More stories

    RedMart security breach should come as no surprise, highlights importance of integration plan

    That Lazada’s online grocery platform RedMart has suffered a serious data breach this week should come as no surprise, especially since it has made several public missteps after folding the app into its own e-commerce app more than a year ago. The security oversight underscores the importance of putting in place a proper integration strategy when companies merge and one that should continue to be reviewed even after the transition is complete. 
    News broke late-Friday that the data of 1.1 million RedMart accounts had been compromised, after an individual claimed to have access to a database containing their personal information including names, mailing addresses, email addresses, phone numbers, encrypted passwords, and partial credit card numbers. 


    Lazada, which acquired RedMart in November 2016, sent a note Friday to affected customers informing them of a “RedMart data security incident” that it said was uncovered the day before, on October 29, as part of “regular proactive monitoring” carried out by the company’s cybersecurity team. RedMart customers were automatically logged out of their accounts and prompted to reset their passwords before relogging in. 
    In its note, Lazada said the breach led to unauthorised access to a “RedMart-only database” that was hosted on a third-party service provider and had contained “out of date” customer data that was last updated in March 2019. It added that “immediate action” was taken to block the illegal access and that Lazada’s own customer data was not affected by the breach. 
    The Southeast Asian e-commerce operator in January 2019 announced plans to integrate the RedMart app into its platform, more than two years after it acquired RedMart. Lazada itself was acquired by Chinese e-commerce giant Alibaba in April 2016. RedMart accounts were formally integrated on March 15, 2019 — the same month the compromised database was last updated.
    The move had drawn sharp criticism from former RedMart customers in Singapore, who were promised the “same shopping experience — from browsing to ordering” on the integrated platform, but found this to be far from the truth when March 15 rolled around. 
    Once beloved for its streamlined and clean user interface, the integrated RedMart experience was described by customers as cluttered, difficult to navigate, and missing several popular features such as the ability to update a scheduled order and access to a favourite items list. 

    Today, more than a year after the transition, user experience for RedMart — which currently has its own section on Lazada — remains inconsistent across its mobile and online platforms. While the mobile app is largely functional, the same cannot be said for the online experience. RedMart customers on the Lazada website will hit a stalled page when they attempt to retrieve their favourite items list, and adding items to their cart will lead to a “network error” or an error page.
    Clearly, some things have slipped through the cracks since the merger and a security breach was a matter of “when”, not “if”. 
    Questions remain about Lazada’s security hygiene
    That the database was outdated is irrelevant; the data it contained isn’t exactly transient in nature. I haven’t changed my mobile number in at least 20 years and how many actually move homes in under two years? 

    That it was a “RedMart-only” database also is little consolation. RedMart customers’ login credentials were moved along with the integration and their passwords are used to log into the Lazada platform before they can access the RedMart section. So, why that still means their Lazada data is “not affected” needs further explanation. 
    That the database was hosted on a “third-party service provider” is moot. Your customer data, your database, your responsibility. If it was last updated 18 months ago, then the system should have been retired and taken offline, away from the prying hands of hackers.
    If it was left online for operational reasons, then policies and procedures should have been put in place to ensure the database remained updated, regularly checked for any potential vulnerabilities, and security patches promptly deployed. 
    And there are many questions that still need to be answered. 
    Was the breach actually discovered during a “regular proactive monitoring” or was it identified only after the hacker or hackers publicly declared they were in possession of the database and had put up the details for sale? 
    Was Lazada’s cybersecurity team aware the second the database was breached, and not only when the hackers announced they had access to the data? When exactly did the breach occur? How long had the hackers been lurking in stealth mode? What else could they have breached?
    With 1.1 million accounts compromised, Lazada not only faces a potentially stiff penalty from the relevant Singapore authorities, its reputation has taken a significant hit. Customers have taken to its social media profiles with questions about their data security and to decry the platform’s lack of security, including the absence of basic features such as two-factor authentication. 
    These are issues Lazada could very well have avoided if it had put in place, from day one, a proper integration plan. One that could have helped ensure customers knew what to expect, that user experience remained consistent, and features were at the very least functional. 
    A proper transition strategy also would identify systems that should be kept operational, and how they should be properly maintained, as well as pave out a timeline for those that were no longer needed and how these should be taken out of commission.
    Now in damage control, it remains to be seen how Lazada will move to repair its brand. One thing’s for sure, with the missteps it has made — and continues to make — more “security incidents” may be on the way if Lazada doesn’t clean up its act, and quickly. 

    The path to a new normal in 2021 demands increased cybersecurity resilience

    Customer expectations are changing because they must, in the face of economic uncertainty, social movements, and shifting geopolitics, and this will have a significant impact on information and IT security professionals across the globe. 2021 will be the beginning of a transition toward a new normal, and organizations will continue to adapt to new business models.  

    The cybersecurity trends Forrester expects to see in 2021: 
    A CISO from a Global 500 firm will be fired for instilling a toxic security culture. Toxic security team culture harms employee retention and hinders recruiting. CISOs are responsible for identifying and addressing such issues on their team, but what happens when the problem stems from the CISO? Empowered employees understand that social media can amplify concerns if their company disregards them. Professional networks once privately shared details of toxic leaders and individuals to avoid, but now that conversation will become public — and rightfully so. 2021 will be a year of reckoning for leaders who create, tolerate, or ignore hostile cultures. CISOs must invest in improving empathy and people management skills and cultivate a positive culture for their teams to thrive in. 
    Funding for non-US-headquartered cybersecurity companies will increase by 20%. Startup creation is increasingly a source of national pride and investment in Europe and Asia Pacific. Moves by the EU Commission to promote its digital sovereignty and further economic protectionism in Asia will result in increased funding for regional cybersecurity firms. Multinational firms must give up their single-sourcing approach and accept the reality of point solutions based on region. Develop a startup scouting capability to identify promising new regional security technology, build an adaptable procurement and sourcing plan to obtain them, and create standard security guidelines to create consistency across disparate vendors. 
    Audit findings and budget pressure will lead to an uptick of risk quantification tech. Struggling firms cut spend on staffing and technology to survive 2020. In 2021, stagnant or declining budgets will require solid justification for spending. Risk quantification solutions that provide insights into the criticality of assets and potential impact of an issue in real time with business context will help security leaders determine what stays, what goes, and where limited increases should go. Examine risk quantification solutions — and their substantial required dependencies — to move beyond the tried-and-true basic business case that was sufficient during the growth years. 
    And yes, there will be data breaches and ransomware. For more trends and insights for the year ahead, download Forrester’s complimentary 2021 Predictions eBook here.    
    This post was written by Forrester Principal Analyst Heidi Shey, and it originally appeared here. 


    Predictions 2021: Privacy becomes an imperative in a year of transition

    Next year — 2021 — will be a year of transition. As communities, consumers, and businesses leave the pandemic behind, they will embrace a new normal. 

    Three privacy-related trends will underpin this transition: 1) an ever-increasing appetite to collect, process, and share sensitive personal data from consumers and employees; 2) despite the recessionary economy, values-based consumers will increasingly prefer to engage with and entrust their data to ethical businesses; and 3) regulatory and compliance complexity in relation to data privacy will increase further. 
    Against this scenario, for 2021, Forrester predicts that: 
    Regulatory and legal activity related to employee privacy will increase 100%. Pandemic management, as well as a growing desire to improve workforce analytics and insights, will drive organizations to hungrily collect more and more employee data. We predict that in the next 12 months, regulatory and legal activity will double and overwhelm organizations that fail to take a thoughtful approach to employee data — one that respects and protects employee privacy. Companies must develop a privacy-by-design approach to their initiatives that entails the collection, processing, and sharing of their employees’ personal data. 
    One in four CMOs will invest more in technology to collect zero-party data. Digital advertising is on the brink of major, systematic changes. Values-based customers increasingly look to share their data with companies that embrace privacy as a value and treat data ethically. On top of that, the death of the third-party cookie forces companies to focus more on collecting data directly from customers and rely less on riskier third-party data. In 2021, CMOs will start to make strategic revisions to their ecosystem, and 25% of them will increase their capabilities to collect zero-party data. CMOs must partner with their security, risk, and privacy peers to select the right technology and craft processes that adequately support their objectives. 
    CCPA 2.0 will pass and spur the introduction of federal privacy legislation in the US. In the next 12 months, two important events will shake privacy in the US. The California Privacy Rights Act (CPRA) will pass, and this will force the US government to finally introduce a bipartisan federal privacy bill that has a realistic chance of passage. Organizations need to identify what aspects of CPRA will apply to them and keep their eyes turned toward the national legislation when introduced to determine how to adjust their approach. 
    To understand the business and technology trends critical to 2021, download Forrester’s complimentary 2021 Predictions Guide here.     
    This post was written by Senior Analyst Enza Iannopollo, and it originally appeared here.

    Google discloses Windows zero-day exploited in the wild

    Security researchers from Google have disclosed today a zero-day vulnerability in the Windows operating system that is currently under active exploitation.
    The zero-day is expected to be patched on November 10, which is the date of Microsoft’s next Patch Tuesday, according to Ben Hawkes, team lead for Project Zero, Google’s elite vulnerability research team.

    On Twitter, Hawkes said the Windows zero-day (tracked as CVE-2020-17087) was used as part of a two-punch attack, together with a Chrome zero-day (tracked as CVE-2020-15999) that his team disclosed last week.
    The Chrome zero-day was used to allow attackers to run malicious code inside Chrome, while the Windows zero-day was the second part of this attack, allowing threat actors to escape Chrome’s secure container and run code on the underlying operating system — in what security experts call a sandbox escape.
    The Google Project Zero team notified Microsoft last week and gave the company seven days to patch the bug. Details were published today, as Microsoft did not release a patch in the allotted time.

    Currently we expect a patch for this issue to be available on November 10. We have confirmed with the Director of Google’s Threat Analysis Group, Shane Huntley (@ShaneHuntley), that this is targeted exploitation and this is not related to any US election related targeting.
    — Ben Hawkes (@benhawkes) October 30, 2020

    Windows 7 to Windows 10 are impacted
    According to Google’s report, the zero-day is a bug in the Windows kernel that can be exploited to elevate an attacker’s code with additional permissions.
    Per the report, the vulnerability impacts all Windows versions between Windows 7 and the most recent Windows 10 release.

    Proof-of-concept code to reproduce the attack was also included.
    Hawkes did not provide details about who was using these two zero-days. Usually, most zero-days are discovered by nation-sponsored hacking groups or large cybercrime groups.
    Per the same Google report, the attacks were also confirmed by a second Google security team, Google’s Threat Analysis Group (TAG).
    Shane Huntley, Google TAG Director, said the attacks are not related to the US election.
    The Chrome zero-day was patched in Chrome version 86.0.4240.111.
    This is the second time that Google has disclosed a two-pronged attack involving a Windows and a Chrome zero-day. In March 2019, Google said that threat actors had combined a Chrome zero-day (CVE-2019-5786) with a Windows zero-day (CVE-2019-0808).

    Lazada confirms 1.1M accounts compromised in RedMart security breach

    Singapore-based online grocery platform RedMart has suffered a data breach that compromised personal data of 1.1 million accounts. An individual has claimed to be in possession of the database involved in the breach, which contains various personal information such as mailing addresses, encrypted passwords, and partial credit card numbers. 
    RedMart customers on Friday were logged out of their accounts and prompted to reset their passwords before relogging in. They also were informed of a “RedMart data security incident” that was discovered the day before, on October 29, as part of “regular proactive monitoring” carried out by the company’s cybersecurity team. 

    In its note to customers, RedMart’s parent company Lazada said the breach led to unauthorised access to a “RedMart-only database” that was hosted on a third-party service provider. Data on this system was last updated in March 2019 and contained personal information such as names, phone numbers, encrypted passwords, and partial credit card numbers. 
    Lazada in January 2019 announced plans to integrate the RedMart app into its e-commerce platform, more than two years after it acquired RedMart in November 2016. It also unveiled plans to expand the online grocery service to other Southeast Asian markets. Lazada itself was acquired by Chinese e-commerce giant Alibaba in April 2016.
    Lazada had stressed the breach impacted only RedMart accounts, and did not affect the data of Lazada’s customers. RedMart accounts were formally integrated from March 15, 2019 — the same month the compromised database was last updated.
    ZDNet asked Lazada several questions including how and when the breach happened, why the database was left active since it was no longer in use, and the recourse for customers who might experience a fraudulent credit card transaction due to the RedMart breach. 
    Lazada did not directly address most of the questions, but did confirm that 1.1 million accounts were affected.

    A spokesperson said the compromised database was a “legacy” system that was no longer in use and not linked to any Lazada database. 
    He added that the company’s cybersecurity team had discovered an individual claiming to be in possession of the database and took “immediate action” to block unauthorised access to the machine.
    In an FAQ posted on its website regarding the security incident, Lazada said customers’ credit card information was “generally safe” as it did not store the full 16-digit card number and CVV on its systems that are required for payment. “Nonetheless, we recommend that you keep vigilant and monitor for any unusual activity or suspicious transactions on your credit cards,” it noted.
    Lazada said it had “voluntarily” reported the security incident to Singapore’s Personal Data Protection Commission (PDPC) and was in touch with other relevant authorities, including the Singapore Police Force.
    Under Singapore’s Personal Data Protection Act (PDPA), organisations are expected to notify the authorities of a suspected data security breach if it affects more than 500 individuals or where “significant harm or impact” to the individuals is likely to occur due to the breach. They also must do so no later than 72 hours after completing their assessment of the breach and take no more than 30 days to complete an investigation into a suspected data security breach.
    The PDPA is administered by the PDPC. 

    Tech gifts for your favorite junior roboticists and hackers

    All the signs were there. If my parents knew then what parents know now, they would have been prepared. But back in the 1960s and 1970s, the maker movement was still far in the future. Robots were something you only saw in movies and awesome TV shows (or as my Mom would often put it, “What in the world are you watching?”). Telling her that Lost in Space wasn’t “in the world” tended to get me the All Powerful Glare of Motherly Annoyance.
    But now, if a kid is a natural tinkerer, there are positive outlets for their inclination. There are great STEM (science, technology, engineering, and mathematics) kits and toys that can ignite a kid’s interest and focus it on learning, while at the same time making learning fun.
    In this guide, we’re focusing mostly on the technology and engineering areas, providing you with some great kits and toys that teach and inspire programming and making with robots and digital technology.

    Lego Robotics for kids
    LEGO
    If you’re talking about robotics and kids, the very best place to start is Lego. Lego has long been an innovator not only in the maker space but in robotics as well. In this guide, we kick off our exploration of goodies for geeky girls and boys with a Star Wars-themed robotics kit.
    Kids can use more than a thousand components to build R2-D2, a Gonk droid, and a Mouse droid. Then, with an app, they can program these fan favorites with a variety of different easy-to-access programming and learning tools.
    $194 at Amazon

    Kids build their own computer
    Piper
    OK, I love this thing. You’re probably going to notice me saying that a lot during this guide because I was the kid this stuff was made for. I would have been so excited had I been given this kit.
    Here are the details: Your kid puts together their computer, complete with circuit connections (no soldering required) and case assembly. Then they can use the Raspberry Pi to learn and play. But you know what will fire up your kid: there’s a Raspberry Pi Minecraft edition kids can play right on this machine. It even includes a display and a mouse.
    $249 at Amazon

    Play with code without a computer
    Playz
    I love this thing, too! First, it allows you to be geeky even if you’re on a camping trip or have a power outage. So, if you’re living through an apocalypse (what? too soon?) and still want to teach your kid to code, this is a great place to start.
    Computer science and coding revolve around some basic guidelines and theories that are common across all computing. This kit shows how that works, from the basics of encryption (where your kids can make an actual cypher mechanism) to sorting algorithms. If you want your kids to get some away-from-screen time and still learn what they’re fascinated by, this is a good buy.
    $35 at Amazon

    Learn the basics of mechanisms
    Engino
    Not only do I love this thing, I want it. Yes, even now. And not just because my wife says I sometimes have the emotional maturity of a five year old.  I want it (and so will your kid) because it shows how to make things that have mechanical properties.
    Here’s the thing: If you want to make something that has a linkage, a connection, a joint, or moves as part of its operation, you need to understand these concepts. This Lego-clone kit shows you how to do just that, and as a bonus, it’s under $30.
    $28 at Amazon

    The definitive Lego robotics kit
    LEGO
    I have the previous version, and I’ve built all sorts of cool programmable machines. I often use this for prototyping ideas before I decide to fabricate a more robust unit out of wood, metal, or plastic.
    This is an amazing kit. It is pricey, but you get a complete robotics building experience with very few limitations. If you can budget for it, it’s definitely a gift to buy for yourself, er, your kid. Yeah, for your kid. Or buy it for yourself and get your kid a stuffed animal. That’s what I did. Of course, my kid is an 8-pound dog and he hates robots, tech, and plastic. My dreams of building him a robot car were completely dashed by his Luddite level of disinterest*, so I had to use this for other fun projects.
    *Yes, we definitely see the irony in that an uber-geek’s dog, named Pixel, is completely anti-technology. But we love him so very much anyway.
    $439 at Amazon

    App-enabled robot ball
    Sphero
    I have a couple of Sphero robots, including the BB8 version. And yes, I did buy it because I thought my little dog would have a blast chasing it, but Pixel doesn’t like it at all. Kids will, though, because — especially with this model — it’s app-enabled, allowing all sorts of interesting programming and experimenting.
    Don’t discount the value of a ball as a programmable device. It can easily go up and down carpets, it’s small enough to make it through relatively narrow gaps, and it’s maneuverable as heck. It’s even waterproof.
    $96 at Amazon

    Arduino kit with lots of parts
    Elegoo
    I’ve bought three or four of these for myself over the past few years, mostly as a way to have a wide selection of parts and sensors for my Arduino projects.
    This kit is not for little kids. Your kid should probably be a teenager and have some experience building things and possibly programming. The kit comes with some basic tutorials, but, to be honest, they’re not fabulous. But the selection of components is, and that’s where the magic happens. So, if you or your kid are comfortable Googling or YouTube searching for near Arduino projects and tutorials, this kit will give you the parts to make it happen. Plus, it’s under $50.
    $37 at Amazon

    When you start to get serious about robots
    Occus
    My first robot was a robot tank. My buddy and I took a radio-controlled toy tank, added our own sensors, and hooked the radio control unit to a port on my PC. We then programmed it to move around the room. It was basic, running on BASIC.
    This is a metal chassis, a great starting point for a more ambitious robot. If you’re serious about building a robot and you want a robust starting point, this chassis should get you going. Of course, you’ll need to add a lot to it before it’s knocking over your plants and getting tangled in extension cords, but that’s the point. This is a foundation to build upon.
    $406 at Amazon

    Let’s get away from plastic for just a little while
    Smartstoy
    Tired of everything being made from plastic? Want to teach your kid about sustainable materials? Consider this laser-cut solar-powered car kit. Not only is the power from the sun, but the wooden chassis is both robust and biodegradable.
    You can probably just snap it together, but a little wood glue (or plain old Elmer’s) should make the car strong enough to put it through its paces.
    $21 at Amazon

    Build a robot with a POV camera
    Yahboom
    The only thing I’m not that thrilled about with this is you have to add your own Raspberry Pi because the kit doesn’t come with one. I really think they should have listed two models on Amazon, one with a Pi and one without. That way, you’re not tasked with finding your own (don’t worry, we’ll list a standalone Pi in our next listing).
    In any case, this is great because it allows you to build a roving device that your kid can drive from the point of view of the robot’s camera. That seems like it would be a ton of fun.
    $138 at Amazon

    Put together your own little computer
    CanaKit
    I can’t say I love this thing because it’s not a toy, but I like it. I’ve bought a bunch of these, because I use them to drive my 3D printers. While you can get a standalone Pi for about $60, I recommend spending the extra $20 to have a power source, heat sinks, fan, and case that you know will work with the Pi. It even has an HDMI cable in the kit.
    If you want that $20 back and don’t mind using a board with only 2GB of RAM instead of 4GB, then this version is for you. You’re spending just about $60 and getting all the goodies.
    $83 at Amazon

    All of DJI’s drone smarts in a robot kit
    DJI
    If you want to learn robotics and have fun doing it with primo hardware, this is your toy. At more than $500, it’s not cheap, but it comes with omni-directional wheels, a laser cannon, and a cannon that shoots small beads (yeah, I’m thinking of Ralphie and “You’ll shoot your eye out,” too).
    You can create an instant battle bot scenario with two or more of these (just in case you want to spend thousands of dollars on robot toys), but the real meat of the product is the programmability and teaching tools. There are a bunch of exercises, and you can program with either Scratch or Python. Finally, DJI includes a full series of videos, so your kid can take a video class with hands-on use of the device. It’s just so darned cool.
    $549 at Amazon
    Our process
    I used a very simple selection mechanism while looking for these toys. If I didn’t have an overwhelming desire to buy it, and it didn’t take a supreme act of willpower to not click the Buy Now button, I didn’t list it. Since my internal kid is about as wonder-filled and geeky as they come, I figured if I was excited by it, other kids would probably be as well.
    Obviously, I stuck to the coding and robotics world, but I wanted to go beyond some of the classic robot toys like LEGO and provide toys that were not only of a wide range of capabilities but price points and even learning experiences. Let me know in the comments below if I nailed it or not.
    How to choose
    Normally, in these lists, I try to provide you with guidance on how to pick the product or service you need. But you know your kids far better than I. As I mentioned, I’m a doggie daddy, so I don’t have a lot of experience with what kids these days groove on. But I’ll tell you this: Choose less complex toys for kids who have less experience and more complex toys for kids who have already built or programmed more ambitious projects.
    Good luck and have a happy holiday season.

    Microsoft US election warning: Attackers hit Windows 10 Netlogon flaw

    Microsoft has warned Windows 10 customers that it has received “a small number of reports” about attacks on its Netlogon protocol, which it patched in August. 
    The Windows maker issued another alert on Thursday following its warning in September that attackers were exploiting the elevation of privilege vulnerability affecting the Netlogon Remote Protocol (MS-NRPC). 

    It’s a protocol used by admins for authenticating Windows Server as a domain controller. The flaw it contained was serious enough for the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) to order US government agencies to apply Microsoft’s patch for the bug – tracked as CVE-2020-1472 but also called Zerologon – within three days of its release in the August Patch Tuesday update.
    Defensive security researchers found that the bug was easy to exploit, making it a prime target for more opportunistic attackers. But when Microsoft released the patch on Tuesday, August 11, some system admins were not aware of its severity. 
    Attackers could exploit the flaw to run malware on a device on the network after spoofing Active Directory domain controller accounts. As a weapon, it had the added bonus of publicly available proof-of-concept Zerologon exploits soon after Microsoft released its patch. 
    CISA warned agencies to patch the flaw swiftly because Windows Server domain controllers are widely used in US government networks, and the bug had a rare severity rating of 10 out of 10. It prompted CISA to direct agencies to apply the patch in the same week as Microsoft’s August 11 patch was released.

    Microsoft has updated its support document for the bug to provide further clarity. It recommends that admins update Domain Controllers with the patch, monitor logs for devices making connections to the server, and enable enforcement mode. 
    Microsoft and CISA are particularly concerned that the flaw could be used by cyber attackers to disrupt the US elections. The company in September warned that Chinese, Iranian, and Russian hackers had targeted the Biden and Trump campaigns.
    “We contacted CISA, which has issued an additional alert to remind state and local agencies, including those involved in the US elections, about applying steps necessary to address this vulnerability,” Microsoft said. 
    The bug was serious enough for Microsoft to issue a registry key that helped admins enable ‘enforcement mode’ before the company makes that mode mandatory on February 9, 2021.
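    As an added example (not code from the article or from Microsoft), the following PowerShell audit, run elevated on a domain controller, checks the two things the support document asks admins to do: whether the enforcement-mode registry value is set, and whether the System log holds any of the Netlogon events that the August patch writes for vulnerable secure channel connections. The registry path, value name and event IDs are taken from Microsoft’s published guidance for CVE-2020-1472, not from this article, and the 7-day lookback is an arbitrary choice.

```powershell
# Added example: audit a domain controller's Zerologon (CVE-2020-1472) posture.
# Registry value and event IDs follow Microsoft's published guidance for the
# August 2020 Netlogon patch; they are not quoted from the article above.
# Run in an elevated PowerShell session on the domain controller itself.

function Get-NetlogonEnforcementState {
    # FullSecureChannelProtection = 1 forces enforcement mode; 0 allows vulnerable
    # connections (never leave this in place); absent = the patch-level default.
    $regPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    $valueName = 'FullSecureChannelProtection'
    $value = (Get-ItemProperty -Path $regPath -Name $valueName -ErrorAction SilentlyContinue).$valueName
    switch ($value) {
        1       { return 'Enforced' }
        0       { return 'VulnerableConnectionsAllowed' }
        default { return 'NotConfigured' }
    }
}

function Get-VulnerableNetlogonEvents {
    param([int]$Days = 7)   # lookback window; 7 days is an arbitrary default
    # Events the patched Netlogon service writes to the System log:
    #   5827 / 5828  vulnerable connection DENIED  (machine account / trust account)
    #   5829         vulnerable connection ALLOWED (only possible outside enforcement mode)
    #   5830 / 5831  vulnerable connection ALLOWED by the "allow vulnerable" group policy
    $filter = @{
        LogName      = 'System'
        ProviderName = 'NETLOGON'
        Id           = 5827, 5828, 5829, 5830, 5831
        StartTime    = (Get-Date).AddDays(-$Days)
    }
    # Get-WinEvent reports an error when nothing matches; treat that as an empty result.
    return @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)
}

$state = Get-NetlogonEnforcementState
switch ($state) {
    'Enforced'                     { Write-Host '[OK]   Enforcement mode is explicitly enabled.' }
    'VulnerableConnectionsAllowed' { Write-Host '[FAIL] FullSecureChannelProtection=0: vulnerable Netlogon connections are allowed. Set it to 1.' }
    'NotConfigured'                { Write-Host '[INFO] FullSecureChannelProtection not set; behaviour follows the DC patch level (enforcement becomes mandatory with the February 9, 2021 update).' }
}

$events = Get-VulnerableNetlogonEvents -Days 7
if ($events.Count -eq 0) {
    Write-Host '[OK]   No vulnerable Netlogon secure channel connections logged in the last 7 days.'
} else {
    # Allowed events (5829-5831) mean a client is still using the vulnerable channel:
    # patch or replace that device before (or while) turning on enforcement mode.
    $events | Group-Object Id | ForEach-Object {
        $tag = if ([int]$_.Name -ge 5829) { 'WARN' } else { 'INFO' }
        Write-Host ("[{0}] Event {1}: {2} occurrence(s)" -f $tag, $_.Name, $_.Count)
    }
    # The most recent entries carry the account and client names needed for remediation.
    $events | Sort-Object TimeCreated -Descending |
        Select-Object -First 20 TimeCreated, Id, Message |
        Format-List
}
```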

    Privacy Act review to examine privacy tort, direct action rights, and GDPR compliance

    Australia’s Attorney-General Christian Porter announced on Friday the terms of reference and issues paper that his department will use as a basis for its review of the Privacy Act.
    The wide-ranging review will consider the definition of personal information; whether existing exemptions for small businesses, political parties, and the storing of employee records to comply with the Act should remain; whether individuals should gain the power to drag privacy violators to court; and whether a privacy tort should be created.
    The review was agreed to as part of the Commonwealth’s response to the Australian Competition and Consumer Commission’s (ACCC) Digital Platforms Inquiry.
    In posing 67 questions for submissions to respond to, the Attorney-General’s Department (AGD) has asked whether the definition of personal information should be extended to inferred personal information as well as whether additional protections should be extended to de-identified, anonymised, and pseudonymised information.
    Of particular interest in the paper was the failure of Australian privacy laws to be compatible with those in Europe, especially the General Data Protection Regulation (GDPR), with exemptions created in the Australian law two decades ago being a roadblock.
    “The [Australian Law Reform Commission (ALRC)] noted that no other comparable jurisdiction (the United Kingdom, New Zealand, Canada, and the European Union) exempts small businesses from the general privacy law,” the paper said.
    “The Senate Committee inquiry further recommended the removal of the exemption given the privacy regimes in overseas jurisdictions have operated effectively without a small business exemption and that the existence of the exemption was one of the key outstanding issues preventing Australia from seeking adequacy with the EU.

    “[The ALRC] also noted that the United Kingdom does not exempt employee records and that removing the exemption may facilitate recognition of the adequacy of Australian privacy law by the EU.”
    On the flip side, the paper pointed out that only the UK and Germany were among Australia's top 15 two-way trading partners, while other economies around the Asia-Pacific made up 72% of trade. The EU accounted for only 13.5%.
    “As less trade is undertaken with the EU than within the APEC region, the government’s recent priority has been to ensure adequate privacy protections within and between APEC economies,” the AGD said.
    “Requiring businesses to comply with different information handling requirements under the Act, [Cross-Border Privacy Rules] and GDPR could result in a regulatory landscape that is overly complex. On the other hand, compliance with the GDPR may give businesses a competitive advantage in engendering consumer trust.”
    Currently in Australia, a business with revenue under AU$3 million is exempt from the Act. The paper wrestled with whether a threshold should remain and, if so, what it should be, since businesses under that threshold could handle sensitive personal information, yet maintaining the threshold could increase compliance costs for those businesses.
    Leaning on the ACCC's recommendations, the paper raised the prospect of requiring organisations that request personal data to implement defaults that make collection of information opt-in. It also asked whether individuals should be made to consent for each purpose and each time their information is collected, and whether the core concept of consent was effective.
    The paper also asked whether there should be higher requirements to destroy or de-identify personal information that is held by organisations and whether Australia should have a “right to erasure”, which would be an analogue to Europe’s right to be forgotten.
    The potential of handing Australians the power to initiate court action to seek compensation from privacy breaches was also raised — Australians currently can only directly apply for an injunction — and questions on how to stop the courts being filled with actions over “trivial breaches”, such as funnelling complaints via the Office of the Information Commissioner for conciliation or capping damages, were also asked.
    The paper also discussed the idea of whether a statutory tort of privacy was needed, with the AGD saying it would allow for privacy breaches not covered by the Privacy Act to be caught, but also that recent criminal legislation may lower the need for such a tort.
    “A key issue for the design of a statutory tort of privacy is the types of liability it would cover. That is, liability based on intention, liability based on negligence or strict liability,” the AGD said.
    “The ALRC recommended that a statutory tort should be confined to intentional or reckless invasions of privacy and should not extend to negligent invasions of privacy or attract strict liability. However, it is questionable that an invasion of privacy due to gross negligence where a person may not have been reckless but failed to exercise even the slightest degree of care and diligence in relation to an obvious risk should be outside scope.”
    The terms of reference also stated the review would not look into any changes to the Privacy Act that were made to cater for the government’s COVIDSafe app, nor recent changes made to credit reporting.
    Submissions to the review have a deadline of November 29, with a discussion paper set to appear early next year. A date for the final report was not specified.
    “Australians are spending more and more of their time online and more of their personal information is being collected, handled and stored,” Porter said.
    “Technology is also rapidly evolving in areas such as artificial intelligence and data analytics, which is why it is crucial that we have a privacy regime that is fit for purpose, can grow trust, empower consumers, and support the growing digital economy.”
    The review will also examine the effectiveness of the Notifiable Data Breaches scheme.
    “The NDB Scheme commenced on 22 February 2018. There are therefore some difficulties in determining at this stage whether the scheme has achieved its long term objectives,” the AGD said.