Sam and Brittany Groth have issued proceedings against the Herald and Weekly Times alleging a breach of the statutory tort of serious invasion of privacy.

August 30, 2025

Sam and Brittany Groth have issued proceedings in the Federal Magistrates Court against the Herald and Weekly Times alleging a breach of privacy or, more accurately, a breach of the statutory tort of serious invasion of privacy. The Court number is VID1130/2025 and there are 3 respondents: the Herald and Weekly Times, Stephen Drill and Sam Weir. The story is covered by 3AW (with audio) in Deputy opposition leader launches legal action over controversial reporting. The Australian Financial Review also covers it Read the rest of this entry »

Will the second tranche of Privacy law reform measures be introduced into Federal Parliament this term? It would be a reasonable assumption that it will. The Government is beginning to make soundings about reform.

August 29, 2025

In late July 2025 the Attorney General, Michelle Rowland, said to the Australian Financial Review that the Privacy Act was “not fit for the digital age”. She later said, during an appearance on Sky News’ Sunday Agenda regarding the Privacy Act, that “..Well, this is the second tranche of privacy reforms. I think it’s fair to say, Andrew, that Australians are sick and tired of their personal information not only being exploited for benefit by third parties, but also the way in which that information is not being protected. We’ve seen that in recent times with data breaches, both by Australian companies as well as multinational tech giants.”

Modern reform often begins with Ministers making noises about the need to address this or that reform, putting the issue onto the agenda. In the privacy context that was done in 2022 – 2023. The 2022 Privacy Act Review Report proposed 116 recommendations to reform the Privacy Act 1988.

The government accepted 38 of the proposed reforms and agreed to 68 in principle. It said it would implement the changes in phases. The first tranche, as it became known, was found in the Privacy and Other Legislation Amendment Act 2024 which passed in November 2024 and became law on 10 December 2024. It implemented 23 of the reforms, including the introduction of a statutory tort of privacy, anti-doxxing offences and a new tiered civil penalty regime, as well as the development of a new Children’s Privacy Code, which is currently the subject of consultation undertaken by the Office of the Australian Information Commissioner (OAIC). The obligation to disclose the use of personal information for automated decision making will commence in December 2026.

The Attorney General has now dropped two not very subtle hints that more privacy reform is required. There is nothing detailed about the what and the when, but that is not required. Starting the conversation is the key. Given the Government has already responded to a report’s recommendation, going from discussion to action is a short step.

When the second tranche will be introduced into Parliament as a Bill is the subject of some speculation. It is a more comprehensive set of reforms and some are Read the rest of this entry »

Privacy Commissioner of Canada issues guidelines for the use of biometric information following New Zealand Privacy Commissioner issuing biometrics code

Regulators are increasing their focus on the proper use of biometrics. Advances in technology have made the collection and mandatory use of biometrics more prevalent, even common in some industries. That has meant more attention by the regulators, as compliance is an issue when it comes to collection, storage, use and disposal of this sort of personal information. On 11 August 2025 the Privacy Commissioner of Canada issued its guidance on the use of biometrics. This follows the New Zealand Privacy Commissioner publishing rules on the use of biometrics earlier this month. The UK Information Commissioner has probably issued the most comprehensive biometric data guidance. While it is referable to UK legislation its general advice is very good. The Australian Information Commissioner has not published guidelines on biometrics but has advised that biometric information is sensitive information for the purpose of the Privacy Act 1988.

The key issues from the Canadian guidelines are:

  1. Collection, use and disclosure. Appropriate use
    • At the outset the organisation must have lawful authority for the collection, use and disclosure of biometric information. The issue is slightly different between sectors:
      • Public sector: In establishing whether Federal institutions have lawful authority to collect biometric information the information must directly relate to a government program or activity.
      • Private sector: organisations must identify a legitimate need for using biometrics. The collection and use must be effective, minimally intrusive and proportionate to its purpose.
  2. Consent
    • As with all privacy legislation consent is important. As the guidance states it must be valid, informed and meaningful. That includes advising people what biometric information will be collected, why it is needed, who it may be shared with and any risks of harm.
    • Biometrics is not the first and only option. Where biometrics are not integral to the service, alternatives must be offered.
  3. Privacy Impacts; Necessity and Proportionality

    As is good practice generally, prior to implementing a biometrics program there should be a privacy impact assessment. That means showing that biometrics are:

    • Necessary for a specific, legitimate and defensible objective;
    • Effective and reliable in achieving that purpose;
    • Minimally intrusive, with no less invasive alternatives available; and
    • Proportional, ensuring that privacy impacts are commensurate to the benefits gained.
  4. Limiting Collection, Use and Retention

    Organisations must only collect and use the biometric characteristics strictly necessary for the stated purpose. The process involves:

    • Favouring verification (one-to-one) systems over identification (one-to-many), where feasible;
    • Avoiding large, centralised biometric databases;
    • Avoiding the extraction of secondary information;
    • Limiting disclosure; and
    • Retaining biometric information only as long as necessary and destroying it once no longer required.
  5. Security/Safeguards

    This encompasses having measures to protect personal information against loss, theft or unauthorised access. Biometric information must be secured with physical, administrative and technical measures proportionate to its sensitivity. Best practice involves:

    • Encryption during storage and transmission;
    • Regular penetration testing and vulnerability assessments;
    • Control of employee access; and
    • Breach reporting.
  6. Accuracy

    It is important to have accurate information. The consequences can be even greater with biometric recognition. Erroneous information can lead to wrongful denial of services or misidentification. Best practice includes:

    • Adopting technologies with appropriate accuracy rates;
    • Testing systems in real-world conditions and across demographic groups to minimise bias and discrimination;
    • Monitoring accuracy on an ongoing basis, as system updates can affect performance; and
    • Developing procedures for false positives and negatives, ensuring timely resolution and human review where decisions have significant consequences.
  7. Accountability

    While holding biometric information organisations remain responsible for that biometric information even when using third-party service providers. In that respect organisations’ obligations include:

    • due diligence on service providers’ practices;
    • having contracts and information-sharing agreements that embed privacy protections;
    • establishing clear governance structures, audit rights and breach response plans; and
    • ensuring there is adequate employee training and oversight.
  8. Openness and Transparency

Read the rest of this entry »

The Australian Cyber Security Centre releases guidance on managing cryptographic keys and secrets

Cryptographic keys are a key part of any proper protection of an organisation’s operations, and the compromise of those keys can have a catastrophic effect on an organisation. The ACSC has developed a guide to assist organisations to develop a Key Management Plan to deal with internal and external threats. It should be used in conjunction with appropriate NIST standards. The guidance contains references, by way of hyperlink, to other guidance and publications. They should be read as well.

The guide relevantly provides:

The world is increasingly relying on online services, digitalisation of data and interconnected systems, cyber security is a vital way in which we protect critical sectors. Good security hygiene keeps participants from making mistakes and makes it harder for malicious cyber actors to cause damage. One important aspect of cyber security is cryptographic keys and secrets management systems. Cryptographic keys and secrets are required for services that secure data, provide integrity, confidentiality, non-repudiation and access control. Cryptographic keys and secrets are a critical asset of many organisations and a core component of cyber security, which must be carefully managed and protected throughout their life cycle.

The Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) and the Department of Industry Science and Resources (DISR) have developed this guide to help organisational personnel in understanding the threat environment and the value of implementing secure keys and secrets management to make better informed decisions.

The compromise of any private key or secret can have significant, or even severe, negative operational, financial and reputational impacts on an organisation. Organisations must seek to implement mitigations to ensure their organisational keys and secrets are protected and so they are positioned to respond quickly and effectively in the case of a security incident. Read the rest of this entry »

National Institute of Science and Technology releases revisions of its Privacy Control Catalog in response to a Presidential Executive Order. The purpose is to improve software update and patch releases

August 28, 2025

The National Institute of Science and Technology (NIST) provides invaluable support to those developing privacy and data security controls for businesses and government agencies. On 6 June 2025 Donald Trump issued an executive order titled SUSTAINING SELECT EFFORTS TO STRENGTHEN THE NATION’S CYBERSECURITY AND AMENDING EXECUTIVE ORDER 13694 AND EXECUTIVE ORDER 14144. Previous Presidents have issued Executive Orders to deal with threats to cyber security.

In response to the Executive Order NIST revised its catalog of security and privacy controls, focusing on improving the security and reliability of software updates and patches. The revisions are:

  • SP 800-53 Release 5.2.0 which addresses multiple aspects of the software development and deployment process, including software and system resiliency by design, developer testing, the deployment and management of updates, and software integrity and validation. 
  • updates to the control catalog through the Cybersecurity and Privacy Reference Tool (CPRT), which allows downloads of machine-readable formats, including OSCAL and JSON.

The Executive Order provides:

By the authority vested in me as President by the Constitution and the laws of the United States of America, including the International Emergency Economic Powers Act (50 U.S.C. 1701 et seq.), the National Emergencies Act (50 U.S.C. 1601 et seq.), section 212(f) of the Immigration and Nationality Act of 1952 (8 U.S.C. 1182(f)), and section 301 of title 3, United States Code, it is hereby ordered:

Section 1.  Amendments to Executive Order 14144.  Executive Order 14144 of January 16, 2025 (Strengthening and Promoting Innovation in the Nation’s Cybersecurity), is hereby amended by: Read the rest of this entry »

Safetrac allegedly installed surveillance without staff agreement

August 26, 2025

The Safetrac saga continues apace with allegations that it installed listening devices without consent or updating its surveillance policy. The AFR reports on these concerning developments in Safetrac surveillance installed without staff agreement: HR manager. Safetrac installed the Teramind program. Teramind proudly admits that its program is designed to Monitor, analyze, and manage employee activity to prevent insider threats, safeguard sensitive information, and optimize team performance. According to the piece Safetrac used microphones of employees’ laptops to record sound close to their computer from 15 April until 2 June 2025. Not so coincidentally the statutory tort of serious invasion of privacy came into effect on 10 June 2025. Safetrac amended its policy on use of surveillance equipment from 4 sentences to 2 pages. Whether that is sufficient to constitute proper awareness and consent is another story.

An interesting issue may be whether Safetrac used the Teramind program while monitoring compliance on behalf of some of its clients’ employees’ laptops and whether they were aware of it.

The article provides:

A top compliance firm that turned staff laptops into covert listening devices should have updated its surveillance policy before deploying its monitoring software, according to a statement by one of its human resources managers to the Victorian government’s workers’ compensation authority.

The Australian Financial Review can reveal WorkCover agent Allianz this month accepted that Safetrac should have got staff consent to its new surveillance policy introduced in June before it installed the software Teramind two months before to monitor underperformers.

The statement was outlined in reasons for WorkCover’s rare decision to grant workers’ compensation payments to a Safetrac staffer who it found developed anxiety when she discovered that she was under audio surveillance while she worked from home.

The decision could open a path for other Safetrac staff to claim compensation following allegations Safetrac did not specifically advise them it was using the microphones of select employees’ laptops to record sound close to their computer from April 15 to June 2.

Safetrac has said staff consented to the surveillance in their contracts and a four-sentence surveillance policy that said audio and images may be recorded during the course of their employment. It says it notified staff of “additional computer monitoring” at a company-wide town hall in February.

Read the rest of this entry »

Safetrac recording conversations of employees shows how privacy and surveillance laws are misunderstood. There is more to this story than meets the eye.

August 25, 2025

The fact that there is effective surveillance technology in the market does not mean it should be used. Pegasus spyware can be remotely and covertly installed on mobile phones running iOS and Android. It is marketed as being used for fighting crime and terrorism. And it could even be sold as a supervision tool by companies. But because the way it operates is via secrecy and is effectively a form of spying, it has not been used by businesses but rather is used by autocratic governments to spy on journalists and dissidents. There is other software which is less pernicious than Pegasus but can spy on individuals through the use of their computers. That intrudes into people’s privacy. And enter Safetrac which, according to the AFR’s quite brilliant article titled Company turned laptops into covert recording devices to monitor WFH, has used software to eavesdrop on staff, for up to 10 hours a day, and video them as well. Safetrac claims to have provided notice and got consent. The notice is 4 sentences in a policy and some commentary during a “Town Hall.” That is inadequate. The fact that the surveillance picked up non-work-related sounds, such as private conversations, and sounds out of hours will also make its actions privacy intrusive. This story is not over. The Privacy Commissioner has jurisdiction to consider whether there has been a breach of an Australian Privacy Principle of the Privacy Act 1988. If the recordings took place after 10 June 2025 then those affected may have a cause of action for the statutory tort of serious invasion of privacy. Even if not, there are options in equity.

The article provides:

One of the country’s top compliance training companies recorded the conversations of its employees by turning their laptops into covert listening devices while they were at home, in a case that tests the boundaries of workers’ privacy.

Victorian police are investigating claims that Safetrac breached the state surveillance laws after chief executive Deborah Coram admitted in legal documents that her company recorded the audio and screens of select members of its staff, who work from home.

The recordings, which were done over two months, used the laptop’s microphone to capture audio by default. They picked up not only audio from remote Teams meetings but also any sound close to the laptop.

Safetrac says the screen and audio surveillance were necessary to manage underperformers in the business. The company says employees consented to being recorded when they signed their contract and accepted its surveillance policy.

That policy, which consisted of just four sentences when the software was installed, said audio could be recorded during the course of employment.

Several current and former employees have told The Australian Financial Review they did not agree to their laptops’ microphones being secretly switched on for up to 10 hours a day, recording every conversation. This included staff complaining about the CEO during Teams meetings.

They also fear the audio recordings captured not only conversations with colleagues but also discussions with clients that might have involved confidential information, and even family members’ or personal phone calls near the laptop.

Read the rest of this entry »

Google settles YouTube lawsuit which alleged it interfered with children’s privacy by collecting personal information without consent. The sum of the settlement is $30 million

August 24, 2025

There are strong protections for children’s privacy in the USA, notably COPPA. There is also a constant pressure to collect personal information to assist in targeting ads. Google was accused of collecting personal information when children accessed YouTube without parental consent. It is reported by Reuters in Google settles YouTube children’s privacy lawsuit. It is also covered by Malwarebytes with Google settles YouTube lawsuit over kids’ privacy invasion and data collection. While a settlement of $30 million is a large figure in absolute terms it is important to note that Alphabet, Google’s owner, posted a net income of $62.7 billion on $186.7 billion in the first half of 2025.

The Reuters article provides:

Google will pay $30 million to settle a lawsuit claiming it violated the privacy of children using YouTube by collecting their personal information without parental consent, and using it to send targeted ads.

A preliminary settlement of the proposed class action was filed on Monday night in San Jose, California, federal court, and requires approval by U.S. Magistrate Judge Susan van Keulen.

Read the rest of this entry »

Federal Trade Commission writes letter to technology companies warning them against censoring or weakening data security of Americans at request of foreign powers. Meanwhile the UK government says it will not seek back doors for programs

August 22, 2025

The demand by some governments to have a back door to end-to-end encryption is hugely controversial. The National Security Agency in the United States had Yahoo install a backdoor for NSA’s use in 2014/5, although Yahoo says it challenged the NSA about this. In 2015 it built custom software to search clients’ incoming emails. Since 2013 the NSA has been keen to get around or through encrypted messaging. In February this year the UK ordered Apple to let it have access to users’ encrypted accounts. In 2015/2016 Apple was embroiled in a dispute with the FBI. The FBI wanted Apple to unlock phones whose data was cryptographically protected. Apple refused and objected to at least 11 orders issued by the US District Courts.

The issue is that the US government is concerned that overseas governments are attempting to weaken the level of encryption and data security. This directive, for want of a better word, poses real challenges for companies operating in other jurisdictions, like Australia. But the US policy has had an impact, with the UK agreeing to drop its plan for an encryption backdoor mandate for Apple.

The chairman of the Federal Trade Commission (“FTC”) has written letters to the largest and most well known cloud computing, data security, social media, computer and other technology companies warning them not to censor themselves or weaken data security of Americans if asked by foreign governments. The rationale is set out in its media release titled FTC Chairman Ferguson Warns Companies Against Censoring or Weakening the Data Security of Americans at the Behest of Foreign Powers.

The media release provides:

Federal Trade Commission Chairman Andrew N. Ferguson sent letters today to more than a dozen prominent technology companies reminding them of their obligations to protect the privacy and data security of American consumers despite pressure from foreign governments to weaken such protections. He also warned them that censoring Americans at the behest of foreign powers might violate the law.

The letters were sent to companies that provide cloud computing, data security, social media, messaging apps and other services and include: Akamai, Alphabet, Amazon, Apple, Cloudflare, Discord, GoDaddy, Meta, Microsoft, Signal, Snap, Slack and X.

The letters noted that companies might feel pressured to censor and weaken data security protections for Americans in response to the laws, demands, or expected demands of foreign powers. These laws include the European Union’s Digital Services Act and the United Kingdom’s Online Safety Act, which incentivize tech companies to censor worldwide speech, and the UK’s Investigatory Powers Act, which can require companies to weaken their encryption measures to enable UK law enforcement to access data stored by users.

“I am concerned that these actions by foreign powers to impose censorship and weaken end-to-end encryption will erode Americans’ freedoms and subject them to myriad harms, such as surveillance by foreign governments and an increased risk of identity theft and fraud,” Chairman Ferguson wrote.

The letter noted that as companies consider how to comply with foreign laws and demands, they are still required to comply with the FTC Act’s prohibition against unfair and deceptive practices in the marketplace. For example, if a company promises consumers that it encrypts or secures online communications but then adopts weaker security in response to demands from a foreign government, such an action could be considered a deceptive practice under the FTC Act, the letter noted.

The FTC has brought dozens of cases over the past two decades against companies that have failed to keep their promises to consumers to deploy reasonable safeguards to protect consumer data. 

The model letter sent to the companies provides, without footnotes:

Read the rest of this entry »

The Game Meats Company of Australia Pty Ltd v Farm Transparency International Ltd [2025] FCAFC 104 (13 August 2025); constructive trust imposed over copyright of video images taken by trespasser. Gummow and Hayne vindicated

The Full Bench of the Federal Court in The Game Meats Company of Australia Pty Ltd v Farm Transparency International Ltd [2025] FCAFC 104 upheld an appeal of the decision of Snaden J in The Game Meats Company of Australia v Farm Transparency International Ltd [2024] FCA 1455 where his Honour held that video images taken by trespassers were not held on trust for the owner of the property. The balance of the primary judge’s decision was unaffected by the appeal. It is a very significant decision and important for intellectual property and privacy practitioners.

FACTS

The appellant (GMC):

  • operates a halal abattoir in Eurobin, Victoria, which slaughters and processes goats for export under a licence [3].
  • operates from private premises (the Eurobin Premises) which:
    • was secured by means of a six-foot cyclone metal chain and barbed wire fence located around its perimeter.
    • was accessible by an electronically-controlled iron gate, which is typically kept closed.
    • had signs displayed outside of the gate, which relevantly stated “Restricted Area. Do Not Enter, Authorised Personnel Only”, and “Stop. All Visitors Must Report to the Office” [3].

The respondent (FTI) is an animal protection advocacy operation which aims, among other things, to educate members of the public about matters concerning animal exploitation and suffering at farms, slaughterhouses and other commercial businesses [4].

On seven occasions between 9 January and 13 April 2024, FTI’s employees or agents:

  • gained access to the Eurobin Premises for the purposes of installing and later retrieving covert video recording equipment.
  • entered the Eurobin Premises at night by crawling under a section of the perimeter fence without the knowledge or authority of GMC.
  • were trespassing as agents of FTI and with its authority [5]

The equipment that FTI installed was used to obtain footage of activity within the Eurobin Premises. From that footage, FTI created a video of 13 minutes and 57 seconds in duration (the 14-minute Footage) [5].

On 3 May 2024, an employee of FTI sent the 14-minute Footage by way of complaint to the Department of Agriculture, Fisheries and Forestry (the Department) [6].

On 5 May 2024, an officer of the Department sent a copy of FTI’s complaint to GMC [6].

On 13 or 14 May 2024, FTI sent the 14-minute Footage to a local television news network (Channel Seven), which ran a story about the matters depicted in it on 17 May 2024, although it did not publish the footage itself [6].

On 17 May 2024, FTI uploaded the 14-minute Footage on its website, together with a media release and a number of still images obtained from the 14-minute Footage [6].

On 17 May 2024 GMC commenced the present proceedings [6].

An expedited final hearing was conducted on 5–9 August and 3 September 2024 and the Primary Judgment was delivered on 19 December 2024 [7].

The primary judge:

  • awarded GMC damages in the sum of $130,000, comprising:
    • general damages of $30,000 and
    • exemplary damages of $100,000.
  • held that GMC:
    • was not entitled to an injunction to restrain FTI from publishing any of the video footage that it obtained at the Eurobin Premises,
    • was not entitled to the benefit of a constructive trust over the copyright in the 14-minute Footage [7].
  • found that by sending the 14-minute Footage to Channel Seven and publishing it on the FTI website:
    • FTI sought to subject GMC to a measure of publicity that could only ever have been harmful to GMC,
    • those publications were made in pursuance of FTI’s objective to end all forms of business that involved causing harm to animals:
  • held that the making of those publications was actuated by a desire to harm GMC’s business
  • found that FTI’s purpose in seeking to publish the 14-minute Footage was to visit loss upon GMC and harm it commercially,
  • described FTI’s intention as being to subject GMC to a “public shaming campaign”:
  • found that it was more likely than not that, if it was able to publish the footage that it has obtained, FTI would use (or seek to use) the ensuing publicity to further its objectives, both in terms of its advocacy of “meat-free living” and its ongoing efforts to raise funds in support of its activities [8]
  • refused to find that FTI held the video footage on constructive trust for GMC.

The issue of constructive trust was the core of the appeal by GMC.

DECISION

The Full Bench upheld the appeal.

Justices Burley and Horan concurred with Jackman J’s reasons.  

Jackman J reviewed the High Court decision of Australian Broadcasting Corporation v Lenah Game Meats Pty Ltd [2001] HCA 63; (2001) 208 CLR 199 (ABC v Lenah), specifically the judgments of Hayne and Gummow which stated:

  • that where a cinematograph film is made in circumstances involving the invasion of the legal or equitable rights of the plaintiff or a breach of the obligations of the maker to the plaintiff it may then be inequitable and against good conscience for the maker to assert ownership of the copyright against the plaintiff and to broadcast the film.
  • in those circumstances:
    • the maker may be regarded as a constructive trustee of an item of personal (albeit intangible) property, namely the copyright conferred by s 98 of the Copyright Act 1968 (Cth) (the Copyright Act). 
    • the plaintiff may obtain:
      • a declaration as to the subsistence of the trust and
      • a mandatory order requiring an assignment by the defendant of the legal (ie statutory) title to the intellectual property rights in question, noting that s 196(3) of the Copyright Act provides that an assignment of copyright does not have effect unless it is in writing signed by or on behalf of the assignor [9].
  • there is no objection in legal principle to the imposition of a constructive trust over the relevant copyright which was created by means of unlawful conduct if the circumstances show that it is inequitable and against good conscience for the maker of the film to assert the copyright conferred by statute [10]. Jackman J noted that the passage was referred to with apparent approval by Kiefel CJ, Bell and Keane JJ in Smethurst v Commissioner of the Australian Federal Police [2020] HCA 14; (2020) 272 CLR 177 (Smethurst) at [84] [10]
  • there are authorities which discussed when copyright, although belonging to an author at law, was held on trust for another person, such as where it would be inequitable for the maker to claim copyright over the intellectual property. Those cases involve pre-existing relationships between the parties, such as works created by a partnership, a director or employee of a company, or copyright works brought into existence or at the request of or on the instructions of an intended owner who has paid for the making of the work.
  • even when there is no pre-existing relationship it is possible a constructive trust may arise. The remedy was not imposed in that case as no claim was made by Lenah as to copyright over the cinematograph film (at [103]) [11]
  • unconscionable behaviour does not operate wholly at large as has been stated by the High Court in:
    • Garcia v National Australia Bank Limited [1998] HCA 48; (1998) 194 CLR 395 at [34], where Gaudron, McHugh, Gummow and Hayne JJ said that the statement that enforcement of the transaction would be “unconscionable” is to characterise the result rather than to identify the reasoning that leads to the application of that description.
    • Australian Competition and Consumer Commission v CG Berbatis Holdings Pty Ltd [2003] HCA 18; (2003) 214 CLR 51 at [43], where Gummow and Hayne JJ acknowledged that the uses of the terms “unconscionable” and “unconscientious” in diverse areas may have masked rather than illuminated the underlying principles at stake [16]

Read the rest of this entry »