A blog relating to Internet legal issues by Professor John Swinson, University of Queensland
Listen to this podcast where I discuss how damages should be assessed in privacy and cybersecurity lawsuits.
The Lawyers Weekly Show host Jerome Doraisamy speaks with Professor John Swinson, who teaches cyber security law and privacy law at The University of Queensland, about growing awareness of data and cyber security issues and subsequent legal claims.
AUSTRALIAN PRIVACY AMENDMENT BILL. The Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 has now passed both houses of Parliament, and will be presented to the Governor General for assent. The amendment adds substantial penalties for serious or repeated breaches of the Australian Privacy Act.
An interesting case today from the UK: Lloyd v Google
See note here: https://www.mishcon.com/news/the-developing-law-on-data-protection-group-claims
"This is of course a landmark judgment for data protection claims, but also more generally for consumer actions brought on an "opt-out" basis. The claimant, Mr Lloyd, represented a group of more than 4 million iPhone users, and alleged, on their behalf, that Google's historic deployment of cookies on the Safari browser had been not just unlawful, but that it meant that Google should pay compensation to everyone who had received cookies on that basis."
The court found for Google.
This is a good article. It provides insights on what exactly each carrier collects, a more recent run-down of how long each United States telecom retains certain types of data for, and images of the tool the FBI makes available to law enforcement agencies across the country to analyze cell phone tower data.
https://www.vice.com/en/article/m7vqkv/how-fbi-gets-phone-data-att-tmobile-verizon
The Australian Attorney-General's Office has released the Privacy Act Review Discussion Paper and seeks comments before 10 January 2022. The discussion paper considers these matters:
https://consultations.ag.gov.au/rights-and-protections/privacy-act-review-discussion-paper/
Concurrently, the AG's Office is holding this consultation at the same time as a consultation on the exposure draft of the Privacy Legislation Amendment (Enhancing Online Privacy and Other Measures) Bill 2021 (Online Privacy Bill).
The Online Privacy Bill addresses the pressing privacy challenges posed by social media and certain other online platforms.
The Privacy Act Review seeks to build on the outcomes of the Online Privacy Bill to ensure that Australia's privacy law framework empowers consumers, protects their data and supports the Australian economy.
A recent decision of the Privacy Commission found that 7-Eleven Stores breached the privacy of Australians by photographing customers who completed in store surveys, and then used facial recognition software to determine characteristics of the customers.
See Decision
The store was in breach because it
collected individuals’ sensitive information without consent, and where that
information was not reasonably necessary for the store’s functions and
activities, and
failed to take reasonable steps to notify individuals about the fact and circumstances
of collection and the purposes of collection of that information.
See story in The Guardian
Amazon's Ring Doorbell collects data that can be used for other purposes, such as sold to law enforcement. In light of the recent 7-Eleven case, if Amazon does this, it would be problematic.
“I think about what the effect is of law enforcement having easy access to cameras from everyone’s porch,” Gilliard said. “It makes nuisance crimes” — from stolen Amazon packages to an egged car — “available for escalation in a way that they weren’t previously.”
Good articles from the NY Times regarding Internet and privacy:
The Battle for Internet Privacy is Reshaping the Internet
and
Many people are aware of the use of cookies for tracking purposes. But that is old technology. Many advertisers use more sophisticated techniques for targeting advertisements, such as tracking pixels or audience matching or audience matched advertising.
In Australia, some advertising systems allow consumers to opt-out of audience matching targeting. This is not well-known or promoted. To opt-out, go here.
A recent report from the USA found that most of America’s popular streaming services and TV streaming gadgets such as Netflix, Roku and Disney+ failed to meet minimum requirements for privacy and security practices. The lone exception was Apple.
See Common Sense Media report
The Australian Privacy Commissioner has determined that Uber interfered with the privacy of an estimated 1.2 million Australians.
The Uber companies failed to appropriately protect the personal data of Australian customers and drivers, which was accessed in a cyber attack starting in October 2016.
Rather than disclosing the breach responsibly, Uber paid the attackers a reward through a bug bounty program for identifying a security vulnerability. Uber did not conduct a full assessment of the personal information that may have been accessed until almost a year after the data breach and did not publicly disclose the data breach until November 2017.
See Decision
The Australian Privacy Commission made an award compensating individuals for non-economic loss for a privacy law breach. This was a first in Australia.
See https://www.oaic.gov.au/assets/privacy/privacy-decisions/privacy-determinations/WP-and-Secretary-to-the-Department-of-Home-Affairs-Privacy-2021-AICmr-2-11-January-2021.pdf and https://www.kwm.com/en/au/knowledge/insights/privacy-commissioner-hands-down-first-representative-award-20210203
The decision requires the Department of Home Affairs to compensate over 1,200 asylum seekers for inadvertently publishing their personal information online in 2014.
It is somewhat amazing that this case took seven years to reach this stage.
Justice Keane of the High Court of Australia gave a speech at the end of 2020 that discussed privacy.
It was titled; "Too Much Information: civilisation and the problems of privacy" and argued that relying upon judicial development of the law to solve the problem of privacy "has been, at best, a hit and miss affair".
Justice Keane said it "would not be surprising were the High Court now to accept a tort of invasion of privacy" along U.S. lines.
"But such a cause of action would probably be confined to cases of intentional intrusion, physically or otherwise, upon the solitude or seclusion of an individual or his or her private affairs.
"In the case of the publicising of a matter concerning the private life of an individual, the conduct would be actionable if the matter publicised is of a kind that would be highly offensive to a reasonable person and is not of legitimate concern to the public."
He noted that in the recent High Court case involving the Australian Federal Police raid on the home of journalist Annika Smethurst the media "carefully eschewed any attempt to press forward . . . towards a broader protection of privacy". (I suspect that the media did not want to expand the right of privacy in Australia even though it may have been helpful in this case - because the media since at least 1890 has been the subject of negative criticism regarding the media's lack of respect of privacy rights.)
AFR Article: https://www.afr.com/companies/media-and-marketing/high-court-judge-takes-swipe-at-media-on-privacy-20200927-p55zo0
Text of Keene J's Speech: https://cdn.hcourt.gov.au/assets/publications/speeches/current-justices/keanej/keanej27Aug2020.pdf
Virginia in the USA recently passed a new privacy law.
A US law firm note is here: https://communications.willkie.com/103/1291/uploads-(icalendars-pdf-documents)/virginia-is-the-new-privacy-leader-what-s-next-after-virginia-passes-comprehensive-privacy-law.pdf and another is here: https://www.jdsupra.com/legalnews/virginia-legislature-sends-novel-2533245/
The most recent issue of the Journal of the Australian Society for Computers and the Law is available here: http://classic.austlii.edu.au/au/journals/ANZCompuLawJl/recent.html
This journal includes articles on privacy law and cybersecurity law.
In January, the NY Times published a long article on Tech predictions for 2021. There was a section on privacy laws, that was U.S. focused but interesting reading. An extract:
Lawmakers will take on comprehensive federal privacy legislation. (Hopefully.) |
|
Greg Bensinger, member of the New York Times editorial board: |
|
Lawmakers on both sides of the aisle have indicated that they suddenly care about Americans’ privacy rights online. I am looking forward to them putting their money where their mouth is in 2021 by rolling out comprehensive federal privacy legislation. |
|
Is this a pipe dream? Yes. But if anything good comes from backlash against technology companies, I hope it’s that consumers have more control over the rights to their own data. |
The European Data Protection Board (EDPB) has recently published guidelines with examples for data breach notification under the GDPR.
The Guidelines set out common types of data breaches, such as ransomware, lost or stolen devices, social engineering attacks and the like, and set out case studies to clarify notification and remediation obligations.
U.S. law firm Wilson Sonsini has a good summary of likely FTC priorities.
Potential key priorities:
Flight Centre organised a hack-a-phon in 2017, and gave those participating access to real customer data. This resulted in a breach of the Privacy Act.
Decision here: https://www.austlii.edu.au/cgi-bin/viewdoc/au/cases/cth/AICmr/2020/57.html
Listen to this podcast where I discuss how damages should be assessed in privacy and cybersecurity lawsuits. The Lawyers Weekly Show host J...