• a fine of €1.2 billion;
• an order, under Article 58(2)(d) of the GDPR, to bring its processing operations into compliance with Chapter V of the GDPR, by way of ceasing the unlawful processing, including storage, in the US of personal data of EU/EEA users transferred in violation of the GDPR, within six months following the date of notification of the DPC’s decision to Meta; and
• an order, under Article 58(2)(j) of the GDPR, to suspend future transfers of personal data to the US within the period of five months from the date of notification of the DPC’s decision to Meta.

The press release announcing Read the rest of this entry »

Facebook/Meta continues to find itself in a . The Data Protection Commission (DPC) announced, that it had issued its decision to fine Meta Platforms Ireland Limited €1.2 billion for breach of Article 46(1) of the General Data Protection Regulation (GDPR) relating to its delivery of its Facebook service.

The DPC commenced its inquiry into Meta cin August 2020. In its draft decision it found that:

• Meta’s data transfers to its US counterpart, Meta Platforms, Inc., were in breach of Article 46(1) of the GDPR 
• such transfers should be suspended.
• the transfers were made on the basis of a transfer and processing agreement between Meta and its US counterpart, which incorporated the European Commission’s 2021 Standard Contractual Clauses (SCCs), and included a Transfer Impact Assessment (TIA), noting a record of safeguards Meta and/or its US counterpart had in place to safeguard transfers, among other things.

In its final decision the DPC found Meta in breach of Article 46(1) of the GDPR in relation to its transfer of personal data from the EU/EEA to the US, following the delivery of the Court of Justice of the European Union’s (CJEU) judgment in Schrems II case.

The DPC noted that while the transfers took place on the basis of the updated 2021 SCCs, along with additional supplementary measures implemented by Meta, the arrangements were not sufficient to address the risks to fundamental rights and freedoms of data subjects identified by the CJEU in the Schrems II case.

It found that:

• US law does not provide a level of protection that is essentially equivalent to that provided by EU law;
• neither the 2010 SCCs, nor the 2021 SCCs, could compensate for the inadequate protection provided by US law;
• the measures set out in Meta’s record of safeguards that form part of the TIA did not compensate for the inadequate protection provided by US law; and
• it was not open to Meta to rely on the derogations provided for in Article 49(1) of the GDPR (or any of them) when making the data transfers.

As a consequence of that and on the basis of the EDPB’s decision of April 13, 2023, the DPC made the following orders:

• a fine of €1.2 billion;
• an order, under Article 58(2)(d) of the GDPR, to bring its processing operations into compliance with Chapter V of the GDPR, by way of ceasing the unlawful processing, including storage, in the US of personal data of EU/EEA users transferred in violation of the GDPR, within six months following the date of notification of the DPC’s decision to Meta; and
• an order, under Article 58(2)(j) of the GDPR, to suspend future transfers of personal data to the US within the period of five months from the date of notification of the DPC’s decision to Meta.

The press release announcing Read the rest of this entry »

Justice Keogh in Turner v Bayer Australia Ltd (No 6) [2023] VSC 244 considered the application of the Victorian law and the European Privacy law, the General Data Protection Regulation (GDPR). The issue was whether releasing and reporting on personal information of individuals in documents generated in the EU attract protections that the Court should consider in the context of media reporting of a Victorian proceeding.

FACTS

The  proceeding is a product liability action concerning implanted permanent contraceptive medical devices identified collectively as the Essure device [1].

The trial commenced on 11 April 2023 and is estimated to run for 12 weeks [2].

Media organisations sought access to transcript and some of the documents relied on by the parties at trial.

The second defendant, Bayer Aktiengesellschaft,  is a corporation registered in Germany [4].

Some of the defendant’s discovery was of documents that originated from Germany (‘EU documents’), which some of which contained  personal data of natural persons residing in the European Union (‘EU’), including:

• names,
• job titles,
• signatures,
• business email addresses,
• street addresses and phone numbers, and
• personal email addresses,
• street addresses and phone numbers (‘EU data’) [4].

The defendants opposed the media having general access to transcript and EU documents used at trial because, they argue, the release of EU data would be a breach of the GDPR [4].

The defendants sought orders requiring that media apply to the Court for release of transcript and any EU documents tendered at trial and give details of the context and purpose underpinning their request when applying for access, provide the parties with time to object to media access, and provide the parties further time  to redact personal information from documents to be released [5].

The defendants relied on a report of Professor Dr Gregor Thüsing, a jurist and professor at the University of Bonn in Germany who has has expertise in the European law of data protection and data security [12].

The court summarised Read the rest of this entry »

Te political exemption in the Privacy Act raises public policy questions that the small business operator and employee records do not. It is also an area of law where the common law has developed to protect free speech. The Report undertakes a significant analysis.

The extent of the exemption:

Under the Privacy Act:

• registered political parties are entirely exempt
• under section 7C political representatives (MPs and local government councillors), and their affiliates and the affiliates of registered political parties are exempted from acts and practices done for any purpose in connection with an election, a referendum, or participation in another aspect of the political process.

This means that currently if a registered political party collects, uses or discloses personal information for a purpose unconnected with the political process, it is not required to comply with the Act. Other political entities are only exempt from the Act’s requirements to the extent that they are handling information for purposes connected to the political process under section 7C.

Under this exemption a registered political party can handle personal information other than for a purpose connected to the political process and still be exempted from the Privacy Act provisions. This is an anomaly given the  the rationale for the exemption was to encourage freedom of political communication.  There has been no reported instances of a political party taking advantage of this situation.  That is probably because political parties are focused on collecting information only for political reasons.

Rationale for exemption

The stated rationale for the exemptions was:

• to encourage freedom of political communication and enhance the operation of the electoral and political process in Australia.
• to operate in a manner consistent with the implied freedom of political communication under the Australian Constitution.

While the Australian Law Reform Commission in its Report 108 recognised the special status of political acts and practices under the Constitution as the most compelling reason for exempting political acts and practices of political entities it still concluded that registered political parties should be brought within the scope of the act and the exemption for political entities should be removed to promote public confidence in the political process and remove the advantage which the exemption confers on incumbent political entities.

The Issues Paper sought feedback on whether political acts and practices should continue to be exempted from the operation of some or all of the Australian Privacy Principles.

The Discussion Paper canvassed the approach to regulating political parties under data protection laws in the UK, Canada and New Zealand.

The Report noted that almost all submissions on this exemption considered it was not justifiable and should be narrowed or removed. The OAIC submitted that there was little evidence that data protection laws operating in other countries have had any considerable impact on political parties’ ability to perform their basic democratic roles, including political communication.

The Report proposed amending the definition of ‘organisation’ to include registered political parties, and that they be included within the scope of the exemption in section 7C of the Act.  Accordingly registered political parties would be required to comply with the APPs in the handling of personal information, to the same extent as political representatives (and political affiliates) unless exempted by the operation of the exemption in section 7C.

Regarding transparency the Report:

• confirmed there were concerns about transparency in the handling of voters’ information whereby political parties in collecting personal information about voters from a variety of sources such as media and data brokerage services and the electoral rolls, can build large databases with detailed information about voters without their knowledge or consent. They are not required to inform voters of the ways in which their personal information is collected, or specify how it will be used or disclosed.
• considered that greater transparency in relation to political communication may, be consistent with and support the constitutionally-prescribed system of government but serve to protect it citing LibertyWorks Inc v Commonwealth where the High Court found the purpose of the Foreign Influence Transparency Act 2018 intention of making transparent the involvement of foreign interests in political communication , was consistent with the freedom of political communication and ‘reinforces the freedom despite doing so by burdening some political communication.’
• proposed that the Act be amended to require political entities to be more transparent about how they handle personal information by requiring entities that are covered by the political exemption in section 7C to have a privacy policy in accordance with APP 1.

Read the rest of this entry »

The Australian Communications and Media Authority (“ACMA”) has found that A Current Affair has breached its privacy rules in relation to a report about a neighbourhood dispute on 21 March 2022.

The media release provides:

The Australian Communications and Media Authority (ACMA) has found TCN Channel Nine (Nine) breached privacy rules in a story on A Current Affair that included mobile phone footage of a dispute between neighbours.  

An ACMA investigation found the story breached a participant’s privacy by including his name, part of his residential address and unobscured video footage of his face without his consent.

Under the Commercial Television Industry Code of Practice, broadcasters must not air personal information without consent unless it is in the public interest. 

ACMA Chair Nerida O’Loughlin said broadcasters must respect the privacy of individuals included in news and current affairs reporting.

“Broadcasters may only disclose personal information without consent if it is relevant and proportional to the public interest,” Ms O’Loughlin said.  

“In this case our investigation found it wasn’t in the public interest for Nine to disclose the individual’s name and address because it wasn’t necessary to enable the audience to understand the overall issue.

“Even if material is already available in the public sphere, as some of this footage was, a licensee has an obligation to consider how broadcasting the material may further impact people’s privacy.”

As a result of the ACMA’s investigation the licensee will train staff in the privacy requirements of the code.

FACTS

In July 2022, the Australian Communications and Media Authority (the ACMA) commenced an investigation under the Broadcasting Services Act 1992 (the BSA) into an episode of A Current Affair.

The episode was broadcast Read the rest of this entry »

The small business exemption is a real weakness in the Privacy Act. The exemption applies to businesses with a turnover of $ 3 million or less. It was included in the amendments which brought the private sector under the regulation of the Privacy Act in 2001. The rationale for the exemption was not legal. Far from it. The stated reason was a concern about regulatory burden and cost of compliance. Given other universal regulatory obligations at the time and since, exempting small business operators from keeping records secure and not interfering with customers privacy was poor public policy. It remains so. In 2001 the volume of data held by the typical small business was modest compared with now. As costs of storing data decrease and the speed of processing increases coupled with programs to analyse data small businesses are as enthusiastic in collectng and analysing personal information as their larger counterparts. It is not hard setting up loyalty schemes and email lists. Or just want the information full stop. Real Estate agents are, generally speaking, voracious collectors of data. Of more concern is that many Real Estate agents collect more information than they need to deal with renters and register interest of potential purchasers. They have also been the subject of significant data breaches (see here, here, here, here and here).

It is then more than passing strange that the President of the Real Estate Institute of Australia, Hayden Groves, resists reform to the Privacy Act by removing the small business exemption as reported in Real estate agents push back against Australian privacy law changes designed to protect personal data. The arguments encompass the original justification for the exemption, the cost fo compliance, and then moves onto a claim that other form of regulations make coverage by the Privacy Act unnecessary. No details are provided. Of course. The additional cost complained off is not specified. There has never been Read the rest of this entry »

Apps are notorious for having poor security and privacy controls. The reason is often as simple as the app designers wanting to get an app on the market as quickly as possible s are designed quickly, often in competition with other designers for a similar product. The developers see no point in privacy by design and have scant regard to any privacy laws. That makes them easy target for criminals.

And then there are the apps designed to skim information, as part of a hack or are otherwise used for fraudulent purposes.

It is little wonder then that Apple blocks so many apps as Bleeping Computer writes in Apple blocked 1.7 million apps for privacy, security issues in 2022.

The article Read the rest of this entry »

The National Institute of Science and Technology has produced the updated Advanced Encryption Standard (AES) on 9 May 2023.

At 46 pages it is the usual Read the rest of this entry »

Itgovernance has published the list of reported or otherwise discovered data breaches in April 2023 and found that there were 120 publicly disclosed breaches which resulted in 4,353,257 records being compromised. Fortunately Australian entities did not feature April’s tally. They made up a significant part of the tallies in late 2022 and earlier this year.

Some of the prominent breaches involved:

• Shields Health Care Group suffering a cyber attack involving 2,380,483 records
• NCB Management breach affecting former Bank of America 494,969 credit card holders
• Kodi suffers security breach with user records and private messages stolen involving 400,635

Itgovernance highlight the the following data breaches in April:

1. Shields Health Care Group

The largest data breach of April 2023 was at the Shields Health Care Group, a Massachusetts-based medical services provider. Reports emerged near the end of the month that a cyber criminal had gained unauthorised access to the organisation’s systems and had stolen the personal data of 2.3 million people. Read the rest of this entry »

Facebook has been the subject of action from the Federal Trade Commission (the “FTC”) on two occasions to date. The FTC announced on 3 May that it wants to amend its 2020 order against Facebook because it believes that Facebook has failed to comply with that order. Worse it claims the Facebook has misled parents about their control through its Messenger Kids app and misrepresented how much access it provides app developers to private user data.

The use and misuse of children’s personal information is a very serious and topical issue.  The FTC clearly believes that Facebook is incorrigible in its collection of this data and the use it puts it to.  The orders it seeks are quite severe, including Read the rest of this entry »

Today the Attorney General announced that the Government will create a stand alone position of Privacy Commissioner. The statement provides:

Read the rest of this entry »