Cybersecurity

Latest Legal Updates

by Practical Guidance Cybersecurity, Data Protection & Privacy

Latest Cybersecurity Law Updates in Australia for 2025

Expertly authored practice-area news, key cases and legislative reforms.


The OAIC reports widespread use of messaging apps among Australian Government agencies

Date: 24 March 2025
Source: Office of the Australian Information Commissioner (OAIC)

Background 

On 19 March 2025, the OAIC published a report to the Attorney-General examining the use of messaging apps, such as Signal, WhatsApp, Telegram and Facebook Messenger, by Australian Public Service (APS) agencies. The report, dated 27 February 2025, reviewed policies and practices across 22 APS agencies and identified widespread use of messaging apps for official purposes. The findings revealed gaps in agency compliance with information management, freedom of information (FOI), privacy and recordkeeping obligations.

Specifically, the Commissioner’s report noted:

  • 16 out of 22 surveyed agencies (73%) explicitly permitted the use of messaging apps for official business, while 3 agencies explicitly prohibited their use, and 3 had no formal position.
  • Among agencies permitting messaging apps, 75% endorsed or preferred the messaging app Signal (a US-based messaging app) due to its security features.
  • Despite widespread use, only 50% of agencies permitting messaging apps had developed clear policies or procedures to guide employees’ use of messaging apps for official business.
  • Agencies lacked comprehensive policies addressing critical issues, including adequate archival requirements, FOI search requirements, privacy obligations, security classification…

Updated guidance document on 5G telecommunications security

Date: 24 March 2025
Source: Cyber and Infrastructure Security Centre

The Department of Home Affairs has released an updated guidance document on the security risks associated with the deployment and operation of 5G networks. The guide provides more detailed information on mitigating risks related to 5G, to assist carriers and carriage service providers with their regulatory obligations. While the Australian Government’s overall stance on 5G security remains unchanged, this update provides greater clarity on risk assessment requirements, regulatory obligations, and evolving security challenges of 5G networks.

Key updates in the guidance document include:

  • the requirement for carriers to apply comprehensive vendor risk assessments, which clearly consider extrajudicial direction (EJD) risks in a vendor’s entire supply chain, including when introducing new technology;
  • carriers and operators of Mobile Private Networks that provide carrier services must notify the Department of Home Affairs of any network changes; and
  • the network architecture of 5G requires stronger protection through multi-layer security strategies.

The update also highlights that upcoming legislative reforms will transfer security obligations from the Telecommunications Act 1997 to the Security of Critical Infrastructure Act 2018, introducing new risk management obligations for some entities.

The growing frequency of…


Vic – County Court publishes new requirements and obligations concerning the use of artificial intelligence in the Common Law Division

Date: 20 March 2025
Jurisdiction: Victoria

Abstract:

On 5 March 2025, the County Court of Victoria published Common Law Division Practice Note PNCLD 1-2025 (PNCLD 1-2025). It applies to all parties, practitioners, expert witnesses and lay witnesses involved in proceedings in the Common Law Division of the court on and from 17 March 2025, and imposes new requirements and obligations concerning the use of artificial intelligence (AI).

Specifically, PNCLD 1-2025 provides at [3.5] to [3.8] that:

  • all parties, practitioners and witnesses (expert and lay) must comply with the court’s Guidelines for Litigants: Responsible Use of Artificial Intelligence;
  • there are a number of risks associated with the use of AI;
  • those persons who prepare, file or rely upon a document in court have a primary obligation to ensure that the document is accurate and not misleading, including by ensuring that:
      • any legislation or cases referred to exist;
      • any summaries or extracts from legislation or case law are accurately described;
      • any affidavits or witness statements represent the actual testimony of the deponent or witness and are written in the deponent…

ASIC sues FIIG for cybersecurity failures

Date: 13 March 2025
Source: Federal Court of Australia

Background

On 12 March 2025, the Australian Securities and Investments Commission (ASIC) filed an originating process and a concise statement in the Federal Court of Australia against FIIG Securities Limited ACN 085 661 632 (FIIG). FIIG is an Australian Financial Services Licensee that specialises in fixed income financial products and services, including providing financial advice, dealing in financial products and providing custodial and depository services.

In general, ASIC alleges that FIIG failed to take adequate steps under the Corporations Act 2001 (Cth) (Corporations Act) to protect itself and its clients against cybersecurity risks, culminating in a cyber attack and the loss of data which was published on the dark web. Specifically, ASIC contends that FIIG:

      • Failed to have adequate cybersecurity measures for more than four years, which resulted in the theft of approximately 385GB of confidential data and the possible theft of the personal information of 18,000 clients. The personal information included the clients’ names, addresses, dates of birth, phone numbers, email addresses, driver’s licences, passports, Medicare cards, tax file numbers, Australian Business Numbers and bank account details;
      • Failed to take steps required by an…

Updated guidance on economic benefits for use in ICT sector procurement

Date: 13 March 2025
Source: Department of Finance

The Department of Industry, Science and Resources (Department) has recently provided updated planning and engagement guidance in relation to value for money decision making in the information, communications and technology (ICT) sector in accordance with the Commonwealth Procurement Rules (CPRs).

The CPRs place an obligation on Commonwealth government officials to consider broader benefits to the Australian economy in the procurement process. The updated guidance builds on existing guidance for application in ICT sector procurements.

The updated guidance aims to assist procuring officials and suppliers in the ICT sector to incorporate broader economic benefits considerations in their procurement activities, including:

      • more effective utilisation of Australian resources and spare industrial capacity; and
      • innovative ICT procurement to support long term growth.

For more information, see the Department of Finance media release and the published copy of the guidance.


The UK’s Information Commissioner’s Office commences investigations into how social media companies use children’s personal information

Date: 12 March 2025
Source: Information Commissioner’s Office

Background and investigations

The UK’s Information Commissioner’s Office (ICO), the UK’s independent regulator for privacy and data protection matters, has announced that it is investigating:

      1. How TikTok, a video-sharing and social media platform, uses 13-17-year-olds’ personal information to make content recommendations in those users’ feeds;
      2. How Reddit, a social media company, assesses the age of its child UK users; and
      3. How Imgur, a social media company, assesses the age of its child UK users.

The ICO has growing concerns that children are being served inappropriate or harmful content through social media feeds. These investigations form part of the ICO’s ongoing efforts to enforce compliance with data protection obligations in the UK.

The ICO’s recent regulatory achievements

The ICO has been very active in the past year, achieving the following outcomes:

      • X (formerly, Twitter), a social media company, has stopped serving adverts to child users;
      • X removed the ability for under 18s to opt in to geolocating services;
      • X improved public transparency materials available for under 18s;
      • X created a dedicated help centre for child users…

Ransomware reporting rules come into effect

Date: 7 March 2025
Source: Federal Register of Legislation

Background and commencement

On 4 March 2025, the Cyber Security (Ransomware Payment Reporting) Rules 2025 (Rules) came into effect. The Rules are subordinate legislation made under Part 3 of the Cyber Security Act 2024 (Cth) (Act).

The Rules require organisations designated as ‘reporting business entities’ to report ransomware payments to a Commonwealth body when they are affected by a cyber incident.

What constitutes a ‘reporting business entity’?

Businesses that have operated for the entire preceding financial year:

      • Any business with an annual turnover of $3 million for the previous financial year will be deemed as a reporting business entity.

Businesses that have not operated for the entire preceding financial year:

      • Where the business has only carried on operations for part of the previous financial year, the $3 million threshold remains, but is adjusted according to this formula: $3 million x (number of days operating / number of days in the previous year).

Overview of the reporting requirements

Reports must be submitted within 72 hours of making a ransomware payment or becoming aware that a payment was made and include detailed information about the cyber incident, the…


Rules extending Consumer Data Right obligations to non-bank lenders finalised

Date: 6 March 2025
Source: Federal Register of Legislation

Abstract:

On 3 March 2025 the Competition and Consumer (Consumer Data Right) Amendment (2025 Measures No. 1) Rules 2025 (Cth) (Amending Rules) were registered. This action follows on from several stakeholder consultations undertaken by Treasury, the most recent on exposure draft rules (Draft Rules) during December 2024. Details of consultation papers including the Draft Rules are available on Treasury’s website.

The purpose of the Amending Rules is to extend the Consumer Data Right (CDR) to the non-bank lending (NBL) sector and narrow the scope of CDR data for the banking and NBL sector.

The Amending Rules provide that NBLs with data sharing obligations are to be classified as either an initial or a large provider. The Amending Rules set out timeframes for the staged implementation of the CDR depending on this classification.

      • Initial providers are NBLs with over $10 billion in resident loans and resident finance leases as reported to Australian Prudential Regulation Authority (APRA) for the calendar month preceding the commencement date and on average over the 12 previous calendar months (each associated NBL’s loans/leases to be included in the calculation)…

Draft Online Safety Codes Released

Date: 4 March 2025
Source: eSafety Commissioner

Background

On 28 February 2024, a tranche of draft online safety codes were submitted to the eSafety Commissioner.

The codes are developed by industry associations as required under the Online Safety Act 2021 (Cth). These are known as ‘phase two’ codes and cover Class 1C and 2 materials, which protect children (people under 18) from exposure to online pornography, self-harm, eating disorder content, the promotion of suicide, violence and other harmful content.

The phase two codes have been in development since 1 July 2024, and the eSafety Commissioner is now reviewing the codes for legislative compliance to register them as law or to continue the editing process. 

The available draft codes

All drafts are available for review, save for the code for app distribution services, which is due to be submitted by 28 March 2025. The codes are:


ACCC inquiry into the superfast broadband access service (SBAS) access determination

Date: 4 March 2025
Source: Australian Competition and Consumer Commission

The Australian Competition and Consumer Commission (ACCC) has published a discussion paper as part of its inquiry into the superfast broadband access service (SBAS) access determination. The inquiry commenced on 15 January 2025, following the ACCC’s recent publication of the interim Binding Rules of Conduct (BROC) for SBAS. With the SBAS declaration set to expire on 28 July 2026, the ACCC is required to review the declaration in the 18-month period prior.

The discussion paper invites stakeholders to provide feedback on whether additional regulated access terms should be incorporated into the SBAS access determination. More specifically, it asks whether such terms should be included regarding the locations and characteristics of the points of interconnection for access seekers acquiring a declared SBAS, and regarding other price and non-price access terms.

The paper includes the following guiding questions; responses should be submitted in both a public and a confidential version:

      1. Should additional regulated access terms be included in the SBAS access determination regarding the locations and characteristics of the points of interconnect? If so, what additional access terms do you consider should be included…

WA – Supreme Court seeks consultation on the development of a practice note on the use of artificial intelligence in court proceedings

Date: 3 March 2025
Jurisdiction: Western Australia

Abstract:

On 27 February 2025, the Supreme Court of Western Australia published a consultation note concerning its intention to develop a practice direction on the use of artificial intelligence (AI) by the legal profession in court proceedings (Consultation Note).

The stated purpose of the Consultation Note is to obtain submissions from the profession and other stakeholders concerning the appropriate use of generative AI by the legal profession in proceedings, and the content of any applicable practice direction.

The Consultation Note:

      • provides a summary of relevant guidelines and practice directions issued in other jurisdictions, both in Australia and internationally;
      • outlines the court’s concerns as to the limitations and pitfalls associated with the use of generative AI in proceedings; and
      • poses a series of questions for legal professionals and other stakeholders, including how generative AI is currently being used by the profession and whether any practice directions should be proscriptive or in the form of guidelines or a practice note.

The court has requested that submissions in response to the Consultation Note be forwarded…


Freedom of Information Commissioner’s recent decisions on public interest conditional exemptions

Date: 3 March 2025
Court: Office of the Australian Information Commissioner
Commissioner: Freedom of Information Commissioner, Toni Pirani
Judgment date: 25 February 2025; 26 February 2025
Catchwords: Freedom of Information — disclosure of personal information — unreasonable disclosure of information — contrary to public interest

Abstract:

Two recent decisions by the Freedom of Information Commissioner, Toni Pirani (Commissioner), examined the application of s 47F of the Freedom of Information Act 1982 (FOI Act). Both decisions considered whether the disclosure of ‘personal information’ would be ‘unreasonable’ and whether such disclosure would be ‘contrary to the public interest’ under s 11A(5) of the FOI Act.

Sections 47F and 11A(5) of the FOI Act

The FOI Act grants individuals the right to access documents held by government agencies, subject to certain exemptions. Under s 47F, documents containing ‘personal information’ are conditionally exempt if disclosure would be ‘unreasonable.’ However, even if a document is conditionally exempt, s 11A(5) requires agencies to release the document unless disclosure would be ‘contrary to the public interest.’

Decision 1: ‘AUI’ and Department of the Prime Minister and Cabinet

In this decision, the applicant sought access to material in a document…


OAIC’s digital ID regulatory strategy

Date: 3 March 2025
Source: Office of the Australian Information Commissioner (OAIC)

Overview

On 26 February 2025, the OAIC released its Digital ID regulatory strategy (Strategy). The OAIC has, in its Strategy, outlined its strategic approach for overseeing privacy within Australia’s digital ID system and related identity verification services. As the independent national regulator, the OAIC’s mandate is to ensure that individuals’ privacy rights are upheld and that identity verification practices are secure and compliant with legislative requirements.

The Strategy

The OAIC’s Strategy outlines its vision, regulatory activities and intended outcomes. The vision is threefold:

      1. Greater public awareness: The OAIC seeks to enhance the public’s ability to recognise and avoid unsafe identity verification practices through education, enforcement actions and targeted communications;
      2. Organisational compliance: The OAIC seeks to encourage businesses to adopt secure, privacy-enhancing identification methods. This seeks to reduce the unnecessary circulation and retention of personal information online; and
      3. Trust in digital ID: The OAIC seeks to ensure that Australians trust that their privacy is protected when using the digital ID system. The OAIC will provide guidance for accredited entities and conduct other activities such as assessments of accredited entities’…

Oxfam Australia’s enforceable undertaking

Date: 3 March 2025
Source: Office of the Australian Information Commissioner (OAIC)

Background

Oxfam Australia (importantly, a separate legal entity from Oxfam Great Britain) has offered an enforceable undertaking under s 114(1) of the Regulatory Powers (Standard Provisions) Act 2014 (Cth) in response to concerns raised by the Privacy Commissioner following an investigation into a data breach.

In January 2021, unauthorised access to Oxfam’s User Acceptance Testing database – which contained personal data of supporters used during a Customer Relationship Management migration project – was discovered. The stolen 1.7 million records were offered for sale on an online marketplace for stolen data.

The Enforceable Undertaking

In its undertaking, Oxfam Australia commits to (among other things):

      1. Strengthening its information security measures. This will occur, for example, by implementing IP whitelisting, multi-factor authentication, biometric controls and enhanced monitoring;
      2. Revising operational procedures, including by updating password policies, phasing out shared credentials where possible and providing updated and expanded mandatory privacy and cyber security training for staff;
      3. Reviewing and, where necessary, de-identifying or destroying unnecessary supporter data;
      4. Undertaking a comprehensive review of its testing processes and engaging an independent expert to assess compliance with the Privacy Act; and…

Updated guide on email account security by the Australian Signals Directorate

Date: 24 February 2025
Source: Australian Signals Directorate (ASD)

The Australian Signals Directorate (ASD) has released an updated guide addressing email account security, due to the increasing prevalence of cyberattacks on email accounts. Email accounts continue to be a primary target for cybercriminals who seek to steal sensitive information, commit fraud, or impersonate users for malicious purposes. Given the evolving nature of these attacks, the ASD emphasises the importance of proactive measures in securing email accounts and safeguarding private information.

The updated guide outlines clear, actionable steps for individuals and businesses to follow to reduce the risk of unauthorised access across different email account providers.

Key recommendations for securing email accounts include:

      • changing your password to a strong and unique one when you suspect your email account has been compromised;
      • updating your account recovery information to ensure it is correct and up to date;
      • signing out of all sessions to disrupt and disconnect any intruders;
      • enabling multi-factor authentication to add an extra layer of security;
      • checking email settings to remove any unfamiliar email filters, blocked addresses, or forwarding settings;
      • reviewing third-party access to unauthorised or unused third-party apps linked to…


New legal regime governing scams prevention – the Scams Prevention Framework

Date: 24 February 2025
Source: Parliament of Australia

Background and commencement

On 21 February 2025, a new legal regime for combating scams that target Australian consumers took effect as law. This is part of the Federal Government’s response to the increasing sophistication of scams, which caused Australian consumers losses of $2.7 billion in 2023. It seeks to standardise protections across industries by imposing consistent obligations on regulated entities.

The law was enacted through the Scams Prevention Framework Bill 2024 (Bill), which creates a new legal framework that combats scams primarily through enhanced regulation of certain entities. The framework is called the Scams Prevention Framework. The regulated entities include social media companies, telecommunications providers, banking businesses (other than State banking), insurance businesses, postal businesses and broadcasting services.

Obligations on regulated entities

The Scams Prevention Framework will, among other things, introduce six overarching principles and a multi-regulator model, which will enable the development of sector-specific codes and an external dispute resolution scheme. The regulated entities must take proactive measures against scams, and the Australian Competition and Consumer Commission (ACCC), as the general regulator, has the power to monitor, investigate and…


Tasmania releases its 2024-28 cyber security strategy

Date: 19 February 2025
Source: Tasmanian Government – Department of Premier and Cabinet

Background

On 18 February 2025, the Tasmanian Government announced its 2024-28 Cyber Security Strategy. The strategy contains three goals, each with three-to-four target actions.

Goal 1 – Cyber security leadership

Through this goal, the Tasmanian Government commits to responding to emerging cyber security threats. This is to be achieved through the harmonisation of resources across government agencies and efficient information sharing.

Goal 2 – Embed security in all government services

Through this goal, the Tasmanian Government commits to enhancing cyber security culture generally, identifying new ways to address cyber risks, and developing a pool of local cyber experts that can be leveraged by government and industry.

Goal 3 – Partnerships

Through this goal, the Tasmanian Government commits to strengthening industry partnerships to develop its cyber security systems and frameworks.

More information

The Cyber Security Strategy relates to the overarching Cyber Security Policy (2022), which mandates cyber security standards for all Tasmanian Government agencies.


DFAT sanctions Russian cybercrime actors

Date: 13 February 2025
Source: Australian Government Department of Foreign Affairs and Trade (DFAT)

Background

On 11 February 2025, Senator the Hon Penny Wong, being the Minister for Foreign Affairs, designated five Russian individuals and one Russian entity for targeted financial sanctions and travel bans in response to significant cyber incidents that occurred, at least in part, outside Australia. The sanctions came into effect on 12 February 2025.

The sanctioned entity is subject to targeted financial sanctions. Five employees of that entity are subject to both targeted financial sanctions and to travel bans.

The sanctioned entity and persons

The targeted entity is:

      • ZServers (also known as XHOST Internet Solutions LP; XHOST; ISXHOST – based in the Siberian city of Barnaul).

The targeted persons, who are each employees of ZServers, are:

      • Aleksandr Sergeyevich Bolshakov;
      • Aleksandr Igorevich Mishin;
      • Ilya Vladimirovich Sidorov;
      • Dmitriy Konstantinovich Bolshakov; and
      • Igor Vladimirovich Odintsov.

The legal basis for the sanctions

These sanctions fall within the ambit of Australia’s autonomous sanctions regime, specifically under the Autonomous Sanctions (Designated Persons and Entities and Declared Persons – Thematic Sanctions) Amendment (No. 1) Instrument 2025.


The ACCC seeks feedback on aspects of the CDR compliance and enforcement priorities for 2025

Date: 12 February 2025
Source: Australian Competition and Consumer Commission

Background and current priorities

The Australian Competition and Consumer Commission (ACCC) is seeking feedback on the Consumer Data Right (CDR) Compliance and Enforcement Policy 2023. The ACCC seeks these views to inform its areas of compliance and enforcement focus in 2025. The survey is designed to receive input from CDR stakeholders on these priorities.

The ACCC and OAIC’s current areas of CDR compliance and enforcement priorities are:

      • Data holders hindering processes;
      • Failure to meet compliance dates;
      • Insufficient data quality;
      • Insufficient oversight of third parties by accredited data recipients;
      • Insufficient security measures;
      • Misleading or deceptive conduct; and
      • Misuses of CDR data.

The survey

The survey seeks feedback on questions including:

      • The organisation’s top three areas of priorities;
      • Specific issues that the organisation considers to be critical for the ACCC to focus on in 2025;
      • Examples of such issues;
      • The organisation’s considerations of additional compliance and enforcement activities to assist in CDR compliance;
      • Areas to focus on that would further ensure the integrity of the CDR regime; and
      • The efficacy of current enforcement options.

Australia signs a joint statement on data protection and artificial intelligence

Date: 12 February 2025
Source: Data Protection Commission of the European Union

Background

On 11 February 2025, Australia signed a joint statement on data protection and artificial intelligence (AI). The joint statement was also signed by the Republic of Ireland, France, the Republic of Korea and the United Kingdom.

Features of the joint statement

The joint statement contains nine articles. The first four articles are the recognitions of various facets of the risks and opportunities with AI, and articles 5-9 detail a list of mutual commitments. Legal professionals should note the following recognitions and mutual commitments.

The list of recognitions (articles 1-4) relevantly includes:

      • Recognising that AI should be developed and deployed in accordance with data protection and privacy rules and other norms;
      • Recognising that AI systems should be subject to robust internal data governance frameworks; and
      • Recognising that, given the exceedingly complex AI environment, there is a need for legal certainty with respect to the application of AI rules.

The list of mutual commitments (articles 5-9) relevantly includes…


A new cybersecurity information sheet on content credentials

Date: 6 February 2025
Source: Australian Signals Directorate

Cybersecurity Information sheet on content credentials

On 30 January 2025, a cybersecurity information sheet on content credentials (the Content Credentials Information Sheet) was released. The Content Credentials Information Sheet is a joint initiative of the National Security Agency, Australian Signals Directorate’s Australian Cyber Security Centre, Canadian Centre for Cyber Security and the United Kingdom National Cyber Security Centre.

Purpose of the Content Credentials Information Sheet

The rapid advancement of generative AI and machine learning technology in the 2020s has dramatically increased the ease, speed and quality with which digital media (images, videos, audio and text) can be created, altered and disseminated. These tools have beneficial uses, but their cybersecurity risks include enabling sophisticated manipulation of traditional verification methods. In response to these developments, the above-mentioned international coalition of cyber security organisations has created the Content Credentials Information Sheet.

AI-generated and manipulated content (including deepfakes) can be used to impersonate individuals, commit fraud and influence public opinion. The widespread availability of these tools increases the risk of malign activity, which carries the real risk of impacting corporate security, legal processes and general…


NSW — Uniform Civil Procedure Rules 2005 amended to regulate the use of generative AI in civil proceedings

Date: 3 February 2025
Source: New South Wales legislation
Jurisdiction: New South Wales

Abstract:

On 3 February 2025, the Uniform Civil Procedure (Amendment No 104) Rule 2025 (Amendment Rule) came into operation, implementing new prohibitions and requirements in relation to the use of generative artificial intelligence (Gen AI).

The Amendment Rule implements amendments to the Uniform Civil Procedure Rules 2005 (NSW) (UCPR) to align the UCPR with the requirements of Practice Note SC Gen 23 – Use of Generative Artificial Intelligence (Gen AI) (SC Gen 23), which also commenced operation on 3 February 2025.

In broad summary, the Amendment Rule implements the following changes to civil procedure in New South Wales courts:

Witness statements

      • The inclusion of new rr 31.4(3A), (3B) and (3C), which:
        • prohibit the use of Gen AI to generate the content of a witness statement, including by altering, embellishing, strengthening, diluting or rephrasing a witness’s evidence;
        • require witness statements to include a statement that Gen AI was not used to generate the content of the witness statement; and
        • prohibit the use of Gen AI to…

NSW – Supreme Court issues amended Practice Note to regulate the use of generative AI in court proceedings

Date: 28 January 2025
Jurisdiction: New South Wales

Abstract:

On 28 January 2025, the Chief Justice of New South Wales issued Amended Practice Note SC Gen 23 – Use of Generative Artificial Intelligence (Gen AI) (Amended SC Gen 23).

Amended SC Gen 23 replaces the original version of the Practice Note issued on 21 November 2024 and commences operation on 3 February 2025.

The amended Practice Note regulates the use of generative AI (both closed-source and open-source large language models) (Gen AI) in all proceedings in the Supreme Court of New South Wales. For a summary of the contents of the original version of the Practice Note, refer to our prior Latest Legal Update.

Amended SC Gen 23 is largely identical to the original Practice Note save for a few significant amendments, including:

      • the amendment of [6]:
        • to exempt technology or functionality that merely provides translation of documents;
        • with the effect that technology or functionality that “generates chronologies from original source documents” is no longer excluded from the operation of the Practice Note on definitional grounds (rather, such technology is now expressly…

Department of Home Affairs releases factsheets for the Cyber Security Act 2024 (Cth)

Date: 22 January 2025
Source: Department of Home Affairs

New factsheets

The Department of Home Affairs has released factsheets on the following topics:

Background and commencement

On 30 November 2024, the Cyber Security Act 2024 (Cth) (Act) started its tiered commencement.

The Act will, among other things, create mitigation measures for extant cyber risks, improve the Federal Government’s visibility over the cyber threat environment, amend and create incident response procedures, establish the power to mandate security standards for smart devices and introduce mandatory reporting obligations for entities affected by cyber incidents.

The following parts of the Act came into effect on 30 November 2024:

      • Part 1 (preliminaries);
      • Part 4 (coordination of significant cyber security incidents);
      • Part 6 (regulatory powers); and
      • Part 7 (miscellaneous provisions).

The following parts of the Act will come into effect on a day fixed by proclamation, or by 29 May…


New FOI dashboard and results from a FOI practitioners’ survey

Date: 17 January 2025
Source: Office of the Australian Information Commissioner 

FOI dashboard

On 13 January 2025, the Office of the Australian Information Commissioner (OAIC) released a new statistics dashboard. The dashboard aims to improve public access about Australia’s freedom of information (FOI) system. The dashboard will be updated quarterly and provides data over the last five years. The dashboard currently only works on a computer, but a mobile-friendly version is being developed.

Practitioners’ survey

Also published on 13 January 2025, the 2024 OAIC practitioners’ survey received 147 submissions (representing a 71% response rate) from primary FOI contact officers of Australian Government agencies. The findings include:

      • Only 29% of agencies have an integrated records management system;
      • Only 22% of agencies have comprehensive document management policies;
      • Only 26% of agencies use a case management system for FOI requests; and
      • 79% of agencies use informal, on-the-job training for FOI obligations.

The survey identified these top five subjects that practitioners would like guidance on:

      • Conditional exemptions;
      • Exemptions;
      • Decision-making;
      • Procedural requirements; and
      • Practical refusals.

As the aim of the survey was to strengthen the OAIC’s understanding of agencies’ needs in relation to their FOI…


Updated guide on cyber security incident response planning by the Australian Signals Directorate

Date: 18 December 2024
Source: Australian Signals Directorate’s Australian Cyber Security Centre

Abstract

The Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) has updated its guidance document on Cyber Security Incident Response Planning (CSIRP) in response to the increasing frequency, scale, and sophistication of cyber threats targeting Australian organisations. The initiative seeks to strengthen the resilience of organisations across Australia’s economic and national infrastructure by providing actionable tools for incident response and recovery.

The guide is a starting point for organisations to develop their own CSIRP and readiness checklist. It highlights the need for businesses to develop, review, and align their CSIRP with existing emergency, crisis, and business continuity plans, as well as jurisdictional and national cyber and emergency response frameworks.

Further, it encourages the development of detailed playbooks for common incidents like ransomware attacks and data breaches, as well as Standard Operating Procedures for asset-specific responses. By utilising this guide, legal practitioners can help clients align their CSIRP with the relevant legal and regulatory requirements.

For more information, see the Australian Signals Directorate’s Australian Cyber Security Centre’s media release here.


The Online Safety Amendment (Social Media Minimum Age) Bill 2024 receives royal assent

Date: 16 December 2024
Source: Parliament of Australia 

Status of the Bill

The Online Safety Amendment (Social Media Minimum Age) Bill 2024 (the Bill) received royal assent on 10 December 2024. The Bill amends the Online Safety Act 2021 (the Act) to create new civil penalty provisions and require social media platforms to take ‘reasonable steps’ to prevent children under the age of 16 from using or creating accounts on their platforms.

What are “reasonable steps”?

The Explanatory Memorandum (EM) states that the onus is on social media platforms to introduce “systems and processes that can be demonstrated to ensure that people under the minimum age cannot create and hold a social media account.” The EM clarifies that platforms will not be punished if young people circumvent any reasonably appropriate measures put in place by the platform, but that a “systemic failure to take action to limit such circumventions” could give rise to a breach.

While the Bill does not outline how platforms must comply with the minimum age obligation, the EM states that “at a minimum... platforms [must] implement some form of age assurance, as…


POLA Bill receives assent

Date: 13 December 2024
Source: Parliament of Australia

Abstract:

On 10 December 2024, the Privacy and Other Legislation Amendment Bill 2024 received royal assent.

The first tranche of privacy reforms is further detailed in September’s LLU; the amendments made during passage are noted in a more recent LLU.

The laws come into effect on:

      • automated decision-making processes: 24 months after Royal Assent;
      • statutory tort for serious invasions of privacy: up to 6 months after Royal Assent; and
      • almost all other amendments: the day after Royal Assent.

Read the full text of the Bill here.


Australian Signals Directorate releases new guidance on procuring secure digital products and services

Date: 12 December 2024
Source: Australian Signals Directorate’s Australian Cyber Security Centre

Abstract:

In response to the escalating cyber threats compromising user privacy and data, the Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC), in collaboration with international partners, has released a comprehensive guide aimed at assisting organisations in procuring secure and verifiable digital products and services. This initiative underscores the critical need for organisations to integrate security considerations into their procurement processes to mitigate risks and reduce costs associated with cyber incidents.

The guide emphasises the importance of adopting secure-by-design and secure-by-default principles in digital products and services. It provides a roadmap for organisations to evaluate the security and suitability of digital products throughout their lifecycle. The recommendations are supported by international cybersecurity agencies, including the Cybersecurity and Infrastructure Security Agency (CISA), Canadian Centre for Cyber Security (CCCS), and others, highlighting a global consensus on the need for robust cybersecurity measures in procurement.

Legal practitioners advising organisations on procurement must now consider the implications of this guide. The emphasis on secure-by-design and secure-by-default principles may influence contractual obligations and due diligence processes. Organisations are encouraged…


Parliament passes the Online Safety Amendment (Social Media Minimum Age) Bill 2024

Date: 12 December 2024
Source: Parliament of Australia

Status of the Bill

On 29 November 2024, the Federal Government passed the Online Safety Amendment (Social Media Minimum Age) Bill 2024 (the Bill), which is currently awaiting royal assent. The Bill makes amendments to the Online Safety Act 2021 (the Act), requiring social media platforms to take reasonable steps to prevent children under the age of 16 from using their platforms. While it does not outline what ‘reasonable steps’ are required for providers to be in compliance, the eSafety Commissioner will be responsible for establishing these guidelines.

The Bill will also make amendments to the Age Discrimination Act 2004 (Cth) to facilitate the reform.

Once the Bill receives Royal Assent, large providers of online services will have 12 months to comply with the new obligations.

Read the text of the Online Safety Amendment (Social Media Minimum Age) Bill here.


Government announces News Media Bargaining Incentive for digital platforms

Date: 12 December 2024
Source: The Hon Michelle Rowland MP

The Federal Government has announced a News Media Bargaining Incentive which aims to encourage digital platforms to enter into or renew commercial deals with news publishers.

The incentive will apply to large digital platforms operating significant social media or search services (regardless of whether or not they carry news) and will include a charge and an offset mechanism. Platforms that choose not to enter or renew commercial agreements with news publishers will pay the charge and platforms with these commercial agreements will be able to offset their liability. The charge will be set at a level higher than digital platforms would pay under direct deals with news media businesses.

The new incentive arrangement is intended to commence from 1 January 2025.

The incentive aims to strengthen the existing News Media Bargaining Code, which facilitates commercial agreements between news media businesses and digital platforms. The Hon Stephen Jones MP stated that “[The new incentive] strengthens the existing code by addressing loopholes that could see platforms circumvent their responsibility to pay.”

The Government will consult on the final policy details, such as the amount…


Legal profession regulators issue joint statement regarding ethical and responsible use of AI by lawyers

Date: 6 December 2024
Source: Law Society of New South Wales

Abstract:

A new Statement on the use of AI in Australian legal practice (Statement) has been jointly issued by legal profession regulators in Uniform Law states, namely the Law Society of New South Wales (LSNSW), the Legal Practice Board of Western Australia (LPBWA), and the Victorian Legal Services Board and Commissioner (VLSBC).

The Statement is based on the ethical conduct rules and duties that legally bind practitioners, and applies to solicitors in New South Wales, and to solicitors and barristers in Victoria and Western Australia.

Statement on the use of AI by lawyers

The Statement contains a set of common principles to guide lawyers in their use of artificial intelligence (AI), with the aim of protecting clients from risk, ensuring that AI is used for the benefit of clients, and preserving the proper administration of justice.

A number of the principles align with practitioners’ duties to maintain high ethical standards and comply with their professional obligations under the Legal Profession Uniform Law (Uniform Law), and the Legal Profession Uniform Law Australian Solicitors’ Conduct Rules…


WA Parliament passes Privacy and Responsible Information Sharing Bill 2024

Date: 5 December 2024
Source: Parliament of Western Australia

Abstract:

The Parliament of Western Australia has passed the Privacy and Responsible Information Sharing Bill 2024 (the Bill).

The Bill, when assent is received, will provide a framework to protect the privacy of Western Australians’ personal data handled by public entities, Ministers, Parliamentary Secretaries and contracted service providers to public entities. The Bill aims to modernise privacy protections whilst also facilitating the safe and efficient sharing of information across the public sector and trusted third parties.

It will also establish the office of the Chief Data Officer, which will work to resolve privacy complaints.

Read the full Bill here.


OAIC cracks down on data scraping

Date: 4 December 2024
Source: Office of the Australian Information Commissioner

Abstract:

The Office of the Australian Information Commissioner (OAIC) has recently sought and obtained determinations in three separate proceedings relating to Australian Privacy Principle (APP) 3.5, furthering its commitment to combating data scraping.

APP 3.5 states that the collection of personal data must only be by fair and lawful means. In its pursuit of upholding the principle, the OAIC sought determinations related to investigations into Clearview ('AHM' and JFA (Aust) Pty Ltd t/a Court Data Australia (Privacy) [2024] AICmr 29), Master Wealth Control (Commissioner Initiated Investigation into Master Wealth Control Pty Ltd t/a DG Institute (Privacy) [2024] AICmr 243), and Property Lovers (Commissioner Initiated Investigation into Property Lovers Pty Ltd (Privacy) [2024] AICmr 249).

Privacy Commissioner Carly Kind said she took a broad approach to the assessment of these cases, focusing on the circumstances in which data was being collected, whether the individuals knew their data was being collected and what purpose it was collected for.


Select Committee on Adopting Artificial Intelligence releases final report

Date: 4 December 2024
Source: Parliament of Australia

Abstract:

The Federal Government’s Select Committee on Adopting Artificial Intelligence (AI) has released its final report.

The Committee makes 13 recommendations in its report:

      1. The Federal Government should introduce new, whole-of-economy, dedicated legislation to regulate high-risk uses of AI.
      2. Part of the dedicated legislation should involve the adoption of a principles-based approach to defining high-risk AI uses, supplemented by a non-exhaustive list of explicitly defined high-risk AI uses.
      3. The aforementioned list should explicitly include general-purpose AI models, such as large language models.
      4. The Government should continue to increase the financial and non-financial support it provides in bolstering sovereign AI capability in Australia, focusing on Australia’s existing areas of comparative advantage and unique First Nations perspectives.
      5. The Government should ensure that the final definition of high-risk AI clearly includes the use of AI that impacts on the rights of people at work, regardless of the approach adopted.
      6. The Government should broaden the existing work health and safety legislative framework to apply to the workplace risks posed by the adoption of AI.
      7. The Government should ensure that workers…

Both houses pass the Privacy and Other Legislation Amendment Bill 2024, with amendments

Date: 2 December 2024
Source: Parliament of Australia

Abstract

On 29 November 2024, both houses of Federal Parliament passed the Privacy and Other Legislation Amendment Bill 2024 (Cth) (the Bill). The Bill introduces into law the first tranche of privacy reforms that were proposed by the House of Representatives on 12 September 2024, but with some changes.

The Senate has made the following amendments to the Bill, to which the House of Representatives has agreed:

      • Whilst the proposed anti-doxxing measures will be implemented, the Minister must authorise an independent review of the anti-doxxing measures within 24 months of the measures commencing.
      • A compliance regime has been added, allowing the Commissioner to issue compliance notices to any Australian entity that is reasonably believed to have violated the data breach notification requirements (section 26WK) or certain Australian Privacy Principles (APPs) related to privacy policies, anonymity, direct marketing, and handling requests. The relevant APPs include requirements for having a privacy policy, allowing anonymous interactions, providing opt-out options for marketing, responding to requests within a reasonable time, and notifying individuals about the source of their personal information.
      • Amendments have been made…

Supreme Court accepts Cryptocurrency as property (Re Blockchain Tech Pty Ltd)

Date: 2 December 2024
Court: Supreme Court of Victoria
Judge(s): Attiwill J
Judgment date: 12 November 2024
Catchwords: Corporations — Administration — Oppressive conduct — Breach of duties

Abstract:

In Re Blockchain Tech Pty Ltd [2024] VSC 690, the Supreme Court of Victoria (the Court) held that the cryptocurrency Bitcoin is capable of being property.

Background:

The plaintiffs alleged that 36 Bitcoin, worth approximately $5 million AUD, were transferred to the first defendant under bailment, thus entitling Blockchain Tech Pty Ltd to immediate possession of the Bitcoin. The plaintiffs also alleged that a further 25 Bitcoin had been held on trust by the defendant, who had failed to properly account for their use of the Bitcoin, and that some amount was misused for personal expenses.

The Court’s decision:

To be able to make the orders sought by the plaintiffs, the court had to establish that an interest in Bitcoin is property.

Attiwill J applied the Ainsworth Test from National Provincial Bank v Ainsworth [1965] AC 1175, that is, that property is:

      • identifiable by subject matter;
      • identifiable by third parties;
      • capable of assumption by third parties; and
      • has some degree of…

2023-2030 Australian Cyber Security Strategy Bills receive assent

Date: 2 December 2024
Source: Parliament of Australia

Abstract:

The suite of 2023-2030 Australian Cyber Security Strategy Bills; the Intelligence Services and Other Legislation Amendment (Cyber Security) Bill 2024, the Cyber Security Bill 2024, and the Security of Critical Infrastructure and Other Legislation Amendment (Enhanced Response and Prevention) Bill 2024 have now received royal assent.

Details of the instruments are outlined in the previous Latest Legal Update, here: 2023-2030 Australian Cyber Security Strategy Bills pass through Parliament.

Read the full text of the Intelligence Services and Other Legislation Amendment (Cyber Security) Bill 2024 here.

Read the full text of the Security of Critical Infrastructure and Other Legislation Amendment (Enhanced Response and Prevention) Bill 2024 here.

Read the full text of the Cyber Security Bill 2024 here.


Revised draft rules to expand Consumer Data Right (CDR) to non-bank lenders and narrow the scope of CDR data for banking sector released

Date: 27 November 2024
Jurisdiction: New South Wales

On 26 November 2024, Treasury released an exposure draft of the Competition and Consumer (Consumer Data Right) Amendment (2024 Measures No. 2) Rules 2024 (Amending Rules), explanatory materials (EM) and an information sheet for consultation. The release of the Amending Rules follows on from earlier consultations, the most recent in August 2023, which considered expanding the Consumer Data Right (CDR) rules to non-bank lenders (NBLs). If implemented, the Amending Rules will operate to extend the CDR to the NBL sector and narrow the scope of CDR data for the banking and NBL sectors.

The Amending Rules propose revised thresholds for mandatory data sharing by NBLs. An NBL will be categorised as a data holder and will be required to comply with the CDR Rules where the NBL:

  • has a total value of resident loans and finance leases over $1 billion (compared to $500 million under the previous proposal) for the preceding calendar month;
  • averages over $1 billion for the previous 12 calendar months; and
  • has more than 1,000 customers (compared to…

NSW – Supreme Court issues new Practice Note SC Gen 23 – Use of Generative Artificial Intelligence (Gen AI)

Date: 27 November 2024
Jurisdiction: New South Wales

Abstract:

On 21 November 2024, the Chief Justice of the Supreme Court of New South Wales issued Practice Note SC Gen 23 – Use of Generative Artificial Intelligence (Gen AI) (SC Gen 23), following a detailed review of practice notes issued in other jurisdictions and consultation with the New South Wales Bar Association and the Law Society of New South Wales.

SC Gen 23, which is effective on and from 3 February 2025, regulates the use of generative AI (both closed-source and open-source large language models) in all proceedings in the Supreme Court of New South Wales.

Alongside SC Gen 23, the Chief Justice has also issued Guidelines for New South Wales judges in relation to the use of Gen AI (which are attached to the practice note).

SC Gen 23 – Notable provisions

At [7], SC Gen 23 sets out the limits, risks and shortcomings of generative AI that practitioners and litigants should be mindful of.

SC Gen 23 also sets out clear and express prohibitions, including:

  • a prohibition on entering any of the following into…

Parliament introduces Online Safety Amendment (Digital Duty of Care) Bill 2024

Date: 26 November 2024
Source: Parliament of Australia

Abstract:

The Federal Government has introduced the Online Safety Amendment (Digital Duty of Care) Bill 2024 (the Bill). The Bill proposes amendments to the Online Safety Act 2021 (the Act) to, among other things, introduce new obligations and financial penalties on large providers of online services.

Introduction to the Bill

The Bill expands the powers of the Office of the eSafety Commissioner and imposes reporting obligations on large providers of online services. To be considered a “large provider”, there must be a monthly active user base of at least 10% of the Australian population, 2.6 million or more Australian end-users or 630,000 or more Australian end-users that are children. Social media platforms are specifically named in sub-s 5A(c) of the Bill. As for the protection of children, lesser-known online services with extensive underage user bases, such as Roblox and Character.AI, will be captured under the definition of “large provider”.

Obligations placed on large providers include:

  1. A singular statutory duty of care on large providers for the wellbeing of their Australian users. This duty requires them to take reasonable preventative steps…

2023-2030 Australian Cyber Security Strategy Bills pass through Parliament

Date: 26 November 2024
Source: Parliament of Australia

Abstract:

The suite of 2023-2030 Australian Cyber Security Strategy Bills; the Intelligence Services and Other Legislation Amendment (Cyber Security) Bill 2024, the Cyber Security Bill 2024, and the Security of Critical Infrastructure and Other Legislation Amendment (Enhanced Response and Prevention) Bill 2024 have now passed through both houses of Parliament.

The Bills were introduced as part of amendments proposed by the 2023-2030 Australian Cyber Security Strategy.

Intelligence Services and Other Legislation Amendment (Cyber Security) Bill 2024

This Bill will amend the Intelligence Services Act 2001 to establish a ‘limited use’ obligation to restrict how cyber security information that is voluntarily provided to the Australian Signals Directorate can be used and disclosed. It will also amend the Freedom of Information Act 1982 to make cyber security information voluntarily provided to the National Cyber Security Coordinator exempt from the operation of the Freedom of Information Act 1982.

Security of Critical Infrastructure and Other Legislation Amendment (Enhanced Response and Prevention) Bill 2024

This Bill will amend the Security of Critical Infrastructure Act 2018 (SoCI Act) to:

  • clarify obligations related to certain data storage systems that store…

Parliament introduces draft Online Safety Amendment (Social Media Minimum Age) Bill 2024

Date: 25 November 2024
Source: Parliament of Australia

Abstract:

The Federal Government has introduced the draft Online Safety Amendment (Social Media Minimum Age) Bill 2024 (the Bill).

The Bill proposes amendments to the Online Safety Act 2021 (the Act).

The amendments broadly seek to place responsibilities onto social media platforms to verify the age of their users, with a new minimum age of 16 also established. Platforms will be required to take reasonable steps to prevent users under 16 from creating and using accounts on their platform.

Platforms that would fall under these obligations are categorised as ‘age-restricted social media platforms’, a new term which would be inserted into the Act. The definition of this term will largely draw on the current meaning of ‘social media service’ in s13 of the Act, with the expansion of the ‘sole or primary purpose’ test to a ‘significant purpose’ test when examining whether a service enables online social interactions between 2 or more users. This new definition will not apply to other instruments of the Act.

The Government also proposes to make legislation to initially exclude messaging apps, online gaming services…


MP proposes ‘fair and reasonable’ test for POLA Bill

Date: 22 November 2024
Source: Parliament of Australia

Abstract:

Greens MP Senator David Shoebridge has tabled amendments to the Privacy and Other Legislation Amendment Bill 2024.

The amendments aim to reform the definitions of ‘personal information’ and consent, and to introduce a ‘fair and reasonable’ test.

Shoebridge put forth the introduction of a ‘fair and reasonable’ test for the collection, use or disclosure of personal information which would preclude an APP entity from collecting personal information about an individual unless in fair and reasonable circumstances.

Shoebridge also put forth overhauled definitions of ‘consent’ and ‘personal information’.

Under these proposed definitions consent would carry the meaning of:

  1. when used in relation to the collection, use or disclosure of information—express consent that is:
    • voluntary; and
    • specific to the information that is being collected, used or disclosed; and
    • given at, or reasonably near, the time of the collection, use or disclosure; and
    • given if the person to whom the information relates has been informed of how the information will be collected, used or disclosed; or
  2. otherwise—express consent or implied consent.

The proposed definition of ‘personal information’…


OAIC finds Bunnings’ facial recognition tech breached privacy principles

Date: 20 November 2024
Source: Office of the Australian Information Commissioner

Abstract:

The Office of the Australian Information Commissioner (OAIC) has determined that Bunnings Group Limited has breached the privacy of its customers by collecting personal and sensitive information using facial recognition technology.

The facial recognition system, in effect in 63 stores across Victoria and New South Wales between November 2018 and November 2021, captured the face of every person who entered Bunnings stores.

The OAIC found that Bunnings breached the following Australian Privacy Principles (which are contained in the Privacy Act 1988 (Cth)):

  • APP 3.3: an entity must not collect sensitive information unless the individual consents or an exception applies.
  • APP 5.1: an entity must take reasonable steps to notify an individual, or make sure they are aware, of certain matters around the handling of their personal information.
  • APP 1.2: an entity must take reasonable steps to implement practices, procedures and systems to ensure they comply with the APPs.
  • APP 1.3: an entity must have a clearly expressed and up-to-date privacy policy.

Privacy Commissioner Carly Kind found the technology to be the most intrusive option available to Bunnings in its…


Senate Legal Committee releases report on POLA Bill

Date: 19 November 2024
Source: Parliament of Australia

Abstract:

The Senate Legal and Constitutional Affairs Legislation Committee (Committee) has published its report on the Privacy and Other Legislation Amendment Bill 2024 (the Bill).

The Committee’s report contains a total of ten recommendations, ultimately recommending that the Bill pass subject to those amendments.

The recommendations are:

  • The minimum consultation period for the Children’s Online Privacy Code should be extended to at least 60 days from the current 40.
  • The Bill be amended to include a requirement for the Information Commissioner to consult with relevant industry bodies or organisations when developing the Children's Online Privacy Code.
  • The media organisation exclusion from accessing personal information during declared emergencies is extended to exclude national broadcasters such as the ABC and Special Broadcasting Service.
  • The Bill should empower the Information Commissioner to issue a discretionary notice to an entity to remedy an alleged breach of one or more of the Australian Privacy Principles contained in section 13K before issuing an infringement notice.
  • The Explanatory Memorandum be amended to make clear that the level of information required in privacy policies is not expected to compromise commercial-in-confidence information about automated…

Consumer Data Right Amendment Rules come into force

Date: 14 November 2024
Court: County Court of Victoria
Source: Federal Register of Legislation

The Competition and Consumer (Consumer Data Right) Amendment (2024 Measures No. 1) Rules 2024 have now come into force.

The amendments mainly centre around simplifying provisions relating to consumer consent and operational matters, with the aim of improving the adoption of the regime by business consumers.

Consent amendments

The amendments to data consent processes seek to enhance consumer experience by:

  • extending the data minimisation principle to disclosure, ensuring privacy protection coverage for consumers;
  • enabling consumers to provide multiple CDR consents with a single action;
  • allowing data recipients to pre-select the specific consent elements that would be reasonably needed to provide a specific good or service;
  • simplifying the information that data recipients are required to provide to the consumer at the time of seeking the consumer’s consent;
  • requiring data recipients to provide consumers with information regarding all supporting parties who may access a consumer’s data at the time a consumer’s consent is sought; and
  • requiring data recipients to delete redundant CDR data unless a consumer has given a de-identification consent.

Operational amendments

Operational amendments seek to make it…


Privacy and Other Legislation Amendment Bill 2024 agreed to third reading

Date: 12 November 2024
Source: Parliament of the Commonwealth of Australia

The Privacy and Other Legislation Amendment Bill 2024 (Cth), as explained in the previous Latest Legal Update (Privacy and Other Legislation Amendment Bill 2024 introduced), has now been referred to a third reading.

The Senate Legal and Constitutional Affairs Committee inquiry and report is due by 14 November 2024.

The Bill and Explanatory Memorandum are available for download here.


Introduction of the Scams Prevention Framework Bill 2024

Date: 11 November 2024
Court: County Court of Victoria
Source: Treasury

On 7 November 2024, following on from two formal rounds of consultation, the Scams Prevention Framework Bill 2024 was introduced into the Parliament. If passed, the Bill will introduce a new Part IVF into the Competition and Consumer Act 2010 (Cth), creating a legislative framework called the Scams Prevention Framework (SPF). The SPF is aimed at preventing and responding to scams impacting individuals and small business operators.

The SPF allows the relevant minister to designate certain sectors of the economy as subject to the SPF.

The SPF includes the following features:

  • Six overarching principles (governance, prevent, detect, report, disrupt and respond) that apply to all regulated entities, enforced by the Australian Competition and Consumer Commission as the SPF general regulator.
  • Mandatory industry codes setting out sector specific requirements for the service providers in designated sectors. It is proposed that the banking specific code would be developed by Treasury in consultation with stakeholders. The Australian Securities and Investment Commission would be the SPF sector regulator for the banking sector.
  • Rules to support the effective operation of the SPF.
  • Regulatory and enforcement mechanisms…

County Court of Victoria recognises tort of invasion of privacy (Waller v Barrett)

Date: 5 November 2024
Court: County Court of Victoria
Judge(s): Judge Tran
Judgment date: 28 June 2024

Catchwords:

EQUITY — Breach of fiduciary duty — Whether ratified agency gave rise to fiduciary duties — Whether conflict of interest

RESTITUTION — Money had and received — Where defendant appropriated proceeds of plaintiff’s bank account to own use

PRACTICE AND PROCEDURE — Date from which interest should be awarded — Whether free-standing right to interest on common law claim — Whether interest should be compounding

NEGLIGENCE — duty of care — whether parent owes duty to estranged child not to make public statements about child

EQUITY — breach of confidence — where parent makes public statements about child

TORT — breach of statutory duty — whether available where breach of intervention order

TORT — whether tort of invasion of privacy forms part of common law of Australia — where parent makes public statement about child which not accurate

 

Abstract:

In a case involving intense family trauma and dysfunction, the County Court of Victoria has awarded damages to the daughter for her father’s breach of confidence and recognised invasion of privacy.

 

Facts

The plaintiff, Lynn Waller (a pseudonym), is the daughter of the defendant, Romy Barrett…


Balancing business analytics with privacy: OAIC's Guidance on Third-Party Tracking

Date: 5 November 2024
Source: Office of the Australian Information Commissioner

On 4 November, the Office of the Australian Information Commissioner (OAIC) released guidance for private sector organisations on using third-party tracking pixels on their websites in a way that complies with the Privacy Act and the Australian Privacy Principles (APPs). The guidance addresses the growing use of tracking technologies, such as pixels and cookies, which enable users to be tracked across the internet and social media platforms. While these tools can be important for business analytics, advertising and measuring return on investment, they also have the capacity to undermine privacy and can be harmful and intrusive to users.

The guidance emphasises that organisations seeking to deploy third-party tracking pixels on their websites are responsible for ensuring compliance with the Privacy Act. This includes understanding how the tracking product works, identifying potential privacy risks, and implementing measures to mitigate those risks. Organisations cannot adopt a "set and forget" approach and must conduct appropriate due diligence to avoid privacy compliance and other legal risks.

The guidance aligns with the OAIC's recent efforts to provide organisations with more comprehensive guidance on emerging technologies, such as generative AI products, to…


ASIC report calls for better AI governance in the financial services sector

Date: 30 October 2024
Source: Australian Securities & Investments Commission (ASIC)

Abstract:

On 29 October 2024, ASIC released a report titled Beware the gap: Governance arrangements in the face of AI innovation (REP 798), urging financial services and credit licensees to ensure their governance practices keep pace with their increasing adoption of artificial intelligence (AI). The report presents the findings from ASIC’s first review of the AI governance practices of 23 licensees in the retail banking, credit, general and life insurance and financial advice sectors.

Key findings

  1. Varied and accelerating AI use: AI use varied significantly across the surveyed licensees. Some have been using forms of AI for several years, while others are still early in their journey. Overall, however, adoption of AI is accelerating rapidly.
  2. Increase in generative AI use: While most current use cases used long-established, well-understood techniques, there is a shift towards more complex and opaque techniques (such as neural networks used in deep learning and generative AI). The use of generative AI, in particular, is increasing exponentially, presenting new risk management challenges.
  3. AI and decision making: AI use was…

China releases finalised Network Data Security Management Regulations

Date: 30 October 2024
Source: Cyberspace Administration of China

Abstract:

China has released its finalised Network Data Security Management Regulations (Regulations), which are set to come into effect on 1 January 2025.

The Regulations strengthen existing data protection laws and provide wider and more comprehensive guidance on how data holders should handle personal information and critical data. Harsher penalties for non-compliance will also apply.

The Regulations will sit under the authority of China’s primary data legislation: the Cybersecurity Law (CSL), the Data Security Law (DSL) and the Personal Information Protection Law (PIPL). Under these laws the Regulations will have extra-territorial reach: while they apply to all data processing activities, and their security management and supervision, conducted within China, they may also apply to entities outside China that process the personal information of individuals in China for the purpose of providing products or services to those individuals, or of analysing and evaluating their activities, as stated in the PIPL.

Further, the Regulations will apply to data processing outside of China if it harms the national security, public interests, or legitimate rights…


New data protection guidance for charities and not-for-profits

Date: 25 October 2024
Source: Australian Charities and Not-for-profits Commission

Abstract:

The Australian Charities and Not-for-profits Commission, in collaboration with the Office of the Australian Information Commissioner (OAIC), has released updated guidance on managing personal information and data to aid charitable organisations to better understand their obligations under privacy law.

The updated guidance outlines clear steps for charities to protect personal data and comply with their legal obligations.

Areas covered by the guidance include data collection, secure storage of data and handling of personal data. The guidance also has an emphasis on transparency, outlining the need for charities to build data management trust with donors, beneficiaries and volunteers.

The guidance has been made in line with the OAIC’s updated privacy guidance.

Read the ACNC’s full media release and access the updated guidance here.


Joint committee releases Hansard on inquiry into capability of law enforcement to respond to cybercrime

Date: 24 October 2024
Source: Parliament of Australia

Abstract:

The Parliamentary Joint Committee on Law Enforcement has released a Proof Committee Hansard on its inquiry into the capability of law enforcement to respond to cybercrime.

The Committee identified several challenges facing law enforcement in combating cybercrime, in particular the scale and impact of cybercrime. Cybercrime is on the rise and is costing Australians billions of dollars each year; around 47% of Australians have experienced some form of cybercrime, and small businesses are particularly vulnerable.

The Committee placed an emphasis on the need for greater education in the prevention of cybercrime through awareness in all segments of society. In particular, the Committee noted the need for targeted, tailored education for different groups: schools, businesses and community groups. Current awareness and cyber literacy campaigns are seen as insufficient to meet the needs of these groups.

The Committee also noted the importance of support for victims of cybercrime particularly as many feel shame and reluctance to report crimes.

In response to recent legislative and policy initiatives including the 2023-2030 Australian Cyber Security Strategy, the Committee had…


Department of Industry releases AI Impact Navigator

Date: 24 October 2024
Source: Department of Industry, Science, and Resources

Abstract:

The Department of Industry, Science and Resources (DISR) has released its AI Impact Navigator (the Navigator).

The Navigator is a framework that provides companies with tools to assess and measure the impact and outcomes of their use of Artificial Intelligence (AI). This includes templates for readiness surveys, implementation plans and impact assessments. These tools are to be implemented in a continuous improvement cycle referred to as Plan, Act, Adapt.

The Navigator is aligned with the Voluntary AI Safety Standard and has an emphasis on public reporting and building trust with consumers and other stakeholders, as reflected in its ‘four dimensions’ structure aimed at boosting the positive impacts of the use of AI:

  • social licence and corporate transparency;
  • workforce and productivity;
  • effective AI and community impact; and
  • customer experience and consumer rights.

To read more and access the AI Impact Navigator see here.


Department of Industry, Science and Resources publishes AI and ESG guidance documents

Date: 23 October 2024
Source: AI and ESG – An introductory guide for ESG practitioners

The Department of Industry, Science and Resources (DISR), together with the National Artificial Intelligence Centre, has published a practical guide for Environmental, Social and Governance (ESG) practitioners on how to understand the implications and opportunities of Artificial Intelligence (AI), in a guidance document titled “AI and ESG – An introductory guide for ESG practitioners” (Guide).

The Guide assists ESG practitioners by showing how AI can support ESG solutions and provides practical examples of where AI governance can intersect with ESG governance, along with supporting the implementation of the Voluntary AI Safety Standard.

The Guide has been released in conjunction with an AI Impact Navigator resource that is designed to help businesses better understand, manage and report the impact and outcomes of their use of AI systems.

To access the Guide, see the DISR website here. To access the AI Impact Navigator, see the DISR website here.


Victorian Information Commissioner releases joint statement on VPS organisations

Date: 22 October 2024
Source: Office of the Australian Information Commissioner

Abstract:

The Office of the Victorian Information Commissioner (OVIC) has, together with the Public Record Office Victoria (PROV), released a joint statement on how Victorian public sector organisations (VPS organisations) can mitigate the privacy impacts of an incident, specifically in relation to personal information.

This includes incidents caused by malicious third party or internal party acts, human error or by a failure of the VPS organisation to implement effective privacy security practices.

In the statement, the OVIC and PROV list the minimum expectations they have for VPS organisations:

  • Organisations must not collect more personal information than is necessary for the organisation’s functions;
  • Organisations must implement information security practices that are in line with their obligations; this includes organisations covered by Pt 4 of the Privacy and Data Protection Act 2014 (Vic), which must adhere to the Victorian Protective Data Security Standards;
  • A records disposal program should be in place;
  • Organisations must not de-identify records before the end of the minimum retention period, so that records remain usable for their original purposes;
  • Consideration must be given to the risks involved with…

OAIC releases new AI privacy compliance guides

Date: 22 October 2024
Source: Office of the Australian Information Commissioner

Abstract:

The Office of the Australian Information Commissioner (OAIC) has released two new guides on the application of Australian privacy law to artificial intelligence (AI).

The first guide clarifies how businesses can comply with their privacy obligations when using commercial AI products and how to choose an appropriate AI product. This includes guidance on when privacy obligations apply to personal information input into an AI system as well as data generated by AI that contains personal information and the key risks associated with the use of AI.

The second guide gives privacy guidance to developers who are using personal information to train generative AI models. This includes guidance on what data can be legally used to train generative AI models as well as what steps must be taken to ensure accuracy in models.

These guides are aimed at promoting the OAIC’s focus on privacy in emerging technologies like AI through making compliance with Australian privacy law easier for both businesses and developers.

Access ‘Guidance on privacy and the use of commercially available AI products’ here.

Access ‘Guidance on privacy and developing and…


Privacy and Other Legislation Amendment Bill 2024 referred to Senate Legal and Constitutional Affairs Committee

Date: 16 October 2024
Source: Parliament of the Commonwealth of Australia

The Privacy and Other Legislation Amendment Bill 2024 (Cth), as explained in the previous Latest Legal Update; Privacy and Other Legislation Amendment Bill 2024 introduced, has now been referred to the Senate Legal and Constitutional Affairs Committee for inquiry and report by 11 November 2024.

The Bill and Explanatory Memorandum are available for download here.


Parliament introduces Intelligence Services and Other Legislation Amendment (Cyber Security) Bill 2024

Date: 16 October 2024
Source: Parliament of Australia

Abstract:

Parliament has introduced the Intelligence Services and Other Legislation Amendment (Cyber Security) Bill 2024 as part of a suite of reforms aimed at strengthening cyber security laws in Australia.

The Bill proposes the introduction of limited use obligations for the National Cyber Security Coordinator and the Australian Signals Directorate (ASD).

These provisions would apply where information regarding a cyber security incident is voluntarily given to the ASD by an impacted entity, is created by the ASD in performing its functions or is Relevant Information given to the ASD by the Coordinator.

The ASD would be able to use or disclose this information in limited circumstances, confined to the ASD’s functions in assisting the reporting entity or a Commonwealth/State body to respond to, mitigate or resolve an incident as well as advising Ministers and enabling performance by certain bodies of their statutory functions.

Access the full Cyber Security Legislative Package 2024 here.


Parliament introduces Cyber Security Bill 2024

Date: 16 October 2024
Source: Parliament of Australia

Abstract:

The Cyber Security Bill 2024 (the Cyber Security Bill) has been introduced into Parliament as part of a suite of reforms aimed at strengthening cyber security laws in Australia.

The Cyber Security Bill proposes to impose mandatory ransomware payment reporting obligations on two categories of entities:

Category One includes entities that:

  • are not federal or state bodies;
  • carry on business within Australia with an annual turnover for the previous financial year that exceeds the turnover threshold (likely to be $3 million); and
  • are not defined as responsible entities for a critical infrastructure asset under the Security of Critical Infrastructure Act 2018 (SOCI Act).

Category Two entities are those responsible for a critical infrastructure asset. This includes entities that do not exceed the turnover threshold, or where they are federal or state bodies.

Reports must be made to the designated federal body and reporting obligations will be triggered where:

  • A cyber security incident has occurred, is occurring or is imminent;
  • The incident has had, is having or could be reasonably expected to have an impact on the entity;
  • The attacking entity is making extortion demands in…

Parliament introduces Amendments to Security of Critical Infrastructure Act 2018 (SOCI Act) Bill 2024

Date: 16 October 2024
Source: Parliament of Australia

Abstract:

Parliament has introduced the Amendments to Security of Critical Infrastructure Act 2018 (SOCI Act) Bill 2024 as part of a suite of reforms aimed at strengthening cyber security laws in Australia.

The Bill introduces several critical amendments to the SOCI Act:

  • Part One of the Bill would expand the kinds of assets regulated by the SOCI Act to include data storage systems that contain business critical data.
  • Part Two of the Bill proposes to expand the current government assistance powers under the SOCI Act to apply to a broader range of incidents. This would mean that the Government would have the power to make an entity take action in response to data incidents more broadly rather than just cyber incidents.
  • The Bill also proposes a new definition of ‘protected information’ to provide clarity.
  • Finally, Part Four provides the Government with the ability to issue directions to 'address serious deficiencies' that are identified in a responsible entity's risk management program.

Relevant entities should take notice of these proposed reforms and take proactive steps towards compliance.

Access the full…


101 recommendations: The Victorian Freedom of Information Act proposed to become the Right to Information Act

Date: 15 October 2024
Source: www.parliament.vic.au

Abstract:

The Parliament of Victoria’s Integrity and Oversight Committee has recommended changes to the Freedom of Information Act 1982 (Vic) (FOI Act) to improve accessibility through more proactive release of information. The Committee was tasked with inquiring into a number of matters relating to the FOI Act and has made 101 recommendations.

What is the primary recommendation?

The Committee’s principal recommendation is that the current FOI Act be replaced with a newly titled Right to Information Act. The new Act would have a ‘push’ model under which the maximum amount of government-held information is proactively or informally released by agencies and ministers as a matter of course, unless disclosure would cause an identifiable harm that is not outweighed by the public interest in releasing the information.

 

What are some other recommendations?

  • A new definition of ‘information’ - A ‘broad, technologically neutral’ new definition of ‘information’, replacing the use of the word ‘document’ in the existing legislation, to fully encompass the ways information is created, received, recorded, used, shared and stored in the digital age
  • A…

Landmark Cyber Security Legislation Package introduced

Date: 10 October 2024
Source: Tony Burke MP and Department of Home Affairs

Abstract:

The Federal Government has introduced the ‘Cyber Security Legislative Package’ (the Legislative Package) which will implement seven initiatives under the 2023-2030 Australian Cyber Security Strategy. If passed, the Legislative Package will deliver Australia’s first standalone Cyber Security Act.

The initiatives are aimed at bringing Australian cyber law in line with international best practice standards and ensuring that Australia has the capacity to become a global leader in cyber security.

New measures taken in addressing these shortfalls will:

  • mandate minimum cyber security standards for smart devices;
  • introduce mandatory ransomware payment reporting, requiring specified businesses to report ransom payments;
  • introduce a ‘limited use’ obligation for the National Cyber Security Coordinator and the Australian Signals Directorate (ASD); and
  • establish a Cyber Incident Review Board.

The Legislative Package will further reform the Security of Critical Infrastructure Act 2018 (SOCI Act) to:

  • clarify existing obligations for systems holding critical business data;
  • streamline information sharing across industry and Government;
  • give the Government power to direct entities to address critical deficiencies in their risk management strategies; and
  • relocate regulation of the security of telecommunications into the SOCI Act.

Sanctions update - Australia imposes cyber sanctions on Russian cybercriminals

Date: 3 October 2024
Source: Federal Register of Legislation

The Autonomous Sanctions (Designated Persons and Entities and Declared Persons – Thematic Sanctions) Amendment (No. 5) Instrument 2024 (Cth) designates three Russian individuals for targeted financial sanctions and travel bans under Australia's autonomous sanctions regime on the grounds of their involvement in the Russian cybercrime syndicate known as “Evil Corp”.

The sanctioned individuals are:

  • Maksim Viktorovich Yakubets, founder and leader of Evil Corp;
  • Igor Olegovich Turashev, senior administrator of Evil Corp and DoppelPaymer ransomware group; and
  • Aleksandr Viktorovich Ryzhenko, second-in-command of Evil Corp and affiliate of the LockBit ransomware group.

The Minister for Foreign Affairs was satisfied that these individuals were involved in significant cyber incidents within the meaning of regulations 6A(2) and (3) of the Autonomous Sanctions Regulations 2011 (Cth) by virtue of being involved in Evil Corp as well as its precursors and subgroups.

For more information, see the full text of the instrument and explanatory statement.


ASIC calls for licensing of cryptocurrency industry

Date: 3 October 2024
Source: Australian Securities & Investments Commission (ASIC)

Abstract:

Australian Securities and Investments Commission (ASIC) Commissioner Alan Kirkland has announced that most cryptocurrency businesses in Australia will need to obtain a financial services licence.

“ASIC’s message is that a significant number of crypto-asset firms in the Australian market are likely to need a licence under the current law. This is because we think many widely traded crypto assets are a financial product,” Mr Kirkland announced, prior to speaking at the Australian Financial Review’s (AFR) Crypto and Digital Assets Summit on 23 September 2024.

ASIC has announced that it is preparing to update Information Sheet 225 by November 2024 which will clarify how particular crypto tokens (which represent digital ownership rights) and certain products will be treated.

The Government has previously released a token mapping consultation paper to identify how crypto assets and related services should be regulated. The Government subsequently released a proposal paper, “Regulating Digital Asset Platforms”, in October 2023 (submissions closed in December 2023), which proposes a new regulatory framework in Chapter 7 of the Corporations Act 2001 under which certain activities would require an Australian Financial…


Digital Platform Regulators Forum releases working paper on multimodal foundation models

Date: 23 September 2024
Source: Australian Competition and Consumer Commission

The Digital Platform Regulators Forum (DP-REG) has released its third working paper on multimodal foundation models (MFMs) and their impacts on consumer protection, competition, privacy and online safety.

MFMs are a type of generative artificial intelligence (AI) that can work with different data types, such as images, text and audio. MFMs are a significant advance on large language models (LLMs), which process text only, and have potential for future adoption by businesses and consumers.

The potential harms of MFMs include:

  • the difficulty of determining whether content is genuine or AI-generated without clear disclosure and labelling;
  • the use of personal information by MFMs to produce highly personalised content that is more persuasive and more likely to be distributed; and
  • subsequent challenges for enforcement and regulation across the competition and consumer, privacy and online safety sectors.

The DP-REG’s regulatory members recognise the specific risks of MFMs for each of their sectors:


Department of Industry, Science and Resources releases their Voluntary AI Safety Standard

Date: 20 September 2024
Source: Department of Industry, Science and Resources

Abstract:

The Department of Industry, Science and Resources has released its Voluntary AI Safety Standard (the standard), to be used as a guide for the safe and responsible use of Artificial Intelligence (AI) in Australia.

Included within the standard are ten voluntary guardrails for the use of AI, as well as a guide on how the guardrails should be implemented and when they should be used. The guardrails include establishing accountability processes within organisations as well as risk management guidelines.

The guardrails apply to all organisations within the AI supply chain. The standard also includes definitions, tools and information on how AI interacts with other business guidance and regulation.

Read the full Voluntary AI Safety Standard here.


Department of Industry, Science and Resources seeks feedback on AI guardrails proposals

Date: 20 September 2024
Source: Department of Industry, Science and Resources

Abstract:

The Department of Industry, Science and Resources (the department) is calling for feedback on its proposals paper, Introducing mandatory guardrails for AI in high-risk settings, which outlines the department's proposed guardrails for artificial intelligence (AI).

The proposed guardrails set expectations on the safe and responsible use of AI when utilised in high-risk settings in Australia. The aim of the guardrails is to build public trust around the use of AI, address potential risks and harms resulting from AI, and provide businesses with greater certainty in regard to AI regulation.

The department is seeking feedback on:

  • the proposed guardrails;
  • the proposed definition of high-risk AI; and
  • regulatory options for mandating the guardrails.

Submissions close 4 October 2024.

Read the full proposals paper and make submissions here.


Electronic Transactions Amendment Regulations 2024

Date: 17 September 2024
Source: Electronic Transactions Amendment Regulations 2024 (Cth)
Jurisdiction: Commonwealth

Abstract:

The Electronic Transactions Amendment Regulations 2024 (Cth) (the Regulations) and its Explanatory Memorandum were released 12 September 2024.

The Electronic Transactions Act 1999 (Cth) (the Act) prescribes how electronic means may be used to complete transactions that are typically done on paper. Section 7A(2) of the Electronic Transactions Regulations 2020 (Cth) (the Principal Regulations) provides that certain provisions of the Act do not apply to certain specified Commonwealth laws.

The Regulations narrow the scope of certain exemptions contained in the Principal Regulations. They remove two exemptions, items 8 and 9 of clause 1 of Schedule 1 to the Principal Regulations, and amend a further two exemptions, table items 19 and 78 of clause 1 of Schedule 1 to the Principal Regulations.

These amendments come in response to amendments made to the Australian Passports Act 2005 (Cth) and the Australian Passports Determination 2015 (Cth) and will aid in the facilitation of online applications for Australian travel documents.

Amendments have also been made to the exemptions applying to the Commonwealth Electoral Act 1918 (Cth) as well…


Consultation on exposure draft legislation for the Scams Prevention Framework opens

Date: 13 September 2024
Source: The Treasury

The Australian Government has released the draft legislation for the implementation of the Scams Prevention Framework (Framework) and its explanatory materials.

The Framework is a multifaceted approach to protect Australian consumers from scams and aims to require service providers to comply with overarching principles regarding:

  • governance arrangements relating to scams; and
  • detecting, reporting, disrupting, preventing and responding to scams.

The Framework involves heavy penalties for non-compliance and pathways for consumers to resolve disputes and seek redress.

The Minister for Financial Services has stated that the Framework will first apply to the banking and telecommunication sectors, as well as digital platform service providers starting with providers of social media, direct messaging services and paid search engine advertising.

The Treasury is seeking submissions on the effectiveness of the draft legislation to implement the Framework and of the draft explanatory materials in explaining the policy context and operation of the proposed new law to stakeholders.

The consultation closes on 4 October 2024.

See the Treasury’s website for more information on the consultation here.


UK Bill to expand personal property rights to digital assets

Date: 13 September 2024
Source: UK Parliament

Abstract:

On 11 September 2024, the Property (Digital Assets etc) Bill 2024 (the Bill) was introduced in the House of Lords as HL Bill 31.

The Bill, which expands personal property rights to include digital assets such as cryptocurrency, non-fungible tokens and carbon credits, reads:

A thing (including a thing that is digital or electronic in nature) is not prevented from being the object of personal property rights merely because it is neither

(a) a thing in possession, nor
(b) a thing in action.

Upon its commencement, the Property (Digital Assets etc) Act 2024 would only extend to England and Wales. Digital assets were previously not included in English and Welsh property law.

The Bill comes following the Law Commission’s report on digital assets in 2023, which sought to identify any barriers to the recognition of digital assets as property.

UK Justice Minister Heidi Alexander describes the Bill as essential to “keep pace with evolving technologies” by bringing clarity to complex property cases and settlements.

For more information, read the Ministry of Justice’s media release on the Bill here.

The Bill is available…


Privacy and Other Legislation Amendment Bill 2024 introduced

Date: 12 September 2024
Source: Parliament of the Commonwealth of Australia

Abstract:

On 12 September 2024, the Privacy and Other Legislation Amendment Bill 2024 (Cth) (the Bill) was introduced to Parliament and read for the first time. This Bill comes following the 2023 review of the Privacy Act 1988 (Cth) and seeks to implement 23 of the 25 legislative proposals agreed to in the Government Response to the Privacy Act Review.

The Bill would strengthen the enforcement of privacy protections through several avenues, including:

  • allowing the Federal Court of Australia and the Federal Circuit and Family Court of Australia to make any order in relation to a contravention of the Privacy Act;
  • allowing the Office of the Australian Information Commissioner (OAIC) to use the investigation and monitoring powers in Pts 2 and 3 of the Regulatory Powers (Standard Provisions) Act 2014 (Cth);
  • requiring the OAIC to develop a new Children’s Online Privacy Code;
  • allowing for public inquiries into privacy-related matters to be conducted by the Information Commissioner at the discretion or approval of the Minister; and
  • introducing new civil penalties allowing the OAIC to better deal with less serious or egregious…

New federal legislation will introduce minimum ages for access to social media and other relevant online platforms

Date: 11 September 2024

Abstract:

On 10 September 2024, Prime Minister Anthony Albanese announced that legislation enforcing minimum ages for access to social media and other digital platforms will be introduced in 2024.

The initiative to better protect Australian children online will be Commonwealth-led, and the legislation will be introduced at the federal level. This approach allows a greater level of alignment with the existing national regulatory framework under the Online Safety Act 2021. However, input from the Australian States and Territories will nonetheless inform the final legislation.

A statement by the eSafety Commissioner revealed that in early October, digital industry stakeholders are expected to present draft codes limiting children’s access across 8 sections of the online industry. Pornography, social media services, messaging and gaming services, and app stores are among the online content and services that the draft codes will address. Final draft codes are due to be considered by the eSafety Commissioner by 19 December 2024. Work on reviewing age assurance techniques under the Online Safety Act 2021, and advocacy for digital literacy and safety by design, is ongoing and will…


Consultation on the proposed mandatory guardrails for the safe and responsible use of AI in Australia opens

Date: 10 September 2024
Source: Department of Industry, Science and Resources

The Department of Industry, Science and Resources (Department) is seeking feedback on the mandatory guardrails for the use of artificial intelligence (AI) following the release of the proposals paper on “Safe and responsible AI in Australia”.


Principles for defining high-risk AI

The consultation will seek feedback on the proposed approach to defining high-risk AI using two broad categories that relate to:

  • uses of AI systems or general-purpose AI (GPAI) models that are known and foreseeable; and
  • advanced and highly capable GPAI models where all possible applications and risks cannot be foreseen.

In designating AI as high-risk based on intended and foreseeable uses, the proposed considerations include the risks of adverse impacts to human rights, health and safety as well as the wider legal, systemic impacts to the broader Australian society, environment, economy and rule of law.


Mandatory guardrails for safe and responsible AI use

The 10 proposed mandatory guardrails aim to address harms and risks from AI, provide greater regulatory certainty for businesses and foster public trust. The proposed guardrails would require…


Provide your feedback – the Information and Privacy Commission seeks consultation on new guide to undertaking privacy impact assessments on AI systems

Date: 3 September 2024
Source: Information and Privacy Commission (IPC)

Following the release of the Guide to Privacy Impact Assessments in NSW, the Information and Privacy Commission (IPC) has created a complementary guide to provide agencies with more specific guidance on AI-related privacy risks. It has been developed to ensure that agencies understand, assess, and mitigate privacy risks when employing AI systems and projects to complete Privacy Impact Assessments (PIAs).

In particular, the types of AI considered include Generative AI, Machine Learning (ML), Natural Language Processing (NLP), and Computer Vision (CV), all of which carry potential privacy risks.

A consultation paper has been released, seeking public feedback and submissions from privacy practitioners in NSW. The following questions have been highlighted as the focus of the consultation:

  1. Would this guidance assist you in navigating AI projects from a privacy perspective?
  2. Are there areas in the guidance you believe are missing?
  3. Is the guidance relevant, useful, clear, and practical?

United Nations’ Special Rapporteur on the right to privacy comments on the state of Australian privacy law

Date: 2 September 2024

Abstract:

From 8 to 19 August 2024, the United Nations’ Special Rapporteur on the right to privacy, Dr Ana Brian Nougrères, undertook an official visit to Australia. Having met with representatives from a variety of public and private institutions, Dr Nougrères released an End of Mission Statement outlining her 10 preliminary observations on the state of Australia’s privacy landscape in regard to the following subjects:

  1. Privacy Law framework – need to reform and formally align national law to international human rights
  2. State and Territory level regulation and how it interacts with the Commonwealth Government regarding personal data and privacy
  3. Cybersecurity
  4. Artificial Intelligence (AI) and other technological advances
  5. Privacy in the criminal law/national security context
  6. Digital literacy and privacy
  7. Intersectionality of privacy with human rights of other vulnerable groups
  8. Children and privacy
  9. Gender and privacy
  10. Indigenous population and privacy

In her general observations, Dr Nougrères encouraged the ongoing reform of Australian privacy laws and urged that the process be expedited.


Abigail Bradshaw appointed Director-General of the Australian Signals Directorate

Date: 29 August 2024

Abstract:

On 26 August 2024, the Australian Government announced that Abigail Bradshaw will be appointed as the new Director-General of the Australian Signals Directorate. She will succeed the current Director-General, Rachel Noble. Subject to approval by the Federal Executive Council, this change will take effect on 6 September 2024.

Abigail Bradshaw has served as Deputy Director-General of the Australian Signals Directorate as well as Head of the Australian Cyber Security Centre since March 2020. Ms Bradshaw has significant experience in the areas of cyber security, national security, intelligence, crisis management and incident response, and has been endorsed by both Prime Minister Anthony Albanese and Minister for Defence Richard Marles.


Governance Institute of Australia releases guide on effective cyber risk management

Date: 22 August 2024

Abstract:

The Governance Institute of Australia (GIA) has released a guide on effective cyber risk management, titled “Effective Cyber Risk Management: A best practice governance guide for digitally secure and resilient organisations” (the Guide).

The Guide has been developed to help decision-makers, directors, managers and other relevant stakeholders at organisations of all sizes understand cyber risk management at a holistic and practical level. This will assist those individuals to be more effective when tasked with developing, implementing, evaluating or endorsing cyber risk management frameworks and governance. The Guide comprises nine substantive sections:

  • Introduction
  • What is Cyber Risk?
  • Key Elements of Governance
  • Elements of Cyber Risk Management Framework
  • Risk Management Process
  • The Regulatory Landscape
  • Standards, Frameworks and Certifications
  • Resources
  • International Regulations

Individuals and organisations alike should take some time to become familiar with cyber governance best practices. As technology continues to become increasingly integrated with Australian business and commerce, the need to be aware of, and protect against, associated cyber risks also grows in importance. Guidance from reputable sources such as the GIA is a reliable way to become informed while also being sure that information is up-to-date and compliant with any applicable laws or regulations.

The full Guide is available here.


Parliament passes criminal laws against sharing sexually explicit ‘deepfakes’

Date: 21 August 2024

Abstract:

On 21 August 2024, the Criminal Code Amendment (Deepfake Sexual Material) Bill 2024 was passed by the Commonwealth Parliament, after its second reading in the Senate.

The Act will criminalise the sharing of ‘deepfake’ pornography, realistic pornographic material that has been generated using any form of technology, by amending Part 10.6 of the Criminal Code Act 1995 (Cth) to introduce an offence of “using a carriage service to transmit sexual material without consent”. Limited exceptions are set out within the section. The Act will also contain aggravated forms of this offence, with harsher penalties in circumstances where the individual transmitting the sexual material is also responsible for creating it – up to seven years imprisonment.

The phrase ‘non-consensual sharing of sexual material’ refers to the sharing of an image, video or audio of a person in an intimate manner using a carriage service (such as on social media or using the internet), where the sharing of the image, video or audio was without the consent of the person depicted in the material. It is colloquially known as ‘revenge porn’, and commonly referred to as ‘image-based abuse’.

The text of the Bill as passed by both houses is not yet available; however, the Bill as it was first introduced is available here and the explanatory memorandum is available here. The Bill will take effect the day after it receives Royal Assent.


United States Copyright Office releases the first part of its long-awaited report on “Copyright and Artificial Intelligence”

Date: 19 August 2024

Abstract:

The United States Copyright Office (USCO) has released the first part of its long-awaited report on “Copyright and Artificial Intelligence” (the Report).

The first part of the report focuses on “Digital Replicas”, a term which it defines as “a video, image, or audio recording that has been digitally created or manipulated to realistically but falsely depict an individual”. Digital replicas can be authorized or unauthorized and can be produced by many types of digital technology outside of artificial intelligence. While there are many genuine and productive uses for digital replicas, it is their potential for harm that has been the impetus for regulatory focus on this type of technology. The Report groups potential harms into three categories:

  1. The creation of sexually explicit material.
  2. The creation of fraudulent material to scam or steal from unknowing victims, and false celebrity endorsements.
  3. Use of the technology to spread political disinformation.

The first substantive part of the Report, “Protection Against Unauthorized Digital Replicas”, which makes up the bulk of the report, begins with an investigation into how existing legislation provides protection against harmful uses of digital replicas.


Australia enters into Memorandum of Understanding on Countering Foreign State Information Manipulation with the United States of America

Date: 8 August 2024

Abstract:

On 5 August 2024, Australia entered into a Memorandum of Understanding with The United States of America on Countering Foreign State Information Manipulation (MOU).

Penny Wong, the Australian Minister for Foreign Affairs, took part in the annual Australia-United States Ministerial Consultations (AUSMIN) in Annapolis, Maryland. AUSMIN is the main forum for co-operation, discussion, and bilateral consultation between Australia and the United States of America. During AUSMIN, Australia entered into the MOU, which calls for increased cooperation between governments to identify and counter foreign state information manipulation. In doing so, Australia endorsed the following five action areas as a framework for future bilateral efforts to counter foreign state information manipulation:

  • Going beyond "monitor-and-report" approaches, to include developing strategies and implementing actions to counter the threat of foreign state information manipulation.
  • Establishing specific governance structures and institutions designed to counter foreign state information manipulation.
  • Ensuring adequate technical means and human capacity to maintain threat awareness.
  • Aligning civil society, independent media, and academia with the goals of government-led initiatives to counter foreign state information manipulation.
  • Participating in multilateral organizations and plurilateral groupings that are leveraging international cooperation to counter and build resilience against foreign state information manipulation.

Law Council of Australia submits recommendations to the Australian Government for the implementation of the Digital ID Scheme

Date: 5 August 2024

Abstract:

The Law Council of Australia has provided four recommendations relating to the incoming Digital ID Scheme in a submission to the Department of Finance.

The first recommendation is that there be appropriate Privacy Act reforms so that the Australian Government represents the ‘gold standard’ for providing strong privacy and cybersecurity measures when implementing the Digital ID Legislation. This includes a strong legislative framework covering the collection, use, and disclosure of an individual’s biometric data and other personal or sensitive information. The Law Council of Australia also suggests the inclusion of a private right of action for consumers who are affected by invasions of privacy.

The second recommendation is for more in-depth consideration of consent mechanisms within the Digital ID Legislation. The Digital ID Accreditation Rules currently require entities to ensure there is a process, presented in clear, simple and accessible terms, by which individuals can provide, vary or withdraw their consent. However, there is no guidance on the specific mechanisms that entities can use, which may lead to unnecessarily complicated or burdensome consent processes, even if they are in clear terms, deterring individuals from exercising their right of consent.

The Law Council of Australia expressed concern with the centralized nature of the Digital ID Scheme in terms of the collection and storage of personally identifiable information.


Capacity, coherence, risks and opportunities – Digital Platform Regulators Forum sets their direction

Date: 5 August 2024
Source: Australian Government Digital Platform Regulators Forum

Abstract:

The four members of the Digital Platform Regulators Forum (DP-REG), comprising the Australian Competition and Consumer Commission (ACCC), the Australian Communications and Media Authority (ACMA), the eSafety Commissioner (eSafety) and the Office of the Australian Information Commissioner (OAIC), have agreed on collective goals for 2024-2025 and strategic priorities for 2024-2026.

What is the DP-REG?

In March 2022, ACCC, ACMA, eSafety and OAIC formalised existing collaborative arrangements to form DP-REG.

Through DP-REG, members share information about, and collaborate on, cross-cutting issues and activities involving the regulation of digital platforms. This includes consideration of how competition, consumer protection, privacy, online safety and data issues intersect.

What’s ahead for DP-REG?

The collective goals have been identified as:

  • To build capacity
  • To promote regulatory coherence
  • To respond to emerging risks and opportunities.

DP-REG members have agreed on strategic priorities for 2024–26 to progress these goals with a view towards ensuring that Australia’s digital economy is a safe, trusted, fair, innovative and competitive space.

To build capacity across 2024–26, DP-REG members will:

  • Increase members’ digital platforms regulatory capability: DP-REG members will share information and progress joint work to increase their capability.
  • Increase information/intelligence sharing capability: DP-REG members will collaborate to improve information sharing systems and authorising environments.

Tony Burke MP replaces Clare O’Neil MP as the Minister for Cyber Security

Date: 15 June 2024

Abstract:

On 28 July 2024, Prime Minister Anthony Albanese announced changes to the Cabinet and Ministry, including the appointment of Tony Burke MP as the new Minister for Cyber Security. Tony Burke MP is also the Minister for Home Affairs, the Minister for Immigration and Multicultural Affairs, the Minister for the Arts and Leader of the House.

The previous Minister for Cyber Security, Clare O’Neil MP, is now the Minister for Housing and the Minister for Homelessness.

The Cabinet reshuffle was brought on by the retirement of Linda Burney, the Minister for Indigenous Affairs, and Brendan O’Connor, the Minister for Skills and Training.

The full statement of the Prime Minister as well as the details of the reshuffle is available here.


ACCC confirms topics for final report of the Digital Platforms Services Inquiry

Date: 29 July 2024
Source: Australian Competition and Consumer Commission

Abstract:

The Australian Competition and Consumer Commission (ACCC) has released an issues paper for its Digital Platform Services Inquiry (DPSI) summarising the main topics that the report will focus on.

The main topics for the final report include:

  • recent international regulatory and legislative developments and their impact on competition and consumers;
  • major market developments and key trends for digital platform services; and
  • potential and emerging competition and consumer issues.

The issues paper details recent international regulatory and legislative developments in the European Union, India, Germany, South Korea, Japan and the United Kingdom. The final report will likely provide more insight on other jurisdictions and include developments leading up to the report’s publication.

The ACCC also intends to provide updated information on topics of its earlier DPSI reports on online private messaging and app marketplaces and invites interested parties to share their views on existing and upcoming developments or key trends in these services and markets.

The scope of the ACCC’s considerations will also cover:

  • potential competition and consumer issues in online gaming markets and cloud computing services; and
  • concerns regarding generative AI’s impact on the ability of new entrants to compete with digital platform services that use it, and how it can increase consumer interaction with particular platforms.

The Artificial Intelligence Act is published in the European Union’s Official Journal marking its acceptance into EU law

Date: 18 July 2024

Abstract:

On 12 July 2024, the European Union’s (EU) Artificial Intelligence Act (AI Act) was published in the EU Official Journal, officially marking its acceptance into EU law.

The AI Act introduces a comprehensive legal framework to regulate artificial intelligence systems throughout their full lifecycle, from the beginning of development through to implementation, use and maintenance. The AI Act adopts a risk-based regulatory approach, meaning the greater the level of risk a particular AI system is assessed to pose, the more rigorous the regulations that apply under the AI Act will be. Conversely, the lower the level of risk, the less stringent the regulatory requirements.

As the AI Act establishes obligations for providers, deployers, importers, distributors and product manufacturers, entities or individuals that deal in artificial intelligence products or services that may not be based in the EU may still be subject to the legislation if they have some link to the EU jurisdiction. For this reason, it is important to be familiar with the provisions of the AI Act and how they might affect business operations and activities in the EU.


Three Directions released under the Protective Security Policy Framework on how to protect against cybersecurity risks

Date: 18 July 2024

Abstract:

The Secretary of the Department of Home Affairs has released three mandatory Directions under the Australian Government’s Protective Security Policy Framework (PSPF). The PSPF is an Australian Government-issued framework designed to aid government entities to protect people, information and assets both within Australia and overseas.

The three Directions that have been issued specifically relate to the management of cybersecurity risks to the Australian Government:

  • Direction 001-2024 Managing Foreign Ownership, Control or Influence Risks in Technology Assets: This Direction requires Australian Government entities to identify indicators of Foreign Ownership, Control or Influence risk as they relate to procurement and maintenance of technology assets, and to appropriately manage and report those risks.
  • The full Direction 001-2024 is available here.
  • Direction 002-2024 Technology Asset Stocktake: This Direction requires Australian Government entities to conduct a technology asset stocktake on all internet-facing systems or services to identify and actively manage the risks associated with vulnerable technologies they manage, including those they manage for other entities.
  • The full Direction 002-2024 is available here.

Office of the Australian Information Commissioner releases new procedures to be followed by government agencies and ministers in Information Commissioner reviews

Date: 15 June 2024

Abstract:

As of 1 July 2024, updated procedures to be followed by government agencies and ministers regarding applications to the Information Commissioner for a review of a decision made under the Freedom of Information Act are in effect.

The directions document (the Direction) released by the Office of the Australian Information Commissioner, which contains the updated procedures, is divided into 5 parts:

  • Part 1: About this Direction – guidance on the intended application and interpretation of the Direction.
  • Part 2: Matters applying to all applications – broad-level information about the purpose of the review process and the manner in which it is to be conducted.
  • Part 3: General procedure for IC review of access refusal and access grant decisions – details the general procedure for conducting a review of access refusal and access grant decisions.
  • Part 4: Procedures for IC review of specific types of decisions – details special procedures that apply to reviews of specific types of decisions by the Information Commissioner.

Office of the Australian Information Commissioner releases new procedures to be followed by applicants in Information Commissioner reviews

Date: 15 July 2024

Abstract:

As of 1 July 2024, updated procedures for prospective applicants regarding applications to the Information Commissioner for a review of a decision made under the Freedom of Information Act (FOI Act) are in effect.

The directions are split into three parts. Part 2, titled “Matters applying to all applications”, contains the majority of the substantive information within the direction.

Part 2 is divided into four sections: general principles, making an application for IC review, during the IC review, and decisions made under s 55K of the FOI Act. The first section contains broad-level information about the purpose of the Information Commissioner (IC) review process and the manner in which it is to be conducted. The second section details how an applicant should make an application for review of a decision by the Information Commissioner, covering the following points:

  • The appropriate form and process for submitting the application.
  • The applicant’s contact details and additional information about the applicant to include in the application.
  • Details to include about the specific decision of which a review is being requested in the application.

Justice Jackman suggests cryptocurrency should be considered property under Australian common law

Date: 3 July 2024

Abstract:

On 21 June 2024, Justice Jackman, a judge of the Federal Court of Australia, delivered a paper to the Commercial Law Association of Australia titled ‘Is Cryptocurrency Property?’. The paper begins with an explanation of what cryptocurrency is, followed by an analysis of the position taken on the issue by courts in other jurisdictions including New Zealand, the United Kingdom, Singapore and Canada.

Justice Jackman then considers the issue in the Australian legal context, firstly examining how cryptocurrency fits into the choses in action and choses in possession dichotomy, concluding that there is “no obstacle in treating cryptocurrency as a chose in action”.

Secondly, the question of alienability or transferability was touched upon. The alienability or transferability of cryptocurrency is a highly technical matter but ultimately one that was somewhat moot as alienability or transferability is most likely “not an indispensable attribute of property” in Australian common law.

The third issue was cryptocurrency being regarded as “information”, which is not considered property. Comparisons are drawn between cryptocurrency and confidential information, which the High Court of Australia has described as sometimes having a proprietary character. Justice Jackman suggests cryptocurrency should be treated similarly.


Apple becomes the first victim of the EU’s Digital Markets Act due to non-compliant App Store terms

Date: 3 July 2024
Source: Australian Competition and Consumer Commission (ACCC)

Abstract:

Last week the European Commission provisionally found that Apple has breached the European Union’s (EU) Digital Markets Act (DMA).

The Digital Markets Act came into force in 2022 and aims to ensure that large online platforms determined by a set of objective criteria – called ‘gatekeepers’ – act fairly online and behave in a way that leaves room for contestability. Apple has previously been designated as a gatekeeper under the DMA. Article 5(4) of the DMA requires gatekeepers to allow developers distributing their apps via the gatekeeper’s app store to, free of charge, inform their customers of cheaper purchasing possibilities, steer them to those offers and allow them to make purchases.

The European Commission’s preliminary finding was that Apple’s App Store business terms did not allow developers to freely steer customers. The European Commission identified several examples of terms that supported this finding. Firstly, developers are prohibited from providing pricing information within their apps or communicating with customers in any other way to promote offers on external distribution channels. Secondly, while Apple permits developers to include links within their apps that redirect users to a webpage where purchases can be made, this is subject to several communication and promotional restrictions. Lastly, the fees charged by Apple for facilitating the acquisition of new customers by developers were found to be beyond what is strictly necessary.


Australian Government releases framework for the safe and responsible use of artificial intelligence in government

Date: 28 June 2024

Abstract:

Following a meeting of Australia’s Data and Digital Ministers on 21 June 2024, the National Framework for the Assurance of Artificial Intelligence in Government (the Framework) was agreed to and released. The purpose of the framework is to provide a nationally consistent approach for the assurance of artificial intelligence (AI) in government, enabling lawful, safe and responsible use of the technology.

The bulk of the report is spent detailing how Australia’s AI Ethics Principles – human, societal and environmental wellbeing; human-centred values; fairness; privacy protection and security; reliability and safety; transparency and explainability; contestability; and accountability – can be practically applied by governments in their assurance of AI. Further, the Framework establishes five ‘cornerstones of assurance’ that are intended to assist governments to ensure their assurance practices are aligned with the AI Ethics Principles. The five cornerstones are the following:

  • Governance – AI governance comprises the organisational structure, policies, processes, regulation, roles, responsibilities and risk management frameworks that ensure the safe and responsible use of AI in a way that is fit for the future. Challenges in the use of AI cut across core government functions such as data and technology governance, privacy, human rights, diversity and inclusion, ethics, cyber security, audit, intellectual property, risk management, digital investment and procurement.

ACCC product safety priorities for 2024–25 with new focus on emerging technology and improving product safety data

Date: 27 June 2024
Source: Australian Competition and Consumer Commission (ACCC)

Abstract:

On 27 June 2024, Ms Gina Cass-Gottlieb, Chair of the Australian Competition and Consumer Commission (ACCC) announced the ACCC’s product safety priorities for 2024–25 at the National Consumer Congress 2024.

The ACCC’s five key priorities of product safety for 2024–25 are:

  • Young children’s product safety: The ACCC will focus on developing safety standards for both toppling furniture and infant sleep products, as well as on increasing consumer awareness on infant sleep safety through a public campaign. Emerging risks will also be monitored, including the risk of choking from baby bottle self-feeding devices.
  • Product safety online: The ACCC will encourage best practices from online platforms and raise awareness to reduce safety risks from goods sold online via targeted engagement with online marketplaces and collaboration with other domestic and international regulators.
  • Sustainability and maintaining product safety: The ACCC will continue to support Australia’s transition to a net-zero economy by raising awareness about lithium-ion battery safety and harmonising the electrical safety regulatory framework for household electrical consumer products. Guidance on product safety issues in buying and selling second hand goods online will also be released to support safe sustainable consumption.

EU member states seek to harmonize complaints handling under the GDPR

Date: 24 June 2024

Abstract:

The European Council has agreed on a common position for member states as it relates to enforcement of the General Data Protection Regulation (GDPR). The GDPR requires national data protection authorities, responsible for enforcing the GDPR, to cooperate when a data protection case concerns cross-border processing. The proposal seeks to speed up the process of handling cross-border complaints filed by citizens or organisations, and any follow-up investigations. It also seeks to provide common rules on the involvement of the complainant in the procedure and harmonisation of the requirements for a cross-border action to be admissible.

If passed by the European Parliament, clearer, specific timelines intended to speed up the cooperation process could be introduced by member states. A new enhanced cooperation procedure between data protection authorities is also proposed, which allows data protection authorities to act swiftly on non-contentious cases, supplemented by an early resolution mechanism which allows authorities to resolve a case prior to initiating standard procedures, for example when the relevant company has addressed the infringement or an amicable settlement has been reached. For more complex negotiations, additional cooperation rules would be in place.

Negotiations with the European Parliament are not due to commence.


Australian Signals Directorate makes key changes in quarterly update to the Information Security Manual

Date: 24 June 2024

Abstract:

On 13 June 2024, the Australian Signals Directorate (ASD) released the quarterly update to its Information Security Manual (ISM).

The purpose of the Information Security Manual is to provide a cyber security framework that an organisation can implement, using its risk management framework, in order to protect its information technology and operational technology systems, applications and data from cyber threats. It is intended to be used by the senior technology and security professionals within an organisation. It is worth noting that organisations have no obligation to comply with the suggestions made in the Information Security Manual.

The ASD identifies a number of notable changes that have been made in this update as compared to the previous edition:

  1. Governance of operational technology (OT) cyber security: a new control recommending that an organisation’s CISO provide cyber security leadership on OT cyber security, in addition to their traditional leadership role for information technology (IT) cyber security.
  2. OT cyber supply chain security: new controls recommending that cyber supply chain security be extended to cover OT equipment (in addition to IT equipment).
  3. AI application development: a new control recommending that the Open Worldwide Application Security Project’s (OWASP) top 10 vulnerabilities in large language model (LLM) applications be mitigated. A new control recommending that LLM applications evaluate user prompts to detect and mitigate adversarial suffixes designed to generate sensitive or harmful content.

ACCC report reveals consumer discomfort and poor visibility regarding existing data collection practices

Date: 20 June 2024

Abstract:

The Australian Competition & Consumer Commission (ACCC) has released its eighth report – “Interim report 8: data products and services – how information is collected and used by data firms in Australia” – as part of its broader digital platform services inquiry.

The report’s findings with regard to consumer attitudes towards, and awareness of, data collection practices are perhaps the biggest takeaway. A survey conducted by the Office of the Australian Information Commissioner (OAIC) found that only 21% of Australians ‘always or often’ read an organisation’s privacy policy before providing personal information. The results of this OAIC survey are seemingly at odds with those of another survey conducted by the Consumer Policy Research Centre (CPRC), which found that 74% of Australians were uncomfortable with the idea of their personal information being shared or sold. Australian consumers are not being appropriately informed about how their information is being used by organisations, despite being uncomfortable with their personal information being shared or sold. This may be partly because it is estimated that it would take an Australian consumer 46 hours per month to read all the privacy policies that they encounter.


Bill to criminalise the sharing of deepfake pornography introduced to parliament

Date: 7 June 2024

Abstract:

On 5 June 2024, a bill that criminalises the sharing of ‘deepfake’ pornography – realistic pornographic material that has been generated using artificial intelligence technology – was introduced and read for the first time in the House of Representatives.

The Criminal Code Amendment (Deepfake Sexual Material) Bill 2024 amends s 474.17A of the Criminal Code Act 1995 (Cth) to create a new offence of “using a carriage service to transmit sexual material without consent”:

    (1) A person (the first person) commits an offence if:
      (a) the first person uses a carriage service to transmit material of another person; and
      (b) the other person is, or appears to be, 18 years of age or older; and
      (c) the material depicts, or appears to depict:
        (i) the other person engaging in a sexual pose or sexual activity (whether or not in the presence of other persons); or
        (ii) a sexual organ or the anal region of the other person; or
        (iii) if the other person is female—the other person’s breasts; and
      (d) the first person:
        (i) knows that the other person does not consent to the transmission of the material; or
        (ii) is reckless as to whether the other person consents to the transmission of the material.

Penalty: Imprisonment for 6 years.


OAIC takes action against Medibank over alleged 2022 Privacy Act breach

Date: 6 June 2024
Source: Office of the Australian Information Commissioner

Abstract:

The Office of the Australian Information Commissioner (OAIC) has commenced civil proceedings in the Federal Court (FCA) against Medibank Private, alleging that the health insurer failed to take adequate and reasonable steps to protect the personal information of 9.7 million customers between March 2021 and October 2022. The OAIC alleges that, in failing to take reasonable steps to protect the data from unauthorised access, Medibank breached the Privacy Act 1988.

Following a cyber attack in October 2022, hackers released the personal information, including sensitive medical data, of 9.7 million current and former Medibank customers to the dark web.

“We allege Medibank failed to take reasonable steps to protect personal information it held given its size, resources, the nature and volume of the sensitive and personal information it handled, and the risk of serious harm for an individual in the case of a breach,” said acting Australian Information Commissioner Elizabeth Tydd. “We consider Medibank’s conduct resulted in a serious interference with the privacy of a very large number of individuals.”

The FCA can impose a $2.2 million fine for each proven breach of the Act.

The OAIC said that this should act as a “wake-up call” to Australian organisations to strengthen their cybersecurity in the face of a growing digital world.

Read the full media release here.


Amendments to the Online Safety (Basic Online Safety Expectations) Determination create additional expectations for online service providers

Date: 5 June 2024

Abstract:

On 30 May 2024, a set of amendments to the Online Safety (Basic Online Safety Expectations) Determination 2022 (Cth) was registered, creating a number of additional expectations for online service providers. These amendments have taken effect as of 31 May 2024.

In recent years, novel threats and potential dangers have emerged as online technologies have continued to develop. These include threats posed by artificial intelligence and recommender systems (e.g. social media algorithms), and the need for further protections for the increased number of children online. The Online Safety (Basic Online Safety Expectations) Amendment Determination 2024 (Cth) (the Amendment Determination) makes several amendments aimed at addressing these issues.

The Amendment Determination creates the following additional expectations for providers of online services:

  • Ensure that the best interests of the child are a primary consideration in the design and operation of any service likely to be accessed by children.
  • Make available controls that give users choice and autonomy in deciding who they interact with, the content they receive, and their level of privacy.
  • Consider user safety in the design and operation of generative artificial intelligence capabilities, and proactively minimise the extent to which they are used to produce or facilitate unlawful or harmful material (including deepfake images) and activity.

Victoria and Queensland Courts release guidelines on the use of artificial intelligence tools in legal contexts

Date: 30 May 2024

Abstract:

Queensland Courts and the Supreme Court of Victoria have each released a set of guidelines on the responsible use of artificial intelligence (AI) tools in legal settings.

Though similar, the guidelines are not identical – those released by Queensland Courts focus on the responsible use of generative AI tools by non-lawyers who are representing themselves (or others) in any civil or criminal proceeding in Queensland courts and tribunals. The use of AI tools by non-lawyers to aid in the preparation of court and legal documents has become increasingly prevalent. The Queensland Courts guidelines, among other things, suggest that these individuals:

  • Educate themselves about generative AI tools and what they are, and are not, suitable to be used for.
  • Do not input any private, confidential, suppressed or legally privileged information when using generative AI tools.
  • Remain mindful that it is an individual’s responsibility to ensure information relied upon or provided to a court or tribunal is accurate.
  • Be conscious of ethical issues, such as copyright or plagiarism.
  • Follow general cybersecurity best practices to ensure their own security and that of the courts and tribunals.

The Queensland Courts guidelines are available here.


ASX provides guidance demonstrating how listed companies can comply with market disclosure requirements when experiencing a cyber incident

Date: 30 May 2024

Abstract:

The Australian Securities Exchange (ASX) has provided guidance on how listed companies can comply with market disclosure requirements while investigating and responding to a cyber incident.

The guidance comes in the form of a worked example of a listed company experiencing a cyber incident. The example demonstrates how ASX market disclosure requirements will apply, including relevant exceptions, contents of announcements, the treatment of confidential engagement with regulators, and the use of trading halts and voluntary suspensions.

The example will be added as Example I under Annexure A within Guidance Note 8 of the ASX Listing Rules – Continuous Disclosure: Listing Rules 3.1-3.1B.

The ASX has released a marked-up version highlighting the changes that have been made vis-à-vis the previous version, which is available here.


Digital ID legislation expected to commence in November 2024

Date: 20 May 2024

Abstract:

The Digital ID Bill 2024 and the Digital ID (Transitional and Consequential Provisions) Bill, which passed in the Senate last month, have now passed the House of Representatives.

The Bills represent an Australia-wide legislative framework for Digital ID services. These services are designed to allow individuals to verify their identity online, access government services more easily, increase the privacy of their personal data, and streamline the process of logging into various government services with different usernames and passwords.

There will now be a phased expansion of the existing Digital ID system to further state and territory government services and the private sector. Accordingly, privacy and security safeguards for users, as well as regulation and governance of Digital ID services, will also be strengthened.

The Bills strengthen privacy requirements for accredited providers under the Trusted Digital Identity Framework (the government’s existing voluntary digital ID accreditation scheme). These include prohibitions on the use of single identifiers and on the disclosure of information for marketing, and restrictions on the collection, use and disclosure of biometrics and other personal information. Penalties for non-compliance are included in the Bill. This aims to ensure that individuals using digital ID services from accredited providers can be sure their information and privacy are protected.


ASX Compliance Update – 6th edition 2024

Date: 20 May 2024
Source: Australian Securities Exchange (ASX)

Abstract:

On 16 May 2024, the Australian Securities Exchange (ASX) issued Compliance Update No. 06/24, highlighting two key updates:

  1. New Data Breach Example in Guidance Note 8:

    The ASX has introduced a new example to Guidance Note 8 on Continuous Disclosure Listing Rules 3.1 – 3.1B, addressing common disclosure issues during cyber incidents. The example illustrates how existing rules apply to a hypothetical data breach scenario, including the use of trading halts, voluntary suspensions, and confidential engagement with regulators. This updated Guidance Note, which takes effect from 27 May 2024, will be accessible via ASX Online and the ASX website.
  2. Nomination of External Director Candidates for Election at AGM:

    Under Listing Rule 14.3, listed entities must accept nominations for director elections up to 35 business days before the annual general meeting unless otherwise specified in the entity’s constitution. For industries requiring regulatory approvals for director appointments, ASX advises entities to handle nominations such that candidates can be conditionally appointed, pending necessary approvals.

For more, see the full Listed@ASX Compliance Update no. 06/24 here.



The Digital ID Bill 2024 introduced to House of Representatives

Date: 16 May 2024

Abstract:

On 14 May 2024, the Digital ID Bill 2024, which passed in the Senate last month, was introduced and read for the first time in the House of Representatives. The following day, it was read a second time, debated and referred to the Federation Chamber.

The Digital ID Bill 2024 proposes an Australia-wide legislative framework for the operation of digital identification services. It is intended to increase the ease and security of online verification and access to government services while ensuring individuals’ personal data remains safe.

All the second reading speeches, including that of the minister, as well as the text of the bill and the explanatory memorandum, are available here.


The Australian Cyber Security Centre releases guidance paper on how to procure secure and verifiable technology

Date: 16 May 2024

Abstract:

The Australian Signals Directorate’s Australian Cyber Security Centre, in collaboration with the respective cybersecurity agencies of the USA, Canada, the United Kingdom and New Zealand, has released a paper on ‘Choosing secure and verifiable technologies’.

The release of the paper was motivated by the increasing need for manufacturers and organisations alike to embrace the concept that technology should be secure-by-design and secure-by-default. This protects the privacy and data of consumers and promotes a resilient cybersecurity environment for consumer technology. Accordingly, organisations procuring digital products or services should have regard to these security concepts and consider whether the security standards of a product or service are acceptable for use within the organisation. The paper is intended to inform manufacturers and organisations of the relevant concepts to be aware of as part of the manufacturing and procurement processes.

The paper consists of four sections: Introduction, Section 1 – External procurement considerations, Section 2 – Internal procurement considerations, and Appendix.

The Introduction outlines the motivation for the paper, as well as its purpose and intended audience. Sections 1 and 2 form the substantive part of the paper. These sections detail a number of considerations to keep in mind throughout the pre-purchase, purchasing and post-purchase stages of procurement. Considerations that may be of particular interest include security requirements, data sharing and sovereignty, regulated industries, risk management, and security incident event management and security orchestration, automation and response.


The Attorney-General of Australia hints that major privacy reform is coming as early as August

Date: 15 May 2024

Abstract:

In a recent speech, the Commonwealth Attorney-General of Australia suggested there are plans for legislation that will overhaul the Privacy Act to be introduced by August 2024.

At the recent 2024 edition of the Privacy by Design Awards, the Commonwealth Attorney-General, the Hon Mark Dreyfus, gave a speech touching upon various aspects of Australia’s privacy landscape. Within the speech the Attorney-General spoke about topics such as the importance of privacy by design in fostering consumer confidence, the expansion of Australia’s Digital ID system and the Identity Verification Services Act, and the creation of, and investment in, the Credential Protection Register.

The Attorney-General also spoke about the Privacy Act and the need for privacy reform in Australia given the rapid advancement of technology and its growing importance to the economy and to the everyday lives of Australians. To this end, the Hon Mark Dreyfus stated that:

At the request of the Prime Minister I will now be bringing forward legislation in August to overhaul the Privacy Act and protect Australians from doxxing - the malicious use of their personal and private information. We will also seek to strengthen laws against hate speech.


Federal Court’s first ruling against a non-cash payment facility involving crypto

Court: Federal Court of Australia
Judge(s): Downes J
Judgment date: 3 May 2024
Catchwords: s 911A of the Corporations Act 2001 (Cth) contraventions — exemptions from holding an Australian Financial Services Licence — non-cash payment facility — digital currency and crypto assets — authorised representative — financial product and financial product advice — ss 12DA and 12DB of the Australian Securities and Investments Commission Act 2001 (Cth) contraventions — promotion of non-cash payment facility involving crypto — false or misleading representations — misleading or deceptive conduct

Abstract:

In proceedings brought by the Australian Securities and Investments Commission (ASIC), the Federal Court has declared that BPS Financial Pty Ltd (BPS) contravened ss 911A(1) and 911A(5B) of the Corporations Act 2001 (Cth) (Corporations Act) and ss 12DA(1), 12DB(1)(a) and 12DB(1)(e) of the Australian Securities and Investments Commission Act 2001 (Cth) (ASIC Act) in respect of a non-cash payment facility relating to the “Qoin” crypto-asset tokens and digital wallets (together, the “Qoin Facility”), which BPS established in 2020.


Australia utilises its autonomous cyber sanctions framework for just the second time

Date: 9 May 2024

Abstract:

For just the second time, Australia has made use of its autonomous cyber sanctions framework under the Autonomous Sanctions Act 2011 to impose a targeted financial sanction and travel ban on an individual, in this case Dmitry Yuryevich Khoroshev.

Dmitry Yuryevich Khoroshev is a Russian citizen who held a senior leadership role in the LockBit ransomware group, a major ransomware operation that was responsible for 18% of reported ransomware incidents in Australia in 2023, across 119 reported victims. LockBit has also been responsible for ransomware incidents in the United Kingdom and the United States.

The Australian Signals Directorate and Australian Federal Police worked in cooperation with the relevant organisations from the United Kingdom and the United States to identify Dmitry Yuryevich Khoroshev as a key figure in the ransomware group, prior to the issue of these sanctions.


United States highlights the need for international cooperation in newly released digital policy strategy

Date: 8 May 2024

Abstract:

The United States Department of State (responsible for the United States’ foreign policy and relations) has launched the “United States’ International Cyberspace and Digital Policy Strategy: Towards an Innovative, Secure, and Rights-Respecting Digital Future” (the Digital Policy Strategy).

The Digital Policy Strategy explores the opportunities and challenges that an increasingly digital world presents to national security, societal norms, digital freedoms, the digital economy, technology governance, and public-private cooperation. In each of these areas, the Digital Policy Strategy focusses on achieving ‘digital solidarity’, a term which speaks to “a willingness to work together on shared goals, to help partners build capacity, and to provide mutual support” and “aligns U.S. national interests with those of our international partners through compatible approaches to technology governance, sustains strong partnerships with civil society and the private sector, and embraces cybersecurity resilience built on a diversity of products and services made by trusted technology vendors.” In order to build digital solidarity, the Digital Policy Strategy has three guiding principles:


ACCC report on scam activity gives cause for positivity in the war against scams

Date: 2 May 2024

Abstract:

The Australian Competition & Consumer Commission’s (ACCC) National Anti-Scam Centre has released a report on the key trends in scam activity in Australia and their impacts in 2023.

The total number of scam reports exceeded 601,000 for the year, representing an 18.5% increase on the 2022 figure. However, positively, combined reported losses from scam activity were down 13%, from 3.1 billion dollars in 2022 to 2.74 billion dollars in 2023. The top 5 types of scams by total losses, in decreasing order, were: investment ($1.3B), remote access ($256M), romance ($201.1M), phishing ($137.4M) and payment redirection ($91.6M). These statistics may not represent the full extent of losses associated with scams, as it is estimated that 30% of scams go unreported. This data was consolidated from four organisations – ReportCyber, IDCARE, the Australian Financial Crimes Exchange (AFCX) and the Australian Securities and Investments Commission.


Colorado lawmakers enact privacy bill to protect individuals’ biological data

Date: 29 April 2024

Abstract:

The Colorado General Assembly has enacted a new bill which aims to protect the privacy of individuals’ biological data.

The bill expands the definition of “sensitive data” contained within the Colorado Privacy Act 2024 to include biological data, which includes data “generated by the technological processing, measurement, or analysis of an individual's biological, genetic, biochemical, physiological, or neural properties, compositions, or activities or of an individual's body or bodily functions” as well as data “generated by the measurement of the activity of an individual’s central or peripheral nervous systems that can be processed by or with the assistance of a device.”


Supreme Court of New South Wales grants injunction against unknown hackers in cybersecurity incident (HWL Ebsworth Lawyers v Persons Unknown)

Date: 29 April 2024
Court: Supreme Court of New South Wales
Judge(s): Slattery J
Judgment date: 12 February 2024

Abstract:

The Supreme Court of New South Wales handed down a significant decision which establishes that courts can grant victims of data breaches or cybersecurity incidents injunctive relief restraining the perpetrators from dealing in any stolen data.

HWL Ebsworth Lawyers were victims of a cybersecurity incident in which the perpetrators claim to have stolen confidential data, including sensitive client records and advice, personal information of individuals, sensitive information relating to government affairs and private corporate information. The perpetrators threatened to publish the files unless they were paid a ransom by HWL Ebsworth Lawyers. After the firm refused to pay the ransom, some of the files were made available on the dark web, following which HWL Ebsworth Lawyers filed a summons and application for interlocutory orders seeking relief against the perpetrators on 27 June 2023. The interlocutory relief was subsequently granted, restraining the perpetrators from dealing further with the data.


European Data Protection Board gives official verdict on “consent or pay” business models

Date: 29 April 2024

Abstract:

The European Data Protection Board (EDPB) has released an Opinion of the Board on “Valid Consent in the Context of Consent or Pay Models Implemented by Large Online Platforms” that is mostly disapproving of the radical concept.

The “consent or pay” business model essentially offers users of a website or other online service two options – either access the website or use the service for free by consenting to their personal information being collected and used for targeted advertising, or pay a fee in order to use the website and avoid the data collection and subsequent advertising.

In its Opinion, the EDPB considered that in most cases it will not be possible for large online platforms to comply with the requirements of the EU’s General Data Protection Regulation (GDPR) while using a consent or pay business model.


Have your say – Select Committee on Adopting Artificial Intelligence accepting submissions during its inquiry

Date: 17 April 2024

Abstract:

The Select Committee on Adopting Artificial Intelligence (the AI Committee) is accepting submissions from the public about their experiences with and views on adopting AI until 10 May 2024. The AI Committee was established for the purpose of inquiring into, and reporting on, the opportunities and impacts for Australia arising out of the increased uptake of AI technology. In particular:

  (a) recent trends and opportunities in the development and adoption of AI technologies in Australia and overseas, in particular regarding generative AI;
  (b) risks and harms arising from the adoption of AI technologies, including bias, discrimination and error;

Sweeping new bill unveiled that could revolutionise the data privacy landscape in the United States

Date: 11 April 2024

Abstract:

A new data privacy bill, the American Privacy Rights Act, was unveiled in the United States on 7 April 2023. It proposes to restrict the scope of consumer data that technology companies can collect to only what is essential for the products and services provided. It also gives individuals greater control over their personal data, including the ability to prevent their data being sold (disclosure would be required if data has been transferred to foreign adversaries, and in the case of ‘sensitive’ data, express consent is required before it can be transferred) or to compel its deletion. Additionally, individuals will be given the option to opt out of targeted advertising. If these rights are violated, individuals would be empowered to take action and recover damages. There are also a number of obligations on entities to conduct annual reviews of algorithms and processes to ensure that they are not causing harm or discrimination and are otherwise compliant.

Under the bill, the U.S. Federal Trade Commission and state attorneys would also be given broad authority to oversee consumer privacy issues and to establish enforcement mechanisms to ensure the obligations are complied with.


Government Credential Protection Register Scheme is proving successful – what is it?

Date: 11 April 2024

Abstract:

A statement released by Attorney-General’s Department on 10 April 2023 has revealed the success of new protective measures implemented in response to the 2022 Optus data breach during which the sensitive personal details of 10 million individuals, including identity documents such as passports and driving licences, were compromised.

One of the measures was the establishment of the Identity Verification Service Credential Protection Register (IVSCPR). The purpose of the register is to protect individuals who have had their identity documents stolen from further harm by preventing the compromised documents from being used as forms of identity. The legitimate owners are still able to use the documents, but only for their primary purpose (for example, a passport can be used for travelling).

Since its establishment, over 300,000 fraudulent attempts to use stolen identity documents have been blocked. This success has resulted in a further $3.3 million being pledged to enhance the IVSCPR in 2023. Once the enhancements are completed, document issuers and other trusted organisations will have the ability to directly update the register in virtually real time.


China releases long-awaited simplification of its data export regime

Date: 3 April 2024

Abstract: 

The Cyberspace Administration of China (CAC) has released its long-awaited Provisions on Regulating and Promoting Cross-Border Data Flows, as well as a second edition of its Guidelines for Security Assessment Filings and the Guidelines for Filing the Personal Information Export Standard Contract. All three newly released documents are effective immediately.

Previously, China’s data export regime required any export of “important data” to be conducted via one of three schemes: a security assessment organised by the CAC, certification by a licensed third-party institution, or the execution of a standard contract formulated and issued by the CAC. This regime proved to be particularly burdensome for businesses and other entities attempting to comply with its requirements, owing to the complexity of the regime, which required extensive documentation work in all cases, as well as the ambiguous definition of “important data” and uncertain timeframes for the completion of a filing.

A number of exemptions have been established under the new provisions; if data export activities fall under the scope of one of the exemptions, then they can be conducted without having to follow one of the aforementioned schemes.


The United States and United Kingdom join forces in the field of artificial intelligence testing

Date: 3 April 2024

Abstract:

On 1 April 2024 the United States and United Kingdom signed a Memorandum of Understanding for collaboration on the development of robust testing for advanced artificial intelligence (AI) models. This includes plans to align their scientific approaches and an aim to jointly accelerate and iterate suites of evaluation for artificial intelligence models, systems and agents. The Memorandum of Understanding will take effect immediately.

The Memorandum of Understanding was signed by the United States Commerce Secretary Gina Raimondo and the United Kingdom Technology Secretary Michelle Donelan.

More information is available on the respective countries’ government websites.


Australian Senate passes Digital ID Bill

Date: 3 April 2024

Abstract:

On 27 March 2024, the Australian Senate passed the Digital ID Bill and the Digital ID (Transitional and Consequential Provisions) Bill.

The Digital ID Bill represents an Australia-wide legislative framework for Digital ID services. These services are designed to allow individuals to verify their identity online, access government services more easily, increase the privacy of their personal data, and streamline the process of logging into various government services with different usernames and passwords.

Following passage of the Digital ID Bill, there will be a phased expansion of the existing Digital ID system to further state and territory government services and the private sector. Accordingly, privacy and security safeguards for users, as well as regulation and governance of Digital ID services, will also be strengthened.

This follows an endorsement of the Digital ID Bill by the Senate Economics Legislation Committee in early March, which was pleased overall “with the numerous benefits that a legislated digital ID scheme will bring to individuals and businesses who choose to participate in the system”.

The text of the Digital ID Bill is available here.


European Union’s Cyber Resilience Act has been approved – but what is it?

Date: 27 March 2024

Abstract:

On Tuesday 12 March, the European Parliament voted in favour of approving the European Union (EU) Cyber Resilience Act. All that remains is formal approval by the European Council before it will enter into force.

The Cyber Resilience Act (CRA) aims to address the lack of EU legislation targeting the standards of cybersecurity in products that contain digital elements, which can include products with either hardware or software components. The specific objectives as set out in the text of the CRA are as follows:

  1. Ensure that manufacturers improve the security of products with digital elements since the design and development phase and throughout the whole life cycle
  2. Ensure a coherent cybersecurity framework, facilitating compliance for hardware and software producers
  3. Enhance the transparency of security properties of products with digital elements
  4. Enable businesses and consumers to use products with digital elements securely

Australian Government seeking public submissions on Privacy Act reforms to target doxxing

Date: 22 March 2024

Abstract:

The Attorney-General is seeking consultation on proposed reforms to the Privacy Act 1988 in order to address the growing threat of doxxing.

Doxxing is defined as the intentional exposure of an individual’s identity, private information or personal details without their consent. The practice can often leave victims vulnerable to public embarrassment and discrimination as well as putting their personal safety at risk.

The Australian Government is proposing to introduce new provisions to the Privacy Act 1988 to provide specific protection to individuals against the practice of doxxing. The proposed changes are as follows:

  • A new statutory tort for serious invasions of privacy would allow individuals to seek redress through the courts if they have fallen victim to doxxing;
  • Giving individuals greater control and transparency over their personal information, including the introduction of new or strengthened individual rights to access, object, erase, correct, and de-index their personal information, and
  • Progressing other privacy reform proposals contained in the Privacy Act review that bring the Privacy Act into the digital age, uplift protections, and raise awareness of obligations for responsible personal information handling.

European Parliament passes Artificial Intelligence Act

Date: 22 March 2024

Abstract:

The European Union’s proposed Artificial Intelligence (AI) Act is a step closer to coming into force after the European Parliament voted in favour of it last month – 523 votes for versus only 46 against.

Following a final review by EU lawyer-linguists, it is expected that the 27 member states of the EU will endorse the proposed law in April before it is formally published in the EU’s Official Journal in May or June.

The AI Act takes a risk-based approach to AI regulation, meaning the level of regulation will be proportional to the level of perceived risk of the AI tool. AI tools deemed to carry the most risk will be banned outright under the Act. Some provisions of the Act will come into force 12 months after the law becomes official, while others will only come into force after 24 months.

The full text of the AI Act in its current form is available here.


United Kingdom’s Information Commissioner’s Office seeking public input on radical “consent or pay” online business model

Date: 18 March 2024

Abstract: 

The Information Commissioner’s Office – the United Kingdom’s independent body tasked with upholding information rights – is seeking public input on a “consent or pay” approach to online website access which some businesses are considering adopting.

The “consent or pay” approach gives online users a choice to visit and use a website for free provided they consent to having their personal information collected and used for personalised or targeted advertising. Alternatively, users can pay a fee and avoid this data collection and tracking.

Consultation on “consent or pay” approaches commenced on 6 March 2024 and will remain open until 17 April 2024. Information is available about the relevant laws, considerations for organisations, exact mechanisms and more on the consultation page.

This consultation process is part of a larger campaign by the Information Commissioner’s Office to ensure that current online targeted advertising practices, such as the use of advertising cookies and the ability for users to consent to the use of such technologies, are compliant with existing laws.


ACCC launches inquiry into general internet search services in Australia

Date: 18 March 2024
Source: Australian Competition and Consumer Commission

Abstract:

The Australian Competition and Consumer Commission (ACCC) has released an issues paper for its new inquiry into the state of competition in general internet search services such as Google and Bing in Australia. This new inquiry is part of the ACCC’s ongoing Digital Platform Services Inquiry (see our previous Latest Legal Update here).

The issues paper seeks the views of interested parties about the level of competition present in general search services as well as general trends in search quality and the relationship between the two.

The inquiry will also consider the impacts of regulatory and industry developments, including those in other jurisdictions and the emergence of AI-powered search engines and their potential impact on competition in the market for general search services. The report will not examine issues relating to generative AI more broadly, including privacy, online safety, or misinformation issues.

The ACCC previously considered competition and consumer issues in general search and web browser services in its September 2021 and July 2019 Digital Platforms Inquiry reports.


European Commission guilty of data privacy malpractice under EU regulation

Date: 18 March 2024

Abstract:

The European Data Protection Supervisor (EDPS) announced last week that the European Commission itself has infringed a number of European Union (EU) data protection regulations through its use of Microsoft 365.

Regulation (EU) 2018/1725 regulates the data practices of official EU bodies, offices and agencies. In summary, the European Commission failed to comply with the regulation by:

  1. Failing to provide appropriate safeguards to ensure that personal data transferred outside the EU/EEA (European Economic Area) is afforded an equivalent level of protection as is guaranteed within the EU/EEA.
  2. Failing to sufficiently specify what types of personal data are to be collected and for which explicit and specified purposes in its contract with Microsoft for the use of Microsoft 365.

These failures constitute 11 infringements of 10 different articles of Regulation (EU) 2018/1725.

The EDPS decided to take a number of corrective measures against the European Commission in respect of the infringements. In summary, the European Commission is required to:

  1. Suspend all data flows resulting from its use of Microsoft 365 to Microsoft and its affiliates and sub-processors located in countries outside the EU/EEA not covered by an adequacy decision.

Senate Economics Legislation Committee delivers its verdict on the Digital ID Bill in new report

Date: 6 March 2024

Abstract:

The Senate Economics Legislation Committee (‘the Committee’) has published its report on the Digital ID Bill 2023 and the related Digital ID (Transitional and Consequential Provisions) Bill 2023 (‘the Bills’). In late 2023, the Commonwealth government proposed measures to strengthen the existing Digital ID schemes by introducing the Bills in the Senate. The Bills were subsequently referred to the Committee to conduct a comprehensive inquiry and deliver a report on the merits of the Bills.

The report, published on 28 February 2024, explores the purpose and the provisions of the Bills as well as other areas including their financial impact, regulatory impact, stages of consultation and legislative scrutiny. The Committee then delivered its views with special focus on the Bills’ voluntariness, security, privacy, costs, interoperability, phasing and mechanisms for redress.

The Committee was pleased overall “with the numerous benefits that a legislated digital ID scheme will bring to individuals and businesses who choose to participate in the system.”


Treasury announces review of Australia’s credit reporting framework

Date: 1 March 2024
Source: The Australian Treasury

Abstract:

The Australian Government has announced an independent review of Australia’s Credit Reporting Framework.

The review will evaluate the effectiveness and efficiency of the credit reporting provisions in the Privacy Act 1988 (Cth) and the National Consumer Credit Protection Act 2009 (Cth) in enabling effective lending decisions by credit providers while ensuring the personal information of consumers is adequately protected.

The review is being conducted by former Australian Prudential Regulation Authority (APRA) senior executive Heidi Richards, with a report to be delivered by 1 October 2024.

For more information, see the terms of reference for the review here, and Treasury’s statement here.


Federal Court delivers judgment applying financial services law to crypto-backed financial products

Date: 29 February 2024

Abstract: 

The rise of cryptocurrency has led to the creation of a new sector of the financial services industry based around digital assets. However, it remains unclear how the relevant existing laws will apply to this new breed of financial services.

The recent decision in Australian Securities and Investments Commission v Web3 Ventures Pty Ltd [2024] FCA 64 shed some light on this issue. The respondent (trading as ‘Block Earner’) offered a product which allowed users to lend their cryptocurrency holdings to the company in exchange for a fixed interest rate. The Federal Court found that this met the definition of a managed investment scheme and a facility for making a financial investment, leading to the conclusion that Block Earner had engaged in unlicensed financial services conduct by offering this product.

This judgment serves as a reminder that although cryptocurrency and other digital assets remain under-regulated, financial offerings that involve these assets may still be considered financial products under the existing law if they operate as such, regardless of the underlying mechanics.

The full judgment is available here.


Latest data breach statistics highlight the risk of outsourcing information handling to third parties

Date: 28 February 2024
Jurisdiction: Office of the Australian Information Commissioner (OAIC)

Abstract:

The notifiable data breaches report released last week by the OAIC for the months of July 2023 to December 2023 indicated that there were 483 data breaches reported to the OAIC, representing a 19% increase from the first half of 2023. Additionally, there were 121 secondary notifications (notifications of the same data breach by multiple parties) up from only 29 in the previous 6 months.

With the majority of these data breaches resulting from a breach of a third-party cloud provider or other related software-service provider, the report highlights the risk associated with outsourcing personal information handling. Speaking on the report’s findings, Australian Information Commissioner Angelene Falk urged organisations to “proactively address privacy risks in contractual agreement with third party providers […] This includes having clear processes and policies in place for handling personal information and a data breach response plan that assigns roles and responsibilities for managing an incident and meeting regulatory obligations.”


OVIC releases new guidance on use of personal information with ChatGPT

Date: 16 February 2024
Jurisdiction: Office of the Victorian Information Commissioner

Abstract:

The Office of the Victorian Information Commissioner (OVIC) has released new guidance on the use of personal information with Chat Generative Pre-Trained Transformer (ChatGPT).

The guidance specifically relates to use of the ChatGPT platform by Victorian public sector (VPS) organisations but raises concerns that are potentially applicable to all organisations.

OVIC outlines the following concerns:

  • The use of ChatGPT means that information is disclosed to OpenAI. Information shared may then be accessed by or used by individuals outside of your organisation for unauthorised purposes. This is in contravention of Information Privacy Principles (IPPs) 2.1, 4.1 and 9.
  • The generation of personal information with ChatGPT may be unlawful and result in inaccurate information, or opinions, being generated and subsequently used or disclosed, in contravention of IPPs 1.1, 1.2, 3.1 and 10.
  • The input of personal information into ChatGPT allows OpenAI to indefinitely retain that information in contravention of IPP 4.2 and an organisation’s obligations under the Public Records Act 1973.

Read the Office of the Victorian Information Commissioner’s full public statement here.


ACCC releases second survey for Consumer Data Right stakeholders

Date: 8 February 2024
Source: Australian Competition and Consumer Commission (ACCC)

Abstract:

The ACCC is conducting a survey to better understand the needs of Consumer Data Right stakeholders. The survey is aimed at businesses and individuals that are holders or receivers of data under the Consumer Data Right scheme, or provide services to these parties. This includes data holders, accredited persons, Consumer Data Right representatives and third-party service providers.

The ACCC hopes the survey will reveal how participants’ views have changed since a similar survey was conducted in 2022. The survey will also help gauge the effectiveness of initiatives that have been introduced in that time.

The survey is available here.


Australian Government releases official guidance for organisations on using AI systems securely

Date: 1 February 2024
Jurisdiction: Australian Signals Directorate

Abstract:

The Australian Signals Directorate’s Australian Cyber Security Centre, collaborating with several international government partners, has released ‘Engaging with Artificial Intelligence (AI)’, a guidance paper focussing on the safe and secure use of AI systems.

The guidance paper begins with a description of the growth opportunities around AI as well as the associated risks, and briefly explains some of the most popular sub-fields of AI, including machine learning, natural language processing and generative AI.

The body consists of an exploration (including case studies) of some of the challenges that arise when engaging with AI. These include:

  • Data poisoning of an AI Model
  • Input manipulation attacks – Prompt injection and adversarial examples
  • Generative AI hallucinations
  • Privacy and intellectual property concerns
  • Model stealing attacks

This is followed by eleven mitigation considerations for organisations looking to use and engage with AI systems. The considerations are as follows:

  • Has your organisation implemented the cyber security frameworks relevant to its jurisdiction?
  • How will the system affect your organisation’s privacy and data protection obligations?
  • Does your organisation enforce multi-factor authentication?

Sanctions update – Australia imposes first sanctions in response to Medibank cyber incident

Date: 24 January 2024
Jurisdiction: Federal Register of Legislation

Abstract:

The Minister for Foreign Affairs has made the Autonomous Sanctions (Designated Persons and Entities and Declared Persons – Thematic Sanctions) Amendment (No. 1) Instrument 2024 (Cth) to impose sanctions on an individual for the first time under the “significant cyber incident” thematic sanctions criteria in the Autonomous Sanctions Regulations 2011 (Cth) (Regulations).

The sanctions have been imposed on Russian citizen Aleksandr Ermakov (also known as Alexander Ermakov, GustaveDore, aiiis_ermak, blade_runner and JimJones) for his alleged involvement in the Medibank significant cyber incident in 2022.

The Regulations allow the Minister to impose targeted financial sanctions and travel bans on a person if the Minister is satisfied that the person has caused, assisted or been complicit in a significant cyber incident. In determining whether a cyber incident is “significant”, the Minister may have regard to (among other things):

  • the maliciousness of the conduct;
  • the impacts on essential services and critical infrastructure;
  • whether the conduct involved loss of or risk to life;

The Australian Government floats mandatory safeguards for high-risk AI in interim response paper

Date: 18 January 2024
Jurisdiction: Department of Industry, Science and Resources

Abstract: 

On 17 January 2024 the Australian Government published its interim response to the Safe and Responsible AI in Australia discussion paper released in June 2023. The interim response outlines a number of immediate and proposed measures to address the issues that have been raised during the consultation period.

The interim response focusses on gaps identified by a number of submissions regarding the lack of safeguards around the deployment of AI in legitimate but high-risk contexts. Accordingly, the Australian Government will consider mandatory safeguards for individuals and entities developing or deploying AI systems in legitimate, high-risk settings. The proposed safeguards will be focussed on:

  • Testing – could include internal and external testing, best-practice information sharing, ongoing auditing and monitoring, and cybersecurity reporting.
  • Transparency – could include labelling or watermarking content that is AI-generated, public reporting of AI system limitations, capabilities and areas of appropriate use, and public reporting of training data, data processing and testing.
  • Accountability – could include designated roles with responsibility for AI safety, and training for developers or deployers of AI in some settings.

Have your say — Australian Government seeks consultation on new cybersecurity legislation

Date: 10 January 2024
Source: Department of Home Affairs

Abstract:

In line with the 2023-2030 Australian Cyber Security Strategy, the Australian Government has identified opportunities to strengthen cybersecurity laws by introducing new legislation and amending the existing Security of Critical Infrastructure Act 2018 (Cth).

A consultation paper has been released by the Department of Home Affairs, seeking public submissions on the proposed reforms. In summary, the consultation paper proposes new legislation that will establish:

  • A mandatory cybersecurity standard for consumer-grade smart devices to address security risks posed by the proliferation of Internet of Things devices.
  • Ransomware reporting obligations for businesses that are either impacted by a ransomware or cyber extortion attack, or have made a ransomware or extortion payment.
  • A legislative framework that will encourage industry to voluntarily provide information about a cyber incident, or in the event of one, to the Australian Signals Directorate and the National Cyber Security Coordinator. The framework will attempt to balance confidentiality guarantees for entities with enabling appropriate information sharing.

AI management: ISO/IEC 42001 released

Date: 19 December 2023
Source: ISO

Abstract:

The International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) have released their new standards for artificial intelligence (AI) management systems.

The standards outline requirements and guidance for establishing, implementing and maintaining AI management systems within organisations. The aim of these global standards is to aid organisations in managing both the benefits and the responsibilities that come with the use of AI. Any organisation that utilises AI can adopt the requirements and guidance, regardless of its size or kind.

Access ISO/IEC 42001 here.


Freedom of Information (Volume 4 - Considering the Public Interest) Guidelines 2023

Date: 7 December 2023
Jurisdiction: ACT

Abstract: 

As of 1 December 2023, the Freedom of Information (Volume 4 – Considering the public interest) Guidelines 2023 (the 2023 Guidelines) have replaced the previous 2020 edition of the guidelines.

The purpose of the guidelines is to assist decision-makers when deciding under the Freedom of Information Act 2016 whether it would be contrary to the public interest to disclose government information. The guidelines provide information about the guiding principles for decision-makers, common terms and phrases, and categories of information that are taken to be contrary to the public interest to disclose. They also explain how to apply the public interest test to ensure all relevant factors are balanced in the process of reaching a decision.

The changes to the 2023 Guidelines as compared to the 2020 version are as follows:

  • All information that is subject to legal professional privilege will be considered contrary to public interest if disclosed under the 2023 Guidelines. Previously, there had been an exception for information protected by legal professional privilege if it might reveal corruption, the commission of an offence or that a law enforcement investigation had exceeded its legal limits.

Freedom of Information (Miscellaneous) Amendment Bill 2023

Date: 7 December 2023
Jurisdiction: South Australia

Abstract:

On 29 November, the Freedom of Information (Miscellaneous) Amendment Bill 2023 (the Bill) was introduced to South Australia’s legislative council. The Bill amends South Australia’s Freedom of Information Act 1991 in order to authorise and encourage the proactive public release of government information by agencies.

Some of the key proposals contained within the Bill are to:

  • Require that applications to access agencies' documents:
      • are in writing
      • contain the information necessary to identify the document
      • specify a postal address in Australia (and an email address if possible)
      • are accompanied by such application fee as may be prescribed
      • are lodged in a manner determined by the agency
  • Require that an application to access a document that contains personal information of the applicant must be accompanied by relevant identity evidence for the applicant
  • Provide that disclosure of a document would be contrary to the public interest if there are public interest considerations against disclosure that would outweigh the public interest considerations in favour of disclosure

Digital ID Bill 2023 (Cth)

Date: 6 December 2023
Jurisdiction: Commonwealth

Abstract:

On 30 November, the Digital ID Bill 2023 (Cth) (the Bill) was introduced in the Senate. The aim of the Bill is to strengthen existing Digital ID schemes by increasing governance, privacy, and consumer protections as well as to provide legislative backing to the expansion of the schemes.

The Bill strengthens privacy requirements for accredited providers under the Trusted Digital Identity Framework (the government’s existing voluntary digital ID accreditation scheme). These include prohibitions on the use of single identifiers and on the disclosure of information for marketing, and restrictions on the collection, use and disclosure of biometrics and other personal information. Penalties for non-compliance are included in the Bill. This aims to ensure that individuals using digital ID services from accredited providers can be sure their information and privacy are protected.

The Bill also provides for expansion of the Australian Government Digital ID System (AGDIS). Phases 1 and 2 of the expansion will see the reciprocal use of digital IDs and attribute providers in Commonwealth and state and territory services. Eventually the government’s digital ID services and attribute providers will expand to the private sector under Phase 3.


Australian Signals Directorate announces changes to Essential Eight Maturity Model

Date: 30 November 2023
Source: Australian Signals Directorate

Abstract:

The Australian Signals Directorate (ASD) has announced changes to its Essential Eight Maturity Model.

The Essential Eight Maturity Model is a set of mitigation strategies that organisations are recommended to implement in order to protect against cybersecurity threats.

Specific changes are split between three levels of maturity. To determine which maturity level applies to it, an organisation needs to consider the likelihood of being targeted, which is influenced by its desirability to malicious actors, and the consequences of a cybersecurity incident, in light of the mitigation strategies it already has in place.

The changes are thorough and fall under each of the following topics:

  • Patch applications and operating systems
  • Multi-factor authentication
  • Restrict administrative privileges
  • Application control
  • Restrict Microsoft Office macros
  • User application hardening
  • Regular backups

OAIC welcomes newly appointed Privacy and Freedom of Information Commissioners

Date: 29 November 2023
Source: Office of the Australian Information Commissioner (OAIC)

Abstract:

This week the Australian Government appointed two new commissioners in order to fully restore the OAIC.

Elizabeth Tydd has been appointed as the Freedom of Information Commissioner for a five-year term. Elizabeth Tydd was previously the Information Commissioner and CEO of the NSW Information and Privacy Commission. The appointment will commence on 19 February 2024. Toni Pirani will continue as acting Freedom of Information Commissioner in the interim.

Carly Kind has been appointed as the Privacy Commissioner. Carly Kind has expertise in data protection, AI policy, practice and governance, privacy and technology law policy. The appointment will commence on 26 February 2024. Angelene Falk will continue as Privacy Commissioner in the interim.

These appointments mark the first time since 2015 that the OAIC will have standalone Privacy and Freedom of Information Commissioners.

The full OAIC media release is available here.


Privacy and Personal Information Protection Act 1998 (NSW) amendments come into effect

Date: 29 November 2023
Source: Privacy and Personal Information Protection Act 1998 (NSW)

Abstract:

Amendments to the Privacy and Personal Information Protection Act 1998 (NSW) (PPIP Act) have now come into effect as of 28 November 2023.

Passed by the NSW Parliament in November 2022, the amendments impact the responsibilities of agencies under the PPIP Act. Under the new Mandatory Notification of Data Breach Scheme, agencies must now provide notifications to the Privacy Commissioner and affected individuals in the event of an eligible data breach involving personal or health information.

Read the full Privacy and Personal Information Protection Amendment Bill 2022 here.


Information Privacy and Other Legislation Amendment Bill 2023 (Queensland)

Date: 29 November 2023
Jurisdiction: Queensland

On 28 November 2023 the Queensland Parliament passed the Information Privacy and Other Legislation Amendment Bill 2023 (the Bill).

The Bill will amend a number of Queensland laws, including the Information Privacy Act 2009 in order to bolster the state’s data and privacy framework. Notable changes include:

  • The creation of a mandatory data breaches reporting scheme
  • Introduction of new Queensland Privacy Principles
  • Amendment or insertion of definitions of key terms such as “personal information” and “sensitive information” to better align with the Privacy Act 1988 (Cth)

Governance Institute of Australia report recommends organisations improve their data governance practices

Date: 23 November 2023
Source: Governance Institute of Australia

Abstract: 

A report released by the Governance Institute of Australia (GIA) has revealed that understanding of data governance requirements and associated best practices is lacking in many Australian organisations.

The GIA conducted a survey of 345 individuals, including senior governance and risk professionals, C-suite executives, directors and other professionals, for its report on ‘Data governance in Australia’. Among the most alarming findings were that over 50% of respondents’ organisations did not have a data governance framework, and almost 60% of respondents believed that the board of their organisation did not have an understanding of the organisation’s current data governance challenges.

Based on the findings of the report, the GIA makes the following recommendations for organisations in relation to data governance:


Australian Information Commissioner and Privacy Commissioner provides insight into government plans for artificial intelligence and privacy law reform

Date: 2 November 2023
Source: Office of the Australian Information Commissioner

Abstract:

Angelene Falk, the Australian Information Commissioner and Privacy Commissioner, delivered a speech at the Australian Government Solicitor FOI and Privacy Law Conference on 31 October 2023.

The speech provided insight into the Government’s approach to a number of topics, most relevantly artificial intelligence and privacy law reform.

On the topic of AI, Falk began by noting that the Australian Government has identified artificial intelligence as a critical technology in the national interest and that, accordingly, there are several initiatives underway to promote trusted, secure and responsible AI. Further, it was revealed that in early October the Commonwealth, state and territory education ministers agreed to an Australian framework for generative AI in schools. The purpose of the framework is to guide the responsible and ethical use of generative AI tools in ways that benefit students, schools and society. Speaking on the possibility of dedicated AI regulation, Falk revealed that the OAIC’s position was that consideration should be given to how existing frameworks should be strengthened and enhanced to provide adequate safeguards before a separate regulatory regime specific to AI is considered.


Australian Government releases its 2023-2030 Cyber Security Strategy

Date: 22 November 2023
Source: Department of Home Affairs

Abstract:

The Australian Government has released its 2023-2030 Australian Cyber Security Strategy (the Strategy). Following the release of a related discussion paper in early 2023, over 330 submissions were received and over 700 stakeholders consulted informing the development of the Strategy.

The Strategy sets out six ‘cyber shields’ that form an overarching framework to bolster Australian cyber security. The six shields, and some of the key changes that will be made to give effect to them, are as follows:

1. Strong businesses and citizens

The Strategy acknowledges the importance of all members of Australian society sharing the responsibility for cybersecurity. In order to develop this shield, the Australian Government will:

  • Support small and medium businesses to strengthen their cyber security

Private school reprimanded by Australian Information Commissioner (Pacific Lutheran College (Privacy))

Date: 15 November 2023
Court: Australian Information Commissioner
Judge(s): Angelene Falk
Judgment date: 24 October 2023

Abstract:

Pacific Lutheran College (PLC) was the victim of a data breach that amounted to an eligible data breach under the Privacy Act 1988 (Privacy Act). PLC’s obligations under the Privacy Act in respect of this incident, and whether they had been properly complied with, were the subject of scrutiny by the Australian Information Commissioner, Angelene Falk.

The case:

PLC, a private school in Queensland, operates an onsite Early Learning Centre and Outside School Hours Care Services. On 28 May 2020 there was unauthorised access by a third party to the email account of the manager of the Early Learning Centre and Outside School Hours Care Services. The email account was regularly used to collect information from individuals, including birth certificates, credit card details, Medicare card details and tax file numbers.

The Office of the Australian Information Commissioner investigated the acts and practices of PLC, particularly focussing on PLC’s compliance with three sections of the Privacy Act around the time of the incident on 28 May 2020.


AI Governance on the agenda with the Bletchley Declaration

Date: 15 November 2023
Source: www.industry.gov.au

Abstract: 

Australia, along with 27 other countries, signed the Bletchley Declaration following the inaugural Artificial Intelligence (AI) Safety Summit held in the United Kingdom on 1-2 November 2023. This declaration seeks to establish a shared understanding of the opportunities and risks posed by frontier AI. The signatories agreed to share knowledge on AI safety and research, as well as intelligence about AI’s misuse.

As part of this declaration, the signatories recognised that many risks arising from AI are inherently international in nature, and so are best addressed through international cooperation. Relatedly, the UN Secretary General, António Guterres made a statement at the AI Summit that underscored the importance of basing principles of AI governance on the United Nations Charter and the Universal Declaration of Human Rights. The Secretary General highlighted concerns with AI’s disruption to job markets and economies; and the loss of cultural diversity that could result from algorithms that perpetuate biases and stereotypes.

The rapidly developing global conversation regarding AI governance has been driven by the growth in generative AI.


Annual Cyber Threat Report records cyber attacks on critical infrastructure and attempts to extract maximum payments from victims

Date: 15 November 2023
Source: www.cyber.gov.au

Abstract:

The Australian Signals Directorate (ASD), through its technical authority on cybersecurity, the Australian Cyber Security Centre (ACSC), has published the Annual Cyber Threat Report 2022-23. The report demonstrates that a range of malicious cyber actors regularly targeted Australian networks, leading to a 14% rise in the average cost of cybercrime per report. The average cost of cybercrime for small businesses was $46,000, for medium businesses $97,000 and for large businesses $71,000. The top 3 cybercrime types for businesses were email compromise, business email compromise fraud, and online banking fraud. With regard to individuals, identity fraud, online banking fraud and online shopping fraud were the top 3 cybercrime types.

ASD noted in its report that cybercriminals constantly evolved their operations against Australian organisations, with ASD responding to 127 extortion-related incidents, 118 of which involved ransomware or other forms of restriction to systems, files or accounts. Meanwhile, significant data breaches resulted in millions of Australians having their information stolen and leaked on the dark web.


Joint ACCC/OAIC Compliance and Enforcement Policy for the Consumer Data Right

Date: 25 October 2023
Source: Office of the Australian Information Commissioner (OAIC)

The Australian Competition and Consumer Commission (ACCC) and the Office of the Australian Information Commissioner (OAIC) have published a joint policy to outline their approach toward compliance and enforcement of the Consumer Data Right (CDR).

The CDR allows consumers to have more control over their personal data held by businesses and how this data is shared. The CDR regulatory framework consists of:


Microsoft announces $5 billion investment in Australia

Date: 25 October 2023
Source: Prime Minister of Australia

Abstract:

Prime Minister Anthony Albanese has announced a $5 billion investment in Australia from Microsoft.

Microsoft will collaborate with the Australian Signals Directorate (ASD) on the Microsoft-ASD Cyber Shield in order to strengthen Australia’s defences against cyber threats to individuals, businesses and governments. This will be done through an improved capability to identify, prevent and respond to cyber threats and will be one of the first steps taken as part of the 2023-2030 Cyber-Security Strategy, which aims for Australia to become a world-leading cyber secure and resilient nation by 2030.

The investment will fund the further expansion of Microsoft’s hyperscale cloud computing and artificial intelligence infrastructure over the next two years. In doing so, Microsoft will grow its local footprint from 20 to 29 sites across Sydney, Canberra and Melbourne.


Key findings from OAIC annual report 2022-23

Date: 19 October 2023
Source: Office of the Australian Information Commissioner (OAIC)

Abstract:

The Office of the Australian Information Commissioner (OAIC) has published its annual report for 2022-23 (Report), which highlights the work undertaken by the OAIC to uphold privacy and information access rights. The OAIC’s regulatory activities include conducting investigations, handling complaints, reviewing decisions made under the Freedom of Information Act 1982 (Cth), monitoring agency administration, and providing advice to the government and the community.

According to the Report, in 2022-23, the OAIC:

  • received 1,647 applications for Information Commissioner review of freedom of information (FOI) decisions (down 16% compared to 2021–22) and finalised 1,519 (up 10%);
  • received 212 FOI complaints (down 2%) and finalised 124 (down 44%);
  • received 34% more privacy complaints (a record number of 3,402) than in 2021–22, and finalised 2,576 privacy complaints (up 17%), with the average time taken to finalise a privacy complaint being 6.4 months;
  • received 895 notifications under the Notifiable Data Breaches scheme (up 5%), with the average time taken to finalise a data breach notification being 55 days;
  • handled 11,672 privacy enquiries (up 7%) and 1,647 FOI enquiries (down 15%);

ACCC Chair reiterates need for reform in Digital Future Summit address

Date: 18 October 2023
Source: Australian Competition and Consumer Commission

In an address at King and Wood Mallesons' Digital Future Summit on 17 October 2023, Chair of the Australian Competition and Consumer Commission (ACCC) Gina Cass-Gottlieb reiterated the need for regulatory reform to address competition and consumer issues identified by the ACCC in its digital platforms work, including its Digital Platform Services Inquiry. See our previous Latest Legal Update: Platform for change: ACCC reinforces calls for targeted regulation of digital platforms to address competition and consumer issues.

Ms Cass-Gottlieb restated some of the ACCC’s proposed reforms, noting that it is “critical [Australia has] fit-for-purpose regulatory tools that ensure effective and robust competition and consumer protection.” In particular, she flagged the ACCC’s following proposals:

  • New sector-specific mandatory codes of conduct for designated digital platforms, introducing targeted obligations to address anti-competitive conduct.
  • Merger reforms to bring Australia’s merger regime more into line with many OECD countries, and protect competition in Australia during a period of economic transition (see our previous Latest Legal Update: “No longer fit for purpose” — ACCC Chair calls for reform of merger laws).

Treasury consults on regulation of digital and crypto assets

Date: 17 October 2023
Source: The Treasury

Abstract:

The Federal Government has released a proposal paper that recommends making crypto exchanges and digital asset platforms subject to existing Australian financial services laws and requiring platform operators to obtain an Australian Financial Services Licence. The proposal paper also recommends requiring digital asset platforms adhere to minimum standards for holding tokens, standards for custody software, and standards when transacting in tokens. Feedback on the proposal paper is due by 1 December 2023, with further consultation on draft legislation planned for 2024.

In recent years, consumers have suffered harm and lost assets due to the collapse of crypto platforms. The proposed regulatory framework intends to increase oversight, protect consumers, support innovation, provide certainty in the industry, and ensure consistency with other jurisdictions.

The proposal paper discusses approaches to regulating digital asset intermediaries, licensing digital asset intermediaries, introducing minimum standards for facility contracts, and introducing minimum standards for ‘financialised functions’.

See the proposal paper here and the media release from Hon Stephen Jones MP, Assistant Treasurer and Minister for Financial Services, here.


Telecommunications Amendment (Disclosure of Information for the Purpose of Cyber Security) Regulations 2023 (Cth)

Date: 5 October 2023
Source: Federal Register of Legislation
Jurisdiction: Commonwealth
Status: Commenced

Abstract:

The Telecommunications Amendment (Disclosure of Information for the Purpose of Cyber Security) Regulations 2023 commenced on 30 September 2023, extending the operation of sections 15A and 15B of the Telecommunications Regulations 2021 for a further twelve months. This will allow the Australian government additional time to weigh the ongoing appropriateness and effectiveness of the regulations and to implement a more permanent solution in primary legislation.

These sections allow the disclosure of information or documents to financial services entities (s 15A) or government entities (s 15B), circumventing the prohibitions contained in s 276 of the Telecommunications Act 1997, if it is for the purpose of cyber security. Sections 15A(2) and 15B(2) set out the specified circumstances that must be present for the disclosure to be allowable under the regulations.

The amendment also changes the form by which the Minister for Communications may specify additional types of information or documents as disclosable under the sections, from a notifiable instrument form to a legislative instrument form.


Upcoming Privacy Act reforms seek to strengthen individual rights and the regulator’s enforcement powers

Date: 4 October 2023
Source: www.ag.gov.au

Abstract:

The Federal Government’s agreement to amend the objects of the Privacy Act 1988 (Cth) to state that the Act is about the protection of personal information and that there is a public interest in protecting privacy signals the direction in which the reforms to the Privacy Act are likely to proceed.

On 28 September 2023, the Federal Government responded to the Privacy Act Review Report (the Response). The Practical Guidance Cybersecurity, Data Protection and Privacy module will shortly publish a toolkit that will address all these upcoming changes to the Privacy Act with easy-to-follow, practical guidance on how to uplift to your organisation’s privacy policies and procedures.

In the meantime, some of the key takeaways from the Federal Government’s Response are outlined below.

Broadening the scope of the Privacy Act

To date, small businesses with turnovers of less than $3 million have been exempt from the operation of the Privacy Act. Following further consultation, this exemption could be removed.


Government responds to Privacy Act Review Report

Date: 29 September 2023
Source: Australian Government Attorney-General’s Department

On 28 September 2023, the Australian Government responded to the Privacy Act Review Report (Report) released by the Attorney-General in February 2023 after nearly three years of extensive consultation. The Report reviews the scope and application of the Privacy Act 1988 (Cth) (Privacy Act), including whether the Privacy Act is fit for purpose and whether individuals should have direct rights of action to enforce privacy obligations, among other issues of protection, regulation, and enforcement.

Of the 116 proposals in the Report, the Government agrees to 38 proposals, agrees in-principle to 68 proposals and notes 10 proposals. ‘Agrees in-principle’ indicates that the Government would like to conduct a comprehensive impact analysis and further engagement before making a final decision on the implementation of the proposals.


Sony cyberattack highlights importance of strong cybersecurity practices

Date: 27 September 2023

Abstract:

This week Sony has been embroiled in yet another high-profile cybersecurity breach after ransomware group “Ransomed.vc” claimed to have gained access to all of the company’s systems. In an unexpected turn of events, a second individual ostensibly acting alone has claimed that the only legitimate breach of Sony’s systems was his own, through which he has gained access to the credentials for a number of Sony internal systems.

This sequence of events highlights the uncertain and unpredictable nature of cyberattacks that can threaten organisations of all sizes at any time. It also emphasises the importance of taking protective measures and developing robust processes to follow in case of any kind of breach or attack.

The latest guidance on ransomware states that organisations should prepare for any threats by creating incident response plans and identifying key stakeholders, developing security controls and seeking cyber insurance, identifying risks and briefing the board and senior staff on organisation protocols. Organisations should also continue to follow the Australian Signals Directorate Essential Eight:

  • Application whitelisting
  • Application patching
  • Disabling Office macros
  • User application hardening
  • Restricting administrative privileges
  • Patching operating systems
  • Multi-factor authentication
  • Daily backups

Commonwealth Government releases draft Digital ID Bill

Date: 25 September 2023
Source: Australian Government

Abstract:

The Australian Government has released a draft of the proposed Digital ID Bill, which aims to regulate the use and provision of Digital IDs across the entire country. The proposed legislation will expand the existing Digital ID system and introduce additional measures to ensure that Digital ID providers are storing and handling the private information of individuals safely and securely.

The bill will introduce a number of new regulatory strategies to achieve its purpose:

  • The creation of an accreditation scheme for Digital ID service providers: The bill will introduce a voluntary Accreditation Scheme that providers of Digital ID services can opt into. The scheme will involve rigorous technical standards and appropriate mechanisms for enforcement. This will ensure that accredited Digital ID providers meet the desired standards in areas such as privacy, cybersecurity and user experience.
  • Increase the number of available Digital ID service providers: The bill allows for the Commonwealth Government to partner with state and territory governments as well as private sector organisations in order to increase the number of Digital ID service providers and facilitate more choice for consumers when creating and using Digital IDs.

ASIC sues provider of Kraken crypto exchange alleging design and distribution breaches

Date: 21 September 2023
Source: Australian Securities & Investments Commission (ASIC)

Abstract:

The Australian Securities & Investments Commission (ASIC) has commenced civil penalty proceedings against Bit Trade Pty Ltd (Bit Trade), the provider of the Kraken crypto exchange, in the Federal Court of Australia. ASIC alleges that Bit Trade contravened s 994B(2) of the Corporations Act 2010 (Cth) (Act) by failing to comply with the design and distribution obligations (DDO) for the margin trading product it offered to Australian customers on the Kraken exchange.

The DDO regime under Part 7.8A of the Act requires financial product issuers and distributors to design financial products that meet the needs and circumstances of consumers and to distribute those products in a targeted manner. Companies must make a target market determination (TMD), a mandatory public document identifying the target market and restrictions on distribution, and identify “review triggers” indicating that a TMD is no longer appropriate.

From January 2020, Bit Trade has offered a margin trading product known as “Margin Extensions” to Australian customers via the Kraken exchange.


Digital platform regulators make joint submission to consultation on ‘Safe and responsible AI in Australia’ Discussion Paper

Date: 12 September 2023
Source: Australian Government eSafety Commissioner

Abstract:

The Digital Platform Regulators Forum (DP-REG), which includes the Australian Competition and Consumer Commission (ACCC), the Australian Communications and Media Authority (ACMA), the eSafety Commissioner, and the Office of the Australian Information Commissioner (OAIC), has made a joint submission in response to the Department of Industry, Science and Resources’ (DISR) consultation on the ‘Safe and responsible AI in Australia’ Discussion Paper.

In its submission, DP-REG outlined the opportunities and challenges posed by rapid developments in the use of artificial intelligence (AI), including potential implications for each member’s existing regulatory framework. The submission considered how existing regulatory frameworks can be used or enhanced in order to provide appropriate safeguards for the Australian public.

DP-REG seeks to promote a whole-of-government response to AI through ongoing collaboration and coordination, information sharing, and stakeholder engagement. To this end, DP-REG currently has three standing working groups: Digital Technology, Codes & Regulation, and Data & Research. This approach allows consideration of how competition, consumer protection, privacy, online safety and data issues intersect.


Minister for Home Affairs announces designation of 87 critical infrastructure assets as systems of national significance

Date: 11 September 2023

Abstract:

The Minister for Home Affairs, Clare O’Neil, has designated 87 new critical infrastructure assets as “systems of national significance” (SoNS), emphasising the Government’s increasing focus on the protection of assets that would affect Australia’s social or economic stability, defence, or national security should they be subject to a cyber threat.

Part 6A of the Security of Critical Infrastructure Act 2018 (SOCI Act) enables the Minister for Home Affairs (the Minister) to declare a critical infrastructure asset to be a system of national significance. Once designated, SoNS continue to be subject to all the obligations that applied to that critical infrastructure asset under the SOCI Act before it was declared a SoNS. In addition to these obligations, entities responsible for assets designated as SoNS may be subject to Enhanced Cyber Security Obligations, outlined in Part 2C of the SOCI Act.

These obligations include the responsible entity needing to create response plans for cyber incidents, prepare through cyber security exercises, obtain assessments to identify and fix vulnerabilities, and hand over system information or control of the systems to the Australian Signals Directorate if required.


Administrative Appeals Tribunal sheds light on non-economic loss under the Privacy Act (HYYL and Privacy Commissioner)

Date: 11 October 2023
Court: Administrative Appeals Tribunal
Tribunal Member(s): Justice Perry, Deputy President
Decision date: 13 September 2023

Abstract:

A decision of the Australian Administrative Appeals Tribunal has shed light on what will constitute loss or damage under the Privacy Act in cases where there has been a data breach.

The appeal concerned a declaration of the Privacy Commissioner (the respondent) relating to a data leak by the Department of Home Affairs, in breach of principles 5 and 7 of the Information Privacy Principles (the precursor to the Australian Privacy Principles).

On 10 February 2014, a document was uploaded onto the Department of Immigration and Citizenship’s website containing the personal information of 9258 individuals who were in immigration detention as at 31 January. Following an influx of complaints to the Office of the Australian Information Commissioner and a subsequent investigation, a representative complaint was lodged with the respondent seeking an apology, compensation for the class members who had suffered economic and non-economic loss, and aggravated damages.
