Australian Information Commissioner and Marriott International enter into enforceable undertaking on 4 February 2023

March 10, 2023

Marriott entered into an enforceable undertaking with the Australian Privacy Commissioner over a data breach arising out of breaches between 2015 and 2018. I have posted on those breaches and the regulatory action taken by the UK Information Commissioner here, here, here and here. Worldwide the breaches affected the personal information of 339 million individuals. In Australia the records of 2.2 million were compromised. The Marriott breach highlighted poor data security practices, with the breach occurring over a 3 year period, and the challenges of legacy IT issues. All too often IT systems are cobbled together and not properly maintained.

The enforceable undertaking operates for 5 years. Compared to agreements between the Federal Trade Commission and organisations in the United States for similar transgressions, that is a short time frame. It is not uncommon for the FTC to enter into 20 year agreements. This enforceable undertaking is more robust than the previous few enforceable undertakings the Commissioner has entered into; however, it is not as stringent as those imposed in the United States, where such agreements usually incorporate a very significant fine. Given the legislation in Australia that was not possible.

Some of the relevant matters of note from the enforceable undertaking:

High Court revokes Facebook’s special leave on the day of hearing. Information Commissioner’s civil penalty proceeding will now proceed beyond the service stage, almost 3 years after the originating application was filed

March 7, 2023

The High Court today revoked Facebook’s special leave to appeal. The transcript is not available yet and reasons have not been published, but the key argument for this volte-face was a change to the Federal Court Rules on overseas service.

The Information Commissioner released a media release providing:

The Office of the Australian Information Commissioner (OAIC) today welcomed the Full Court of the High Court of Australia’s decision to revoke Facebook Inc’s special leave to appeal to the High Court.

The High Court granted the Commissioner’s application to revoke special leave due to a change in the Federal Court Rules in relation to overseas service.

This clears the way for proceedings to return to the Federal Court. The substantive proceeding seeking civil penalties against Facebook Ireland and Facebook Inc over the Cambridge Analytica matter will now progress.

“Today’s decision is an important step in ensuring that global digital platforms can be held to account when handling the personal information of Australians,” Australian Information Commissioner and Privacy Commissioner Angelene Falk said.

“Entities operating in Australia are accountable for breaches of Australian privacy law, and must ensure that their operations in Australia comply with that law,” Commissioner Falk said.

Background

On 9 March 2020, the Commissioner lodged proceedings against US-based Facebook Inc and Facebook Ireland (collectively, Facebook) in the Federal Court, alleging the social media platform had committed serious and/or repeated interferences with privacy in contravention of Australian privacy law.

The Commissioner alleges that from 12 March 2014 to 1 May 2015:

The National Institute of Standards and Technology releases Cybersecurity of Genomic Data

March 6, 2023

The National Institute of Standards and Technology (“NIST”) has released its initial draft of Cybersecurity of Genomic Data.

The media release provides:

Genomic data has enabled the rapid growth of the U.S. bioeconomy and is valuable to the individual, industry, and government due to intrinsic properties that, in combination, make it different from other types of high-value data which possess only a subset of these properties. The characteristics of genomic data compared to other high-value datasets raise some correspondingly unique cybersecurity and privacy challenges that are inadequately addressed with current policies, guidance, and technical controls.

This report describes current practices in risk management, cybersecurity, and privacy management for protecting genomic data, as well as the associated challenges and concerns. It identifies gaps in protection practices across the genomic data lifecycle and proposes solutions to address real-life use cases occurring at various stages of the genomic data lifecycle. This report also is intended to provide areas for regulatory/policy enactment or further research.

Genomic data has multiple intrinsic properties that in combination make it different from other types of high-value data which possess only a subset of these properties. The characteristics of genomic data compared to other high-value datasets raise unique cybersecurity and privacy challenges.

The NIST report proposes a set of solution ideas that address real-life use cases occurring at various stages of the genomic data lifecycle, along with candidate mitigation strategies and the expected benefits of the solutions. Additionally, areas needing regulatory/policy enactment or further research are highlighted.

Cyber attacks targeted at genomic data include attacks against:

  • the confidentiality of the data,
  • the integrity of the data, and
  • the availability of the data.

The consequences of each kind of attack differ:

  • attacks on the confidentiality of the data can threaten the economy through theft of the intellectual property owned by the biotechnology industry,
  • attacks on the integrity of the data can disrupt:
    • biopharmaceutical output,
    • agricultural food production,
    • bio-manufacturing activity.
  • attacks on the availability of the data include:
    • encrypting for ransom,
    • deletion of data, and
    • disabling critical automated equipment used in:
      • research,
      • development, and
      • manufacturing.
  • the potential harms of cyber attacks on genomic data threaten national security, including enabling the development of biological weapons and the surveillance, oppression, and extortion of our citizens, military, and intelligence personnel based on their genomic data.
  • cyber attacks on genomic data can also harm individuals by enabling blackmail, discrimination based on disease risk, and privacy loss from the revealing of hidden consanguinity or phenotypes including health, emotional stability, mental capacity, appearance, and physical abilities.


Facebook v Australian Information Commissioner; hearing in the High Court tomorrow 7 March 2023

The Australian Information Commissioner chose a tough nut to crack when it used, for the first time, its civil penalty powers against Facebook arising out of the use of personal information by Cambridge Analytica. The Information Commissioner was late in bringing enforcement action against Facebook. Facebook disclosed personal information to Cambridge Analytica between March 2014 and May 2015. The Commissioner opened an investigation in April 2018 and commenced proceedings on 9 March 2020. By then the FTC had, on 24 July 2019, imposed a $5 billion penalty on Facebook, while the UK Information Commissioner had imposed a £500,000 fine on Facebook on 30 October 2019.

On 9 April 2020 the Information Commissioner sought, under rule 10.43(2), leave to serve documents on Facebook, Inc. and Facebook Ireland in accordance with art 5 of the Hague Convention by substituted service. On 22 April 2020 His Honour Justice Thawley made orders that the Commissioner be granted leave to serve the documents in the United States of America. On 6 May 2020 Facebook Inc, by interlocutory application, sought to set aside those orders. Thawley J dismissed the application on 14 September 2020 and Facebook appealed that decision on 28 September 2020 to the Full Court of the Federal Court.

The Full Court dismissed the appeal on 7 February 2022. On 16 September 2022 the High Court granted Facebook special leave to appeal. It has been a long road, almost 3 years since the proceeding was commenced, and the case has barely begun.

The issues before the High Court are whether, under rule 10.43 of the Federal Court Rules 2011, the Information Commissioner succeeded in establishing a prima facie case on the application to serve the appellant out of the jurisdiction, whether Facebook “carr[ied] on business in Australia” within the meaning of s 5B(3)(b) of the Privacy Act, and whether it “collected… personal information in Australia” within the meaning of s 5B(3)(c) of the Privacy Act.

The Appellants and First Respondent filed detailed and densely argued submissions which will not be recited at length here. It is, however, worth noting a number of points raised.

Facebook submits that:

  • the issues are:

(a) Can a foreign corporation “carry on business” in Australia (within the meaning of s 5B(3)(b) of the Privacy Act 1988 (Cth) (the Act)) if it has no commercial activities or other recognised indicia of carrying on business in this country? The Appellant contends that the answer is “no”.
(b) Does the requirement of a “prima facie case” in r 10.43(4)(c) of the Federal Court Rules 2011 (Cth) (Rules) require evidence that could itself

Information Commissioner releases the Notifiable Data Breach report covering the second half of 2022. A 26% increase, no small thanks to Optus and Medibank. It is still an under-report of the real rate of data breaches

March 1, 2023

Today the Information Commissioner released the latest Notifiable Data Breach report.

It makes for grim reading. The key findings are:

  • 497 breaches were notified compared with 393 in January to June 2022 – a 26% increase.
  • There was a 41% increase in data breaches resulting from malicious or criminal attacks. Malicious or criminal attacks accounted for 350 notifications – 70% of all notifications.
  • Human error was the cause of 123 notifications (25% of all notifications), down 5% in number from 129.
  • Health reported the most breaches (71), followed by finance (68). That the health sector provides the greatest number of breaches is no surprise.
  • Contact information remains the most common type of personal information involved in breaches.
  • The majority (88%) of breaches affected 5,000 individuals or fewer.
  • 71% of entities notified the OAIC within 30 days of becoming aware of an incident. This is quite an indictment of compliance: almost 30% of entities did not notify the OAIC within the statutory maximum of 30 days. That bespeaks poor culture.

The Commissioner’s media release provides:

Several large-scale data breaches impacted millions of Australians’ personal information in the second half of 2022, as part of a 26% increase in breaches overall, according to the latest Notifiable data breaches report released today.

Australian Information Commissioner and Privacy Commissioner Angelene Falk said cyber security incidents in particular can have significant impacts on individuals, and organisations need to be alert to the risks.

“We saw a significant increase in data breaches that impacted a larger number of Australians in the second half of 2022,” she said.

“Cyber security incidents continue to have a significant impact on the community and were the cause of the majority of large-scale breaches.”

Thirty-three of the 40 breaches that affected over 5,000 Australians were the result of cyber security incidents.

“Organisations should take appropriate and proactive steps to protect against and respond to a range of cyber threats,” Commissioner Falk said.

“This starts with collecting the minimum amount of personal information required and deleting it when it is no longer needed.”

Commissioner Falk said organisations need to be vigilant as large-scale compromises of personal information may lead to further attacks.

“As personal information becomes increasingly available to malicious actors through breaches, the likelihood of other attacks, such as targeted social engineering, impersonation fraud and scams, can increase.

“Organisations need to be on the front foot and have robust controls, such as fraud detection processes, in place to minimise the risk of further harm to individuals,” she said.

The Office of the Australian Information Commissioner has clear expectations of best practice with regard to data breach preparation and response, to ensure individuals are protected from harm.

“In response to a breach, organisations need to provide information to individuals that is timely and accurate.

“As well as setting out the kinds of information breached, the notification must include recommendations about clear steps people should take in response,” said Commissioner Falk.

The reporting period also saw the enactment of the Privacy Legislation Amendment (Enforcement and Other Measures) Act 2022. Among other things, the Act:

    • provides the Commissioner with new and greater powers to share information with other authorities about data breaches
    • provides the Commissioner with a new power to obtain information and documents relevant to an actual or suspected eligible data breach
    • enables the Commissioner to conduct an assessment of the ability of an entity to comply with the Notifiable Data Breaches scheme, including the extent to which the entity has processes and procedures in place to assess suspected eligible data breaches, and provide notice to the Commissioner and individuals at risk from such breaches
    • significantly increases penalties for serious or repeated privacy breaches, which includes non-compliance with the Notifiable Data Breaches scheme.

“While we will continue to work with organisations to facilitate voluntary compliance, we will use these regulatory powers where required to ensure compliance with the Notifiable Data Breaches scheme,” said Commissioner Falk.

“We also welcome the further proposals to strengthen the Notifiable Data Breaches scheme in the Attorney-General’s Department’s Privacy Act review report.”

The Report provides:

Notifications received July to December 2022 – All sectors

The OAIC received 497 notifications this reporting period – a 26% increase compared with January to June 2022.

YouTube accused of collecting data of children in the UK

The BBC, in YouTube accused of collecting UK children’s data, reports that YouTube has been accused of collecting the data of children aged under 13. This is while the UK Information Commissioner’s Office has developed a Children’s Code for online services used by children.

The BBC article provides:


Health data “most vulnerable” to attack

For more than a decade I have been writing about the propensity for health data to be the subject of data breaches. It has been a long-standing problem which predates the digital age. Health services and their practitioners have been notoriously prone to data breaches.

The Australian, in Health data ‘most vulnerable’ to hack attack, rehashes the obvious in breathless terms, as if it were a major discovery. It is not. Data Breach in Healthcare Most Hit by Ransomware Last Year, FBI Finds reports that the FBI listed health care facilities as the most attacked sector of critical infrastructure.

Health organisations have many and

Commonwealth to establish an agency to fight cyber attacks; a cyber security office and national co-ordinator

February 27, 2023

When confronted with a difficult issue, either establish an inquiry or create a governmental office. The Government, confronting the reality of significant data breaches, has opted for the bureaucratic option: establish a cyber tsar. And, of course, a discussion paper.

The rationale is set out in an interview with Clare O’Neil, the Minister for Home Affairs, on AM this morning. It provides:

SPEAKER: First this half hour: months after millions of people had their personal data hacked during the Optus and Medibank cyber-attacks, the Federal Government is setting up a new agency to tackle the problem. There will be a new senior official called a Coordinator for Cyber Security, who will lead a National Office for Cyber Security, and that’s within the Federal Government’s Department of Home Affairs, and along with a round table of business, security and tech leaders the Prime Minister is releasing a discussion paper about a new cyber security strategy.

The Home Affairs Minister is Clare O’Neil. She’s spoken with the ABC this morning, saying the Government’s taking an important step forward.

CLARE O’NEIL: We arrived in Government confronting a real mess with cyber security, so what we saw was different parts of Government and the private sector doing important things, but kind of all rowing in different directions, and what was clearly needed here was political leadership, and we’ve got that from the personal investment of the PM, and he today has decided to appoint a coordinator to ensure that there is spine and strategy for the work being done throughout Government, and also an office within my department that will support the coordination work.

SABRA LANE: So practically what will that person do, and when will this office be in place? 

CLARE O’NEIL: So two really important tasks for this person. The first will be, as I said, to try to provide some strategy and structure and spine to the work being done across Government. So it will mean things like making sure that the billions of dollars that we are investing in cyber security each year are being spent in a way that’s strategic and appropriate, that we’ve got different parts of Government communicating with each other and working together on helping with cyber security protections across the country.

Minister for Home Affairs releases rules and Strategy for critical infrastructure assets

February 21, 2023

Australia has had legislative prescriptions relating to security and reporting obligations in particular defined critical infrastructure industries for some time. Australia has adopted a legislative structure similar to that adopted in other jurisdictions such as the United States. The legislation is quite detailed, almost a code. There is a need for this form of regulation. Critical infrastructure is invariably networked and vulnerable to attack. That vulnerability is caused by the development of systems servicing infrastructure over a long period when cyber security was unsophisticated. Mergers and changes of strategy over the years often lead to information systems which were cobbled together with many weaknesses. Many organisations put little effort and money into upgrading cyber security until relatively recently.

It is important for privacy practitioners to be familiar with this legislation.

Today the Minister for Home Affairs, Clare O’Neil, released the Risk Management Program rules and the Critical Infrastructure Strategy.

The media release provides:

Australia’s critical infrastructure assets will be better protected following commencement of the Risk Management Program (RMP) obligation – a set of rules designed to strengthen the resilience of critical infrastructure and essential services vital to the security, prosperity and sovereignty of Australia.

Minister for Home Affairs and Minister for Cyber Security Clare O’Neil said critical infrastructure assets are vulnerable to natural disasters and attractive targets for foreign interference, cyber criminals and other malicious actors who seek to do Australia harm.

Federal Attorney General’s Department completes its review of the Privacy Act and recommends 116 changes. Onto the next step

February 17, 2023

It has taken almost 4 years for the Attorney-General’s Department to complete its review of the Privacy Act, but it has done it. That report was published yesterday. That review comes on top of Australian Law Reform Commission reports in both 2008 and 2014 dealing with identical issues. It has not been a stellar moment for public policy reform.

The report can be found here. The Report is open for submissions until 31 March 2023. The usual process is then for the Government to provide its response. At some point there will be a draft proposed Bill, probably before the Parliament rises for the winter recess. If the Government is intent on pushing the reforms through promptly, a Bill will be introduced in the Spring session and referred off to committees. It will then be debated and voted upon later in the year with a view to being passed before the end of 2023 and taking effect in 2024. Given the Government is on a 3 year cycle and the next House of Representatives election must be held by 27 September 2025, it is unlikely that the process will be lengthy.

There are 116 recommendations. Some of the most important are:

  • proposal 4 recommends that the definition of personal information be amended to change the word “about” to “relates to”. This change would allow the definition to capture a broader range of information. The change would also bring the definition in line with other Commonwealth legislation that uses ‘relating to’ when regulating information on privacy (for example, the Competition and Consumer Act 2010 (Cth) and the Telecommunications (Interception and Access) Act 1979 (Cth)) and bring the Privacy Act definition in line with the language used in the GDPR definition of ‘personal data’. The Report also proposes that any inferred or generated information will be deemed to have been ‘collected’ within the meaning of the Privacy Act. This will have important consequences for the AI industry.
  • proposal 12 recommends a requirement for entities to act fairly and reasonably when collecting, using and disclosing personal information, which will be an objective test. It will apply regardless of any consent.
  • proposal 11 amends the definition of consent to make it clear that consent must be voluntary, informed, current, specific and unambiguous.
  • proposal 26 recommends a direct right of action for those who have suffered loss or damage as a result of an interference with their privacy. The claim can be made individually or as a representative action in the Federal Court or the Federal Circuit Court. Individuals will have to make a complaint to the OAIC prior to commencing court action.
  • under proposals 4.5 – 4.8 there will be additional obligations to de-identify information. Those amendments would extend APP 11.1 and APP 8 to apply to de-identified datasets. The Report also recommends prohibiting APP entities from re-identifying de-identified information received from a third party and introducing a new criminal offence for “malicious” re-identification intended to harm or cause illegitimate benefit.
  • under proposal 28 there will be stricter time frames for Notifiable Data Breaches. The Report recommends falling into line with the GDPR time frame of 72 hours from when the entity becomes aware that there are reasonable grounds to believe that there has been an eligible data breach. The Report also recommends requiring more detailed statements of what steps the entity has taken or intends to take in response to the breach.
  • proposal 7 imposes additional obligations when handling employee records. Some businesses may give a sigh of relief that the employee records exemption is to be retained, but on a more nuanced basis: certain Privacy Act obligations will be extended to private sector employees, in particular obligations relating to transparency of collection and use of employee information, protection against unauthorised access or interference, and eligible data breach reporting. The Report flags that further consultation is required to determine how this should be implemented in legislation and hints that it could use either the architecture of the Fair Work Act or the Privacy Act. The nature of Australia’s current employee records exemption is speculated to be a major barrier to achieving GDPR adequacy status, so it may surprise some to see that the exemption will be mostly retained.
  • under proposal 22 there will be processors and controllers. That is consistent with other jurisdictions. Under this proposal, where processors are acting on the instructions of a controller, they will have fewer compliance obligations under the Privacy Act. Processors would only be responsible for complying with APP 1, APP 11 and the notifiable data breach scheme.
  • proposal 13 will require entities to conduct Privacy Impact Assessments for any ‘high privacy risk activity’. Such activities are those ‘likely to have a significant impact on the privacy of individuals’.
  • under proposal 19 there will be regulation of the use of personal information in automated decision making. The Report proposes more transparency around personal information used in “substantially” automated decisions which have a legal or similarly significant effect on an individual’s rights.
  • proposal 20 recommends regulation of targeted advertising. There will be a prohibition on the use of information related to an individual for targeted advertising and content to children, and a prohibition on using sensitive information for targeted advertising and content to any individual. Individuals will have a right to opt out of receiving targeted advertising and content, and any permitted targeting must be ‘fair and reasonable’ and come with transparency requirements about the use of algorithms and profiling to recommend content to individuals.
  • under proposals 16 and 17 there will be additional protections for children and vulnerable persons. For children the additional protections include codification of existing OAIC guidance on consent and capacity, requiring entities to make collection notices and privacy policies ‘clear and understandable’, requiring entities to have regard to the best interests of the child in their consideration of the fair and reasonable test, and developing a Children’s Online Privacy Code applicable to services that children are likely to access. For vulnerable people, where an activity may have a significant impact on vulnerable persons, this must be considered in the fair and reasonable test (and a Privacy Impact Assessment must be performed).
  • proposal 27 recommends a statutory tort of privacy for serious invasions of privacy that are intentional or reckless. The invasion of privacy need not cause actual damage, and individuals may claim damages for emotional distress. The Report suggests that the OAIC should be able to appear as amicus curiae and intervene in proceedings with leave of the court for both the direct right of action under the Privacy Act and the tort for invasion of privacy.
  • under proposal 18 there will be a limited right of erasure. It also proposes a right of de-indexation which will allow individuals to require search engines to de-index online search results where the results are excessive in volume, inaccurate, out of date, incomplete, irrelevant or misleading. Search engines will also be required to de-index sensitive information and information about minors. There will be exceptions where there are competing public interests, it is required or authorised by law, it is technically infeasible or it is an abuse of process.
  • proposal 25 recommends giving the OAIC greater enforcement powers and penalties. They include new civil penalties and new powers of investigation, public inquiries and determinations. The threshold for a “serious interference” will be eased, and may include interferences that involve “sensitive information” or other information of a sensitive nature, interferences adversely affecting large groups of individuals, or serious failures to take proper steps to protect personal information.
