Privacy Rights Expanding in Australia?

Justice Keane of the High Court of Australia gave a speech at the end of 2020 that discussed privacy.

It was titled; "Too Much Information: civilisation and the problems of privacy" and argued that relying upon judicial development of the law to solve the problem of privacy "has been, at best, a hit and miss affair".

Justice Keane said it "would not be surprising were the High Court now to accept a tort of invasion of privacy" along U.S. lines.

"But such a cause of action would probably be confined to cases of intentional intrusion, physically or otherwise, upon the solitude or seclusion of an individual or his or her private affairs.

"In the case of the publicising of a matter concerning the private life of an individual, the conduct would be actionable if the matter publicised is of a kind that would be highly offensive to a reasonable person and is not of legitimate concern to the public."

He noted that in the recent High Court case involving the Australian Federal Police raid on the home of journalist Annika Smethurst the media "carefully eschewed any attempt to press forward . . . towards a broader protection of privacy".  (I suspect that the media did not want to expand the right of privacy in Australia even though it may have been helpful in this case - because the media since at least 1890 has been the subject of negative criticism regarding the media's lack of respect of privacy rights.)

AFR Article: https://www.afr.com/companies/media-and-marketing/high-court-judge-takes-swipe-at-media-on-privacy-20200927-p55zo0

Text of Keene J's Speech: https://cdn.hcourt.gov.au/assets/publications/speeches/current-justices/keanej/keanej27Aug2020.pdf

Critical Infrastructure Reforms in Australia

The Australian Government is implementing "Critical Infrastructure reforms".  The consultation process for the new laws is being managed by the Critical Infrastructure Centre which is part of the Department of Home Affairs.

The CIC is currently assessing implementation of the governance rules to accompany the to-be-amended Security of Critical Infrastructure Act 2018 (Cth) at a broad, industry-neutral level. The CIC is intending these rules to provide an overview of the role industry will play in self-assessment and self-reporting, with the specific rules and obligations around assessment standards to come from later consultations.

At a high-level, materials made available by CIC set out CIC’s intention for the governance rules including a breakdown of the intention behind specific provisions in the draft Bill.

 

Key points

 

• The Bill is not anticipated to pass until mid-2021 – while not all industry-specific rules may be finalised at that stage, consultation should be almost complete by then.
• Consultation with industry is happening on sequential basis – Electricity and Gas sectors are to start consultation in late March/early April 2021, and then other industries will each have a consultation period one after another.
• The consultation timeline will be quite aggressive – the governance rules are in consultation this week for publication in late March.
• The obligations will not activate immediately on enactment of the Bill, and are instead taking a ‘switch on’ approach. The CIC is vague on what the triggers for ‘switching on’ will be and it is not clear if it was an industry-wide event, whether it was incident-based or whether it would occur from a certain point.

Another U.S State brings in a privacy law

Virginia in the USA recently passed a new privacy law.  

A US law firm note is here:  https://communications.willkie.com/103/1291/uploads-(icalendars-pdf-documents)/virginia-is-the-new-privacy-leader-what-s-next-after-virginia-passes-comprehensive-privacy-law.pdf and another is here: https://www.jdsupra.com/legalnews/virginia-legislature-sends-novel-2533245/

An Australian Computer Law Journal

The most recent issue of the Journal of the Australian Society for Computers and the Law is available here:  http://classic.austlii.edu.au/au/journals/ANZCompuLawJl/recent.html

This journal includes articles on privacy law and cybersecurity law.

U.S. Privacy Legislation - or lack of it

In January, the NY Times published a long article on Tech predictions for 2021.  There was a section on privacy laws, that was U.S. focused but interesting reading.  An extract:

Lawmakers will take on comprehensive federal privacy legislation. (Hopefully.)

Greg Bensinger, member of the New York Times editorial board:

Lawmakers on both sides of the aisle have indicated that they suddenly care about Americans’ privacy rights online. I am looking forward to them putting their money where their mouth is in 2021 by rolling out comprehensive federal privacy legislation.

Is this a pipe dream? Yes. But if anything good comes from backlash against technology companies, I hope it’s that consumers have more control over the rights to their own data.

Landmark White data breach court case

About two years ago, Landmark White (a property valuation firm in Australia) was subject to a number of cyber security incidents.  Justice moves slowly.

Landmark White’s cyber security standards will come under the spotlight this week, as the trial kicks off of an IT contractor accused of stealing customer data from the firm and putting it on the dark web.

See https://www.afr.com/property/commercial/landmark-white-data-breach-trial-begins-20210304-p577sx

Patentable Subject Matter in Australia

The Federal Court of Australia has sided with the Patents Office and upheld a rejection of a patent application for an invention that improves the timeliness and accuracy of risk information.  It was decided by the judge that the claimed invention was merely a business method or scheme for sharing and completing work place health and safety documents, and was thus unpatentable.

See Repipe Pty Ltd v Commissioner of Patents (No 3) [2021] FCA 31  https://jade.io/article/783336

Amazon's patent rejected in Australia

Amazon was refused a patent in Australia on the grounds that the invention was not patentable subject matter.

See Amazon Technologies, Inc. [2021] APO 7  https://jade.io/article/785911

The patent application was directed to the field of computer resource virtualization.  Providers, such as Amazon, manage large-scale computing resources that can be accessed on demand by their many customers via virtual machines.  This allows various computing resources to be efficiently and securely shared by multiple customers. 

New European Data Breach Notification Guidelines

The European Data Protection Board (EDPB) has recently published guidelines with examples for data breach notification under the GDPR.

The Guidelines set out common types of data breaches, such as ransomware, lost or stolen devices, social engineering attacks and the like, and set out case studies to clarify notification and remediation obligations.

See https://edpb.europa.eu/sites/edpb/files/consultation/edpb_guidelines_202101_databreachnotificationexamples_v1_en.pdf

Did Facebook overpay in privacy settlement to protect Zuckerberg?

According to Reuters, Facebook Inc may have paid $4.9 billion more than the maximum penalty it faced under a settlement agreement with regulators related to allegations it mishandled user privacy, according to a recent court ruling.

The U.S. court cited a paper by Gibson Dunn attorneys when directing Facebook to turn over documents to shareholders who are trying to determine if Facebook overpaid to protect Zuckerberg.

“The documents already produced provide no insight into why Facebook would pay more than its (apparently) maximum exposure to settle a claim,” said the court.

See https://www.reuters.com/article/us-facebook-settlement-idUSKBN2AB01P

Can an AI machine be an inventor?

The Australian Patents Office has decided that an AI machine cannot be an inventor for the purposes of granting a patent.

"Section 15(1) is inconsistent with an artificial intelligence machine being treated as an inventor, since it is not possible to identify a person who can be granted a patent."

Further, the person who operated the AI machine was also not an inventor:

"I have considered the alternative option that Dr Thaler is the inventor.  It seems clear that Dr Thaler asserts that he did not devise the invention but merely acquired knowledge of the invention from the artificial intelligence machine.  In the light of JMVB Dr Thaler would not be the inventor."

See Stephen L. Thaler [2021] APO 5

FTC priorities under Biden Administration

U.S. law firm Wilson Sonsini has a good summary of likely FTC priorities.

See https://www.wsgr.com/en/insights/acting-ftc-chairwoman-slaughter-previews-potential-ftc-priorities-under-new-administration.html

Potential key priorities:

• Requirements in privacy and data security consent orders that represent a departure from the FTC's typical approach to consumer notice and disgorgement, including requirements that companies "disgorge" the data and benefits that they amassed through their allegedly wrongful behavior, and provide notice to consumers of the FTC settlement and the conduct at issue in the settlement; and
• Increased FTC scrutiny of health apps, facial recognition technology, algorithms and AI, and other issues related to the pandemic and racial equity, particularly where those issues fall under the purview of the FCRA or ECOA.

Section 230

Opinion | The Constitution Can Crack Section 230
Tech companies think the statute allows them to censor with impunity. The law is seldom so simple.

Read in The Wall Street Journal: https://apple.news/AykpuzRwHQJeQWQoc3GPxyg 

APRA's focus on cybersecurity

APRA speech by Geoff Summerhayes in late 2020 on APRA’s current focus on cybersecurity: https://www.apra.gov.au/news-and-publications/executive-board-member-geoff-summerhayes-speech-to-financial-services

Flight Centre's Privacy Act breach

Flight Centre organised a hack-a-phon in 2017, and gave those participating access to real customer data.  This resulted in a breach of the Privacy Act.

Decision here: https://www.austlii.edu.au/cgi-bin/viewdoc/au/cases/cth/AICmr/2020/57.html

New Californian Privacy Law: CPRA to effectively replace CCPA

On U.S. Election Day, 3 November 2020, voters in the State of California overwhelmingly voted in favour of Proposition 24—a ballot measure that creates the California Privacy Rights Act (CPRA). The CPRA revises and expands the California Consumer Privacy Act (CCPA), creating new industry requirements, consumer privacy rights and enforcement mechanisms. 

The CPRA's new obligations for businesses will come into effect on 1 January 2023.  At that time, the CPRA will effectively replace the CCPA.  In the meantime, the CPRA requires that a new California privacy agency be established and that it adopts implementing regulations.

Telstra ordered to help identify critic of doctor

Posting anonymous reviews to defame someone is risky.

Telstra has been ordered to provide documents to a doctor so that the doctor can assist identify someone who supposedly defamed him.

See this recent Federal Court decision:  Colagrande v Telstra Corporation Limited [2020] FCA 1595

Telstra did not appear at this court hearing.

This is similar to this case against Google:  http://www.cyberspac.com/2020/03/google-sued-again-for-identity-of-users.html and also these cases:

Kukulka v Google LLC [2020] FCA 1229

Kabbabe v Google LLC [2020] FCA 126 

Titan Enterprises (Qld) Pty Ltd v Cross [2016] FCA 1241 (patent attorney ordered to hand over file)

Titan Enterprises (Qld) Pty Ltd v Cross [2016] FCA 890 (written by Justice Edelman, now on the High Court)

Defamation for Facebook posts

A wedding planner has won a 'landmark' court case against consumers who made defamatory comments about her business on social media.

Tristan Moy, 33, from Brisbane, moved to Indonesia in 2014 to run a business arranging weddings in Bali for Australian tourists. 

But she suffered 'hurt and humiliation' when two Australian women began posting salacious comments about her and her business on Facebook in 2017.

They included accusations Ms Moy was unprofessional, bullied her clients and would try ruin her client's weddings.

https://www.dailymail.co.uk/news/article-8948725/Two-trolls-ordered-pay-150k-defamatory-comments-Facebook.html

See also this old Fordham article

Australia follows US in respect of patent exhaustion

 See this article regarding the recent Seiko case in the High Court of Australia

https://www.kwm.com/en/au/knowledge/insights/patent-rights-on-sale-high-court-reverses-20201113

New Domain Name Rules for Australia

A new set of rules for .au domain names will come into effect on 12 April 2021.

auDA, the domain name regulator, states:  "This new licensing framework helps maintain trust in the .au ccTLD, offers clearer guidance for registrants and registrars, and enhances auDA’s role as the guardian of a key piece of Australia’s digital infrastructure."

The new rules consolidate the more than 30 policies and guidance notes that currently govern the .au domain and consist of two key documents:

.au Domain Administration Rules: Licensing - The terms and conditions for .au domain name licences including the complaints and dispute resolution processes.

.au Domain Administration Rules: Registrar - Rules for companies providing .au domain name registration services that have been accredited by auDA.

The new licensing rules are based closely on the current rules but contain some changes that may impact a small number of registrants. You can read about these changes on our new website.  These new rules were not reviewed by the Policy Review Panel.

Launch dates are yet to be set for id.au namespace, .au namespace and Internationalised Domain Names.

APRA's cybersecurity strategy

APRA is stepping up its focus on CPS234 in 2021.  This is not a surprise.  The Australian government has a strong focus on cybersecurity (and Defence, and foreign influence).

https://www.apra.gov.au/news-and-publications/executive-board-member-geoff-summerhayes-speech-to-financial-services

AI and human rights

https://humanrights.gov.au/our-work/rights-and-freedoms/publications/using-artificial-intelligence-make-decisions-addressing

The Australian Human Rights Commission released a paper today on AI, bias and fairness.  It is worth reading.

Fraudulent Invoice Scams

A Sydney hedge fund has collapsed after a cyber attack saw its trustee and administrator mistakenly approve $8.7 million in fraudulent invoices.  Scammed by a fake Zoom invite.

The scam, the latest in a series of strikes by offshore criminal gangs against Australian fund managers, has also ensnared ANZ after the bank failed to stop almost $800,000 being withdrawn from an account linked to the cyber criminals.

 

https://www.afr.com/companies/financial-services/fake-zoom-invite-cripples-aussie-hedge-fund-with-8m-hit-20201122-p56f9c

Comparison Website that made money from Affiliate referrals was Misleading

Trivago, a price comparison, recent lost an appeal in Australia regarding how it ordered the listings on its affiliate program website.  Trivago's conduct was held to be misleading, and therefore illegal, in Australia.

See ACCC media release:  https://www.accc.gov.au/media-release/trivago-loses-appeal-after-misleading-consumers-over-hotel-ads

Judgment is here:  Trivago N.V. v Australian Competition and Consumer Commission [2020] FCAFC 185

Sharing User IDs

Can you give your User ID to someone else to use your account?  And what if that someone then uses your account for a purpose not allowed by the user agreement?  Are you responsible?  This is the subject of a possible lawsuit against CoreLogic in Australia.

See BCI Media Group Pty Ltd v Corelogic Australia Pty Ltd [2020] FCA 1556 https://www.judgments.fedcourt.gov.au/judgments/Judgments/fca/single/2020/2020fca1556

AI Action Plan for Australia

In addition to the privacy review, the government is conducting an AI review.

"The Australian Government recognises that accelerating the development, adoption and adaption of artificial intelligence (AI) will have profound social and economic outcomes for all Australians. We have an opportunity and a responsibility to strive for a better future. A future where Australians develop and use AI to solve national problems, build competitive businesses and increase our collective wellbeing.
 
To achieve this vision, the Australian Government will need a plan. To inform this plan, the Department of Industry, Science, Energy and Resources has released a discussion paper that seeks public input to an AI Action Plan for Australia."
 
You can read the discussion paper and have your say at: https://consult.industry.gov.au/digital-economy/ai-action-plan
 
Submissions close on Friday, 27^th November 2020, two days before submissions close for the privacy law consultation.

Freedom from Lawsuits or Freedom of Speech?

 Section 230 of the Communications Decency Act is supposedly being reviewed.  From the NY Times:

Chief executives from Google, Facebook and Twitter appeared before a Senate hearing on a law that protects internet companies from liability for much of what their users post, and on how they moderate content.

Democrats focused on misinformation and extremism. They also accused Republicans of holding the hearing to benefit President Trump.

Republicans accused the executives of selective censorship, questioning Twitter’s Jack Dorsey, above, on how the company handled specific tweets. “Mr. Dorsey, who the hell elected you and put you in charge of what the media are allowed to report and what the American people are allowed to hear?” Senator Ted Cruz said.

Australian Privacy Act - government review

The Australian Government is undertaking a complete review of The Australian Privacy Act.

Unfortunately, after a year of work, the government is only giving 4 weeks to make submissions in respect of a very detailed issues paper.

One topic for consideration is whether to legislate and create a privacy tort in Australia.

Further information available here.

Is your mobile safe from the police?

How Police Can Crack Locked Phones—and Extract Information

A report finds 50,000 cases where law enforcement agencies turned to outside firms to bypass the encryption on a mobile device.

Read in WIRED: https://apple.news/Av8HKmpc-SIyx8vccKTIF2w

Fund Public Art!

Although off topic, I consider it worthwhile to fund public art.  This is a great project:

https://australianculturalfund.org.au/projects/chrysalis-01