Legal & Regulatory Risk – Page 2

Breaking Down the Privacy Act Review Report #2: Modifying the employee records exemption

Mar 01 2023

By Cameron Abbott, Rob Pulham and Stephanie Mayhew

The section of the Report dealing with the employee records exemption highlighted significant debate and difference of opinion. Employers expressed a strong desire to retain or even strengthen the exemption; employee representatives consider reform is needed.

In that context the Report does not conclude how the changes should take effect, but proposals 7.1(a)-7.1(d) recommend stronger protection of private sector employee information, to:

enhance transparency over what employee information is collected and why
ensure employers have adequate flexibility to deal with employees’ information to administer the employment relationship (and addressing whether consent should be required to collect sensitive information)
ensure adequate security and destruction measures around employee personal information, and
notify employees and the OAIC of data breaches involving employee personal information.

What does this mean for my organisation?

Private sector employers who don’t yet have a good grasp of the breadth of information they collect and hold about their employees will need to stocktake their collection activities and sharpen their focus on why they collect such information; prepare appropriate collection notices and employee privacy policies (if not used already); and ensure employee information is appropriately covered in their security measures and considered in their data breach response plans.

Feb 27 2023

By Cameron Abbott, Rob Pulham and Stephanie Mayhew

Under proposals 4.1-4.4 of the Report, changes to broaden the definition of Personal Information are on the horizon. Under the proposed amendments, the word “about” in the definition of Personal Information will be amended to “relates to”. That is – “information or an opinion that relates to an identified individual…”. This brings the definition in line with other legislative frameworks that regulate privacy and ensures consistency with the language used in the GDPR definition of ‘Personal Data’.

Amendment of the definition of ‘collection’ is also proposed to expressly cover information obtained by any means, including inferred or generated information. The Report also states that ‘reasonably identifiable’ should be supported by a non-exhaustive list of circumstances to which APP entities will be expected to have regard to in their assessment of what is ‘Personal Information’.

What does this mean for my organisation?

With such a broader interpretation, APP entities will need to have regard to a larger set of information that could fall within the definition. This will see information such as mobile location data, IP addresses, social media handles, mobile advertising IDs and other technical information more clearly fall within the definition.

Feb 16 2023

By Cameron Abbott, Rob Pulham and Stephanie Mayhew

The Government has today released the Report of the Attorney General’s Department’s review of the Privacy Act 1988 (Cth). The Government is seeking feedback on the 116 proposals in the Report before deciding what further steps to take. Submissions on the report are due on 31 March 2023. With this timing, it’s possible that we will see the review finalised towards the end of the first half of 2023.

The report can be accessed here.

The proposals made in the Report centre around:

Jan 23 2023

By Claude-Étienne Armingaud, Camille Scarparo and Alexandra Séguis

This survey follows the CNIL’s announcement on 24 November 2022 that it aims at “better understanding the economic challenges associated with the collection and processing of personal data in mobile applications” as part of its 2022-2024 strategic plan.

The CNIL considered data collection via mobile applications greatly lacks transparency as opposed to cookies collection on websites.

The expected inputs are to be used for the purpose of drafting recommendations to be submitted to public consultation during the second semester of this year.

Concurrently to its ever-active enforcement of website cookie framework, the CNIL also recently started going after mobile applications for their use of personal data, often leverage as a primary source of revenue for free-to-play mobile games. The most recent example being the French mobile game publisher Voodoo SAS, with a fine of EUR3 million for breach of user consent for targeted ads on 29 December 2022. Indeed, the CNIL considered that even when users did not consent to the tracking for advertising purposes, Voodoo still accessed the IDFV (Apple’s “IDentifier For Vendors” (“IDFV”) – an identifier assigned to app operators, which facilitates targeted advertising) and processed browsing information for advertising purposes, constituting a violation of French privacy law and the GDPR.

The CNIL now calls for economic contributions from experts, interest groups, regulatory entities and experienced private individuals in the field. The call for contributions closes on 10 February 2023. Contributions can be submitted by completing a questionnaire and/or a written statement at the following email address: ecodesapplis@cnil.fr.

All contributions will be covered by professional secrecy and will be published in the form of a synthetic and aggregated report.

New Privacy Enforcement Act commences in Australia

Dec 14 2022

By Cameron Abbott, Rob Pulham and Stephanie Mayhew

As of yesterday, the Privacy Legislation Amendment (Enforcement and Other Measures) Act 2022 (Privacy Enforcement Act) is now in effect after receiving Royal Assent on 12 December 2022.

As we have previously shared, the Privacy Enforcement Act increases the maximum penalties for serious or repeated privacy breaches. For body corporates/organisations this increases the penalty from the current $2.22 million to whichever is the greater of:

Dec 02 2022

By Cameron Abbott, Rob Pulham and Stephanie Mayhew

Earlier this week (on 29 November), the Australian Parliament passed the Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 (Bill) which was introduced to Parliament on 26 October 2022.

The Bill amends the following:

Privacy Act 1988 to expand the Australian Information Commissioner’s enforcement and information sharing powers and increase penalties for serious or repeated interferences with privacy;

Australian Communications and Media Authority Act 2005 to enable the Australian Communications and Media Authority to disclose information to a non-corporate Commonwealth entity that is responsible for enforcing one or more laws of the Commonwealth; and

Australian Information Commissioner Act 2010 to allow the Australian Information Commissioner to delegate certain functions or powers.

Nov 25 2022

By Cameron Abbott, Rob Pulham and Stephanie Mayhew

We’ve just returned from the annual iapp Australia/New Zealand privacy conference held in Sydney this week, and it was a whirlwind. Even if you’re not one of around half of Australians affected by two of the biggest data breaches in our recent history, you’ll be aware a lot is changing – and a lot more is poised to change – in this space.

We’ll be blogging over the coming weeks about some of the key themes and changes your organisation will need to prepare for, including:

– new regulatory enforcement tools

– higher expectations of the way personal information is collected and secured, and when it needs to be destroyed

– potential removal of key exemptions such as the employee records exemption that your business may currently rely on,

– and of course the major penalty increases that seek to deter privacy breaches being viewed as ‘the cost of doing business’,

as Australia tightens the protections around the collection and use of Australians’ personal information.

Stay tuned!

UK Government publishes new proposed data protection law

Jul 27 2022

By Claude-Étienne Armingaud, Nóirín McFadden and Keisha Phippen

The UK Government has finally published its highly anticipated Data Protection and Digital Information Bill (the Bill), marking the first significant post-Brexit change to the UK’s data protection regime. Following Brexit, the UK continued following the EU General Data Protection Regulation, incorporated into UK law as the UK GDPR, and the UK implementation of the EU ePrivacy Directive, the Privacy and Electronic Communications Regulations 2003 (PECR), also remained in force.

The Bill is only at the start of the legislative process, and it remains to be seen how it will develop if it is amended during its passage through Parliament, but early indications are that it represents more of an evolution than a revolution in the UK regime. That will come as a relief to businesses that transfer personal data from the EU to the UK, because it reduces the risk that the EU might rescind the UK’s adequacy status.

For a start, the Bill actually preserves the UK GDPR, its enabling legislation the Data Protection Act 2018, and the PECR, because it is drafted as an amending act rather than a completely new legislative instrument. This does not contribute to user-friendliness, as interpreting UK data protection requirements will require a great deal of cross-referencing across texts.

The more eye-catching proposed changes in the Bill include:

The inclusion of a list of “legitimate interests” that will automatically qualify as being covered by the lawful basis in UK GDPR Article 6(e).
Some limitations on data subject access requests, such as the possibility of refusing “vexatious or excessive” requests.
More exemptions from the requirement to obtain consent to cookies.
Much higher fees for breach of PECR.

The Bill will now progress through various Parliamentary stages over the coming months in order to become law.

No News is Bad News! Big digital platforms flex their influence to no avail.

Mar 03 2021

By Cameron Abbott, Michelle Aggromito and Jacqueline Patishman

After severe criticism from the Australian government and others, Facebook has reversed its initial response to the controversial news media code of banning all Australian news on its platform, now stating that news and key pages concerning public health and government will be restored (although it has not provided a deadline for when this will occur).

Jul 24 2020

By Cameron Abbott and Keely O’Dowd

The Australian Government is currently developing its next Cyber Security Strategy, which is scheduled for release in the coming months.

The Australian Government 2020 Cyber Security Strategy Industry Advisory Panel has released a report consisting of 60 recommendations to inform the 2020 Cyber Security Strategy. The Panel’s 60 recommendations are structured around five key pillars:

Catagory:Legal & Regulatory Risk

Breaking Down the Privacy Act Review Report #2: Modifying the employee records exemption

Breaking down the Privacy Act Review Report #1: More Personal Information to be captured by the Act

The wait is over: The Privacy Act Review Report has been published!

SURVEY ON THE ECONOMICS ON PERSONAL DATA ON MOBILE APPS LAUNCHED BY FRANCE’S PRIVACY WATCHDOG

New Privacy Enforcement Act commences in Australia

Australia passes Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022

Update from the Australia/New Zealand privacy conference and the changes to Australian privacy and cybersecurity laws

No News is Bad News! Big digital platforms flex their influence to no avail.

Update: Australia’s 2020 Cyber Security Strategy