Category: Litigation of Data Breaches

1
New Privacy Enforcement Act commences in Australia
2
Update from the Australia/New Zealand privacy conference and the changes to Australian privacy and cybersecurity laws
3
UK Government publishes new proposed data protection law
4
This is your digital life (of no consent or control): The Australian Information Commissioner takes Facebook to Court
5
You’ve got mail…and lots of it according to the latest OAIC report!
6
You Can’t Throw the (Face)Book at Them: Affected Users Unable to Pursue Damages Claim against Facebook
7
Insufficiency meets Punishment: Polish DPA issues largest fine for Insufficient Security and Organisational Measures
8
Update on the Criminalisation of Non-Consensual Distribution of Intimate Images in WA: Another Conviction in Australia
9
The OAIC engages in more in-depth investigations and stronger exercise of its power
10
PwC’s Enforcement Tracker finds a large increase in fines for privacy breaches in the UK

New Privacy Enforcement Act commences in Australia

By Cameron Abbott, Rob Pulham and Stephanie Mayhew

As of yesterday, the Privacy Legislation Amendment (Enforcement and Other Measures) Act 2022 (Privacy Enforcement Act) is now in effect after receiving Royal Assent on 12 December 2022.

As we have previously shared, the Privacy Enforcement Act increases the maximum penalties for serious or repeated privacy breaches. For body corporates/organisations this increases the penalty from the current $2.22 million to whichever is the greater of:

  • $50 million;
  • if the court can determine the value of the benefit that the body corporate, and any related body corporate, have obtained directly or indirectly and that is reasonably attributable to the conduct constituting the contravention—3 times the value of that benefit;
  • if the court cannot determine the value of that benefit—30% of the adjusted turnover of the body corporate during the breach turnover period for the contravention.

The Act also provides the Australian Information Commissioner with greater enforcement powers to enable privacy breaches to be resolved more quickly and efficiently through more effective information-sharing powers.

While the Privacy Act review has been ongoing since 2020 with an increase to the maximum penalties long-expected, the Privacy Enforcement Act was a quick response to recent major data breaches. Attorney-General, Mark Dreyfus stated that “significant privacy breaches in recent months have shown existing safeguards are outdated and inadequate. These reforms make clear to companies that the penalty for a major data breach can no longer be regarded as the cost of doing business”.

This is just the first step in what is likely to be significant amendments to the Privacy Act that will follow from the Attorney General’s Department’s ongoing review.

We expect that the regulator will start to take a far firmer approach to companies failing to secure their customer’s personal information and now carries a big stick to use in that process.

Update from the Australia/New Zealand privacy conference and the changes to Australian privacy and cybersecurity laws

By Cameron Abbott, Rob Pulham and Stephanie Mayhew

We’ve just returned from the annual iapp Australia/New Zealand privacy conference held in Sydney this week, and it was a whirlwind. Even if you’re not one of around half of Australians affected by two of the biggest data breaches in our recent history, you’ll be aware a lot is changing – and a lot more is poised to change – in this space.

We’ll be blogging over the coming weeks about some of the key themes and changes your organisation will need to prepare for, including:

– new regulatory enforcement tools

– higher expectations of the way personal information is collected and secured, and when it needs to be destroyed

– potential removal of key exemptions such as the employee records exemption that your business may currently rely on,

– and of course the major penalty increases that seek to deter privacy breaches being viewed as ‘the cost of doing business’,

as Australia tightens the protections around the collection and use of Australians’ personal information.

Stay tuned!

UK Government publishes new proposed data protection law

By Claude-Étienne Armingaud, Nóirín McFadden and Keisha Phippen

The UK Government has finally published its highly anticipated Data Protection and Digital Information Bill (the Bill), marking the first significant post-Brexit change to the UK’s data protection regime. Following Brexit, the UK continued following the EU General Data Protection Regulation, incorporated into UK law as the UK GDPR, and the UK implementation of the EU ePrivacy Directive, the Privacy and Electronic Communications Regulations 2003 (PECR), also remained in force.

The Bill is only at the start of the legislative process, and it remains to be seen how it will develop if it is amended during its passage through Parliament, but early indications are that it represents more of an evolution than a revolution in the UK regime. That will come as a relief to businesses that transfer personal data from the EU to the UK, because it reduces the risk that the EU might rescind the UK’s adequacy status.

For a start, the Bill actually preserves the UK GDPR, its enabling legislation the Data Protection Act 2018, and the PECR, because it is drafted as an amending act rather than a completely new legislative instrument. This does not contribute to user-friendliness, as interpreting UK data protection requirements will require a great deal of cross-referencing across texts.

The more eye-catching proposed changes in the Bill include:

  • The inclusion of a list of “legitimate interests” that will automatically qualify as being covered by the lawful basis in UK GDPR Article 6(e).
  • Some limitations on data subject access requests, such as the possibility of refusing “vexatious or excessive” requests.
  • More exemptions from the requirement to obtain consent to cookies.
  • Much higher fees for breach of PECR.

The Bill will now progress through various Parliamentary stages over the coming months in order to become law.

This is your digital life (of no consent or control): The Australian Information Commissioner takes Facebook to Court

By Cameron Abbott, Rob Pulham and Rebecca Gill

In a first for Australia, the Australian Information Commissioner (Commissioner) has launched proceedings in the Federal Court of Australia, seeking penalties against Facebook for serious and/or repeated interferences with privacy. The contraventions relate to the conduct disclosed by the Cambridge Analytica scandal, which involved the This is Your Digital Life app (App). We’ve previously blogged about the App here.

It is unclear how the penalties will be calculated in this proceeding. The penalty rate applicable to the relevant period (being from March 2014 to May 2015) is a maximum of $1.7 million. Some have suggested that fines may be in the billions if the maximum rate is applied to each individual affected as a single “contravention” (with possibly over 300,000 contraventions in total!). This may be fun to calculate, but highly unlikely to be applied in reality.

Read More

You’ve got mail…and lots of it according to the latest OAIC report!

By Cameron Abbott and Michelle Aggromito

With email being one of the most common forms of communication, it’s not surprising that inboxes these days accumulate thousands of emails that, perhaps, aren’t always electronically filed or deleted (not ours of course).

As the Office of the Australian Information Commissioner (OAIC) has indicated in its most recent report on notifications received under the Notifiable Data Breach (NBD) scheme, email accounts are frequently being used for storage, and this raises inherent risk. Yes it’s convenient, but using email to send personal information, such as copies of passports, bank account details and credit card information, can very quickly lose its appeal. If the email account is accessed by a malicious actor through a phishing attack or a rogue employee, the end result can be exploitation of that information for criminal gain.

Read More

You Can’t Throw the (Face)Book at Them: Affected Users Unable to Pursue Damages Claim against Facebook

By Cameron Abbott, Max Evans and James Gray

A US federal judge has ruled that the 29 million Facebook users affected by the September 2018 data breach may not seek damages as a remedy, but can only pursue the enforcement of better security practices at Facebook, according to a report by Reuters. Judge Alsup of the US District Court stated that Facebook’s repetitive losses of users’ privacy indicated a long-term need for supervision, which comes in addition to prior judgment which indicated that Facebook’s views about user’s privacy expectations were “so wrong”.

Read More

Insufficiency meets Punishment: Polish DPA issues largest fine for Insufficient Security and Organisational Measures

By Cameron Abbott and Max Evans

Further to the Facebook and Tesco scandals, and the apparent statistic increase of enforcement fines issued, the Polish Data Protection Authority has issued a landmark fine of €645,000 against online retail company morele.net for insufficient security and organisational measures violating data confidentiality and integrity principles prescribed in the EU’s General Data Protection Regulation.

Read More

Update on the Criminalisation of Non-Consensual Distribution of Intimate Images in WA: Another Conviction in Australia

By Olivia O’Brien, Philip Murray and Kathleen Weston

Just a few months ago, we published an article on the criminalisation of the non-consensual distribution of intimate images in Western Australia. Only this week, there has been a second successful conviction under the Criminal Law Amendment (Intimate Images) Act 2018 (WA) (WA Act) in the Rockingham Magistrate’s Court.

Read More

The OAIC engages in more in-depth investigations and stronger exercise of its power

By Cameron Abbott, Rob Pulham and Jacqueline Patishman

Following two key data incidents concerning how the Commonwealth Bank of Australia (CBA) handled data, the OAIC has successfully taken court action binding the banking heavyweight to “substantially improve its privacy practices”.

As a quick summary of the incidents, the first incident involved the loss of magnetic storage tapes (which are used to print account statements). These contained historical customer data including customer statements of up to 20 million bank customers. In 2016, the CBA was unable to confirm that the two magnetic tapes were securely disposed of after the scheduled destruction by a supplier.

Read More

PwC’s Enforcement Tracker finds a large increase in fines for privacy breaches in the UK

By Cameron Abbott and Rebecca Gill

PwC’s UK Privacy & Security Enforcement Tracker has found that fines in the UK over data protection law violations totalled £6.5 million in 2018, a £2 million increase from 2017.

The Tracker analysed data protection enforcement actions by the UK Information Commissioner’s Office (ICO), including monetary fines, prosecutions and undertakings. The Tracker shows that the total sum of fines increased from 2017, but the number of ICO enforcements fell to 67 in 2018 from 91 in 2017.

Read More

Copyright © 2023, K&L Gates LLP. All Rights Reserved.