IIS Newsletter #12 2024 – Happy Holidays and season greetings – Landmark privacy settlement and Cyber Security Legislative Rules

News and Notables

Landmark privacy settlement for Australian Facebook users

The Office of the Information Commissioner (OAIC) has announced a landmark settlement from the proceedings against Meta (formerly Facebook) regarding the Cambridge Analytica incident. As part of the settlement, Meta has agreed to establish a $50 million payment program for eligible Australian Facebook users affected by the misuse of their personal data. The program, managed independently, will allow over 300,000 Australians to seek compensation for economic or non-economic impacts, including general distress caused by the misuse of their information. This marks the largest privacy-focused payment in Australian history and the most significant sum Meta has paid outside the U.S. for this incident.

The settlement strengthens the Privacy Act’s authority over global digital platforms operating in Australia. As long-time advocates in this field, IIS welcomes the trend towards increased accountability for organisations who fail to safeguard the privacy of Australians. This outcome is a major milestone for privacy rights in Australia and IIS congratulates the team at OAIC!

Cyber and Infrastructure Security Centre consults on Subordinate Legislation following Royal Assent of the Cyber Security Legislative Package

The Cyber and Infrastructure Security Centre held a virtual Town Hall to consult the industry on the development of subordinate legislation (‘Rules’) to support the Cyber Security Legislative Package which received Royal Assent on 29 November 2024. The event, which occurred on 16 December 2024, provided an overview of the suite of Rules to be developed that gives effect to some of the measures under the Cyber Security Act 2024 and Security of Critical Infrastructure and Other Legislation Amendment (Enhanced Response and Prevention) Act 2024. Consultations session are expected to continue throughout January and February 2025.

Please contact IIS to have a confidential chat on how we can support your business to become compliance ready.

Western Australia passes first ever privacy law

Western Australia passed its first ever privacy law with the Privacy and Responsible Information Sharing Bill 2024. The Bill provides a framework to protect personal information handled by public entities, Ministers, Parliamentary Secretaries and contracted service providers to public entities. It also implements new rules for the sharing of information between public entities, and establishes the office of Chief Data Office “to lead and develop public sector capability for responsible information sharing”.

Notably, the Bill expands on and reforms certain privacy concepts which advocates have long called in federal privacy reform. This includes:

• extending the definition of personal information to include the personal information of deceased, or information from which predictions of behaviour or preferences can be inferred; and
• introducing a ‘fair and reasonable’ test to the collection, use and disclosure of personal information.

Watch this space as these reforms are also expected to come with ‘tranche 2’ of the federal Privacy laws.

Senate Select Committee calls for sweeping Artificial Intelligence Act

On 26 November 2024 the Senate Select Committee on Adopting Artificial Intelligence tabled their final report. The Senate Committee made 13 recommendations related to the opportunities and impacts for Australia arising out of the uptake of AI technologies. Relevantly, the report called for:

• the introduction of an Artificial Intelligence Act – a new, whole-of-economy, dedicated legislation to regulate high-risk uses of AI (rec 1);
• general-purpose AI models, which include large language models such as OpenAI’s GPT-4/o1 and Google’s Gemini, are to be explicitly captured in the definition of high-risk (rec 3); and
• the Australian Government to implement the automated decision-making recommendations from the Privacy Act review, including Proposal 19.3 for individuals to request information about automated decisions with legal or significant effects (rec 11).

This report marks another step towards AI regulation in Australia. Please contact IIS to have a confidential chat on how we can support your organisation to become compliance ready.

IIS Community Contributions

Malcolm Crompton to feature in upcoming privacy documentary

IIS Founder Malcolm Crompton will feature in an upcoming privacy documentary ‘Privacy People’ which is set to release in 2025. The film, directed by Stephen Bolinger (CPO, Informa), delves into the diverse interpretations of privacy and its significance to individuals and societies. The narrative features esteemed privacy experts from various fields, including government, industry, academia, and civil society including our very own Malcolm Crompton.

The trailer can be viewed here!

Happy Holidays!

As the year quickly comes to an end, we would like to wish you happy holidays and a good season’s break. The IIS office will be closed from the 20nd of December 2024, returning on the 6th of January 2025.