Adsense HTML

Privacy and Opt-Out

Many people are aware of the use of cookies for tracking purposes.  But that is old technology.  Many advertisers use more sophisticated techniques for targeting advertisements, such as tracking pixels or audience matching or audience matched advertising.

In Australia, some advertising systems allow consumers to opt-out of audience matching targeting.  This is not well-known or promoted.  To opt-out, go here.

Responsibility for User Comments Posted on Facebook

The High Court of Australia decided today that a newspaper with a Facebook page is responsible for defamatory comments posted by Facebook users on the newspaper's Facebook page.

"The appellants' attempt to portray themselves as passive and unwitting victims of Facebook's functionality has an air of unreality. Having taken action to secure the commercial benefit of the Facebook functionality, the appellants bear the legal consequences."

None of this is surprising.  There are many prior cases in different areas that reach the same result.  There was an Advertising Standards Board decision against VB that came to a similar conclusion in a different area of law, and also the ACCC v. Allergy Pathways case from about 10 years ago.

The next question is whether Facebook could be liable for defamation for user content.

Fairfax Media Publications v Voller [2021] HCA 27 

And see Social Media Best Practice Guide from the ACA and the Diageo case from ASB.

What is interesting about the High Court decision is that it focuses on cases and texts from over 100 years ago, and looks at very few cases concerning the Internet or social media.


Privacy and Streaming Services

A recent report from the USA found that most of America’s popular streaming services and TV streaming gadgets such as Netflix, Roku and Disney+ failed to meet minimum requirements for privacy and security practices. The lone exception was Apple.

See Common Sense Media report

US Court says AI machine cannot be inventor

Reaching a different conclusion to an Australian Federal Court decision, a US District Court looking at the same facts decided that an AI machine cannot be an inventor on a patent.

See Bloomberg story: “The unequivocal statements from the Federal Circuit that ‘inventors much be natural persons’ and ‘only natural persons can be inventors’ supports the plain meaning of ‘individual’ in the Patent Act,” the judge ruled.

Real Estate Photographs Online

A recent Federal Court appeal considered the scope of the right to use photographs taken when marketing a house for sale.  This decision is relevant to anyone who wishes to commercialise data that they obtain for one purpose for a different purpose.

The real estate agent engages a photographer to photograph a house that is for sale, with the intent to upload the photographs onto a real estate sales portal such a RealEstate.com.au or Domain.com.au to advertise the property for sale.  The REA portal has terms that bind the real estate agent.  These terms include the right to sublicense the photographs and the listing information to CoreLogic RP Data for their property information database. 

The court found, in a 2-1 split judgment, that merely because the photographer allowed the photos to be uploaded to REA did not mean that the photographer agreed to REA's terms or agreed to allow the photographs to be sublicensed to CoreLogic RP Data.

In effect, the real estate agent is in breach of the REA contract by uploading the photos in these circumstances.  The license from the photographer to the real estate agent to allow the upload to REA is, in effect, useless unless the agent also obtains terms from the photographer that match the REA license.

CoreLogic RP Data is now in breach of the photographer's copyright.

A strange result. 

Hardingham v RP Data Pty Limited [2021] FCAFC 148

Direct Registration of Domain Names in Australia

Finally, what is called direct registration of domain names is coming to Australia.

See https://www.auda.org.au/statement/australias-internet-domain-growing-get-ready-getyourau

This will allow registrations such as swinson.au and telstra.au, without the .com part of the domain name.

This arose out of the work of the 2017 Policy Review Panel, of which I chaired.  See Paper and website.

Tweets not Journalism

The Federal Court of Australia has decided that a person who published allegedly defamatory tweets on Twitter does not receive the benefit of the journalists' privilege under the Evidence Act.

See Kumova v Davison [2021] FCA 753

This does not mean that a person who tweets can never be considered to be a journalist.  In this case, looking at the Twitter feed as a whole, the defendant was not considered to be a journalist.

See this helpful note from Clayton Utz.  Also Bennett & Co.  Story in the AFR and The Age.

 

Automonous Vechicles

 “The real problem is going to be, at what point is it still ethical to let the human drive,” Lunn said. “But before that, AI has to continue to learn from human drivers. Autonomy will have to make sure that we never have a trolley problem.”

Washington Post, 6 August 2021

Liability for anonymous online reviews

The Federal Court handed down a judgment yesterday regarding defamation for anonymous online reviews of a dentist.

Nettle v Cruse [2021] FCA 935

https://www.judgments.fedcourt.gov.au/judgments/Judgments/fca/single/2021/2021fca0935

"The publications in question here were excessive, scandalous and totally unjustified and unjustifiable. I have no hesitation in finding that they were malicious and calculated to cause maximum damage to Dr Nettle. The fact that Ms Cruse chose to publish such baseless and scandalous material about Dr Nettle either anonymously or in false names supports the inference that she well knew that it was false and misleading. That is perhaps confirmed by the fact that, when Dr Nettle eventually commenced this proceeding, Ms Cruse chose to disappear rather than front-up and defend her indefensible actions. Ms Cruse’s conduct towards Dr Nettle was, in all the circumstances, contumelious and disgraceful."

Ransomware and class action lawsuits

A good article on class action lawsuits in the United States that come after a ransomware attack:

Washington Post article

 "“Companies with good security sometimes have lapses,” Solove said. There isn’t a unified legal standard laying out what sort of security a company needs to have to protect it from liability if it loses its customers’ information or suffers a ransomware attack.

“It really isn’t clear what the standard of care is,” he said. “It’s tricky. All you have to do is fail on one thing.”

That means the potential for lawsuits will keep growing as ransomware attacks do. And if lawyers can reasonably show that a company made some kind of mistake in protecting its system, victims will have an avenue to sue."

 I wrote a short article on the topic of cybersecurity lawsuits at the beginning of this year.  See

AI machine can be an inventor, says Australian judge

A single judge of the Federal Court of Australia, Justice Beech, has overruled the Commissioner of Patents and decided that a computer program (an artificial intelligence system) can be an "inventor" for the purposes of the Australian Patents Act in respect of a PCT patent application.

In summary, the judge found:

  • An AI system is not a legal person.
  • An AI system cannot own a patent.
  • An AI system cannot assign a patent.
  • But an AI system can be an inventor of an invention that is the subject of a patent application.
  • Ownership of the invention goes to a legal person -- in this case, the person who owned the copyright in the AI system and operated the AI system.

Justice Beech said:

"167    Dr Thaler is the owner, programmer and operator of DABUS, the artificial intelligence system that made the invention; in that sense the invention was made for him. On established principles of property law, he is the owner of the invention. In that respect, the ownership of the work of the artificial intelligence system is analogous to ownership of the progeny of animals or the treatment of fruit or crops produced by the labour and expense of the occupier of the land (fructus industrialis), which are treated as chattels with separate existence to the land. ...

189    In my view, Dr Thaler, as the owner and controller of DABUS, would own any inventions made by DABUS, when they came into his possession. In this case, Dr Thaler apparently obtained possession of the invention through and from DABUS. And as a consequence of his possession of the invention, combined with his ownership and control of DABUS, he prima facie obtained title to the invention. By deriving possession of the invention from DABUS, Dr Thaler prima facie derived title. In this respect, title can be derived from the inventor notwithstanding that it vests ab initio other than in the inventor. That is, there is no need for the inventor ever to have owned the invention, and there is no need for title to be derived by an assignment. ...
 

194    Now more generally there are various possibilities for patent ownership of the output of an artificial intelligence system. First, one might have the software programmer or developer of the artificial intelligence system, who no doubt may directly or via an employer own copyright in the program in any event. Second, one might have the person who selected and provided the input data or training data for and trained the artificial intelligence system. Indeed, the person who provided the input data may be different from the trainer. Third, one might have the owner of the artificial intelligence system who invested, and potentially may have lost, their capital to produce the output. Fourth, one might have the operator of the artificial intelligence system. But in the present case it would seem that Dr Thaler is the owner."

 In short, title to the invention derives from an inventor who does not own the invention.

This case is not particularly helpful in determining who is the owner of the invention if there is more than one person involved -- for example, if Microsoft owns the copyright in the AI program running in the cloud, 20 people collect the training and input data over many years, I design the problem, and you and a team of people operate the AI system.

Does this case also mean that a corporation or a monkey could be an inventor?

The Patents Act requires that the inventor's name and address be provided to the Patents Office.  Does an AI system have a legal name or an address?  The case did not consider this.  Dr Thaler named his AI system as DABUS, so I guess that is the name of the inventor.  It is not really a name in the legal sense.

The judge spent little time considering the basis of the patent system - to incentivize people to make inventions.  A computer does not need an incentive.  The judgment briefly mentions this, and appears to suggest that creating an incentive to create an AI machine that invents is sufficient.  On that basis, patent patent system should reward parents for having sex to create a child and teaching the child to invent.

The judgment is artificial and shows little real intelligence.

And see about this South African patent: https://www.cyberspac.com/2021/08/ai-machine-can-be-inventor-says.html  Did it go through a full examination?

How reliable is AI in criminal evidence

A good article about how an AI system produces evidence used by police.  But humans changed the output of the AI algorithm, calling the evidence into question.

Vice Article about gunshot detection

Uber Interfered With Privacy of Australians

The Australian Privacy Commissioner has determined that Uber interfered with the privacy of an estimated 1.2 million Australians.

The Uber companies failed to appropriately protect the personal data of Australian customers and drivers, which was accessed in a cyber attack starting in October 2016.

Rather than disclosing the breach responsibly, Uber paid the attackers a reward through a bug bounty program for identifying a security vulnerability. Uber did not conduct a full assessment of the personal information that may have been accessed until almost a year after the data breach and did not publicly disclose the data breach until November 2017. 

See Press Release from OAIC

See Decision

 

The Impact of Amazon

Amazon has a special website that sets out its impact.  The focus is on the impact of Amazon in the U.S.  It is hard to find out what positive impact Amazon is having in Australia. 

See https://www.aboutamazon.com/impact

If you contract with AWS on their standard terms, unless you are located in one of a few listed countries, you are agreeing to U.S. law for the contract, and having to go to the U.S. for any disputes.

"Governing Laws" and “Governing Courts” mean, for each AWS Contracting Party, the laws and courts set forth in the following table:  see https://aws.amazon.com/agreement/. I guess that provides jobs for U.S. lawyers!


Giving the Government Power to Disrupt

The Surveillance Legislation Amendment (Identify and Disrupt) Bill 2020 has been subject to criticism   It allows the government to hack into computers of people they think are bad people.  Could innocent bystanders be impacted, just like when Microsoft did protective hacking about 8 years ago?  See  https://www.csoonline.com/article/2449572/microsoft-hammers-no-ip-collateral-damage-includes-hacking-teams-legal-malware.html

Details of the Bill are here:

https://www.homeaffairs.gov.au/about-us/our-portfolios/national-security/lawful-access-telecommunications/surveillance-legislation-amendment-identify-and-disrupt-bill-2020

The Law Council has released a 150 page criticism of the Bill.


Section 230

Has Section 230 of the Communications Decency Act gone too far?  Some think it does:

Judge Robert Katzmann in a recent case wrote a 35-page dissent to part of the ruling, arguing that Facebook’s algorithmic recommendations shouldn’t be covered by the legal protections of Section 230.

Late last year, the U.S. Supreme Court rejected a call to hear a different case that would have tested the Section 230 shield. In a statement attached to the court’s decision, Justice Clarence Thomas called for the court to consider whether Section 230’s protections had been expanded too far, citing Judge Katzmann’s opinion.

Justice Thomas said the court didn’t need to decide in the moment whether to rein in the legal protections. “But in an appropriate case, it behooves us to do so,” he said.

See NY Times article.

Many U.S. Internet businesses think that Section 230 has international application.  It does not.  It may provide protection in respect of U.S. lawsuits, but not lawsuits in other countries.

Blocking Bad Websites at the ISP

It is hard to have a bad website taken down.  In Australia, if the bad website is involved in copyright infringement, it is possible to have all Australian ISPs block the bad website, in effect making it disappear from the Internet as far as Australians are concerned.

That happened in recent Federal Court case, brought against Telstra and every other ISP in Australia, by a company that appears to operate a website for escort services.  Someone hacked their website and made copies of it.  The Federal Court blocked the copycat websites, using Section 115A of the Copyright Act.

See Gardner Industries Pty Ltd as trustee for the S M Gardner Family Trust v Telstra Corporation Limited [2021] FCA 294 (25 March 2021) (Greenwood J)

Who should police Internet content?

Who really runs the Internet? A lot of companies you rarely hear about.  A good article about the Internet and hate speech in the Washington Post.

https://www.washingtonpost.com/technology/2021/03/24/online-moderation-tech-stack/

Suing Google for online review

A lawyer who is trying to track down the person who posted a bad review of her lost an application against Google, seemingly on the basis that she did not follow court proper procedures.

"However, if such a proceeding is to be brought it must be brought on proper material, on notice to Google, and it must be conducted efficiently and expeditiously. That is not how this proceeding has been conducted. One thing that must be avoided is the provision of a flurry of materials making inchoate arguments shortly before a hearing."

Garde-Wilson v Google LLC [2021] FCA 243

From The Age:  Gangland lawyer Zarah Garde-Wilson says she will take a court fight directly to Google after the Federal Court dismissed her bid to force the search engine giant to reveal who was behind negative online reviews.

Ms Garde-Wilson, who rose to prominence representing the who’s who of Melbourne’s gangland war, suspects a rival lawyer is behind a negative Google review left under the name “Mohamed Ahmed”.

https://www.theage.com.au/national/victoria/zarah-garde-wilson-loses-bid-to-find-who-was-behind-bad-google-reviews-20210318-p57byd.html


Privacy Commissioner hands down award compensating for non-economic loss

The Australian Privacy Commission made an award compensating individuals for non-economic loss for a privacy law breach.  This was a first in Australia.

See https://www.oaic.gov.au/assets/privacy/privacy-decisions/privacy-determinations/WP-and-Secretary-to-the-Department-of-Home-Affairs-Privacy-2021-AICmr-2-11-January-2021.pdf and  https://www.kwm.com/en/au/knowledge/insights/privacy-commissioner-hands-down-first-representative-award-20210203

The decision requires the Department of Home Affairs to compensate over 1,200 asylum seekers for inadvertently publishing their personal information online in 2014.  

It is somewhat amazing that this case took seven years to reach this stage.

Take care if you pay the ransom

In response to the proliferation of ransomware attacks over the last five years, a series of United States Executive Orders and statutes have come to include cyberterrorists amongst the list of banned individuals with whom U.S. persons cannot conduct financial transactions.  This impacts payments to cybercriminals for ransomware attacks.

There is a detailed article from a U.S. law firm here, that sets out when payment of a ransom could lead to breach of U.S. law.  See https://www.friedfrank.com/siteFiles/Publications/NYLJ_03.05.21_Kleinman.pdf


Privacy Rights Expanding in Australia?

Justice Keane of the High Court of Australia gave a speech at the end of 2020 that discussed privacy.

It was titled; "Too Much Information: civilisation and the problems of privacy" and argued that relying upon judicial development of the law to solve the problem of privacy "has been, at best, a hit and miss affair".

Justice Keane said it "would not be surprising were the High Court now to accept a tort of invasion of privacy" along U.S. lines.

"But such a cause of action would probably be confined to cases of intentional intrusion, physically or otherwise, upon the solitude or seclusion of an individual or his or her private affairs.

"In the case of the publicising of a matter concerning the private life of an individual, the conduct would be actionable if the matter publicised is of a kind that would be highly offensive to a reasonable person and is not of legitimate concern to the public."

He noted that in the recent High Court case involving the Australian Federal Police raid on the home of journalist Annika Smethurst the media "carefully eschewed any attempt to press forward . . . towards a broader protection of privacy".  (I suspect that the media did not want to expand the right of privacy in Australia even though it may have been helpful in this case - because the media since at least 1890 has been the subject of negative criticism regarding the media's lack of respect of privacy rights.)

AFR Article: https://www.afr.com/companies/media-and-marketing/high-court-judge-takes-swipe-at-media-on-privacy-20200927-p55zo0

Text of Keene J's Speech: https://cdn.hcourt.gov.au/assets/publications/speeches/current-justices/keanej/keanej27Aug2020.pdf

Critical Infrastructure Reforms in Australia

The Australian Government is implementing "Critical Infrastructure reforms".  The consultation process for the new laws is being managed by the Critical Infrastructure Centre which is part of the Department of Home Affairs.

The CIC is currently assessing implementation of the governance rules to accompany the to-be-amended Security of Critical Infrastructure Act 2018 (Cth) at a broad, industry-neutral level. The CIC is intending these rules to provide an overview of the role industry will play in self-assessment and self-reporting, with the specific rules and obligations around assessment standards to come from later consultations.


At a high-level, materials made available by CIC set out CIC’s intention for the governance rules including a breakdown of the intention behind specific provisions in the draft Bill.

 

Key points

 

  • The Bill is not anticipated to pass until mid-2021 – while not all industry-specific rules may be finalised at that stage, consultation should be almost complete by then.
  • Consultation with industry is happening on sequential basis – Electricity and Gas sectors are to start consultation in late March/early April 2021, and then other industries will each have a consultation period one after another.
  • The consultation timeline will be quite aggressive – the governance rules are in consultation this week for publication in late March.
  • The obligations will not activate immediately on enactment of the Bill, and are instead taking a ‘switch on’ approach. The CIC is vague on what the triggers for ‘switching on’ will be and it is not clear if it was an industry-wide event, whether it was incident-based or whether it would occur from a certain point.

An Australian Computer Law Journal

The most recent issue of the Journal of the Australian Society for Computers and the Law is available here:  http://classic.austlii.edu.au/au/journals/ANZCompuLawJl/recent.html

This journal includes articles on privacy law and cybersecurity law.

U.S. Privacy Legislation - or lack of it

In January, the NY Times published a long article on Tech predictions for 2021.  There was a section on privacy laws, that was U.S. focused but interesting reading.  An extract:

Lawmakers will take on comprehensive federal privacy legislation. (Hopefully.)

Greg Bensinger, member of the New York Times editorial board:

Lawmakers on both sides of the aisle have indicated that they suddenly care about Americans’ privacy rights online. I am looking forward to them putting their money where their mouth is in 2021 by rolling out comprehensive federal privacy legislation.

Is this a pipe dream? Yes. But if anything good comes from backlash against technology companies, I hope it’s that consumers have more control over the rights to their own data.

Landmark White data breach court case

About two years ago, Landmark White (a property valuation firm in Australia) was subject to a number of cyber security incidents.  Justice moves slowly.

Landmark White’s cyber security standards will come under the spotlight this week, as the trial kicks off of an IT contractor accused of stealing customer data from the firm and putting it on the dark web.

See https://www.afr.com/property/commercial/landmark-white-data-breach-trial-begins-20210304-p577sx

Patentable Subject Matter in Australia

The Federal Court of Australia has sided with the Patents Office and upheld a rejection of a patent application for an invention that improves the timeliness and accuracy of risk information.  It was decided by the judge that the claimed invention was merely a business method or scheme for sharing and completing work place health and safety documents, and was thus unpatentable.

See Repipe Pty Ltd v Commissioner of Patents (No 3) [2021] FCA 31  https://jade.io/article/783336

Amazon's patent rejected in Australia

Amazon was refused a patent in Australia on the grounds that the invention was not patentable subject matter.

See Amazon Technologies, Inc. [2021] APO 7  https://jade.io/article/785911

The patent application was directed to the field of computer resource virtualization.  Providers, such as Amazon, manage large-scale computing resources that can be accessed on demand by their many customers via virtual machines.  This allows various computing resources to be efficiently and securely shared by multiple customers. 


New European Data Breach Notification Guidelines

The European Data Protection Board (EDPB) has recently published guidelines with examples for data breach notification under the GDPR.

The Guidelines set out common types of data breaches, such as ransomware, lost or stolen devices, social engineering attacks and the like, and set out case studies to clarify notification and remediation obligations.

See https://edpb.europa.eu/sites/edpb/files/consultation/edpb_guidelines_202101_databreachnotificationexamples_v1_en.pdf


Did Facebook overpay in privacy settlement to protect Zuckerberg?

According to Reuters, Facebook Inc may have paid $4.9 billion more than the maximum penalty it faced under a settlement agreement with regulators related to allegations it mishandled user privacy, according to a recent court ruling.

The U.S. court cited a paper by Gibson Dunn attorneys when directing Facebook to turn over documents to shareholders who are trying to determine if Facebook overpaid to protect Zuckerberg.

“The documents already produced provide no insight into why Facebook would pay more than its (apparently) maximum exposure to settle a claim,” said the court.


Can an AI machine be an inventor?

The Australian Patents Office has decided that an AI machine cannot be an inventor for the purposes of granting a patent.

"Section 15(1) is inconsistent with an artificial intelligence machine being treated as an inventor, since it is not possible to identify a person who can be granted a patent."

Further, the person who operated the AI machine was also not an inventor:

"I have considered the alternative option that Dr Thaler is the inventor.  It seems clear that Dr Thaler asserts that he did not devise the invention but merely acquired knowledge of the invention from the artificial intelligence machine.  In the light of JMVB Dr Thaler would not be the inventor."

See Stephen L. Thaler [2021] APO 5

FTC priorities under Biden Administration

U.S. law firm Wilson Sonsini has a good summary of likely FTC priorities.

See https://www.wsgr.com/en/insights/acting-ftc-chairwoman-slaughter-previews-potential-ftc-priorities-under-new-administration.html

Potential key priorities:

  • Requirements in privacy and data security consent orders that represent a departure from the FTC's typical approach to consumer notice and disgorgement, including requirements that companies "disgorge" the data and benefits that they amassed through their allegedly wrongful behavior, and provide notice to consumers of the FTC settlement and the conduct at issue in the settlement; and
  • Increased FTC scrutiny of health apps, facial recognition technology, algorithms and AI, and other issues related to the pandemic and racial equity, particularly where those issues fall under the purview of the FCRA or ECOA.

Section 230

Opinion | The Constitution Can Crack Section 230
Tech companies think the statute allows them to censor with impunity. The law is seldom so simple.

Read in The Wall Street Journal: https://apple.news/AykpuzRwHQJeQWQoc3GPxyg 

Flight Centre's Privacy Act breach

Flight Centre organised a hack-a-phon in 2017, and gave those participating access to real customer data.  This resulted in a breach of the Privacy Act.

Decision here: https://www.austlii.edu.au/cgi-bin/viewdoc/au/cases/cth/AICmr/2020/57.html


New Californian Privacy Law: CPRA to effectively replace CCPA

On U.S. Election Day, 3 November 2020, voters in the State of California overwhelmingly voted in favour of Proposition 24—a ballot measure that creates the California Privacy Rights Act (CPRA). The CPRA revises and expands the California Consumer Privacy Act (CCPA), creating new industry requirements, consumer privacy rights and enforcement mechanisms. 

The CPRA's new obligations for businesses will come into effect on 1 January 2023.  At that time, the CPRA will effectively replace the CCPA.  In the meantime, the CPRA requires that a new California privacy agency be established and that it adopts implementing regulations.

Telstra ordered to help identify critic of doctor

Posting anonymous reviews to defame someone is risky.

Telstra has been ordered to provide documents to a doctor so that the doctor can assist identify someone who supposedly defamed him.

See this recent Federal Court decision:  Colagrande v Telstra Corporation Limited [2020] FCA 1595

Telstra did not appear at this court hearing.

This is similar to this case against Google:  http://www.cyberspac.com/2020/03/google-sued-again-for-identity-of-users.html and also these cases:

Kukulka v Google LLC [2020] FCA 1229

Kabbabe v Google LLC [2020] FCA 126 

Titan Enterprises (Qld) Pty Ltd v Cross [2016] FCA 1241 (patent attorney ordered to hand over file)

Titan Enterprises (Qld) Pty Ltd v Cross [2016] FCA 890 (written by Justice Edelman, now on the High Court)


Defamation for Facebook posts

A wedding planner has won a 'landmark' court case against consumers who made defamatory comments about her business on social media.

Tristan Moy, 33, from Brisbane, moved to Indonesia in 2014 to run a business arranging weddings in Bali for Australian tourists. 

But she suffered 'hurt and humiliation' when two Australian women began posting salacious comments about her and her business on Facebook in 2017.

They included accusations Ms Moy was unprofessional, bullied her clients and would try ruin her client's weddings.

https://www.dailymail.co.uk/news/article-8948725/Two-trolls-ordered-pay-150k-defamatory-comments-Facebook.html

See also this old Fordham article

New Domain Name Rules for Australia

A new set of rules for .au domain names will come into effect on 12 April 2021.

auDA, the domain name regulator, states:  "This new licensing framework helps maintain trust in the .au ccTLD, offers clearer guidance for registrants and registrars, and enhances auDA’s role as the guardian of a key piece of Australia’s digital infrastructure."

The new rules consolidate the more than 30 policies and guidance notes that currently govern the .au domain and consist of two key documents:

.au Domain Administration Rules: Licensing - The terms and conditions for .au domain name licences including the complaints and dispute resolution processes.

.au Domain Administration Rules: Registrar - Rules for companies providing .au domain name registration services that have been accredited by auDA.

The new licensing rules are based closely on the current rules but contain some changes that may impact a small number of registrants. You can read about these changes on our new website.  These new rules were not reviewed by the Policy Review Panel.

Launch dates are yet to be set for id.au namespace, .au namespace and Internationalised Domain Names.

APRA's cybersecurity strategy

APRA is stepping up its focus on CPS234 in 2021.  This is not a surprise.  The Australian government has a strong focus on cybersecurity (and Defence, and foreign influence).

https://www.apra.gov.au/news-and-publications/executive-board-member-geoff-summerhayes-speech-to-financial-services

Fraudulent Invoice Scams

A Sydney hedge fund has collapsed after a cyber attack saw its trustee and administrator mistakenly approve $8.7 million in fraudulent invoices.  Scammed by a fake Zoom invite.

The scam, the latest in a series of strikes by offshore criminal gangs against Australian fund managers, has also ensnared ANZ after the bank failed to stop almost $800,000 being withdrawn from an account linked to the cyber criminals.

 

https://www.afr.com/companies/financial-services/fake-zoom-invite-cripples-aussie-hedge-fund-with-8m-hit-20201122-p56f9c

Comparison Website that made money from Affiliate referrals was Misleading

Trivago, a price comparison, recent lost an appeal in Australia regarding how it ordered the listings on its affiliate program website.  Trivago's conduct was held to be misleading, and therefore illegal, in Australia.

See ACCC media release:  https://www.accc.gov.au/media-release/trivago-loses-appeal-after-misleading-consumers-over-hotel-ads

Judgment is here:  Trivago N.V. v Australian Competition and Consumer Commission [2020] FCAFC 185

Sharing User IDs

Can you give your User ID to someone else to use your account?  And what if that someone then uses your account for a purpose not allowed by the user agreement?  Are you responsible?  This is the subject of a possible lawsuit against CoreLogic in Australia.

See BCI Media Group Pty Ltd v Corelogic Australia Pty Ltd [2020] FCA 1556 https://www.judgments.fedcourt.gov.au/judgments/Judgments/fca/single/2020/2020fca1556


AI Action Plan for Australia

In addition to the privacy review, the government is conducting an AI review.

"The Australian Government recognises that accelerating the development, adoption and adaption of artificial intelligence (AI) will have profound social and economic outcomes for all Australians. We have an opportunity and a responsibility to strive for a better future. A future where Australians develop and use AI to solve national problems, build competitive businesses and increase our collective wellbeing.
 
To achieve this vision, the Australian Government will need a plan. To inform this plan, the Department of Industry, Science, Energy and Resources has released a discussion paper that seeks public input to an AI Action Plan for Australia."
 
You can read the discussion paper and have your say at: 
https://consult.industry.gov.au/digital-economy/ai-action-plan
 
Submissions close on Friday, 27th November 2020, two days before submissions close for the privacy law consultation.

Freedom from Lawsuits or Freedom of Speech?

 Section 230 of the Communications Decency Act is supposedly being reviewed.  From the NY Times:

Chief executives from Google, Facebook and Twitter appeared before a Senate hearing on a law that protects internet companies from liability for much of what their users post, and on how they moderate content.

Democrats focused on misinformation and extremism. They also accused Republicans of holding the hearing to benefit President Trump.

Republicans accused the executives of selective censorship, questioning Twitter’s Jack Dorsey, above, on how the company handled specific tweets. “Mr. Dorsey, who the hell elected you and put you in charge of what the media are allowed to report and what the American people are allowed to hear?” Senator Ted Cruz said.

Australian Privacy Act - government review

The Australian Government is undertaking a complete review of The Australian Privacy Act.

Unfortunately, after a year of work, the government is only giving 4 weeks to make submissions in respect of a very detailed issues paper.

One topic for consideration is whether to legislate and create a privacy tort in Australia.

Further information available here.

Is your mobile safe from the police?

How Police Can Crack Locked Phones—and Extract Information

A report finds 50,000 cases where law enforcement agencies turned to outside firms to bypass the encryption on a mobile device.

Read in WIRED: https://apple.news/Av8HKmpc-SIyx8vccKTIF2w

Using Covid registration data for marketing is alleged privacy breach

It was only a matter of time.  The restaurant chain Wagamama has been reported to the UK Information Commissioner’s Office (ICO) for allegedly using contact details provided for Covid track and trace to send surveys to customers.

See The Times

Arrested for giving a bad review

An American who complained on TripAdvisor that a resort hotel in Thailand wanted to charge him a $15 corkage fee for bringing his own bottle of gin to the restaurant was arrested this month and spent a weekend in jail. If convicted of criminal defamation, he faces up to two years in prison. So don't write anything bad about the Sea View Koh Chang resort, which had the charges brought.

After a backlash, the resort had some regrets. “We agree that using a defamation law may be viewed as excessive for this situation,” the hotel acknowledged.

Newspaper head to High Court regarding liability for users' Facebook comments

The newspapers are appealing the decision of the NSW Court of Appeal that decided that media companies can be held responsible for defamatory comments under stories they post on Facebook.

Guardian Article, and discussion of appeal here.   The newspapers are appealing to the High Court.

The Court of Appeal decision is not surprising.  Compare prior cases:

http://www.cyberspac.com/2012/07/smirnoff-responsible-for-comments-of.html

https://www.accc.gov.au/media-release/firm-fined-for-testimonials-by-facebook-fans-and-tweeters

Is Facebook carrying on business in Australia

 A recent decision in Australia, concerning whether Facebook could be served in California, was decided by the Federal Court of Australia.  This case arises out of a privacy action brought against Facebook by ACMA in relation to the Cambridge Analytics issues.

"It might be added that the means by which entities carry on business are constantly evolving. Much of the case law in which the concept has been discussed was decided long before the technological advances which underpin many modern forms of commerce. Ultimately, the question whether a particular entity carries on business, and does so in a particular place, is determined by reference to the particular facts. 

The Commissioner submitted that she had established a prima facie case that Facebook Inc carried on business in Australia through a combination of two matters: first, through the agency of Facebook Ireland; and secondly, through certain activities for which Facebook Inc was directly responsible in Australia. ...

Rather, the evidence on this application suggests that, to the extent Facebook Ireland carried on business in Australia, it was carrying on its own businessThe evidence adduced on this application and the inferences available to be drawn do not sufficiently allow for a possible conclusion that Facebook Ireland was also carrying on Facebook Inc’s business to warrant permitting service out of the jurisdiction.

However, for the reasons given next, the Commissioner has established a sufficient prima facie case to warrant exposing Facebook Inc to litigation in Australia on the basis that Facebook Inc directly carried on business in Australia. On its case, a part of Facebook Inc’s business was to provide services to Facebook Ireland, including the processing activities referred to earlier. I am satisfied that there is a prima facie case that Facebook Inc carried out sufficient activity in Australia in its business of providing services to Facebook Ireland for a conclusion to be available that Facebook Inc carried on business in Australia within the meaning of s 5B(3)(b) of the Privacy Act. ...

I am satisfied that the Commissioner has established a prima facie case, in the required sense, that Facebook Inc carried on business in Australia within the meaning of s 5B(3)(b). In summary, the Commissioner has established a sufficient prima facie case that Facebook Inc carried on business in Australia which included providing services to Facebook Ireland."

Australian Information Commissioner v Facebook Inc (No 2) [2020] FCA 1307

Customer does not have property in a telephone number

A recent dispute between two taxi companies confirms that a telephone number is not property and is not owned by the telco customer.

"Relevantly, the terms confirm that the customer does not own or have any legal interest or goodwill in any telephone number issued to the customer. The terms also permit the customer to transfer a telephone number to another person with the prior consent of Telstra."

Manly Warringah Cabs (Trading) Co-operative Limited v Sydney Taxis Pty Ltd, in the matter of Sydney Taxis Pty Ltd (No 2) [2020] FCA 1336

Compare this domain name decision:  Multi-National Concepts Pty Ltd v. 1300 Directory Pty Ltd

Data law released in Australia

The Office of the National Data Commissioner has released an exposure draft of the Data Availability and Transparency Bill for public comment. - https://www.abc.net.au/news/2020-09-16/government-draft-law-share-personal-data-between-agencies/12666792)

 More information and the draft bill is available here: https://www.datacommissioner.gov.au/exposure-draft/dat

 

The objects of this law are to:

(a)  promote better availability of public sector data; and

(b)  enable consistent safeguards for sharing public sector data; and

(c)  enhance integrity and transparency in sharing public sector data; and

(d)  build confidence in the use of public sector data; and

(e)  establish institutional arrangements for sharing public sector data.

How should damages be assessed for privacy and cybersecurity breaches

Listen to this podcast where I discuss how damages should be assessed in privacy and cybersecurity lawsuits. The Lawyers Weekly Show host J...