Latest news on Australian privacy and information security laws

PrivacyRules
22 Mar 2022 09:58

Summary

TLDR: In this Privacy Espresso episode, Kelly Dixon, a managing principal lawyer, discusses significant developments in Australian privacy law. She highlights two key consultations before parliament that aim to increase penalties and align privacy law with GDPR standards. Dixon also addresses a data breach involving the New South Wales government and a case involving 7-Eleven's misuse of biometric data, emphasizing the importance of businesses understanding and implementing robust privacy policies. The discussion underscores the need for businesses to be proactive in privacy protection, especially as the OAIC shifts from education to enforcement.

Takeaways

  • 📘 Australia is currently undergoing legislative developments in privacy law that could have significant impacts on businesses.
  • 🔍 Two privacy consultations are before the Australian parliament, focusing on online and digital legislation, which may extend beyond just online platforms.
  • 💰 Proposed changes include increasing privacy penalties to match those in consumer law, with fines potentially reaching up to 10 million dollars, three times the benefit of the contravention, or 10% of turnover.
  • 🕵️‍♂️ The Australian Privacy Commissioner may be granted new investigative powers to enforce privacy laws more effectively.
  • 📜 The second proposal aims to align Australia's privacy law more closely with GDPR standards, introducing rights such as direct action for individuals and more prescriptive notice and consent requirements.
  • 🏥 A recent data breach in New South Wales exposed sensitive information, including defense sites and domestic violence shelters, highlighting the importance of data security.
  • 🛑 The privacy breach was not officially classified as one by the Privacy Commissioner because the leaked data was considered business addresses, but it raised public concern.
  • 🏪 The 7-Eleven case demonstrated the importance of obtaining proper consent and providing adequate notice when collecting personal information, especially biometric data.
  • 📊 The OAIC's data breach report indicates a shift from education to enforcement in data breach management, emphasizing the need for businesses to have robust systems in place.
  • ⏱ Australian businesses have a 30-day window to report data breaches, which is longer than the 72-hour period in some other jurisdictions, but prompt reporting is still expected.
  • 🛡️ The key takeaway for businesses is to have privacy policies and procedures in place, train staff on data handling, and be prepared to respond to potential breaches.

Q & A

  • What is the main topic of discussion in the 'Privacy Espresso' episode featuring Kelly Dixon?

    -The main topic of discussion is the recent developments in Australian privacy law, including legislative changes and significant cases that have implications for businesses operating in Australia.

  • Why should businesses be aware of the current privacy law consultations in Australia?

    -Businesses should be aware of the privacy law consultations because the proposed legislation, although named as online or digital, could apply broadly to all sorts of businesses, potentially increasing penalties and introducing new privacy requirements similar to GDPR.

  • What are the two privacy consultations currently before the Australian Parliament?

    -The two consultations are a proposed Online Privacy Bill, which would create a code for social media platforms and increase privacy penalties, and a second proposal aimed at aligning Australia's privacy law more closely with GDPR, including a direct right of action for individuals and more prescriptive notice and consent requirements.

  • What was the significance of the data breach involving the New South Wales government?

    -The significance of the data breach was that it exposed sensitive information, including addresses of defense sites, domestic violence shelters, and infrastructure networks, raising concerns about the security of such data and the potential misuse of information by the public.

  • Why did the Privacy Commissioner determine that the New South Wales data breach was not a privacy breach as defined?

    -The Privacy Commissioner determined that it was not a privacy breach because the leaked data consisted of business addresses, which are not typically considered private under the current definitions.

  • What was the outcome of the 7-Eleven case in Australia regarding customer privacy?

    -The Australian Privacy Commissioner determined that 7-Eleven interfered with customer privacy by collecting biometric information through tablets in stores without adequate notice or consent, using it for demographic profiling, which was a breach of Australia's privacy principles.

  • What is one of the key takeaways from the recent data breach report by the Australian Information Commissioner?

    -A key takeaway is that after four years of Australia's data breach mechanism being in place, the Privacy Commissioner is moving from education to enforcement, expecting businesses to have robust data breach response systems in place.

  • What are some of the actions businesses should take in light of the data breach report findings?

    -Businesses should implement privacy policies, establish procedures for staff to follow in case of a breach, and provide training to staff on how to respond to potential incidents or breaches.

  • What is the reporting period for data breaches in Australia, and how does it compare to other jurisdictions?

    -The reporting period for data breaches in Australia is up to 30 days, which is longer than the 72-hour requirement in some other jurisdictions, giving businesses more time to investigate and respond to a breach.

  • What is the general advice for businesses regarding data collection and privacy considerations?

    -Businesses should consider what personal information they are collecting and why, ensuring that the impact on privacy is proportionate to their objectives and that they have the appropriate consent and disclosure in place.

Outlines

00:00

📜 Australian Privacy Law Developments and Consultations

In this segment, Kelly Dixon, a managing principal lawyer at McPherson Kelly in Australia, introduces the topic of recent developments in Australian privacy law. She emphasizes the importance for all businesses to be aware of ongoing privacy law consultations before the parliament, as they could have far-reaching implications beyond just digital platforms. Two key consultations are highlighted: the proposed Online Privacy Bill, which aims to establish a code for social media platforms and increase privacy penalties, and a second proposal that aligns Australia's privacy law more closely with GDPR standards. Key aspects of the latter include a direct right of action for individuals, more prescriptive notice and consent requirements, standard contractual clauses, and rights to object and erasure. Dixon advises businesses to stay informed about these legislative changes, as they could significantly impact their operations.

05:02

🚨 Recent Privacy Breaches and Commissioner Determinations in Australia

This paragraph delves into notable privacy breaches and regulatory actions in Australia. A significant incident involved a data breach in New South Wales where approximately 500,000 addresses, including sensitive sites like defense locations and domestic violence shelters, were leaked. Although the Privacy Commissioner determined it was not a breach as defined by privacy laws, the incident raised public concern and prompted a review of QR check-in processes. Another case discussed involves 7-Eleven, which was found to have violated customer privacy by collecting biometric information through in-store tablets without proper consent or disclosure. The privacy commissioner's determination underscored the importance of adequate notice and the necessity of collection for the primary purpose. The segment concludes with advice from the Office of the Australian Information Commissioner (OAIC), urging businesses to implement robust data breach mechanisms and privacy policies, train staff, and have procedures in place to address potential breaches. The message is clear: after four years of the data breach mechanism being in place, businesses should be prepared to handle such incidents effectively.

Keywords

💡Privacy Law

Privacy Law refers to a set of legal regulations that govern the collection, use, and disclosure of personal information. In the context of the video, Privacy Law is central as it discusses the developments and implications of privacy legislation in Australia. The script mentions that there are two privacy consultations before the Australian parliament, indicating the evolving nature of these laws and their importance to businesses.

💡Online Privacy Bill

The Online Privacy Bill is a proposed legislation in Australia aimed at creating a code for social media platforms. It is mentioned in the script as a part of the legislative developments that could significantly impact businesses. The bill not only targets social media but also proposes to increase privacy penalties and grant new investigative powers to the Privacy Commissioner, emphasizing the need for businesses to be aware of such legislative changes.

💡Privacy Penalties

Privacy Penalties are fines or punishments imposed for violations of privacy laws. The script highlights a proposal to increase these penalties in Australia to align with consumer law penalties, which could include fines up to 10 million dollars, three times the benefit gained from the violation, or 10% of a company's turnover. This underscores the severe consequences businesses may face if they do not comply with privacy regulations.

💡Data Breach

A Data Breach occurs when unauthorized individuals gain access to sensitive information. The video script discusses a specific case in New South Wales, Australia, where 500,000 addresses were leaked, including those of defense sites and domestic violence shelters. This incident, although not legally considered a privacy breach, raised concerns about the security of sensitive data and the potential risks to vulnerable individuals.

💡QR Check-ins

QR Check-ins refer to a method of tracking and recording individuals' visits to venues using Quick Response codes, especially relevant during the COVID-19 pandemic. The script mentions the QR check-ins in relation to the data breach in New South Wales, highlighting the large amount of data collected by governments and the need for careful handling and consideration of privacy implications.

💡Biometric Information

Biometric Information includes unique biological characteristics such as fingerprints, facial patterns, or iris scans. In the context of the 7-Eleven case mentioned in the script, the company collected biometric information through photographs taken for survey purposes without proper consent, leading to a breach of privacy principles and emphasizing the importance of obtaining informed consent for such data collection.

💡Demographic Profiling

Demographic Profiling is the process of collecting and analyzing data about a person's demographic characteristics, such as age, gender, or ethnicity. The script refers to 7-Eleven using biometric information for demographic profiling without consent, which was found to be a breach of privacy, illustrating the need for transparency and consent when using personal data for such purposes.

💡Privacy Commissioner

The Privacy Commissioner is an official responsible for overseeing and enforcing privacy laws. In the script, the Privacy Commissioner of Australia is mentioned in relation to the proposed legislative changes, the data breach in New South Wales, and the 7-Eleven case. The role emphasizes the importance of having an authority to investigate and determine breaches, as well as to guide businesses on privacy compliance.

💡Data Breach Mechanism

A Data Breach Mechanism refers to the procedures and systems in place for identifying, reporting, and managing data breaches. The script discusses the four-year anniversary of Australia's data breach mechanism, indicating that businesses are expected to have such mechanisms in place and are moving from an educational phase to an enforcement phase, where non-compliance can lead to penalties.

💡Human Error

Human Error refers to mistakes made by individuals that can lead to unintended consequences, such as data breaches. The script points out that a significant number of data breaches are caused by human error, emphasizing the need for businesses to train their staff on privacy policies and procedures to prevent such incidents.

💡Privacy Principles

Privacy Principles are a set of guidelines that outline how personal information should be handled in accordance with privacy laws. The script refers to a breach of Australia's privacy principles in the 7-Eleven case, where the collection of biometric information without adequate notice and consent violated these principles, highlighting the importance of adhering to these guidelines for businesses.

Highlights

Kelly Dixon, managing principal lawyer of the Dandenong office of McPherson Kelly in Australia, discusses recent developments in Australian privacy law.

There are two privacy consultations before the Australian parliament, focusing on online and digital legislation with broad implications for businesses.

The proposed Online Privacy Bill aims to create a code for social media platforms and increase privacy penalties to match consumer law penalties.

New investigative powers are proposed for the Privacy Commissioner under the Online Privacy Bill.

The second proposal seeks to align Australian privacy law more closely with GDPR, introducing direct rights of action for individuals.

Legislation proposes more prescriptive notice and consent requirements, and standard contractual clauses for the first time in Australia.

Changes to default privacy settings and new rights to object and erasure are being considered, similar to GDPR jurisdictions.

A data breach in New South Wales exposed 500,000 addresses, including sensitive sites like defense locations and domestic violence shelters.

The Privacy Commissioner determined the New South Wales data leak was not a privacy breach due to the nature of the leaked data.

The data breach raised concerns about the security of sensitive sites and the public's trust in data handling.

The incident prompted a review of Australia's QR check-in process in light of the amount of data shared with the government during the pandemic.

7-Eleven in Australia was found to have interfered with customer privacy by collecting biometric information without consent.

The privacy breach by 7-Eleven involved using collected biometric data for demographic profiling without proper disclosure.

The OAIC's data breach report indicates a shift from education to enforcement, expecting businesses to have data breach mechanisms in place.

The report emphasizes the need for businesses to have privacy policies and procedures, and to train staff on incident response.

Most data breaches are due to malicious hacks and human error, highlighting the importance of robust privacy practices.

Australian businesses have a 30-day window to report data breaches, which is longer than the 72-hour period in some jurisdictions.

Transcripts

00:00

Welcome everyone, I'm pleased to have here in this Privacy Espresso episode Kelly Dixon, managing principal lawyer of the Dandenong office of McPherson Kelly in Australia. Evidently we have been hearing a lot of data privacy updates and news from Australia, so we want to have Kelly here describe them. Kelly, welcome.

00:20

Hello, thank you very much, and hello to everyone who is watching and listening to this. It is actually a good opportunity for us to be speaking about some Australian developments in privacy law. I do know that all around the world there's been various media grabs and newspaper articles about some of the things that have been occurring here in Australia, so I thought what we would do today is talk just very quickly about some legislative developments that are occurring in Australia, and also look at some interesting recent cases as well, to know about these new privacy proposals that are in Australia, because they will have some big impacts.

01:02

Perfectly. So can you tell us why normal businesses, or otherwise all businesses, should be aware of these privacy law consultations?

01:11

Yeah, so in Australia at the moment there are two privacy consultations that are before parliament and being looked at by some of our committees, and what I think is really important to note is that both of these consultations have been framed, and they have been named, as online or digital consultations and pieces of legislation. So I think it's very easy for businesses to say, oh well, I don't need to worry about this because it relates to online platforms or it relates to digital platforms, but the actual legislation goes a lot more deep and broad than that, so it can apply, if this legislation is passed, to all sorts of businesses.

01:58

So for the first one, which is a proposed Online Privacy Bill, what it's going to do is create a code for social media platforms, but for all businesses what's also hidden in there is that there is a proposal to increase privacy penalties in Australia to match the penalties in our consumer law. So that means that the penalties can be the higher of 10 million dollars, three times the benefit received from the contravention, or 10% of turnover, and our Privacy Commissioner is also proposed to have some new investigative powers.

02:34

Then the second proposal, if it gets passed, will bring Australia's privacy law a little bit closer to GDPR. Some of the proposals that are in this piece of legislation are for there to be a direct right of action for individuals to take against businesses, some changes to definitions to improve the understanding of privacy, but also, importantly for Australia, we're looking at more prescriptive notice and consent requirements, introducing some standard contractual clauses, some SCCs that we've never had before, some changes to default settings for privacy as well, and a right to object and to erasure, which are rights you know in GDPR jurisdictions but not here yet for us. So I'd encourage people to continue to look at this as it passes through consideration, but don't discount it just because it relates to digital.

03:30

Thank you very much, Kelly. Evidently, so Australia is one of those countries that has initiated a pattern towards the GDPR international standards, also in terms of fines. Let's talk about the case. Around the world the news went that the New South Wales government suffered a data breach. What can you tell us about it?

03:52

Yes, so this was an interesting one. In New South Wales, which is one of the states in Australia, there was a data breach, there was a leak of 500,000 addresses, and this was related to COVID and our QR check-ins and those sorts of things. What made this interesting and concerning for people is that those 500,000 or so addresses included defense sites, domestic violence shelters, Australia's infrastructure networks, and so, you know, this was data that had been uploaded onto a website, probably in hindsight in situations when it shouldn't have been.

04:35

Now the New South Wales government did report that to the Privacy Commissioner, who determined that it was not a privacy breach as defined, and the reason for that is that the data that was leaked was business addresses. What the consequence is, though, is that some of those sites are very sensitive sites, and so the thought in the public was, well, people could use that information to then go and visit the domestic violence shelters or the defense structures and sites. So it wasn't a strict privacy breach, but it certainly caused some concern for Australians and for more vulnerable consumers.

05:17

But I think that what it also did was, it's quite timely at the moment, we're currently looking at our QR check-in process and whether, now that Australia is starting to open up from isolation again, just how useful and effective doing a QR check-in is. So, you know, I think it's just brought to light that there is an awful lot of data, and particularly through COVID so much data was given to government, shared with government, and this breach really was perhaps just not some great thought about what was being made available in circumstances where it didn't need to be.

05:57

Really very interesting, and there are some other interesting cases, for instance the 7-Eleven you mentioned briefly at the outset.

06:04

Yes, so 7-Eleven is a case that has happened just recently in Australia as well, and this is where our Privacy Commissioner has made a determination that 7-Eleven, the convenience store, did interfere with customer privacy. So what 7-Eleven was doing in Australia in some of its stores was it had put some iPads, some tablets, in store to record customers' in-store experience, so people could do a survey once they were in store about how their shopping experience had been. But part of that was that these tablets collected biometric information: they took photographs of the people who were filling in the surveys, and 7-Eleven say that the reason that they were doing that was to help prevent duplicated surveys or people, you know, circumventing that.

06:59

But what the Commissioner found was that that biometric information was also being used for demographic profiling, and there was no consent to that occurring, and that wasn't disclosed in the collection statements that were provided when people first signed up to one of these surveys. So that was held to be a breach of a couple of Australia's privacy principles, the APPs, and the guidance that we have there, and it was basically about not adequate notice of collection, and collection not being reasonably necessary for the primary purpose that they were doing all of this. So I think that, you know, what that case was really about, and the reminder to Australian businesses, is about what are you collecting, what personal information is it, and why are you collecting it, and having that thought about: is the impact on privacy proportionate to what you're trying to do? So that was one of our Commissioner determinations.

08:00

The father you echoed this advice is particularly fundamental. So talking in terms of general policy, the recent data breach report of the Australian Information Commissioner was released. Can you give us your comment about it and some tips to businesses out there?

08:17

Yes, so the OAIC publishes statistics about the number of data breach reports that we have, and Australia's data breach mechanism has been in place for four years now. So I think that the biggest tip and the biggest message to come out of the report is that the Privacy Commissioner isn't so much doing education as enforcement, and expecting businesses to have data breach mechanisms in place. You know, it's been four years, so businesses should now have appropriate systems in place. And maybe this is the case everywhere around the world, but the vast majority of data breaches come from malicious hacks and from human error, so really the message for businesses is to consider privacy and to have privacy policies in place and to have procedures for staff to follow and to train staff about what to do if something goes wrong or if they become aware that there has been a potential incident or breach.

09:19

One of the saving graces perhaps in Australia is that our data breach mechanism reporting period is up to 30 days, not 72 hours, so Australian businesses do have longer to investigate and to try to work out what has happened, but that 30 days is certainly considered to be an upper limit, and it should be notified a lot earlier than that.

09:44

Thank you so much. The clear message is four years were given, now it's time to take action, and let's meet again with PrivacyRules in one of the next episodes. Thank you very much, Kelly.

09:55

It sounds good, thank you.
