admin – Cyber Law Watch

Breaking Down the Privacy Act Review Report #3: Removal of the Small Business Exemption

Mar 03 2023

By Cameron Abbott, Rob Pulham and Stephanie Mayhew

Currently, most small businesses (with some exceptions) are not covered by the Privacy Act – with the threshold shaping a small business being an annual turnover of $3 million or less. However the Attorney General’s Department recognises that Australians want their privacy protected and that small businesses shouldn’t be excepted from this.

In the long term, proposal 6.1 seeks to remove the small business exemption but only after:

an impact analysis has been undertaken
appropriate support is developed
in consultation with small businesses, the most appropriate way for small business to meet their obligations is determined (propionate to the risk) – e.g. through a code, and
small businesses are in a position to comply with these obligations.

Proposal 6.2, in the shorter term, seeks to ensure that small businesses comply with the Privacy Act in relation to the collection of biometric information and remove the exemption from the Privacy Act for small businesses that obtain consent to trade in personal information (trading in personal information will mean the Privacy Act applies).

Mar 01 2023

By Cameron Abbott, Rob Pulham and Stephanie Mayhew

The section of the Report dealing with the employee records exemption highlighted significant debate and difference of opinion. Employers expressed a strong desire to retain or even strengthen the exemption; employee representatives consider reform is needed.

In that context the Report does not conclude how the changes should take effect, but proposals 7.1(a)-7.1(d) recommend stronger protection of private sector employee information, to:

enhance transparency over what employee information is collected and why
ensure employers have adequate flexibility to deal with employees’ information to administer the employment relationship (and addressing whether consent should be required to collect sensitive information)
ensure adequate security and destruction measures around employee personal information, and
notify employees and the OAIC of data breaches involving employee personal information.

What does this mean for my organisation?

Private sector employers who don’t yet have a good grasp of the breadth of information they collect and hold about their employees will need to stocktake their collection activities and sharpen their focus on why they collect such information; prepare appropriate collection notices and employee privacy policies (if not used already); and ensure employee information is appropriately covered in their security measures and considered in their data breach response plans.

Feb 27 2023

By Cameron Abbott, Rob Pulham and Stephanie Mayhew

Under proposals 4.1-4.4 of the Report, changes to broaden the definition of Personal Information are on the horizon. Under the proposed amendments, the word “about” in the definition of Personal Information will be amended to “relates to”. That is – “information or an opinion that relates to an identified individual…”. This brings the definition in line with other legislative frameworks that regulate privacy and ensures consistency with the language used in the GDPR definition of ‘Personal Data’.

Amendment of the definition of ‘collection’ is also proposed to expressly cover information obtained by any means, including inferred or generated information. The Report also states that ‘reasonably identifiable’ should be supported by a non-exhaustive list of circumstances to which APP entities will be expected to have regard to in their assessment of what is ‘Personal Information’.

What does this mean for my organisation?

With such a broader interpretation, APP entities will need to have regard to a larger set of information that could fall within the definition. This will see information such as mobile location data, IP addresses, social media handles, mobile advertising IDs and other technical information more clearly fall within the definition.

Feb 16 2023

By Cameron Abbott, Rob Pulham and Stephanie Mayhew

The Government has today released the Report of the Attorney General’s Department’s review of the Privacy Act 1988 (Cth). The Government is seeking feedback on the 116 proposals in the Report before deciding what further steps to take. Submissions on the report are due on 31 March 2023. With this timing, it’s possible that we will see the review finalised towards the end of the first half of 2023.

The report can be accessed here.

The proposals made in the Report centre around:

Jan 23 2023

By Claude-Étienne Armingaud, Camille Scarparo and Alexandra Séguis

This survey follows the CNIL’s announcement on 24 November 2022 that it aims at “better understanding the economic challenges associated with the collection and processing of personal data in mobile applications” as part of its 2022-2024 strategic plan.

The CNIL considered data collection via mobile applications greatly lacks transparency as opposed to cookies collection on websites.

The expected inputs are to be used for the purpose of drafting recommendations to be submitted to public consultation during the second semester of this year.

Concurrently to its ever-active enforcement of website cookie framework, the CNIL also recently started going after mobile applications for their use of personal data, often leverage as a primary source of revenue for free-to-play mobile games. The most recent example being the French mobile game publisher Voodoo SAS, with a fine of EUR3 million for breach of user consent for targeted ads on 29 December 2022. Indeed, the CNIL considered that even when users did not consent to the tracking for advertising purposes, Voodoo still accessed the IDFV (Apple’s “IDentifier For Vendors” (“IDFV”) – an identifier assigned to app operators, which facilitates targeted advertising) and processed browsing information for advertising purposes, constituting a violation of French privacy law and the GDPR.

The CNIL now calls for economic contributions from experts, interest groups, regulatory entities and experienced private individuals in the field. The call for contributions closes on 10 February 2023. Contributions can be submitted by completing a questionnaire and/or a written statement at the following email address: ecodesapplis@cnil.fr.

All contributions will be covered by professional secrecy and will be published in the form of a synthetic and aggregated report.

New Privacy Enforcement Act commences in Australia

Dec 14 2022

By Cameron Abbott, Rob Pulham and Stephanie Mayhew

As of yesterday, the Privacy Legislation Amendment (Enforcement and Other Measures) Act 2022 (Privacy Enforcement Act) is now in effect after receiving Royal Assent on 12 December 2022.

As we have previously shared, the Privacy Enforcement Act increases the maximum penalties for serious or repeated privacy breaches. For body corporates/organisations this increases the penalty from the current $2.22 million to whichever is the greater of:

Oct 11 2022

By Claude-Étienne Armingaud and Keisha Phippen

Sending unsolicited marketing emails could prove costly to UK organisations, as bike and car accessory retailer Halfords have recently discovered.

Last month, Halfords were handed a fine of £30,000 by the Information Commissioner’s Office (ICO) for sending around half a million unsolicited marketing email messages to customers who had not previously opted-in to marketing (see here).

The fine was issued under the Privacy and Electronic Communications Regulations (PECR), which gives people specific privacy rights in relation to electronic communications and restricts how unsolicited direct marketing is carried out.

An investigation carried out by the ICO found that the retailer broke the laws governing electronic communications by sending out emails relating to a government voucher scheme that gave people £50 off the cost of repairing a bike at any participating store or mechanic in England. The email not only pointed customers to the government website, it also invited them to book a bike assessment and to redeem their voucher at their chosen Halfords store. The ICO concluded that the insinuation of Halfords having a direct connection with the government scheme encouraged its customers to redeem the voucher in its stores and that Halfords was therefore advertising its own services.

PECR prevents organisations from sending emails or messages to people unless they have consented to it or they are an existing customer who has bought similar products or services in the past (known as the “soft opt-in” rule).

Halfords argued that the email constituted a service message and should not be categorised as direct marketing, but the ICO maintained that the email did constitute direct marketing because it satisfied the definition of such under Paragraph 35 of the ICO’s Direct Marketing Guidance (see here). In addition, the ICO concluded that the soft opt-in rule could not apply because the targeted customers had already opted out.

Andy Curry, Head of Investigations at the ICO said: “This [decision] sends a message to similar organisations to review their electronic marketing operations, and that we will take necessary action if they break the law.”

Uber found to have breached Australian’s privacy following 2016 hack

Jul 27 2021

By Cameron Abbott and Jacqueline Patishman

In 2017, Uber disclosed to the Office of the Australian Information Commissioner (OAIC) a breach of its some 57 million global users and driver’s personal information (including approximately 1.2 million Australians). Last Friday, the OAIC determined that Uber had breached the Australian Privacy Act by failing to take reasonable steps to protect Australian’s personal information from unauthorised access.

To pay or not to pay the ransom? Organisations may find their decision easier with government guidance

Jul 26 2021

By Cameron Abbott, Rob Pulham and Jacqueline Patishman

The Cyber Security Advisory Committee (an industry based advisory panel established by the Minister for Home Affairs to provide independent strategic advice on Australia’s cyber security challenges) has recommended in its annual report that the federal government develop a clearer policy position on the payment of ransoms by organisations that have suffered ransomware attacks.

Would mandatory reporting of ransomware payments cause more good or trouble?

Jul 15 2021

By Cameron Abbott, Warwick Andersen and Jacqueline Patishman

Last month, the federal opposition (Shadow Assistant Minister for Cyber Security) introduced the private member’s Ransomware Payments Bill (the Bill) that proposes to make it mandatory for all Australian businesses and government agencies to notify the Australian Cyber Security Centre (ACSC) before paying a ransom to a ransomware attacker. Failure to notify will attract a penalty of 1,000 penalty units ($181,740).

Author - admin

Breaking Down the Privacy Act Review Report #3: Removal of the Small Business Exemption

Breaking Down the Privacy Act Review Report #2: Modifying the employee records exemption

Breaking down the Privacy Act Review Report #1: More Personal Information to be captured by the Act

The wait is over: The Privacy Act Review Report has been published!

SURVEY ON THE ECONOMICS ON PERSONAL DATA ON MOBILE APPS LAUNCHED BY FRANCE’S PRIVACY WATCHDOG

New Privacy Enforcement Act commences in Australia

UK Data Protection: Beware of the consequences of unsolicited marketing emails!

Uber found to have breached Australian’s privacy following 2016 hack

To pay or not to pay the ransom? Organisations may find their decision easier with government guidance

Would mandatory reporting of ransomware payments cause more good or trouble?