European Union Agency for Cybersecurity (ENISA) releases its report into telecom security incidents in 2024. A 20.5% increase over 2023

July 21, 2025

ENISA releases an annual report of security incidents every year. This year it reported 188 incidents submitted by national authorities from 26 EU Member States and two European Free Trade Association (EFTA) countries. That is an increase of 20.5% over 2023, when 156 incidents were reported from 26 EU Member States and one EFTA country. That said, according to the press release there was a reduction in user hours lost.

According to the

Kate Aston video intrusion and Nathalie Matthews’ videos of an intimate nature and privacy breaches. Options. A claim under the statutory tort of serious invasion of privacy?

The case of Kate Aston being videoed walking out of a bathroom, and of Nathalie Matthews being concerned that intimate videos she filmed would be made public, raises issues of privacy protection in each case and of what each could do to protect her privacy, particularly with the statutory tort of serious invasion of privacy having come into operation on 10 June 2025.

While both factual situations are unique they are not, in broad strokes, all that unusual in privacy law. The use of videos and cameras in a setting which should be private, and which clearly causes serious distress, is not unknown. Many cases, almost invariably resulting in a prosecution, involve the use of a camera or video in a toilet. But there is no hard dividing line between taking photos or videos of someone in a toilet and using that same equipment to photograph or video someone who is leaving a toilet. The question is whether there is a reasonable expectation of privacy. In the case of someone using the toilet facilities the answer is clearly yes. In the case of someone leaving a toilet it is most likely yes. The distinction is slight. One can have a reasonable expectation of privacy in a semi-public or even public space. In 2008 the UK Court of Appeal in Murray v Big Pictures (UK) Ltd [2008] EWCA Civ 446 found that a child had a right to privacy in a public space. The Mrs Murray in that case writes under the nom de plume of JK Rowling. While the claim was brought on behalf of the Murrays’ child, the defendant’s interest was more in capturing an image of Mrs Murray with her family, her child especially. While that case focused on the rights of the child, the principles subsequently developed apply to adults. It depends on the circumstances. And those circumstances do not assist someone who intentionally waits outside a toilet, uses a video camera to catch another on film leaving the toilet, and then posts that footage online.

According to 7 News, Ms Aston has commenced legal action. Whether that is a claim in privacy, equity, defamation or any other cause of action is unknown.

According to the Australian report of the Matthews case, the concern is that intimate videos would be made public, and that motivated her to apply for a domestic violence order. The abuse of intimate videos, previously made consensually, has been the subject of two superior court decisions in Australia: the Victorian Court of Appeal decision in Giller v Procopets [2008] 24 VR 1 and the Western Australian decision of Wilson v Ferguson [2015] WASC 15, which I posted on in 2015.

Either of these cases could be run without the statutory tort of serious invasion of privacy. With that tort extant, and these fact situations commencing after 10 June 2025, the tort is available to either. The strength of the case depends on all of the facts, not just the media coverage.

It is interesting to read

Will forcing companies to delete data reduce cybercrime….

July 18, 2025

The desire, if not obsession, of government agencies, private organisations and companies to collect and store information has been a problem for as long as there has been the capacity to make records. It has been regularly satirised (eg Brazil). It is no joke. Digitisation and the increased ability to economically store vast amounts of data have meant that governments, organisations and companies can collect much more personal information than was thought possible in the analog era. More importantly, advanced computing, especially the use of algorithms, has made that data particularly valuable. As a result many government bodies and companies hold an enormous amount of personal information. In cyber security language that is sometimes described as the honey pot. The question often posed is how to reduce this honey pot and thereby minimise the exposure of individuals to losing their personal information. One of the solutions raised is to require agencies and companies to remove data. That is the product of wrong analysis. It implies that the regulation is lacking. That is not correct. The laws are adequate. It is the regulation and enforcement of those laws, especially the Privacy Act 1988, that has been inadequate over a very long time. As a result there is complacency in the market place. Under the Privacy Act 1988 an entity should only collect personal information relevant to its primary purpose. It should only retain that personal information for as long as it is relevant to that purpose. That companies, especially, collect as much information as possible on the most tenuous bases is a matter of their desire, not compliance with the law. The problem is that they have not been called on it. There have not been enough cases in the Federal Court where those breaches have been prosecuted. None of this is to say the Privacy Act 1988 does not need further reform. It does.
But the issue of data hoarding can be dealt with by a determined, effective and properly resourced regulator.

The ABC has published an interesting essay, Experts say forcing companies to delete data would remove cybercrime ‘honey pot’.

It provides, with my notations:

Giving Australians the right to force the removal of their personal details from company databases would help combat the growing impact of mass data theft, experts say.

Theoretically, yes. But how much of a difference such a right would make is questionable. Already, under Australian Privacy Principle 12, an individual may request access to information held by an entity. APP 12.1 states:

If an APP entity holds personal information about an individual, the entity must, on request by the individual, give the individual access to the information.

There are exceptions to

Trumpet of Patriots and United Australia Party hit by ransomware cyber attack.

The cyber attack on Trumpet of Patriots and the United Australia Party highlights two issues with privacy. The first is that political parties harvest huge amounts of personal information. Some of it relates to membership. Some is obtained through enquiries, surveys and data provided from other political sources, such as parliamentarians. Political parties operate on data. It is a critical part of messaging and lobbying. The second is that this cyber attack highlights a flaw in the Privacy Act 1988. Registered political parties are exempt under section 7C from the operation of the Privacy Act 1988. The Privacy Commissioner has no power to investigate the breach. The question then is whether either or both of the United Australia Party and Trumpet of Patriots are “registered political parties.” According to the Australian Electoral Commission, Trumpet of Patriots is a registered political party. The United Australia Party is not. It has been deregistered and, despite its best efforts in Babet v Commonwealth of Australia; Palmer v Commonwealth of Australia [2025] HCA 21, could not be re-registered. Interestingly, Trumpet of Patriots notified the Privacy Commissioner of the data breach.

That does not mean Trumpet of Patriots is immune from suit even if it is exempt under the Privacy Act.

The story is covered in

Meta settles 8 billion dollar lawsuit regarding privacy breaches

The Cambridge Analytica scandal has a very long tail. Shareholders of Meta brought an action against Mark Zuckerberg and other Facebook directors over privacy violations. It is reported in the Times with Mark Zuckerberg settles $8bn lawsuit over Facebook privacy claims and by the BBC with Meta investors settle $8bn lawsuit with Zuckerberg over Facebook privacy. The core of the case was a claim against Facebook directors for their failures, which resulted in fines and legal costs associated with the Cambridge Analytica scandal. The problem for the defendants was that Facebook had entered into an agreement in 2012 regarding compliance with privacy obligations. The other difficulty for the defendants was the scale of the data harvesting and the deceptive practices used to do it.

The timing of the settlement is ironic given

A representative complaint under the Privacy Act 1988 made against Qantas

The Australian reports in Maurice Blackburn launches compensation case against Qantas over cyber attack that a claim against Qantas is in the offing. It is a representative complaint under the Privacy Act 1988. It is also reported in Compensation sought for millions of Qantas customers hit in major cyber data breach. Representative complaints may be commenced under Division 1 of Part V of the Privacy Act. Under section 36 an individual may complain to the Commissioner about an act or practice that is an interference with the privacy of that individual. Under section 38 a representative complaint can be made on behalf of a class if all the members have complaints against the same entity and those complaints arise out of the same circumstances, as they do in this case.

There should be no surprise in

Bunnings CEO now wants the Government to pass laws to make facial recognition legal after Bunnings was found to have breached the Privacy Act when using facial recognition

July 17, 2025

In November last year Bunnings was found to have breached the Privacy Act 1988 by using facial recognition technology without consent and by failing to take reasonable steps to notify individuals that their personal information was being collected. There were no meek apologies from Bunnings. It came out saying it had every right to use facial recognition and that it was the most effective way to combat rising crime. It has appealed. Now the Managing Director of Bunnings has come out in an AFR article complaining about the privacy law and wanting new laws to allow facial recognition in stores. That is very curious. To call for a change to the law while appealing a decision under the extant law is not illegal. But it is quite arrogant. Changing the law to allow for such a carve-out would significantly damage the operation of the Privacy Act.

Meanwhile, in CBA using facial recognition logins to verify disputed payment, the CBA is showing itself to be an enthusiastic user of facial recognition.

The AFR article

Qantas obtains interim injunction arising out of the data breach which affected 5.7 million customers

It is becoming common practice for companies affected by significant data breaches to seek injunctive relief. The Australian reports in Qantas goes to court over cyber attack in attempt to stop stolen data being released or used that Qantas has obtained an interim injunction in the New South Wales Supreme Court. A copy of the orders has not been released, but the orders are reported as intending “..to prevent the data being accessed, viewed, released, used, transmitted or published by anyone including by any third parties.” There is no identified respondent to the application. It is also covered by 9 News and Reuters. If the process follows the approach taken by the court in the HWL Ebsworth application for injunctive relief in 2024.

Interestingly, the National Office of Cyber Security prepared a report on the HWL Ebsworth Cyber Security Incident titled “Lessons Learned Review”. Under the heading “What was interesting” the report says the following about the injunction HWL Ebsworth obtained from the Supreme Court of New South Wales.

The granting of an injunction from the Supreme Court of New South Wales to HWL Ebsworth was a key point of interest during the management of the incident. The injunction was sought by HWL Ebsworth to restrain further access to or publication of information exposed during the incident, in an attempt to protect client data, and minimise ‘online rubbernecking’. Overwhelmingly, government entities viewed this enabled better support to impacted clients (including individuals) through minimising the likelihood that other actors may access and act on the published data, and was overall viewed as a sensible step in the firm’s response.

HWL Ebsworth’s intention when seeking the injunction was never to stop its clients from accessing their own data, as several clients were granted exemptions to ensure access for this purpose could continue. However, the injunction also prevented accidental unauthorised access which would have been inevitable in the circumstances where clients of the firm were seeking their own information but would, in the process, further compromise the privacy of other matters unintentionally.

There is quite a bit of supposition in that assessment. It is not possible to know whether the injunction performed that role. There have been no reported contempt of court proceedings for breaching the injunction. It would also be quite difficult to determine whether there was any ‘online rubbernecking’ to start with, and whether it was reduced. How to monitor online rubbernecking is another issue. If the data is stored on a particular dark web site, removing the data (highly improbable) would be a better solution than working out who viewed it (even more difficult). That said, injunctive relief is now part of the response to large scale data breaches.

It is clear from the assessment that the orders were almost certainly more involved and complicated than a blanket prohibition. There is reference to exemptions. That is an important issue when seeking such orders. It is important to avoid putting victims who discover their personal information, and view it, in a position where they may be in contempt of court. That is clearly not an intended consequence.

The Australian story

UK Government data breach led to risk of death to 100,000 Afghans and an extraordinary Government response (or cover up) potentially costing 7 billion pounds

July 16, 2025

That data breaches cause damage is trite. The damage may be economic or psychological. It can also be life threatening, as the Times story Revealed: Leak that risked lives of 100,000 Afghans — and £7bn cover-up makes clear. As does the BBC report Thousands of Afghans were moved to UK in secret scheme after data breach. A data breach by a British official at the Ministry of Defence in February 2022 resulted in the personal details of 19,000 people who applied to move to the UK after the Taliban took over being leaked. That prompted a resettlement scheme which has resulted in 4,500 Afghans moving to the UK so far. So far, so bad.

What is very interesting to legal practitioners is that the Government sought and obtained a super injunction, which involved a gag order relating to the data breach and its contents. It was the first time the Government had sought a super injunction and it was the longest ever granted. That was lifted yesterday in Ministry of Defence v Global Media and Entertainment Ltd & ors [2025] EWHC 1806.

In reviewing and ultimately lifting the gag order the court made the following points regarding the grant and

64 million McDonald’s chatbot job applications exposed because the login was “123456” and the password was “123456”

July 14, 2025

Implementing proper password protection is one of the foundation blocks of proper cyber security. It has been since the internet was established. But it remains a real problem for many organisations. Bleeping Computer, with ‘123456’ password exposed chats for 64 million McDonald’s job chatbot applications, reports on a spectacular fail with both logins and passwords, both being 123456.

The Bleeping Computer article