While we await progress on the broad-reaching reforms to Australia’s Privacy Act proposed in the Attorney-General’s Review Report published in February 2023, there are plenty of other developments in the cyber, privacy, data and digital space that organisations should be aware of:
On 31 July 2023, the International Bar Association (IBA) published a report on best governance practices for senior executives and boards focussing on protecting against cyber risks, stemming from its review of 10 jurisdictions, including Australia, the United States and the United Kingdom.
In brief, regulators across the jurisdictions reviewed expect boards and management to actively manage the organisation’s cyber security risks. The IBA observes that the threat of personal liability of directors and management for poor cyber security governance is starting to emerge, including through general directors’ duties.
The recommendations indicate that the board and management of an organisation should ensure that:
Further, the agenda of boards and organisations should include:
Financial services organisations have until 1 July 2025 to comply with the Australian Prudential Regulation Authority’s (APRA) new Prudential Standard CPS 230 Operational Risk Management, which will replace CPS/SPS/HPS 231 (Material outsourcing) and CPS/SPS 232 (Business continuity).
CPS 230 focusses on operational risks that are caused by inadequate or failed internal processes or systems, or the actions or inactions of third parties or events. It is intended to ensure that regulated entities appropriately manage risks, especially disruption to critical operations. In relation to outsourcing and third party services, its premise is that a regulated entity should not outsource to a service provider unless the regulated entity has fully and effectively identified and managed the associated risks of doing so.
APRA has also released a draft Prudential Practice Guide CPG 230 for consultation (open to submissions until 13 October 2023), to accompany the new standard.
Compliance with CPS 230 will require:
The long lead time for CPS 230 recognises that establishing processes to comply with these new requirements is not something that can be done quickly at the last minute. In particular, as with the CPS 234 transition, compliance with CPS 230 may require regulated entities to negotiate changes to their existing contracts with service providers (from 1 July 2026, or the first renewal date after 1 July 2025), including to address matters not listed in CPS 231 such as compliance, force majeure and its consequences, and specific termination provisions.
APRA is in the process of reviewing the compliance of some 300 financial services organisations with CPS 234, the prudential standard on information security. The report released by APRA following the first quarter of its assessments indicates that, in general, organisations need to:
Even organisations not regulated by APRA are likely to benefit from reviewing their cyber security measures against the gaps and recommendations in APRA’s report.
The latest chapter in the ACCC’s five-year Digital Platforms Services Inquiry is focussing on data brokers, organisations that aggregate and sell individuals’ personal information to businesses, as well as organisations that supply data to, or use data from, data brokers. The ACCC published an issues paper on 10 July 2023, and consultation closed on 7 August 2023.
The issues paper specifically notes that the inquiry will not review the operation of Australian privacy laws, which is outside the scope of the inquiry. However, the ACCC proposes to canvass a number of privacy-related issues, such as the types of information collected, where it is collected from, and how it is collected, stored, processed and analysed. We also expect the inquiry to grapple with interesting questions about how organisations collect and use “non-private” personal information (i.e. personal information published online), which is rarely a black-and-white area in terms of privacy compliance.
The inquiry also proposes to look at the competitive dynamics in the data broking industry, as well as potential consumer and small business harms.
The ACCC is due to report to the Treasurer on this inquiry by 31 March 2024.
Australia has its eyes set on a significant expansion of its digital identity program, including connecting the Federal digital identity system to State and Territory systems, and consultation on allowing statutory declarations to be signed by individuals using their digital identity.
After several years in the works, the Australian Government has announced that it expects to consult on new digital identity legislation in September 2023 and introduce new legislation by the end of 2023. This legislation will, among other matters, allow Australia’s digital identity framework to be rolled out to private sector organisations (currently it is a policy-based framework available to Commonwealth Government agencies), and enshrine various privacy and consumer protections.
Further, the Commonwealth, State and Territory ministers have endorsed a National Strategy for Identity Resilience which aims to ensure that Commonwealth, State and Territory digital identity systems adhere to the same underlying principles.
As we have previously reported, the Privacy Act 1988 (Cth) was amended in December 2022 to substantially increase the maximum penalty for a serious or repeated interference with privacy to the greater of:
A recent High Court case has clarified how penalties are calculated with reference to the value of the benefit obtained by a corporation. Considering an equivalent provision in the Criminal Code Act 1995 (Cth), the High Court clarified that the “benefit” refers to the entirety of the proceeds to the corporation from the conduct – the “value of an advantage as provided or as obtained, no more and no less” – not just the net proceeds or profits.
The Australian Communications and Media Authority (ACMA) has announced that food delivery service DoorDash has paid a fine of A$2,011,320 for sending more than 1 million text messages and emails in breach of the Spam Act 2003 (Cth).
Specifically, between February and October 2022, DoorDash sent more than 566,000 promotional emails to customers who had previously unsubscribed, and more than 515,000 text messages to prospective DoorDash drivers without a functional unsubscribe facility. DoorDash was found to have internally mischaracterised the texts to prospective drivers as “factual”, when they were promotional (and therefore subject to the Spam Act) because they included offers and incentives.
ACMA observed that DoorDash’s explanation that the messages were sent, in part, due to a technical error was “no excuse” for a large business conducting high-volume marketing. ACMA also warned that spam compliance remains an ongoing enforcement priority for ACMA.
The Office of the Australian Information Commissioner (OAIC), the Australian privacy regulator, has completed its latest three-yearly review of community attitudes to privacy, which demonstrates that Australians are increasingly concerned about their privacy in the wake of high profile data breaches and the increasing adoption of technologies such as artificial intelligence and facial recognition.
However, while many Australians are focussed on the security of their personal information and scams, only a small minority of survey respondents know about the specific protections of the Privacy Act, read organisations’ privacy policies, or change how they engage with an organisation based on that organisation’s privacy practices.
Nevertheless, from a privacy risk perspective, organisations should be mindful that even if privacy-conscious and privacy-aware individuals are a small proportion of their customer base, regularly reviewing compliance with the Privacy Act mitigates the risk of privacy complaints by those individuals (including complaints to the OAIC).
The community attitudes survey is likely to shape the ongoing Privacy Act reforms, as respondents have broadly supported changes such as rights to erasure (rights to be forgotten), direct rights of action, and removal of the political parties exemption.
While the Privacy Act Review Report was released in February 2023, the Attorney-General’s Department is yet to release draft legislation for consultation. As we have previously discussed, the Review Report indicates that the reforms will be far-reaching, and we expect that if legislation is passed, there will be a 12-24 month transition period before organisations are required to be compliant with the new laws.
The OAIC is now more than 12 months into its investigation into the use of facial recognition technology by certain major Australian retailers. The release of its findings will clarify whether and how organisations can use these technologies in compliance with their privacy obligations.
For a more detailed briefing on any of these updates, or to discuss how JWS can assist your organisation in managing its risks in these rapidly evolving areas, please get in touch.