July 14, 2022
The Queensland Government has issued a consultation paper on proposed reforms to the privacy and right to information legislation.
The announcement relevantly states:
The Queensland Government is seeking your views about proposed reforms to Queensland’s information privacy and right to information framework.
Queensland’s Information Privacy Act 2009 (IP Act) protects individuals’ privacy by regulating how their personal information is collected and managed by Queensland agencies. The IP Act also provides a right of access to, and amendment of, personal information held by Queensland agencies and ministers.
Queensland’s Right to Information Act 2009 (RTI Act) provides a right of access to information held by Queensland agencies and ministers unless, on balance, it is contrary to the public interest to release the information.
A number of reports have recommended changes to the IP Act and RTI Act. These include the:
Most of the reforms being considered were recommended in these reports.
Reforms being considered include whether:
- Queensland should have a mandatory data breach notification scheme
- Queensland’s 2 sets of privacy principles should be replaced with a single set of principles: the Queensland Privacy Principles.
Focusing only on the privacy reforms, the proposals can best be described as modest. To a large extent they aim to bring the legislation in line with the Commonwealth and other state laws.
The timing of this paper is curious. The consultation specifically notes that the Commonwealth is reviewing its Privacy Act 1988, and the Commonwealth Attorney-General has suggested the amendments will be significant. The net result may be that Queensland amends its legislation to bring it in line with current Commonwealth legislation, which will itself be amended because it is currently inadequate. In effect the Queensland legislation may again be out of sync with the Commonwealth legislation and, more importantly, will be definitively inadequate. It is an unusual way to conduct public policy.
The main proposed reforms
July 13, 2022
The Australian Competition and Consumer Commission (ACCC) issued the Bank of Queensland with a penalty of $133,200 for breaching the Consumer Data Right Rules by failing to have available a service to enable consumers to share their data. The breach was that the BOQ failed to meet its implementation deadline. The ACCC is a practised litigant and active in enforcing the legislation for which it is responsible. So while the breach is real, it is a technical breach rather than one resulting in material prejudice to any one consumer. The fine plus the publicity act as a deterrent against others breaching the Rules.
The statement from the ACCC relevantly
Deakin University was hit with a cyber attack on 10 July affecting 47,000 current and past students. Yesterday it released a statement under the heading “Deakin has been targeted in a cyber attack this week – here’s what happened and what you should do”, which provides:
Deakin University was recently targeted in a data security breach earlier this week. Deakin sincerely apologises to those impacted by this incident and wants to assure the Deakin community that it is conducting a thorough investigation to prevent a similar incident from occurring again.
What happened?
On Sunday 10 July, Deakin University became aware of an incident in which a staff member’s username and password were hacked and used by an unauthorised person to access information held by a third-party provider.
This third party has been engaged by Deakin to forward messages prepared by the University to students via SMS. The information accessed by the unauthorised person was then used to send an SMS, as if from Deakin, to 9,997 Deakin students with the following text:

Anyone who clicked on the link was taken to a form which asked for additional information including credit card details.
In addition to sending the SMS, the unauthorised person downloaded the contact details of 46,980 current and past Deakin students.
In light of the finding in Commissioner initiated investigation into Clearview AI, Inc. (Privacy) [2021] AICmr 54 that Clearview AI breached the Privacy Act 1988 through its use of facial recognition technology, there was always a reasonable chance that the Information Commissioner would respond to the comprehensive complaint made by Choice against Bunnings, Kmart and the Good Guys regarding their use of facial recognition technology.
Today the Commissioner announced that her office had opened an investigation into Bunnings and Kmart.
The statement provides:
The Office of the Australian Information Commissioner (OAIC) has opened investigations into the personal information handling practices of Bunnings Group Limited and Kmart Australia Limited, focusing on the companies’ use of facial recognition technology.
The investigations follow a report from consumer advocacy group CHOICE about the retailers’ use of facial recognition technology.
July 12, 2022
The UK Information Commissioner’s Office has just released a significant and detailed report titled “Behind the screens: ICO calls for review into use of private email and messaging apps within government” on the use of messaging apps and technologies within government and the associated issues of privacy, data security and transparency. The flexibility that comes with using messaging apps has unwelcome consequences when they are used for official business. The lack of a record of important exchanges undermines proper transparency. The use of apps and texts has real security issues. Private exchanges for public business can be problematic.
The media release provides:
The Information Commissioner’s Office (ICO) has today called for a government review into the systemic risks and areas for improvement around the use of private correspondence channels – including private email, WhatsApp and other similar messaging apps.
The Federal Trade Commission has written an article on its website titled “Location, health, and other sensitive information: FTC committed to fully enforcing the law against illegal use and sharing of highly sensitive data” regarding the collection of data from smartphones, apps, connected cars and smart home products and the subsequent misuse of that data by on-selling it to aggregators and data brokers. It clearly highlights how the collection of this data can act as a form of surveillance and, more specifically, can identify places that individuals would not wish to have disclosed to third parties. Aggregators and data brokers are not the chronic problem here that they are in the United States of America; however, that doesn’t mean there isn’t a problem. Organisations and government agencies collect masses of data, it is questionable whether they need that personal information, and the stored information is often not properly protected. There remains a significant problem with the extent to which people consent to the collection of their data. Organisations almost invariably bury consents in the middle of a privacy policy or at the bottom of a page, on paper or online, which is difficult to read, let alone properly understand.
The FTC article should be read by all privacy practitioners. While it references US law, the principles are universal. It is also cheering that the FTC will crack down on these unsavoury practices. Hopefully
July 11, 2022
To pay or not to pay ransomware demands: that is a vexed question for organisations. And what advice should their legal representatives give? As far as the Information Commissioner’s Office (“ICO”) is concerned ransomware demands should be paid. The ICO and the UK National Cyber Security Centre (the “NCSC”) wrote to the UK Law Society as a reminder that lawyers in the UK should not advise
As part of its Shifting Powers series, Lloyd’s has released a timely and very thorough report on cyber security titled “Shifting powers: Physical cyber risk in a changing geopolitical landscape”. The Report sets out scenarios and likely responses which are very helpful and practical (and which are too involved to summarise or analyse in this post).
The press release provides:
In a highly digitised economy, cybersecurity sits at the top of the agenda for businesses, boards, risk managers and governments alike.
In recent years, malware and ransomware attacks have been causing severe disruption for global businesses and their supply chains. In addition to the rise in malware and ransomware attacks, the threat of state-sponsored cyber-attacks has become a significant focus for businesses and governments.
Whilst most cyber-attacks are digital, some result in tangible disruption or damage to the physical environment – these types of attacks are becoming increasingly commonplace. This is, in large part, due to the increasingly interconnected nature of systems and services which expose businesses to perils from physical cyber-attacks such as fires, explosions, flooding or bodily injury.
At Lloyd’s we understand the complex and potentially systemic risks in the cyber class and are committed to supporting a resilient cyber market. Cyber physical represents a key opportunity for insurers to develop a sustainable cyber offering that can help protect customers from a risk that has reached the highest level of priority in boardrooms around the world.
At 38 pages it is a significant, and long, report which defies easy summary; however, some highly pertinent points it makes include:
- the potential impacts on businesses are:
  1. Asymmetric Attack Exchange: A rudimentary cyber power sponsors non-state ransomware attacks by cybercriminals targeting another nation’s critical infrastructure
  2. Offensive Cyber Retaliation: Regional tensions over nuclear development programmes spill over into cyber-physical sabotage of critical infrastructure
  3. Symmetric Attack Exchange: Two sophisticated cyber powers engage in an escalation of destructive cyber attacks on critical infrastructure
July 8, 2022
Ireland, or more accurately Ireland’s Data Protection Commission, has been engaged in a protracted dispute with Meta, Facebook’s parent company, regarding its data handling and compliance with the GDPR. On 15 March 2022 it concluded an inquiry into 12 data breaches by Meta Platforms in which it found that Meta had infringed Articles 5(2) and 24(1) of the GDPR. The media release relating to those findings stated:
The DPC has today adopted a decision, imposing a fine of €17m on Meta Platforms Ireland Limited (formerly Facebook Ireland Limited) (“Meta Platforms”).
The decision followed an inquiry by the DPC into a series of twelve data breach notifications it received in the six month period between 7 June 2018 and 4 December 2018. The inquiry examined the extent to which Meta Platforms complied with the requirements of GDPR Articles 5(1)(f), 5(2), 24(1) and 32(1) in relation to the processing of personal data relevant to the twelve breach notifications.
As a result of its inquiry, the DPC found that Meta Platforms infringed Articles 5(2) and 24(1) GDPR. The DPC found that Meta Platforms failed to have in place appropriate technical and organisational measures which would enable it to readily demonstrate the security measures that it implemented in practice to protect EU users’ data, in the context of the twelve personal data breaches.
Given that the processing under examination constituted “cross-border” processing, the DPC’s decision was subject to the co-decision-making process outlined in Article 60 GDPR and all of the other European supervisory authorities were engaged as co-decision-makers. While objections to the DPC’s draft decision were raised by two of the European supervisory authorities, consensus was achieved through further engagement between the DPC and the supervisory authorities concerned. Accordingly, the DPC’s decision represents the collective views of both the DPC and its counterpart supervisory authorities throughout the EU.
Yesterday an article titled “Europe faces Facebook blackout” reported that the Commission had informed its counterparts in Europe that it will block Meta from sending data back to the USA. Meta has said that this would close many of its services, including Facebook and Instagram. Clearly
In the Victorian Government Gazette S314 of Friday 24 June 2022 the Attorney-General made a declaration under section 35(3) of the Defamation Act 2005 increasing the maximum damages for non-economic loss to $443,000.
The declaration states:
Defamation Act 2005
DECLARATION UNDER SECTION 35(3)
I, Jaclyn Symes, Attorney-General, being the Minister for the time being administering the Defamation Act 2005, hereby declare in accordance with section 35(3) of the Defamation Act 2005 that on and from 1 July 2022 the maximum damages amount that may be awarded for non-economic loss in defamation proceedings is four hundred and forty three thousand dollars ($443,000).
Dated 7 June 2022
JACLYN SYMES MP
Attorney-General