
2024 Cyber and Privacy Outlook
Exploring cyber risks
Cyber and Data Protection are a part of every organisation's risk landscape and are rapidly becoming one of the most complex webs of regulation and risk. This trend will continue at an accelerated pace as 2024 unfolds, leaving unprepared businesses with substantial remediation projects.
Cyber and Privacy (C&P) has continued to grow from a niche area to a front-of-mind enterprise risk for practically any business. C&P represents a unique combination of regulatory and commercial risks, in that even seemingly innocent business activities can increase an organisation's risk exposure, whether it's from cyber and data incidents or regulatory risk, both domestically and internationally.
In practice, this means businesses need to understand the risks associated with C&P and actively identify, minimise, manage and, where possible, transfer these risks by incorporating cyber and privacy as core components of their enterprise risk framework.
Cyber and Privacy are not set and forget. They are risks that are highly dynamic and subject to rapidly changing threat landscapes and regulatory obligations. Foreign regulatory regimes continue on the path of extraterritorial applicability, increasing the complexity of managing cyber and privacy law risks. This unique threat and regulatory landscape requires an active C&P risk management program that spans holistically across all business activities, departments, and management levels. In short: Cyber and Privacy are the responsibility of the whole organisation, from the Board, Directors, and Management to every Department. The days of saying it's IT's problem are gone!
What activities can expose you to cyber and privacy risk?
Cyber and Privacy risks can arise anytime you operate a system, use Cloud software, or collect, store, process, generate, or disclose data, whether it's personal information or commercially sensitive data. All systems (yes, your Cloud systems too) and all data carry risk for your business. Data assets can add significant value to a business, but at the same time, they can be a toxic asset exposing your business to substantial legal, regulatory, and sometimes even existential risks.
Cyber and Privacy risks can arise any time you:
- collect personal information;
- generate new data from other data sources;
- disclose data to any third party, including service providers like your Cloud providers;
- enter into any contract;
- stand up any IT system;
- use a Cloud-based system (such as Microsoft 365, AWS, Azure, SalesForce, SAP, Zoom, or Xero);
- use, develop, or deploy any form of Artificial Intelligence (AI) or machine learning;
- conduct marketing campaigns, run advertisements or send emails to customers or leads;
- recruit new staff; and
- so much more...
The biggest cyber and privacy risk of them all is the one you haven't identified, mitigated, monitored, and transferred.
When it comes to Cyber and Privacy, we frequently hear people say: "we use Cloud so we're safe". Using Cloud does not transfer the majority of your cyber and privacy risks. You are still the one responsible for the security and management of a substantial portion of the system and all of the data you store or process in the Cloud (read about the Shared Responsibility Model that you contractually agreed to as part of engaging a Cloud Service Provider).
Standalone cyber insurance is an invaluable tool for risk transfer, but it only transfers your financial risks and only under specific and limited circumstances. Most non-cyber insurance policies have shifted over the course of the last few years, and even more quickly in 2023, to exclude claims arising from cyber incidents. This makes standalone cyber insurance a critical component of your business insurance needs. Note that having cyber insurance does not absolve you of any of your responsibilities, but it can soften the financial blow in the event of a cyber incident or data breach!
Australian cyber and privacy regulation in 2024?
2023 brought an increased political focus on enhancing Australian cyber resiliency through new Government initiatives, strategic plans, legislative amendments, and proposed regulatory change. 2024 is already showing a strong focus on implementing substantial changes in both the Cyber and Privacy regulatory spaces across all industries and organisational sizes. This includes both substantial domestic legislative change and increased risks from foreign extraterritorial regimes.
We have outlined some of the key factors impacting the Australian cyber and privacy landscape in 2024 below:
OAIC Priorities for 2024
The OAIC outlined that its priorities for 2024 will be centred on:
- the security of personal information;
- Artificial Intelligence;
- Consumer Data Rights; and
- privacy law reform.
Particular emphasis will be placed on assisting regulated entities to prepare for the upcoming privacy reforms. AI regulation is likely to continue to be a key regulatory area for 2024.
Back to the Three-Commissioner Model
Starting in February 2024, the three-Commissioner model will be re-introduced to the OAIC. This change is an important signal that privacy is centre stage and reforms are coming.
Angelene Falk, who took up the combined roles of Privacy Commissioner and Australian Information Commissioner in August 2018, has signalled that she will not seek another term. Commissioner Falk will remain as Information Commissioner, heading up the OAIC, until the end of her current term in August 2024. The Attorney-General's Department has commenced the search for her successor.
On 19 February 2024, Ms Elizabeth Tydd will commence her role as Freedom of Information (FOI) Commissioner. Ms Tydd has been the Information Commissioner and CEO of the NSW Information and Privacy Commission since 2013.
On 26 February 2024, Ms Carly Kind will commence her role as Privacy Commissioner. Since 2019, she has been the inaugural Director of the London-based Ada Lovelace Institute. Ms Kind is a human rights lawyer and leading authority on the intersection of technology policy, privacy, and human rights. She has advised widely on issues relating to digital rights, privacy and data protection, and corporate accountability.
From a privacy perspective, the appointment of Ms Kind may signal a further intention to focus more strongly on privacy compliance and enforcement of digital rights of individuals. However, it is unlikely that we will see frequent or substantial OAIC enforcement actions, particularly actions against SME entities before the Privacy Act reforms make their way through Parliament. The OAIC is likely to continue to apply a softer touch, collaborative enforcement strategy for at least the majority of 2024.
The OAIC goes to the Federal Court: First of its kind enforcement action
The Office of the Australian Information Commissioner (OAIC) started its first major move into enforcement in 2023, bringing an action relating to data breach response and compliance with APP 11 (Security of Personal Information). The OAIC commenced Federal Court proceedings against Australian Clinical Labs (ACL) in November 2023.
The Commissioner has alleged that ACL seriously interfered with the privacy of millions of Australians from May 2021 to September 2022 and failed to take reasonable steps in line with their obligations under APP 11. The Commissioner has further alleged that ACL's actions constitute:
- breaches of Australian Privacy Principle (APP) 11.1(b), requiring entities to take reasonable steps to protect the personal information they hold from unauthorised access;
- contravention of section 26WH(2), requiring entities to carry out a reasonable and expeditious assessment of whether there are reasonable grounds to believe an eligible data breach has occurred and to complete the assessment within 30 days; and
- contravention of section 26WK(2), requiring an entity to notify the OAIC of an eligible data breach as soon as practicable after becoming aware of reasonable grounds to believe that there has been an eligible data breach.
Commissioner Falk noted that “As a result of their information being on the dark web, individuals were exposed to potential emotional distress and the material risk of identity theft, extortion and financial crime.” The concise statement (redacted) can be read here.
The OAIC is asking for a penalty of $2.2 million per breach. In future breaches, companies could be fined under the Privacy Act's new penalty regime, legislated at the end of 2022, which raised the previous maximum civil penalty for companies from $2.2 million to the greater of:
- a. $50 million;
- b. 3x the value of benefits obtained or attributable to the breach (if quantifiable); or
- c. 30% of the corporation's adjusted turnover during the 'breach turnover period' (if the court cannot determine the value of the benefit obtained or attributable to the breach), subject to a minimum breach turnover period of 12 months (and no maximum).
Privacy Act review and modernisation process continues
The Government is continuing the process to substantially modernise the Privacy Act, with support, among many other things, to:
- a. broaden the scope of the definition of "personal information", including adding IP addresses;
- b. change the current exemptions, including removing the Small Business Exemption and either removing or modifying the Employee Records Exemption;
- c. increase obligations around transparency and consent, including a requirement to include explicit data purpose statements and minimum/maximum retention periods in privacy policies;
- d. introduce new requirements to ensure that the collection, use and disclosure of personal information is undertaken in a "fair and reasonable" manner;
- e. introduce stricter requirements to anonymise data rather than merely de-identify personal information;
- f. implement strict new obligations and codes of practice where personal information relates to children, modelled on the UK Children's Code (or Age Appropriate Design Code);
- g. introduce a new Tort in Privacy and open the door to class actions in privacy;
- h. legislate new individual rights, including:
  - i. the Right to Object to the collection, use or disclosure of their information;
  - ii. the Right to be Forgotten, with some limitations; and
  - iii. an unqualified right for individuals to object to any collection, use or disclosure of personal information for direct marketing purposes.
Outlook for 2024
The amendment of the Privacy Act, while likely to make its way through Parliament in 2024, is unlikely to take effect until 2025, most likely mid-year. It is highly likely that the Government will provide for the immediate effectiveness of some provisions while including a delayed implementation of more economically challenging provisions, such as the removal of the Small Business Exemption. This will give organisations a window of opportunity to lift their business practices and compliance before facing a new tiered administrative penalty regime that could see financial penalties applied broadly across Australian entities of all sizes and expand the OAIC's powers to assess penalties without the requirement to bring an action in the Federal Court.
Many organisations are likely to find it challenging to prepare for changes to the Privacy Act without substantially re-thinking their current risk management practices and undertaking holistic compliance projects. Organisations that want to ensure a smooth privacy maturity uplift process and spread the compliance costs over multiple years have the opportunity to start early in 2024 by taking some key preparation steps:
- 1. conduct a review of all business activities that collect, process or use, and disclose personal information;
- 2. develop and maintain a Record of Processing Activities (ROPA);
- 3. work with privacy professionals to identify privacy impacts of business activities and opportunities to incorporate privacy-by-design and minimise privacy risks;
- 4. map out existing legal obligations and the legitimate basis for possessing all personal information held by the organisation and the minimum and maximum retention periods;
- 5. review contracts and ensure they incorporate adequate data protection and cyber breach clauses; and
- 6. provide privacy training for all staff, Directors and the Board.
Developed countries, notably with the exception of Australia, have been further developing and harmonising Standard Contractual Clauses (SCCs) that allow organisations to enable data to flow cross-border. SCCs have become a key component of international commerce involving non-adequacy third countries such as Australia and even where using Cloud-based services hosted in third countries.
ASEAN recently published a Joint Guide to the ASEAN Model Contractual Clauses and EU Standard Contractual Clauses to help organisations navigate the differences between the two models and their implementations for Controller to Controller transfers and Controller to Processor transfers, helping to lower the cost of compliance for businesses in ASEAN member states and the Union.
Given the timeframe for amending the Privacy Act and likely phased implementation, it is unlikely that Australia will achieve a Data Protection adequacy status anytime in 2024 or even 2025. This means businesses looking to facilitate data flows between Australia and most developed countries will continue to need additional safeguards, such as entering into Standard Contractual Clauses (SCCs), or regional equivalents, before data can begin to flow. This will continue to present a barrier to international commerce and increased compliance cost to Australian businesses.
New South Wales and Queensland have moved forward with substantial legislative changes to implement mandatory breach notification schemes.
The NSW Mandatory Breach Notification scheme commenced in November 2023. State agencies will now be required to notify the Information and Privacy Commission of breaches.
Similar to NSW, Queensland agencies will be required to notify the Office of the Information Commissioner and affected individuals of data breaches. The Queensland reforms are expected to commence on 1 July 2025. Local governments will have a 12-month transitional period.
Both schemes operate on the basis of a likely risk of harm assessment mechanism.
Outlook for 2024
State level data breach notification laws are likely to be examined by more States and Territories in coming years. For 2024, it is likely that private entities providing products and services to the NSW and Queensland Governments may face contractual flow down effects of these notification regimes and increased costs in responding to data breach incidents.
ASIC chair Joe Longo has issued a very clear warning to all directors that they can face potential enforcement action by ASIC if they do not act with reasonable care and diligence in relation to cyber security. During a cyber conference in Sydney, he stated that "If boards do not give cyber security and cyber resilience sufficient priority, this creates a foreseeable risk of harm to the company and thereby exposes the directors to potential enforcement action by ASIC, based on the directors not acting with reasonable care and diligence."
Boards and directors are expected to take measures that are proportional to the nature, scale and complexity of their organisations and the sensitivity of key assets the organisation holds. These measures should include reassessment of cyber security risks on an ongoing basis, based on threat intelligence and vulnerability identification. This sentiment was echoed by the Australian Government in proposing the introduction of new cybersecurity laws, including the proposed development of a small business cyber health check scheme.
Longo went on to stress that ASIC expects boards and directors to include oversight of risk in digital supply chains, including taking an active role in assessing third-party cyber risk.
Outlook for 2024
ASIC's continued warnings on the duties owed by Directors relating to cybersecurity are strongly echoed internationally, particularly in the United States, where the Securities and Exchange Commission has issued Final Rules relating to mandatory cybersecurity disclosures that include details of Board oversight and management capabilities. It is likely that we will see more enforcement action by ASIC against Directors of companies that are found to have inadequate oversight and management of cybersecurity risks.
Regulatory action in 2024 is far more likely to be focused on the upper end of the market: publicly traded companies, heavily regulated entities such as financial services (AFSL and ACL holders in particular), and any breach in which large numbers of Australians or shareholders are harmed or likely to experience serious harm. Notwithstanding this, we could see the link between Directors' duties and cybersecurity play a pivotal role in future litigation and civil actions for negligence following cyber breaches that result in third-party losses, such as funds diversion frauds following a business email compromise incident.
Overall, the message is clear: it doesn't matter how big or small your company is, if you're a Director, you have a duty to act with care and diligence that covers cybersecurity.
The Australian Government has begun consultation processes on proposals to further enhance the Security of Critical Infrastructure Act (SOCI) to:
- a. clarify obligations to protect data storage systems that store 'business critical data';
- b. introduce last resort consequence management powers for the Minister for Home Affairs;
- c. consolidate security requirements for the telecommunications sector;
- d. simplify information sharing mechanisms; and
- e. provide a power for the Secretary of Home Affairs or a relevant regulator to direct critical infrastructure entities to address deficiencies in risk management programs.
Outlook for 2024
The Government is very likely to continue their focus on critical infrastructure throughout 2024 with a view to clarifying the regulations and obligations, ensuring business critical data is captured, and critical infrastructure supply chain security is effectively managed. It is very likely that we will see a much more active role for the Minister and National Cyber Security bodies in responding to any attack on critical infrastructure.
Proposed new Cyber Security Laws
The Australian Government has begun consultation processes on proposals to further enhance Cyber Security Laws to:
- a. require secure-by-design standards for Internet of Things devices;
- b. introduce mandatory, no-fault ransomware payment reporting obligations, with substantial carve-outs;
- c. limit the use of information provided to the Australian Signals Directorate and the National Cyber Security Coordinator;
- d. establish a Cyber Incident Review Board;
- e. create a Cyber health check scheme for small business;
- f. introduce an App store code of practice;
- g. introduce an incident response code of practice; and
- h. develop industry data classification models.
Digital Identification takes a step forward
The Digital ID Bill and Digital ID (Transitional and Consequential Provisions) Bill 2023 were introduced in November 2023 as a major step forward for Australia's digital ID program. The program, unlike past iterations, proposes voluntary schemes for individuals. The program will introduce a voluntary Digital ID system that can be used to verify one's identity without having to provide copies of identity documents such as a passport or driver's licence each time an entity needs to conduct an ID verification check.
Outlook for 2024
It is likely that 2024 will bring with it a substantial re-alignment of Australia's federal laws applicable to cyber security along with an influx of industry specific codes of practice, particularly around higher risk cyber activities such as AI. Where possible, the Government is likely to leverage existing laws rather than introduce new legislation, in line with their past approach to expanding existing law into emerging areas. However, we are likely to see new legislation covering cyber security threats in areas poorly served by existing laws such as artificial intelligence, ransomware response, Internet of Things, and small business cyber resiliency.
While the Government has hotly debated mandating ransomware notification, with the current consultation focused on a no-fault ransomware payment reporting obligation, there are likely to be substantial carve-outs. Current proposals would limit the no-fault reporting obligation by implementing a reporting threshold in line with the Tax Code's definition of a Small Business (aggregate turnover less than A$10 million). However, this would limit the reporting obligation to less than 2% of registered entities, resulting in the statistical insignificance of any data collected on ransomware trends.
We are likely to see continued, if not heavily expanded, application of Australia's autonomous cyber sanctions regime, as was used in January 2024 against a Russian individual linked to the Medibank attack. It is highly likely that Federal resources will continue to be focused on taking the cyber fight to the criminals through both autonomous action and international law enforcement cooperation. As Australia's sanctions regime is more widely applied to cyber attacks, the complexity of responding to ransomware incidents is likely to increase. If an organisation intends to pay a ransom (we strongly advocate against paying ransoms), the increased application of domestic and international sanctions against individuals associated with ransomware groups complicates the required due diligence and increases the cost of responding to ransomware incidents. This is particularly challenging where ransomware incident attribution is technically difficult.
2024 will likely see increased cyber regulation in key sectors such as healthcare and financial services. We anticipate that ASIC and APRA will pay closer attention to regulated entity cyber security readiness increasing the complexity of compliance programs.
Development of one-stop-shop Digital ID schemes will continue as legislation progresses through Parliament enabling organisations to meet legal obligations while allowing individuals to, voluntarily, manage their personal information and protect their identities. This scheme, if successful, will help to reduce toxic data that puts organisations at risk while maintaining compliance with legal obligations such as those under anti-money laundering laws.
Artificial Intelligence (AI) is almost certainly going to become more pervasive in our daily and professional lives in 2024. Forrester has predicted that Bring Your Own AI (BYOAI), where workers use their own AI tools as part of their job delivery, will grow to as much as 60% of workers in 2024. If this prediction holds, we are likely to see both positive and negative impacts. While productivity may increase, so will the legal, security, and privacy risks, necessitating strong regulation. While regulation specific to AI is still in early discussion in Australia, the effort is ramping up both domestically and, more substantially, on the international stage, with extraterritorial applications that can impact Australian businesses.
The Department of Industry, Science and Resources concluded its Safe and Responsible AI in Australia Discussion Paper for consultation in mid-2023. In January 2024, the Government published their interim response to the consultation. The interim response outlines details on what action the government will take in 2024 and in the longer term. The government stated an intention to ensure the design, development and deployment of AI in legitimate high-risk settings is safe and reliable while aiming to ensure low-risk AI is not impeded.
The government stated an intention to:
- use testing, transparency and accountability measures as a means of preventing harms from high-risk AI;
- further clarify and strengthen laws to safeguard citizens from the adverse effects of AI; and
- work internationally to support safe development and deployment practices relating to AI.
Outlook for 2024
AI will remain the hot topic for 2024 and a central part of legislative and regulatory reform globally. The pending amendment of the Australian Privacy Act will also likely include some impacts on the use of AI technologies. A key focus of AI regulation proposals has been on developing increased transparency and accountability for organisations that use AI technologies to handle personal information, as well as enhanced enforcement powers for the Office of the Australian Information Commissioner.
It is anticipated that 2024 will see a stronger focus on industry codes of practice and guidance. However, it should be noted that many countries, in particular the European Union, are developing AI laws with substantial extraterritorial reach that could easily impact on Australian businesses designing, developing, or using AI.
The Australian Communications and Media Authority (ACMA) has been very active in taking enforcement action and assessing penalties under the Spam Act amounting to over $9 million in 2023.
Compliance with the often poorly understood Spam Act continues to be a substantial challenge for many businesses, resulting in financial penalties, and will likely see more investigations and penalties in 2024.
The activities that attracted penalties in 2023 were most commonly:
- sending marketing emails;
- sending SMS without consent;
- sending marketing emails or SMS without contact details of the sender; and
- sending marketing emails or SMS without a functional unsubscribe facility.
Outlook for 2024
The ACMA is very likely to continue to assess large penalties against organisations for breach of the Spam Act. The rules set out in the Spam Act, while appearing simple, can be challenging for some organisations to understand and implement. It is very likely Spam is going to ramp up heavily from both fraudsters and companies thinking they are complying or failing to adequately review content before sending it.
Throughout 2023, we saw an increased frequency of civil actions relating to cyber security incidents and data breaches. This doesn't just include the well publicised class-actions arising from the Optus and Medibank breaches.
Small businesses are being sued by their customers that lose money as a result of funds redirection frauds (invoices with altered payment details). These types of cyber frauds often occur as part of a business email compromise incident and are an extremely common type of cyber attack for small to medium businesses who often don't have as strong cyber defences as larger businesses.
It is becoming more common for customers, and their insurers, to pursue damages from companies that fail to take reasonable measures to protect personal information and the cybersecurity of systems. 2024 is likely to see substantially more cases looking to test the waters of a company's, and Directors', duty of care in relation to cybersecurity.
What's happening in the International regulatory space in 2024?
When it comes to Cyber, it is extremely easy for a company to be exposed to international laws.
A few of the ways your business can be exposed to foreign jurisdiction include:
- establishing a 'brick and mortar' presence in another country;
- advertising to customers physically resident in foreign countries (even without a 'brick and mortar' presence);
- advertising services on your website with a 'virtual phone number' tied to a foreign country or services in a foreign language;
- employing remote work staff in other countries;
- conducting transactions in foreign currencies;
- operating recruiting campaigns in other countries;
- contracting with overseas service providers or contractors (yes, that includes Cloud services);
- selling physical products that are exported overseas or engaging with an overseas services reseller;
- designing and developing, or operating, an Artificial Intelligence (AI) product or service that operates in a foreign jurisdiction or (coming soon) has outputs that are consumed overseas; and
- providing your services as a services provider to an overseas company or even an Australian company that is itself subject to the laws of a foreign jurisdiction.
International cyber and data protection laws are extremely complex to navigate and require specialised expertise to ensure compliance and effectively manage your risk. Foreign regulators are far more likely to, and frequently do, assess substantial financial penalties for non-compliance - usually in the millions. Many other countries are also much more litigious than Australia.
Below we explore just a small sampling of key international regulatory and legislative initiatives. We expect to see a strong regulatory focus on:
- Artificial Intelligence (AI);
- Cookie banner enforcement;
- biometric information privacy;
- clarification and enforcement actions around Directors' duties in cybersecurity;
- data flow regulation to third-countries (i.e. non-adequacy countries such as Australia); and
- continued enforcement actions and penalties from activist actions and following major data breaches.
Biometric Information Privacy Code
The New Zealand Office of the Privacy Commissioner is progressing with drafting new privacy rules relating to biometric information with expectations of launching a consultation in 2024 on a biometric information privacy code.
The Commissioner has proposed a broad scope for the code covering the collection and use of biometric information to verify, identify or categorise individuals using automated processes. Current proposals do not extend the scope to manual processes or research that use biometric information. The proposed code will have a focus on proportionality, transparency and notification requirements, as well as purpose limitation.
It is expected that the Privacy Commissioner will provide additional guidance on using biometric information in-line with obligations under the proposed code and the NZ Privacy Act.
EU Adequacy Status renewed
New Zealand continues to benefit from 'adequate' data protection safeguards after the EU completed its review of the existing 11 GDPR adequacy statuses at the start of 2024. This means that data can continue to flow freely from the EU to New Zealand without further conditions or authorisations, such as organisations having to implement additional safeguards like entering into the standard contractual clauses, which remains an issue for EU to Australia data flows.
Targeting Cookie Banner compliance and enforcement with AI
The UK Information Commissioner's Office (ICO) is actively pursuing 'cookie banner' compliance in 2024. The ICO expects that all websites operating in the UK or targeting UK residents using advertising cookies or similar technologies give people a fair choice to consent to or reject the use of such technologies. Website cookie banners should make it as easy to reject non-essential cookies as it is to accept them.
In the words of the ICO, "as we'll be steadily working our way through the list of websites offering services to UK users to give them all the same message, it makes sense to be compliant before the regulator comes knocking". For websites that continue to disregard the law, the ICO has stressed that it is ramping up enforcement action in 2024. The ICO stated that it is currently developing an AI solution to identify websites offering services to UK residents with non-compliant cookie banners, with a planned 'hackathon' in early 2024 to explore the practical implementation of the 'enforcement' AI solution.
The ICO is sending a clear message to all companies offering services to users in the UK that time is running out to get their Data Protection and Privacy compliance in order before facing regulatory consequences.
Amending the UK Data Protection Act (GDPR)
The 2023 Data Protection (Fundamental Rights and Freedoms) (Amendment) Regulations were made on 18 December 2023 and came into force on 31 December 2023. A key aspect of the amendments is to re-align data protection legislation in the UK to refer to rights derived from UK law rather than retained EU law. The changes preserve similar rights to those previously preserved in retained EU law while demonstrating the UK's commitment to the protection of data subject rights, a key factor when the UK's EU adequacy status is reviewed. From a practical perspective, the changes do not substantively change the principles and obligations set out in the General Data Protection Regulation (GDPR).
The Artificial Intelligence (AI) Act
It's impossible to talk about cyber regulation in the European Union in 2024 without looking at the soon-to-be-official Artificial Intelligence (AI) Act.
The comprehensive AI Act, which includes substantial extraterritorial provisions, was unanimously approved by the ambassadors of the 27 EU member states. The next steps for the AI Act include:
- 13 February 2024: the AI rulebook will be set for adoption by the EU Parliament's Internal Market and Civil Liberties Committees;
- 10-11 April 2024 (tentatively scheduled): plenary vote
Following successful completion of the above steps, the AI Act will enter into force 20 days after publication in the Official Journal of the EU. Its obligations then apply in stages:
- 6 months after entry into force: the bans on prohibited AI practices apply;
- 12 months after entry into force: the obligations on general-purpose AI models apply;
- 24 months after entry into force: all other provisions apply, with an additional year (36 months in total) for high-risk AI systems that are subject to third-party conformity assessment under existing EU product safety legislation.
The extraterritorial reach of the EU AI Act (i.e. its effect on Australian businesses) can be substantial and easy to trigger. Article 2 of the Regulation defines the scope of the AI Act as applying to (among a few other less common triggers):
- providers placing on the market or putting into service AI systems in the Union, irrespective of whether those providers are established within the Union or in a third country;
- users of AI systems located within the Union; and
- providers and users of AI systems that are located in a third country, where the output produced by the system is used in the Union.
General Data Protection Regulation (GDPR) Compliance
EU General Data Protection Regulation (GDPR) compliance will continue to pose a substantial risk for businesses globally, particularly as the GDPR is used as the gold-standard model for privacy laws worldwide. While some countries have achieved, and maintained, a formal adequacy decision (congratulations, New Zealand), allowing for easy data transfers with Europe, others, such as Australia, must follow much more complex contractual and legal assessment processes to comply. It is unlikely that Australia will achieve a positive adequacy decision until the Small Business Exemption is removed from the Privacy Act. Australia's broad privacy law exemptions have always been a stumbling block for European adequacy, and a substantial roadblock in the EU-Australia free trade negotiations, which commenced in 2018.
2023 also saw the largest GDPR fine ever issued when Facebook's parent company, Meta, was fined €1.2 billion by the Irish supervisory authority (the Data Protection Commission) for transferring data collected from EU/EEA Facebook users to the United States without a valid transfer mechanism following the CJEU's 2020 Schrems II decision.
Case Note: CJEU rules on credit scores under Article 22 (SCHUFA Holding) - Case C-634/21
On 7 December 2023, the Court of Justice of the European Union (“CJEU”) ruled, in a case concerning the German credit bureau SCHUFA, that credit scoring can constitute automated decision-making that is prohibited under Article 22 of the GDPR unless certain conditions are met. Article 22 prohibits decisions based solely on automated processing of personal data that produce a legal or “similarly significant” effect on data subjects. Article 22 does allow this type of automated decision-making where the data subject explicitly consents to the automated processing, or where certain other conditions (including the decision being necessary for the performance of a contract) are met. The CJEU held that a credit agency’s calculation of creditworthiness counts as automated decision-making under Article 22 where a third party “draws strongly on that to establish, implement or terminate a contractual relationship.”
Unless an exception under Article 22(2) applies, including one provided for in German federal law, credit scoring agencies in the EU will need to obtain consumers’ explicit consent before they can calculate a data subject's creditworthiness, and will have to give consumers the opportunity to contest a credit score.
Cyber and privacy regulation was front and centre across the United States in 2023, and 2024 is fully expected to continue this trend. It is unlikely that we will see national harmonisation of privacy laws in the US, as State-level, sometimes Municipal-level, and industry-based regulation remains the norm. This will continue to create a complex web of cyber and privacy laws that drives increased cost in breach response and related notifications.
The Securities and Exchange Commission (SEC) Final Rules on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure
A key development in US law has been the Securities and Exchange Commission's (SEC) cybersecurity disclosure rules, adopted in July 2023 with compliance required from December 2023. The 'Final Rules' require companies subject to the Securities Exchange Act of 1934 to disclose material cybersecurity incidents (on Form 8-K, Item 1.05, within four business days of determining that an incident is material) and, on an annual basis, material information regarding their cybersecurity risk management, strategy, and governance (Regulation S-K, Item 106).
The Final Rules require companies to describe their processes for assessing, identifying, and managing material risks from cybersecurity threats, together with the material effects, or reasonably likely material effects, of those risks. Annual disclosures must also state whether any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect the company. Item 106 further requires disclosure of the Board of Directors' oversight of cybersecurity risks and of management's role and expertise in assessing and managing material cyber risks.
Many companies have already begun filing their annual reports on Form 10-K with the new Item 1C cybersecurity disclosures. These disclosures provide substantial insight into how entities across various industries and sizes are approaching cybersecurity risk management and governance, giving researchers and experts new data on common industry practices and governance gaps.
The Final Rules also add “material cybersecurity incident” to the list of items that trigger disclosure obligations (on Form 6-K) for Foreign Private Issuers (FPIs), capturing many larger Australian companies across the transportation, banking and finance, and mining sectors. If an FPI discloses or publicises (or is required to disclose or publicise) a material cybersecurity incident in a foreign jurisdiction, such as Australia, to any stock exchange (including the ASX), or to security holders, the FPI must promptly disclose the same information regarding the incident to the SEC.
The Final Rules affect domestic registrants and FPIs subject to the reporting requirements under the Securities Exchange Act. The Rules also apply to business development companies as defined in section 2(a)(48) of the Investment Company Act of 1940.
New Privacy Laws entering force in 2024
On 1 July 2024, new State privacy laws will come into force including:
- Oregon Consumer Privacy Act
- Texas Data Privacy and Security Act
- Florida Digital Bill of Rights
On 31 March 2024, the Washington State My Health My Data Act will go into effect.
On 1 October 2024, the Montana Consumer Privacy Act will become effective.
Consumer Right to Portability coming into force (Québec)
Companies operating in Canada, or exposed to Canadian law are gearing up to comply with new consumer rights coming into force in 2024.
The right to portability will become effective on 22 September 2024 through amendments to the Québec Act respecting the protection of personal information in the private sector. A federal-level implementation of the right to portability is progressing through Parliament as part of Bill C-27, which includes amendments to the Personal Information Protection and Electronic Documents Act (PIPEDA). The amendments include a proposed Consumer Privacy Protection Act (CPPA) that is making its way through the House of Commons Standing Committee on Industry and Technology.
It is very likely that we will see substantial Canadian legislative change in cyber and privacy in 2024.
Bill C-27: Artificial Intelligence and Data Act
The Canadian Government is continuing with its commitment to pass the Artificial Intelligence and Data Act. However, it is not expected to be in effect before 2025. The scope of the Canadian AI Act is still hotly debated and is likely to end up as a mix-and-match of the European, American, and Chinese approaches.
Amending the cybersecurity laws: critical infrastructure takes the stage
In December 2023, the Cyber Security Agency of Singapore (CSA) published a consultation paper on a draft amendment to Singapore's cybersecurity laws: Cybersecurity (Amendment) Bill 2023 (Bill), which may progress in 2024.
The Bill's aim is to extend the coverage of Singapore’s cybersecurity laws to a broader group of entities, including:
- Computing vendors
- Foundational digital infrastructure entities
- Systems of temporary cybersecurity concern
- Entities of special cybersecurity interest
Consultations closed on 15 January 2024.
Where do we go from here?
In response to the growing complexity of the cyber and privacy regulatory landscape, AB's Cyber and Privacy team has put together a broad range of Cyber and Technology Solutions and Privacy and Data Protection Solutions to help businesses of all sizes.
We have developed two key solutions to help businesses better understand their cyber and privacy risks:
- the Cyber Readiness Assessment
- the Privacy Capability Assessment
These solutions are designed to:
- identify the gaps in your risk management;
- build a better understanding of your legal and regulatory obligations;
- help you establish and demonstrate regulatory compliance; and
- assist you in obtaining or renewing your cyber insurance coverage.
Get a no obligation consultation
At Albrecht Burrows, we understand the complexity and urgency of the cyber and privacy risks facing businesses today. Get a no-obligation consultation with our experts to better understand how your business can increase its resilience to cyber and privacy threats and regulatory risks. Our team of experienced multidisciplinary professionals will work closely with you to create personalised risk management solutions tailored to your business' unique needs and budget. Don't wait until it's too late: schedule your no-obligation consultation today and take proactive steps towards protecting your business from cyber threats and privacy breaches.

James A. Cole
Partner | Head of Cyber & Privacy
My passion is helping our clients to implement holistic and commercial technology, privacy, and governance strategies that are aligned to their business objectives and risk appetite. I enjoy holistically applying my expertise across technology, business, and law enabling me to get to the heart of the issues and achieve positive, long-term results for clients.
James has spent more than two decades specialising in information security, strategic operations, and Governance, Risk & Compliance, helping businesses and government seamlessly integrate privacy, technology, security, and compliance with business objectives.
James’ success as a computer scientist and lawyer has been centred on his core belief that privacy, security, and compliance do not have to be onerous activities that hinder business.
James’ expertise is wide-ranging on every axis. He has advised organisations across both private and public sectors, as well as a broad range of industries including financial services, insurance, technology, healthcare, and government.
His advice spans across:
- international commercial expansions and regulatory compliance
- international privacy regimes including GDPR, CCPA, HIPAA, PIPEDA, UK PECR, ePrivacy Directive
- Access to Information / Freedom of Information
- multi-jurisdictional privacy and data protection
- artificial intelligence (AI) and facial recognition technology including ISO 42001
- cyber resiliency and preparation & prevention of cybercrime
- cyber governance, risk and compliance including ISO 27001 & NIST 800-53
- contractual liability in cyber & technology, and privacy & data protection
- misleading and deceptive conduct in financial services including AFSL compliance and breach investigation & reporting
- data breach incident response and remediation
Academic Credentials
- Bachelor of Laws (Honours) - Queensland University of Technology
- Bachelor of Computer Science - University of Calgary
- Bachelor of Arts (English Literature and Philosophy) - Trent University
- Postgraduate Studies (Law) - University of British Columbia
- Diploma in Insurance Law - Law Society of Ireland
- Masters of International Security Studies (Distinction)- Macquarie University
- Masters of Policing, Intelligence & Counter Terrorism (Distinction) - Macquarie University
Certifications
- Certified Information Privacy Professional / Europe (CIPP/E) - International Association of Privacy Professionals (IAPP)
- Certified Information Privacy Manager (CIPM) - International Association of Privacy Professionals (IAPP)
- Certificate in Data Protection Practice - Law Society of Ireland
- Certificate in General Data Protection Regulation (GDPR) - Law Society of Ireland
- Security+ - Computing Technology Industry Association (CompTIA)
- Canadian Securities Course (CSC) - Canadian Securities Institute
- Australia - New South Wales - Lawyer
- Australia - High Court of Australia - Solicitor
- New Zealand - Barrister and Solicitor (inactive)
- England & Wales - Registered Foreign Lawyer
- Privacy and Data Protection
- Cyber and Technology
- Insurance
- Artificial intelligence (AI)
- International Private
- Corporate and Commercial
- Administrative and Regulatory
2024
- Law Society of New South Wales - Member of the Taskforce on Artificial Intelligence
2023
- UNSW Edge Seminar - Cyber Security & Data Breaches: the new governance frontier
- Gartner Security & Risk Summit - CISO Masterclass on the Ins & Outs of Cyber Insurance
- AISA CyberCon Canberra - Ask an Expert - Ask a cyber insurance breach coach about prevention and incident response planning
2022
- Tenable on Tour - Managing data risks and the role of legal teams
- Law Society of NSW Annual Conference - The value of data, what you can do with it and what you can't (Moderator)
- Young Lawyers Criminal Law Sub-Committee, Law Society of NSW - The challenges of responding to cybercrime
- Albrecht Burrows & Law Squared webinar - Privacy: a whole of enterprise risk
- Law Society of NSW CPD webinar - Risk management as a strategic business tool: why legal is so much more than a dustpan and brush
2021
- Pemba Capital Partners Lunch and Learn - Cybersecurity in financial services

Mark Anderson
Legal Consultant, Lawyer (NZ)
Managing risk with both technical precision and pragmatism is critical in the modern environment. Properly understanding your business needs and then delivering that advice together with integrity, trust and loyalty are fundamental to ensuring your most optimal outcomes.
Mark is a highly awarded legal risk adviser and barrister to New Zealand and international businesses, governmental entities and public bodies. He has more than 20 years' experience advising on risk, including cyber risks and breach responses, technology contract liability, security and governance, health and safety, environmental, competition and other regulatory investigations.
He has provided incident response advice globally to clients in need, including those in Europe, Australia, New Zealand and across APAC, after developing global incident response panels drawing together legal, IT, Forensic and PR professions to manage cyber crises. He has managed some of the highest profile cyber breaches in Australasia.
Mark is a trusted leader with a high level of integrity, professionalism, and discretion. An exceptional strategist committed to minimising current and perceived risks while providing innovative, future focused and pragmatic legal strategies to achieve your objectives.
Mark is recognised by peers for his tenacity and proven ability to direct technology and cyber risk/data breach incident responses, regulatory notifications, and insurance operations during business interruptions following a cyber incident. He has been ranked as a leading lawyer in the Legal 500 (2020 & 2021) and as a top lawyer in privacy by Best Lawyers (2017-2023).
LLB (Otago University)
BA (Hons - International Relations & Politics)
- New Zealand - Barrister and Solicitor. Currently registered Barrister
Technology
Cyber Incident Response
Privacy
Insurance
Litigation
Board Risk and Governance Advisory
Administrative and Regulatory
Regulatory Investigation Response
Aviation and Marine Risks
Health and Safety
Environmental / Climate Change Risk
Data subject rights: The real risk of privacy and security for business 2022
Ransomware - the mechanics of ransom payments - Seminar Insurance industry 2021
The Globalisation of Privacy Breach Law – European developments and impact on Australasia - New Zealand Insurance Law Association – March 2020
Cyber, conflict and cover: time for a re-think? 2018 Seminar and publication
Connected and Autonomous Vehicles: The future? Oral and written evidence 2016
Emotionally intelligent advice
While for the modern lawyer being able to manage relationships is par-for-the-course, our experience is that the impact that emotional factors can have on business outcomes is vastly underestimated. Human issues represent an entire spectrum of factors that can have very little to do with the legal merits of an issue, and can provide opportunities for leverage as well as unique avenues towards resolution. When managed well they can lead to exceptional outcomes that would not have seemed possible when assessing the matter on paper.
"AB offers exceptional legal advice delivered by highly skilled and brilliant lawyers who are fantastic to deal with; personable, easy to talk to and compassionate. The commerciality of their advice is matched only by their commitment to simplifying the law and finding practical, creative solutions!"
Tas Demos
Managing Partner, BDH Leaders
Interested?
We'd love to work with you!
If you've decided now is the time, just get in touch and we can put a proposal together ASAP!
Also, while our rates are always competitive, they become even more so when the projects scale - so why not do a few things at once?
The sooner you get in touch, the sooner we can tick these issues off your list, leaving you free to focus on what's important.
All the best from the AB Cyber and Privacy Team!
Data breach emergencies
If you have experienced a data breach, whether through unintentional employee error, employee data theft, or because you’ve been the victim of a cyber-attack, the first 48 hours are crucial. So don’t waste any time, just get in touch.
Reach out, day or night.
If you don’t reach us straight away, we will get in touch ASAP!
Email us on [email protected]
Breach emergency Line: 02 8318 5980
Smart Commercial Lawyers
Delivering emotionally intelligent legal solutions
ablaw.com.au | [email protected]
Reception 02 8014 2511
Level 12, 111 Elizabeth Street
Sydney NSW 2000
Level 11, 456 Lonsdale Street
Melbourne VIC 3000
Rahiri Chambers
Level 10, Britomart Place
Auckland CBD