Data hacks a hot button issue that could spark more court cases
Privacy consulting in Australia is booming, driven by extra data protection regulations and consumers who expect more, says privacy commissioner turned consultant Anna Johnston.
In the 20 years since Anna Johnston was NSW deputy privacy commissioner, the “hot button” issues around data protection have changed dramatically.
“When I was in that regulator’s position, Facebook didn’t exist yet and social media was just beginning,” Ms Johnston tells The Australian.
“We didn’t have smartphones. Google was brand new. The hot button privacy issues at that time were very much around government powers and surveillance.
“I was in that role in and after September 11. The focus was on national security and surveillance of populations.”
Ms Johnston, whose privacy consulting firm Salinger recently merged with Helios, which is part of the HPX Group legal firm, said that 20 years ago the issues that agitated the public were RFID tags in clothing or bag searches in supermarkets.
Now, after the technology changes over the past two decades – including the boom in artificial intelligence – businesses were concentrating on “getting value from data in a way that didn’t exist 20 or more years ago”, Ms Johnston said.
But one of the biggest changes had been community expectations about privacy, she said.
“Australians are getting more and more concerned about privacy. More in tune with impacts of the large scale data breaches,” she said.
Ms Johnston cited the examples of data breaches suffered by Optus, Medibank and Latitude Financial, where customers’ information was stolen and in some cases published on the dark web as a result of a cyber attack.
“Data breaches really brought home for a lot of people the real world impacts of what happens if too much information was collected or it was held for too long and it wasn’t stored appropriately,” she said.
The privacy consulting market in Australia and globally is booming, driven by regulations such as the European Union general data protection regulation, California’s consumer privacy act and Australia’s privacy act.
Ms Johnston’s Salinger merged with the HPX Group late last year. HPX Group brings together Hamilton Locke, a corporate and commercial law firm, Source, a legal, governance, compliance and risk services platform, and Helios, which provides information security and privacy support services.
Since the merger, Ms Johnston said her clients could now access privacy impact assessments and have an in-house lawyer negotiate a contract for technology solutions.
As well, they can now conduct cyber incident responses after a data breach.
“There’s a real skill to understanding and applying the law in an operational sense,” she said.
Ms Johnston agreed there could be an increase in litigation – including class actions and regulatory action – as a result of data breaches, which has been spurred on by consumer concerns about privacy.
Speaking of Australia’s privacy commissioner Carly Kind, Ms Johnston said it “feels like there is a new sheriff in town”.
“She’s been in the role just under a year now and she’s really proactive. She’s enforcement-focused,” she said.
The Albanese government’s first tranche of privacy reforms passed through parliament on November 29.
Their origins can be traced back to 2019, when the Australian Competition & Consumer Commission released a report into how the introduction of digital platforms changed consumer and business practices.
Given the volume of consumer data collected and stored by most businesses and consumer services, the ACCC recommended reforming privacy laws to “ensure consumers are adequately informed, empowered and protected, as to how their data is being used and collected”.
While a second tranche of reform is expected to be introduced to parliament in 2025, changes made in the first tranche mean people can now sue for serious invasions of privacy.
People can sue if their personal information is misused and they had a reasonable expectation of privacy.
The Office of the Australian Information Commissioner has new enforcement options. It can now impose medium and lower level civil penalties for serious or repeated privacy interference, not just large penalties.
It can now issue infringement notices directly without going to court. Entities can challenge the penalty notice in the Federal Court. The regulator can also search premises and seize evidence if it is investigating a possible civil breach.
The malicious release of personal data online or over the phone, called doxxing, now attracts a criminal charge.