Office of the Australian Information Commissioner

We’ve published 2 new guides for businesses that articulate how Australian privacy law applies to artificial intelligence (AI) and set out our expectations as the regulator. Work for a business? The first guide will make it easier for your business to comply with your privacy obligations when using commercially available AI products and help you to select an appropriate product: https://lnkd.in/gH8frTkU Developing AI products? Our second guide provides privacy advice around using personal information to train generative AI models: https://lnkd.in/gvg-ra7N Privacy Commissioner Carly Kind said: ‘Our new guides should remove any doubt about how Australia’s existing privacy law applies to AI, make compliance easier, and help businesses follow privacy best practice.’ For more information, read our media release: https://lnkd.in/gWQanb6m

⚡ It's a big day for privacy here in Australia! ⚡ Last night the Senate passed the Privacy and Other Legislation Amendment Bill, the result of many years' work to begin to advance reform of the Privacy Act. The Bill contains some really significant pieces: ✅The introduction of a statutory tort for serious invasions of privacy, giving individuals a route to seek redress for privacy harms in the courts, ✅Expansion of the enforcement and investigative powers available to the Office of the Australian Information Commissioner, ✅A new power for my office to develop a Children's Online Privacy Code, which will cover not only social media platforms but any online services likely to be accessed by children, ✅A new facility for the Governor General to stipulate a 'white list' of countries with adequate privacy protections to facilitate cross-border data transfers, and ✅A requirement that privacy policies contain information about any automated decision-making system in use which could reasonably be expected to significantly affect the rights or interests of an individual. These new powers and functions come at a critical time, as privacy harms increase and the Australian community demands more power over their personal information. They were also adopted in the same parliamentary session in which the Senate passed the social media ban, which I believe in time will fundamentally shape the online ecosystem by requiring social media platforms to age assure all users. The OAIC has a significant role to play in ensuring this new requirement is applied consistently with individuals' privacy rights, by: *️⃣Oversighting the age assurance trial to be conducted in early 2025 to ascertain privacy-preserving methods for age assurance, *️⃣Ensuring that platforms don't compel users to provide government-issued identity documents, and that they provide alternative means for age assurance, and *️⃣Ensuring that platforms comply with the obligation to delete data collected for age assurance purposes and not to use it for any other purposes without voluntary, informed, current, unambiguous and specific consent. 2025 is going to be a big year for privacy and for the OAIC as we expand both our powers and our mandate!

Privacy Commissioner Carly Kind was a keynote speaker at the IAPP ANZ Summit earlier this week. She joined IAPP Vice President and Chief Knowledge Officer Caitlin Fennessy for a conversation about her first year in the role, the OAIC’s regulatory priorities, recent enforcement action and privacy law reform.

🎙️ A key priority for the OAIC is ensuring we take a forward-looking and technologically-informed view of applying the Australian Privacy Principles as written. One area of sustained focus for us has been data scraping practices, and compliance with the requirement under APP 3.5 that the collection of personal information must only be by fair and lawful means. In addition to our proceedings against Clearview, we also issued a determination in this area in the Court Data decision in February 2024 (https://lnkd.in/eexfsqSn). Yesterday, we further advanced our jurisprudence on APP 3.5 in dual determinations related to investigations into Master Wealth Control (https://lnkd.in/eWcNfyQ7) and Property Lovers (https://lnkd.in/eS2eU7xH). In considering whether the scraping of individuals' personal information from daily court listings and other databases was done by fair means, I undertook a broad assessment of a number of all the relevant circumstances, namely: - The respondents collected individuals’ personal information from published daily court listings and subscription-based services, in circumstances where those individuals did not have any knowledge or hold a reasonable expectation that their personal information was being collected. Daily court listings are transitory in nature and it was not the intention that information is made available indefinitely or for commercial purposes. - The respondents were scraping data to compile a list of individuals thought to be in distressed, vulnerable situations as they are a party to court proceedings because of bankruptcy, a deceased estate or a divorce. This information was then distributed explicitly to enable the deliberate targeting those individuals in order to capitalise on their vulnerability.

Did you know we’re the privacy regulator for Digital ID? Digital ID allows users to verify existing ID documents online against official records held by government agencies. The aim of Digital ID is to reduce the unnecessary collection of identity information and combat data theft. Robust privacy safeguards are essential for Digital ID to function effectively and to ensure individuals can use the system with confidence. As privacy regulator, we’ll help stakeholders understand the Digital ID privacy safeguards through providing guidance. We’ll also provide assurance to the community of the privacy protections in the Digital ID system by using our range of enforcement powers to ensure individuals’ privacy is protected. Learn more: www.digitalidsystem.gov.au #DigitalID #DigitalIdentity #Privacy

Privacy Commissioner Carly Kind has found that scraping data to target vulnerable people by Master Wealth Control Pty Ltd (DG Institute) and Property Lovers Pty Ltd was unlawful and interfered with the privacy of individuals. Both companies have been linked to Ms Dominique Grubisa and provided similar training courses to members of the public with a focus on property investment. Paying participants of the companies’ Elite Mentoring Program were encouraged to find ‘distressed properties’ in circumstances where a property owner might be incentivised to sell their property below market value as result of divorce, bankruptcy or a deceased estate. Commissioner Kind found the companies failed to: - collect the personal information by fair means - take reasonable steps to notify individuals whose information was collected - ensure the information it collected was accurate and up to date. Commissioner Kind has ordered both companies immediately cease unfairly collecting personal information of individuals from third parties, destroy their leads lists within 30 days, provide the OAIC with evidence of action taken to address the issues raised, and update their privacy policies. Property Lovers must also publish a written apology.   Media release: https://lnkd.in/gy_v2Cn3

Today I appeared before the Senate Committee scrutinising the government's plans to establish a minimum age of 16 for access to social media sites. I answered questions about the privacy protections in the Bill, but I didn't get to share some of my bigger thoughts on the proposal, so I thought I'd do that here.

We’ve released our 2023-24 #AnnualCyberThreatReport. The report highlights the rapidly evolving cyber threat landscape and reinforces the need to prioritise improved cyber defences to protect our nation’s #CyberSecurity. As data continues to be produced and stored in greater volumes, the attack surface has become more exploitable, and both criminal and state-sponsored cyber actors are taking advantage of vulnerabilities and gaps. This, coupled with geopolitical uncertainty, underscores the need for strengthened cyber security. 👉 State-sponsored cyber actors are persistently targeting Australian governments and critical infrastructure. These cyber operations are evolving globally, with the capability to gather intelligence, exert malign influence and pre-position on networks for disruptive effects. This threat is likely to increase as geostrategic competition grows, requiring greater partnership between government and industry to deter this activity. 👉 Critical infrastructure services are an attractive target to malicious cyber actors. This includes essential services such as power grids, water delivery systems, transport networks and health services. Of particular concern are operational technology systems. These are often not secure by design and many traditional security controls cannot be applied, making it likely that malicious cyber targeting of these systems will rise. 👉 Cybercrime is an evolving and persistent threat. Cybercriminals are evolving their tactics and capitalising on new opportunities, like artificial intelligence, to exploit victims. 👉 Collaboration across public and private sectors is key to effective cyber resilience. This report is only possible because Australians reported cybercrime, incidents and vulnerabilities to us. All Australians should report incidents to make us collectively stronger and put cyber threats on everyone’s radar. Learn more about the evolving cyber threat landscape in our report 👉 https://lnkd.in/gXUaip6X ASD thanks all of the organisations that contributed to this report, including: ACCC, Australian Department of Foreign Affairs and Trade, Australian Federal Police, Australian Institute of Criminology, Australian Security Intelligence Organisation, Defence Intelligence Organisation, Australian Department of Home Affairs, National Cyber Security Coordinator, Office of the Australian Information Commissioner & Reserve Bank of Australia

Thinking about using facial recognition technology for facial identification in a commercial or retail setting?   Our new guidance sets out key privacy principles you need to consider: https://lnkd.in/gPRn9Wnu

Today, the OAIC published my determination that retailer Bunnings Group Limited breached Australians’ privacy by collecting their personal and sensitive information through a facial recognition technology system. In this article, I'm sharing important takeaways from the determination for other retailers considering using facial recognition technology.