Latest news on Australian privacy and information security laws
Summary
TL;DR: In this Privacy Espresso episode, Kelly Dixon, a managing principal lawyer at Macpherson Kelley's Dandenong office, discusses significant developments in Australian privacy law. She highlights two consultations before parliament that would increase privacy penalties and align Australian privacy law more closely with the GDPR. Dixon also addresses a leak of around 500,000 addresses from the New South Wales government's COVID QR check-in data and the Privacy Commissioner's determination that 7-Eleven interfered with customers' privacy by collecting biometric data without adequate notice or consent, emphasizing the importance of businesses understanding and implementing robust privacy policies. The discussion underscores the need for businesses to be proactive in privacy protection, especially as the OAIC shifts from education to enforcement.
Takeaways
- 📘 Australia is currently undergoing legislative developments in privacy law that could have significant impacts on businesses.
- 🔍 Two privacy consultations are before the Australian parliament, focusing on online and digital legislation, which may extend beyond just online platforms.
- 💰 Proposed changes include increasing privacy penalties to match those in Australian consumer law: the greater of 10 million dollars, three times the benefit obtained from the contravention, or 10% of turnover.
- 🕵️♂️ The Australian Privacy Commissioner may be granted new investigative powers to enforce privacy laws more effectively.
- 📜 The second proposal aims to align Australia's privacy law more closely with GDPR standards, introducing rights such as direct action for individuals and more prescriptive notice and consent requirements.
- 🏥 A recent data leak in New South Wales, linked to COVID QR check-in data, exposed around 500,000 addresses, including defense sites, domestic violence shelters and infrastructure networks, highlighting the importance of thinking about what data is published and why.
- 🛑 The Privacy Commissioner determined the NSW leak was not a privacy breach as defined, because the leaked records were business addresses rather than information about identifiable individuals, but it still raised public concern because some of those sites are highly sensitive.
- 🏪 The 7-Eleven case demonstrated the importance of obtaining proper consent and providing adequate notice when collecting personal information, especially biometric data.
- 📊 The OAIC's data breach report indicates a shift from education to enforcement in data breach management, emphasizing the need for businesses to have robust systems in place.
- ⏱ Australia's data breach scheme allows up to 30 days to assess and report a suspected breach, longer than the 72-hour notification deadline in some other jurisdictions (for example the GDPR), but 30 days is an upper limit and notification is expected well before that.
- 🛡️ The key takeaway for businesses is to have privacy policies and procedures in place, train staff on data handling, and be prepared to respond to potential breaches.
Q & A
What is the main topic of discussion in the 'Privacy Espresso' episode featuring Kelly Dixon?
-The main topic of discussion is the recent developments in Australian privacy law, including legislative changes and significant cases that have implications for businesses operating in Australia.
Why should businesses be aware of the current privacy law consultations in Australia?
-Businesses should be aware of the privacy law consultations because the proposed legislation, although named as online or digital, could apply broadly to all sorts of businesses, potentially increasing penalties and introducing new privacy requirements similar to GDPR.
What are the two privacy consultations currently before the Australian Parliament?
-The two consultations are a proposed Online Privacy Bill, which would create a code for social media platforms and increase privacy penalties, and a second proposal aimed at aligning Australia's privacy law more closely with GDPR, including a direct right of action for individuals and more prescriptive notice and consent requirements.
What was the significance of the data breach involving the New South Wales government?
-The significance of the data breach was that it exposed sensitive information, including addresses of defense sites, domestic violence shelters, and infrastructure networks, raising concerns about the security of such data and the potential misuse of information by the public.
Why did the Privacy Commissioner determine that the New South Wales data breach was not a privacy breach as defined?
-The Privacy Commissioner determined that it was not a privacy breach because the leaked data consisted of business addresses rather than information about identifiable individuals, so it fell outside the statutory definition even though some of the addresses were highly sensitive sites.
What was the outcome of the 7-Eleven case in Australia regarding customer privacy?
-The Australian Privacy Commissioner determined that 7-Eleven interfered with customer privacy by collecting biometric information (facial images of people completing in-store survey tablets) without adequate notice or consent and using it for demographic profiling, which breached Australia's privacy principles on notice of collection and on collection being reasonably necessary for the stated purpose.
What is one of the key takeaways from the recent database report by the Australian Information Commissioner?
-A key takeaway is that after four years of Australia's data breach mechanism being in place, the Privacy Commissioner is moving from education to enforcement and expects businesses to have robust data breach response systems in place.
What are some of the actions businesses should take in light of the data breach report findings?
-Businesses should implement privacy policies, establish procedures for staff to follow in case of a breach, and provide training to staff on how to respond to potential incidents or breaches.
What is the reporting period for data breaches in Australia, and how does it compare to other jurisdictions?
-Australia's data breach scheme allows up to 30 days to investigate and report a suspected breach, compared with the 72-hour notification deadline in some other jurisdictions such as the GDPR. This gives businesses more time to work out what happened, but the 30 days is an upper limit and notification is expected much earlier than that.
What is the general advice for businesses regarding data collection and privacy considerations?
-Businesses should consider what personal information they are collecting and why, ensuring that the impact on privacy is proportionate to their objectives and that they have the appropriate consent and disclosure in place.
Outlines
📜 Australian Privacy Law Developments and Consultations
In this segment, Kelly Dixon, a managing principal lawyer at Macpherson Kelley in Australia, introduces the topic of recent developments in Australian privacy law. She emphasizes the importance for all businesses of being aware of ongoing privacy law consultations before parliament, as they could have far-reaching implications beyond digital platforms. Two consultations are highlighted: the proposed Online Privacy Bill, which aims to establish a code for social media platforms, increase privacy penalties and give the Privacy Commissioner new investigative powers, and a second proposal that aligns Australia's privacy law more closely with the GDPR. Key aspects of the latter include a direct right of action for individuals, more prescriptive notice and consent requirements, standard contractual clauses, changes to default privacy settings, and rights to object and to erasure. Dixon advises businesses to stay informed about these legislative changes and not to discount them just because they are labelled "online" or "digital".
🚨 Recent Privacy Breaches and Commissioner Determinations in Australia
This segment covers notable privacy incidents and regulatory actions in Australia. A significant incident involved a data leak in New South Wales in which approximately 500,000 addresses connected to COVID QR check-in data, including sensitive sites like defense locations and domestic violence shelters, were published on a website where they should not have been. Although the Privacy Commissioner determined it was not a breach as defined by privacy law, because the records were business addresses, the incident raised public concern and prompted a review of the QR check-in process. Another case involves 7-Eleven, which was found to have interfered with customer privacy by collecting biometric information through in-store survey tablets without proper consent or disclosure and using it for demographic profiling. The Privacy Commissioner's determination turned on inadequate notice of collection and on the collection not being reasonably necessary for the primary purpose. The segment concludes with Dixon's reading of the OAIC's data breach report: businesses should implement robust data breach mechanisms and privacy policies, train staff, and have procedures in place to address potential breaches. The message is clear: after four years of the data breach mechanism being in place, businesses are expected to handle such incidents effectively.
Keywords
💡Privacy Law
💡Online Privacy Bill
💡Privacy Penalties
💡Data Breach
💡QR Check-ins
💡Biometric Information
💡Demographic Profiling
💡Privacy Commissioner
💡Data Breach Mechanism
💡Human Error
💡Privacy Principles
Highlights
Kelly Dixon, managing principal lawyer of the Dandenong office of Macpherson Kelley in Australia, discusses recent developments in Australian privacy law.
There are two privacy consultations before the Australian parliament, focusing on online and digital legislation with broad implications for businesses.
The proposed Online Privacy Bill aims to create a code for social media platforms and increase privacy penalties to match consumer law penalties.
New investigative powers are proposed for the Privacy Commissioner under the Online Privacy Bill.
The second proposal seeks to align Australian privacy law more closely with GDPR, introducing direct rights of action for individuals.
Legislation proposes more prescriptive notice and consent requirements, and standard contractual clauses for the first time in Australia.
Changes to default privacy settings and new rights to object and erasure are being considered, similar to GDPR jurisdictions.
A data leak in New South Wales exposed around 500,000 addresses connected to COVID QR check-in data, including sensitive sites like defense locations and domestic violence shelters.
The Privacy Commissioner determined the New South Wales leak was not a privacy breach as defined, because the leaked data consisted of business addresses.
The data breach raised concerns about the security of sensitive sites and the public's trust in data handling.
The incident prompted a review of Australia's QR check-in process in light of the amount of data shared with the government during the pandemic.
7-Eleven in Australia was found to have interfered with customer privacy by collecting biometric information through in-store survey tablets without adequate notice or consent.
The privacy breach by 7-Eleven involved using collected biometric data for demographic profiling without proper disclosure.
The OAIC's data breach report indicates a shift from education to enforcement, expecting businesses to have data breach mechanisms in place.
The report emphasizes the need for businesses to have privacy policies and procedures, and to train staff on incident response.
The vast majority of data breaches come from malicious hacks and human error, highlighting the importance of privacy policies, procedures and staff training.
Australia's data breach scheme allows up to 30 days to investigate and report a breach, longer than the 72-hour deadline in some jurisdictions, but 30 days is an upper limit and earlier notification is expected.
Transcripts
Host: Welcome everyone. I'm pleased to have here in this Privacy Espresso episode Kelly Dixon, managing principal lawyer of the Dandenong office of Macpherson Kelley in Australia. Evidently we have been hearing a lot of data privacy updates and news from Australia, so we want to have Kelly here describe them. Kelly, welcome.

Kelly Dixon: Hello, thank you very much, and hello to everyone who is watching and listening to this. It is actually a good opportunity for us to be speaking about some Australian developments in privacy law. I do know that all around the world there's been various media grabs and newspaper articles about some of the things that have been occurring here in Australia, so I thought what we would do today is talk just very quickly about some legislative developments that are occurring in Australia, and also look at some interesting recent cases as well, to know about these new privacy proposals that are in Australia, because they will have some big impacts.

Host: Perfectly. So can you tell us why normal businesses, or otherwise all businesses, should be aware of these privacy law consultations?

Kelly Dixon: Yeah, so in Australia at the moment there are two privacy consultations that are before parliament and being looked at by some of our committees, and what I think is really important to note is that both of these consultations have been framed, and they have been named, as online or digital consultations and pieces of legislation. So I think it's very easy for businesses to say, "Oh well, I don't need to worry about this because it relates to online platforms or it relates to digital platforms," but the actual legislation goes a lot more deep and broad than that, so it can apply, if this legislation is passed, to all sorts of businesses.

So for the first one, which is a proposed Online Privacy Bill, what it's going to do is create a code for social media platforms, but for all businesses what's also hidden in there is that there is a proposal to increase privacy penalties in Australia to match the penalties in our consumer law. So that means that the penalties can be the higher of 10 million dollars, three times the benefit received from the contravention, or 10% of turnover, and our Privacy Commissioner is also proposed to have some new investigative powers.

Then the second proposal, if it gets passed, will bring Australia's privacy law a little bit closer to GDPR. Some of the proposals that are in this piece of legislation are for there to be a direct right of action for individuals to take against businesses, some changes to definitions to improve the understanding of privacy, but also, importantly for Australia, we're looking at more prescriptive notice and consent requirements, introducing some standard contractual clauses, some SCCs, that we've never had before, some changes to default settings for privacy as well, and a right to object and to erasure, which are rights you know in GDPR jurisdictions but not here yet for us. So I'd encourage people to continue to look at this as it passes through consideration, but don't discount it just because it relates to digital.

Host: Thank you very much, Kelly. Evidently, so, Australia is one of those countries that has initiated a pattern towards the GDPR international standards, also in terms of fines. Let's talk about the case. Around the world the news went that the New South Wales government suffered a data breach. What can you tell us about it?

Kelly Dixon: Yes, so this was an interesting one. In New South Wales, which is one of the states in Australia, there was a data breach, there was a leak of 500,000 addresses, and this was related to COVID and our QR check-ins and those sorts of things. What made this interesting and concerning for people is that those 500,000 or so addresses included defense sites, domestic violence shelters, Australia's infrastructure networks, and so, you know, this was data that had been uploaded onto a website, probably in hindsight in situations when it shouldn't have been.

Now, the New South Wales government did report that to the Privacy Commissioner, who determined that it was not a privacy breach as defined, and the reason for that is that the data that was leaked was business addresses. What the consequence is, though, is that some of those sites are very sensitive sites, and so the thought in the public was, well, people could use that information to then go and visit the domestic violence shelters or the defense structures and sites. So it wasn't a strict privacy breach, but it certainly caused some concern for Australians and for more vulnerable consumers.

But I think that what it also did was, it's quite timely at the moment: we're currently looking at our QR check-in process and whether, now that Australia is starting to open up from isolation again, just how useful and effective doing a QR check-in is. So, you know, I think it's just brought to light that there is an awful lot of data, and particularly through COVID so much data was given to government, shared with government, and this breach really was perhaps just not some great thought about what was being made available in circumstances where it didn't need to be.

Host: Really very interesting. And there are some other interesting cases, for instance the 7-Eleven one you mentioned briefly at the outset.

Kelly Dixon: Yes, so 7-Eleven is a case that has happened just recently in Australia as well, and this is where our Privacy Commissioner has made a determination that 7-Eleven, the convenience store, did interfere with customer privacy. So what 7-Eleven was doing in Australia in some of its stores was it had put some iPads, some tablets, in store to record customers' in-store experience, so people could do a survey once they were in store about how their shopping experience had been. But part of that was that these tablets collected biometric information: they took photographs of the people who were filling in the surveys, and 7-Eleven say that the reason that they were doing that was to help prevent duplicated surveys or people, you know, circumventing that. But what the Commissioner found was that that biometric information was also being used for demographic profiling, and there was no consent to that occurring, and that wasn't disclosed in the collection statements that were provided when people first signed up to one of these surveys. So that was held to be a breach of a couple of Australia's privacy principles, the APPs and the guidance that we have there, and it was basically about not adequate notice of collection and collection not being reasonably necessary for the primary purpose that they were doing all of this. So I think that, you know, what that case was really about, and the reminder to Australian businesses, is about what are you collecting, what personal information is it, and why are you collecting it, and having that thought about: is the impact on privacy proportionate to what you're trying to do? So that was one of our Commissioner determinations.

Host: The advice you echoed is particularly fundamental. So, talking in terms of general policy, the recent data breach report of the Australian Information Commissioner was released. Can you give us your comment about it and some tips to businesses out there?

Kelly Dixon: Yes, so the OAIC publishes statistics about the number of data breach reports that we have, and Australia's data breach mechanism has been in place for four years now. So I think that the biggest tip and the biggest message to come out of the report is that the Privacy Commissioner isn't so much doing education as enforcement, and expecting businesses to have data breach mechanisms in place. You know, it's been four years, so businesses should now have appropriate systems in place. And maybe this is the case everywhere around the world, but the vast majority of data breaches come from malicious hacks and from human error, so really the message for businesses is to consider privacy and to have privacy policies in place and to have procedures for staff to follow, and to train staff about what to do if something goes wrong or if they become aware that there has been a potential incident or breach. One of the saving graces perhaps in Australia is that our data breach mechanism reporting period is up to 30 days, not 72 hours, so Australian businesses do have longer to investigate and to try to work out what has happened. But that 30 days is certainly considered to be an upper limit, and it should be notified a lot earlier than that.

Host: Thank you so much. The clear message is: four years were given, now it's time to take action. Let's meet again with privacy rules in one of the next episodes. Thank you very much, Kelly.

Kelly Dixon: It sounds good, thank you.