As part of the Paris AI Action Summit, Privacy and Data Privacy Commissioners from Australia, Korea, Ireland, France and the UK signed a joint statement to reaffirm commitment to establishing data governance that fosters innovative and privacy-protective AI. That statement sets out that, ‘AI should be developed and deployed in […]
New Zealand Biometrics Code Consultation
The New Zealand Privacy Commissioner, Michael Webster has released the Biometric Processing Privacy Code for consultation and is calling for submissions on the draft Code from the public and any agencies it would apply to. “The Code will help agencies implement the technology, while giving people confidence it’s being done […]
$50 million settlement from Meta for Cambridge Analytica incident
On 17 December 2024, the Australian Information Commissioner announced that Federal Court civil penalty proceedings against Meta had settled for a $50 million payment program as part of an enforceable undertaking received from Meta Platforms, Inc. (Meta). The Commissioner alleged that the personal information of some Australian Facebook users was disclosed to […]
Data Leak Exposes Car Owners’ Movements
In December 2024, we highlighted the privacy risks arising from cars examined by Dr Katherine Kemp in her report, ‘Driving Blind: The Unexamined Privacy Risks of Connected Cars’ (access here). Reports in Carscoop and Spiegel on 27 December 2024 revealed that movement data of 800,000 electric cars and contact information […]
Australia’s Privacy Act Reforms 2024
On the final Parliamentary sitting day of 2024, the long-awaited first tranche of privacy reforms was finally passed by the Parliament in the Privacy and Other Legislation Amendment Act 2024 (Cth). This first tranche of reforms implements 23 of the 25 proposals the Government agreed to in its September 2023 […]
NZ Privacy Commissioner’s Report 2024
The New Zealand Privacy Commissioner Annual Report was published on 26 November 2024. It revealed that 864 privacy breach notifications were received and that 1,003 complaints had been processed, with financial settlements in 6.5% of complaints. A key highlight reported was the European Commission determining that New Zealand has an […]
OAIC Guidance on Facial Recognition and Bunnings Decision
On 19 November 2024, the Office of the Australian Information Commissioner (OAIC) released guidance on assessing the privacy risks in facial recognition. The guidance sets out general considerations for private sector organisations considering using facial recognition technology (FRT) to undertake facial identification in a commercial or retail setting. The […]
Privacy Risks of Connected Cars
Associate Professor Katherine Kemp, UNSW Law & Justice has published the first in-depth analysis of privacy terms relevant to connected cars in Australia with highly concerning findings. These are set out in the report and include that manufacturers, importers and dealers in many cases: fail to appreciate the seriousness […]
OAIC Guides on AI and Privacy
The Office of the Australian Information Commissioner (OAIC) has published two new guides to assist organisations in navigating the intersection of AI and privacy: Guidance on privacy and the use of commercially available AI products: This guide assists organisations in complying with their privacy obligations when using commercially available AI products and helps them […]
OAIC Data Breach Report: Key Themes
From January to June 2024, OAIC received 527 data breach notifications, the highest number since July to December 2020. The top five sectors that notified of data breaches in this period were Health Service Providers, the Australian Government, Finance, Education, and Retail.
In a media release accompanying the Notifiable Data Breaches Report on 16 September 2024, Australian Privacy Commissioner Carly Kind said, ‘the high number of data breaches is evidence of the significant threats to Australians’ privacy.’ The reporting period included the MediSecure data breach notification affecting nearly 13 million Australians.
So far this year, the Information Commissioner has filed civil penalty proceedings in the Federal Court against Medibank arising from its October 2022 data breach. The OAIC has also issued an intention and a direction to notify of an eligible data breach about incidents in previous reporting periods and opened an investigation into the HWL Ebsworth Lawyers 2023 data breach.
OAIC’s Data Breach Report identifies the following key themes and recommendations:
- Mitigating cyber threats – organisations need to have appropriate and proactive measures in place to mitigate cyber threats and protect the personal information they hold.
- Addressing the human factor – individuals are a significant threat to the strength of an entity’s privacy practices. Organisations need to mitigate the potential for individuals to intentionally or inadvertently contribute to the occurrence of data breaches.
- Extended supply chain risks – organisations that outsource the handling of personal information can reduce the impact of a data breach in the supply chain by implementing a robust supplier risk management framework.
- Misconfiguration of cloud-based data holdings – organisations need to be aware there is a shared responsibility for the security of data in the cloud.
- Relevance of a threat actor’s motivation in assessing a data breach – entities should not rely on assumptions. They should weigh in favour of notifying the OAIC and affected individuals when a breach occurs.
- Data breaches in the Australian Government – of all sectors, the Australian Government reported the most data breaches involving social engineering or impersonation. Organisations need to have access control measures in place to ensure only authorised persons access their systems.
Access the OAIC’s Data Breach Report here and the OAIC’s Guide to Securing Personal Information here.
IPC Data Breach Report: Key Themes
The first NSW Mandatory Notification of Data Breach Scheme Trends Report for November 2023 to June 2024 was released on 1 October. According to the Report, 79% of all notifications made were caused by human error, followed by criminal or malicious attack. Acting Privacy Commissioner Sonia Minutillo said, ‘The high frequency of […]
The Role of Information Governance in Reducing Data Breach Risks
As data breaches continue to rise, robust governance that aligns and improves integrated cybersecurity, technology procurement, privacy compliance, and information lifecycle management becomes critical. Recently released reports by the Office of the Australian Information Commissioner and the New South Wales Information Commission reveal the high percentage of […]
NZ’s OPC report-back on Biometric Consultation
On 7 August 2024, the Office of the Privacy Commissioner (OPC) provided an update on the consultation process for new rules for biometric processing, which includes facial recognition technology. The OPC publicly released draft rules for using biometrics, for consultation, in May and received 250 submissions from members of the […]
OECD AI, Data Governance and Privacy
The OECD has published a report mapping the principles set out in the OECD Privacy Guidelines to the OECD AI Principles. As explained in the report, ‘AI and privacy policy communities often address these issues independently, with approaches that vary between jurisdictions and legal systems. These silos can generate misunderstandings, add complexities […]
Have your say on proposed changes to New Zealand’s Privacy Act
The Privacy Amendment Bill (the Bill) amends the Privacy Act 2020. The key purpose of the Bill is to improve transparency for individuals about the collection of their personal information and to better enable them to exercise their privacy rights. The Bill addresses a current gap that arises because there is no requirement […]
EU Commission takes on Meta
The European Commission has opened formal proceedings to assess whether Meta, the provider of Facebook and Instagram, may have breached the Digital Services Act (DSA). The proceedings will focus on suspected infringements arising from Meta’s policies and practices involving:
- Deceptive advertisements and disinformation
- Visibility of political content
- The non-availability of an effective third-party […]
U.S. and UK regulators announce enforcing non-compliant cookies a priority
The Federal Trade Commission (FTC) and the UK’s Information Commissioner’s Office (ICO) are both actively enforcing against non-compliant website cookie banners. In the U.S., the FTC has announced proposed settlements arising from three enforcement actions, reflecting the FTC’s ‘heightened focus on pervasive extraction and mishandling of consumers’ sensitive personal data.’ In mid-February, the FTC […]
Privacy Framework Resource
The Information and Privacy Commission NSW has released an updated Privacy Governance Framework, designed to assist NSW public sector agencies to implement robust privacy governance. The Privacy Governance Framework is a dynamic tool designed to assist New South Wales public sector agencies to implement robust privacy governance throughout their organisation to manage personal […]
What’s happening with data from your car?
In the US, Mozilla released a report last week that examined the terms of service for 25 car companies and the types of data being collected. The report states, ‘they can collect information about how much money you make, your immigration status, race, genetic information, and sexual activity (it’s in there!).’ […]
EU-U.S. Data Privacy Framework
This week the European Commission has adopted its adequacy decision for the EU-U.S. Data Privacy Framework. The decision concludes that the United States ensures an adequate level of protection – comparable to that of the European Union – for personal data transferred from the EU to US companies under the new […]