Chapter 26 of the Privacy Act Review Report, A direct right of action. A reasonable proposal compromised by a dreadful gateway model.

September 4, 2023

The Privacy Act Review Report recommends, at Chapter 26, that individuals or representative groups have a right to a direct action under the Privacy Act. It is a good idea with terrible design flaws. It is an improvement on the current legislation but could be much better.

The Report, with some understatement, noted that the avenues available to individuals to litigate a claim for breach of their privacy under the Act are limited.

Currently, individuals may:

  • make a complaint to the Commissioner about an alleged interference with their privacy. If the Commissioner chooses to investigate, it may result in a determination which can be enforced in the Federal Court and the Federal Circuit Court. It generally takes around 2 years to go from complaint to determination.
  • apply to the Federal Court or the Federal Circuit Court for injunctive relief for contraventions of the Act.
  • apply for a compensation order after the Federal Court or Federal Circuit Court has made a civil penalty order, or the entity has been found guilty of an offence relating to the credit provisions. The Commissioner has not completed a single civil penalty proceeding in the almost 10 years the provision has been in place.

A majority of the submissions supported introducing a direct right of action, as it would provide consumers with greater control over their personal information while also creating additional incentives for APP entities to comply with their obligations under the Act. The opponents of a direct right are the usual suspects: digital platforms, telecommunications companies, media organisations, technology industry groups, industry bodies and medical indemnity insurers. The arguments against are familiar: a direct right of action would burden the courts, adversely impact business, and the current system works just fine. Old and stale arguments, driven by self-interest rather than rational policy.

The rationale for the direct right of action Read the rest of this entry »

Chapter 12 of the Attorney-General’s Report on the Privacy Act Review. Fair and reasonable test for the collection, use and disclosure of personal information. A positive proposal worth supporting

Chapter 12 of the Privacy Act Review Report is significant and its recommendations, if accepted, will improve accountability in the collection and use of personal information. Compliance will certainly involve more than ticking boxes and relying on voluminous privacy statements which aim to satisfy the APPs but do not properly address why it is necessary to collect the troves of data many entities currently do.

The chapter focuses on personal information handling practices. Consistent with complaints made by privacy practitioners for years, submissions to the review, including from the ACCC, complained about practices which do not meet community expectations. Submissions recommending improvements to the quality of collection notices and consent indicated that reform of privacy policy, collection notice and consent requirements alone would not adequately address emerging privacy risks. They also highlighted the shortcomings of a regulatory approach in which individuals are expected to read and understand voluminous collection notices and privacy policies in order to evaluate current and future privacy risks. They suggested that at present entities have significant discretion in determining whether a collection is reasonably necessary for their functions and activities under APP 3, which can include practices that may not meet consumer expectations.

The Report stated it is not reasonable that individuals should bear primary responsibility for ensuring that they do not experience harm as a result of an entity’s information-handling practices.

The Report noted the role of legitimacy and proportionality in assessing collections of personal information, citing Jurecek v Director, Transport Safety Victoria, where Bell J held that, under the collection limitation principle in the Information Privacy Act 2000 (Vic), determining whether a collection of personal information is ‘reasonably necessary’ should include ‘balancing, in a reasonably proportionate way, the nature and importance of any legitimate purpose and the extent of the interference.’ Jurecek has been cited and applied by the Information Commissioner when interpreting APP 3 of the Act.

The identified weaknesses of the current principles are:

  • they do not require consideration of the impact on individuals or of individuals’ reasonable expectations
  • they regulate the relationship between a chosen objective (purpose of processing) and the type of processing/personal data being processed, without imposing particular restrictions as to the objective (purpose) that may be pursued
  • that under APP 6, ‘there is no requirement for the “primary purpose” to be a purpose that consumers are aware of, or a purpose that is necessary or beneficial to consumers’.
  • that the APPs do not currently require entities to expressly consider whether personal information handling is within the reasonable expectations of an individual, except when using or disclosing for a secondary purpose under APP 6.2.
  • the requirement for a collection to be fair and lawful is limited to the means by which personal information is collected, and has been narrowly interpreted as a collection ‘that does not involve intimidation or deception, and is not unreasonably intrusive.’
  • that individuals can be required to consent to entities’ information-handling practices as a condition of accessing many digital services, including intrusive or harmful practices.

Read the rest of this entry »

Privacy and data commissioners in 11 jurisdictions call out data scraping by social media

August 29, 2023

Data scraping has been a chronic problem for some time, particularly on social media sites, and regulators have not really grappled with it. Advances in programming and technology have made it both a chronic problem and a real harm to the privacy of individuals. The Australian Information Commissioner and the UK Information Commissioner, together with ten other regulators, have issued a joint statement warning about the dangers of data scraping. The joint statement makes the obvious, but often ignored, point that personal information which is publicly accessible remains subject to data protection and privacy legislation, including the Privacy Act in Australia, so scraping it can be a breach of that legislation.

The signatories to the statement are:
  • Office of the Australian Information Commissioner
  • Office of the Privacy Commissioner of Canada
  • Information Commissioner’s Office – United Kingdom
  • Office of the Privacy Commissioner for Personal Data – Hong Kong, China
  • Federal Data Protection and Information Commissioner – Switzerland
  • Datatilsynet – Norway
  • Office of the Privacy Commissioner – New Zealand
  • Superintendencia de Industria y Comercio – Colombia
  • Jersey Office of the Information Commissioner
  • CNDP (Commission Nationale de contrôle de la protection des Données à caractère Personnel) – Morocco
  • AAIP (Agency for Access to Public Information) – Argentina
  • INAI (National Institute for Transparency, Access to Information and Personal Data Protection) – Mexico
The statement itself provides:

Key takeaways

    • Personal information that is publicly accessible is still subject to data protection and privacy laws in most jurisdictions.
    • Social media companies and the operators of websites that host publicly accessible personal data have obligations under data protection and privacy laws to protect personal information on their platforms from unlawful data scraping.
    • Mass data scraping incidents that harvest personal information can constitute reportable data breaches in many jurisdictions.
    • Individuals can also take steps to protect their personal information from data scraping, and social media companies have a role to play in enabling users to engage with their services in a privacy protective manner.
Read the rest of this entry »

Yet another data breach in the UK police forces. This time hackers attack the Met

If it wasn’t for bad luck, the various UK police services would have no luck at all. The Times reports that the Metropolitan Police has suffered a data breach. This time the photos, names and ranks of 47,000 personnel may have been exposed to hackers. The means of entry was a compromised IT system belonging to a contractor engaged to print police warrant cards. The implications of this data breach are particularly serious and multi-pronged. Not only do the hackers have details of police officers and their warrant card numbers, but there is also the potential for creating false warrant cards.

Attackers regularly use third-party contractors as a means of access to the intended target, or simply take the target’s data from the contractor’s systems. Smaller contractors tend to have less effective and less extensive cyber security defences, and large organisations use a lot of contractors. The lesson for the contracting organisation is that data handed to a supplier is still its data: it should be limited to what the supplier’s task actually requires, and the supplier’s security should be assessed before the engagement, not after the breach.

The Times article Read the rest of this entry »

Not wanting to be left out of data breaches Cumbria Police admits to a massive data breach involving the leak of names and salaries of staff online

August 22, 2023

It has been a bad month for the police in the United Kingdom, privacy wise at least. Hard on the heels of the Police Service of Northern Ireland’s significant data breach, Cumbria Police said that on 6 March it found out that information about pay and allowances had been uploaded to its website following a “human error”. The force’s admission comes after an “industrial scale breach of data” in Northern Ireland this week which saw some details of around 10,000 officers and staff published online for a number of hours.

The Norfolk Police data breach involved the personal details of 1,230 victims of abuse being shared accidentally. The breach occurred because of poor data handling, with the data being attached to a response to a Freedom of Information request. This has attracted the early attention of the Information Commissioner’s Office.

Most of the recent data breaches involving the loss of data from various police forces in the United Kingdom have related to human error rather than criminal activity by hackers. In short, poor privacy practices. It highlights the need for proper training and processes. That is particularly the case for police, where the data is almost invariably Read the rest of this entry »

UK Information Commissioner opens consultation on the development of guidance on the use of biometric data

In keeping with the times, and with its usual speed, the UK Information Commissioner has commenced the process of developing guidance on the use of biometric data. The draft guidance is found here.

The guidance details how data protection law applies to the use of biometric data in biometric recognition systems. To that end it is aimed at organisations that use, or are considering using, biometric recognition systems.

Of note in the draft is coverage of:
  • the definition of biometric data and special category biometric data;
  • how biometric data is used in biometric recognition systems; and
  • the legal data protection requirements when using biometric data including when a Data Protection Impact Assessment (DPIA) is required.

Helpfully the guidance Read the rest of this entry »

Woman wins $1.2 billion in revenge porn case

August 16, 2023

In Texas a woman has won an award of $1.2 billion in a judgment where she claimed she had been the victim of revenge porn. The allegation was that her ex-boyfriend posted intimate images of her online to humiliate her. This follows a decision in 2021 in which a judge ordered a former boyfriend to pay $500,000 for posting nude photographs and videos of his girlfriend on a pornography site. In that case the court also ordered the former boyfriend to remove the images and destroy them, failing which he would be found in contempt of court.

The BBC’s coverage provides:

A Texas jury has awarded a woman $1.2bn (£944m) after ruling that she was the victim of revenge porn.

The woman, who was named only by the initials DL in court documents, filed a harassment lawsuit against her former boyfriend in 2022.

Read the rest of this entry »

Two serious data breaches in the UK highlight the serious consequences that come from data breaches

August 14, 2023

It has been a dreadful week for cyber security in the United Kingdom. First, on 8 August the UK Electoral Commission publicly announced that it had detected unauthorised access to its data in October 2022. It determined that the attackers had first gained access in August 2021. The attackers obtained access to its electoral registers, holding the information of voters registered between 2014 and 2022. That has prompted an investigation by the Information Commissioner. Given the Read the rest of this entry »

Australian Community Attitudes to Privacy Survey released and results are consistent with overseas findings: privacy is seen as important, there is unease about how personal information is collected and used, there is distrust of government and business in their attitude to privacy, and data breaches are a major concern. These are hardly new findings. It is just that not much is done to fix the problems

August 13, 2023

The Office of the Australian Information Commissioner has released the Australian Community Attitudes to Privacy Survey (ACAPS) 2023, which provides a comprehensive view of Australians’ privacy attitudes and experiences and how recent events have impacted them. The survey finds that Australians care about their privacy, feel they have little control over it and are concerned about how their information is handled. They want more to be done to protect their privacy. These findings reinforce the findings of previous surveys in Australia. They are also consistent with the Pew Research Center’s 2019 survey of Americans, Americans and Privacy: Concerned, Confused and Feeling Lack of Control Over Their Personal Information.

The problem has never been discerning Australians’ attitude to privacy. Repeated surveys show they value it and want it protected. The problems are well known as well: ineffective legislation and timid enforcement of what there is, chronic under-investment in cyber security and privacy training, and the lack of any right to take action for breaches. Report after report into privacy legislation has made this clear. What has been lacking is the will. Governments of both persuasions have alternated between hostility and tentativeness towards privacy reform. The result has been minimum protection.

The Government is considering the Privacy Act Review Report prepared by the Attorney-General’s Department. The recommendations do not go far enough in legislating best practice privacy protections, but if the Government accepted all of them the legislative structure would provide robust protections. Then it is a question of properly funding the regulator and staffing it with people who will be much more assertive in taking action against breaches. Even with the greater powers provided in 2014, the Commissioner’s Office has been a timid regulator and a poor litigator in the Federal Court.

The media release sets out a reasonable summary of the findings.  It provides:

There has been a sharp increase in the number of Australians who feel data breaches are the biggest privacy risk they face today, according to a major survey released today by the Office of the Australian Information Commissioner (OAIC).

The Australian Community Attitudes to Privacy Survey (ACAPS) 2023 provides a comprehensive view of Australians’ privacy attitudes and experiences and how recent events have impacted them.

The survey tested attitudes on topics such as data practices, privacy legislation, data breaches, biometrics, artificial intelligence and children’s privacy.

“Our survey shows privacy is a significant concern for Australians, especially in areas that have seen recent developments like artificial intelligence and biometrics,” said Australian Information Commissioner and Privacy Commissioner Angelene Falk. Read the rest of this entry »

Meta companies ordered to pay $20 million for misleading consumers on the use of the personal information (and other data). Australian Competition and Consumer Commission v Meta Platforms Inc [2023] FCA 842

July 27, 2023

It seems now that the Australian Competition and Consumer Commission (ACCC) has taken a real interest, and the lead, in responding to egregious data collection practices. Its Digital Platforms Inquiry has been influential, it has made submissions to the review of the Privacy Act, and now it has successfully brought a claim in Australian Competition and Consumer Commission v Meta Platforms Inc [2023] FCA 842. Meta subsidiaries were found to have engaged in conduct liable to mislead consumers about the use of their data. At paragraph 2 his Honour summarised the issue thus:

Onavo and Facebook Israel admit contraventions of ss 18 and 33 of the Australian Consumer Law, contained in Schedule 2 of the Competition and Consumer Act 2010 (Cth) (CCA). The contraventions occurred during the period from 1 February 2016 to 31 October 2017 (Available Period), when Onavo and Facebook Israel advertised and promoted Onavo Protect on the Play Store and App Store in Australia (in the form set out in Schedule A to the orders) (the Listings), without making disclosures to Australian consumers that were sufficiently prominent and proximate to those Listings that data collected from users of Onavo Protect would be used for purposes other than providing Onavo Protect. While Onavo Protect was advertised and promoted as protecting users’ personal information and keeping their data safe, in fact, Facebook Israel and Onavo used the app to collect an extensive variety of data about users’ mobile device usage. An anonymised and aggregated form of that data was provided to their parent company, Meta Platforms Inc (Meta), and used by Meta for a range of commercial purposes.

The ACCC media release, $20m penalty for Meta companies for conduct liable to mislead consumers about use of their data, provides:

The Federal Court has ordered two subsidiaries of social media giant Meta, Facebook Israel and Onavo Inc, to each pay $10 million for engaging in conduct liable to mislead in breach of the Australian Consumer Law, in an action brought by the ACCC.

The Court declared that the two companies engaged in conduct liable to mislead the public in promotions for the Onavo Protect app, by failing to adequately disclose that users’ data would be used for purposes other than providing Onavo Protect, including Meta’s commercial purposes. Read the rest of this entry »