Hello all! I hope everyone’s October has been pleasant.
In this week’s newsletter, we feature several stories about Australian data privacy that center on the fallout after a spate of data breaches hit Australian firms in the past few months. For those of you who missed the news, Australia’s second-largest mobile carrier, Optus, suffered a major data breach that exposed the personal information contained within 10 million customer accounts. It’s just one of several breaches this year, including MyDeal, Vinomofo, and Medibank.
Currently, the most relevant piece of Australian legislation for the protection of individuals’ personal information is the Privacy Act 1988. Although the law has been updated several times in its history, it still seems like Australia is in sore need of a fresh, new piece of data privacy legislation.
Between the EU leading the charge in data privacy law, the many American states that are implementing their own laws, and the potential for a US federal data privacy law on the horizon, it seems like Australia has some catching up to do. The recent series of data breaches serves to underscore the fact that robust data privacy practices aren’t just about respecting consumer rights or avoiding fines; they’re about reducing risk and harm as well.
While there’s no doubt that many Australian companies are focused on implementing cybersecurity and data protection best practices, true data privacy can only be achieved when all members of an economy agree on and adhere to the same set of standards. In turn, that’s only really possible when there’s a data privacy regulation in place.
There’s been some movement in the Australian parliament, though to date it looks like most of the focus lies on updating the Privacy Act rather than introducing a new omnibus data privacy bill like the GDPR or CPRA. It’ll be interesting to see whether and how Australia adjusts its posture on data privacy going forward.
Best,
Arlo
Privacy Act amendment introduced before Australian Parliament
Australia currently relies on the Privacy Act 1988 to issue fines against businesses that expose consumers’ personal information in a data breach. The Act carries a maximum fine of AU$2.22 million. In response to recent data breaches, Attorney General Mark Dreyfus introduced the Privacy Legislation Amendment Bill 2022 to parliament to increase the maximum fine to AU$50 million and grant additional powers to Australian authorities to regulate data breaches. The bill has moved to a second reading, one of multiple steps it must pass before being enacted into law.
Texas sues Google for allegedly capturing biometric data of millions without consent
The office of Texas Attorney General Ken Paxton has filed a lawsuit against Google alleging that its products and services like Google Photos, Google Assistant, and Nest Hub Max violate the state’s Capture or Use of Biometric Identifiers Act.
"In blatant defiance of that law, Google has, since at least 2015, collected biometric data from innumerable Texans and used their faces and their voices to serve Google’s commercial ends," the complaint said. "Indeed, all across the state, everyday Texans have become unwitting cash cows being milked by Google for profits."
The US Congressional Research Service publishes a report on the EU-US Data Privacy Framework
The US Congressional Research Service has issued a report analyzing the recent EU-US Data Privacy Framework and supporting executive order. Among the report’s findings are that the legality of EU-US data flows may require amending FISA, that Congress should consider legislation to protect the framework should the executive order later be revoked, and more.
U.S. Department of Commerce Appoints Members for New Internet of Things Advisory Board
The Department of Commerce has appointed 16 experts to serve on the new Internet of Things Advisory Board (IoTAB). The board will advise the government on the impact of IoT and IoT-related regulations. Data privacy has been a consistent concern with IoT devices, so the creation of this advisory board may lead to further regulation around how IoT devices handle personal information in the future.
How Australia Fell Behind on Data Privacy
A spate of cyberattacks reveals how Australian companies and policies are lagging behind when it comes to data privacy. New York Times reporters spoke to government officials and data privacy experts to understand why Australia has fallen behind, and what it needs to do to catch up.
FTC brings action against CEO of alcohol delivery company over data breach
In a rare move, the Federal Trade Commission has brought individual sanctions against James Cory Rellas, the CEO of alcohol delivery company Drizly. The sanctions come on the heels of allegations of security failures at Drizly that exposed the personal information of about 2.5 million customers. If the proposed order goes through, it will follow Rellas across businesses. He will be required to implement a security program at any companies he runs that collect information from more than 25,000 people.
New York Legislature Considers New York Child Data Privacy and Protection Act
Taking a cue from California, which recently passed its own children’s data privacy regulation, the New York Senate is considering passing the New York Child Data Privacy and Protection Act. The act would ban data collection and targeted advertising directed to children under 18, require data controllers to assess the impact of their products on children, and impose additional obligations.
Osano blog: Why and how to collaborate with your vendors on DSARs
Handling data subject access requests (DSARs) internally is difficult enough, but many data privacy regulations require you to work with your vendors that handle your consumers’ personal information. This post details how to streamline interorganizational DSARs and minimize the chance you get held liable for your vendors’ actions.