Latest Cybersecurity Law Updates in Australia for 2024

Expertly authored practice-area news, key cases and legislative reforms.

Copyright © 2024 LexisNexis


Sweeping new bill unveiled that could revolutionise the data privacy landscape in the United States

Date: 11 April 2024

Abstract:

A new data privacy bill, the American Privacy Rights Act, was unveiled in the United States on 7 April 2023. It proposes to restrict the scope of consumer data that technology companies can collect to only what is essential for the products and services provided. It also gives individuals greater control over their personal data, including the ability to prevent their data being sold (disclosure would be required if data has been transferred to foreign adversaries, and in the case of ‘sensitive’ data, express consent is required before it can be transferred) or to compel its deletion. Additionally, individuals will be given the option to opt out of targeted advertising. If these rights are violated, individuals would be empowered to take action and recover damages. There are also a number of obligations on entities to conduct annual reviews of algorithms and processes to ensure that they are not causing harm or discrimination and are otherwise compliant.

Under the bill, the U.S. Federal Trade Commission and state attorneys would also be given broad authority to oversee consumer privacy issues and to establish enforcement mechanisms to ensure the obligations are complied with.


Government Credential Protection Register Scheme is proving successful – what is it?

Date: 11 April 2024

Abstract:

A statement released by the Attorney-General’s Department on 10 April 2023 has revealed the success of new protective measures implemented in response to the 2022 Optus data breach, during which the sensitive personal details of 10 million individuals, including identity documents such as passports and driving licences, were compromised.

One of the measures was the establishment of the Identity Verification Service Credential Protection Register (IVSCPR). The purpose of the register is to protect individuals who have had their identity documents stolen from further harm by preventing the compromised documents being used as forms of identity. The legitimate owners are still able to use the documents, but only for their primary purpose (for example, a passport can be used for travelling).

Since its establishment, over 300,000 fraudulent attempts to use stolen identity documents have been blocked. This success has resulted in a further $3.3 million being pledged to enhancing the IVSCPR in 2023. Once the enhancements are completed, document issuers and other trusted organisations will have the ability to update the register directly, in virtually real time.


China releases long-awaited simplification of its data export regime

Date: 3 April 2024

Abstract: 

The Cyberspace Administration of China (CAC) has released its long-awaited Provisions on Regulation and Promoting Cross-Border Data Flows, as well as a second edition of its Guidelines for Security Assessment Filings and the Guidelines for Filing Personal Information Expert Standard Contract. All three newly released documents are effective immediately.

Previously, China’s data export regime required any export of “important data” to be conducted via one of three schemes: a security assessment organised by the CAC, certification by a licensed third-party institution, or the execution of a standard contract formulated and issued by the CAC. This regime proved particularly burdensome for the businesses and other entities attempting to comply with its requirements, owing to the complexity of the regime, which required extensive documentation work in all cases, as well as the ambiguous definition of “important data” and uncertain timeframes for the completion of a filing.

A number of exemptions have been established under the new provisions; if data export activities fall under the scope of one of the exemptions, then they can be conducted without having to follow one of the aforementioned schemes.


The United States and United Kingdom join forces in the field of artificial intelligence testing

Date: 3 April 2024

Abstract:

On 1 April 2024 the United States and United Kingdom signed a Memorandum of Understanding for collaboration on the development of robust testing for advanced artificial intelligence (AI) models. This includes plans to align their scientific approaches and an aim to jointly accelerate and iterate suites of evaluation for artificial intelligence models, systems and agents. The Memorandum of Understanding will take effect immediately.

The Memorandum of Understanding was signed by the United States Commerce Secretary Gina Raimondo and the United Kingdom Technology Secretary Michelle Donelan.

More information is available on the respective countries’ government websites.


Australian Senate passes Digital ID Bill

Date: 3 April 2024

Abstract:

On 27 March 2024, the Australian Senate passed the Digital ID Bill and the Digital ID (Transitional and Consequential Provisions) Bill.

The Digital ID Bill represents an Australia-wide legislative framework for Digital ID services. These services are designed to allow individuals to verify their identity online, access government services more easily, increase the privacy of their personal data, and streamline the process of logging into various government services with different usernames and passwords.

Following passage of the Digital ID Bill, there will be a phased expansion of the existing Digital ID system to further state and territory government services and the private sector. Accordingly, privacy and security safeguards for users would also be strengthened, along with more robust regulation and governance of Digital ID services.

This follows an endorsement of the Digital ID Bill by the Senate Economics Legislation Committee in early March, which was pleased overall “with the numerous benefits that a legislated digital ID scheme will bring to individuals and businesses who choose to participate in the system”.

The text of the Digital ID Bill is available here.


European Union’s Cybersecurity Resilience Act has been approved – but what is it?

Date: 27 March 2024

Abstract:

On Tuesday 12 March, the European Parliament voted in favour of approving the European Union (EU) Cyber Resilience Act. All that remains is formal approval by the European Council before it will enter into force.

The Cyber Resilience Act (CRA) aims to address the lack of EU legislation targeting the standards of cybersecurity in products that contain digital elements, which can include products with either hardware or software components. The specific objectives as set out in the text of the CRA are as follows:

  1. Ensure that manufacturers improve the security of products with digital elements since the design and development phase and throughout the whole life cycle
  2. Ensure a coherent cybersecurity framework, facilitating compliance for hardware and software producers
  3. Enhance the transparency of security properties of products with digital elements
  4. Enable businesses and consumers to use products with digital elements securely

Australian Government seeking public submissions on Privacy Act reforms to target doxxing

Date: 22 March 2024

Abstract:

The Attorney-General is seeking consultation on proposed reforms to the Privacy Act 1988 in order to address the growing threat of doxxing.

Doxxing is defined as the intentional exposure of an individual’s identity, private information or personal details without their consent. The practice can often leave victims vulnerable to public embarrassment and discrimination as well as putting their personal safety at risk.

The Australian Government is proposing to introduce new provisions to the Privacy Act 1988 to provide specific protection to individuals against the practice of doxxing. The proposed changes are as follows:

  • A new statutory tort for serious invasions of privacy would allow individuals to seek redress through the courts if they have fallen victim to doxxing,
  • Giving individuals greater control and transparency over their personal information, including the introduction of new or strengthened individual rights to access, object, erase, correct, and de-index their personal information, and
  • Progressing other privacy reform proposals contained in the Privacy Act review that bring the Privacy Act into the digital age, uplift protections, and raise awareness of obligations for responsible personal information handling.

European Parliament passes Artificial Intelligence Act

Date: 22 March 2024

Abstract:

The European Union’s proposed Artificial Intelligence (AI) Act is a step closer to coming into force after the European Parliament voted in favour of it last month – 523 votes for versus only 46 against.

Following a final review by EU lawyer-linguists, it is expected that the 27 member states of the EU will endorse the proposed law in April before it is formally published in the Official Journal of the EU in May or June.

The AI Act takes a risk-based approach to AI regulation, meaning the level of regulation will be proportional to the level of perceived risk of the AI tool. AI tools deemed to carry the most risk will be banned outright under the Act. Some provisions of the Act will come into force 12 months after the law becomes official, while others will only come into force after 24 months.

The full text of the AI Act in its current form is available here.


United Kingdom’s Information Commissioner’s Office seeking public input on radical “consent or pay” online business model

Date: 18 March 2024

Abstract: 

The Information Commissioner’s Office – the United Kingdom’s independent body tasked with upholding information rights – is seeking public input on a “consent or pay” approach to online website access which some businesses are considering adopting.

The “consent or pay” approach gives online users a choice to visit and use a website for free provided they consent to having their personal information collected and used for personalised or targeted advertising. Alternatively, users can pay a fee and avoid this data collection and tracking.

Consultation on “consent or pay” approaches commenced on 6 March 2024 and will remain open until 17 April 2024. Information is available about the relevant laws, considerations for organisations, exact mechanisms and more on the consultation page.

This consultation process is part of a larger campaign by the Information Commissioner’s Office to ensure that current online targeted advertising practices, such as the use of advertising cookies and the ability for users to consent to the use of such technologies, are compliant with existing laws.


ACCC launches inquiry into general internet search services in Australia

Date: 18 March 2024
Source: Australian Competition and Consumer Commission

Abstract:

The Australian Competition and Consumer Commission (ACCC) has released an issues paper for its new inquiry into the state of competition in general internet search services such as Google and Bing in Australia. This new inquiry is part of the ACCC’s ongoing Digital Platform Services Inquiry (see our previous Latest Legal Update here).

The issues paper seeks the views of interested parties about the level of competition present in general search services as well as general trends in search quality and the relationship between the two.

The inquiry will also consider the impacts of regulatory and industry developments, including those in other jurisdictions and the emergence of AI-powered search engines, and their potential impact on competition in the market for general search services. The report will not examine issues relating to generative AI more broadly, including privacy, online safety or misinformation issues.

The ACCC previously considered competition and consumer issues in general search and web browser services in its September 2021 and July 2019 Digital Platforms Inquiry reports.


European Commission guilty of data privacy malpractice under EU regulation

Date: 18 March 2024

Abstract:

The European Data Protection Supervisor (EDPS) announced last week that the European Commission itself has infringed a number of European Union (EU) data protection regulations through its use of Microsoft 365.

Regulation (EU) 2018/1725 regulates the data practices of official EU bodies, offices and agencies. In summary, the European Commission failed to comply with the regulation by:

  1. Failing to provide appropriate safeguards to ensure that personal data transferred outside the EU/EEA (European Economic Area) is afforded an equivalent level of protection as is guaranteed within the EU/EEA.
  2. Failing to sufficiently specify what types of personal data are to be collected and for which explicit and specified purposes in its contract with Microsoft for the use of Microsoft 365.

These failures constitute 11 infringements of 10 different articles of Regulation (EU) 2018/1725.

The EDPS decided to take a number of corrective measures against the European Commission in respect of the infringements. In summary, the European Commission is required to:

  1. Suspend all data flows resulting from its use of Microsoft 365 to Microsoft and its affiliates and sub-processors located in countries outside the EU/EEA not covered by an adequacy decision.

Senate Economics Legislation Committee delivers its verdict on the Digital ID Bill in new report

Date: 6 March 2024

Abstract:

The Senate Economics Legislation Committee (‘the Committee’) has published its report on the Digital ID Bill 2023 and the related Digital ID (Transitional and Consequential Provisions) Bill 2023 (‘the Bills’). In late 2023, the Commonwealth government proposed measures to strengthen the existing Digital ID schemes by introducing the Bills in the Senate. The Bills were subsequently referred to the Committee to conduct a comprehensive inquiry and deliver a report on the merits of the Bills.

The report, published on 28 February 2024, explores the purpose and the provisions of the Bills as well as other areas including their financial impact, regulatory impact, stages of consultation and legislative scrutiny. The Committee then delivered its views with special focus on the Bills’ voluntariness, security, privacy, costs, interoperability, phasing and mechanisms for redress.

The Committee was pleased overall “with the numerous benefits that a legislated digital ID scheme will bring to individuals and businesses who choose to participate in the system.”


Treasury announces review of Australia’s credit reporting framework

Date: 1 March 2024
Source: The Australian Treasury

Abstract:

The Australian Government has announced an independent review of Australia’s Credit Reporting Framework.

The review will evaluate the effectiveness and efficiency of the credit reporting provisions in the Privacy Act 1988 (Cth) and the National Consumer Credit Protection Act 2009 (Cth) in enabling effective lending decisions by credit providers while ensuring the personal information of consumers is adequately protected.

The review is being conducted by former Australian Prudential Regulation Authority (APRA) senior executive Heidi Richards, with a report to be delivered by 1 October 2024.

For more information, see the terms of reference for the review here, and Treasury’s statement here.


Federal Court delivers judgment applying financial services law to crypto-backed financial products

Date: 29 February 2024

Abstract: 

The rise of cryptocurrency has led to the creation of a new sector of the financial services industry based around digital assets. However, it remains unclear how the relevant existing laws will apply to this new breed of financial services.

The recent decision in Australian Securities and Investments Commission v Web3 Ventures Pty Ltd [2024] FCA 64 shed some light on this issue. The respondent (trading as ‘Block Earner’) offered a product which allowed users to lend their cryptocurrency holdings to the company in exchange for a fixed interest rate. The Federal Court found that this met the definition of a managed investment scheme and a facility for making a financial investment, leading to the conclusion that Block Earner had engaged in unlicensed financial services conduct by offering this product.

This judgment serves as a reminder that although cryptocurrency and other digital assets remain under-regulated, financial offerings that involve these assets may still be considered financial products under the existing law if they operate as such, regardless of the underlying mechanics.

The full judgment is available here.


Latest data breach statistics highlight the risk of outsourcing information handling to third parties

Date: 28 February 2024
Jurisdiction: Office of the Australian Information Commissioner (OAIC)

Abstract:

The notifiable data breaches report released last week by the OAIC for the months of July 2023 to December 2023 indicated that there were 483 data breaches reported to the OAIC, representing a 19% increase from the first half of 2023. Additionally, there were 121 secondary notifications (notifications of the same data breach by multiple parties) up from only 29 in the previous 6 months.

With the majority of these data breaches resulting from a breach of a third-party cloud provider or other related software-service provider, the report highlights the risk associated with outsourcing personal information handling. Speaking on the report’s findings, Australian Information Commissioner Angelene Falk urged organisations to “proactively address privacy risks in contractual agreement with third party providers […] This includes having clear processes and policies in place for handling personal information and a data breach response plan that assigns roles and responsibilities for managing an incident and meeting regulatory obligations.”


OVIC releases new guidance on use of personal information with ChatGPT

Date: 16 February 2024
Jurisdiction: Office of the Victorian Information Commission

Abstract:

The Office of the Victorian Information Commission (OVIC) has released new guidance on the use of personal information with Chat Generative Pre-Trained Transformer (ChatGPT).

The guidance specifically relates to use of the ChatGPT platform by Victorian public sector (VPS) organisations but raises concerns that are potentially applicable to all organisations.

OVIC outlines the following concerns:

  • The use of ChatGPT means that information is disclosed to OpenAI. Information shared may then be accessed by or used by individuals outside of your organisation for unauthorised purposes. This is in contravention of Information Privacy Principles (IPPs) 2.1, 4.1 and 9.
  • The generation of personal information with ChatGPT may be unlawful and result in inaccurate information, or opinions, being generated and subsequently used or disclosed, in contravention of IPPs 1.1, 1.2, 3.1 and 10.
  • The input of personal information into ChatGPT allows OpenAI to indefinitely retain that information, in contravention of IPP 4.2 and an organisation’s obligations under the Public Records Act 1973.

Read the Office of the Victorian Information Commission’s full public statement here.


ACCC releases second survey for Consumer Data Right stakeholders

Date: 8 February 2024
Source: Australian Competition and Consumer Commission (ACCC)

Abstract:

The ACCC is conducting a survey to better understand the needs of Consumer Data Right stakeholders. The survey is aimed at businesses and individuals that are holders or receivers of data under the Consumer Data Right scheme, or provide services to these parties. This includes data holders, accredited persons, Consumer Data Right representatives and third-party service providers.

The ACCC hopes the survey will reveal how participants’ views have changed since a similar survey was conducted in 2022. The survey will also help gauge the effectiveness of initiatives that have been introduced in that time.

The survey is available here.


Australian Government releases official guidance for organisations on using AI systems securely

Date: 1 February 2024
Jurisdiction: Australian Signals Directorate

Abstract:

The Australian Signals Directorate’s Australian Cyber Security Centre, collaborating with several international governmental partners, has released ‘Engaging with Artificial Intelligence (AI)’, a guidance paper focussing on the safe and secure use of AI systems.

The guidance paper begins with a description of the growth opportunities around AI as well as the associated risks, and briefly explains some of the most popular sub-fields of AI, including machine learning, natural language processing and generative AI.

The body consists of an exploration (including case studies) of some of the challenges that arise when engaging with AI. These include:

  • Data poisoning of an AI Model
  • Input manipulation attacks – Prompt injection and adversarial examples
  • Generative AI hallucinations
  • Privacy and intellectual property concerns
  • Model stealing attacks

This is followed by eleven mitigation considerations for organisations looking to use and engage with AI systems. The considerations are as follows:

  • Has your organisation implemented the cyber security frameworks relevant to its jurisdiction?
  • How will the system affect your organisation’s privacy and data protection obligations?
  • Does your organisation enforce multi-factor authentication?

Sanctions update – Australia imposes first sanctions in response to Medibank cyber incident

Date: 24 January 2024
Jurisdiction: Federal Register of Legislation

Abstract:

The Minister for Foreign Affairs has made the Autonomous Sanctions (Designated Persons and Entities and Declared Persons – Thematic Sanctions) Amendment (No. 1) Instrument 2024 (Cth) to impose sanctions on an individual for the first time under the “significant cyber incident” thematic sanctions criteria in the Autonomous Sanctions Regulations 2011 (Cth) (Regulations).

The sanctions have been imposed on Russian citizen Aleksandr Ermakov (also known as Alexander Ermakov, GustaveDore, aiiis_ermak, blade_runner and JimJones) for his alleged involvement in the Medibank significant cyber incident in 2022.

The Regulations allow the Minister to impose targeted financial sanctions and travel bans on a person if the Minister is satisfied that the person has caused, assisted or been complicit in a significant cyber incident. In determining whether a cyber incident is “significant”, the Minister may have regard to (among other things):

  • the maliciousness of the conduct;
  • the impacts on essential services and critical infrastructure;
  • whether the conduct involved loss of or risk to life;

The Australian Government floats mandatory safeguards for high-risk AI in interim response paper

Date: 18 January 2024
Jurisdiction: Department of Industry, Science and Resources

Abstract: 

On 17 January 2024 the Australian Government published its interim response to the Safe and Responsible AI in Australia discussion paper released in June 2023. The interim response outlines a number of immediate and proposed measures to address the issues that have been raised during the consultation period.

The interim response focusses on gaps identified by a number of submissions regarding the lack of safeguards around the deployment of AI in legitimate but high-risk contexts. Accordingly, the Australian Government will consider mandatory safeguards for individuals and entities developing or deploying AI systems in legitimate, high-risk settings. The proposed safeguards will be focussed on:

  • Testing – could include internal and external testing, best-practice information sharing, ongoing auditing and monitoring, and cybersecurity reporting.
  • Transparency – could include labelling or watermarking content that is AI-generated, public reporting of AI system limitations, capabilities and areas of appropriate use, and public reporting of training data, data processing and testing.
  • Accountability – could include designated roles with responsibility for AI safety, and training for developers or deployers of AI in some settings.

Have your say — Australian Government seeks consultation on new cybersecurity legislation

Date: 10 January 2024
Source: Department of Home Affairs

Abstract:

In line with the 2023-2030 Australian Cyber Security Strategy, the Australian Government has identified opportunities to strengthen cybersecurity laws by introducing new legislation and amending the existing Security of Critical Infrastructure Act 2018 (Cth).

A consultation paper has been released by the Department of Home Affairs, seeking public submissions on the proposed reforms. In summary, the consultation paper proposes new legislation that will establish:

  • A mandatory cybersecurity standard for consumer-grade smart devices to address security risks posed by the proliferation of Internet of Things devices.
  • Ransomware reporting obligations for businesses that are either impacted by a ransomware or cyber extortion attack, or have made a ransomware or extortion payment.
  • A legislative framework that will encourage industry to voluntarily provide information to the Australian Signals Directorate and the National Cyber Security Coordinator about, or in the event of, a cyber incident. The framework will seek to balance confidentiality guarantees for entities with appropriate information sharing.

AI management: ISO/IEC 42001 released

Date: 19 December 2023
Source: ISO

Abstract:

The International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) have released their new standard for artificial intelligence (AI) management systems, ISO/IEC 42001.

The standard outlines requirements and guidance for establishing, implementing and maintaining AI management systems within organisations. The aim of this global standard is to help organisations manage both the benefits and the responsibilities that come with the use of AI. Any organisation that uses AI can adopt the requirements and guidance, regardless of its size or kind.

Access ISO/IEC 42001 here.


Freedom of Information (Volume 4 - Considering the Public Interest) Guidelines 2023

Date: 7 December 2023
Jurisdiction: ACT

Abstract: 

As of 1 December 2023, the Freedom of Information (Volume 4 – Considering the public interest) Guidelines 2023 (the 2023 Guidelines) has replaced the previous 2020 edition of the guidelines.

The purpose of the guidelines is to assist decision-makers when deciding under the Freedom of Information Act 2016 whether it would be contrary to the public interest to disclose government information. The guidelines provide information about the guiding principles for decision-makers, common terms and phrases, and categories of information that are taken to be contrary to the public interest to disclose. They also explain how to apply the public interest test to ensure all relevant factors are balanced in the process of reaching a decision.

The changes to the 2023 Guidelines as compared to the 2020 version are as follows:

  • All information that is subject to legal professional privilege will be considered contrary to public interest if disclosed under the 2023 Guidelines. Previously, there had been an exception for information protected by legal professional privilege if it might reveal corruption, the commission of an offence or that a law enforcement investigation had exceeded its legal limits.

Freedom of Information (Miscellaneous) Amendment Bill 2023

Date: 7 December 2023
Jurisdiction: South Australia

Abstract:

On 29 November, the Freedom of Information (Miscellaneous) Amendment Bill 2023 (the Bill) was introduced to South Australia’s Legislative Council. The Bill amends South Australia’s Freedom of Information Act 1991 in order to authorise and encourage the proactive public release of government information by agencies.

Some of the key proposals contained within the Bill are to:

  • Require that applications to access agencies' documents:
      • are in writing
      • contain the information necessary to identify the document
      • specify a postal address in Australia (and an email address if possible)
      • are accompanied by such application fee as may be prescribed
      • are lodged in a manner determined by the agency
  • Require that the application to access a document that contains personal information of the applicant must be accompanied by relevant identity evidence for the applicant
  • Provide that disclosure of a document would be contrary to the public interest if there are public interest considerations that would outweigh the public interest considerations in favour of disclosure

Digital ID Bill 2023 (Cth)

Date: 6 December 2023
Jurisdiction: Commonwealth

Abstract:

On 30 November, the Digital ID Bill 2023 (Cth) (the Bill) was introduced in the Senate. The aim of the Bill is to strengthen existing Digital ID schemes by increasing governance, privacy, and consumer protections as well as to provide legislative backing to the expansion of the schemes.

The Bill strengthens privacy requirements for accredited providers under the Trusted Digital Identity Framework (the government’s existing voluntary digital ID accreditation scheme). These include prohibitions on the use of single identifiers and on the disclosure of information for marketing, and restrictions on the collection, use and disclosure of biometrics and other personal information. Penalties for non-compliance are included in the Bill. This aims to ensure that individuals using digital ID services from accredited providers can be sure their information and privacy are protected.

The Bill also provides for expansion of the Australian Government Digital ID System (AGDIS). Phases 1 and 2 of the expansion will see the reciprocal use of digital IDs and attribute providers in Commonwealth and state and territory services. Eventually the government’s digital ID services and attribute providers will expand to the private sector under Phase 3.


Australian Signals Directorate announces changes to Essential Eight Maturity Model

Date: 30 November 2023
Source: Australian Signals Directorate

Abstract:

The Australian Signals Directorate (ASD) has announced changes to its Essential Eight Maturity Model.

The Essential Eight Maturity Model is a set of mitigation strategies that organisations are recommended to implement in order to protect against cybersecurity threats.

Specific changes are split between three levels of maturity. To determine the level of maturity applicable to it, an organisation needs to consider the likelihood of being targeted (which is influenced by its desirability to malicious actors) and the consequences of a cybersecurity incident, given the level of mitigation strategies it has in place.

The changes are thorough and fall under each of the following topics:

  • Patch applications and operating systems
  • Multi-factor authentication
  • Restrict administrative privileges
  • Application control
  • Restrict Microsoft Office macros
  • User application hardening
  • Regular backups

OAIC welcomes newly appointed Privacy and Freedom of Information Commissioners

Date: 29 November 2023
Source: Office of the Australian Information Commissioner (OAIC)

Abstract:

This week the Australian Government appointed two new commissioners in order to fully restore the OAIC.

Elizabeth Tydd has been appointed as the Freedom of Information Commissioner for a five-year term. Elizabeth Tydd was previously the Information Commissioner and CEO of the NSW Information and Privacy Commission. The appointment will commence on 19 February 2024. Toni Pirani will continue as acting Freedom of Information Commissioner in the interim.

Carly Kind has been appointed as the Privacy Commissioner. Carly Kind has expertise in data protection, AI policy, practice and governance, privacy and technology law policy. The appointment will commence on 26 February 2024. Angelene Falk will continue as Privacy Commissioner in the interim.

These appointments mark the first time since 2015 that the OAIC will have standalone Privacy and Freedom of Information Commissioners.

The full OAIC media release is available here.


Privacy and Personal Information Protection Act 1998 (NSW) amendments come into effect

Date: 29 November 2023
Source: Privacy and Personal Information Protection Act 1998 (NSW)

Abstract:

Amendments to the Privacy and Personal Information Protection Act 1998 (NSW) (PPIP Act) have now come into effect as of 28 November 2023.

Passed by the NSW Parliament in November 2022, the amendments impact the responsibilities of agencies under the PPIP Act. Under the new Mandatory Notification of Data Breach Scheme, agencies must now provide notifications to the Privacy Commissioner and affected individuals in the event of an eligible data breach involving personal or health information.

Read the full Privacy and Personal Information Protection Amendment Bill 2022 here.


Information Privacy and Other Legislation Amendment Bill 2023 (Queensland)

Date: 29 November 2023
Jurisdiction: Queensland

On 28 November 2023 the Queensland Parliament passed the Information Privacy and Other Legislation Amendment Bill 2023 (the Bill).

The Bill will amend a number of Queensland laws, including the Information Privacy Act 2009 in order to bolster the state’s data and privacy framework. Notable changes include:

  • The creation of a mandatory data breaches reporting scheme
  • Introduction of new Queensland Privacy Principles
  • Amendments or insertion of definitions of key terms such as “personal information” and “sensitive information” to better align with the Privacy Act 1988 (Cth)

Governance Institute of Australia report recommends organisations improve their data governance practices

Date: 23 November 2023
Source: Governance Institute of Australia

Abstract: 

A report released by the Governance Institute of Australia (GIA) has revealed that understanding of data governance requirements and associated best practices is lacking in many Australian organisations.

The GIA conducted a survey of 345 individuals including senior governance and risk professionals, C-suite executives, directors and other professionals for their report on ‘Data governance in Australia’. Among the most alarming findings were that over 50% of respondents’ organisations did not have a data governance framework, and almost 60% of respondents believed that the board of their organisation did not have an understanding of the organisation’s current data governance challenges.

Based on the findings of the report, the GIA makes the following recommendations for organisations in relation to data governance:


Australian Information Commissioner and Privacy Commissioner provides insight into government plans for artificial intelligence and privacy law reform

Date: 2 November 2023
Source: Office of the Australian Information Commissioner

Abstract:

Angelene Falk, the Australian Information Commissioner and Privacy Commissioner, delivered a speech at the Australian Government Solicitor FOI and Privacy Law Conference on 31 October 2023.

The speech provided insight into the Government’s approach to a number of topics, most relevantly artificial intelligence and privacy law reform.

On the topic of AI, Falk began by noting that the Australian Government has identified artificial intelligence as a critical technology in the national interest and that accordingly there are several initiatives underway to promote trusted, secure and responsible AI. Further, it was revealed that in early October the Commonwealth, state and territory education ministers agreed to an Australian framework for generative AI in schools. The purpose of the framework is to guide the responsible and ethical use of generative AI tools in ways that benefit students, schools and society. Speaking on the possibility of dedicated AI regulation, Falk revealed that the OAIC’s position was that consideration should be given to how existing frameworks should be strengthened and enhanced to provide adequate safeguards before a separate regulatory regime specific to AI is considered.


Australian Government releases its 2023-2030 Cyber Security Strategy

Date: 22 November 2023
Source: Department of Home Affairs

Abstract:

The Australian Government has released its 2023-2030 Australian Cyber Security Strategy (the Strategy). Following the release of a related discussion paper in early 2023, over 330 submissions were received and over 700 stakeholders consulted informing the development of the Strategy.

The Strategy sets out six ‘cyber shields’ that form an overarching framework to bolster Australian cyber security. The six shields and some of the key changes that will be made to give effect to them, are as follows:

1. Strong businesses and citizens

The Strategy acknowledges the importance of all members of Australian society sharing the responsibility for cybersecurity. In order to develop this shield, the Australian Government will:

  • Support small and medium businesses to strengthen their cyber security

Private school reprimanded by Australian Information Commissioner (Pacific Lutheran College (Privacy))

Date: 15 November 2023
Court: Australian Information Commissioner
Judge(s): Angelene Falk
Judgment date: 24 October 2023

Abstract:

Pacific Lutheran College (PLC) was the victim of a data breach that amounted to an eligible data breach under the Privacy Act 1988 (Privacy Act). PLC’s obligations under the Privacy Act in respect of this incident, and whether they had been properly complied with, were the subject of scrutiny by the Australian Information Commissioner, Angelene Falk.

The case:

PLC, a private school in Queensland, operates an onsite Early Learning Centre and Outside School Hours Care Services. On 28 May 2020 there was unauthorised access by a third party to the email account of the manager of the Early Learning Centre and Outside School Hours Care Services. The email account was regularly used to collect information from individuals, including birth certificates, credit card details, Medicare card details and tax file numbers.

The Office of the Australian Information Commissioner investigated the acts and practices of PLC, particularly focussing on PLC’s compliance with three sections of the Privacy Act around the time of the incident on 28 May 2020.


AI Governance on the agenda with the Bletchley Declaration

Date: 15 November 2023
Source: www.industry.gov.au

Abstract: 

Australia along with 27 other countries signed the Bletchley Declaration following the inaugural Artificial Intelligence (AI) Safety Summit held in the United Kingdom on 1-2 November 2023. This declaration seeks to establish a shared understanding of the opportunities and risks posed by frontier AI. The signatories agreed to share knowledge on AI safety and research, as well as intelligence about AI’s misuse.

As part of this declaration, the signatories recognised that many risks arising from AI are inherently international in nature, and so are best addressed through international cooperation. Relatedly, the UN Secretary General, António Guterres made a statement at the AI Summit that underscored the importance of basing principles of AI governance on the United Nations Charter and the Universal Declaration of Human Rights. The Secretary General highlighted concerns with AI’s disruption to job markets and economies; and the loss of cultural diversity that could result from algorithms that perpetuate biases and stereotypes.

The rapidly developing global conversation regarding AI governance has been driven by the growth in generative AI.


Annual Cyber Threat Report records cyber attacks on critical infrastructure and attempts to extract maximum payments from victims

Date: 15 November 2023
Source: www.cyber.gov.au

Abstract:

The Australian Signals Directorate (ASD), through its technical authority on cybersecurity, the Australian Cyber Security Centre (ACSC), has published the Annual Cyber Threat Report 2022-23. The report demonstrates that a range of malicious cyber actors regularly targeted Australian networks, leading to a 14% rise in the average cost of cybercrime per report. The average cost of cybercrime for small businesses was $46,000, for medium businesses $97,000 and for large businesses $71,000. The top 3 cybercrime types for businesses were email compromise, business email compromise fraud, and online banking fraud. With regard to individuals, identity fraud, online banking fraud and online shopping fraud were the top 3 cybercrime types.

ASD noted in its report that cybercriminals constantly evolved their operations against Australian organisations, with ASD responding to 127 extortion-related incidents, 118 of which involved ransomware or other forms of restriction to systems, files or accounts. Meanwhile, significant data breaches resulted in millions of Australians having their information stolen and leaked on the dark web.


Joint ACCC/OAIC Compliance and Enforcement Policy for the Consumer Data Right

Date: 25 October 2023
Source: Office of the Australian Information Commissioner (OAIC)

The Australian Competition and Consumer Commission (ACCC) and the Office of the Australian Information Commissioner (OAIC) have published a joint policy to outline their approach toward compliance and enforcement of the Consumer Data Right (CDR).

The CDR allows consumers to have more control over their personal data held by businesses and how this data is shared. The CDR regulatory framework consists of:


Microsoft announces $5 billion investment in Australia

Date: 25 October 2023
Source: Prime Minister of Australia

Abstract:

Prime Minister Anthony Albanese has announced a $5 billion investment in Australia from Microsoft.

Microsoft will collaborate with the Australian Signals Directorate (ASD) on the Microsoft-ASD Cyber Shield in order to strengthen Australia’s defences against cyber threats to individuals, businesses and governments. This will be done through an improved capability to identify, prevent and respond to cyber threats and will be one of the first steps taken as part of the 2023-2030 Cyber-Security Strategy, which aims for Australia to become a world-leading cyber secure and resilient nation by 2030.

The investment will fund the further expansion of Microsoft’s hyperscale cloud computing and artificial intelligence infrastructure over the next two years. In doing so, Microsoft will grow its local footprint from 20 to 29 sites across Sydney, Canberra and Melbourne.


Key findings from OAIC annual report 2022-23

Date: 19 October 2023
Source: Office of the Australian Information Commissioner (OAIC)

Abstract:

The Office of the Australian Information Commissioner (OAIC) has published its annual report for 2022-23 (Report), which highlights the work undertaken by the OAIC to uphold privacy and information access rights. The OAIC’s regulatory activities include conducting investigations, handling complaints, reviewing decisions made under the Freedom of Information Act 1982 (Cth), monitoring agency administration, and providing advice to the government and the community.

According to the Report, in 2022-23, the OAIC:

  • received 1,647 applications for Information Commissioner review of freedom of information (FOI) decisions (down 16% compared to 2021–22) and finalised 1,519 (up 10%);
  • received 212 FOI complaints (down 2%) and finalised 124 (down 44%);
  • received 34% more privacy complaints (a record number of 3,402) than in 2021–22, and finalised 2,576 privacy complaints (up 17%), with the average time taken to finalise a privacy complaint being 6.4 months;
  • received 895 notifications under the Notifiable Data Breaches scheme (up 5%), with the average time taken to finalise a data breach notification being 55 days;
  • handled 11,672 privacy enquiries (up 7%) and 1,647 FOI enquiries (down 15%);

ACCC Chair reiterates need for reform in Digital Future Summit address

Date: 18 October 2023
Source: Australian Competition and Consumer Commission

In an address at King and Wood Mallesons' Digital Future Summit on 17 October 2023, Chair of the Australian Competition and Consumer Commission (ACCC) Gina Cass-Gottlieb reiterated the need for regulatory reform to address competition and consumer issues identified by the ACCC in its digital platforms work, including its Digital Platform Services Inquiry. See our previous Latest Legal Update: Platform for change: ACCC reinforces calls for targeted regulation of digital platforms to address competition and consumer issues.

Ms Cass-Gottlieb restated some of the ACCC’s proposed reforms, noting that it is “critical [Australia has] fit-for-purpose regulatory tools that ensure effective and robust competition and consumer protection.” In particular, she flagged the ACCC’s following proposals:

  • New sector-specific mandatory codes of conduct for designated digital platforms, introducing targeted obligations to address anti-competitive conduct.
  • Merger reforms to bring Australia’s merger regime more into line with many OECD countries, and protect competition in Australia during a period of economic transition (see our previous Latest Legal Update: “No longer fit for purpose” — ACCC Chair calls for reform of merger laws).

Treasury consults on regulation of digital and crypto assets

Date: 17 October 2023
Source: The Treasury

Abstract:

The Federal Government has released a proposal paper that recommends making crypto exchanges and digital asset platforms subject to existing Australian financial services laws and requiring platform operators to obtain an Australian Financial Services Licence. The proposal paper also recommends requiring digital asset platforms to adhere to minimum standards for holding tokens, standards for custody software, and standards when transacting in tokens. Feedback on the proposal paper is due by 1 December 2023, with further consultation on draft legislation planned for 2024.

In recent years, consumers have suffered harm and lost assets due to the collapse of crypto platforms. The proposed regulatory framework intends to increase oversight, protect consumers, support innovation, provide certainty in the industry, and ensure consistency with other jurisdictions.

The proposal paper discusses approaches to regulating digital asset intermediaries, licensing digital asset intermediaries, introducing minimum standards for facility contracts, and introducing minimum standards for ‘financialised functions’.

See the proposal paper here and the media release from Hon Stephen Jones MP, Assistant Treasurer and Minister for Financial Services, here.


Telecommunications Amendment (Disclosure of Information for the Purpose of Cyber Security) Regulations 2023 (Cth)

Date: 5 October 2023
Source: Federal Register of Legislation
Jurisdiction: Commonwealth
Status: Commenced

Abstract:

The Telecommunications Amendment (Disclosure of Information for the Purpose of Cyber Security) Regulations 2023 commenced on 30 September 2023, extending the operation of sections 15A and 15B of the Telecommunications Regulations 2021 for a further twelve months. This will allow the Australian government additional time to weigh the ongoing appropriateness and effectiveness of the regulations and to implement a more permanent solution in primary legislation.

These sections allow the disclosure of information or documents to financial services entities (s 15A) or government entities (s 15B), circumventing the prohibitions contained in s 276 of the Telecommunications Act 1997, if it is for the purpose of cyber security. Sections 15A(2) and 15B(2) provide the specified circumstances that must be present for the disclosure to be allowable under the regulations.

The amendment also changes the form by which the Minister for Communications may specify additional types of information or documents as disclosable under the sections, from a notifiable instrument form to a legislative instrument form.


Upcoming Privacy Act reforms seek to strengthen individual rights and the regulator’s enforcement powers

Date: 4 October 2023
Source: www.ag.gov.au

Abstract:

The Federal Government’s agreement to amend the objects of the Privacy Act 1988 (Cth) to state that the Act is about the protection of personal information and that there is a public interest in protecting privacy signals the direction in which reforms to the Privacy Act are likely to proceed.

On 28 September 2023, the Federal Government responded to the Privacy Act Review Report (the Response). The Practical Guidance Cybersecurity, Data Protection and Privacy module will shortly publish a toolkit that will address all these upcoming changes to the Privacy Act with easy-to-follow, practical guidance on how to uplift your organisation’s privacy policies and procedures.

In the meantime, some of the key takeaways from the Federal Government’s Response are outlined below.

Broadening the scope of the Privacy Act

To date, small businesses with turnovers of less than $3 million have been exempt from the operation of the Privacy Act. Following further consultation, this exemption could be removed.


Government responds to Privacy Act Review Report

Date: 29 September 2023
Source: Australian Government Attorney-General’s Department

On 28 September 2023, the Australian Government responded to the Privacy Act Review Report (Report) released by the Attorney-General in February 2023 after nearly three years of extensive consultation. The Report reviews the scope and application of the Privacy Act 1988 (Cth) (Privacy Act), including whether the Privacy Act is fit for purpose and whether individuals should have direct rights of action to enforce privacy obligations, among other issues of protection, regulation, and enforcement.

Of the 116 proposals in the Report, the Government agrees to 38 proposals, agrees in-principle to 68 proposals and notes 10 proposals. ‘Agrees in-principle’ indicates that the Government would like to conduct a comprehensive impact analysis and further engagement before making a final decision on the implementation of the proposals.


Sony cyberattack highlights importance of strong cybersecurity practices

Date: 27 September 2023

Abstract:

This week Sony has been embroiled in yet another high-profile cybersecurity breach after ransomware group “Ransomed.vc” claimed to have gained access to all of the company’s systems. In an unexpected turn of events, a second individual ostensibly acting alone has claimed that the only legitimate breach of Sony’s systems was his own, through which he has gained access to the credentials for a number of Sony internal systems.

This sequence of events highlights the uncertain and unpredictable nature of cyberattacks that can threaten organisations of all sizes at any time. It also emphasises the importance of taking protective measures and developing robust processes to follow in case of any kind of breach or attack.

The latest guidance on ransomware states that organisations should prepare for any threats by creating incident response plans and identifying key stakeholders, developing security controls and seeking cyber insurance, identifying risks, and briefing the board and senior staff on organisation protocols. Organisations should also continue to follow the Australian Signals Directorate Essential Eight:

  • Application whitelisting
  • Application patching
  • Disabling Office macros
  • User application hardening
  • Restricting administrative privileges
  • Patching operating systems
  • Multi-factor authentication
  • Daily backups

Commonwealth Government releases draft Digital ID Bill

Date: 25 September 2023
Source: Australian Government

Abstract:

The Australian Government has released a draft of the proposed Digital ID Bill, which aims to regulate the use and provision of Digital IDs across the entire country. The proposed legislation will expand the existing Digital ID system and introduce additional measures to ensure that Digital ID providers are storing and handling the private information of individuals safely and securely.

The bill will introduce a number of new regulatory strategies to achieve its purpose:

  • The creation of an accreditation scheme for Digital ID service providers: The bill will introduce a voluntary Accreditation Scheme that providers of Digital ID services can opt into. The scheme will involve rigorous technical standards and appropriate mechanisms for enforcement. This will ensure that accredited Digital ID providers meet the desired standards in areas such as privacy, cybersecurity and user experience.
  • Increase the number of available Digital ID service providers: The bill allows for the Commonwealth Government to partner with state and territory governments as well as private sector organisations in order to increase the number of Digital ID service providers and facilitate more choice for consumers when creating and using Digital IDs.

ASIC sues provider of Kraken crypto exchange alleging design and distribution breaches

Date: 21 September 2023
Source: Australian Securities & Investments Commission (ASIC)

Abstract:

The Australian Securities & Investments Commission (ASIC) has commenced civil penalty proceedings against Bit Trade Pty Ltd (Bit Trade), the provider of the Kraken crypto exchange, in the Federal Court of Australia. ASIC alleges that Bit Trade contravened s 994B(2) of the Corporations Act 2010 (Cth) (Act) by failing to comply with the design and distribution obligations (DDO) for the margin trading product it offered to Australian customers on the Kraken exchange.

The DDO regime under Part 7.8A of the Act requires financial product issuers and distributors to design financial products that meet the needs and circumstances of consumers and to distribute those products in a targeted manner. Companies must make a target market determination (TMD), a mandatory public document identifying the target market and restrictions on distribution, and identify “review triggers” indicating that a TMD is no longer appropriate.

From January 2020, Bit Trade has offered a margin trading product known as “Margin Extensions” to Australian customers via the Kraken exchange.


Digital platform regulators make joint submission to consultation on ‘Safe and responsible AI in Australia’ Discussion Paper

Date: 12 September 2023
Source: Australian Government eSafety Commissioner

Abstract:

The Digital Platform Regulators forum (DP-REG), which includes the Australian Competition and Consumer Commission (ACCC), the Australian Communications and Media Authority (ACMA), the eSafety Commissioner, and the Office of the Australian Information Commissioner (OAIC), has given a joint submission in response to the Department of Industry, Science and Resources’ (DISR) consultation on the ‘Safe and responsible AI in Australia’ Discussion Paper.

In its submission, DP-REG outlined the opportunities and challenges posed by rapid developments in the use of artificial intelligence (AI), including potential implications for each member’s existing regulatory framework. The submission considered how existing regulatory frameworks can be used or enhanced in order to provide appropriate safeguards for the Australian public.

DP-REG seeks to promote a whole-of-government response to AI through ongoing collaboration and coordination, information sharing, and stakeholder engagement. To this end, DP-REG currently has three standing working groups: Digital Technology, Codes & Regulation, and Data & Research. This approach allows consideration of how competition, consumer protection, privacy, online safety and data issues intersect.


Minister for Home Affairs announces designation of 87 critical infrastructure assets as systems of national significance

Date: 11 September 2023

Abstract:

The Minister for Home Affairs, Clare O’Neil has designated 87 new critical infrastructure assets as “systems of national significance” (SoNS), emphasising the Government’s increasing focus on the protection of assets that would affect Australia’s social or economic stability, defence, or national security should they be subject to a cyber threat.

Part 6A of the Security of Critical Infrastructure Act 2018 (SOCI Act), enables the Minister for Home Affairs (the Minister) to declare a critical infrastructure asset to be a system of national significance. Once designated, SoNS continue to be subject to all the obligations that applied to that critical infrastructure asset under the SOCI Act before it was declared a SoNS. In addition to these obligations, entities responsible for assets designated as SoNS may be subject to Enhanced Cyber Security Obligations, outlined in Part 2C of the SOCI Act.

These obligations include the responsible entity needing to create response plans for cyber incidents, prepare through cyber security exercises, obtain assessments to identify and fix vulnerabilities, and hand over system information or control of the systems to the Australian Signals Directorate if required.


Administrative Appeals Tribunal sheds light on non-economic loss under the Privacy Act (HYYL and Privacy Commissioner)

Date: 11 October 2023
Court: Administrative Appeals Tribunal
Tribunal Member(s): Justice Perry, Deputy President
Decision date: 13 September 2023

Abstract:

A decision of the Australian Administrative Appeals Tribunal has shed light on what will constitute loss or damage under the Privacy Act in cases where there has been a data breach.

The appeal concerned a declaration of the Privacy Commissioner (the respondent) relating to a data leak by the Department of Home Affairs, in breach of principles 5 and 7 of the Information Privacy Principles (the precursor to the Australian Privacy Principles).

On 10 February 2014, a document was uploaded onto the Department of Immigration and Citizenship’s website containing the personal information of 9258 individuals who were in immigration detention as at 31 January. Following an influx of complaints to the Office of the Australian Information Commissioner and a subsequent investigation, a representative complaint was lodged with the respondent seeking an apology, compensation for the class members who had suffered economic and non-economic loss, and aggravated damages.
