Cyber Law Watch – Insight on how cyber risk is being mitigated and managed across the globe

Clarifications of Legal Bases for Cross-Border Data Transfers in Landmark Judgment by the Guangzhou Internet Court in China

Nov 06 2024

By: Sarah Kwong, Dan Wu, and Amigo Lan Xie

The Guangzhou Internet Court in China (Court) issued a landmark judgment under the Personal Information Protection Law (PIPL) (Judgment). This marked the first court decision in China regarding cross-border personal information transfers. In the case, the plaintiff expressed concerns about his personal information being transferred internationally without his explicit consent, while the defendants argued that the data processing was necessary for contractual obligations and aligned with industry standards.

Mass. SJC Limits Website Tracking Technology Claims Under Wiretap Act

Nov 04 2024

By: Christopher Valente and Michael Stortz

In a critical new decision, the Massachusetts Supreme Judicial Court has confirmed that the state’s anti-wiretapping statute does not extend to website tracking technologies. In Vita v. New England Baptist Hospital, the Court held that the state’s 1968 Wiretap Act (Mass. G.L. c. 272, § 99) does not apply to the deployment of online software that collects and transmits information regarding user interactions with websites to third parties.

The Court’s opinion is both extensive and precise, in that the Court’s ruling turned on the scope of the Wiretap Act’s prohibition against unauthorized interception of “communications,” a phrase undefined in the statute. Canvassing dictionary definitions, prior decisions under the Act, and caselaw from outside of the Commonwealth, the Court determined that “communications” applies to “conversations and messages between people[,]” rather than web browsing or other standard interactions with websites. Noting the “significant difference between communicating with a person and communicating with a website,” the Court rejected plaintiffs’ claims that the hospital defendants violated the Wiretap Act by deploying website tracking technologies before obtaining user consent.

In dissent, Justice Wentlandt argued that the majority’s opinion improperly limited the statute’s scope, and that the hospital defendants’ privacy policies misrepresented that users’ identities and privacy would be protected. Notably, both the majority and dissent agreed that users might have other remedies under common law, and that the analysis may differ depending on whether the interception involved confidential medical information, as opposed to browsing history on public websites involving less potentially sensitive topics.

The decision illustrates the difficulties of applying decades-old statutes in the context of current online tracking tools. As the majority aptly observed, the plaintiffs’ proposed reading of the Wiretap Act would potentially impose “severe criminal and civil penalties” on “thousands of websites of owners” across myriad industries. As courts across jurisdictions grapple with this ever-increasing species of litigation, the Vita decision may help establish guardrails, based on the specific online activity at issue, the nature of the website or application, and user consent to the challenged technology.

Higher Regional Court of Hamm (Germany): Claims for Moral Damages Under Art. 82 GDPR are Assignable – German Class Actions Coming?

Oct 04 2024

By Dr. Thomas Nietsch and Andreas Müller

On July 24, 2024, the OLG Hamm ruled that claims for moral damages under Art. 82 GDPR are generally assignable (case number: 11 U 69/23).

Australian Privacy Law Reform – The Wait is (Almost!) Over

Sep 12 2024

By: Cameron Abbott, Stephanie Mayhew, and Rob Pulham

The long-awaited privacy reform has finally been introduced into the Australian Parliament today with the introduction of the Privacy and Other Legislation Amendment Bill 2024. Described as ‘Tranche 1’ of the reforms, the Bill introduces significant uplifts to several aspects of Australia’s privacy laws.

Decision by German Higher Regional Court Koblenz: Consent for Publication of Interview not Revocable

Aug 30 2024

By: Dr. Thomas Nietsch and Andreas Müller

On 31 July 2024 the Higher Regional Court of Koblenz (Oberlandesgericht Koblenz) has rejected an appeal to a verdict of the Regional Court of Koblenz (Landgericht Koblenz) for deletion of an interview published on YouTube, due to lacking a prospect of success (case number 4 U 238/23).

Privacy Reform Bill Just Around the Corner

Aug 26 2024

By: Cameron Abbott, Rob Pulham, and Lauren Hrysomallis

There appears to be a further delay to the long-anticipated privacy law reform legislation, most recently expected to be unveiled this month. But even with this delay the wait won’t be long; we could see a draft bill introduced in as little as three weeks’ time.

Japanese Government Published Checklist and Guidance Related to AI and Copyrights

Aug 26 2024

By: Aiko Yamada and Yuki Sako

On 31 July 2024, the Agency for Cultural Affairs, Government of Japan (the Agency) published “Checklist and Guidance related to AI and Copyrights” (the Checklist), suggesting some ideas to resolve unsettled issues related to “Do inputs to AI infringe copyrights?” (see our previous blog “Japanese Government Identified Issues Related to AI and Copyrights”) for AI developers as described below:

Ransomware attacks – is there harm even when nothing is stolen?

Aug 20 2024

In November 2020, accounting and consulting firm Nexia Australia (Nexia) was alerted to a “REvil” ransomware attack taking place within its system. The attackers threatened to post personal information of Nexia’s clients, customers and staff online unless it paid a $1m ransom within 72 hours.

It was reported that the hackers appeared to have posted Nexia’s confidential files onto the dark web; however, further investigation revealed that the hackers had merely posted screenshots of Nexia’s files. Realising this, Nexia dismissed the threat and refused to pay the ransom.

But it didn’t end there.

Shortly after the attack, a news service found the Nexia file screenshots on the dark web and publicised that the company’s confidential information had been stolen and shared. Not only did Nexia have to reassure panicking clients that their confidential information remained uncompromised, it had to convince the Australian Securities and Investments Commission, the Australian Federal Police and the Privacy Commissioner that nothing of concern had been taken.

It doesn’t help that ransomware-as-a-service is becoming an increasingly lucrative business for cybercriminals to launch this type of attack. All that is needed is off-the-shelf malware, a wallet of cryptocurrency and it’s ready to deploy against an unsuspecting organisation.

The attack on Nexia demonstrates that even if there is no evidence that confidential information has been leaked, organisations can still suffer significant damage. The cost of reassuring stakeholders and mitigating reputational harm can almost match the consequences of a full blown attack.

As Warren Buffet famously quoted, “It takes 20 years to build a reputation and 5 minutes to ruin it”. While Nexia recovered valiantly, this serves as a lesson that even when unsuccessful, the public ramifications of a ransomware attack are not to be underestimated.

Australian Privacy Reform Series Refresher: What Are These Reforms?

Aug 13 2024

By Cameron Abbott, Rob Pulham, and Stephanie Mayhew

In 2023 the Attorney-General’s Department released the “Privacy Act Review Report” (Review Report), which considered whether the Australian Privacy Act 1988 (Cth) and its enforcement mechanisms are fit for purpose in an environment where Australians now live much of their lives online and their information is collected and used for a myriad of purposes in the digital economy.