Amended Privacy Law in Australia

AUSTRALIAN PRIVACY AMENDMENT BILL. The Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 has now passed both houses of Parliament, and will be presented to the Governor General for assent.  The amendment adds substantial penalties  for serious or repeated breaches of the Australian Privacy Act.

UK Cookies Case

An interesting case today from the UK:  Lloyd v Google

See note here:  https://www.mishcon.com/news/the-developing-law-on-data-protection-group-claims

"This is of course a landmark judgment for data protection claims, but also more generally for consumer actions brought on an "opt-out" basis. The claimant, Mr Lloyd, represented a group of more than 4 million iPhone users, and alleged, on their behalf, that Google's historic deployment of cookies on the Safari browser had been not just unlawful, but that it meant that Google should pay compensation to everyone who had received cookies on that basis."

The court found for Google.

 

How the FBI obtains access to telephone information

This is a good article.  It provides insights on what exactly each carrier collects, a more recent run-down of how long each United States telecom retains certain types of data for, and images of the tool the FBI makes available to law enforcement agencies across the country to analyze cell phone tower data.

Here's the FBI's Internal Guide for Getting Data from AT&T, T-Mobile, Verizon

https://www.vice.com/en/article/m7vqkv/how-fbi-gets-phone-data-att-tmobile-verizon

Privacy Act Review in Australia

The Australian Attorney-General's Office has released the Privacy Act Review Discussion Paper and seeks comments before 10 January 2022. The discussion paper considers these matters:

• Scope, application & effectiveness of the Privacy Act
• Direct rights of action by individuals
• Statutory tort for invasion of privacy
• Notifiable data breach scheme effectiveness
• Enforcement power effectiveness
• Aspects of a certification scheme

https://consultations.ag.gov.au/rights-and-protections/privacy-act-review-discussion-paper/

Concurrently, the AG's Office is holding this consultation at the same time as a consultation on the exposure draft of the Privacy Legislation Amendment (Enhancing Online Privacy and Other Measures) Bill 2021 (Online Privacy Bill).

The Online Privacy Bill addresses the pressing privacy challenges posed by social media and certain other online platforms.

The Privacy Act Review seeks to build on the outcomes of the Online Privacy Bill to ensure that Australia's privacy law framework empowers consumers, protects their data and supports the Australian economy.

7-Eleven Stores in Australia breached privacy through facial recognition software

A recent decision of the Privacy Commission found that 7-Eleven Stores breached the privacy of Australians by photographing customers who completed in store surveys, and then used facial recognition software to determine characteristics of the customers.

See Decision

The store was in breach because it

• collected individuals’ sensitive information without consent, and where that
  information was not reasonably necessary for the store’s functions and
  activities, and
  

• failed to take reasonable steps to notify individuals about the fact and circumstances
  of collection and the purposes of collection of that information.    

  See story in The Guardian 

Ring Doorbell and Privacy

Amazon's Ring Doorbell collects data that can be used for other purposes, such as sold to law enforcement.  In light of the recent 7-Eleven case, if Amazon does this, it would be problematic.

See Washington Post article:

“I think about what the effect is of law enforcement having easy access to cameras from everyone’s porch,” Gilliard said. “It makes nuisance crimes” — from stolen Amazon packages to an egged car — “available for escalation in a way that they weren’t previously.”

Internet Privacy

Good articles from the NY Times regarding Internet and privacy:

The Battle for Internet Privacy is Reshaping the Internet

and

What the Privacy Battle means for you

Privacy and Opt-Out

Many people are aware of the use of cookies for tracking purposes.  But that is old technology.  Many advertisers use more sophisticated techniques for targeting advertisements, such as tracking pixels or audience matching or audience matched advertising.

In Australia, some advertising systems allow consumers to opt-out of audience matching targeting.  This is not well-known or promoted.  To opt-out, go here.

Privacy and Streaming Services

A recent report from the USA found that most of America’s popular streaming services and TV streaming gadgets such as Netflix, Roku and Disney+ failed to meet minimum requirements for privacy and security practices. The lone exception was Apple.

See Common Sense Media report

Uber Interfered With Privacy of Australians

The Australian Privacy Commissioner has determined that Uber interfered with the privacy of an estimated 1.2 million Australians.

The Uber companies failed to appropriately protect the personal data of Australian customers and drivers, which was accessed in a cyber attack starting in October 2016.

Rather than disclosing the breach responsibly, Uber paid the attackers a reward through a bug bounty program for identifying a security vulnerability. Uber did not conduct a full assessment of the personal information that may have been accessed until almost a year after the data breach and did not publicly disclose the data breach until November 2017. 

See Press Release from OAIC

See Decision

 

Privacy Commissioner hands down award compensating for non-economic loss

The Australian Privacy Commission made an award compensating individuals for non-economic loss for a privacy law breach.  This was a first in Australia.

See https://www.oaic.gov.au/assets/privacy/privacy-decisions/privacy-determinations/WP-and-Secretary-to-the-Department-of-Home-Affairs-Privacy-2021-AICmr-2-11-January-2021.pdf and  https://www.kwm.com/en/au/knowledge/insights/privacy-commissioner-hands-down-first-representative-award-20210203

The decision requires the Department of Home Affairs to compensate over 1,200 asylum seekers for inadvertently publishing their personal information online in 2014.  

It is somewhat amazing that this case took seven years to reach this stage.

Privacy Rights Expanding in Australia?

Justice Keane of the High Court of Australia gave a speech at the end of 2020 that discussed privacy.

It was titled; "Too Much Information: civilisation and the problems of privacy" and argued that relying upon judicial development of the law to solve the problem of privacy "has been, at best, a hit and miss affair".

Justice Keane said it "would not be surprising were the High Court now to accept a tort of invasion of privacy" along U.S. lines.

"But such a cause of action would probably be confined to cases of intentional intrusion, physically or otherwise, upon the solitude or seclusion of an individual or his or her private affairs.

"In the case of the publicising of a matter concerning the private life of an individual, the conduct would be actionable if the matter publicised is of a kind that would be highly offensive to a reasonable person and is not of legitimate concern to the public."

He noted that in the recent High Court case involving the Australian Federal Police raid on the home of journalist Annika Smethurst the media "carefully eschewed any attempt to press forward . . . towards a broader protection of privacy".  (I suspect that the media did not want to expand the right of privacy in Australia even though it may have been helpful in this case - because the media since at least 1890 has been the subject of negative criticism regarding the media's lack of respect of privacy rights.)

AFR Article: https://www.afr.com/companies/media-and-marketing/high-court-judge-takes-swipe-at-media-on-privacy-20200927-p55zo0

Text of Keene J's Speech: https://cdn.hcourt.gov.au/assets/publications/speeches/current-justices/keanej/keanej27Aug2020.pdf

Another U.S State brings in a privacy law

Virginia in the USA recently passed a new privacy law.  

A US law firm note is here:  https://communications.willkie.com/103/1291/uploads-(icalendars-pdf-documents)/virginia-is-the-new-privacy-leader-what-s-next-after-virginia-passes-comprehensive-privacy-law.pdf and another is here: https://www.jdsupra.com/legalnews/virginia-legislature-sends-novel-2533245/

An Australian Computer Law Journal

The most recent issue of the Journal of the Australian Society for Computers and the Law is available here:  http://classic.austlii.edu.au/au/journals/ANZCompuLawJl/recent.html

This journal includes articles on privacy law and cybersecurity law.

U.S. Privacy Legislation - or lack of it

In January, the NY Times published a long article on Tech predictions for 2021.  There was a section on privacy laws, that was U.S. focused but interesting reading.  An extract:

Lawmakers will take on comprehensive federal privacy legislation. (Hopefully.)

Greg Bensinger, member of the New York Times editorial board:

Lawmakers on both sides of the aisle have indicated that they suddenly care about Americans’ privacy rights online. I am looking forward to them putting their money where their mouth is in 2021 by rolling out comprehensive federal privacy legislation.

Is this a pipe dream? Yes. But if anything good comes from backlash against technology companies, I hope it’s that consumers have more control over the rights to their own data.

New European Data Breach Notification Guidelines

The European Data Protection Board (EDPB) has recently published guidelines with examples for data breach notification under the GDPR.

The Guidelines set out common types of data breaches, such as ransomware, lost or stolen devices, social engineering attacks and the like, and set out case studies to clarify notification and remediation obligations.

See https://edpb.europa.eu/sites/edpb/files/consultation/edpb_guidelines_202101_databreachnotificationexamples_v1_en.pdf

Did Facebook overpay in privacy settlement to protect Zuckerberg?

According to Reuters, Facebook Inc may have paid $4.9 billion more than the maximum penalty it faced under a settlement agreement with regulators related to allegations it mishandled user privacy, according to a recent court ruling.

The U.S. court cited a paper by Gibson Dunn attorneys when directing Facebook to turn over documents to shareholders who are trying to determine if Facebook overpaid to protect Zuckerberg.

“The documents already produced provide no insight into why Facebook would pay more than its (apparently) maximum exposure to settle a claim,” said the court.

See https://www.reuters.com/article/us-facebook-settlement-idUSKBN2AB01P

FTC priorities under Biden Administration

U.S. law firm Wilson Sonsini has a good summary of likely FTC priorities.

See https://www.wsgr.com/en/insights/acting-ftc-chairwoman-slaughter-previews-potential-ftc-priorities-under-new-administration.html

Potential key priorities:

• Requirements in privacy and data security consent orders that represent a departure from the FTC's typical approach to consumer notice and disgorgement, including requirements that companies "disgorge" the data and benefits that they amassed through their allegedly wrongful behavior, and provide notice to consumers of the FTC settlement and the conduct at issue in the settlement; and
• Increased FTC scrutiny of health apps, facial recognition technology, algorithms and AI, and other issues related to the pandemic and racial equity, particularly where those issues fall under the purview of the FCRA or ECOA.

Flight Centre's Privacy Act breach

Flight Centre organised a hack-a-phon in 2017, and gave those participating access to real customer data.  This resulted in a breach of the Privacy Act.

Decision here: https://www.austlii.edu.au/cgi-bin/viewdoc/au/cases/cth/AICmr/2020/57.html

New Californian Privacy Law: CPRA to effectively replace CCPA

On U.S. Election Day, 3 November 2020, voters in the State of California overwhelmingly voted in favour of Proposition 24—a ballot measure that creates the California Privacy Rights Act (CPRA). The CPRA revises and expands the California Consumer Privacy Act (CCPA), creating new industry requirements, consumer privacy rights and enforcement mechanisms. 

The CPRA's new obligations for businesses will come into effect on 1 January 2023.  At that time, the CPRA will effectively replace the CCPA.  In the meantime, the CPRA requires that a new California privacy agency be established and that it adopts implementing regulations.