations using the guides prepared by the ACSC to improve cyber security so as to prevent data breaches. The ACSC publishes quite good guides, as does the Information Commissioner, even if they tend to the general. Other resources include standards prepared by the NIST and the ISO series. The NIST guides, while highly technical, are the most useful. The UK Information Commissioner publishes guidelines which cover general issues as well as guides relating to UK legislation. Guidelines are already important but will take on greater significance as privacy related litigation grows. The question of whether a defendant acted reasonably and proportionately is likely to be determined on the facts having regard to appropriate standards and best practice. On 13 August 2025 the ACSC released Foundations for OT cybersecurity: Asset inventory guidance for owners and operators. For practitioners whose clients manage critical infrastructure it is an important document. It is generally useful in setting out the methodology for ordering and prioritising assets which may be the subject of internet access.

The Executive Summary provides:

When building a modern defensible architecture, it is essential for operational technology (OT) owners and operators across all critical infrastructure sectors to create an OT asset inventory supplemented by an OT taxonomy. Using these tools helps owners and operators identify which assets in their environment should be secured and protected, and structure their defenses accordingly to reduce the risk a cybersecurity incident poses to the organization’s mission and service continuity.