Author - admin

1
And it’s here! China’s new privacy laws come into effect
2
FACIAL RECOGNITION REVERSION – FACEBOOK TO SHUT DOWN FACIAL RECOGNITION SYSTEM, AUSTRALIAN REGULATOR CRACKS DOWN
3
Long awaited increase to privacy breach penalties – a step closer to reality
4
Good practice – the storage of COVID-19 vaccination certificates
5
Ransomware plan of action
6
Privacy obligations when collecting COVID-19 vaccination status
7
Reminder for our Apple-friendly readers
8
UK consults on new data protection regime
9
GDPR: Irish supervisory authority fines WhatsApp 225 million
10
An even ‘hacking’ field – Government Surveillance Bill passed by Parliament

And it’s here! China’s new privacy laws come into effect

By Cameron Abbott, Rob Pulham and Ella Richards

On 1 November 2021 the People’s Republic of China (PRC) effected the Personal Information Protection Law (PIPL).

The PIPL joins existing Cybersecurity Law and Data Security Law to broaden privacy obligations within the PRC. This comprehensive legislation governs the treatment of personal information within the PRC and strengthens the existing data localisation requirements.

Our colleagues have summarised the PIPL Draft Bill here and prepared advice on the collection of employee’s personal information under the PIPL here.         

FACIAL RECOGNITION REVERSION – FACEBOOK TO SHUT DOWN FACIAL RECOGNITION SYSTEM, AUSTRALIAN REGULATOR CRACKS DOWN

By Cameron Abbott, Rob Pulham, Max Evans and James Gray

Facebook (now referred to as Meta) has announced that it will shut down its decade-old Face Recognition system as part of a company-wide move to reduce the use of facial recognition.

The shutdown will see Facebook delete more than one billion individuals’ facial recognition templates and cease automatically recognising them in photos and videos posted to the platform. Facebook is no stranger to facial recognition controversy, having reached a $550 million USD settlement following an Illinois class action over the non-consensual collection and storing of users’ biometric information.

In its announcement, Facebook highlighted the benefits of facial recognition technology, such as improving accessibility for the visually impaired, but also conceded that regulatory uncertainty and growing concerns about the potential misuse of the technology outweighed those positive use cases.

The voluntary move by Facebook may be a prudent risk reduction step in Australia given there have been recent moves by the Australian privacy regulator against the indiscriminate use of facial recognition tools, including recently ordering an organisation to cease collecting and to destroy its existing facial images and biometric templates in respect of Australian individuals.

This certainly isn’t the end for facial recognition systems. Facebook suggested in its announcement that it intends to develop future applications for the technology once the IT environment allows for greater transparency, user control and privacy. We will keep you posted.

Long awaited increase to privacy breach penalties – a step closer to reality

By Cameron Abbott, Rob Pulham, Max Evans and Ella Richards

On October 25 the Australian Attorney-General’s Department released a draft bill amending the Privacy Act 1988 (the Draft Bill), inviting industry submissions by 6 December 2021.

We have been hearing about an alignment with Australian consumer and competition law penalties for quite some time – and the Draft Bill does not disappoint.

Under the Draft Bill, the maximum penalties applicable to companies for serious or repeated privacy breaches will increase to the greater of:

  • $10 million
  • three times the value of any benefit obtained through the misuse of information, or
  • 10% of the corporate group’s annual Australian turnover.

The Draft Bill also enables the introduction of an online privacy code, covering a wide scope of organisations to regulate social media services, large online platforms and data brokerage services. It is expected that industry will be given the first opportunity to develop the code, for approval by the Commissioner – with the ability for the Commissioner to develop the code in certain circumstances.

Finally, the Draft Bill introduces information sharing powers to facilitate greater engagement between the Information Commissioner and law enforcement bodies, alternative complaint bodies and State, Territory or foreign privacy regulators. This means the Information Commissioner or the receiving authority will be able to share information and documents to more effectively exercise their respective functions and powers.

With regulators banding together, maximum penalties becoming meaningful and a binding online privacy code on the horizon – there has never been a better time to get your Privacy house in order!

Good practice – the storage of COVID-19 vaccination certificates

By Cameron Abbott, Rob Pulham and Ella Richards

As the public’s focus in NSW and Victoria turns quickly to reopening and emerging from lockdowns, we have experienced an increased focus across the country on vaccination rates. Public health orders and laws in several Australian jurisdictions have changed to require businesses to, amongst other things, collect, store and hold vaccine information about their workers, and to take steps to ensure unvaccinated persons do not enter their premises.

This has led to businesses collecting vaccination information including in the form of government-issued COVID-19 vaccination certificates. However the collection of this information creates additional legal and cyber security risks. Some federal government issued certificates contain an individual healthcare identifier (IHI) – a number individually identifies an Australian for healthcare purposes (it is more sensitive than your Medicare number). The IHI combined with the individual’s name and date of birth creates an attractive opportunity for cyber criminals. It is so sensitive that it comes with its own specific legislation sanctions including criminal penalties for breach.

Businesses should ensure they have the right processes in place when collecting and storing this kind of information to avoid exposure to civil and criminal penalties, including up to two years’ imprisonment for improper use or disclosure of an IHI.

For more information on the appropriate processes for collection and storage of vaccination information, please contact Cameron Abbott from our Privacy team. K&L Gates will keep you informed of any further updates.

Ransomware plan of action

By Cameron Abbott, Rob Pulham and Ella Richards

Following the 60% increase in ransomware attacks over the past year, the Department of Home Affairs has released a Ransomware Action Plan – proposing to introduce mandatory reporting requirements for companies who have been hit by a ransomware attack.

Under the proposal, companies with a turnover of $10 million or more per year will be required to inform the Australian Cyber Security Centre soon after experiencing a ransomware attack and will face civil penalties if they fail to comply. The government is also planning to introduce a standalone offence for cybercriminals who seek to target critical infrastructure as part of the Security Legislation Amendment (Critical Infrastructure) Bill 2020.

This document is part of Australia’s overarching 2020 Cyber Security Strategy, with industry and community consultation anticipated in the near future. Stand by for further developments.

Privacy obligations when collecting COVID-19 vaccination status

By Cameron Abbott, Rob Pulham and Ella Richards

Some Australian jurisdictions have imposed obligations on businesses and employers to either sight, or collect and hold, information about their workers’ COVID-19 vaccination status, or to take reasonable steps to ensure unvaccinated individuals do not enter their worksites or premises. For example, on 7 October 2021, the Premier of Victoria released Directions that require employers to collect information about workers’ COVID-19 vaccination status before allowing them to work anywhere outside of the employees’ usual place of residence. Industry-specific obligations (with some differences to those Directions) also apply to some settings such as education, construction and healthcare. Similarly, under public health orders in New South Wales, certain businesses from 11 October 2021 must take reasonable steps to ensure people who are not fully vaccinated do not enter their premises.

The Victorian Government Directions for workers are in effect from today, 15 October 2021, meaning that many employees must provide proof of either receiving their first dose or having booked their first dose by 22 October 2021.

To comply with privacy obligations (including under applicable health records legislation), employers must provide employees with a clear collection statement that outlines, among other things:

  1. the types of sensitive information that the employer is collecting;
  2. the purpose of the collection;
  3. who the employer may disclose the information to, including specifying if any of these parties are outside of Australia; and
  4. a reference to the employer’s Privacy Policy that applies to the information collected about employees.

Even where a business is not subject to these mandatory collection requirements, they may wish to collect this information from employees to assist the business to maintain a safe and secure working environment (including, for example, to provide encouragement to staff to get vaccinated – subject to the requirements around providing incentives to do so).

If you would like advice on your Privacy obligations as an employer, please reach out to Cameron Abbott from our Privacy team. For further information on the Victorian Government Directions, see the Alert from our K&L Gates employment team here.

Reminder for our Apple-friendly readers

By Cameron Abbott and Ella Richards

Apple has released critical security updates for a vulnerability found by researchers at Citizen Lab for several Apple devices. This includes all iPhones, iPads, Mac Computers, Apple Watches and the Safari Web Browser.

The vulnerability could allow a threat actor to infect devices with spyware without the users knowledge. Once infected, the threat actor could then perform any action on the device that a normal user would. This could include actions like turning the camera and microphone on or recording messages, texts, emails, and phone calls.

Apple encourages all users of their products to update their devices as soon as possible.

UK consults on new data protection regime

By Norin McFadden and Claude-Étienne Armingaud

The UK government has unveiled its much-trailed plans to reform its data protection laws, outlined in a consultation document which is open for public comment until 19 November 2021.

Since Brexit was finalised at the start of 2021, the United Kingdom has retained much of the EU General Data Protection Regulation. The government’s plans, if implemented, would see the UK move away from the EU’s approach in several key ways, which may lead to trouble for the continuation of the adequacy decision granted by the EU in June. If terminated, the adequacy decision, currently permitting free flows of personal data between the EU and the UK, could cause increased costs and bureaucracy for businesses on both sides of the Channel to continue their data transfers. 

Some of the changes to the UK GDPR proposed in the consultation document are:

  • Making the legitimate interests lawful basis easier to use, by publishing a limited, exhaustive list of legitimate interests that organisations can use without having to complete a balancing test.
  • Removal of the right to human review of decisions made on the basis of solely automated data processing.
  • Introducing a fee for responding to subject access requests and allowing organisations to refuse to comply with requests at a lower threshold than “manifestly unfounded”, as allowed in the current legislation.

The proposals also introduce potential changes to the UK’s Privacy and Electronic Communications Regulations, including:

  • Increasing the current maximum penalty of £500,000 for breaches of the direct marketing regulations to the higher of 4% of global turnover or £17.5 million, thereby matching the maximum penalty under UK GDPR.
  • Removing the requirement for websites to obtain consent before serving some analytics cookies.
  • Extending the “soft opt in” for direct marketing to organisations other than businesses, such as charities and political parties.

GDPR: Irish supervisory authority fines WhatsApp 225 million

By Claude-Etienne Armingaud, Camille Scarparo and Léa Fertani.

Further to investigations initiated by the Data Protection Commission (or DPC, the Irish supervisory authority) in 2018, Whatsapp Ireland Limited has received a EUR 225 million fine on 2 September 2021. The company infringed multiple GDPR provisions including in relation with the information provided to data subjects which breached the obligation to ensure transparency of processing (Articles 13 and 14 GDPR).

Following GDPR’s one-stop-shop mechanism and as WhatsApp operates cross-border flows of personal data, the DPC had initially been designated as lead supervisory authority (‘LSA’). Article 60 GDPR requires the LSA to submit a draft decision to its impacted counterparts across the European Union (the ‘Concerned Supervisory Authorities’). Such draft has been submitted in December 2020 and the Hungarian, Portuguese, Italian, French, Dutch, Polish, German (local and federal) Concerned Supervisory Authorities unanimously raised objections to the DPC in January 2021. The objections mostly addressed the lax approach by the DPC in the assessment of WhatsApp’s breach of GDPR as well as the amount of the initially contemplated fine in view of the dozens of millions of individuals affected by such breach across the European Union.

This resulted in a non-consensual situation, escalading to the dispute resolution process under Article 65 GDPR conducted by the European Data Protection Board (EDPB). The binding decision, adopted on 28 July 2021 and subsequently notified to the DPC, required the Irish supervisory authority to reassess and increase the fine, thus leading to the second-highest fine under GDPR since its entry into force in 2018.

An even ‘hacking’ field – Government Surveillance Bill passed by Parliament

By Cameron Abbott and Ella Richards

The Surveillance Legislation Amendment (Identify and Disrupt) Bill 2020 (Identify and Disrupt Bill) passed both houses of federal parliament on 25 August 2021. The new legislation extends the power of law enforcement agencies to identify and disrupt suspected online criminal activity through the provision of three new warrants.

The new warrants provide the Australian Federal Police and the Australian Criminal Intelligence Commission with the power to:

  1. Modify or delete the data of suspected offenders (data disruption warrants);
  2. Collect intelligence on criminal networks (network activity warrants), and
  3. Take control of a suspected offenders’ online account (account takeover warrants).

Anyone required to assist with government hacking is protected from civil liability. However, anyone who refuses to comply can face up to 10 years’ imprisonment.

Online criminal networks are evolving rapidly with the use of anonymising technology – making the detection of serious online crime near impossible. Encrypted applications such as Discord have stated that approximately 536 verified dealers sold $100,000+ of illegal substances/stolen goods in one week, despite Discord’s “zero-tolerance” approach to illegal activity.

On the other hand, the Office of the Australian Information Commissioner (OAIC) previously warned that the new warrant powers could adversely impact the privacy of a large number of individuals – including those with no suspected involvement in criminal activity.

The complexity of online crime makes it increasingly necessary for law enforcement agencies to level the playing field, identify suspected criminal activity and intercept that activity before it is actioned. However, proportionate consideration of individual privacy rights has created a lively debate in the passage of the legislation thus far.

The Surveillance Legislation Amendment (Identify and Disrupt) Bill 2021 is now awaiting Royal Assent. Keep an eye on our Cyber Law Watch blog further updates.

Copyright © 2024, K&L Gates LLP. All Rights Reserved.