Cyberlaw

Privacy Commissioner hands down award compensating for non-economic loss

The Australian Privacy Commission made an award compensating individuals for non-economic loss for a privacy law breach. This was a first in Australia.

See https://www.oaic.gov.au/assets/privacy/privacy-decisions/privacy-determinations/WP-and-Secretary-to-the-Department-of-Home-Affairs-Privacy-2021-AICmr-2-11-January-2021.pdf and https://www.kwm.com/en/au/knowledge/insights/privacy-commissioner-hands-down-first-representative-award-20210203

The decision requires the Department of Home Affairs to compensate over 1,200 asylum seekers for inadvertently publishing their personal information online in 2014.

It is somewhat amazing that this case took seven years to reach this stage.

Take care if you pay the ransom

In response to the proliferation of ransomware attacks over the last five years, a series of United States Executive Orders and statutes have come to include cyberterrorists amongst the list of banned individuals with whom U.S. persons cannot conduct financial transactions. This impacts payments to cybercriminals for ransomware attacks.

There is a detailed article from a U.S. law firm here, that sets out when payment of a ransom could lead to breach of U.S. law. See https://www.friedfrank.com/siteFiles/Publications/NYLJ_03.05.21_Kleinman.pdf

Privacy Rights Expanding in Australia?

Justice Keane of the High Court of Australia gave a speech at the end of 2020 that discussed privacy.

It was titled; "Too Much Information: civilisation and the problems of privacy" and argued that relying upon judicial development of the law to solve the problem of privacy "has been, at best, a hit and miss affair".

Justice Keane said it "would not be surprising were the High Court now to accept a tort of invasion of privacy" along U.S. lines.

"But such a cause of action would probably be confined to cases of intentional intrusion, physically or otherwise, upon the solitude or seclusion of an individual or his or her private affairs.

"In the case of the publicising of a matter concerning the private life of an individual, the conduct would be actionable if the matter publicised is of a kind that would be highly offensive to a reasonable person and is not of legitimate concern to the public."

He noted that in the recent High Court case involving the Australian Federal Police raid on the home of journalist Annika Smethurst the media "carefully eschewed any attempt to press forward . . . towards a broader protection of privacy". (I suspect that the media did not want to expand the right of privacy in Australia even though it may have been helpful in this case - because the media since at least 1890 has been the subject of negative criticism regarding the media's lack of respect of privacy rights.)

AFR Article: https://www.afr.com/companies/media-and-marketing/high-court-judge-takes-swipe-at-media-on-privacy-20200927-p55zo0

Text of Keene J's Speech: https://cdn.hcourt.gov.au/assets/publications/speeches/current-justices/keanej/keanej27Aug2020.pdf

Critical Infrastructure Reforms in Australia

The Australian Government is implementing "Critical Infrastructure reforms". The consultation process for the new laws is being managed by the Critical Infrastructure Centre which is part of the Department of Home Affairs.

The CIC is currently assessing implementation of the governance rules to accompany the to-be-amended Security of Critical Infrastructure Act 2018 (Cth) at a broad, industry-neutral level. The CIC is intending these rules to provide an overview of the role industry will play in self-assessment and self-reporting, with the specific rules and obligations around assessment standards to come from later consultations.

At a high-level, materials made available by CIC set out CIC’s intention for the governance rules including a breakdown of the intention behind specific provisions in the draft Bill.

Key points

The Bill is not anticipated to pass until mid-2021 – while not all industry-specific rules may be finalised at that stage, consultation should be almost complete by then.
Consultation with industry is happening on sequential basis – Electricity and Gas sectors are to start consultation in late March/early April 2021, and then other industries will each have a consultation period one after another.
The consultation timeline will be quite aggressive – the governance rules are in consultation this week for publication in late March.
The obligations will not activate immediately on enactment of the Bill, and are instead taking a ‘switch on’ approach. The CIC is vague on what the triggers for ‘switching on’ will be and it is not clear if it was an industry-wide event, whether it was incident-based or whether it would occur from a certain point.

Another U.S State brings in a privacy law

Virginia in the USA recently passed a new privacy law.

A US law firm note is here: https://communications.willkie.com/103/1291/uploads-(icalendars-pdf-documents)/virginia-is-the-new-privacy-leader-what-s-next-after-virginia-passes-comprehensive-privacy-law.pdf and another is here: https://www.jdsupra.com/legalnews/virginia-legislature-sends-novel-2533245/

An Australian Computer Law Journal

The most recent issue of the Journal of the Australian Society for Computers and the Law is available here: http://classic.austlii.edu.au/au/journals/ANZCompuLawJl/recent.html

This journal includes articles on privacy law and cybersecurity law.

U.S. Privacy Legislation - or lack of it

In January, the NY Times published a long article on Tech predictions for 2021. There was a section on privacy laws, that was U.S. focused but interesting reading. An extract:

Lawmakers will take on comprehensive federal privacy legislation. (Hopefully.)

Greg Bensinger, member of the New York Times editorial board:

Lawmakers on both sides of the aisle have indicated that they suddenly care about Americans’ privacy rights online. I am looking forward to them putting their money where their mouth is in 2021 by rolling out comprehensive federal privacy legislation.

Is this a pipe dream? Yes. But if anything good comes from backlash against technology companies, I hope it’s that consumers have more control over the rights to their own data.

Landmark White data breach court case

About two years ago, Landmark White (a property valuation firm in Australia) was subject to a number of cyber security incidents. Justice moves slowly.

Landmark White’s cyber security standards will come under the spotlight this week, as the trial kicks off of an IT contractor accused of stealing customer data from the firm and putting it on the dark web.

See https://www.afr.com/property/commercial/landmark-white-data-breach-trial-begins-20210304-p577sx

Patentable Subject Matter in Australia

The Federal Court of Australia has sided with the Patents Office and upheld a rejection of a patent application for an invention that improves the timeliness and accuracy of risk information. It was decided by the judge that the claimed invention was merely a business method or scheme for sharing and completing work place health and safety documents, and was thus unpatentable.

See Repipe Pty Ltd v Commissioner of Patents (No 3) [2021] FCA 31 https://jade.io/article/783336

Amazon's patent rejected in Australia

Amazon was refused a patent in Australia on the grounds that the invention was not patentable subject matter.

See Amazon Technologies, Inc. [2021] APO 7 https://jade.io/article/785911

The patent application was directed to the field of computer resource virtualization. Providers, such as Amazon, manage large-scale computing resources that can be accessed on demand by their many customers via virtual machines. This allows various computing resources to be efficiently and securely shared by multiple customers.