By Cameron Abbott, Rob Pulham, Stephanie Mayhew and Dadar Ahmadi-Pirshahid
Proceedings led by the Office of the Australian Information Commissioner (OAIC) against Facebook, Inc. (Facebook) for their role in the Cambridge Analytica scandal will finally proceed in the Federal Court of Australia.
Read More
By Cameron Abbott, Rob Pulham and Stephanie Mayhew
Currently, most small businesses (with some exceptions) are not covered by the Privacy Act – with the threshold shaping a small business being an annual turnover of $3 million or less. However the Attorney General’s Department recognises that Australians want their privacy protected and that small businesses shouldn’t be excepted from this.
In the long term, proposal 6.1 seeks to remove the small business exemption but only after:
Proposal 6.2, in the shorter term, seeks to ensure that small businesses comply with the Privacy Act in relation to the collection of biometric information and remove the exemption from the Privacy Act for small businesses that obtain consent to trade in personal information (trading in personal information will mean the Privacy Act applies).
Read More
By Cameron Abbott, Rob Pulham and Stephanie Mayhew
The section of the Report dealing with the employee records exemption highlighted significant debate and difference of opinion. Employers expressed a strong desire to retain or even strengthen the exemption; employee representatives consider reform is needed.
In that context the Report does not conclude how the changes should take effect, but proposals 7.1(a)-7.1(d) recommend stronger protection of private sector employee information, to:
What does this mean for my organisation?
Private sector employers who don’t yet have a good grasp of the breadth of information they collect and hold about their employees will need to stocktake their collection activities and sharpen their focus on why they collect such information; prepare appropriate collection notices and employee privacy policies (if not used already); and ensure employee information is appropriately covered in their security measures and considered in their data breach response plans.
Read More
By Cameron Abbott, Rob Pulham and Stephanie Mayhew
Under proposals 4.1-4.4 of the Report, changes to broaden the definition of Personal Information are on the horizon. Under the proposed amendments, the word “about” in the definition of Personal Information will be amended to “relates to”. That is – “information or an opinion that relates to an identified individual…”. This brings the definition in line with other legislative frameworks that regulate privacy and ensures consistency with the language used in the GDPR definition of ‘Personal Data’.
Amendment of the definition of ‘collection’ is also proposed to expressly cover information obtained by any means, including inferred or generated information. The Report also states that ‘reasonably identifiable’ should be supported by a non-exhaustive list of circumstances to which APP entities will be expected to have regard to in their assessment of what is ‘Personal Information’.
What does this mean for my organisation?
With such a broader interpretation, APP entities will need to have regard to a larger set of information that could fall within the definition. This will see information such as mobile location data, IP addresses, social media handles, mobile advertising IDs and other technical information more clearly fall within the definition.
Read More
By Cameron Abbott, Rob Pulham and Stephanie Mayhew
The Government has today released the Report of the Attorney General’s Department’s review of the Privacy Act 1988 (Cth). The Government is seeking feedback on the 116 proposals in the Report before deciding what further steps to take. Submissions on the report are due on 31 March 2023. With this timing, it’s possible that we will see the review finalised towards the end of the first half of 2023.
The report can be accessed here.
The proposals made in the Report centre around:
Read More
By Claude-Étienne Armingaud, Camille Scarparo and Alexandra Séguis
This survey follows the CNIL’s announcement on 24 November 2022 that it aims at “better understanding the economic challenges associated with the collection and processing of personal data in mobile applications” as part of its 2022-2024 strategic plan.
The CNIL considered data collection via mobile applications greatly lacks transparency as opposed to cookies collection on websites.
The expected inputs are to be used for the purpose of drafting recommendations to be submitted to public consultation during the second semester of this year.
Concurrently to its ever-active enforcement of website cookie framework, the CNIL also recently started going after mobile applications for their use of personal data, often leverage as a primary source of revenue for free-to-play mobile games. The most recent example being the French mobile game publisher Voodoo SAS, with a fine of EUR3 million for breach of user consent for targeted ads on 29 December 2022. Indeed, the CNIL considered that even when users did not consent to the tracking for advertising purposes, Voodoo still accessed the IDFV (Apple’s “IDentifier For Vendors” (“IDFV”) – an identifier assigned to app operators, which facilitates targeted advertising) and processed browsing information for advertising purposes, constituting a violation of French privacy law and the GDPR.
The CNIL now calls for economic contributions from experts, interest groups, regulatory entities and experienced private individuals in the field. The call for contributions closes on 10 February 2023. Contributions can be submitted by completing a questionnaire and/or a written statement at the following email address: ecodesapplis@cnil.fr.
All contributions will be covered by professional secrecy and will be published in the form of a synthetic and aggregated report.
By Cameron Abbott, Rob Pulham and Stephanie Mayhew
As of yesterday, the Privacy Legislation Amendment (Enforcement and Other Measures) Act 2022 (Privacy Enforcement Act) is now in effect after receiving Royal Assent on 12 December 2022.
As we have previously shared, the Privacy Enforcement Act increases the maximum penalties for serious or repeated privacy breaches. For body corporates/organisations this increases the penalty from the current $2.22 million to whichever is the greater of:
Read More
By Cameron Abbott, Rob Pulham and Stephanie Mayhew
Earlier this week (on 29 November), the Australian Parliament passed the Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 (Bill) which was introduced to Parliament on 26 October 2022.
The Bill amends the following:
By Cameron Abbott, Rob Pulham and Stephanie Mayhew
We’ve just returned from the annual iapp Australia/New Zealand privacy conference held in Sydney this week, and it was a whirlwind. Even if you’re not one of around half of Australians affected by two of the biggest data breaches in our recent history, you’ll be aware a lot is changing – and a lot more is poised to change – in this space.
We’ll be blogging over the coming weeks about some of the key themes and changes your organisation will need to prepare for, including:
– new regulatory enforcement tools
– higher expectations of the way personal information is collected and secured, and when it needs to be destroyed
– potential removal of key exemptions such as the employee records exemption that your business may currently rely on,
– and of course the major penalty increases that seek to deter privacy breaches being viewed as ‘the cost of doing business’,
as Australia tightens the protections around the collection and use of Australians’ personal information.
Stay tuned!
By Claude-Étienne Armingaud and Keisha Phippen
Sending unsolicited marketing emails could prove costly to UK organisations, as bike and car accessory retailer Halfords have recently discovered.
Last month, Halfords were handed a fine of £30,000 by the Information Commissioner’s Office (ICO) for sending around half a million unsolicited marketing email messages to customers who had not previously opted-in to marketing (see here).
The fine was issued under the Privacy and Electronic Communications Regulations (PECR), which gives people specific privacy rights in relation to electronic communications and restricts how unsolicited direct marketing is carried out.
An investigation carried out by the ICO found that the retailer broke the laws governing electronic communications by sending out emails relating to a government voucher scheme that gave people £50 off the cost of repairing a bike at any participating store or mechanic in England. The email not only pointed customers to the government website, it also invited them to book a bike assessment and to redeem their voucher at their chosen Halfords store. The ICO concluded that the insinuation of Halfords having a direct connection with the government scheme encouraged its customers to redeem the voucher in its stores and that Halfords was therefore advertising its own services.
PECR prevents organisations from sending emails or messages to people unless they have consented to it or they are an existing customer who has bought similar products or services in the past (known as the “soft opt-in” rule).
Halfords argued that the email constituted a service message and should not be categorised as direct marketing, but the ICO maintained that the email did constitute direct marketing because it satisfied the definition of such under Paragraph 35 of the ICO’s Direct Marketing Guidance (see here). In addition, the ICO concluded that the soft opt-in rule could not apply because the targeted customers had already opted out.
Andy Curry, Head of Investigations at the ICO said: “This [decision] sends a message to similar organisations to review their electronic marketing operations, and that we will take necessary action if they break the law.”
Copyright © 2023, K&L Gates LLP. All Rights Reserved.