
Privacy Commissioner hands down award compensating for non-economic loss

The Australian Privacy Commission made an award compensating individuals for non-economic loss for a privacy law breach.  This was a first in Australia.

See https://www.oaic.gov.au/assets/privacy/privacy-decisions/privacy-determinations/WP-and-Secretary-to-the-Department-of-Home-Affairs-Privacy-2021-AICmr-2-11-January-2021.pdf and  https://www.kwm.com/en/au/knowledge/insights/privacy-commissioner-hands-down-first-representative-award-20210203

The decision requires the Department of Home Affairs to compensate over 1,200 asylum seekers for inadvertently publishing their personal information online in 2014.  

It is somewhat amazing that this case took seven years to reach this stage.

Privacy Rights Expanding in Australia?

Justice Keane of the High Court of Australia gave a speech at the end of 2020 that discussed privacy.

It was titled "Too Much Information: civilisation and the problems of privacy" and argued that relying upon judicial development of the law to solve the problem of privacy "has been, at best, a hit and miss affair".

Justice Keane said it "would not be surprising were the High Court now to accept a tort of invasion of privacy" along U.S. lines.

"But such a cause of action would probably be confined to cases of intentional intrusion, physically or otherwise, upon the solitude or seclusion of an individual or his or her private affairs.

"In the case of the publicising of a matter concerning the private life of an individual, the conduct would be actionable if the matter publicised is of a kind that would be highly offensive to a reasonable person and is not of legitimate concern to the public."

He noted that in the recent High Court case involving the Australian Federal Police raid on the home of journalist Annika Smethurst the media "carefully eschewed any attempt to press forward . . . towards a broader protection of privacy".  (I suspect that the media did not want to expand the right of privacy in Australia even though it may have been helpful in this case - because the media since at least 1890 has been the subject of negative criticism regarding the media's lack of respect of privacy rights.)

AFR Article: https://www.afr.com/companies/media-and-marketing/high-court-judge-takes-swipe-at-media-on-privacy-20200927-p55zo0

Text of Keane J's speech: https://cdn.hcourt.gov.au/assets/publications/speeches/current-justices/keanej/keanej27Aug2020.pdf

An Australian Computer Law Journal

The most recent issue of the Journal of the Australian Society for Computers and the Law is available here:  http://classic.austlii.edu.au/au/journals/ANZCompuLawJl/recent.html

This journal includes articles on privacy law and cybersecurity law.

U.S. Privacy Legislation - or lack of it

In January, the NY Times published a long article on tech predictions for 2021. It included a section on privacy laws that was U.S.-focused but interesting reading. An extract:

Lawmakers will take on comprehensive federal privacy legislation. (Hopefully.)

Greg Bensinger, member of the New York Times editorial board:

Lawmakers on both sides of the aisle have indicated that they suddenly care about Americans’ privacy rights online. I am looking forward to them putting their money where their mouth is in 2021 by rolling out comprehensive federal privacy legislation.

Is this a pipe dream? Yes. But if anything good comes from backlash against technology companies, I hope it’s that consumers have more control over the rights to their own data.

New European Data Breach Notification Guidelines

The European Data Protection Board (EDPB) has recently published guidelines with examples for data breach notification under the GDPR.

The Guidelines set out common types of data breaches, such as ransomware, lost or stolen devices, social engineering attacks and the like, and set out case studies to clarify notification and remediation obligations.

See https://edpb.europa.eu/sites/edpb/files/consultation/edpb_guidelines_202101_databreachnotificationexamples_v1_en.pdf


Did Facebook overpay in privacy settlement to protect Zuckerberg?

Reuters reports that Facebook Inc may have paid $4.9 billion more than the maximum penalty it faced under a settlement agreement with regulators related to allegations it mishandled user privacy, according to a recent court ruling.

The U.S. court cited a paper by Gibson Dunn attorneys when directing Facebook to turn over documents to shareholders who are trying to determine if Facebook overpaid to protect Zuckerberg.

“The documents already produced provide no insight into why Facebook would pay more than its (apparently) maximum exposure to settle a claim,” said the court.


FTC priorities under Biden Administration

U.S. law firm Wilson Sonsini has a good summary of likely FTC priorities.

See https://www.wsgr.com/en/insights/acting-ftc-chairwoman-slaughter-previews-potential-ftc-priorities-under-new-administration.html

Potential key priorities:

  • Requirements in privacy and data security consent orders that represent a departure from the FTC's typical approach to consumer notice and disgorgement, including requirements that companies "disgorge" the data and benefits that they amassed through their allegedly wrongful behavior, and provide notice to consumers of the FTC settlement and the conduct at issue in the settlement; and
  • Increased FTC scrutiny of health apps, facial recognition technology, algorithms and AI, and other issues related to the pandemic and racial equity, particularly where those issues fall under the purview of the FCRA or ECOA.

Flight Centre's Privacy Act breach

Flight Centre organised a hackathon in 2017 and gave those participating access to real customer data. This resulted in a breach of the Privacy Act.

Decision here: https://www.austlii.edu.au/cgi-bin/viewdoc/au/cases/cth/AICmr/2020/57.html


New Californian Privacy Law: CPRA to effectively replace CCPA

On U.S. Election Day, 3 November 2020, voters in the State of California overwhelmingly voted in favour of Proposition 24—a ballot measure that creates the California Privacy Rights Act (CPRA). The CPRA revises and expands the California Consumer Privacy Act (CCPA), creating new industry requirements, consumer privacy rights and enforcement mechanisms. 

The CPRA's new obligations for businesses will come into effect on 1 January 2023.  At that time, the CPRA will effectively replace the CCPA.  In the meantime, the CPRA requires that a new California privacy agency be established and that it adopts implementing regulations.

Australian Privacy Act - government review

The Australian Government is undertaking a complete review of the Australian Privacy Act.

Unfortunately, after a year of work, the government is only giving 4 weeks to make submissions in respect of a very detailed issues paper.

One topic for consideration is whether to legislate and create a privacy tort in Australia.

Further information available here.

Using Covid registration data for marketing is alleged privacy breach

It was only a matter of time.  The restaurant chain Wagamama has been reported to the UK Information Commissioner’s Office (ICO) for allegedly using contact details provided for Covid track and trace to send surveys to customers.

See The Times

Is Facebook carrying on business in Australia?

The Federal Court of Australia recently decided whether Facebook could be served in California. The case arises out of a privacy action brought against Facebook by ACMA in relation to the Cambridge Analytica issues.

"It might be added that the means by which entities carry on business are constantly evolving. Much of the case law in which the concept has been discussed was decided long before the technological advances which underpin many modern forms of commerce. Ultimately, the question whether a particular entity carries on business, and does so in a particular place, is determined by reference to the particular facts. 

The Commissioner submitted that she had established a prima facie case that Facebook Inc carried on business in Australia through a combination of two matters: first, through the agency of Facebook Ireland; and secondly, through certain activities for which Facebook Inc was directly responsible in Australia. ...

Rather, the evidence on this application suggests that, to the extent Facebook Ireland carried on business in Australia, it was carrying on its own business. The evidence adduced on this application and the inferences available to be drawn do not sufficiently allow for a possible conclusion that Facebook Ireland was also carrying on Facebook Inc’s business to warrant permitting service out of the jurisdiction.

However, for the reasons given next, the Commissioner has established a sufficient prima facie case to warrant exposing Facebook Inc to litigation in Australia on the basis that Facebook Inc directly carried on business in Australia. On its case, a part of Facebook Inc’s business was to provide services to Facebook Ireland, including the processing activities referred to earlier. I am satisfied that there is a prima facie case that Facebook Inc carried out sufficient activity in Australia in its business of providing services to Facebook Ireland for a conclusion to be available that Facebook Inc carried on business in Australia within the meaning of s 5B(3)(b) of the Privacy Act. ...

I am satisfied that the Commissioner has established a prima facie case, in the required sense, that Facebook Inc carried on business in Australia within the meaning of s 5B(3)(b). In summary, the Commissioner has established a sufficient prima facie case that Facebook Inc carried on business in Australia which included providing services to Facebook Ireland."

Australian Information Commissioner v Facebook Inc (No 2) [2020] FCA 1307

Queensland Privacy Review and Law Reform Report

Today, the Queensland Law Reform Commission published a final report, Report No 77, Review of Queensland’s laws relating to civil surveillance and the protection of privacy in the context of current and emerging technologies.

The Report includes a draft bill:  DRAFT SURVEILLANCE DEVICES BILL 2020

Facebook in Australia?

Facebook claims it can’t be sued by Aussie privacy watchdog

In a court hearing on Friday, 26 June 2020, US-based Facebook argued that it does not carry on business in Australia despite users in Australia accessing its website, and called for the dismissal of the action brought by the Australian Information Commissioner over alleged privacy breaches and Cambridge Analytica.

Facebook in Court over Cambridge Analytica

This recent Australian judgment concerns substituted service on Facebook. It relates to the Cambridge Analytica breach. Interestingly, it discusses COVID-19. Facebook did not appear in court.

Australian Information Commissioner v Facebook Inc [2020] FCA 531

Facebook in Court

In a surprising move, the Australian Information Commissioner has sued Facebook in Australia over giving access to personal information of thousands of Australians to Cambridge Analytica.

https://www.abc.net.au/news/2020-03-09/facebook-privacy-oaic-information-commissioner/12039642

https://www.businessnewsaus.com.au/articles/australian-information-commissioner-takes-facebook-to-court.html

"We consider the design of the Facebook platform meant that users were unable to exercise reasonable choice and control about how their personal information was disclosed," says Australian Information Commissioner and Privacy Commissioner Angelene Falk.

Assaults on Privacy in the USA

A good article in Harvard Magazine titled "How surveillance changes people's behaviour: assaults on privacy in America."  See article here.

EU ePrivacy

On 10 January 2017, the European Commission published a Proposal for a Regulation that could have significant implications for Internet-based services and technologies.

The Proposal seeks to revise the current EU ePrivacy Directive. It creates strict new rules regarding confidentiality of electronic communications, including content and metadata. In addition, the Proposal amends the current rules on the use of cookies and similar technologies, and direct marketing. The rules apply to EU and non-EU companies providing services in the EU, and are backed up by significant enforcement powers—fines of up to four percent of a company's global turnover.

The Proposal is the next major step in the EU's review of its data protection legal framework and follows the adoption of the General Data Protection Regulation (GDPR) in April 2016.

Hacktivist raided

A Swiss hacktivist was raided at the request of U.S. authorities for data theft and then publishing what was hacked. https://amp.9news.com.au/...