Law - Privacy108 | Australian Data Privacy & Security Consulting

Key Takeaways From 4 Recent OAIC Determinations

Earlier in 2025, the Office of the Australian Information Commissioner (OAIC) released four determinations covering...

20 May, 2025

Qld IPOLA is Coming, So What Do You Need To Do?

If you don’t know what IPOLA refers to, this post may not be for you....

30 March, 2025

ASIC v FIIG … Another cyber security case

Cybersecurity remains a critical concern for financial institutions, and Australian regulators are taking a firm...

21 March, 2025

Collecting Information From The Internet: Some Learnings

Organisations are collecting more and more data in today’s digital economy, and it can often...

14 March, 2025

Understanding India’s Draft Digital Personal Data Protection Act (DPDPA) Rules: Key Insights

The Digital Personal Data Protection Act, 2023 (DPDPA) – India’s new, comprehensive privacy law -...

15 January, 2025

About The Bunnings Privacy Decision: CCTV and Facial Recognition Technology Are A Potent Mix

Combining CCTV with facial recognition technology is a new-ish technology that has slipped under the...

28 November, 2024

Where Are We With The Privacy Act Reforms? A November 2024 Update

If you’re curious about the status of the first tranche of Privacy Act reforms, here’s...

21 November, 2024

New Cyber Security Regulation for Australia

Draft new cyber security bills were released this month. The purpose of the new laws...

15 October, 2024

Lessons From The OAIC Data Breach Report: Jan–June 2024

The January to June 2024 Data Breach Report from the Office of the Australian Information...

18 September, 2024

Even With The Proposed Privacy Act Changes, We Are Not There Yet

After nearly five years of discussion, the much-anticipated Privacy Act changes were introduced into Parliament...

17 September, 2024

AI guardrails proposed for Australia

The Australian Federal Government announced in September 2024 that it will release ten mandatory AI...

11 September, 2024

How Far Does The Privacy Act Employee Record Exemption Go?

Employee records of current or former private sector employees are exempt from the Australian Privacy...

22 August, 2024

European Data Protection Cases You Should Know About

If you’re taking the CIPP/E or just interested in how European and EU data protection...

29 May, 2024

Data Breach Reporting Obligations in Australia: Lessons from Recent Determinations

We’ve analysed two determinations from the Australian Information Commissioner relating to data breach reporting and...

15 May, 2024

Privacy Act Changes To Support Greater Transparency

What will the proposed changes to Australia’s Privacy Act mean for transparency? For Privacy Awareness Week...

01 May, 2024

An illustration of a digital identity with a person standing behind the screen with a stylus pen

Australia’s New Digital Identity Legislation Passed: Is That a Good Thing?

Australia’s Digital ID Bill passed on Mar 28, 2024. Our new ID system is designed...

08 April, 2024

Privacy Impact Assessment Triggers: When Should You Do a PIA?

Privacy Impact Assessments are a powerful and often overlooked tool. They’re a compliance requirement, in...

28 January, 2024

No legal professional privilege for Deloitte forensic report in Optus data breach litigation

Optus has lost a bid in the Australian federal court to keep secret a Deloitte...

19 November, 2023

OAIC sues ACL for security failure

In November 2023, the Office of the Australian Information Commissioner (OAIC) announced the commencement of...

16 November, 2023

Persevering Progress: Privacy Act ‘Accountability’ Reforms

Earlier this year, we provided an update on the privacy reform proposals related to ‘accountability’...

27 October, 2023

Cyber security regulation in Australia: What’s the current status?

Will Australia be getting a Cyber Security Act any time soon? The cyber security regulatory...

27 October, 2023

Privacy Act changes … still more thinking to be done?

Changes to the Privacy Act changes have been been flagged in the Australian Government’s response...

10 October, 2023

ACCC fines Meta … two cops on the privacy beat

In July 2023, the Australian Federal Court ordered two subsidiaries of social media giant Meta...

06 October, 2023

Australia’s AI regulation discussion paper: Late to the party again …

Regulating AI has been on the agenda globally for some time, amid growing concern over...

24 July, 2023

Finally! A new EU-US Data Transfer Framework

After three years of limbo, personal data can flow from the EU to companies in...

12 July, 2023

AI Regulation Around The World

In May, hundreds of AI experts warned that AI (if left unchecked) could pose an...

30 June, 2023

Privacy after death: Time for a re-think?

In Australia, privacy protections don't apply once you're dead. What do Kylie Minogue, John Lennon, Madge...

29 June, 2023

Key Themes from Recent Spam Penalties by ACMA

Sending unsolicited emails, or spam, can not only damage your organisation’s reputation but also land...

19 May, 2023

More about dark patterns …

Dark patterns is a subject close to our heart. We’ve written about them before, including: Dark...

09 May, 2023

Increased Accountability Obligations: Privacy Act Review Report Deep Dive Part 4

In February 2023, the Australian Attorney-General released its Privacy Act Review Report 2022 and we...

08 May, 2023

New Australian Laws Proposed for Direct Marketing, Targeting, & Data Analytics: Privacy Act Review Report Deep Dive Part 3

We’ll continue our deep dive into Australia’s Privacy Act Review report in this article. We...

26 April, 2023

Australia’s New Cyber Security Strategy: Call for submissions

On 8 December 2022, the Minister for Cyber Security, the Hon. Clare O’Neil MP, announced...

20 April, 2023

Ch. Ch. Ch. Changing Definitions in Australian Privacy: Privacy Act Review Deep Dive

We’re continuing our deep dive into the Privacy Act Review Report. You can read our...

18 April, 2023

Responding to Access Requests: Practical Tips to Meet Your Privacy Obligations

Organisations covered by the Australian Privacy Act must provide access to the personal information the...

12 April, 2023

Avoiding Privacy Issues When Recruiting Staff: 10 Practical Tips

When a potential hire sends you their CV, you will likely collect their personal information....

25 February, 2023

More on recording conversations in Australia: What is allowed?

Can you record conversations in Australia? This is the most common question we get asked...

25 January, 2023

Online DNA Testing – Solving mysteries and creating new problems?

DNA testing – should we care? You may have seen The Lost King, a fascinating film...

23 January, 2023

Big data and de-identification: Taking a risk management approach

Big data offers huge benefits: it improves human life with new medical and health solutions...

11 January, 2023

Electronic Surveillance Reform in Australia: What can we expect next?

Australia’s regulation of electronic surveillance has been a mess for some time. When it announced...

18 December, 2022

CPRA: New privacy obligations in California to take effect from 1 January 2023

The CPRA (California Privacy Rights Act) is set to change the face of privacy in...

24 November, 2022

Privacy Act Amendments: Real deterrent or window dressing?

With Optus and Medibank data breaches affecting over 10 million Australians, many have pointed to...

09 November, 2022

California’s Sephora Enforcement Action – What Does It Mean for Australian Organisations?

While million-dollar fines are commonplace in Europe, the $1.2million settlement following the Sephora Enforcement Action...

21 October, 2022

Email Marketing Compliance Do’s & Don’ts When Buying Lists and Data Scraping

Email marketing can be exceptionally effective – but engaging in it is also rife with...

17 October, 2022

Optus Data Breach: Time for change?

The Optus data breach has exposed how harmful a cyber incident can be. Many are...

05 October, 2022

The Right to Privacy & Roe v Wade: The Little-Known Link Between Privacy Rights and Abortion Explained

Roe v Wade, the US Supreme Court case which protected the right to abortion for...

23 September, 2022

Employee Photos and Privacy: What You Need To Know

Key takeaways: Employee photos may be personal information for the purposes of the Privacy Act,...

10 April, 2021

Email Marketing Laws in Australia That Direct Marketers Need to Know About

Email marketing is remarkably effective. In its 2021 Email Marketing ROI Statistics report Barilliance cites the average return-on-investment...

07 May, 2021

Is a work email address covered by privacy laws?

One of the most common privacy questions is: are work email addresses considered personal information...

11 October, 2021

What does privacy compliance cost Australian small businesses?

Small businesses[1] are largely exempt from the Australian Privacy Act 1988 (Cth) and this is...

14 December, 2021

Data Breach Notifications in Australia: The basic guide to who, what, when, how, and why

The Office of the Australian Information Commissioner (OAIC) recently released its Notifiable Data Breaches Report: January...

26 October, 2021

Data Mapping: How to Map Your Data for Better Privacy Management

Data mapping is one of the most critical steps in any privacy program. Maintaining a...

19 June, 2021

More surveillance powers for Australian law enforcement

Australian federal law enforcement agencies can now alter online data and take over on-line accounts....

09 September, 2021

The end to ASIC v RI Advice: Cyber security take-aways for Australian organisations

In early May 2022, the Australian Federal Court released its judgement in the long-running ASIC...

06 May, 2022

Ransomware in Australia: Legal Liability, Notifications and Your Obligations

Ransomware in Australia is on the rise! As a result, regulators are paying more and...

23 March, 2022

The Difference Between ‘Security’ and ‘Privacy’ Jobs – And Why IT Matters

Today, there’s no such thing as the ‘ideal background’ for a privacy professional. Privacy is...

01 April, 2021

Privacy Cases in Australia: Any Progress?

In 2019, we reported on three (3) Australian data breach class actions. Nearly 2 years...

26 May, 2020

Voice Recording Laws: Is It Legal to Record a Conversation in Australia?

Australia has a patchwork of state laws that cover listening devices and the surveillance of...

15 September, 2022

Banner with the Chinese flag where the red background includes data processing. There's a text overlay that says China's PIPL

Who Needs to Comply with China’s PIPL?

Organisations are getting used to the extraterritorial scope of privacy laws enacted in other countries,...

20 August, 2022

Canada’s Digital Charter Implementation Act 2022 – And What Australia Can Learn From It

Canada appears to be looking to update and strengthen its digital privacy with the introduction...

12 August, 2022

Queensland’s Information Privacy Act review: What’s being considered?

Queensland is updating its Information Privacy and Right to Information Framework, with a consultation paper...

10 August, 2022

The American Data Privacy and Protection Act (ADPPA): What’s happening?

The American Data Privacy and Protection Act (ADPPA) is making its way through the US...

10 August, 2022

PIPL: Proposed China SCCs for Cross Border Transfers

On 30 June 2022, the Cyberspace Administration of China (CAC) released a template agreement for...

05 August, 2022

What is Australia doing about scams? The ACCC’s 3 pronged approach

The Australian Competition and Consumer Commission (ACCC) has proposed a “three-pronged approach” to ensure Australia...

22 July, 2022

Thailand Privacy Law Becomes Operational: 5 Compliance Issues

Thailand enacted its comprehensive privacy law on 28 May 2019. After giving covered organisations three...

14 July, 2022

What Privacy Professionals Need to Know About Dark Patterns Regulation

Dark patterns regulation has emerged as a focus in both the US and EU over...

30 June, 2022

EU’s New Deal for Consumers: a dark future for dark patterns

Laws banning dark patterns, hidden advertising, and manipulated consumer reviews became effective in the EU...

24 June, 2022

Privacy Enforcement in APAC: Privacy Breach Penalties by APAC Regulators

Privacy breaches and enforcement in Europe, the US, and Australia garner much media attention in...

17 June, 2022

Transfer Impact Assessments Under the New SCCs: What You Need to Know

The New SCCs require organisations to undertake a transfer impact assessment before completing a transfer...

10 June, 2022

Delayed Data Breach Notification: When is it okay to delay?

Under Australian law, organisations are required to notify the Office of the Australian Information Commissioner...

22 April, 2022

The Consequences of Privacy Regulatory Inaction: Some lessons from the EU for Australia

When the GDPR introduced hefty new fines and more stream lined enforcement, many privacy advocates...

24 March, 2022

China’s PIPL: A Guide to What’s Covered

China’s privacy law, the Personal Information Protection Law (PIPL), came into effect on November 1,...

09 March, 2022

Cambridge Analytica Scandal Fallout: Facebook Appeal Dismissed by Australia’s Federal Court

Late last month, in our coverage of the largest GDPR fines in 2021, we outlined...

10 February, 2022

GDPR Fines in 2021: What can we learn?

EU privacy regulators last year levied fines totalling more than €1 billion for GDPR breaches,...

26 January, 2022

Australia’s Privacy Act Review: Another missed opportunity?

Privacy 108 has submitted its response to the Privacy Act Review Discussion Paper. You can...

25 January, 2022

Re-introducing the Re-identification Offence Bill: The dumbest privacy idea this year?

The Privacy Act Discussion Paper, the latest stage in the comprehensive review of Australia's Privacy ...

29 December, 2021

CLOUD Agreement eases law enforcement access to big tech data

On December 15, 2021, the United States and Australia signed an agreement to make it...

19 December, 2021

Should small businesses be exempt from the Privacy Act?

In October 2021, the Australian Attorney-General's Department issued a discussion paper seeking further submissions on...

30 November, 2021

Ransomware Action Plan: Another new cyber security law for Australia?

In mid-October 2021, Australia’s new Ransomware Action Plan was released by the Department of Home...

02 November, 2021

Update on Australia’s First Cyber Security Case: ASIC v RI Advice

Earlier this year, we published a post about Australia’s First Cyber Security Case – ASIC...

30 October, 2021

The Changing Landscape of Cookie Laws in APAC

How are Cookie laws changing in APAC? We recently covered the move away from the use...

25 October, 2021

China’s new Personal Information Privacy Law: Yet another piece in a complex puzzle

Another piece is added to the jigsaw of China’s privacy and security laws. The Personal...

25 August, 2021

Is cyber security regulation possible in Australia?

On 13 July 2021, the Australian Government through the Department of Home Affairs (DHA) opened consultation...

05 August, 2021

Mandatory notice of ransomware payments: Is it a good idea?

There is no doubt that ransomware attacks are amongst the most serious cyber threats to...

03 August, 2021

China’s new Data Security Law (DSL): Another piece in a complex puzzle

China has released a new Data Security Law that adds to the existing web of...

08 July, 2021

Ensuring AI supports Human Rights? Recommendations from the Australian Human Rights Commission

Concerns around bias, discrimination and unfairness dog the use of Artificial Intelligence, not without justification...

06 July, 2021

Privacy Impact Assessments as a Business Tool: Make better decisions with PIAs

Privacy impact assessments are an underutilised tool that organisations can use to enhance data protection...

12 June, 2021

Concluding the Saga? The New SCCs for GDPR-Compliant Third-Party Data Transfers Have Arrived

On 4 June, the European Commission (EC) published its finalised version of the new Standard...

11 June, 2021

World-First Enforcement in ACCC v Google: Here’s What You Need To Know

The ACCC has successfully argued that Google engaged in misleading and deceptive conduct in a world-first enforcement proceeding....

22 May, 2021

Digital Privacy in Australia in 2021: 3 Lessons for Australian Businesses from Global Privacy Laws

Global privacy law is undergoing massive change. Different countries are trying to keep up with...

19 May, 2021

5 Steps to Ensure Your Privacy Policies are Effective

Our earlier article about Flight Centre’s 2017 privacy breach and OAIC investigation received quite a bit of...

22 April, 2021

Securing health information: What can we learn from the OAIC’s assessment of Healthscope?

In November 2020, the OAIC released its report into Healthscope’s security and privacy processes. According...

29 March, 2021

A Quick Guide to Safely Transferring Files – Digitally

The safety of digital files in transit was recently thrown into the spotlight by the Accellion...

25 March, 2021

A solution to the trans-Atlantic data transfer problem: Cryptoloc provides GDPR supplementary measures

Brisbane based Cryptoloc's innovative encryption process may be the supplementary measure your business needs to...

25 March, 2021

3 Business Lessons From The OAIC 2020 Highlights

The OAIC 2020 Highlights Infographic gives us plenty of information about the direction of privacy...

12 March, 2021

Australia’s first cyber security case? ASIC v RI Advice

ASIC's action against RI Advice Group might be Australia's first cyber security case. On 21 August...

11 March, 2021

Draft UK Adequacy Decisions – Things are looking up for EU-UK data transfers

The EU Commission’s draft opinion favours recognising UK as an adequate jurisdiction for data transfers,...

22 February, 2021

What’s Up With WhatsApp’s Privacy Policy?

In January, WhatsApp users received a popup outlining that they’d need to agree to the new terms...

19 February, 2021

Privacy 108 Responds to Privacy Act Issues Paper

In November 2020, the Australian Federal Government commenced its latest review of the Privacy Act...

31 January, 2021

Who’s responsible? Employer liability for data breaches

Are employers responsible for their employees' data breaches? A recent decision in the UK might allay...

21 July, 2020

NZ gets a new privacy law … but has it gone far enough?

On 26 June 2020, the NZ Parliament passed a bill reforming the nation's privacy law,...

02 July, 2020

Privacy and Australia’s COVIDSafe App

How does Australia’s COVIDSafe App stack up from a privacy perspective? Introduction For most, the exit strategy...

18 June, 2020

Australian class actions for data breach: A new phenomena?

Given the uncertainty about the right to sue for breach of privacy in Australia, introduction...

25 May, 2020

Test, track and trace: privacy issues for Australian businesses

Test, track and trace is becoming the universal strategy to support a move out of...

18 May, 2020

Privacy

Security

Training

Privacy People