James Patto

I have seen a lot of talk about a potential 21 trillion dollar fine for Medibank in the media in relation to the OAIC's civil penalty proceedings.

The number seems ridiculous right?

That’s what I thought as well, so, I have done a bit of digging around how realistic this outcome actually is under the Act. So, buckle up and come on a short trip down this rabbit hole with me…

Artificial intelligence (AI) is already changing the world – whether that is for better or for worse will depend on how effectively and responsibly its use and development is regulated and governed

ChatGPT, AutoGPT, Llama, generative AI… In what seems like a whirlwind couple of months, these once (largely) unknown terms have become mainstream in everyday conversations, and this is only the beginning. With the applications and use cases for generative AI only growing, it is critical that… Show more

Artificial intelligence (AI) is already changing the world – whether that is for better or for worse will depend on how effectively and responsibly its use and development is regulated and governed

ChatGPT, AutoGPT, Llama, generative AI… In what seems like a whirlwind couple of months, these once (largely) unknown terms have become mainstream in everyday conversations, and this is only the beginning. With the applications and use cases for generative AI only growing, it is critical that governments and businesses alike consider what this means for organisations, people and society and implement appropriate measures to address this.

The key challenge for governments is how do they regulate this new technology in a manner that facilitates innovation and improvement whilst ensuring safety, transparency and reliability. How do we make AI work for society in a positive way? Or, at least, in a manner that addresses potential negative consequences.

In this article, we consider AI in the current legal landscape in Australia, key legal concerns with AI and how governments around the world are moving to regulate it. We also look at how entities can proactively implement governance around AI to get the most out of AI in their business in a responsible way and ensure they get a head start on legal compliance. Show less

The eagerly awaited reforms to Australia’s privacy laws are about to get underway with the Australian Government releasing its response to the Privacy Act Review Report (Government Response) which, when originally released in February this year, made 116 recommendations to reform the Privacy Act 1988 (Cth) (see our summary and hot takes and our submission in response to the report). The recommendations proposed were ambitious, wide-ranging and, if implemented, would have resulted in the most… Show more

The eagerly awaited reforms to Australia’s privacy laws are about to get underway with the Australian Government releasing its response to the Privacy Act Review Report (Government Response) which, when originally released in February this year, made 116 recommendations to reform the Privacy Act 1988 (Cth) (see our summary and hot takes and our submission in response to the report). The recommendations proposed were ambitious, wide-ranging and, if implemented, would have resulted in the most significant change to Australian privacy laws since the introduction of the APPs. Show less

The highly-anticipated report of the Attorney-General’s Department’s review of the Privacy Act 1988 (Cth) has finally landed with significant flair. Two years in the making, the Report has put forward 116 proposals that, if implemented, will be the most dramatic change to the Australian privacy and data protection landscape since the introduction of the APPs. We have broken down the key themes and issues in the existing legislation, and some of the key reforms proposed by the Report.

Understand cyber incident regulatory notification obligations for organisations in Australia.

As organisations have continued to venture further into the digital realm, the risk profile of their organisation and operations has evolved significantly. The great opportunities that come with increased digitisation also brings the risk that threat actors or significant cyber events can disrupt and damage business and their stakeholders. With this change, we have seen a significant shift in… Show more

Understand cyber incident regulatory notification obligations for organisations in Australia.

As organisations have continued to venture further into the digital realm, the risk profile of their organisation and operations has evolved significantly. The great opportunities that come with increased digitisation also brings the risk that threat actors or significant cyber events can disrupt and damage business and their stakeholders. With this change, we have seen a significant shift in focus from regulators and law enforcement, with their eyes fixed on the cybercrime scourge. Show less

The proposed Communications Legislation Amendment (Combatting Misinformation and Disinformation) Bill 2023 seeks to amend the Broadcasting Services Act 1992 (Cth) and other relevant legislation to provide
new powers to combat online misinformation and disinformation.

The Bill will sit beside the current voluntary framework, creating powers to enforce the voluntary framework (if required) and create new codes. The Bill guidance describes the enforcement powers as a ‘last resort’ if… Show more

The proposed Communications Legislation Amendment (Combatting Misinformation and Disinformation) Bill 2023 seeks to amend the Broadcasting Services Act 1992 (Cth) and other relevant legislation to provide
new powers to combat online misinformation and disinformation.

The Bill will sit beside the current voluntary framework, creating powers to enforce the voluntary framework (if required) and create new codes. The Bill guidance describes the enforcement powers as a ‘last resort’ if voluntary efforts are inadequate, but does not give clear direction on what is to be considered before a mandatory code may be implemented.

The Government recognises the influence that false information may have on economic stability, safety and public order. According to the Government, the Bill aims to strike a balance between the serious harms that may arise from false information, such as the fall of the US stock markets following dissemination of a false image of an explosion of the Pentagon, and the importance of freedom of expression. Show less

With generative AI tools like ChatGPT well and truly becoming an ‘overnight’ sensation, many have been awakened to the potential for AI to revolutionise the way we do business. But the truth is that the use of AI technologies in everyday business functions is already commonplace. From Netflix using AI to recommend movies based on what we have previously watched, to the Commonwealth Bank of Australia using AI to detect suspicious and unusual banking behaviour on its digital platforms, AI is… Show more

With generative AI tools like ChatGPT well and truly becoming an ‘overnight’ sensation, many have been awakened to the potential for AI to revolutionise the way we do business. But the truth is that the use of AI technologies in everyday business functions is already commonplace. From Netflix using AI to recommend movies based on what we have previously watched, to the Commonwealth Bank of Australia using AI to detect suspicious and unusual banking behaviour on its digital platforms, AI is already disrupting traditional business.

In light of the staggering increase in AI use, directors are under mounting pressure to ensure their organisations are prepared to use AI in a responsible manner. But what does this really mean in practice?

Although specific black letter law regulating AI has yet to be formalised, directors need to understand their role and responsibilities in the deployment of AI. In short, that means implementing AI governance.

Australian laws have yet to clearly define what AI is, let alone what a director’s duties are when it comes to AI. But it could very well be on the horizon, with the Australian Government recently releasing a Discussion Paper on ‘Safe and responsible AI in Australia’.

AI is happening now, and directors should look to stay ahead of the curve. The choice is not between using AI
and not using AI. Given its prevalence and trajectory, AI will either be used by an organisation governed or
ungoverned – the choice is for the directors to make.

This article looks to unpack the relevance of directors’ duties to AI and how directors can effectively manage these duties. AI, with all its promises and opportunities, comes with a range of known risks. Without appropriate organisational governance, there is a real risk that AI becomes a source of harm and risk (and therefore, liability) to any business. Show less

n order to harness the opportunities of AI safely and responsibly, there is a need to establish a robust, holistic,
and accessible AI policy that underpins the development, procurement, implementation and use of AI. Here are some key considerations that organisations should take into account when considering AI governance policies.

Like technology itself, the process of acquiring technology in a modern, digital world has seen substantial change.

More and more, organisations are now finding themselves managing large transformation projects that transition from more traditional IT procurement arrangements (i.e. often single source, long term, fixed pricing) to a more decentralised suite of vendors under outcome based, agile, pay-as-you-go arrangements. Further, more organisations are finding themselves subject to… Show more

Like technology itself, the process of acquiring technology in a modern, digital world has seen substantial change.

More and more, organisations are now finding themselves managing large transformation projects that transition from more traditional IT procurement arrangements (i.e. often single source, long term, fixed pricing) to a more decentralised suite of vendors under outcome based, agile, pay-as-you-go arrangements. Further, more organisations are finding themselves subject to regulatory regimes which require an all-hazards approach to risk management, including through their supply chains (for example the new APRA CPS230 standard and the new Security of Critical Infrastructure Act 2018 (Cth) reforms). Show less

Australia’s Security of Critical Infrastructure (SOCI) regime has undergone a massive overhaul over the past several years, with the number of sectors captured by the legislation expanding from 4 to 11, substantial new obligations in relation to critical assets introduced, and the creation of a national regulatory body, the Cyber and Infrastructure Security Centre (CISC). The enhanced regime has meant many sectors – which previously were not regulated under the SOCI Act – now are, and many who… Show more

Australia’s Security of Critical Infrastructure (SOCI) regime has undergone a massive overhaul over the past several years, with the number of sectors captured by the legislation expanding from 4 to 11, substantial new obligations in relation to critical assets introduced, and the creation of a national regulatory body, the Cyber and Infrastructure Security Centre (CISC). The enhanced regime has meant many sectors – which previously were not regulated under the SOCI Act – now are, and many who are now regulated face significant uplift in a relatively short period of time in order to ensure compliance. And the journey is continuing… Show less

So, what can the Government do about underquoting? Traditionally, the Government has been targeting and attempting to enforce laws directly against the source – the underquoting agents - but that isn’t working. The biggest challenge with underquoting is that there are a lot of agents, a lot of listings to review and the enforcement effort required to make an impact is mammoth. Further, it is a relatively difficult job for Government to realistically work out where underquoting has occurred… Show more

So, what can the Government do about underquoting? Traditionally, the Government has been targeting and attempting to enforce laws directly against the source – the underquoting agents - but that isn’t working. The biggest challenge with underquoting is that there are a lot of agents, a lot of listings to review and the enforcement effort required to make an impact is mammoth. Further, it is a relatively difficult job for Government to realistically work out where underquoting has occurred, compared to just a lucky bumper sale.

The answer is simple - make digital real estate platforms responsible for agent underquoting on their platforms. Doing so will make the biggest players in the real estate game accountable for the misuse of their digital platforms by real estate agents – from which these organisations profit. Show less

Multi-disciplinary team summary of the new CI strategy and analysis of the risk management program rules, including how they differed from the draft rules.

High level analysis and comments on the long awaited Attorney General Department's Privacy Review Report

This article outlines the current state of play for key proposals, reforms and review processes taking place in relation to Australian privacy and cyber security laws and regulations.

In what could be one of the biggest overhauls of the Privacy Act 1988 (Cth) since the NPPs became the APPs, the Minister for Communications and the Arts, Mitch Fifield, and Attorney General, Christian Porter, have announced that the Federal Government is looking to make a number of significant changes to the privacy regime targeted at the social media and technology industry in Australia.

This article looks at the proposals and the ongoing ability of the OAIC to enforce privacy… Show more

In what could be one of the biggest overhauls of the Privacy Act 1988 (Cth) since the NPPs became the APPs, the Minister for Communications and the Arts, Mitch Fifield, and Attorney General, Christian Porter, have announced that the Federal Government is looking to make a number of significant changes to the privacy regime targeted at the social media and technology industry in Australia.

This article looks at the proposals and the ongoing ability of the OAIC to enforce privacy regulations given the scale of the task and its limited resources. Show less

Despite a flurry of political posturing by the major political parties on the final day of Parliament for 2018 and substantial industry criticism, the Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018 (Cth) (also commonly referred to as the Assistance and Access Act or Encryption Act) has passed both Houses of Parliament with bipartisan support. The Act came into effect when it received Royal Assent on 8 December 2018, but that is not the end of the story for… Show more

Despite a flurry of political posturing by the major political parties on the final day of Parliament for 2018 and substantial industry criticism, the Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018 (Cth) (also commonly referred to as the Assistance and Access Act or Encryption Act) has passed both Houses of Parliament with bipartisan support. The Act came into effect when it received Royal Assent on 8 December 2018, but that is not the end of the story for this Act … Show less

Earlier this year, after several frustrated efforts, Australia finally passed new mandatory data breach notification laws in the form of the Privacy Amendment (Notifiable Data Breaches) Act 2017 (Cth) (which will come into effect on or before 22 February 2018).

While much has already been written about the Act, there is still a degree of uncertainty as to how the new regime may play out in practice. In this article, we aim to guide readers through the practical application of the laws by… Show more

Earlier this year, after several frustrated efforts, Australia finally passed new mandatory data breach notification laws in the form of the Privacy Amendment (Notifiable Data Breaches) Act 2017 (Cth) (which will come into effect on or before 22 February 2018).

While much has already been written about the Act, there is still a degree of uncertainty as to how the new regime may play out in practice. In this article, we aim to guide readers through the practical application of the laws by reference to a number of hypothetical fact scenarios and, in the course of doing so, provide some practical compliance tips. Show less

Recent amendments to the Civil Aviation Safety Regulations (CASR) come into effect today (29 September 2016). The amendments are intended to simplify the regulatory requirements around the growing use of aerial drones in Australia, also known as unmanned aerial vehicles and, in Australian legislation, as remotely piloted aircraft - but they also introduce some new air safety requirements that will also impact drones.

Earlier this year, we released our inaugural cyber survey report, Perspectives on Cyber Risk (the Report), intended to provide insight into Australian organisations' cyber risk posture and cyber resilience capability.

Perhaps one of the more surprising findings in the Report was that surveyed organisations did not appear to be overly concerned about the risk of regulatory action flowing from a cyber breach.

In a week where the Victorian Government plugged a loophole in transport legislation to stifle Uber's quest for the sharing economy 'holy grail' (namely, legislative recognition and legality), the Victorian Supreme Court has put another dampener on the sharing economy by ruling that two tenants had breached their lease with their landlord by renting their leased apartment out using the popular home sharing website, Airbnb.

When Neo consulted the 'Oracle' in the Matrix movies, he was left confused and uncertain as to whether the Morpheus-led campaign to name him the 'chosen one' was true. One of the Oracle's more famous quotes was that 'we are all here to do what we are all here to do'.

This is a sentiment that, back in the real world (which may or may not be a matrix like computer simulation), our own 'oracle' (being Oracle Corporation, of Redwood City, California) might well agree with, particularly in… Show more

When Neo consulted the 'Oracle' in the Matrix movies, he was left confused and uncertain as to whether the Morpheus-led campaign to name him the 'chosen one' was true. One of the Oracle's more famous quotes was that 'we are all here to do what we are all here to do'.

This is a sentiment that, back in the real world (which may or may not be a matrix like computer simulation), our own 'oracle' (being Oracle Corporation, of Redwood City, California) might well agree with, particularly in relation to third party support and maintenance providers. However, in a recent challenge, Oracle has distinguished itself from the 'Oracle' in the Matrix by leaving no uncertainty as to its position on third party support and maintenance providers.

Show less

The hack of toy manufacturer VTech's computer systems, which was disclosed by the company late last year, has highlighted various privacy concerns with, and vulnerabilities of, the Internet of Things (IoT) phenomenon.

Welcome to the third instalment of the 'When IT hurts, it hurts: Mitigation strategies for cyber attack loss' blog series. Coinciding with the release of MinterEllison's cyber survey report, Perspectives on Cyber Risk (the Report), this series focuses on key areas of loss that an organisation may suffer as a result of a cyber attack, and key strategies to mitigate that loss.

Today's blog post looks at two other feared exposures of our survey respondents - business interruption and loss… Show more

Welcome to the third instalment of the 'When IT hurts, it hurts: Mitigation strategies for cyber attack loss' blog series. Coinciding with the release of MinterEllison's cyber survey report, Perspectives on Cyber Risk (the Report), this series focuses on key areas of loss that an organisation may suffer as a result of a cyber attack, and key strategies to mitigate that loss.

Today's blog post looks at two other feared exposures of our survey respondents - business interruption and loss of confidential information and intellectual property.

Show less

Welcome to the second instalment of the 'When IT hurts, it hurts' series on cyber attack loss. Coinciding with the release of MinterEllison's cyber survey report, Perspectives on Cyber Risk (the Report), this series focuses on key areas of loss that an organisation may suffer as a result of a cyber attack, and key strategies to mitigate that loss.

Today's blog post looks at our cyber survey respondents' most feared exposure – negative brand perception and reputational damage.

In what has been an eventful few weeks on the copyright high seas, after some set backs, rights holders commenced actions in the Federal Court to block a number of websites that they allege have the 'primary purpose' of infringing copyright. We've set out below a round up of these recent events.

As a chief information officer or chief security officer, it's probably not going to be good news when your phone lights up at 2am on a cool winter's night. Over the next few weeks we will post a series of blog posts setting out key areas of loss an organisation may suffer as a result of a cyber attack, and outlining some strategies that organisations can implement to assist with mitigating potential loss.

Information and communications technology is increasingly the backbone of global economic growth. Billions of people across the globe rely heavily on ICT for work, communication, entertainment and almost every other facet of their everyday lives. So it is unsurprising, then, that cyber security is now of critical domestic and international concern.

MinterEllison surveyed C-suite and senior executives in IT, Legal and Risk with a view to providing insights into Australian organisations… Show more

Information and communications technology is increasingly the backbone of global economic growth. Billions of people across the globe rely heavily on ICT for work, communication, entertainment and almost every other facet of their everyday lives. So it is unsurprising, then, that cyber security is now of critical domestic and international concern.

MinterEllison surveyed C-suite and senior executives in IT, Legal and Risk with a view to providing insights into Australian organisations risk posture in relation to cyber attacks, cyber resilience capability, and intentions in adopting services that increase their cyber risk exposure, and the results are presented in this special report. Show less

Just in time for the holiday period, we present a short history of internet law in verse. 'The tangled web we weave' looks back at some of the key developments in the history of the internet and internet law in Australia.

For perhaps the first time since the Copyright Amendment (Online Infringement) Act 2015 (Website Blocking Act) became law, there has been the publication of a demand for an internet service provider (ISP) to block access to an overseas website. More particularly, residential builder Simonds Homes has demanded that a small (as yet unnamed) ISP block access to a website hosted in India.

Following a Federal Circuit Court decision in 2014, the United States Supreme Court has refused to hear Google's appeal against Oracle regarding whether application programming interfaces (APIs) for the computer language Java are capable of attracting copyright protection. By refusing to hear this appeal, the highest court in the US has effectively declared that copyright may subsist in APIs, overruling Judge William Alsup's first instance decision.

Last week the Privacy Commissioner, Timothy Pilgrim, (Commissioner) made a determination that metadata held by Telstra is 'personal information' for the purposes of the Privacy Act 1988 (Cth) (the Act). Our blog post earlier this week outlined the determination by the Commissioner and his reasoning behind the decision. Telstra argues that the ramifications beyond this decision may have the potential to hamstring telecommunication companies (Telcos) in a sea of compliance and lead to higher… Show more

Last week the Privacy Commissioner, Timothy Pilgrim, (Commissioner) made a determination that metadata held by Telstra is 'personal information' for the purposes of the Privacy Act 1988 (Cth) (the Act). Our blog post earlier this week outlined the determination by the Commissioner and his reasoning behind the decision. Telstra argues that the ramifications beyond this decision may have the potential to hamstring telecommunication companies (Telcos) in a sea of compliance and lead to higher prices for consumers. In this post, we explore the compliance consequences with respect to key Australian Privacy Principles (APPs). Show less

Online infringers will soon receive a series of notices from their ISP under the proposed Copyright Notice Scheme 2015 (the Code).

The primary Australian telecommunications industry body, Communications Alliance, has submitted the final version of the Code for review and approval by the Australian Communications and Media Authority (ACMA). If the Code is approved, the majority of Australian ISPs must send notices to alleged copyright infringers at the request of a copyright owner. After… Show more

Online infringers will soon receive a series of notices from their ISP under the proposed Copyright Notice Scheme 2015 (the Code).

The primary Australian telecommunications industry body, Communications Alliance, has submitted the final version of the Code for review and approval by the Australian Communications and Media Authority (ACMA). If the Code is approved, the majority of Australian ISPs must send notices to alleged copyright infringers at the request of a copyright owner. After a user receives 3 notices in a 12 month period, the ISP must then assist the copyright owner if it applies to the court for preliminary discovery to identify the alleged infringers. Show less

In a landmark case in Australia that is a first of its kind (but undoubtedly will not be the last), damages have been awarded to New South Wales school teacher, Mrs Christine Mickle, for offensive and defamatory tweets and Facebook posts made by an ex-student of the school where she taught.

The purpose of this article is to provide a summary of the tax judgements relevant to the financial services industry from the Federal Court, Full Court of the Federal Court and the High Court from January 2013 to the start of December 2013.