Peter Leonard

There is growing consensus that the Australian Privacy Act, in common with similar statutes in other jurisdictions, needs a major overhaul.This paper explores some of the key concerns enlivening debate as to the appropriate scope of reform of Australian data privacy law, with a particular focus upon proposals for reform of the Australian Privacy Act. The paper concludes with an opinionated design manifesto for reform of the Australian Privacy Act, to ensure that the statute becomes fit for… Show more

There is growing consensus that the Australian Privacy Act, in common with similar statutes in other jurisdictions, needs a major overhaul.This paper explores some of the key concerns enlivening debate as to the appropriate scope of reform of Australian data privacy law, with a particular focus upon proposals for reform of the Australian Privacy Act. The paper concludes with an opinionated design manifesto for reform of the Australian Privacy Act, to ensure that the statute becomes fit for purpose for the 21st century - albeit now over two decades into that century. Show less

While many organisations are implementing artificial intelligence and machine learning solutions, there are costs and risks that need to be carefully considered. This article reviews how organisations should assure that humans, algorthms and machines play nicely with each other, with trasnparent and mutually understood rules of engagement.

A manifesto for embedding good governance in the design of automation applications

The central problems with the Australian Privacy Act 1988 are not as to coverage or
comprehensiveness. There are deficiencies in the Act, including lack of clear statement of purpose and
certain exemptions. Addressing these deficiencies alone will not render data privacy regulation fit for
the next decade. More fundamental change is required. This submission addresses the changes that are needed.

Prospective value of data is often not recognized in infrastructure deals. Often the problem is that the nature and source of that data is overlooked. Increasingly valuable data is created and can be captured in almost every infrastructure deal. This is the case regardless of whether it is a so called “smart” (data using) infrastructure deal.
The world has moved on since clauses in some infrastructure project agreements in common use today were developed. Intellectual property and… Show more

Prospective value of data is often not recognized in infrastructure deals. Often the problem is that the nature and source of that data is overlooked. Increasingly valuable data is created and can be captured in almost every infrastructure deal. This is the case regardless of whether it is a so called “smart” (data using) infrastructure deal.
The world has moved on since clauses in some infrastructure project agreements in common use today were developed. Intellectual property and confidential information clauses in many common use infrastructure contracts are not fit for purpose in addressing data value and use, and allocation of rights in and to data.
Many parties commissioning and financing infrastructure builds are inadvertently giving away data value that they should capture for themselves—or at least derive value by trading it away.
This paper considers how to do good instratructure deals, taking data into account. Show less

Peter Leonard challenges some accepted 'wisdom' about the value of big data and how data driven businesses are regulated

Keeping a watchful eye on our new IoT device guests in our homes and workplaces: whom stops Dr Jekyll becoming Mr Hyde?

There is no reason to believe that organisations will be able to unravel high level statements
of ethical principles into concrete frameworks, governance forums, processes and
methodologies for making fair and ethically based decisions within those organisations.
Organisations need guidance and tools to aid them. We need to focus upon developing
practical tools and methodologies for use in our workplaces today to ensure that we
appropriately assess outputs and outcomes from… Show more

There is no reason to believe that organisations will be able to unravel high level statements
of ethical principles into concrete frameworks, governance forums, processes and
methodologies for making fair and ethically based decisions within those organisations.
Organisations need guidance and tools to aid them. We need to focus upon developing
practical tools and methodologies for use in our workplaces today to ensure that we
appropriately assess outputs and outcomes from computationally inferred behaviours of
humans using diverse data, algorithmic decision making and other applications of AI. Show less

High stakes battles are now being fought out around the globe over regulator-mandated access to consumer data. This article considers the common elements in these battles and the current state.

Over the last 12 months a number of governments around the world have proposed or enacted laws designed to facilitate trail of autonomous vehicles, generally with a stated objective of providing a statutory safe harbour that will encourage trials of vehicles driving in autonomous mode with the relevant jurisdiction.

On 13 February 2017 the Federal Parliament enacted the Privacy Amendment (Notifiable Data Breaches) Act 2017, inserting mandatory data breach notification requirements into the Privacy Act 1988. These provisions will replace the voluntary data breach notification guidelines as currently administered by the Privacy Commissioner and require entities subject to the Privacy Act to notify the Privacy Commissioner and affected individuals if the entity experiences a data breach of a kind covered by… Show more

On 13 February 2017 the Federal Parliament enacted the Privacy Amendment (Notifiable Data Breaches) Act 2017, inserting mandatory data breach notification requirements into the Privacy Act 1988. These provisions will replace the voluntary data breach notification guidelines as currently administered by the Privacy Commissioner and require entities subject to the Privacy Act to notify the Privacy Commissioner and affected individuals if the entity experiences a data breach of a kind covered by the Act. We review the new requirements below. Show less

In May 2015, the Australian Privacy Commissioner, Mr Timothy Pilgrim PSM, had found that Telstra had breached the (Australian Federal) Privacy Act 1988 (the ‘Privacy Act’) by failing to provide Mr Grubb with access to requested metadata relating to his use of Telstra telecommunications services as collected and held by Telstra in various databases for various purposes, some being purely technical e.g. operation of the network and monitoring its performance: Ben Grubb v. Telstra Corporation… Show more

In May 2015, the Australian Privacy Commissioner, Mr Timothy Pilgrim PSM, had found that Telstra had breached the (Australian Federal) Privacy Act 1988 (the ‘Privacy Act’) by failing to provide Mr Grubb with access to requested metadata relating to his use of Telstra telecommunications services as collected and held by Telstra in various databases for various purposes, some being purely technical e.g. operation of the network and monitoring its performance: Ben Grubb v. Telstra Corporation [2015] AICmr 35, 1 May 2015. Show less

In the sixteen years of this century we have already seen four phases of data disruption of business models. It is reasonable to suggest that the impact of each successive phase has been greater than the phase that preceded it. The phases overlap and some earlier phases continue to work out: some commentators suggest that the most radical restructuring of the media industry is only now in play.

Eli Fisher, co-editor of Communications Law Bulletin, sits down with partner Peter Leonard to discuss recent developments in privacy and data protection law.

This White Paper considers the use of as-a-service offerings, also referred to as cloud services or on-demand software services, and how to ensure that this use is consistent with compliance concerns including Australian privacy law and good business practice.

Data is at the heart of the Internet of Things (or, IoT, also known as the Internet of Everything).

Management of data handling and data analysis, and of data sharing between business entities, will be a core issue in provision of most IoT services. Data management is also critical in the operation of IoT communications platforms and the sensor, communication, control and reporting devices used in IoT services. Diverse data capture, multiple data flows and substantial value-add by data… Show more

Data is at the heart of the Internet of Things (or, IoT, also known as the Internet of Everything).

Management of data handling and data analysis, and of data sharing between business entities, will be a core issue in provision of most IoT services. Data management is also critical in the operation of IoT communications platforms and the sensor, communication, control and reporting devices used in IoT services. Diverse data capture, multiple data flows and substantial value-add by data analytics are at the essence of IoT services.

More and better data creates significant opportunities for most businesses. It also brings disruption to many existing business and new sources of business risk.

This brief paper outlines opportunities and risks. Show less

The Australian (Federal) Government’s consultation paper as to the Privacy Amendment (Notification of Serious Data Breaches) Bill 2015 notes the proposed “relatively higher notification threshold” is intended to “help avoid the risk of individuals experiencing ‘notification fatigue’ and will also help avoid unnecessary administrative costs for business”.

To extract value from your treasure trove of data and unlock value, you will often need to work with other parties. The problem is that many data analytics services contracts currently in use are not fit for purpose. Below are some key ways to get your contracts right.

Australian privacy practitioners might be forgiven their disbelief at the sudden and uncharacteristic range of privacy issues making the Australian headlines.

The Telecommunications (Interception and Access) Amendment (Data Retention) Act 2015 (in this article, the ‘2015 Act’) made important and controversial amendments to the Telecommunications (Interception and Access) Act 1979 (‘TIA Act’) and the Telecommunications Act 1997.

A review of Telstra Corporation Limited and Australian Privacy Commissioner Australian Administrative Appeals Tribunal, [2015] AATA 991, 18 December 2015
The Tribunal’s overturning of an earlier determination by the Australian Privacy Commissioner throws open the issue of when device information is ‘about an individual whose identity may be reasonably ascertained from the information.’

Mandatory data retention for communications services has engendered criticism and controversy in many countries. Pervasive and extensive communications data collection and retention has been stated by many Governments, including the Australian Government, as necessary to address new threats of internet facilitated terrorism, child exploitation and human trafficking. Criticisms as to pervasiveness have been met with government reassurances as to limitations as to who can access and some… Show more

Mandatory data retention for communications services has engendered criticism and controversy in many countries. Pervasive and extensive communications data collection and retention has been stated by many Governments, including the Australian Government, as necessary to address new threats of internet facilitated terrorism, child exploitation and human trafficking. Criticisms as to pervasiveness have been met with government reassurances as to limitations as to who can access and some safeguards as to permitted access and use.

Gilbert + Tobin partner Peter Leonard examines how the ‘digital exhaust’ of our daily lives might be retained and used and safeguards put in place under the Telecommunications (Interception and Access) Amendment (Data Retention) Act 2015 (2015 Act). Show less

In Australia, as in many jurisdictions, there have been questions as to whether cloud services that involve offshoring of personal information can be provided from outside Australia in compliance with Australian privacy law and the requirements of regulators.

In this article, partner Peter Leonard considers the determination by the Australian Privacy Commissioner on journalist Ben Grubb’s attempts to access the metadata held by Telstra about his own mobile use considers the concept of when an individual is ‘reasonably identifiable.’ This article was published in Volume 15, Issue 3 edition of E-Commerce Law Reports.

The determination of the Australia Privacy Commissioner in Ben Grubb v Telstra Corporation addresses important questions as to when information collected by businesses must be treated as "personal information" because of a capability of that business to associate that information with an identifiable individual.

In this article, partner Peter Leonard examines the kinds of information that must be retained under the Telecommunications (Interception and Access) Amendment (Data Retention) Act 2015 and who can access this information. The financial and data security issues arising from the new retention regime are also considered. The article is part of a series published in the Data Protection Law & Policy journal. The first part of the series can be found here:… Show more

In this article, partner Peter Leonard examines the kinds of information that must be retained under the Telecommunications (Interception and Access) Amendment (Data Retention) Act 2015 and who can access this information. The financial and data security issues arising from the new retention regime are also considered. The article is part of a series published in the Data Protection Law & Policy journal. The first part of the series can be found here: http://www.gtlaw.com.au/wp-content/uploads/DPLP-May-2015_DPLP.pdf Show less

Metadata collection was highlighted in a recent determination by the Australian Privacy Commissioner which found Telstra had breached the Privacy Act ... But how relevant is it, given the government’s recent amendments to the Data Retention Act? Peter Leonard and Althea Carbon look at the big picture and the fine detail.

The Australian Parliament recently enacted requirements for communications providers to collect and retain information about communications carried by their services. The new law is controversial, but may well provide a lead for other countries considering mandatory retention requirements. In this issue of Data Protection Law & Policy, Partner Peter Leonard, describes the general operation of the laws, before delving deeper into their implications for communications service providers doing… Show more

The Australian Parliament recently enacted requirements for communications providers to collect and retain information about communications carried by their services. The new law is controversial, but may well provide a lead for other countries considering mandatory retention requirements. In this issue of Data Protection Law & Policy, Partner Peter Leonard, describes the general operation of the laws, before delving deeper into their implications for communications service providers doing business in Australia in the following issue. Show less

The Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2014 (the ‘2014 Bill’) was tabled by the Minister for Communications, The Hon. Malcolm Turnbull MP, in the Australian Parliament on 30 October 2014. The Bill immediately engendered criticism and controversy that continued through its passage through Parliamentary Committees and debates. Notwithstanding those
criticisms and a number of critical reports of Parliamentary Committees, the final Act was passed on 26… Show more

The Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2014 (the ‘2014 Bill’) was tabled by the Minister for Communications, The Hon. Malcolm Turnbull MP, in the Australian Parliament on 30 October 2014. The Bill immediately engendered criticism and controversy that continued through its passage through Parliamentary Committees and debates. Notwithstanding those
criticisms and a number of critical reports of Parliamentary Committees, the final Act was passed on 26 March 2015 with bipartisan support of the Federal Coalition and Australian Labor Party and assented to on 13 April 2015. Show less

Responses to high profile and high impact data breaches require particular care and integration of C-suite, legal and regulatory, public affairs and media teams. Gilbert + Tobin partner Peter Leonard examines how legal and regulatory counsel can facilitate this process. This article was published in the March 2015 edition of of ACLA.

Peter Leonard, Partner Gilbert + Tobin and Director iappANZ discusses how the sensible application of risk management principles to evaluate the effectiveness of technical, operational or contractual safeguards will often lead to controversial and sometimes uncertain conclusions. This article was first published in the iappANZ journal, March 2015.

Gilbert + Tobin partner and iappANZ director Peter Leonard discusses internet data retention in Australia and the proposed bill tabled in Parliament on 30 October 2014. This article was published in the February/March 2015 edition of the internet law bulletin.

This report provides an overview of the Office of the Australian Information Commissioner’s (‘OAIC’) eHealth compliance and enforcement activities. First published in eHealth Law & Policy – January 2015.

2015 may well be remembered as the year that the Australian media sector restructured for the digital age. The Federal (Liberal National Coalition) Government on its election in September 2013 inherited a number of key reports as to electronic and print media regulation that had been commissioned by the former Labor Government. Those reports include various proposals for simplification and standardisation of regulation of Australian print and electronic media.

Internet data retention is back on the political agenda.The Telecommunications (Interception and Access)Amendment (Data Retention) Bill 2014 (Cth) was tabled by the Minister for Communications, Malcolm Turnbull MP, in the Australian parliament on 30 October 2014. The controversy started immediately.

The rules in the Australian Privacy Act 1988 as to ‘accountability’ for offshore disclosures by Australian regulated entities continue to fuel debate between commercial lawyers when negotiating privacy provisions in commercial contracts. Gilbert + Tobin partner and iappANZ director Peter Leonard looks at the principal areas of debate.

Privacy breaches often arise through errors or inadvertence. Taking reasonable steps to protect information security is about more than putting a lock on a physical or electronic “door”. “Reasonable steps” require active steps to ensure that access controls work over time and are verifiably reliable. First published in the Privacy Law Bulletin (2014) 11(8).

Workplace monitoring and surveillance is becoming increasingly common. Take-up is stimulated by decline in the cost of pervasive surveillance across multiple communications modes and devices and increasing convenience of “out of the box” technological solutions for employers. This was first published in the Privacy Law Bulletin (2014) 11(7).

A key role for privacy regulators around the world is provision of guidance about how to apply privacy principles to design appropriate privacy settings and options into new business applications. Although national privacy laws differ greatly, regulatory guidance is frequently relevant and useful across multiple jurisdictions and different legislative schemes. This article was first published on The Privacy Advisor on 26 August 2014.

A presentation by Peter Leonard at the Warren Centre for Advanced Engineering Vision30 conference at Sydney Convention Centre on Friday 8 November 2013.

One open issue in privacy regulation is appropriate regulation of ‘big data’ analysis of customer transactional data.

TMT Partner Peter Leonard analyses the Australian Law Reform Commission’s Discussion Paper on Serious Invasions of Privacy in the Digital Era (released 31 March)

After three years of turmoil in Australian media policy, as at March 2014 a clearer view is emerging as to the likely future course of Australian media regulation. TMT lawyers Peter Leonard and Ewan Scobie comment on the state of convergence regulation in Australia.

Peter discusses the global debate as to how privacy regulation should address big data.

Peter is a contributing editor of a number of international journals and has co-edited the leading industry loose leaf- service for Communications Law and Policy in Australia. He has written extensively on communications policy and contracting and content, data and privacy regulation in the Asia Pacific region.