AUSTRALIAN PRIVACY AMENDMENT BILL. The Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 has now passed both houses of Parliament, and will be presented to the Governor-General for assent. The amendment adds substantial penalties for serious or repeated breaches of the Australian Privacy Act.
An interesting case today from the UK: Lloyd v Google
"This is of course a landmark judgment for data protection claims, but also more generally for consumer actions brought on an "opt-out" basis. The claimant, Mr Lloyd, represented a group of more than 4 million iPhone users, and alleged, on their behalf, that Google's historic deployment of cookies on the Safari browser had been not just unlawful, but that it meant that Google should pay compensation to everyone who had received cookies on that basis."
The court found for Google.
This is a good article. It provides insights on what exactly each carrier collects, a more recent run-down of how long each United States telecom retains certain types of data, and images of the tool the FBI makes available to law enforcement agencies across the country to analyze cell phone tower data.
The Australian Attorney-General's Office has released the Privacy Act Review Discussion Paper and seeks comments before 10 January 2022. The discussion paper considers these matters:
- Scope, application & effectiveness of the Privacy Act
- Direct rights of action by individuals
- Statutory tort for invasion of privacy
- Notifiable data breach scheme effectiveness
- Enforcement power effectiveness
- Aspects of a certification scheme
The AG's Office is holding this consultation at the same time as a consultation on the exposure draft of the Privacy Legislation Amendment (Enhancing Online Privacy and Other Measures) Bill 2021 (Online Privacy Bill).
The Online Privacy Bill addresses the pressing privacy challenges posed by social media and certain other online platforms.
The Privacy Act Review seeks to build on the outcomes of the Online Privacy Bill to ensure that Australia's privacy law framework empowers consumers, protects their data and supports the Australian economy.
A recent decision of the Privacy Commission found that 7-Eleven Stores breached the privacy of Australians by photographing customers who completed in-store surveys, and then using facial recognition software to determine characteristics of the customers.
The store was in breach because it:
- collected individuals’ sensitive information without consent, and where that information was not reasonably necessary for the store’s functions; and
- failed to take reasonable steps to notify individuals about the fact and circumstances of collection and the purposes of collection of that information.
See story in The Guardian
Amazon's Ring Doorbell collects data that can be used for other purposes, such as being sold to law enforcement. In light of the recent 7-Eleven case, if Amazon does this, it would be problematic.
“I think about what the effect is of law enforcement having easy access to cameras from everyone’s porch,” Gilliard said. “It makes nuisance crimes” — from stolen Amazon packages to an egged car — “available for escalation in a way that they weren’t previously.”
Good articles from the NY Times regarding Internet and privacy:
In Australia, some advertising systems allow consumers to opt out of audience matching targeting. This is not well-known or promoted. To opt out, go here.
A recent report from the USA found that most of America’s popular streaming services and TV streaming gadgets such as Netflix, Roku and Disney+ failed to meet minimum requirements for privacy and security practices. The lone exception was Apple.
See Common Sense Media report
The Australian Privacy Commissioner has determined that Uber interfered with the privacy of an estimated 1.2 million Australians.
The Uber companies failed to appropriately protect the personal data of Australian customers and drivers, which was accessed in a cyber attack starting in October 2016.
Rather than disclosing the breach responsibly, Uber paid the attackers a reward through a bug bounty program for identifying a security vulnerability. Uber did not conduct a full assessment of the personal information that may have been accessed until almost a year after the data breach and did not publicly disclose the data breach until November 2017.
The Australian Privacy Commission made an award compensating individuals for non-economic loss for a privacy law breach. This was a first in Australia.
See https://www.oaic.gov.au/assets/privacy/privacy-decisions/privacy-determinations/WP-and-Secretary-to-the-Department-of-Home-Affairs-Privacy-2021-AICmr-2-11-January-2021.pdf and https://www.kwm.com/en/au/knowledge/insights/privacy-commissioner-hands-down-first-representative-award-20210203
The decision requires the Department of Home Affairs to compensate over 1,200 asylum seekers for inadvertently publishing their personal information online in 2014.
It is somewhat amazing that this case took seven years to reach this stage.
Justice Keane of the High Court of Australia gave a speech at the end of 2020 that discussed privacy.
It was titled "Too Much Information: civilisation and the problems of privacy" and argued that relying upon judicial development of the law to solve the problem of privacy "has been, at best, a hit and miss affair".
Justice Keane said it "would not be surprising were the High Court now to accept a tort of invasion of privacy" along U.S. lines.
"But such a cause of action would probably be confined to cases of intentional intrusion, physically or otherwise, upon the solitude or seclusion of an individual or his or her private affairs.
"In the case of the publicising of a matter concerning the private life of an individual, the conduct would be actionable if the matter publicised is of a kind that would be highly offensive to a reasonable person and is not of legitimate concern to the public."
He noted that in the recent High Court case involving the Australian Federal Police raid on the home of journalist Annika Smethurst the media "carefully eschewed any attempt to press forward . . . towards a broader protection of privacy". (I suspect that the media did not want to expand the right of privacy in Australia even though it may have been helpful in this case - because the media since at least 1890 has been the subject of negative criticism regarding the media's lack of respect of privacy rights.)
Text of Keane J's speech: https://cdn.hcourt.gov.au/assets/publications/speeches/current-justices/keanej/keanej27Aug2020.pdf
Virginia in the USA recently passed a new privacy law.
A US law firm note is here: https://communications.willkie.com/103/1291/uploads-(icalendars-pdf-documents)/virginia-is-the-new-privacy-leader-what-s-next-after-virginia-passes-comprehensive-privacy-law.pdf and another is here: https://www.jdsupra.com/legalnews/virginia-legislature-sends-novel-2533245/
The most recent issue of the Journal of the Australian Society for Computers and the Law is available here: http://classic.austlii.edu.au/au/journals/ANZCompuLawJl/recent.html
This journal includes articles on privacy law and cybersecurity law.
In January, the NY Times published a long article on tech predictions for 2021. There was a section on privacy laws that was U.S.-focused but interesting reading. An extract:
Lawmakers will take on comprehensive federal privacy legislation. (Hopefully.)
Greg Bensinger, member of the New York Times editorial board:
Lawmakers on both sides of the aisle have indicated that they suddenly care about Americans’ privacy rights online. I am looking forward to them putting their money where their mouth is in 2021 by rolling out comprehensive federal privacy legislation.
Is this a pipe dream? Yes. But if anything good comes from backlash against technology companies, I hope it’s that consumers have more control over the rights to their own data.
The European Data Protection Board (EDPB) has recently published guidelines with examples for data breach notification under the GDPR.
The Guidelines set out common types of data breaches, such as ransomware, lost or stolen devices, social engineering attacks and the like, and set out case studies to clarify notification and remediation obligations.
U.S. law firm Wilson Sonsini has a good summary of likely FTC priorities.
Potential key priorities:
- Requirements in privacy and data security consent orders that represent a departure from the FTC's typical approach to consumer notice and disgorgement, including requirements that companies "disgorge" the data and benefits that they amassed through their allegedly wrongful behavior, and provide notice to consumers of the FTC settlement and the conduct at issue in the settlement; and
- Increased FTC scrutiny of health apps, facial recognition technology, algorithms and AI, and other issues related to the pandemic and racial equity, particularly where those issues fall under the purview of the FCRA or ECOA.
Flight Centre organised a hackathon in 2017, and gave those participating access to real customer data. This resulted in a breach of the Privacy Act.
On U.S. Election Day, 3 November 2020, voters in the State of California overwhelmingly voted in favour of Proposition 24—a ballot measure that creates the California Privacy Rights Act (CPRA). The CPRA revises and expands the California Consumer Privacy Act (CCPA), creating new industry requirements, consumer privacy rights and enforcement mechanisms.
The CPRA's new obligations for businesses will come into effect on 1 January 2023. At that time, the CPRA will effectively replace the CCPA. In the meantime, the CPRA requires that a new California privacy agency be established and that it adopts implementing regulations.