Digital Bytes – cyber, privacy & data update

Quick summary

While we await progress on the broad-reaching reforms to Australia’s Privacy Act proposed in the Attorney-General’s Review Report published in February 2023, there are plenty of other developments in the cyber, privacy, data and digital space that organisations should be aware of:

• The IBA’s report on cyber security risk governance makes 17 recommendations for company boards and senior management based on its review of cyber risk governance across 10 jurisdictions, including Australia.
• Financial services organisations should start mapping out how they will comply with APRA’s broad new CPS 230 (Operational risk management).  Compliance with CPS 234 (Information security) is also in the spotlight following APRA’s report indicating that regulated organisations should generally uplift their supply chain management and incident report plans.
• There are updates on the ACCC’s inquiry into data brokers, upcoming consultation on digital identity legislation, and a High Court clarification on the calculation of privacy penalties.
• ACMA’s A$2 million fine issued to DoorDash for breaching Australia’s Spam Act reminds organisations about the importance of appropriately categorising commercial electronic messages, and that sending messages due to a “technical error” is no excuse for non-compliance.
• Finally, the OAIC’s latest Community attitudes to privacy survey reminds us that Australians are more privacy-aware than ever.

Report on best governance practices addressing cyber security risk

On 31 July 2023, the International Bar Association (IBA) published a report on best governance practices for senior executives and boards focussing on protecting against cyber risks, stemming from its review of 10 jurisdictions, including Australia, the United States and the United Kingdom.

In brief, regulators across the jurisdictions reviewed expect boards and management to actively manage the organisation’s cyber security risks. The IBA observes that the threat of personal liability of directors and management for poor cyber security governance is starting to emerge, including through general directors duties.

The recommendations indicate that the board and management of an organisation should ensure that:

1. The organisation has defined risk tolerance levels for cyber security.
2. The organisation has a cyber incident response plan, and a cybersecurity testing and training program (both for IT assets, and for its people).
3. The organisation has adopted appropriate cyber security standards, including a clear explanation for why those standards have been adopted (over others).
4. They have sufficient cyber security expertise, and that the organisation has a clear reporting structure for cyber security matters.

Further, the agenda of boards and organisations should include:

1. Regular review of sector- and business-cyber security risks facing the organisation, its key information assets, and significant regulatory requirements.  These matters should be updated where there are significant business or legal developments.
2. Regularly testing and reviewing the organisation’s cyber incident response plan.
3. Reviewing results from cyber security testing and training programs, and the results of compliance audits with cyber security standards.

APRA’s new operational risk management prudential standard commences 1 July 2025

Financial services organisations have until 1 July 2025 to comply with the Australian Prudential Regulation Authority’s (APRA) new Prudential Standard CPS 230 Operational Risk Management, which will replace CPS/SPS/HPS 231 (Material outsourcing) and CPS/SPS 232 (Business continuity).

CPS 230 focusses on operational risks that are caused by inadequate or failed internal processes or systems, or the actions or inactions of third parties or events.  It is intended to ensure that regulated entities appropriately manage risks, especially disruption to critical operations.  In relation to outsourcing and third party services, its premise is that a regulated entity should not outsource to a service provider unless the regulated entity has fully and effectively identified and managed the associated risks of doing so.

APRA has also released a draft Prudential Practice Guide CPG 230 for consultation (open to submissions until 13 October 2023), to accompany the new standard.

Compliance with CPS 230 will require:

• new risk management processes, including roles and responsibilities;
• a revised approach and uplift in business continuity arrangements; and
• uplifts to service provider contracts and management of service providers, including due diligence and financial and non-financial risk identification.

The long lead time for CPS 230 recognises that establishing process to comply with these new requirements will not be something that can be done quickly at the last minute.  In particular, like the CPS 234 transition, compliance with CPS 230 may require regulated entities to negotiate changes to their existing contracts with service providers (from 1 July 2026, or the first renewal date after 1 July 2025), including to address matters not listed in CPS 231 such as compliance, force majeure and its consequences, and specific termination provisions.

APRA’s review into information security compliance demonstrates need for improvement

APRA is in the process of reviewing the compliance of some 300 financial services organisations with CPS 234, the prudential standard on information security.  The report released by APRA following the first quarter of its assessments indicates that, in general, organisations need to:

• better manage their supply chain risk, including by identifying information assets managed by third parties in order to then determine the appropriate controls for those assets;
• uplift their incident response plans to test a range of plausible disruption scenarios, including data breach, credential compromise, and denial-of-service attacks amongst others; and
• ensure that independent audits of information security controls are undertaken by auditors with appropriate security qualifications and skills.

Even organisations not regulated by APRA are likely to benefit from reviewing their cyber security measures against the gaps and recommendations in APRA’s report.

ACCC’s inquiry into data brokers to consider privacy, competition and consumer and small business harms

The latest chapter in the ACCC’s five-year Digital Platforms Services Inquiry is focussing on data brokers, organisations that aggregate and sell individuals’ personal information to businesses, as well as organisations that supply data to, or use data from, data brokers.  The ACCC published an issues paper on 10 July 2023, and consultation closed on 7 August 2023.

The issues paper specifically notes that the inquiry will not review the operation of Australian privacy laws, which is outside the scope of the inquiry. However, the ACCC proposes to canvas a number of privacy-related issues, such as the types of information collected, where it is collected from, and how it is collected, stored, processed and analysed.  We also expect the inquiry to grapple with interesting questions about how organisations collect and use “non-private” personal information (i.e. personal information published online), which is rarely a black-and-white area in terms of privacy compliance.

The inquiry also proposes to look at the competitive dynamics in the data broking industry, as well as potential consumer and small business harms.

The ACCC is due to report to the Treasurer on this inquiry by 31 March 2024.

Developments in Australia’s digital identity landscape

Australia has its eyes set on a significant expansion to its digital identity program, including to connect the Federal digital identity system to State and Territory systems, and consulting on allowing statutory declarations to be signed by individuals using their digital identity.

After several years in the works, the Australian Government has announced that it expects to consult on new digital identity legislation in September 2023 and introduce new legislation by the end of 2023.  This legislation will, among other matters, allow Australia’s digital identity framework to be rolled out to private sector organisations (as currently, it is a policy-based framework that can be used by Commonwealth Government agencies), and enshrine various privacy and consumer protections.

Further, the Commonwealth, State and Territory ministers have endorsed a National Strategy for Identity Resilience which aims to ensure that Commonwealth, State and Territory digital identity systems adhere to the same underlying principles.

Calculation of new privacy penalties clarified

As we have previously reported, the Privacy Act 1988 (Cth) was amended in December 2022 to substantially increase the maximum penalty for a serious or repeated interference with privacy to the greater of:

• A$50 million;
• three times the value of the benefit obtained by the entity from the privacy breach, whether directly or indirectly, if that can be determined by a court; or
• 30% of the entity’s adjusted turnover (meaning the sum of all supplies that the entity and its related bodies corporate make) during the past 12 months or the relevant breach period, whichever is longer.

A recent High Court case has clarified how penalties are calculated with reference to the value of the benefit obtained by a corporation.  Considering the position under an equivalent position in the Criminal Code Act 1995 (Cth), the High Court clarified that the “benefit” refers to the entirety of the proceeds to the corporation from the conduct – the “value of an advantage as provided or as obtained, no more and no less” – not just the net proceeds or profits.

DoorDash hit with a $2 million fine for spam breaches

The Australian Communications and Media Authority (ACMA) has announced that food delivery service, DoorDash, has paid a fine of A$2,011,320 for sending more than 1 million text messages and emails in breach of the Spam Act 2003 (Cth).

Specifically, between February and October 2022, DoorDash sent more than 566,000 promotional emails to customers who had previously unsubscribed, and more than 515,000 text messages to prospective DoorDash drivers without a functional unsubscribe facility. DoorDash was found to have internally mischaracterised the texts to prospective drivers as “factual”, when they were promotional (and therefore subject to the Spam Act) because they included offers and incentives.

ACMA observed that DoorDash’s explanation that the messages were sent, in part, due to a technical error was “no excuse” for a large business conducting high-volume marketing. ACMA also warned that spam compliance remains an ongoing enforcement priority for ACMA.

Community attitudes to privacy show increased concern in privacy and security

The Office of the Australian Information Commissioner (OAIC), the Australian privacy regulator, has completed its latest three-yearly review of community attitudes to privacy, which demonstrates that Australians are increasingly concerned about their privacy in the wake of high profile data breaches and the increasing adoption of technologies such as artificial intelligence and facial recognition.

However, while many Australians are focussed on the security of their personal information and scams, only a small minority of survey respondents know about the specific protections of the Privacy Act, read organisations’ privacy policies, or change how they engage with an organisation based on that organisation’s privacy practices.

Nevertheless, from a privacy risk perspective, organisations should be mindful that even if privacy-conscious and privacy-aware individuals are a small proportion of its customer base, organisations should regularly review their compliance with the Privacy Act to mitigate the risk of privacy complaints by those individuals (including complaints to the OAIC).

The community attitudes survey is likely to shape the ongoing Privacy Act reforms, as respondents have broadly supported changes such as rights to erasure (rights to be forgotten), direct rights of action, and removal of the political parties exemption. 

Watch this space

While the Privacy Act Review Report was released in February 2023, the Attorney-General’s Department is yet to release draft legislation for consultation.  As we have previously discussed, the Review Report indicates that the reforms will be far-reaching, and we expect that if legislation is passed, there will be a 12-24 month transition period before organisations are required to be compliant with the new laws.

The OAIC is now more than 12 months into its investigation into the use of facial recognition technology by certain major Australian retailers.  The release of its findings will clarify whether and how organisations can use these technologies in compliance with their privacy obligations.

For a more detailed briefing on any of these updates, or to discuss how JWS can assist your organisation manage its risks in these rapidly evolving areas, please get in touch.

Important Disclaimer: The material contained in this article is comment of a general nature only and is not and nor is it intended to be advice on any specific professional matter. In that the effectiveness or accuracy of any professional advice depends upon the particular circumstances of each case, neither the firm nor any individual author accepts any responsibility whatsoever for any acts or omissions resulting from reliance upon the content of any articles. Before acting on the basis of any material contained in this publication, we recommend that you consult your professional adviser. Liability limited by a scheme approved under Professional Standards Legislation (Australia-wide except in Tasmania).