The Bulletin - Law Society of South Australia by lawsocietysa

THE

BULLETIN THE LAW SOCIETY OF SA JOURNAL

VOLUME 44 – ISSUE 3 – APRIL 2022

CYBER SECURITY

The Legal Practice Productivity Solution Law firms using LEAP enjoy all the benefits of a state-of-the-art practice management system, as well as legal accounting, document assembly & management, and legal publishing assets all in one integrated solution.

Document Assembly & Management

Legal Accounting

Practice Management

Legal Publishing

leap.com.au

This issue of The Law Society of South Australia: Bulletin is cited as (2020) 44 (3) LSB(SA). ISSN 1038-6777

CONTENTS CYBERSECURITY 6

FEATURES & NEWS

It’s time to get our heads out of the sand and into the cloud By Alexandra Douvartzidis & Alexandra Harris

Facial recognition technology & the law: Are existing privacy & surveillance laws fit for purpose? By Caitlin Surman

REGULAR COLUMNS

Djokovic rallied to secure release before the ministerial discretions proved a winner By Chris Johnston & Rosa Torrefranca Tour de France 2021: Avoiding the Domino Effect in the Peloton By Annemarie Goodwin

Legal implications of ransomware attacks for legal practitioners and their clients – By Brooke Hall-Carney, Amy Coper-Boast & Elizabeth Carroll-Shaw An Analysis of the Law Society’s Cloud Computing Guidelines By Mark Ferraretto Governing Cybersecurity: critical infrastructure, spies & consumers By Robert Chalmers

Executive Members President: President-Elect: Vice President: Vice President: Treasurer: Immediate Past President: Council Member: Council Member:

J Stewart-Rattray J Marsh A Lazarevich M Tilmouth F Bell R Sandford M Mackie E Shaw

Metropolitan Council Members T Dibden M Tilmouth A Lazarevich M Mackie E Shaw J Marsh C Charles R Piccolo M Jones D Colovic E Fah N Harb L MacNichol L Polson M Young Country Members S Minney (Northern and Western Region) P Ryan (Central Region) J Kyrimis (Southern Region) Junior Members A Douvartzidis A Kenny Ex Ofﬁcio Members The Hon K Maher, Prof V Waye, Prof T Leiman Assoc Prof C Symes

KEY LAW SOCIET Y CONTACTS Chief Executive Stephen Hodder stephen.hodder@lawsocietysa.asn.au Executive Ofﬁcer Rosemary Pridmore rosemary.pridmore@lawsocietysa.asn.au Chief Operations Ofﬁcer Dale Weetman dale.weetman@lawsocietysa.asn.au Member Services Manager Michelle King michelle.king@lawsocietysa.asn.au Director (Ethics and Practice) Rosalind Burke rosalind.burke@lawsocietysa.asn.au Director (Law Claims) Kiley Rogers krogers@lawguard.com.au Manager (LAF) Annie MacRae annie.macrae@lawsocietysa.asn.au Programme Manager (CPD) Natalie Mackay Natalie.Mackay@lawsocietysa.asn.au Programme Manager (GDLP) Desiree Holland Desiree.Holland@lawsocietysa.asn.au

President’s Message

From the Editor

Tax Files: Trust Distribution Alerts By John Tucker

Wellbeing & Resilience: Doomscrolling: What is it and how can we stop it? – By Amy Nikolovski

Family Law Case Notes By Craig Nichol & Keleigh Robinson

Risk Watch: Control Your Trolls: Protecting Your Practice on Social Media practitioners – By Kate Marcus

Bookshelf Compiled by Lorna Hartwell

Gazing in the Gazette Compiled by Master Elizabeth Olsson

THE BULLETIN Editor Michael Esposito bulletin@lawsocietysa.asn.au Editorial Committee A Bradshaw P Wilkinson S Errington D Sheldon J Arena D Weekley B Armstrong D Misell M Ford The Law Society Bulletin is published monthly (except January) by: The Law Society of South Australia, Level 10-11, 178 North Tce, Adelaide Ph: (08) 8229 0200 Fax: (08) 8231 1929 Email: bulletin@lawsocietysa.asn.au All contributions letters and enquiries should be directed to The Editor, The Law Society Bulletin, GPO Box 2066, Adelaide 5001.

Views expressed in the Bulletin advertising material included are not necessarily endorsed by The Law Society of South Australia. No responsibility is accepted by the Society, Editor, Publisher or Printer for accuracy of information or errors or omissions. PUBLISHER/ADVERTISER Boylen GPO Box 1128 Adelaide 5001 Ph: (08) 8233 9433 Email: admin@boylen.com.au Studio Manager: Madelaine Raschella Elliott Layout: Henry Rivera Advertising Email: sales@boylen.com.au

FROM THE EDITOR

IN THIS ISSUE User awareness vital in the fight against cyber crime MICHAEL ESPOSITO, EDITOR

FACIAL RECOGNITION TECHNOLOGY Do our privacy laws measure up?

hen a video emerged online of Ukrainian President Voldymyr Zelenskiy seemingly telling his soldiers to lay down their weapons and return home, it signalled a new frontier of the information war, or to put it more accurately, the disinformation war. For the video was in fact a “deep fake”. A deep fake is a video that replaces a person’s face with a computer-generated likeness of that face, for the purpose of making it look like the person said or did something that they didn’t actually do. Fortunately, the quality of the Zelenskyy deep fake was not convincing enough, and was swiftly debunked, but with the pace of technology, we may only be a few years away from not being able to tell a real video from a deep fake, the consequences of which cannot be fully fathomed. Anyone who has had any experience of social media, especially during the past two years, would have some awareness of the toxic effect the spread of disinformation can have on public discourse, personal relationships, and democracy. Disinformation is also a cybersecurity issue. Users are targeted via phishing scams – correspondence which looks authentic but designed to give hackers access to personal and valuable information.

4 THE BULLETIN April 2022

Like deep fakes, these scams are becoming more sophisticated and realistic. No doubt many of us have received emails from so-called clients, or text messages about delivery packages (no doubt preying on the covid-inspired online shopping boom) asking us to follow a link or provide personal information. It is more important than ever for businesses to ensure they have robust cybersecurity systems in place. Reviewing and upgrading cybersecurity infrastructure is worth the investment, as the costs of a cyber attack could be catastrophic. As important as cybersecurity technology is user awareness training, as cyber attacks, such as phishing, rely on human weakness to succeed. It is why I consider this cybersecurity edition of The Bulletin to be such an important one. It contains a number of articles with great practical advice about how to protect valuable data and minimise the risk of debilitating cyber attacks. As cyber attacks continue to become more prevalent and damaging, it is just not viable to think “it won’t happen to me”. It most likely will, and the extent of the impact on you and your firm will largely depend on how seriously you took your cybersecurity. B

RANSWOMWARE ATTACKS Legal implications for lawyers

DJOKOVIC V AUSTRALIA Ministerial powers to cancel visas

PRESIDENT’S MESSAGE

New conduct rules apply to all SA practitioners JUSTIN STEWART-RATTRAY

he Society implemented new legal profession rules for SA legal practitioners on 1 January 2022. The new South Australian Legal Practitioners Conduct Rules (SALPCR), which replace the SA version of the Australian Solicitors Conduct Rules, provide a comprehensive set of legal profession rules which bind all SA legal practitioners including those who choose to practise exclusively as barristers. The SALPCR are the product of a review carried out by the Society as to the content and application of the legal profession rules in SA. Consideration of content included participation in the Law Council of Australia’s (LCA) review and redrafting of the Australian Solicitors Conduct Rules. For that review, the Society contributed to some important changes to the rules especially those relating to conflict of interest and sexual harassment and discrimination. In reviewing the application of the old rules one of the main issues was to ensure that the rules are expressed in such a way to make it clear that they apply to, and have disciplinary ramifications for, all SA legal practitioners regardless of the context in which they practise.

The changes to the structure and terminology used in the SALPCR ensure that they harmonise with the disciplinary provisions of the Legal Practitioners Act, especially with section 70 which provides that conduct consisting of a contravention of the legal profession rules is capable of constituting unsatisfactory professional conduct or professional misconduct. As section 70 does not exclude any class of practitioner from its ambit, and we have a fused profession in South Australia, it was decided necessary to amend the structure and terminology of the legal profession rules adopted by the Society (noting that the definition of “legal profession rules” is “the Society’s professional conduct rules”) to properly reflect those elements. The Society consulted closely with the SA Bar Association and the Legal Profession Conduct Commissioner in the development of the new rules. The SALPCR now consists of two sections, Part A and Part B. Part A consists of a new South Australian version of the Australian Solicitors Conduct Rules (ASCR) which replaces the word “solicitor” with “legal practitioner” and incorporates amendments which were the outcome of the LCA’s

review such as the new rule 11A (which provides for specific conflict of interest requirements for practitioners providing short term legal assistance) and the revised rule 42 (which deals with sexual harassment and discrimination). The rules in Part A apply to all SA legal practitioners other than those to whom Part B applies. Although they do contain some SAexclusive content (see rule 16A), Part A uses the same numbering as the LCA’s Australian Solicitors Conduct Rules for consistency and ease of cross-referencing. Part B applies to South Australian legal practitioners who hold a Category BA practising certificate or who have otherwise elected to practise exclusively as a barrister by qualifying for the barrister contribution under the South Australian Professional Indemnity Insurance Scheme. It comprises an amended version of the South Australian Bar Association Rules which are constructed to provide a rule regime that specifically applies to practitioners who choose to wholly practise as barristers. Detailed information about new Rule 11A and the amendments to Rule 42 will be published in the May edition of The Bulletin. B April 2022 THE BULLETIN

CYBER ATTACKS

IT’S TIME TO GET OUR HEADS OUT OF THE SAND AND INTO THE CLOUD ALEXANDRA DOUVARTZIDIS, ASSOCIATE AT HWL EBSWORTH LAWYERS AND MEMBER LEGAL TECHNOLOGY COMMITTEE, AND ALEXANDRA HARRIS, SENIOR ASSOCIATE AT TINDALL GASK BENTLEY LAWYERS AND MEMBER, LEGAL TECHNOLOGY COMMITTEE

ata breaches and cyber-attacks are occurring on a more frequent basis in Australia. Recently, the South Australian Government was the victim of a ransomware cyber-attack in November, 2021. The government first disclosed the extent of the data breach in November, when it said at least 38,000 employees had their records stolen and, in some cases, published on the dark web. It was later revealed that the breach impacted almost 80,000 employees.1 The South Australian Government is not the only victim of large cyberattacks. From other State Governments attacks amassing hundreds of thousands, to CANVA’s breach in 2019 impacting approximately 139 million of its users,2 cyber-attacks are almost a part of everyday life. Even though the Australian Government is revising its cybersecurity frameworks and policies, businesses, including law firms, cannot exclusively rely on the government for protections against cyber-attacks.3 It has become increasingly essential for lawyers and law firms to understand, embrace and implement emerging legal technologies in their individual practice and overarching firm policies, not only to improve efficiencies and work flow generally, but also to protect clients’ and their own sensitive information.

6 THE BULLETIN April 2022

It is somewhat obvious that law firms will competitively benefit from keeping up to date with technology and integrating it into their everyday practice. Every day we are seeing an increasing number of firms and courts around Australia move away from traditional paper storage to cloudbased storage and document management systems. What isn’t as obvious is the concept that being a ‘tech savvy’ lawyer, or at the very least keeping up to date with the latest technological advancements potentially falls under the overarching ethical obligations that lawyers must abide by. This article considers a common type of cyber-attack in detail, the risks and consequences for practitioners, and how practitioners can avoid cyber-attacks. We also consider what steps practitioners should take if an attack occurs, and what are the general benefits of increasing your overall knowledge of technology in everyday practice.

WHAT IS A “CYBER-ATTACK” AND WHAT ARE THE COMMON TYPES? A cyber-attack is when cybercriminals through the use of a computer launches an attack to disable systems, steal and/ or destroy data and information, or use a breached computer system to launch

additional attacks. Cybercriminals use different methods to launch a cyberattack that includes malware, phishing, ransomware, or other methods.4 Criminally motivated persons generally launch cyber-attacks in order to seek financial gain through the theft of actual monies and/or data information that they can hold ‘ransom’ and seek payment for the return or destruction of the information held. Occasionally, an attack is launched for the purposes of merely disrupting a company’s system,5 or for a multitude of other reasons. From ransomware to malware, the types of cyber-attacks individuals and companies face today are endless. For the purposes of this article, we focus on the key cyber-attack method of ‘phishing’ commonly faced by practitioners. Phishing is where cybercriminals send fraudulent messages in an attempt to steal confidential information, such as banking logins, credit card details, business login credentials or passwords/passphrases.6 Phishing, unlike hacking, relies on a person voluntarily providing information.7 ‘Spear phishing’ for example, is when messages sent to target specific individuals and/or organisations.8 It is not uncommon for more sophisticated messages to contain material that is true (or appears likely to be true) to make them seem more genuine.9

CYBER ATTACKS

Spear phishing often uses a method called ‘social engineering’ for its success. Social engineering is a way to manipulate people into taking action by fashioning very realistic ‘bait’ or messages. It usually involves a great deal of research by the cybercriminals to target its victims.10 The message itself will usually lead the unsuspecting recipient to a fake website full of malware, which is an intrusive software effectively designed to destroy computer systems.11 The technique of spear phishing is one of the key factors leading to successful cyber-attacks commonly known as a ‘business email compromise’ (BEC). One example of a BEC is where cybercriminals will, using spear phishing techniques, target companies who use online invoicing methods. The sting involves gaining remote access to a business’ (or customer / client) email and lying in wait for the perfect opportunity to strike.12 They will usually ‘keep watch’ for a while (typically with the use of malicious software mentioned above) and get a feel for the type of emails and invoices being sent. When the opportunity arises, they intercept the invoice, manually change the bank account details and redirect it to the victim for payment.

Common examples involve businesses sending an invoice for payment (that is shortly after intercepted) and there have also been reports of real estate agencies sending trust account details over email which have resulted in significant house deposits being lost to criminals in an instant. It is devastating, and all too easily avoided with the right knowledge and use of technology. Bank details should never be exchanged via email, as doing so leaves the sender vulnerable to a third party intercepting the email and editing the bank details so that monies are transferred to a third party account. Once this happens, it is very difficult and near impossible to retrieve the lost money. It is not uncommon to receive a scam email that is tailored to your firm. For example, you may receive an email from a prospective client. They may include a link which requires you to click to access their ‘documents’ (for example, they may include a link which appears to be Dropbox or a similar application). They may also appear to be a co-worker, such as a senior practitioner delegating tasks, using your co-workers name and the firms signature template to appear more realistic. Equally concerning, and often less

easy to identify, is when a scammer sends an email or message which appears to be from your own firm’s IT department (or another department). They may send a message appearing to be from your own company’s IT helpdesk asking you to click on a link and change your password because of a ‘new policy’. According to Scamwatch, BEC scams caused the highest losses across all scam types in 2019 costing businesses $132 million, according to the ACCC’s Targeting Scams report. Scamwatch alone received almost 6,000 reports from businesses in 2019 with $5.3 million in reported losses. False billing was the most commonly reported type of scam which includes BEC scams.13

WHAT ARE THE RISKS AND CONSEQUENCES FOR LAWYERS IF A CYBER-ATTACK OCCURS? Practitioners must realise the integral role played by technology in the legal profession and the consequences for practitioners when a cyber-attack occurs. Practitioners store and use personal and commercially sensitive information about their clients. If a law firm is the victim of a cyber-attack the consequences can be overwhelming for both the clients and the practice itself. Overall, failing to April 2022 THE BULLETIN

CYBER ATTACKS

be cautious of the risks and incorporating the use of technology into everyday practice could ultimately result in a breach of conduct and/or a practitioners’ obligations. For example, a cyber-attack may amount to breach of the South Australian Legal Practitioners Conduct Rules (the Rules), which sets out, amongst other things, that one of the fundamental duties of legal practitioners is to deliver legal services competently, diligently and as promptly as reasonably possible, and to ensure they avoid any compromise to their integrity and professional independence.14 The Rules also require practitioners to ensure that they do not disclose any information which is confidential to a client and is acquired during the client’s engagement.15 The bottom line: as a practitioner, you are responsible for keeping your client’s information safe. Even if sensitive information isn’t impacted during a cyber-attack, the consequences of an attack could affect the ongoing operations of the firm. For example, a major law firm was attacked by through a malware system, which compromised its operations for days. The firm had limited to no access to its computers or emails. It was recorded that the firm had to spend approximately 15,000 hours in overtime for its IT employees to address the issues.16

SO, HOW CAN YOU AVOID A CYBERATTACK? Practitioners should always be vigilant with their communications and use of technology, including computers and mobiles. Here are some tips prepared by the Australian Cyber Security Centre17 and

8 THE BULLETIN April 2022

the Law Society18 on how to reduce the risk of a cyber-attack: • Do not open any attachments or click on any links arising from emails where the sender is unknown. These links may redirect to a file or a malicious login page which can control your computer or capture your login details. • Before you click a link (in an email or on social media, instant messages, other web pages, or other means), hover over that link to see the actual web address it will take you to (usually shown at the bottom of the browser window). If you do not recognise or trust the address, try searching for relevant key terms in a web browser. This way you can find the article, video or web page without directly clicking on the suspicious link. • Even if the sender appears to be/ or is known, it is prudent to check with the sender confirming the email is genuine. Targeted attacks by professional computer hackers can easily masquerade and camouflage their emails to appear genuine. Emailed directions with respect to money and trust transactions should always be confirmed verbally. • If you’re not sure, talk through the suspicious message with a co-worker, or check its legitimacy by contacting the relevant business or organisation (using contact details sourced from the official company website). • Install anti-virus software on all devices and set it to automatically apply updates and conduct regular scans. • Account details for payment should always be provided verbally, or via a written document such as a bill

or retainer letter, and should not be included in the body of an email. Such details can be easily modified through cyber-attack techniques. If the bill or retainer letter containing the bank details is sent via email, it should be done so using the proper encryption software to ensure that third parties cannot gain access. • Educate your clients about cyberattacks and advise them to contact you immediately if they receive any in-genuine, weird or fake emails. Such emails may take the form of a request to pay money, receive details, or upload/downloading files. If you become aware of such activity, you should advise the client to refrain from opening any further emails. • Have sufficient cyber-crime insurance schemes in place. • Implement a cyber-attack procedure and plan for typical and worst-case scenarios. The Australian Cyber Security Centre has also developed the ‘essential eight’ mitigation strategies to help avoid cyber security incidents.19 In summary, the mitigation strategies suggest: • Application Whitelisting: The practice of specifying a list of approved software applications or executable files that are permitted to be present and active on a computer system. • Patch Applications: Application patch management is the process of testing, acquiring, and installing patches (code changes) on computer systems to avoid vulnerabilities. • User Application Hardening: Disable any unnecessary applications

Calls to the Australian Cyber Security Hotline in 2021 increased by almost 310% from the previous year. Professional services are among the top 3 sectors reporting cyber security incidents in 2021 ACSC Annual Cyber Threat Report

The legal profession is often targeted for the sensitive client data they hold. It is no longer a matter of if but when your organisation will be subject to a cyber intrusion attempt. With the onset of the Covid-19 global pandemic and the increasing shift to flexible workplace arrangements many organisations are inadvertently leaving themselves vulnerable to a cyber incident. Do you have the security in place to combat such a threat? Contact one of our security experts today for an obligation free discussion about your network security. Mention this ad and receive a complimentary dark web scan of your domain, usernames and passwords and an external vulnerability report of your primary site.

99 e 19 sinc

empower | connect | protect

Lettscom was established in Adelaide in 1999 and remains proudly South Australian owned and operated. Supporting businesses on a local, national, and global level for 23 years. Call: 08 8177 5600 Email: security@lettscom.com.au Web: lettscom.com.au

CYBER ATTACKS

•

and features that are likely to increase risks (Such as Java, Office Suite Macro Scripts, etc). Restrict Administrative Privileges: Restrict access to administrative accounts and operating systems based on user duties. Re-validate access to systems regularly. Multi-Factor Authentication: Multifactor authentication (MFA) is a security measure that requires two or more proofs of identity to grant you access. Maintain Daily Backups: Undertaking daily backups of your system to ensure a copy of all of the data is saved in the event of a data breach.

YOU’VE HAD A CYBER-ATTACK, WHAT DO YOU NEED TO DO? If your cyber-attack has potentially led to sensitive and confidential information being stolen, destroyed, and/or altered, it is important the breach is reported through the appropriate channels. Remember, even in circumstances where information may not have been impacted in some way, practitioners should report a cyber-attack, Practitioners should consider whether to report to the following entities: • South Australian Police • Australian Cybercrime Online Reporting Network • The South Australian Law Society • Scam Watch • Consumer & Business Services Further, if the cyber-attack has resulted in a data breach (meaning when personal information is accessed or disclosed without authorisation or alternatively is lost), then under the Notifiable Data Breaches scheme, an organisation or agency that must comply with Australian privacy law has to tell the affected party if a data breach is likely to cause them serious harm.20 An organisation or agency who has existing obligations under the Privacy Act must also report any serious data breach to the Office of the Australian Information Commissioner. This includes Australian Government

10 THE BULLETIN April 2022

agencies, businesses and not-for profit organisations that have an annual turnover of more than AU$3 million, private sector health service providers, credit reporting bodies, credit providers, entities that trade in personal information and tax file number (TFN) recipients.21 Generally, an organisation or agency (which has an obligation under the Privacy Act to report) has 30 days to assess whether a data breach is likely to result in serious harm.22 When a data breach occurs, an organisation or agency must endeavour to reduce the chance that an individual experiences harm. If they’re successful, and the data breach is not likely to result in serious harm, the organisation or agency is not obligated to advise the individual about the data breach. Should we apply this approach to the concept of maintaining client confidentiality – i.e., take it a step further and notify the party whose confidentiality has been breached as soon as practicable? Some would say yes, and indeed many law firms are erring on the side of caution and creating internal policies dealing with this very issue. For example, sending an email to the wrong recipient is all too easily done. It may be prudent to set up internal firm policy (as indicated above) providing some guidance around how individuals in the firm should respond to such an error. A simple step by step process may look like: • Contact the unintended recipient immediately and request that they destroy the email; and • Contact the affected individual whose confidentiality has been breached and explain the situation, including if applicable confirmation that the content has been destroyed by the unintended recipient.

WHAT ARE SOME OTHER BENEFITS FOR BEING “TECH-SAVVY”? Being “tech-savvy” is not just important to avoid the risk of a cyber-attack. Practitioners ought to frequently turn their minds to the vast array of technology

available to them and query how they can utilise it in their everyday practice for the ultimate benefit of their clients’. Embracing technology and the law can result in quicker more cost-effective communication, security and freedoms to work outside of the four walls of the office. For example, we have long embraced the use of email communications with clients (and others) as a main type of communication in practice. Emails enable effective and fast communications. Today, the majority of practitioners will often communicate through email more than utilise phone calls. Not only are we communicating through emails, we are creating a written record at the same time. Technology surrounding security measures (such as firewalls and other protection software) allow businesses such as law firms to protect and maintain client confidentiality as well as protect transactions surrounding trust monies and associated transactions. The use of cloud storage and document management systems (if used safely), can streamline significant tasks such as electronic discovery (eDiscovery). eDiscovery systems will often allow firms to create ‘shortcuts’ to streamline the review of documents. For example, eDiscovery systems provide tools to analyse documents to reduce the overall volume to be reviewed and/or discovered. Most systems, amongst other things, offer duplicate detection to group textually similar documents together to help the review process more efficient. Digital technology also enables us to practice the law outside of the traditional office environment which is increasingly relevant in our post COVID-19 world. Through virtual meetings and negotiations to video court appearances, being able to adopt to these modern practices can only serve to benefit a practitioner (and their clients). The flexibility to practice from any location is priceless, but we must ensure that appropriate measures are put in place to maintain cyber security. Having an understanding of the risks and identifying how to mitigate those is a good starting point. B

CYBER ATTACKS

Endnotes 1 ‘Personal details of up to 80,000 SA government employees accessed in cyber attack,’ Stacey Pestrin and Eugene Boisvert (10 December 2021) https://www.abc.net.au/news/2021-1210/thousands-of-sa-government-employeesaffected-by-cyber-attack/100690564 2 Canva criticised after data breach exposed 139m user details, Paul Smith (26 May 2019) https:// www.afr.com/technology/canva-criticisedafter-data-breach-exposed-139m-user-details20190526-p51r8i 3 Australian Cyber Security Centre, Common cyber threats, (accessed: 25 February 2022), https:// www.cyber.gov.au/acsc/view-all-content/ism 4 Ibid. 5 ‘What is a cyber-attack?’, IBM https://www.ibm. com/au-en/topics/cyber-attack (accessed: 25 February 2022). 6 Above n3. 7 Ibid; ‘What is phishing? How this cyber attack works and how to prevent it’, Josh Fruhlinger (4 September 2020), https://www.csoonline. com/article/2117843/what-is-phishing-how-

this-cyber-attack-works-and-how-to-prevent-it. html 8 ‘What is Spear Phishing?’, Kasperksy, (Accessed: 24 February 2022), https://www.kaspersky.com. au/resource-center/definitions/spear-phishing 9 Ibid. 10 ‘How Spear Phishing Makes BEC Attacks So Effective’, The PhishLabs Team, (2 August 2019) https://www.phishlabs.com/blog/how-spearphishing-makes-bec-attacks-so-effective/ 11 ‘What is malware?’, Joseph Regan & Ivan Belcic, (15 February 2022) https://www.avg.com/en/ signal/what-is-malware 12 Australian Cyber Security Centre, Business Email Compromise, https://www.cyber.gov.au/learn/ threats/business-email-compromise 13 ACCC Scamwatch, Business email compromise scams cost Australians $132 million, (23 June 2020), https://www.scamwatch.gov.au/news-alerts/ business-email-compromise-scams-costaustralians-132-million 14 South Australian Legal Practitioners Conduct Rules, rule 4.1.3. 15 Ibid, rule 9.

16 Law Protect, What are the main cyber risks for lawyers today? https://lawprotect.com.au/what-arecyber-risks-for-lawyers-today/ 17 Above n3. 18 The Law Society of South Australia, Cyber Security, https://www.lawsocietysa.asn.au/Public/ Publications/Resources/CyberSecurity.aspx 19 Australian Cyber Security Centre, Essential Eight Maturity Model, (October 2021) https:// www.cyber.gov.au/acsc/view-all-content/ publications/essential-eight-maturity-model 20 Australian Government Office of the Australian Information Commissioner, What is a notifiable data breach?, https://www.oaic.gov.au/privacy/ data-breaches/what-is-a-notifiable-data-breach 21 Australian Government Office of the Australian Information Commissioner, Notifiable Data Breach Scheme (February 2022), https://www.oaic.gov. au/privacy/guidance-and-advice/data-breachpreparation-and-response/part-4-notifiabledata-breach-ndb-scheme#:~:text=The Privacy Act requires certain,or after 22 February 2018.or after 22 February 2018.” 22 Ibid.

TECHNOLOGY MANAGED

Is your business cyber-secure? Your cyber-security posture needs to be strong if you want to remain protected and operational. We’re well versed in data protection and can support your business with cyber-security built into a technology solution that works for your business. Quickly minimize your cyber-risk One provider for all your technology needs Affordable and scalable solutions

Abrahem El-Sayed - Technology Sales Manager 0423 868 560 abrahem.elsayed@efex.com.au THINKEX HOLDINGS PTY LTD ABN 28 625 658 568

GET A

FREE

ASSESSMENT

FEATURE

FACIAL RECOGNITION TECHNOLOGY AND THE LAW: ARE EXISTING PRIVACY AND SURVEILLANCE LAWS FIT FOR PURPOSE? CAITLIN SURMAN, SENIOR ASSOCIATE, HWL EBSWORTH

ver the past few years, the development and use of Facial Recognition Technology (FRT) throughout Australia has grown exponentially but has been accompanied by widespread concerns about the capacity of existing legislative frameworks to regulate it appropriately, as well as a lack of specific legislation regulating its use. While lawmakers grapple with what that new legislative framework might look like, this article considers how Australia’s existing privacy and surveillance laws deal with FRT, including whether those laws adequately safeguard the use of FRT, and options for future reforms to these frameworks.

WHAT IS FRT AND HOW IS IT USED? FRT involves the automated extraction, digitisation and comparison of spatial and geometric distribution of facial features. Using an algorithm, FRT compares an image of a face with an image stored in a database, in order to identify a match.1 FRT is deployed in two main ways, being: 1. ‘one-to-one’ FRT, which is used to verify the identity of an individual by checking one image against a single, respective image to determine if they are the same person.2 It is often utilised in a controlled environment where the lighting is sufficient and the subject is in an optimal position to facilitate a successful comparison,3 and its most common application is unlocking a smartphone; 2. ‘one-to-many’, which is used to identify an unknown individual by comparing a select image against a large database;4

12 THE BULLETIN April 2022

This article focuses on ‘one-to-many’ FRT, which seeks to match a single facial image with a different facial image of the same individual that has been stored in a large database. It therefore relies on a much larger dataset to conduct a comparison, whilst the facial image being compared against the dataset is often taken from ‘the wild’ (eg CCTV surveillance) and is of lower quality.5 As a result, identifying a person using ‘one-to-many’ FRT is more difficult and prone to false matches and misidentification.6 In Australia, FRT is often used by banks and telecommunications companies for identity verification purposes, 7 and is used extensively by immigration authorities to verify the identity of passport holders at international borders/airports, as well as by law enforcement agencies throughout Australia for crime prevention and suspect identification purposes. Locally, SAPOL fully implemented its own FRT system (called ‘NEC NeoFace system’) in the Adelaide CBD in 2019, which integrates FRT with CCTV, ATM, and some social media footage.8 In November 2021, the Adelaide City Council announced plans to roll out an updated City Safe CCTV Network that will involve the introduction of facial and number plate recognition.9

EXISTING SURVEILLANCE LAWS Application to FRT There is no Commonwealth legislation that regulates the use of surveillance devices.10 Instead, this is currently governed by state and territory legislation. The relevant piece of legislation in South Australia is the Surveillance Devices Act 2016 (SA) (SDA).

The SDA prohibits: 1. the knowing installation, use or maintenance of an ‘optical surveillance device’11 by a person on a ‘premises’12 that visually records or observes a ‘private activity’ without the express or implied consent of all the key parties;13 and 2. the knowing use, communication or publication of information or material derived from the use of an optical surveillance device.14 The regulation of an optical surveillance device under the SDA is linked to the concept of a ‘private activity’, meaning an activity carried on in circumstances that may reasonably be taken to indicate that one or all of the parties do not want the activity to be observed by others.15 Accordingly, the SDA might prohibit FRT in circumstances where it is used for covert optical surveillance (unless an exception applies). The definition of ‘private activity’ excludes activities carried on in a public place.16 Accordingly, public authorities can use devices with FRT to monitor the activities of the general public in public spaces, or semi-public spaces, without breaching the SDA. Even if a person or government authority is prohibited from using a device to monitor FRT by the SDA, section 5(4) of the SDA sets out several exceptions to the general rule. These exceptions include where the use of the optical surveillance device is reasonably necessary for the protection of the ‘lawful interests’ of that person, or if the use of the device is in connection with the execution of a ‘surveillance device warrant’ or ‘surveillance device (emergency) authority’.

Transparent IT Support and Managed Services that deliver peace of mind. At Inter Intra, we are at war with business disruption. We act as your sentinel by providing transparent IT support through managed services, giving you peace of mind to focus on

•

future-proofing and growing your business. Your business is only as good as the IT infrastructure that supports it. Set your business up with the right technology foundations to

•

Years of experience supporting the legal sector with their IT infrastructure needs, and line of business applications.

•

IT Managed Services

•

Trusted local IT partner, for many SA based companies

Essential 8 Cyber benchmarking

guarantee success and prosperity.

Are you ready to start your IT Support journey?

Phone

Running your business is enough of a challenge these

1300 080 000 (+61) 1300 080 000 (International inquires)

days. Don’t let managing your IT infrastructure become a burden. At Inter Intra, we set your business up with the right technology foundations to guarantee success in the future.

Give us a call today for a free consultation.

www.interintra.com.au

Address Level 17 45 Grenfell Street, Adelaide 5000

April 2022 THE BULLETIN

FEATURE

The term ‘lawful interest’ is not defined by the SDA but the concept was given judicial consideration in Nanosecond Corporation Pty Ltd v Glen Carron Pty Ltd (2018) 132 SASR 63 (Nanosecond) where Doyle J held that the recording of a private conversation ‘just in case’ it might prove advantageous in future civil litigation is not enough for the purpose of establishing a lawful interest. The Court is more likely to find that a recording has been made in the protection of a person’s lawful interests where the conversation relates to an allegation of a serious crime or resisting such an allegation, or where a dispute has ‘crystallised into a real and identifiable concern about the imminent potential for significant harm to the commercial or legal interests of a person.17 Whilst Nanosecond concerned the use of a listening device, the same principles arguably apply to the recording of a private activity via an optical surveillance device with FRT. A further exception is contained in section 6(2) of the SDA, which provides that the prohibition on the use of an optical surveillance device does not apply if the use of the device is in the ‘public interest’. The term ‘public interest’ is not defined by the SDA.18

EXISTING PRIVACY LAWS Application to FRT Although the thirteen Australian Privacy Principles (APPs) in Schedule 1 to the Privacy Act 1988 (Cth) (Privacy Act) are intended to be technology neutral

14 THE BULLETIN April 2022

so as to preserve their relevance and applicability to changing technologies, 19 questions remain as to whether the APPs and Privacy Act sufficiently protect privacy where FRT is deployed. Australian privacy law treats biometric information as personal information.20 In particular, ‘Biometric information’ that is to be used for the purpose of ‘automated biometric verification’ or ‘biometric identification’, or ‘biometric templates’, is a type of ‘sensitive information’ for the purposes of the Privacy Act 1988 (Cth) and Australian Privacy Principles.21 ‘Biometric information’ is not defined by the Privacy Act or APPs, but it is generally regarded as being information that relates to a person’s physiological or biological characteristics that are persistent and unique to the individual (including their facial features, iris or hand geometry),22 and which can therefore be used to validate their identity.23 The terms ‘automated biometric verification’ or ‘biometric identification’ are not defined by the Privacy Act or the APPs either. However, the Biometrics Institute defines ‘biometrics’ as encompassing a variety of technologies in which unique attributes of people are used for identification and authentication,24 while the OAIC (Office of the Australian Information Commissioner) has indicated (in effect) that a technology will be ‘automated’ if it is based on an algorithm developed through machine learning technology.25

A ‘biometric template’ is a mathematical or digital representation of an individual’s biometric information.26 Machine learning algorithms then use the biometric template to match it with other biometric information for verification or identification purposes.27 Given the breadth of the definitions of ‘biometric information’, ‘automatic biometric verification’, ‘biometric identification’ and ‘biometric template’, the majority of biometric information captured by FRT is likely to fall within the protections of the Privacy Act and APPs, and the safeguards contained in Privacy Act and APPs will therefore apply to any biometric information collected by any FRT deployed by an ‘APP entity’.28 Current Safeguards As a form of ‘sensitive information’, biometric information is afforded a higher level of privacy protection under the Privacy Act and APPs than other personal information in recognition that its mishandling can have adverse consequences for an individual,29 meaning that an APP entity that collects and uses a person’s biometric information via FRT must adhere to stricter requirements. Consent The key requirements are contained in APP 3, which (in effect) provides that an APP entity may only solicit and collect a person’s biometric information if the information is reasonably necessary for one or more of the APP entity’s functions

Boost your bottom-line Collaborative cloud matter management with Microsoft Ofﬁce and Outlook integration, automate workﬂow and documents, manage emails, tasks, and calendars in one place. Book a demonstration at www.cabenet.com.au

FEATURE

or activities,30 the biometric information has been collected by ‘lawful and fair means’, 31 and the person consents to the collection of their biometric information (unless an exception applies).32 Consent for the purpose of the Privacy Act and APPs can be either ‘express consent’ or ‘implied consent’.33 As a general rule, an APP entity should seek express consent to the collection of sensitive information (including biometric information) as the potential privacy impact is greater.34 In either case, however, an individual must be adequately informed before giving consent.35 The Privacy Act and APPs contain five exceptions to the requirement for an APP entity to obtain a person’s consent prior to collecting sensitive information (including biometric information).36 The exceptions are broad and include: 1. where it is unreasonable or impracticable to obtain a person’s consent to the collection, and the APP entity reasonably believes the collection is necessary to lessen or prevent a serious threat to the life, health or safety of any individual, or to public health or safety;37 2. where the APP entity has reason to suspect that unlawful activity, or misconduct of a serious nature, that relates to the APP entity’s functions or activities has been, is being, or may be engaged in and reasonably believes that the collection is necessary in order for the entity to take appropriate action in relation to the matter; and 38 3. where an ‘enforcement body’39 reasonably believes that collecting the information is reasonably necessary for, or directly related to, one or more of the body’s functions or activities.40 Use & Disclosure of Biometric information As a type of sensitive information, special requirements also apply to the use and disclosure of biometric information after it has been collected via FRT. APP6 provides that an APP entity can only use or disclose biometric information for the original/primary purpose for which it was collected. For example, if a company collects the image of a person’s face for the purpose of unlocking their smartphone, the company would not (without consent) be permitted to use the individual’s face for an unrelated purpose, such as to build a database of people

16 THE BULLETIN April 2022

whose information could then be sold to a third party for marketing purposes.41 Biometric information can only be used or disclosed for a secondary purpose if an exception contained in APP 6.1 applies. Those exceptions include where the individual has consented to that secondary use or disclosure,42 or where an individual would ‘reasonably expect’43 the entity to use or disclose the information for that secondary purpose and the secondary purpose is directly related44 to the primary purpose of collection. There are also specific exceptions which enable an APP entity to share a person’s personal information (including their biometric information) with enforcement bodies.45

CONCERNS WITH EXISTING LAWS Concerns with surveillance laws Given how broad the legislated exceptions are, concerns have arisen that relying on these exceptions to justify the use of devices integrating FRT disproportionately affects a person’s privacy. The decision in Nanosecond curtails any such invasion to a limited extent by ensuring that the ‘lawful interest’ exception cannot be relied on to use FRT to visually monitor a person in anticipation that they might do something that might impinge upon a person’s lawful interest. However, more clear statutory limits as to what constitutes a ‘lawful interest’ would be helpful while the case law evolves. Similarly, a key concern raised in respect of FRT and the public interest exception is that its widespread use in public places is not necessary or proportionate to a goal of crime prevention or public safety, and that the use of FRT therefore improperly invades a person’s privacy.46 Options to prevent any unnecessary incursions on a person’s privacy could include to require that the optical surveillance be ‘reasonably necessary’ to protect the public interest, and to introduce a list of non-exclusive statutory considerations that must be taken into account when undertaking that assessment. Concerns with privacy laws Scope The Privacy Act and APPs are federal laws that only apply to organisations and agencies deploying FRT that fall within the definition of an ‘APP entity’. The definition of an ‘APP entity’ does not include state and territory authorities or

agencies, or organisations with an annual turnover of less than $3 million.47 Whilst some jurisdictions have their own specific privacy legislation that steps in to help safeguard a person’s privacy where FRT is used, there are other jurisdictions where no specific privacy legislation exists at all (including South Australia). In South Australia, the State public sector is required to comply with South Australian Information Privacy Principles (IPPs).48 However, the IPPs do not extend to biometric information, and there is no other legal framework which holds those agencies, authorities and organisations that fall outside the scope of the Privacy Act and APPs to account in SA. No true consent In the past year, the OAIC has issued two rulings in which it determined that the collection of biometric information by two separate companies (Clearview AI49 and 7Eleven50) contravened the consent requirements of the Privacy Act and APPs, demonstrating that whilst the OAIC is conscious of the privacy issues posed by FRT, the consent model under the current privacy regime is ill-equipped for FRT. The Privacy Act and APPs strictly require that APP entities collecting biometric information via FRT should obtain express consent, but the nature of FRT means that it is not practical (or often possible) to obtain true, express consent from individuals whose biometric information might be captured by FRT. Whilst obtaining express consent is arguably more realistic where ‘one-toone’ FRT is being utilised for a specific purpose in a controlled environment, it is hard to imagine a scenario where an APP entity deploying ‘one-to-many’ FRT would (or could) take steps to obtain express consent from every person whose biometric information they might capture. Accordingly, an APP entity that deploys FRT will usually need to infer a person’s consent to the collection of their biometric information by FRT. Even though inferred consent is an option, it is difficult for APP entities deploying FRT to provide people with enough information about how FRT collects and uses their biometric information before FRT captures their image. This means that most people captured by FRT will not have been properly informed about what they were

FEATURE

consenting to. Further, an individual will not often have the ability to refuse to provide their consent to the use of FRT, and may feel compelled to provide it due to the inconvenience of not doing so, or due to their lack of bargaining power. For example, although 7Eleven displayed a notice at the entrance to its stores to alert customers that they would be subject to FRT when they entered the store, 51 and sought to a infer that any customer who then chose to enter the store has provided consent, it is arguable that the customer had no choice (particularly if there were no convenient alternatives available to them). Breadth of exceptions Another criticism levelled at the Privacy Act and APPs is that the exemptions to the consent requirements of APP 3, and the single purpose requirement of APP6, are too broad and do not sufficiently protect people against invasions of privacy. The exemptions provided for in the Privacy

Act which allow for the collection and use/disclosure of sensitive information (including biometric information) without consent have been made on the basis of balancing individual interests against those of collective security.52 However, this balancing approach has arguably resulted in individual privacy being ‘traded off ’ against the wider community interests of preventing, detecting and prosecuting crime’.53

WHERE TO FROM HERE? The issues identified in this article suggest a review and assessment of existing privacy and surveillance laws is needed to address the unique challenges posed by biometric technologies. It is clear that while existing privacy and surveillance laws place a number of safeguards on the use of FRT in private enterprise, there is a gap in the regulation of the use of FRT by government authorities (particularly

in South Australia). This is particularly concerning when FRT is used by government authorities to make decisions that might infringe on an individual’s human rights in the context of policing and law enforcement. In March, 2021, the Australian Humans Rights Commission released the Human Rights and Technology Final Report 2021, which made a number of recommendations for the regulation of FRT, including the introduction of tailored legislation that regulates the use of FRT, and the introduction of a statutory cause of action for serious invasions of privacy.54 These recommendations have been made at the same time that the privacy law regime in Australia is undergoing a comprehensive review. Accordingly, it is hoped that those reviews can result in the incorporation of additional, more tailored safeguards to help balance the benefits flowing from the use of FRT against its risks to personal privacy. B

Auctioneers & Valuers

MGS (SA) is South Australia’s most experienced industrial auctioneers and valuers with over 40 years in the industry. Our expertise is second to none. Servicing Corporate Australia, Insolvency Practitioners, Legal Professionals, Accountants and Government. Jack Ruby’s Bar Providing an unparalleled solution management, valuations or disposal. Basement, 89for Kingasset William Street, Adelaide SA

Auctioneers & Valuers of Plant & Equipment for: • Business Restructuring • Succession Planning

• Acquisition & Disposal • Insolvency & Legal Disputes

www.mgs.net.au Mason Gray Strange Auctions (SA) Pty Ltd | P 8444 9111 | 370-378 Torrens Road, Kilkenny, SA 5009

FEATURE

Endnotes 1 Monique Mann* And Marcus Smith, ‘Automated Facial Recognition Technology: Recent Developments And Approaches To Oversight’ (2017) 40(1) UNSW Law Journal 121, 122. 2 This involves a computer checking whether a single facial image matches a different facial image of the same person: Australian Human Rights Commission, Human Rights and Technology (Final Report, March 2021) 113. 3 Eifeh Strom, ‘Facing challenges in face recognition: one-to-one vs. one-to-many’, Asmag (Web page, 19 September 2016) <https://www. asmag.com/showpost/21158.aspx> 4 Philip Brey, ‘Ethical Aspects of Facial Recognition Systems in Public Places’ (2004) 2 Journal of Information, Communication and Ethics in Society 97, 98 5 Seth Lazar, Clair Benn and Mario Gunther, ‘Large-scale facial recognition is incompatible with a free society’, The Conversation (Web page, 10 July 2020)< https://theconversation.com/largescale-facial-recognition-is-incompatible-with-afree-society-126282 6 Australian Human Rights Commission, Human Rights and Technology (Final Report, March 2021) 113. 7 Liz Campbell, ‘Why regulating facial recognition technology is so problematic - and necessary, The Conversation (Web Page, 26 November 2018) <’https://theconversation.com/why-regulatingfacial-recognition-technology-is-so-problematicand-necessary-107284> 8 ‘South Australia Police tap NEC for facial recognition edge over criminals’, NEC Organisation (Web page, 1 August 2016) <https://www.nec.com/en/ press/201608/global_20160801_03.html>. 9 Malcolm Sutton, ‘Facial recognition technology put on hold in Adelaide amidst privacy concerns’, ABC News (Web page, 10 November 2021) <https://www.abc.net.au/news/2021-11-10/ facial-recognition-tech-on-hold-amidst-privacyconcern/100608514> 10 Note that the Commonwealth Government has committed to reforming Australia’s laws governing electronic surveillance, and recently released a Discussion Paper “Reform of Australia’s electronic surveillance framework” which seeks input in respect of its proposal to repeal the Telecommunications (Interception and Access) Act 1979 (TIA Act), Surveillance Devices Act 2004 and relevant parts of the Australian Security Intelligence Organisation Act 1979 (ASIO Act), and replace the current patchwork of laws with a single, streamlined and technology neutral Act. 11 An “optical surveillance device” means a device capable of being used to observe or record visually (whether for still or moving pictures) a person, place or activity: SDA, s 3. This definition is arguably wide enough to capture any devices that integrate FRT for the purpose of capturing facial images (such as CCTV). 12 “premises” includes land, a building, a part of a building, and any place (whether built or not). 13 SDA, s 5(1). 14 SDA, s 12(1) 15 SDA, s 3. 16 SDA, s 3. The definition of “private activity” also excludes activities that can be readily observed

18 THE BULLETIN April 2022

from a public place, and/or an activities carried on in circumstances where the person ought to reasonably expect that they may be observed by another person. 17 Nanosecond, [103] to [105] 18 Queensland Law Reform Commission, Review of Queensland’s laws relating to civil surveillance and the protection of privacy in the context of current and emerging technologies (Report No. 77, February 2020) <http://classic.austlii.edu.au/cgi-bin/sinodisp/ au/other/lawreform/QLRC/2020/77. html?stem=0&synonyms=0&query=sa%20 consol_act%20sda2016210%20s3; 19 Office of the Australian Information Commissioner, Submission No. D2018/009462 to Australian Human Rights Commission, Human Rights and Technology Issues Paper (19 October 2018) <https://www.oaic.gov.au/engage-with-us/ submissions/human-rights-and-technologyissues-paper-submission-to-the-australian-humanrights-commission> 20 APP Guidelines, Chapter B: Key Concepts, [B.27]. 21 APP Guidelines, Chapter B: Key Concepts [B.138]; Privacy Act, s 6(1) 22 Office of the Victorian Information Commissioner, Biometrics and Privacy, (Web page) < https://ovic.vic.gov.au/resource/biometricsand-privacy/>. 23 Types of Biometrics, Biometrics Institute (Web page) <https://www.biometricsinstitute.org/what-isbiometrics/types-of-biometrics/> 24 Above n 25. 25 Commissioner initiated investigation into Clearview AI, Inc. (Privacy) [2021] AICmr 54,[138] (Clearview). 26 International Organization for Standardisation, Standard ISO/IEC 2382-37: 2017(en), Standard 3.3.22 (Web page, 12 March 2021) < https:// www.iso.org/obp/ui/#iso:std:iso-iec:2382:-37:ed2:v1:en>. 27 Clearview, [127] 28 APP Guidelines, Chapter B: Key Concepts [B.2] to [B.9]; Privacy Act, s 6(1). APP entities generally include include Australian Government agencies and any organisation with an annual turnover of more than $3 million: [ 29 APP Guidelines, Chapter B: Key Concepts, [B.141] 30 APP 3.1 and APP 3.2 31 APP 3.5. 32 APP 3.3. 33 Privacy Act, s 6(1). 34 APP Guidelines, Chapter B: Key Concepts, [B.41]. 35 APP Guidelines Chapter B: Key Concepts, [B.35] 36 The five exceptions are contained at APP 3.4 37 Privacy Act, s 16A(1), Item 1. This is one of the seven “permitted general situations” provided for by s 16A. 38 Privacy Act, s 16A(1), Item 2. This is one of the seven “permitted general situations” provided for by s 16A. 39 ‘Enforcement body’ is defined in s 6(1) of the Privacy. It lists of series of specific bodies. The list includes Commonwealth, State and Territory bodies that are responsible for policing, criminal investigations, and administering laws to protect the public revenue or to impose penalties

or sanctions. Examples of Commonwealth enforcement bodies are the Australian Federal Police, Australian Crime Commission, the Integrity Commissioner, the Immigration Department, Australian Prudential Regulation Authority, Australian Securities and Investments Commission and AUSTRAC. 40 APP 3.4(d)(ii). 41 Australian Human Rights Commission, Human Rights and Technology (Final Report, March 2021), 112. 42 APP 6.1(a) 43 The ‘reasonably expects’ test is an objective one that has regard to what a reasonable person, who is properly informed, would expect in the circumstances. This is a question of fact in each individual case. It is the responsibility of the APP entity to be able to justify its conduct. Examples of where an individual may reasonably expect their personal information to be used or disclosed for a secondary purpose include where the entity has notified the individual of the particular secondary purpose under APP 5.1 (see Chapter 5 (APP 5) or the secondary purpose is a normal internal business practice: APP Guidelines, Chapter 6:APP6, [6.20]. 44 A directly related secondary purpose is one which is closely associated with the primary purpose, even if it is not strictly necessary to achieve that primary purpose: APP Guidelines, Chapter 6:APP6, [6.26]. 45 APP 6.2(c), APP 6.2(e) and APP 6.3 46 Australian Human Rights Commission, Human Rights and Technology (Final Report, March 2021) 114. 47 APP Guidelines, Chapter B: Key Concepts, [B.8]; Privacy Act, s 6(1). 48 Government of South Australia, Department of the Premier and Cabinet Circular, Information Privacy Principles Instruction PC012 (Webpage, 16 September 2013) <http://dpc.sa.gov.au/ premier-and-cabinet-circulars>. 49 Commissioner initiated investigation into Clearview AI, Inc. (Privacy) [2021] AICmr 54 50 Commissioner initiated investigation into 7-Eleven Stores Pty Ltd (Privacy) (Corrigendum dated 12 October 2021) [2021] AICmr 50 (7Eleven) 51 7Eleven, [89] 52 Above n1, 132. 53 Ibid. 54 in South Australia, the draft Civil Liability (Serious Invasions of Privacy) Bill 2021 (Privacy Bill) has been tabled for consideration in Parliament to establish a new statutory cause of action for serious invasions of privacy in South Australia, which is separate and distinct from the Privacy Act and APPs. The Privacy Bill will enable an individual to bring civil proceedings against a person who has invaded their privacy where there was a reasonable expectation of privacy, the invasion of privacy was serious and the conduct was undertaken intentionally. Consultation in respect of the Privacy Bill is still underway, but that consultation process will hopefully assist in identifying how the proposed statutory tort can be best utilised to address the gaps in the safeguards provided for in the current privacy and surveillance laws.

FEATURE

When held to ransom: Legal implications of ransomware attacks for legal practitioners and their clients BROOKE HALL-CARNEY, AMY COOPER-BOAST AND ELIZABETH CARROLL-SHAW, LK LAW

s ransomware attacks accelerate in scale, frequency and sophistication, they pose a risk both to legal practitioners and their clients. It is not only government, critical infrastructure and large corporates falling victim: over 60% of Australia’s small to medium businesses have now experienced a cybersecurity incident.1 The professional services sector is emerging as a ransomware target2 – perceived as data-rich and motivated to protect client confidentiality or privilege. In a quickly evolving regulatory and threat landscape, it is critical for practitioners to understand the legal implications of ransomware incidents for their practices and for their clients.

THE NATURE OF THE THREAT Ransomware involves the use of malicious software to infiltrate and lock data or systems and demand payment for their release. Simpler models of attack involve cybercriminals encrypting files and demanding payment (typically in cryptocurrency) for a decryption key. The past year saw a rise in ‘double’ and ‘triple’ extortions.3 With ransomware victims choosing to restore data from back-ups rather than pay a ransom, or being unable to pay where uninsured or under-insured, cybercriminals have pivoted to exfiltration (covert extraction) of data. After exfiltration, two ransom demands follow – the first in exchange for unlocking the system or data; the second in exchange for not selling the data on the dark web, or releasing it publicly. A third ransom demand may be made directly to the victim’s clients or suppliers, whose confidential information was compromised – or, alternatively, the threat

of compromising clients or suppliers is used as leverage against the victim. A market for Ransomware-as-a-Service (RaaS) has emerged, with developers offering malware as a product for sale to hackers for a fee or a commission paid from the ransom.

PAYING CYBERCRIMINALS The Australian Cyber Security Centre (ACSC) is the Federal Government’s lead agency for cybersecurity. The ACSC’s position on ransomware payments is clear: payments are never condoned, do not guarantee a return of stolen data or system access, and perpetuate a vicious circle by funding cybercriminals. Some organisations adopt a policy to never pay; for others, where health or safety is put at risk, payment is more readily justified. A 2021 global survey indicates that of those attacked, a quarter paid the ransom, with the average ransom rising by 63% year-onyear.4 Ransoms are highest in the AsiaPacific, averaging US$2.35 million.5 In practice, a victim’s options when faced with a ransomware demand are influenced by complex factors: the severity of the attack; the sensitivity of compromised data; the extent to which data has been exfiltrated; the feasibility, time and cost of either data restoration (from back-ups) or decryption; business continuity; reputational, ethical, financial and insurance considerations; and the risk that paying a ransom will attract future attacks. Victims must also grapple with the legality of paying a ransom. Ransomware payments are not specifically prohibited under Australian law. A payment could,

however, offend anti-money laundering and counter-terrorism financing legislation where a victim holds sufficient knowledge as to the cybercriminal’s identity and possible use of the funds.6 If an illegal payment was made, a defence may arise in circumstances of duress, sudden or extraordinary emergency or self-defence (of persons or property). Paying a ransom would also constitute an offence under Australian law if made to persons or entities proscribed by UN or Australian sanctions, or in contravention of sanction laws.7 A defence arises for bodies corporate who prove they undertook reasonable precautions and due diligence to avoid a contravention.

WHO TO NOTIFY Ransomware victims will need to consider their communications with affected persons, insurers and stakeholders. They may be required to disclose the incident under third party contracts. A cybercrime police report can be made via the ACSC. Various notification regimes also operate: • Organisations with an annual turnover exceeding $3 million (amongst others) must report ‘eligible data breaches’ and notify affected individuals under the Privacy Act 1988 (Cth). • Responsible entities for specified critical infrastructure assets will be required to report cybersecurity incidents.8 • Reporting entities under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) have suspicious matter reporting obligations. April 2022 THE BULLETIN

FEATURE

•

ASX-listed entities should consider their continuous disclosure obligations. Disclosure may also be required in an entity’s financial reports. Financial institutions must report ‘material information security incidents’ under APRA Prudential Standard CPS 234. Mandatory notification schemes apply in the health, defence, aviation and maritime transport sectors. Organisations may be required to liaise with other sector-specific regulators. Australian businesses with international establishments or activities may have reporting obligations under foreign laws and regulations, such as the EU or UK General Data Protection Regulation.

RANSOMWARE REFORM Regardless of the outcome of the Federal election, further ransomware reform is imminent, with both major parties releasing competing ransomware strategies.9 Two Opposition bills have proposed mandatory reporting of ransomware payments. The Federal Government has foreshadowed mandatory reporting of ransomware incidents. At the time of writing, both regimes are proposed to apply to businesses with an annual turnover of $10 million or more.10 On 17 February, 2022, the Federal Government introduced the Crimes Legislation Amendment (Ransomware Action Plan) Bill 2022 (Cth). This Bill criminalises ransomware activities, RaaS and cyber-attacks on critical infrastructure, but

20 THE BULLETIN April 2022

does not introduce criminal or accessorial liability for making ransomware payments. By contrast, the Opposition has called for regulation of payments through measures such as government pre-approval.11

LIABILITY FOR ORGANISATIONS AND DIRECTORS A high alert issued by the ACSC in February, 2022 requested all Australian organisations to ‘urgently’ adopt an enhanced cybersecurity posture, as geopolitical tensions rose with the attack on Ukraine.12 Businesses may be exposed to ransomware attacks through their own security lapses or through supply chain vulnerabilities. In addition to theft or destruction of data and physical assets, reputational damage and financial losses, a ransomware attack can expose a business to litigation risk. Claims may be brought by clients or suppliers whose sensitive data has been stolen or leaked, or by contractors impacted by business disruptions. It is incumbent on organisations to consider mitigation measures such as: • Enhanced cybersecurity controls.13 • Staff education and simulations. • Contractual protections, such as cybersecurity requirements for suppliers and tailored force majeure clauses. • Multi-disciplinary response and continuity plans. • Cyber insurance (noting that it can be difficult to acquire, expensive and subject to exclusions and may cede control to an insurer). • Secure and regular back-ups and offline or ‘cold’ storage – key tools in avoiding

many ransomware payments. Back-ups will not, however, solve the dilemma of particularly sensitive data under threat of public release; albeit neither will be paying the ransom, with any degree of certainty. Although it has discussed mandatory or voluntary cybersecurity governance standards for large businesses,14 the Federal Government has not, to date, enacted any personal director liability for inadequate cyber protections. However, a director’s duty to act with care, skill and diligence will be breached by failing to prevent conduct carrying a foreseeable risk of harm to the interests of the company.15 Having regard to the deteriorating cyber threat environment, it is increasingly likely that courts will consider inadequate cybersecurity measures to pose a foreseeable risk of harm. ASIC has also recently emphasised the active role it expects from directors in managing cyber risk.16 Last year, ASIC commenced its first action against an entity for cybersecurity shortfalls. The entity, which is alleged to have breached financial services licensee obligations, experienced ransomware and other attacks.17

PITFALLS FOR LEGAL PRACTITIONERS Perhaps unsurprisingly, the legal profession is an attractive target for ransomware due to the valuable and sensitive nature of information held on behalf of clients. Most ransomware attacks in Australia are reported in the legal, accounting and management services

FEATURE

sector. Ransomware attacks may target legal practices directly, or may seek to exploit interdependencies with professional networks and service providers. As well as notification obligations and exposure to loss and liability, legal practitioners must consider their professional responsibilities. A failure to implement appropriate protections may result in breaches of fiduciary, tortious and contractual duties to clients; a breach of the South Australian Legal Practitioners’ Conduct Rules requiring maintenance of client confidence and competent, diligent delivery of legal services; and claims of unsatisfactory professional conduct or professional misconduct. Any ransomware payment would also require careful ethical navigation. Case examples highlight pitfalls of ransomware and other cyber-attacks for lawyers and their clients: • Law practices should ensure that important information, such as client data, retainer agreements and costs disclosures, is protected and backed-up.19 • Ransomware attacks can compromise data relevant to proceedings, causing evidentiary and discovery issues.20 This can lead to loss of evidence, and cost and difficulties in restoring files (if restoration is possible). Where litigation is anticipated or on foot, it is vital to ensure that relevant documents are securely backed-up. • A UK firm’s failure to implement multi-factor authentication, patches and encryption, whose sensitive court bundles were released on the dark web 18

•

by ransomware criminals, led to a £98,000 regulatory penalty.21 Legal professional privilege is not an actionable legal right. It cannot found an application to claw back or prevent the use of privileged documents where they are stolen from a law firm’s computer system and publicly disseminated.22 The impact of a cyber-attack can be farreaching, as illustrated by the law firm subject to the Panama Papers data spill. The infiltration of Mossack Fonseca’s systems and release of confidential documents led to severe reputational and financial consequences for the firm, and its closure two years later. B

Endnotes 1 This article is current as at 11 March 2022. Cyber Security Industry Advisory Committee, Locked Out: Tackling Australia’s ransomware threat (March 2021) p.2. 2 Australian Cyber Security Centre, Annual Cyber Threat Report 2020 – 2021 (15 September 2021), p.21, Figure 8. 3 Australian Cyber Security Centre, 2021 Trends Show Increased Globalized Threat of Ransomware (10 February 2022). 4 Crowdstrike, 2021 Global Security Attitude Survey, p.10. 5 Ibid. 6 Criminal Code Act 1995 (Cth), Criminal Code Part 5.3, Division 103 and Part 10.2, Division 400. 7 Charter of the United Nations Act 1945 (Cth) ss. 21 and 27 and Autonomous Sanctions Act 2011 (Cth) s.16. 8 Under Part 2B of the Security of Critical Infrastructure Act 2018 (Cth), once the rules ‘switching on’ these obligations are registered and a three-month grace period has passed. 9 Department of Home Affairs, Ransomware Action

Plan (October 2021); Federal Labor, Beyond the Blame Game: Time for a National Ransomware Strategy (February 2021). 10 See the Opposition’s Ransomware Payments Bill 2021 (Cth) and Ransomware Payments Bill (No 2) 2021 (Cth) and Department of Home Affairs’ medial release, New plan to protect Australians against ransomware (13 October 2021). The Opposition’s proposal would additionally apply to Government entities. 11 Federal Labor, Beyond the Blame Game: Time for a National Ransomware Strategy (February 2021), pp.14 – 16. 12 Australian Cyber Security Centre, Australian organisations should urgently adopt an enhanced cyber security posture (23 February 2022; updated 4 March 2022). 13 This ought to include, as a baseline, the ACSC’s ‘Essential Eight’ strategies: see <https://www. cyber.gov.au/acsc/view-all-content/essentialeight>. 14 Department of Home Affairs, Strengthening Australia’s cyber security regulations and incentives: An initiative of Australia’s Cyber Security Strategy 2020 (July 2021); industry consultation closed in August 2021. 15 ASIC v Cassimatis (2016) 336 ALR 209. 16 ASIC Chair Joseph Longo, ‘ASIC’s corporate governance priorities and the year ahead’ (Speech delivered at the AICD Australian Governance Summit, Melbourne Convention Centre, 3 March 2022). 17 ASIC v RI Advice Group Pty Ltd [2021] FCA 1193. 18 Office of the Australian Information Commissioner, Notifiable Data Breaches Report: July to December 2021 (22 February 2022), pp. 23 – 26. 19 Leung v Fordyce (t/a Pmf Legal Trading) [2019] NSWSC 18. 20 In the matter of Beverage Freight Services Pty Ltd [2020] NSWSC 509; Cargill Australia Limited v Viterra Malt Pty Ltd (No. 28) [2022] VSC 13. 21 Information Commissioner’s Office (UK), Monetary Penalty Notice issued under Data Protection Act 2018 to Tuckers Solicitors LLP (28 February 2022). 22 Glencore International AG v Commissioner of Taxation (2019) 265 CLR 646.

April 2022 THE BULLETIN

CLOUD COMPUTING

An analysis of the Law Society of South Australia’s Cloud Computing Guidelines MARK FERRARETTO, SOLICITOR, EZRA LEGAL

What We Will Cover In this first article we’ll give a broad overview of what lies ahead, and then explore issues relating to governance of cloud computing. Firstly, we will discuss key points from the Guidelines and then discuss how I approach the analysis.

guiding practitioners through the evaluation and adoption of cloud systems. Overall, in my view, they paint a cautionary tale. The Guidelines cover a raft of issues, but they can be grouped into these broad categories: 1. Governance; 2. Confidentiality; 3. Data security; and 4. Data resilience. The Guidelines’ dealings with governance refer mainly to issues around data sovereignty and the governing jurisdiction of a cloud service’s terms of service. Data sovereignty raises issues of the underlying laws of a sovereign state that protect (or otherwise) your data. Ideally, practitioners would want their data located in Australia so that their data is protected by Australian law, which if nothing else, is a known quantity. Governing jurisdiction clauses in terms of service raise issues regarding the ease (or otherwise) of asserting a party’s legal rights. The Guidelines unsurprisingly deal extensively with confidentiality. Confidentiality stems from the risk of third party access to data but extends past this because, as we shall see, third parties always have access to our data regardless of whether it is in the cloud or on-premises. The confidentiality issue becomes a question of regulation of third-party access to a degree that satisfies practitioners’ obligations under the Australian Solicitor Conduct Rules.2 Data security is self-explanatory and has long been a concern of those looking to migrate to the cloud. As will be demonstrated, data security is also a significant issue with on-premises systems. Data resilience refers to several aspects. The most obvious being availability of data (ie: how often does a service crash). Less obvious are issues around incident management and data portability, data portability being the ability to extract data out of a cloud service if desired.

The Cloud Computing Guidelines As I’ve said, the Cloud Computing Guidelines are drafted with a view to

Analysis The aim of my analysis is to apply the abstract concepts in the Guidelines

he Law Society publishes Cloud Computing Guidelines1 which quite rightly guide legal practitioners through the various risks and issues associated with adoption of cloud services. What the Cloud Computing Guidelines neglect to mention, however, is that these same risks and issues also apply to on premises services. When evaluating cloud services, legal practitioners should evaluate the risk profile of cloud systems against the risk profile of adopting (or remaining with) on premises computer systems. This article and the next four that follow it analyse a set of cloud services commonly used in the legal profession against the Cloud Computing Guidelines and compares these services against on premises services. Before we get under way however, I should disclose a bias. I am a big fan of cloud services. The convenience of having information at your fingertips is simply too attractive. I constantly demonstrate to friends and colleagues how I can write on a tablet and have my writing magically appear on my desktop and on my phone at the same time. The accessibility that cloud services provide can lead to a great increase in productivity. Cloud services do pose unique challenges, data sovereignty and data security being but two. However, cloud services have evolved significantly over the last five years, to say nothing of the last 10 to 15 years. In my view, there are many contexts where using cloud services for data storage should now be considered best practice for law firms. Thus endeth my declaration of bias.

22 THE BULLETIN April 2022

to the practical context of cloud services commonly used by legal practitioners. To that end, I have decided to analyse the Guidelines against a set of popular cloud services and also against an onpremises context. The could services to be analysed are: • Dropbox (the consumer version);3 • Dropbox Business;4 • Google Workspace;5 • Microsoft 365;6 • LEAP;7 and • Actionstep.8 It is worth stating that there are many other cloud services, large and small, that are available to legal practitioners. My intention is to focus on the more prominent services that many practitioners consider adopting or have already adopted. It is also worth stating that this analysis is not a substitute for performing your own due diligence!

GOVERNANCE Two main points in the Cloud Computing Guidelines relate to governance – data sovereignty and jurisdictional issues. Let’s deal with data sovereignty first. Data Sovereignty As discussed above, data sovereignty relates to the location of data. The location of data is important as different countries prescribe different legal protections to data stored in them. Protections vary widely from country to country. Also, sovereign data protection may only extend to the citizens of a country. For example, data stored in the US may not be subject to the constitutional protections afforded to US citizens. Cloud services may store data across many countries. As cloud services usually store multiple copies of customer data (for resilience), it’s possible that information stored with a cloud service could fall under multiple widely-varying data legislation. Google, for example, stores its Google Workspace data in 18 different countries across the world, from the USA to Finland to Indonesia.9

CLOUD COMPUTING

TABLE 1 GOVERNANCE DATA SOVEREIGNTY Dropbox Dropbox Business

(Location of data) ‘All around the world’ File data in Australia, metadata and ‘Paper’ data in the US

GOVERNING JURISDICTION USA USA

Google Workspace

Worldwide

USA

Microsoft 365

Australia

USA

LEAP

Australia

Actionstep

Australia

On Premises

Australia

Ideally, as practitioners, we would want our data stored in Australia so that it falls under the protections of Australian law which, although may not the most protective laws, at least are well-known and understood. So, we will assess data sovereignty by asking the question: ‘Can my data be stored exclusively in Australia?’ Governing Jurisdiction Governing jurisdictional issues arise as most cloud service providers are based outside of Australia and usually require their customers to agree to have their agreements governed under foreign, predominantly US, laws. For Australians this predominantly raises a convenience and cost issue as any dispute needs to be litigated overseas. It also subjects agreements to foreign laws that may not contain the same level of consumer protection as Australian law. Data sovereignty and governing jurisdiction are clearly not issues in an on-premises environment. Data on premises is stored in Australia. For firms that outsource their IT support, they do so with local firms and these agreements are governed under Australian law. In contrast, these issues do arise with cloud services, particularly so with consumer services, such as Dropbox. The consumer Dropbox stores its data ‘around the world’10, giving a user no control over where their data resides. Dropbox’s business offering is better, allowing file storage to be limited to Australia, but file

metadata and other products, such as its ‘Paper’ product, remain located in the US.11 Google’s Workspace business offering gives no option to nominate where data is to reside. A Workspace subscriber must accept that their data will reside in any of the 18 locations where Google has data centres.12 Microsoft 365 allows its customers to specify that all data, including email, file storage, SharePoint and Teams data, be located in Australia.13 Both LEAP14 and Actionstep15 also locate data exclusively in Australia. Most of the cloud services reviewed contain jurisdictional clauses that govern agreements under US law. The Dropbox Business terms also impose a mandatory arbitration process.16 The only exceptions for the services reviewed are LEAP and Actionstep which are governed under NSW law17 (for LEAP) and ‘Australian law’18 according to Actionstep’s terms. The Verdict Clearly the on-premises solution wins out in this category. Data sitting in a practice’s office will be located in and governed by the jurisdiction a practitioner is most comfortable with. The practice management systems also do well in this category. The big cloud providers are all based in the US so while some, such as Microsoft, allow for location of data in Australia, terms are still governed by US Law. On-premises wins this round. In the next article we discuss confidentiality. B

Endnotes 1 ‘Cloud Computing Guidelines’ (Law Society of South Australia, February 2016) <https:// www.lawsocietysa.asn.au/pdf/EP_Cloud%20 Computing%20Guidelines.pdf>. 2 ‘Australian Solicitors’ Conduct Rules (SA) 2011 V3 with Commentary’ (Law Society of South Australia, 1 July 2015) <https:// www.lawsocietysa.asn.au/pdf/Australian%20 Solicitors’%20Conduct%20Rules%20(SA)%20 2011%20V3%20with%20commentary.pdf>. 3 ‘Dropbox’, Dropbox <https://www.dropbox. com/> In this paper ‘Dropbox’ means the consumer version of Dropbox (which has a free offering) and ‘Dropbox Business’ means the business offering (which has no free offering). 4 ‘Secure Team Collaboration - Dropbox Business’, Dropbox <https://www.dropbox.com/ business>. 5 Google, ‘Google Workspace | Business Apps & Collaboration Tools’, Google <https://workspace. google.com/intl/en_au/>. 6 ‘Compare All Microsoft 365 Plans | Microsoft’ <https://www.microsoft.com/en-au/ microsoft-365/business/compare-all-microsoft365-business-products>. 7 ‘Legal Practice Management Software | LEAP Legal Software’, LEAP AU <https://www.leap. com.au>. 8 ‘Actionstep - Legal Practice Management Software’ <https://www.actionstep.com/>. 9 Google, ‘Global Locations - Regions & Zones’, Google Cloud <https://cloud.google.com/about/ locations>. 10 Dropbox, ‘Privacy Policy’, Dropbox <https:// www.dropbox.com/privacy>. 11 Dropbox, ‘Dropbox Business Security, A Dropbox Whitepaper’ 13 <https://www. dropbox.com/static/business/resources/ Security_Whitepaper.pdf>. 12 Google (n 9). 13 Microsoft, ‘Privacy & Security Terms’, Microsoft | Licensing <https://www. microsoft.com/licensing/terms/product/ PrivacyandSecurityTerms/all>. 14 LEAP, ‘LEAP Information Security Policy | LEAP Legal Software’, LEAP AU <https:// www.leap.com.au/information-security-policy/>. 15 Actionstep, ‘Tems of Use’, Actionstep [9.4] <https://www.actionstep.com/legal/>. 16 Dropbox, ‘Business Agreement’, Dropbox [13.2], [13.3] <https://www.dropbox.com/business_ agreement>. 17 This was confirmed to me by email in 1 February 2022 from a LEAP representative. 18 Actionstep (n 15) [10.5].

April 2022 THE BULLETIN

FEATURE

CANCELLATION COURT! DJOKOVIC RALLIED TO SECURE RELEASE BEFORE THE MINISTERIAL DISCRETIONS PROVED A WINNER CHRIS JOHNSTON AND ROSA TORREFRANCA, IMMIGRATION LAWYERS, WORK VISA LAWYERS

he two recent Djokovic visa cancellations and appeals have provided insight into non-character related cancellation powers under the Migration Act 1958. The Federal Circuit Court and Family Court of Australia have established an online public file for the Djokovic matter.1 This was done with a view to the public interest and provides a great opportunity to view the inner workings of the courts, for law students or anyone interested, to view a range of relevant documents including primary documents from the Department of Home Affairs (DHA) and Tennis Australia, the lodgements with full grounds, the parties’ submissions and the decisions. From a detailed analysis of the files, we will discuss the turning points of the cases and lessons to be learned for visa holders trying to enter Australia.

THE FIRST DJOKOVIC CANCELLATION: IN IMMIGRATION CLEARANCE AT THE MELBOURNE AIRPORT BEFORE ENTERING AUSTRALIA Novak Djokovic was granted a 408 Temporary Activity Sports Stream visa, on 19 November, 2021.2 We will detail the timing and content of interactions between Djokovic and the Delegate of the Minister of Immigration, because these events subsequently proved to be significant: • Djokovic arrived by plane at the Melbourne Airport just before midnight on 5 January, 2022.3 • He was interviewed between 00.21 and 00.52 am by a Delegate, with some brief breaks.4

24 THE BULLETIN April 2022

•

Djokovic was given a Notice of Intention to Cancel (NOITC) at or about 4.11am, 6 January, 2022. • He asked for time to rest and to “talk to [his] solicitor again.” And asked for this time to be up until 8.00 or 8.30. • The Delegate checked with his superiors and then said that Djokovic would be given more time. • He was interviewed by the DHA officer from 6.07 am and the decision to cancel was made at 7.29 • Djokovic was notified of the Decision to cancel at 7.42 am. The DHA decision record provides that the grounds for cancellation: “Under the Biosecurity Act 2015, there are requirements for entry into Australian Territory. These requirements include that international travellers make a declaration as to their vaccination status (vaccinated, unvaccinated, or medically contraindicated). … Previous infection with COVID-19 is not considered a medical contraindication for COVID-19 vaccination in Australia. Subject to Section 116(1) of the Migration Act 1958, the Minister may cancel a visa if he or she is satisfied that; (e) the presence of its holder in Australia is or may be, or would or might be a, a risk to: i. the health, safety or good order of the Australian community or a segment of the Australian community… Based on the above information, I am satisfied there are grounds to consider cancelling the visa holder’s subclass GG 408 visa.”5 Following the cancellation, Djokovic was taken to immigration detention at the Park Hotel, where a number of asylum seekers in long term detention are also held.

APPEAL TO THE FEDERAL CIRCUIT COURT (FCC) Arguments made before the FCC As Djokovic did not make it through immigration clearance, he did not ‘enter Australia’, the 408 visa was cancelled prior to entry. As such, merits review at the Administrative Appeals Tribunal (AAT) was not available and his appeal options were limited to the Federal Circuit Court. An appeal of the cancellation decision was lodged on the 6 January, 2022. The applicant’s Representatives6 submitted that there were a “variety of jurisdictional errors”. These grounds included: • Failure to give the required notice under section 119(1), (Ground 1A). • Error in purported formation of state of satisfaction in the Decision to cancel (Ground 1B) • Errors in failing to consider the applicant’s medical contraindication (Ground 1C) The applicant’s representative made arguments for why Djokovic had provided evidence for a “medical contraindication”. Under the Biosecurity Determination made under the Biosecurity Act 2015. • Failure to consider representation made by Djokovic (Ground 2A) and illogicality and/or unreasonableness in relation to extenuating circumstances (Ground 2B) • Procedural unfairness (Ground 3A) and unreasonableness in process (3B) preceding the cancellation. The representatives for the DHA submitted that all the grounds should be rejected, with detailed arguments on medical exemptions. In relation to ground (1A) claiming the NOITC was affected by error, the

FEATURE

representatives for the Minister wrote: “That unfortunate typo misquoting the provision in one spot is unfortunate but immaterial.”7 The representatives submitted Djokovic’s claimed medical contraindication did not meet the requirements under the ATAGI Exemption Guidance (Ground 1C).8 In relation to the ground of illogicality, the representatives warn against the slide into impermissible merits review, citing Minister for Immigration and Citizenship v SZJSS (2010) 243 CLR 164 at [30].9 This argument proved to be of great significance in the second Djokovic cancellation and appeal. In relation to the claim of lack of procedural fairness (Ground 3A) the representatives provided: “Here, there is no evidence from the applicant’s lawyers about what they would or could have done between 7.42am and 8.30am, whom he had contacted previously.”10 In their conclusion, the Minister’s representatives made the following point, quoted below, that if the Court makes a decision in favour of the applicant, then the Minister has other cancellation powers under the Act: “if this Court were to make orders in the applicant’s favour, it would then be for the respondent to administer the Act in accordance with law. That may involve the delegate deciding whether to make another cancellation decision, but there are also other powers in the Act, as the Court would be aware.”11

FCC FINDS IN FAVOUR OF DJOKOVIC (FIRST DECISION) The Federal Circuit Court hearing was before Judge Kelly on the 10 January,

2022. The hearing was video cast to the public, but was oversubscribed, and continually crashed. Judge Kelly was clearly unimpressed by many elements of the cancellation and provided some damning comments during the hearing. Judge Kelly said: “Here, a professor and an eminently qualified physician have produced and provided to the applicant a medical exemption,” “Further to that, that medical exemption and the basis on which it was given, was separately given by a further independent expert specialist panel established by the Victorian state government.”12 Judge Kelly went on to ask: “What more could this man have done?”13 In relation to the submission by the Respondents, suggesting that even if Djokovic had access to a lawyer at the later stages at the Airport and given the opportunity to respond, that a lawyer could not help him. Judge Kelly commented: “What they are saying is, ‘Getting in touch with your lawyers is not really going to help any of us. Why don’t we get it done?’”14 Judge Kelly found in favour of the applicant in the form of an Order.15 The Order was based the unreasonableness of the cancellation process which was Ground 3B.16 Judge Kelly did not publish a detailed decision and so there was no insight in the grounds based on medical contraindication. The Order contained a notation which stated: “The respondent concedes that the delegate’s decision to proceed with the interview and make a decision to cancel

the applicant’s visa pursuant to s 116 of the Migration Act 1958 (Cth) was unreasonable in circumstances where: 1. at 5:20am on 6 January 2022 the applicant was told that he could have until 8.30am to provide comments in response to a Notice of Intention to Consider Cancellation under s 116 of the Migration Act 1958 (Cth); 2. instead, the applicant’s comments were then sought at about 6:14am. 3. the delegate’s decision to cancel the applicant’s visa was made at 7.42am; 4. the applicant was thus denied until 8.30am to make comments; 5. had the applicant been allowed until 8:30am, he could have consulted others and made further submissions to the delegate about why his visa should not be cancelled.”17 The Order was that the decision to cancel be quashed18 and that Djokovic be released immediately from immigration detention.19

FIRST CANCELLATION AND SUCCESSFUL APPEAL: LESSONS TO BE LEARNT Djokovic and any person entering Australia on a visa should take a number of steps to have been better prepared for a potential interview at the airport. These could have included: • Ensuring all information provided to the DHA or the Department of Foreign Affairs and Trade (DFAT) is accurate, including the information relating to travel and medical history and criminal history (including previous convictions) • Arriving at a time when he could more easily be represented, rather than at around midnight. April 2022 THE BULLETIN

FEATURE

•

Having a full set of his supporting documents available to him at the airport. Having an Immigration Lawyer at the airport or at least on call at the time of arrival, so that they could have assisted him with his opportunity to respond. In circumstances where someone has had their visa cancelled in immigration clearance, the possibility of a successful appeal of an airport cancellation to the FCC has been demonstrated by Judge Kelly’s order. The process of cancellation and the reasonableness of denying access to a lawyer are areas of potential jurisdictional error.

DJOKOVIC PREPARING TO PLAY AND WAITING FOR A FURTHER DECISION After Djokovic’s successful appeal, there were four days of waiting to see if there would be a second cancellation. During this time, there was a high level of scrutiny in the media in relation to Djokovic’s actions in the weeks leading up to his travelling to Australia.20 These articles raised issues which could have been grounds for a further cancellation. The issues included whether he had been accurate in his travel declaration form that was completed prior to entering Australia. Further issues emerged in relation to Djokovic’s actions immediately following his finding out that he had contracted Covid in mid-December, 2021. It was reported that he attended public events like the commemoration of his personal stamp in Serbia and a basketball match in Barcelona after testing positive for COVID-19.21 As these details emerged in the media Djokovic made statements in his social media saying that there had been errors.22 Djokovic was likely attempting to reduce the chance of a cancellation under s116(1AB) for providing incorrect information.

THE SECOND DJOKOVIC CANCELLATION: BACK TO DETENTION AND FULL FEDERAL COURT APPEAL The second decision relates to what is often called the God powers of the Minister of Immigration.

26 THE BULLETIN April 2022

At the 10 January, 2022 hearing of Djokovic’s application to quash the 6 January, 2022 decision of the Delegate of the Minister to cancel his visa, counsel for the Minister for Home Affairs informed the Court that the Minister for Immigration, Citizenship, Migrant Services and Multicultural Affairs (Minister) would be considering whether or not to exercise the Minister’s personal power to cancel a visa under s133C(3) of the Migration Act.23 The relevant part of s133C(3) reads:

133C Minister’s personal powers to cancel visas on section 116 grounds Action by Minister—natural justice does not apply (3) The Minister may cancel a visa held by a person if: i. the Minister is satisfied that a ground for cancelling the visa under section 116 exists; and (b) the Minister is satisfied that it would be in the public interest to cancel the visa. Note: The Minister’s power to cancel a visa under this subsection is subject to section 117 (see subsection (9) of this section). (4) The rules of natural justice, and the procedures set out in Subdivisions E and F, do not apply to a decision under subsection (3). As mentioned above, the delegate of the Minister cancelled Djokovic’s visa pursuant to Section 116(1)I(i) of the Migration Act 1958(Cth), which reads: 116 Power to cancel 1. Subject to subsections (2) and (3), the Minister may cancel a visa if he or she is satisfied that: … I the presence of its holder in Australia is or may be, or would or might be, a risk to: i. the health, safety or good order of the Australian community or a segment of the Australian community; … The power given to the Minister under s133C(3) is personal and cannot be delegated. It is also clear under s133C(4) that the Minister in exercising the power is not required to afford ‘natural justice’ to the visa holder. It will be recalled that natural justice was the reason why the Minister’s

delegate’s decision made on 6 January, 2022 was quashed by the Court. The procedure adopted by the delegate was unreasonable.24 So it came to pass that late on 14 January, 2022 (a Friday) as foreshadowed by the Minister’s counsel, the Minister exercised his power to cancel Djokovic’s visa under the above-mentioned section. Djokovic had the resources to mobilise a legal team to work late on a Friday night in order to file an urgent application seeking interim relief and for judicial review. The following day (Saturday), the matter was transferred from the Federal Circuit and Family Court to the Federal Court. The Chief Justice directed that the original jurisdiction be exercised by a Full Court. On the Sunday, a day before the start of the Australian Open, Djokovic was in court but probably not the court he thought he would be attending when he arrived in Australia late on 5 January, 2022. The matter was heard by Allsop CJ, Besanko and O’Callaghan JJ. The Court on the same day of the hearing dismissed Djokovic’s application, with costs.

Djokovic’s grounds Djokovic’s legal team put forward three grounds25: 1. That the Minister’s decision had binary legal outcomes, that is, not to cancel and let Djokovic stay in Australia or cancel his visa, detain him and remove him from Australia. They argued that it was unreasonable for the Minister to only consider the effect of his presence in Australian but not the effect if Djokovic gets deported. The Minister’s decision is therefore affected by jurisdictional error. 2. They submitted that the Minister cited no evidence that supported his findings that Djokovic’s presence in Australia may “foster anti-vaccination sentiment” and therefore he cannot make the finding that Djokovic may be a risk to the health of the Australian community, that he is a risk to the good order of the Australian community and that it would be in the public interest to cancel Djokovic’s visa. 3. It was also argued that the Minister

FEATURE

did not seek Djokovic’s view on vaccination, instead the Minister relied on an interview conducted in April 2020 wherein Djokovic said that he was “opposed to vaccination”. It was noted that at the time of this interview, COVID-19 vaccines were not yet available and that Djokovic later clarified his position that he was “no expert”, “would keep an open mind” and would want to have an “option to choose what’s best for my body.”26 The Court dismissed all three grounds.

Reasons of the ruling The crux of this matter turns on the “satisfaction” of the Minister as provided for by s 133C(3)(a) of the Act that there is a ground for cancelling the visa under s116(1)(e)(i) of the Act and the Minister is satisfied that it would be in the public interest to cancel the visa (s133C(4). As ruled by the Court, “[t]he satisfaction of the Minister is not an unreviewable personal state of mind. The law is clear as to what is required. If, upon review by a court, the satisfaction is found to have been reached unreasonably or was not capable of having been reached on proper material or lawful grounds, it will be taken not to be a lawful satisfaction for the purpose of the statute”27:

The Court further ruled in paragraphs 25 to 26 and 28, so long as the Minister in exercising his power to cancel the visa “do so based on some evidence, rather than no evidence or no material, unless the finding is made in accordance with the Minister’s personal or specialised knowledge or by reference to that which is commonly known”: The High Court (Keane, Gordon, Edelman, Steward and Gleeson JJ) in Minister for Immigration, Citizenship, Migrant Services and Multicultural Affairs v Viane [2021] HCA 41; 395 ALR 403 and does “not act dishonestly, capriciously or arbitrarily”, then the “Courts of law cannot and ought not interfere” : Starke J in Boucaut Bay Company Ltd (in Liq) v Commonwealth [1927] HCA 59; 40 CLR 98 The Minister in cancelling Djokovic’s visa provided a 10-page Statement of Reasons. The Minister did not have the obligation to provide the statement of reasons28 but perhaps in anticipation of a legal challenge and the publicity of the case, did so. In the Minister’s Statement of Reasons, the Minister noted among others, that: 1. Djokovic is a high-profile personality; 2. who is unvaccinated; 3. has publicly declared that he was opposed to being vaccinated; 4. Djokovic has disregarded precautionary

requirements to stop the spread of COVID-19 by attending an interview and photoshoot after receiving his positive COVID-19 test result.29 The Minister in his reasons noted the Djokovic’s presence in Australia may foster anti-vaccination sentiment and may persuade the undecided against getting the COVID-19 vaccine or the booster at the time when there is a surge in the number of COVID-19 infections in Australia.30 Djokovic’s arguments failed because as the Court ruled the legal requirement was whether the Minister is “satisfied” that the “presence” of the visa holder may be a risk to the health, safety or good order of the Australian community. The Minister is not required to consider the effects of deporting the visa holder.31 The Court also ruled that it was open for the Minister to find that it was perceived by the public that Djokovic was not in favour of vaccinations and not necessarily about Djokovic’s views. Further, it was noted that it was not that Djokovic’s actions and statements were/are a threat to public health, safety or good order but it is his presence in Australia may be, or would or might be, a risk to the health, safety or good order of the Australian community or a segment of the Australian community.

YOUR fertility, YOUR way Intelligent science, caring for YOUR fertility, in South Australia Can you see children in your future but you aren’t ready yet? It’s YOUR timeframe.

The benefit of time – is the time to pursue your dream career, to meet the right partner, or to pursue your family when you feel ready – all with the peace of mind that you’ll be able to start your family when YOU feel it’s right. The main options for preserving fertility is to freeze eggs, sperm or embryos. For women, we offer state of the art freezing techniques, giving you the best opportunity for pregnancy later. For men, we freeze a sample of your semen for later use. Call us and we can support your decision making.

Own YOUR future | 08 8100 2900

April 2022 THE BULLETIN

FEATURE

Therefore, all the Minister has to show is that he is satisfied that Djokovic is a possible influence, a hero for anti-vaxxers.

THE MINISTER’S “GOD-LIKE” POWERS The Court’s decision highlights the powers vested on the Minister of Home Affairs which has been described as “god-like”. To give us an idea of how broad and substantial the powers of the Minister are, a report, “Playing God, The Immigration Minister’s Unrestrained Power”32 published by Liberty Victoria in 2017 noted that the Minister for Immigration and Border Protection (as the Minister was then known) has the most discretionary powers of any Cabinet Minister. The Minister for Immigration is responsible for the administration of 20 Acts but has 47 ‘national interest’ or ‘public interest’ powers. Compare this to the Prime Minister who is responsible for 43 acts but only has 3 ‘national interest’ or ‘public interest’ powers.33 It may be a surprise for most Australians to know that the Minister for Immigration has powers that are not subject to natural justice. Quoting the Liberty Victoria’s report: “The concept of natural justice is so fundamental to Australian law that the courts have repeatedly held that it cannot be excluded from such a decision without ’plain words of necessary intendment’, a ‘clear manifestation’ of the legislature’s intention to deny it. Without such plain words, legislation will always be read to include natural justice and decisions must be made in accordance with its requirements.” 34 Section 133(C) of the Migration Act is just one of the many powers conferred upon the Minister for Immigration. While the exercise of the power is reviewable, the threshold for the court to overrule the Minister’s decision is low as can be seen in Djokovic’s case.

WHY DID DJOKOVIC LEAVE SO PROMPTLY AFTER THE SECOND CANCELLATION? The timing of the second cancellation meant that there was not enough time to effectively mount a legal challenge to the decision of the full Federal Court. The 2022 Australian Open was to

28 THE BULLETIN April 2022

commence the day after the decision of the court. There are cost implications in relation to having been held in immigration detention and also in relation to be being deported35. Further time in immigration detention would also have undermined Djokovic’s ability to maintain his physical fitness. With potential cost implications and the possibility of prolonged detention, it is not surprising that Djokovic left promptly.

FUTURE IMPACTS FOR DJOKOVIC FROM THE VISA CANCELLATION Djokovic faces is three-year bar pursuant to public interest criteria (PIC) 4013 and 4014 in Schedule 4 of the Migration Regulations 1994 from applying for a further Australian visa due to the cancellation under s116. He could also face problems from public interest criteria 4020 related to providing false or misleading information, which applies to most Australian visas, including the subclass 408 Sports Stream visa. If Djokovic wants to play the 2023 Australian Open, he will need to successfully be granted a 408 visa. There is significant potential for information provided as part of his most recent 408, to be found to be misleading. This includes his Australian Travel Declaration in which he said he had not travelled in the 14 days prior to his flight to Australia.36 There is, allegedly potential evidence to suggest Djokovic did travel during that time. There is a permanent residency visa called the Distinguished Talent Visa, which allows for people in professions, sports and the arts to apply for permanent residency. The criteria includes that the person must be able to demonstrate that they are at the top of the field and that they could easily obtained employment within Australia. Having struggled to meet the requirements for a temporary visa to enter Australia, Djokovic could potentially apply to become an Australian permanent resident through a Distinguished Talent Visa. But the question is would he want to?

IMPLICATIONS FOR HIGH PROFILE VISITORS TO AUSTRALIA WHO MAY POSE A RISK? The Full Federal Court decision raises

the question - Are the powers of the Minister of Immigration too wide? The God powers of the Minister under the Migration Act 1958 in s116(e) i are not restrained to be exercised in favour of health issues such as in a pandemic. The speculative and low level of potential risk is “may be, our would or might be, a risk to” provides great power to define the future risk. The type of risk is to “the health, safety or good order of the Australian community or a segment of the Australian community”. We have just seen an example of “health”, but “safety” is a wide concept and “good order” similarly vague. Is being able to cancel someone’s visa based on something that might or may happen representing the best the interests of Australia? There may be other public figures that could arrive to work in Australia and have their visa cancelled due to the possibility of arousing a strong public response in relation to a particular issue. For example, could Greta Thunberg represent a risk to Australia’s good order, if she “may” inspire many young people to go to environmental protests? The next high profile visa cancellation could be just around the corner. Prime Minister Scott Morrison responded to a question about Kanye West by saying: “the rules are you’ve got to be fully vaccinated.”37

WHAT ARE THE PRACTICAL LESSONS FROM THE SECOND CANCELLATION USING THE MINISTERIAL POWERS? The involvement of the world’s number one tennis player is unusual but visa cancellations are actually fairly common in migration law. 1. Timing Do not be fooled by the quick results in Djokovic. The speed as to when the case was listed and when the decision was handed out. This does not reflect the reality in immigration cases where normally matters takes months even years to be resolved. The Biloela family, the Sri Lankan Tamil family who has been in detention since 2018, is a case in point.

FEATURE

2. Re-cancellation The re-cancellation of Djokovic’s visa raises the question of why appeal? It is often difficult to justify to a potential client the expense and time involved in challenging a cancellation at the Federal Circuit Court. When even if successful the Minister may and often does step in and cancel the person’s visa again. What is the point in appealing when the Minister can re-cancel the visa under s133C. The Minister can also cancel visas not just on the grounds stated in s 116 (1) but also on character grounds under s 501 of the Migration Act. As discussed above, how about other “high-profile” candidates or visa holders? Could their visa also be cancelled on the ground that they pose a risk to Australia’s “public order”. 3. Costs involved in appealing to the Federal Court The second Djokovic application to the full Federal Circuit Court was “dismissed with costs, which was to be agreed or failing agreement assessed”. Djokovic, being the world’s number tennis player with millions of dollars in career earnings can without a doubt afford to pay these costs. However, potential clients who are also thinking of challenging the Minister’s decision to cancel should also be warned about the costs involved. Visa holders are often not aware that they are not only liable for their own costs (the court application fees, lawyers and barristers fees, etc) but are also at risk of having to pay the costs of the Minister which could be potentially substantial if they lose. 4. High-profile visa holders beware The Full Federal Court decision underlines the Minister’s wide discretionary power under s133C. High profile personalities planning to come to Australia should think carefully if their profiles and views could lead to being cancelled. 5. Risk to all visa holders The risk of having a visa cancelled is not just for temporary visa holders but also for permanent visa holders. Those that hold permanent resident visas should consider applying for Australian citizenship to avoid any visa cancellation. B

Endnotes 1 Federal Circuit and Family Court of Australia, Novak Djokovic Online File, https://www.fcfcoa. gov.au/migration-law/online-file/djokovic at 30 January 2022. 2 OP Holdenson QC, N M Wood SC, N Dradojlovic, J E Hartley, (The Applicant’s representatives) Applicant’s outline of submissions, 8 Jan 2022, p35, in Federal Circuit and Family Court of Australia, Novak Djokovic Online File, https://www.fcfcoa.gov.au/migration-law/ online-file/djokovic at 30 January 2022. 2 [1]. 3 Ibid, 1 [1]. 4 Ibid, 100 [26]. 5 Delegates Decision to Cancel under section 116 of the Migration Act 1958, Sudhir R, Position Number 60063579, 06 January 2022, 7.29am 6 OP Holdenson QC, N M Wood SC, N Dradojlovic, J E Hartley, (The Applicant’s representatives) Applicant’s outline of submissions, 8 Jan 2022, p35, in Federal Circuit and Family Court of Australia, Novak Djokovic Online File, https://www.fcfcoa.gov.au/migrationlaw/online-file/djokovic at 30 January 2022. 7 Ibid, at 23 [3]. 8 Christopher Tran and Naomi Wootton, (The Respondent’s representatives) Respondent’s outline of submissions, 9 Jan 2022, p35, in Federal Circuit and Family Court of Australia, Novak Djokovic Online File, https://www.fcfcoa. gov.au/migration-law/online-file/djokovic at 12 February 2022 30-53 [5-9] 9 Ibid, 63 [10], Citing See Minister for Immigration and Citizenship v SZJSS (2010) 243 CLR 164 at [30] (the Court, referring with approval to observations of Basten JA with whom Allsop P (as his Honour then was) agreed in Swift v SAS Trustee Corporation [2010] NSWCA 182 at [45]); Carrascalao v Minister for Immigration and Border Protection (2017) 252 FCR 352 at [32] (the Court). 10 Ibid, para 15 [3]. 11 Ibid, 76, [12]. 12 Karen Sweeney, Judge: ‘What more could Djokovic do?’, (Web Article, 10 January 2022) https:// indaily.com.au/news/national/2022/01/10/ judge-what-more-could-djokovic-do/. 13 Ibid. 14 Aaron Patrick, Djokovic scored a judge who’s a fan, of his case, Australian Financial Review, 10 January 2022, (Web Article) https://www.afr.com/workand-careers/workplace/djokovic-scores-a-judgewho-s-a-fan-of-his-case-20220110-p59n1e. 15 Order of Kelly J, in Novak Djokovic v Minister for Home Affairs (Federal Circuit Court, MlG35/2022, 10 January 20220. 16 Ibid, Notation, [2]. 17 Ibid, [2]. 18 Ibid, 1 [1]. 19 Ibid, 3 [1]. 20 Georgia Hitch and Stephanie Borys, ABC News, Questions raised over Novak Djokovic travel declaration on entry form to Australia (Web Article, 12 January 2022) <https://www.abc.net.au/news/202201-11/questions-novak-djokovic-travel-entryform-australia/100750334> ; See also ESPN, New wrinkle: Travel declaration made by top-ranked tennis star Novak Djokovic raising questions about his compliance with Australia’s COVID-19 rules (Web Article 11 January 2022) https://www.espn. com.au/tennis/story/_/id/33039293/prime-

ministers-australia-serbia-speak-phone-novakdjokovic-disputed-visa. 21 Tumaini Carayol and Christopher Knaus, The Guardian, Djokovic pictured maskless at public event one day after positive Covid test (Web Article 9 January 2022) https://www.theguardian.com/ sport/2022/jan/08/novak-djokovic-reliedon-december-covid-infection-for-vaccineexemption-court-documents-reveal 22 Djokernole (Instagram, 12 January 2022) < https://www.instagram.com/p/ CYnO7cDqbdj/> ; See also AlJeezera, Full text of Novak Djokovic statement on his COVID-19 ‘errors’ (Web Article 12 January 2022) https://www. aljazeera.com/sports/2022/1/12/full-text-ofnovak-djokovic-statement-on-his-covid-19-errors 23 Order of Judge A Kelly, in Novak Djokovic v Minister for Home Affairs (Federal Circuit Court, MlG35/2022, 10 January 2022, Notation; see also Djokovic v Minister for Immigration, Citizenship, Migrant Services and Multicultural Affairs [2022] FCFC 3 [6]. 24 Novak Djokovic v Minister for Home Affairs (Federal Circuit Court, MlG35/2022, 10 January 20220. 25 Applicant’s Application, 6 Jan 2022, pp4- 7, in Federal Circuit and Family Court of Australia, Novak Djokovic Online File, https://www.fcfcoa. gov.au/migration-law/online-file/djokovic at 12 February 2022; See also Djokovic v Minister for Immigration, Citizenship, Migrant Services and Multicultural Affairs [2022] FCFC 3 [69] 26 Djokovic v Minister for Immigration, Citizenship, Migrant Services and Multicultural Affairs [2022] FCFC 3 [72]( Allsop CJ, Besanko and O’Callaghan JJ). 27 Ibid [21]. 28 Ibid [103]. 29 Ibid [44-68]. 30 Ibid. 31 Ibid [95]. 32 Liberty Victoria’s Rights Advocacy Project, Playing God, The Immigration Minister’s Unrestrained Power (2017) 33 Ibid, 4-5 34 Liberty Victoria’s Rights Advocacy Project, Playing God, The Immigration Minister’s Unrestrained Power (2017) 9 quoting Plaintiff M61/2010E v Commonwealth (2010) 243 CLR 319, 352 [74] (French CJ, Gummow, Hayne, Heydon, Crennan, Kiefel and Bell JJ) (‘Offshore Processing Case’) , Kioa v West (1985) 159 CLR 550, 584 (Mason J) and 610 (Brennan J) 35 For example, NZ born AARON GRAHAM who was a former bikie, had his visa cancelled three times, Graham v Minister for Immigration and Border Protection [2018] FCA 1012; see also 9News, NZ-born bikie’s visa cancelled again (Web Article, 6 September 2017) < https:// www.9news.com.au/national/nz-bikiedeportation-attempt-quashed/9cd633a3-dbc8404c-8e06-5c1b34762343> 36 Australian Travel Declaration for Novak Djokovic, Affidavit of Natalie Bannister filed 8 January 2022, p35 37 Eden Gillespie, Kanye West warned he must have two vaccine doses ahead of concert tour in Australia, (2022), SBS, https://www.sbs.com.au/news/kanye-westwarned-he-must-have-two-vaccine-doses-aheadof-concert-tour-in-australia/2313cfbe-4e4a-4cedb51f-cc8d32e865fc, at 29 January 2022.

April 2022 THE BULLETIN

CYBERSECURITY

Governing cybersecurity: Critical infrastructure, spies and consumers ROBERT CHALMERS, LECTURER, COLLEGE OF BUSINESS, GOVERNMENT AND LAW, FLINDERS UNIVERSITY

ybersecurity issues are running hot. Hacking is becoming more pervasive and impactful, naturally following the expansion of computing into every aspect of our lives. Now our ‘Internet of Things’ (IoT) devices, wearables and other consumer devices are part of the “attack surface” that we project into the world. Businesses and organisations are devoting significant effort to managing the risks in response to constant probing for vulnerability and attacks seizing up their systems or stealing and exposing their information (and that of their consumers and partners). Lawyers are called on to advise and assist in relation to prevention, recovery and associated contracts and litigation, but they themselves (and the IT providers they rely on) are hardly immune to these same problems.1 Governments too are subject to intrusions, from state and non-state actors. They have also been issuing more strident calls for individuals and organisations to protect themselves and steadily introducing additional legislative controls to try to regulate cyber risks. Further reforms are now proposed in fields including private and public infrastructure, electronic surveillance and consumer protection. What are these, what impact will they have on the law, and what do they tell us about future trends?

‘ALL YOUR BASE ARE BELONG TO US’2 Much of the current legislative push comes from the Department of Home Affairs, which has been steadily layering up controls and powers in recent years. One of its priorities is to increase the security and resilience of critical infrastructure and systems of national significance. Following the introduction of the Security of Critical Infrastructure Act 2018 (Cth) and the Security Legislation Amendment (Critical Infrastructure) Act 2021 (Cth) (SLACI Act), consultations have recently closed on

30 THE BULLETIN April 2022

exposure draft of further amendments: the Security Legislation Amendment (Critical Infrastructure Protection) Bill 2022. You would be forgiven for thinking that the scope of ‘critical infrastructure and systems of national significance’ might be fairly restricted. However it is expansive: the SLACI Act expanded the coverage of the framework from four to eleven sectors (communications, data storage or processing, financial services and markets, water and sewerage, energy, healthcare and medical, higher education and research, food and grocery, transport, space technology, defence industry) and 22 asset classes. So huge swathes of the economy are covered and now obliged to report cyber incidents and give owner and operator information to the Register of Critical Infrastructure Assets. The new Bill would enact a framework for risk management programs, declarations of systems of national significance and further enhance obligations on cyber security.

SPIES LIKE US Electronic surveillance is also lined up for further reform, adding to already considerable changes in recent years. The legislation in this area is extensive and includes the Telecommunications (Interception and Access) Act 1979 (Cth) (TIA Act), the Surveillance Devices Act 2004 (Cth) (SD Act), the Australian Security Intelligence Organisation Act 1979 (Cth) (ASIO Act), the Telecommunications Act 1997 (Cth), and elements of state and territory laws. Powers for electronic surveillance have been steadily growing, and this increase has often been linked to the need to counter the growing sophistication of technologies in communication and cryptography. As the recent discussion paper itself said: [t]o keep pace with technology and the criminals who seek to exploit it, the Government has amended the TIA Act more than 100 times,

with most amendments occurring in the past 15 years. As a result, the powers currently in the TIA Act, SD Act and parts of the ASIO Act and Telecommunications Act span more than 1,000 pages of legislation and contain more than 35 different warrants and authorisations.3 Government is proposing further powers for the Australian Federal Police and the Australian Criminal Intelligence Commission ‘to combat dark web and anonymising technologies’ and is considering repeal of the legislation referred to above, replacing it with ‘one single Act that is clearer, more coherent and better adapted to the modern world’.4 It points to similar reforms in the UK and NZ: also members (along with the US and Canada) of the so called “5 eyes” security alliance. Expect an exposure draft in late 2022.

PROTECTING THE CYBER CONSUMER In the brave new world of pervasive computing, everything is connected. In response fields of regulation once separate and more static are being drawn together and subjected to a much higher rate of change. National security, privacy, digital identity, rights to personal communication, and consumer protection converge, but are also in tension. One example where these issues converge is in IoT devices: everything from wearables5 to home infotainment hubs, robotic vacuum cleaners6, toys and surveillance cams (with sometimes the latter two being one and the same). 7 In support of this over the last few years government has been considering and implementing various measures. In 2020 it introduced a Voluntary Code of Practice: Securing the Internet of Things for Consumers’.8 This covers smart products such as lights, TVs, watches, baby monitors, and connecting routers and sets out 13 principles for manufacturers

CYBERSECURITY

to abide by, based on consultations led by the Department of Home Affairs and the Australian Signals Directorate. Further research in 2021 indicated difficulties in implementing the voluntary, principlesbased guidance. Firms called for clearer guidance and internationally aligned standards, but even simple measures such as vulnerability disclosure policies were not being adopted. Government is now considering moving from voluntary to mandatory cyber security standards for smart devices and/or cyber security labelling.9 With the exception of the Privacy reforms dealt with below, specific reform detail has not yet been tabled. However, it seems very likely that additional measures will be introduced. Government specifically flagged it was considering changes to the Australian Consumer Law to enhance consumer guarantees and bring clearer application to digital products, and many of these IoT devices are connected to, or sold and supported by, the digital platforms that are the subject of broader enquiries and activities by the Australian Competition and Consumer Commission.10 Turning to the subject of privacy reform, late in 2021 the Government unveiled an exposure draft for a new Online Privacy Bill,11 which would enable binding online privacy codes applicable to digital platforms, in addition to strengthening general penalties12 and enforcement under the Privacy Act 1988 (Cth). The online privacy codes could go beyond standard privacy code measures and introduce more granular consent requirements and age verification measures, as well as the capacity for consumers to withdraw consent. Government has also released a discussion paper contemplating additional reforms based on international data and consumer protection law, including the European General Data Protection Regulation.13

There has been extensive academic exploration of the trends and possible direction for regulation of IoT devices, which provides guidance as to likely options, and further suggests additional regulation is likely.14

A CYBER EYE TO THE FUTURE The immediate future looks even more crowded with reform than the recent past. Even if there is then a lull on some of those fronts, other related fields are already the subject of regulatory attention: not least that of digital identity. This connects to issues of age verification, recently introduced director ID, and broader government and private developments in pursuit of a ‘Trusted Digital Identity Framework’.15 It is important that in designing appropriate regulatory frameworks we are not distracted by the ever shifting sands of technical standards, but rather maintain a clear focus on the underpinning principles and human rights that need to be maintained. Lawyers have a critical and ongoing role to play in securing that future and designing appropriate regulatory frameworks. Turning a blind eye to cyber issues as simply ‘technical’ matters is not an option. B Endnotes 1 For example, Allens and the Australian Securities and Investments Commission were both hit by a cyber-attack mediated by software they were reliant on: The Australian Financial Review (online, 25 January 2021) <https://www.afr.com/politics/ federal/asic-says-it-was-hit-by-cyber-attack20210125-p56wsc>. 2 Internet ‘engrish’ meme derived from a computer game involving battles with cyborgs, used here with reference to the extension of regulation over a very broad field. 3 Department of Home Affairs, Reform of Australia’s electronic surveillance framework (online, 2021 Discussion Paper) 5 <https://www.homeaffairs. gov.au/reports-and-pubs/files/electronicsurveillance-framework-discussion-paper.pdf>. 4 Ibid 4.

5 In this regard note the security breaches connected to the Strava app: Thomas Brewster, ‘Why Strava’s Fitness Tracking Should Really Worry You’ (online, 29 January 2018) Forbes <https://www.forbes. com/sites/thomasbrewster/2018/01/29/stravafitness-data-location-privacy-scare/?>. 6 Note that the terms of service for ‘roomba’ vacuum cleaners permit them to map your home and send this data to irobot: <https://www. irobot.com.au/legal/privacy-policy>. 7 Amelia Tait, ‘Are smart toys spying on children?’ The New Statesman (online, 6 December 2016) <https://www.newstatesman.com/sciencetech/2016/12/are-smart-toys-spying-onchildren>. 8 Department of Home Affairs, Voluntary Code of Practice - Securing the Internet of Things for Consumers <https://www.homeaffairs.gov.au/reports-andpublications/submissions-and-discussion-papers/ code-of-practice>. 9 Department of Home Affairs, Strengthening Australia’s cyber security regulations and incentives An initiative of Australia’s Cyber Security Strategy 2020 <https://www.homeaffairs.gov.au/reports-andpublications/submissions-and-discussion-papers/ cyber-security-regulations-incentives>. 10 ACCC, Digital Platforms <https://www.accc.gov. au/focus-areas/digital-platforms>. 11 Attorney General’s Department, Online Privacy Bill Exposure Draft <https://consultations.ag.gov. au/rights-and-protections/online-privacy-billexposure-draft/>. 12 up to 10% of an organisation’s turnover. 13 Attorney General’s Department, Privacy Act Review – Discussion paper <https://consultations.ag.gov. au/rights-and-protections/privacy-act-reviewdiscussion-paper/>. 14 See e.g. Jeannie Marie Paterson, Yvette Maker ‘AI in the Home: Artificial Intelligence and Consumer Protection’ - to be published in Ernest Lim and Phillip Morgan (eds), The Cambridge Handbook of Private Law and Artificial Intelligence (Cambridge University Press, Forthcoming) and available at <https://papers.ssrn.com/sol3/papers. cfm?abstract_id=3973179>; Kayleen Manwaring, Roger Clarke, ‘Is your television spying on you? The Internet of Things needs more than self-regulation’ Computers and Law: Journal for the Australian and New Zealand Societies for Computers and the Law (2021) 93, 31-36 available at <http:// www8.austlii.edu.au/cgi-bin/viewdoc/au/ journals/ANZCompuLawJl/2021/9.html>. 15 Australian Government, Trusted Digital Identity Framework (TDIF) <https://www.digitalidentity. gov.au/privacy-and-security/trusted-digitalidentity-framework-tdif>.

April 2022 THE BULLETIN

FEATURE

Tour de France: Avoiding the domino effect in the peloton ANNEMARIE GOODWIN, SPORTS LAWYER

his article aims to minimise crashes at Tour de France. This article identifies a link between crashes and spectator inference, physical contact during sprint finishes and detour disqualifications. Cycling is a dangerous sport. Crashes are inevitable. The law must still try to minimise crashes, avoiding the domino effect in the peloton.

SPECTATOR INTERFERENCE Should spectator interference be tolerated at Tour de France? No. This is highlighted by an incident at 2021 Tour de France. A fan stepped onto the road, with their back to the oncoming peloton. The fan held up a sign (which contained a message for relatives) to the TV cameras. The fan was not cheering on cyclists. They were trying to get themselves on TV. Cyclist Tony Martin crashed into the sign. This caused a domino effect in the peloton. The result was arguably the worst crash in Tour de France history. 26 cyclists were injured.1 French police arrested the fan over this incident.2 The fan was charged with reckless endangerment and involuntarily causing injuries. Maximum punishment was one year in prison and $15000 EU fine. Due to their mental health, the fan was issued a $1200 EU fine. The result was to deter spectators from causing crashes at Tour de France in the future. Race organisers decided not to take legal action against the fan. Injured cyclist Marc Soler considered suing the fan.3 A harsh fine and/or criminal charges is appropriate. The fan deliberately chose to obstruct the road, causing widespread harm. The winner of Tour de France should not be whichever cyclist is lucky enough to avoid being knocked down

32 THE BULLETIN April 2022

by a roadside fan. The winner should be the cyclist with the most strength and skill. Does responsibility to prevent spectator interference rest with race organiser ASO (Armaury Sport Organisation), the UCI (Union Cycliste International), French police or the spectators themselves? Eliminating spectator interference is a shared responsibility between ASO, the UCI, French police and roadside fans. ASO, the UCI and French police are already doing everything possible to prevent spectator interference. ASO and the UCI do not have the unlimited funds required to place barriers along the entire Tour de France route. French police do monitor roadside fans. At the 2021 Tour de France, French police arrested the spectator who caused Tony Martin’s crash. Given the ratio of French police to roadside fans, it is unreasonable to make French police solely responsible for eliminating spectator interference. In other sports like tennis, security can permanently eject a disruptive fan from the stadium. If French police eject a disruptive fan from one section of the race route then the fan can re-enter at another section of the race route. The UCI regulations should be urgently redrafted to address spectator interference at Tour de France. A new law is required which imposes heavy fines and/or criminal charges on fans who cause crashes. Spectator interference must be defined very broadly to include any act. Examples do not just include the fan making contact with a cyclist. Examples also include an object held by a fan (sign, camera strap etc) and smoke from a flare held by a fan making contact with a cyclist. The law

should apply regardless of whether the spectator interference is accidental or intentional. All that is required by way of evidence is video footage of the incident. Proceeds of the fine should be passed onto the cyclist, to compensate for any loss. Heavy fines and/or criminal charges should eliminate spectator interference. A ban on roadside fans at Tour de France is not a viable option. Their presence cheers up cyclists and enhances TV coverage for viewers. In other sports like tennis there is distance between a fan and their favourite athlete. Close proximity between a fan and their favourite rider makes cycling a great spectator sport.

PHYSICAL CONTACT Should a cyclist be punished for deliberate physical contact in a sprint finish? Yes. There have been several relegations for repeated headbutting in a sprint finish, including Fernando Gaviria and Andre Greipel at 2018 Tour de France4 and Caleb Ewan at 2019 Tour Down Under.5 These decisions show accidental physical contact is acceptable in a sprint finish but clearly deliberate physical contact is not. Some commentators claim deliberate physical contact during a sprint finish is simply part of the sport.6 The fact that a practice has existed for a long time does not automatically mean it is the best practice. Cycling is dangerous enough without cyclists deliberately knocking their opponents in the rush to the finish line. Cycling is not a contact sport like boxing. The Tour de France winner should not be whichever cyclist in the peloton is best at knocking their opponents out the way.

FEATURE

The Tour de France winner should be the cyclist with the most strength and skill. The 2019 Tour Down Under highlight was arguably Elia Viviani’s Stage 1 win.7 A viewer can watch this sprint finish several times without becoming bored. The win was a result of strength and skill. No physical contact required.

DETOUR DISQUALIFICATIONS Should a cyclist be disqualified for a mid-race detour? No. The UCI introduced detour disqualifications in 2014.8 The reason for this rule is that detours can endanger roadside fans. They might also give a cyclist an unfair advantage over the rest of the peloton. The UCI Regulations offer punishments which include disqualification or a time penalty. The UCI Regulations also state race organisers will help minimise detours by marking the race route (using barriers or tape) where it is alongside a sidewalk, pavement or cycle path. Some commentators claim cyclists have been racing on sidewalks which do not form part of the official race route for so long it is simply part of the sport.9 The fact that a practice has existed for a long time does not automatically mean it is the best practice. Some team managers believe barriers, not disqualification, should be used to prevent cyclists from detouring off the official race route. It is better to deter detours through time penalties or disqualification than barriers, which cost money. The UCI Regulations on detours are correct. UCI officials still need to use common sense. In most detour cases, disqualification is not appropriate. Most detours are too trivial to impact on the overall race result. If they do

then UCI officials should simply impose a time penalty to address the advantage a detour has given a cyclist over the rest of the peloton. Most detours are made to avoid a mass crash in the peloton. Cyclists should be encouraged to Ride defensively without fear of disqualification. Only if the detour is not made to avoid a mass crash in the peloton and endangers roadside fans is disqualification appropriate. There have been two significant detour cases. Peter Sagan’s detour at 2018 Amstel Gold and Luke Rowe’s detour at 2018 Tour of Flanders.10 Sagan’s detour did not endanger fans. Rowe’s detour did. What if a detour avoids a mass crash in the peloton but also endangers roadside fans? How does the UCI morally evaluate if cyclist or fan safety is more important? These examples provide guidance on how UCI officials should assess a detour.

CONCLUSION This article finds solutions to minimise crashes at Tour de France, eliminate spectator inference and deliberate physical contact between cyclists in a sprint finish, and allow cyclists to detour without disqualification if the reason is to avoid a mass crash in the peloton. These solutions avoid the domino effect in the peloton. B

Endnotes 1 James Matthey, ‘Shocking list emerges after idiot fan causes horrifying Tour de France crash’, 27/6/21, news.com.au https://www.news.com. au/sport/cycling/shocking-list-emerges-afteridiot-fan-causes-horrifying-tour-de-france-crash/ news-story/0204e2f318b44d013c02fc8d37389397

2 Chris Marshall-Bell, ‘Tour de France organisers will not sue fan who caused mass pile-up on stage one’, Cycling Weekly, 2/7/21 https://www.cyclingweekly.com/news/tour-defrance-organisers-will-not-sue-fan-who-causedmass-pile-up-on-stage-one 3 Alasdair Fotheringham, ‘Injured Soler considers legal action against fan who triggered Tour de France crash’, Cycling News, 1/7/21 https://www.cyclingnews.com/news/injuredsoler-considers-legal-action-against-fan-whotriggered-tour-de-france-crash/ 4 ‘Headbutts see relegations as sprinters melt down’, 15/7/18, SBS https://www.sbs.com.au/ cyclingcentral/article/2018/07/15/headbuttssee-relegations-sprinters-melt-down 5 Matt de Neef, ‘Double drama at Tour Down Under: Bevin Crashes, Ewan Relegated’, [1617], 19/1/19, Cycling Tips https://cyclingtips. com/2019/01/double-drama-at-the-tour-downunder-bevin-crashes-ewan-relegated/ 6 ‘Controversy and Crashes TDU 5th stage’, 19/1/19, SBS https://www.sbs.com.au/ cyclingcentral/article/2019/01/19/controversyand-crashes-tdu-fifth-stage 7 Chris Marshall-Bell, ‘Elia Viviani wins Tour Down Under Stage 1 after superb late sprint’, 15/1/19, Cycling News https://www. cyclingweekly.com/news/racing/elia-vivianiwins-tour-stage-one-superb-late-sprint-404926 8 UCI Cycling Regulations – Part 2 Road Races – Article 2.2.015, 2.2.025 and 2.12.007 [7.6]. https://www.uci.org/inside-uci/constitutionsregulations/regulations 9 Patrick Fletcher, Sadhbh O’Shea, ‘Officials ready to disqualify riders using sidewalks’, [13-15], 31/3/17, Cycling News http://www.cyclingnews. com/news/tour-of-flanders-officials-ready-todisqualify-riders-using-sidewalks/ 10 Richard Windsor, ‘UCI must be consistent’, 19/4/19, Cycling Weekly http://www. cyclingweekly.com/news/racing/uci-mustconsistent-tiesj-benoot-critical-governing-bodybike-path-rules-376869 About the author Annemarie Goodwin is a Sports Lawyer who specialises in tennis and cycling.

April 2022 THE BULLETIN

TAX FILES

Trust distribution alerts JOHN TUCKER, DW FOX TUCKER LAWYERS

n 23 February, 2022 the Commissioner of Taxation issued a number of publications, some still drafts, that will impact on decisions regarding trust distributions that are required to be made by 30 June, 2022. Of the publications, three are concerned with reimbursements agreements under s100A of the Income Tax Assessment Act 1936, and the remaining one is concerned with Division 7A and its application to unpaid trust distributions from a trust to a company. The only publication of immediate effect is Taxpayer Alert TA 2022/1. In this Alert the Commissioner advised that his office is reviewing trust arrangements where trust income is appointed between members of a family group, including children over 18 years of age, but it appears in substance that the parents exercise control over and enjoy the benefit of the income. An example given of the circumstances being reviewed is where expenses benefitting the child are, in the Commissioner’s view, “properly understood to be parental expenses”, referring to costs of their upbringing as a minor, or for “the kinds of ongoing financial support parents would ordinarily provide for their children”. Allied with these circumstances is where the appointed income is seen to be “more properly explained by the tax outcomes detailed”, such as accessing the tax-free thresholds, than by “ordinary familial considerations”. The quoted expressions are imprecise. Some insight into them is contained in a list of features that the arrangements under review will, or mostly will, display. Among these are an application of the income distributed to meet expenses of the parents, possibly recorded as

34 THE BULLETIN April 2022

beneficiary loans from the trustee to the parents, which the children then actually, or purportedly, direct to be repaid. Also these might include expenses in the upbringing of the child, such as school fees or living at home expenses (as opposed to meeting reasonable rent for living away from home or car expenses), where there is no expectation of these being repaid by the children from any source of income other than the trust distributions. Tax Alerts are used by the Commissioner to express “concerns” generally on the basis of his assertion of perceived unlawful tax avoidance. Given the penalties applicable to any arrangement found to be that and the cost of any attempt to dispute such a perception, the expression of such concerns generally suffices to deter all from risking a challenge to the concerns stated by the Commissioner. In TA 2022/1, apart from the spectre of tax avoidance, the Commissioner also raises sham, sections 100A, 95A(1) and 97(1) of the 1936 Assessment Act, but only by reference and without any supporting explanation. With these sorts of arrangements being quite common, and the need by 30 June, 2022 for trustees to make decisions about the distribution of trust income, this Alert will, for many, require careful consideration. Of note in the concerns listed in the Tax Alert is mention of section 100A and that the arrangements described may constitute a “reimbursement agreement” for its purposes. Section 100A was introduced into the 1936 Act targeted against trust stripping, a practice, at its simplest, of vesting net income, otherwise taxable, in a beneficiary

who assumed all liability for tax on it and gave a non-assessable payment to another, usually another beneficiary or their related entity, in return. The section was however drafted in wider terms than if just focussed on this practice. It applies to any trust distribution that arises from a ‘reimbursement agreement’. There have been indications among tax practitioners that the Commissioner has held concerns about even such arrangements as a distribution being determined in favour of a beneficiary, not paid, and treated as owing, being encompassed by the wording of s100A. While the Commissioner has engaged in confidential consultation regarding these issues, for many months tax advisors have been waiting on the Commissioner to publish for public consultation a foreshadowed Taxation Ruling on this provision, which has now been done as draft Taxation Ruling TR2022/D1 and draft Practical Compliance Guide PCG 2022/D1, both of which were published contemporaneously with TA 2022/1. The single way out of s100A is the definition of ‘agreement’ which specifically excludes an agreement ‘entered into in the course of ordinary family or commercial dealing’. These words are the subject of discussion in draft ruling TR 2022/ D1. They have recently received judicial consideration in a judgement1, now under appeal by the Commissioner, in their application to a particular fact situation. While illustrative, the judgement stops short of any attempt to provide an expose on the universal application of the provisions, and it is unclear what reliance the Commissioner will place on the judgement given his appeal and the more

TAX FILES

limited views expressed in the drafting ruling. In TR 2022/D1 the Commissioner asserts that the word ‘family’ refers just to natural persons, and he draws a distinction between what is ordinary and what is common, with a focus on whether the arrangement is “capable of explanation as achieving normal or regular familial or commercial ends”. For a dealing to be an ordinary commercial dealing the Commissioner requires it to advance the respective interests and commercial objects of the parties. If there are present in the agreement features which, to the Commissioner, appear tax driven, he says these will be relevant to the objective enquiry whether the agreement is entered into in the course of ordinary dealing. The potential impact of the Commissioner’s views is very wide

reaching. Advisors will need to consider TR2022/1 (when issued) very carefully with respect to the determination of trust distributions and the actions required to be taken in consequence of particular determinations. All this most likely before 30 June 2022. The final publication is draft Taxation Determination TD 2022/D1 entitled “Income Tax: Division 7A: When will an unpaid present entitlement or amount held on sub-trust become the provision of ‘financial accommodation’”, which was released contemporaneously with a web page publication entitled ‘Unpaid Present Entitlement’ (with reference to Division 7A of ITAA 1936 relating to deemed dividends). The point of this draft determination is to warn that arrangements to distribute a share of net income to a company, not pay it and purport to hold it on a sub-trust, will

need to comply with the Commissioner’s stipulation for a sub-trust if they are not to be deemed ‘financial accommodation’ and result in a deemed dividend from the company to the trust. In this way, the determination looks at arrangements similar to those of concern under s100A, albeit with a view to Division 7A (given that the beneficiary is a company) rather than s100A. As mentioned, the Tax Alert is of immediate effect. The Ruling and Guidance are to apply on publication (once finalised) and the Determination (once finalised) from and after 1 July 2022. Tax Files is contributed by members of the Taxation Committee of the Business Law Section of the Law Council of South Australia B Endnotes 1 By Logan J in Guardian AIT Pty Ltd ATF Australian Investment Trust v FCT [2021] FCA 1619

We Are Forensic Experts In • Engineering Analysis & Reconstruction

• Failure Analysis & Safety Solutions

• Traffic Crashes & Road Safety

• Physical, Crash, Incident & Vehicle Dynamic Handling Testing

• Workplace or Mining Incidents • Reporting & Experts Court Testimony

Delta V Experts

DELTA-V EXPERTS

• Clarifies the facts in a situation

• Strengthens your communication

• Scientifically substantiates the evidence

• Diverse experience and expertise

03 9481 2200

www.dvexperts.net

9 Springbank Street, Tullamarine, 3043 April 2022 THE BULLETIN

DIALOGUE

A roundup of recent Society meetings & conferences ROSEMARY PRIDMORE, EXECUTIVE OFFICER 9 December 2021 National statutory tort for invasion of privacy ec Sandford participated for the Society in an online roundtable meeting convened by the LCA to discuss its approach to a national statutory tort for invasion of privacy.

15 December 2021 The Honourable Connie Bonaros MLC and the Honourable Frank Pangallo MLC Society representatives Bec Sandford, Justin Stewart-Rattray (President-Elect) and Nathan Ramos (Policy Coordinator) met with SA Best MLCs in relation to the Society’s Key Election Issues for the 2022, via videoconference. 17 December 2021 2022 Law Council of Australia President – At a videoconference meeting with Tass Liveris, Bec Sandford and Stephen Hodder discussed the issues Mr Liveris intends to focus on during his presidency of the LCA in 2022. 27 January 2022 The Honourable Robert Simms MLC Justin Stewart-Rattray, 2022 President and Nathan Ramos met with the Honourable Robert Simms MLC in relation to the Society’s Key Election Issues. 2 February 2022 Disability access to the Courts In response to concerns raised by the Society via its Equality, Diversity and Inclusion Committee, Justin StewartRattray, Mark Douglas (Chair of the

36 THE BULLETIN April 2022

EDI Committee) and Michael Esposito (Communications Manager) met with the Honourable Justice Bampton and Con Koutsounis, Senior Facilities Officer of the Courts Administration Authority in relation to disability access to the Courts. 15 February 2022 The Honourable Frank Pangallo MLC At the instigation of SA Best, Justin Stewart-Rattray and Nathan Ramos met with the Honourable Frank Pangallo MLC and his advisers to discuss elements of a State election submission by the Police Association of SA. 23 February 2022 Legal Services Commission Justin Stewart-Rattray and Stephen Hodder attended a meeting of the Legal Services Commission (LSC), at the LSC’s invitation. They congratulated Peter Slattery upon his appointment as Chair of the LSC, advised of the Society’s Key Election issues relating to funding and raised a number of issues (including at the suggestion of the Criminal Law Committee). 24 February 2022 Federal Circuit and Family Court CEO and Principal Registrar and Deputy Principal Registrar The Co-Chairs of the Family Law Committee, Ryan Thomas and Daphne Moshos and former Co-Chair of the Committee Jane Miller joined Justin Stewart-Rattray at a meeting with the CEO and Principal Registrar, David Pringle and Deputy Principal Registrar, Virginia Wilson of the FCFCOA.

A number of issues of interest were discussed and well received and open lines of communication were established. It is expected the Court will publish a summary or update relating to the problems experienced since September 2021 when the new court system was introduced and what has been done to date to try and rectify them. 3 March 2022 Joint Rules Advisory Committee Various issues and suggestions for amendments to the Uniform Civil Rules were the subject of consideration at a meeting of the Joint Rules Advisory Committee that was attended by Justin Stewart-Rattray, Alexander Lazarevich and Philip Adams. 18 and 19 March 2022 Quarterly meetings of Law Council (LCA) Directors, Conference of Law Societies, CEOs of Law Societies; and joint CEOs Justin Stewart-Rattray (as President and also as Society appointed Director of the LCA) and Stephen Hodder variously participated in the above quarterly meetings, which were held via videoconference. Key topics of discussion included the implementation of the new Australian Solicitors’ Conduct Rules; the results of a survey by the Law Society of NSW of the impact of COVID on the justice system; the LCA’s “Call to Parties” advocacy document for the upcoming Federal election; and mandatory reporting of the misconduct of other lawyers under consideration in Victoria. B

WELLBEING & RESILIENCE

Doomscrolling: What is it and how can we stop it? AMY NIKOLOVSKI, MANAGING PARTNER, DBH LAWYERS AND MEMBER, WELLBEING AND RESILIENCE COMMITTEE

read a quote recently (on social media I confess) that said, “Millennials have had to deal with 9/11, two global financial crises, a pandemic, unaccountable natural disasters and now World War 3 all before we turn 40”, and well, it really hit me in the feels. Because it seems at the moment, every time you turn on the TV another terrible thing occurs. These last two- and a-bit years have been particularly hard and if you are anything like me, you have found yourself addicted to “doomscrolling.” So, what is it? According to Urban Dictionary “Doomscrolling is when you keep scrolling through all of your social media feeds, looking for the most recent upsetting news about the latest catastrophe,” this in turn triggers the release of stress hormones that can affect both your mental and physical health. The COVID-19 pandemic was thought to start the term, with it trending on Twitter in 2020, now doomscrolling has become a part of many of our daily routines. The constant consumption of bad news can lead to catastrophising or focusing on the negative aspects of the world around you in a way that makes it more and more difficult to notice the positive. The behaviour can be addictive comparative to a car crash where you are watching something, and you just cannot look away. Are you a doomscroller like me? If so, here are some tips to stop (and I will attempt to take my own advice):

MAKE MORNINGS SACRED Stop using your phone as your alarm, this will in turn stop you from automatically checking social media feeds first thing when you wake up in the morning, which will in turn hopefully set you off on the right foot.

PUT THE PHONE DOWN Every time I get a notification, I cannot help myself, pick it up, and check my phone, I think often I don’t even realise how often I’m doing it. Put your phone in another room and take a break from the world, we do not have to be available 24/7. Also, if you have an iPhone (I would assume android would have the same capacity) check your screen time (go to settings and screen time) you may be disgusted at how much time you are on your phone.

LIMIT SOCIAL MEDIA APPS ON YOUR PHONE While you are in your settings put a limit on how much time you can access social media, this may in turn get you out of that TikTok or Facebook rabbit hole you fell down by alerting you to how

much time you have actually spent that day already.

FIND ANOTHER ACTIVITY TO REPLACE DOOMSCROLLING Enjoy this beautiful Autumn weather, go for a walk, pick up a book, play with your kids, do something for you in that time. Replace doomscrolling with something that delivers that kick of adrenalin/cortisol for good rather than bad. The world at the moment seems like a very scary place, but there are ways we can take back control. If you feel like you may have lost control, there is no shame in admitting you need help. Reach out to Law Care, Dr Jill, your workplace EAP or any other resources to get you out of the funk you may be in at the moment with what feels like never ending bad news being thrown on a daily basis. April 2022 THE BULLETIN

FAMILY LAW CASE NOTES

Family Law Case Notes CRAIG NICOL AND KELEIGH ROBINSON, THE FAMILY LAW BOOK

CHILDREN – FATHER UNSUCCESSFULLY APPEALS ORDER AUTHORISING MOTHER TO VACCINATE CHILD AGAINST COVID-19

n Dacombe & Paddison [2021] FedCFamC1A 103 (23 December, 2021) Austin J (sitting in the appellate jurisdiction of the Federal Circuit and Family Court of Australia) summarily dismissed a father’s appeal against a consent order, which authorised the mother to arrange vaccinations of the parties’ daughter. The Court said (from [8]): “An appeal may be summarily dismissed if the appellant has no reasonable prospect of successfully prosecuting it (s 46(2)) [ed. Of the Federal Circuit and Family Court of Australia Act 2021 (Cth)], even if it is not hopeless or bound to fail (s 46(3)) ( … ) [10] The father’s first contention – that he did not consent to the order – is false. … [11] While it was the legal practitioners who confirmed the parties’ agreement, the father did not demur when the primary judge was informed of the compromise. … [12] When the primary judge sought to formulate an order to properly reflect the parties’ agreement, the father even helped with the drafting ( … ) [14] [The father] … only disagreed with any form of government-imposed immunisation or treatment for the child, but the appealed order did not deal with any form of immunisation or treatment mandated by government because the parties agreed the child should be immunised ( … ) [16] … Ground 1 of the father’s appeal depends entirely upon his false contention that he did not consent to the appealed

38 THE BULLETIN April 2022

order. He did and now he cannot appeal the order on merit in the teeth of such consent. … [17] … [Section] 51(xxiiiA) of the Constitution enables the parliament to make laws about the provision of medical and dental services (but not so as to authorize any form of civil conscription) ( … ) [21] … [T]he Constitutional impediment only affects the validity of federal legislation which enables the civil conscription of medical and dental services, upon which field the Family Law Act does not play. An order made under the … Act which ensures a child’s receipt of … medical treatment is not caught by the prohibition ( … )”

PROPERTY – APPLICANT’S EQUITABLE TRUST CLAIM FAILS AS PURCHASES WERE GIFTS – RESPONDENT’S CLAIM FAILS AS THERE WAS NO DE FACTO RELATIONSHIP In H, AW v K, S [2021] SASC 128 (11 November, 2021) Bochner J of the Supreme Court of South Australia dismissed all applications after a four year relationship between a dual citizen of Australia and the USA (the applicant) and a single mother who lived in Adelaide (the respondent). The applicant sought a declaration that the respondent’s vehicle and bank balances were held on trust for him ([4]). The respondent argued the dealings were gifts and [she] sought a declaration that the parties were in a de facto relationship. The Court said (from [52]): “The applicant agreed that [his] … communication [to the respondent] amounted to representations that he would provide for her … He denied …

that the provision of financial support … or … any other gifts to her would be unconditional. ( … ) [59] … [T]he parties did not acquire any assets together … The respondent never visited the applicant’s house …, nor was she invited to do so. ( … ) [151] The applicant came to Adelaide [where the Respondent lived] between five and nine times each year during the relationship. The length of the visits varied, from less than twenty-four hours, to seven days ( … ) [193] … I consider that the parties’ relationship was not that of a couple living together on a genuine domestic basis. The evidence does not demonstrate ‘the merger of two individual lives into life as a couple’ … [I]t demonstrates two individuals living their separate lives and coming together seven or eight times each year for some shared time. It my view it is the time that was shared, rather than the lives.” As to the trust claim, the Court said (from [214]): “ … [T]his evidence leads me to the conclusion that the moneys given to the respondent … were a gift. … [A]ny statements made by the applicant that the moneys should be used for rent, clothes and other expenses were no more than indicative of his motive … They did not serve to impress the funds with a trust.”

CHILDREN – HAGUE CHILD ABDUCTION CONVENTION – ORDER FOR PRODUCTION OF SOLICITOR’S FILE SET ASIDE, GIVEN ITS IRRELEVANCE TO HABITUAL RESIDENCE In Sterling [2022] FedCFamC1A 3 (27 January, 2022), the Full Court (Austin,

FAMILY LAW CASE NOTES

Berman & Harper JJ) allowed an appeal from a decision of Williams J, where a mother had travelled to Germany with the parties’ daughter for a holiday, but then communicated to the father that she would not return to Australia and unsuccessfully sought parenting orders in a German Court. The German Court applied the Hague Convention on the Civil Aspects of International Child Abduction and found that the daughter was habitually resident in Australia and that Australian courts had exclusive jurisdiction. The father then successfully applied for orders for the return of the child, for which the father engaged a German lawyer. Before the child’s return, the father issued parenting proceedings in Australia, where the Court scheduled a discrete hearing as to whether the Court had jurisdiction pursuant to s 111CD of the Act. In those proceedings, the mother contended that the father had waived privilege to his German solicitors’ file, whereas Williams J ordered that it be produced. The father appealed, to which the Full Court said (from [23]): “The application of ss 111CD(1)(a), 111CD(1)(b) or 111CD(1)(f) depends upon whether or not the child is habitually resident in either Australia or Germany ( … ) [25] Given the singular contentious issue affecting the exercise of Australian jurisdiction was the identification of the child’s place of habitual residence, it begged the question of how the file of the father’s German lawyer could be relevant ( … ) [32] As an entirely factual question,

the determination of the child’s place of habitual residence could not conceivably be materially influenced by any communication between the father and his German lawyer concerning the prior German proceedings. ( … ) [34] Regardless of whether the father waived his legal professional privilege by his conduct, which is another issue by which the parties were distracted, there was no need to compel his surrender of the confidentiality he reposed in the lawyer/client communications.”

PROPERTY – CONTRIBUTIONS ASSESSMENT OF 65 PER CENT IN FAVOUR OF THE WIFE CONTAINED ERROR AS TRAILING COMMISSIONS REMAINED A JOINT CONTRIBUTION In Candle & Falkner [2021] FedCFamC1A 102 (23 December, 2021), the Full Court (McClelland DCJ, Berman & Harper JJ) allowed an appeal from a decision of Foster J in a case involving a 13 year marriage where the parties established and operated a residential home lending business (C Pty Ltd). After litigation, in 2010 the husband received a payout from a third party on the condition that he resign as director, after which the wife was sole director and conducted operations of the company. The Court assessed the wife’s contributions at 65 per cent, finding that from 2010 onwards, the wife had “overwhelmingly contributed to the evolution of the current asset pool through her ongoing management of C Pty Ltd” ([38]). The husband appealed.

The Full Court said (from [82]): “We are … persuaded that the primary judge failed to take account of relevant contributions of the husband. [83] It was common ground that C Pty Ltd was a joint enterprise of the parties from inception until March 2010, when the husband ceased to be a director. … [T]he business of C Pty Ltd produced an income stream for the benefit of the parties from trailing commissions, which continued for an average of five to six years. It followed that some trailing commissions continued past 2010, and thus some of the income produced by C Pty Ltd post-2010 must be seen as the result of the parties’ joint efforts in the business before 2010 ( … ) [90] The husband argued that the ultimate result of 65 per cent to the wife could only be justified by ignoring the husband’s contributions to the business of C Pty Ltd … after December 2010 ( … ) [92] … [H]is Honour assessed contributions by reference to his detailed findings about the course of contributions … The problem is that nowhere in those paragraphs is there any mention of specific contributions by the husband to C Pty Ltd … after 2010. Consequently, we are unable to conclude his Honour took those contributions into account, despite, or even because of, the reference to [the husband’s] ‹minimal contributions’ in … the reasons. … [93] Once it is accepted that the primary judge failed to take account of contributions by the husband to C Pty Ltd … even if more modest than those of the wife, the percentage assessment of 65 per cent in favour of the wife is unsafe and cannot stand.” B April 2022 THE BULLETIN

RISK WATCH

Control your trolls: Protecting your practice on social media practitioners KATE MARCUS, RISK & CLAIMS SOLICITOR, LAW CLAIMS

aw Practices should be alert to the risks of maintaining a social media presence. With the ever-changing needs of communication and marketing, social media - whether it be through Meta, Facebook, You Tube, WhatsApp. Twitter, Instagram, Pinterest, Snapchat to name but a few - is a tool which many Law Practices are utilising. However, care needs to be taken. Whilst last year’s High Court decision of Fairfax Media Publications Pty Ltd & Ors v Voller [2021] HCA 27 was of particular relevance to media outlets operating social media pages, the implications of the judgment extend beyond traditional media organisations. Following a news story about Mr Voller and his incarceration in a juvenile detention centre in the Northern Territory, a number of allegedly defamatory comments were made by third parties on the appellants’ Facebook pages. Each of the appellants were media companies with newspaper and/or television stations and each operated a public Facebook page where third-party Facebook users could make comments. Mr Voller issued proceedings alleging that the appellants were liable for defamation as the publishers of those comments. By majority the High Court held that, subject to any applicable defences, defamation operates as a tort of strict liability and intention to publish the specific content is therefore not required in order to render someone liable as a publisher of defamatory content. The liability of a publisher depends on whether, by facilitating and encouraging the relevant communication, it “participated” in the communication. By creating a public Facebook page and posting contents on that page, the appellants facilitated, encouraged and thereby assisted in the publication of comments from third-parties. Accordingly, the appellants were held to be the publishers of the third-party comments.

40 THE BULLETIN April 2022

Implications for Law Practices The ramifications of the judgment extend beyond Facebook and media outlets. It highlights that organisations which maintain their own websites and social media pages are exposed to risk. This includes law firms. If you have a social media page upon which third-party users can post comments, care must be taken. By providing such a forum, there is a risk that the law firm could be found to be a publisher for the purposes of defamation law. What can you do? It is often difficult to disable comments on social media sites but it is worth considering whether it is necessary for the public to comment on your business pages or posts. While larger organisations may have the infrastructure to monitor sites constantly and remove offending posts almost immediately, smaller organisations will need to take extra precautions and be highly vigilant. Bear in mind that posts can “go viral” in a matter of minutes. It is now possible with Facebook, for example, to disable posting to your business page by the public. Law Practices with social media presence are encouraged to 1. consider whether to disable posting/ commentary altogether

2. rigorously monitor and moderate the site(s) 3. immediately remove any comment or image which may (even remotely) cause offence. If you are not in a position to constantly monitor your social media sites, query if your needs are better met by disabling comments or by having a website that does not provide for third party comments. Practitioners also need to be alert to the fact that defamatory posts on social media may not be covered by your Practice’s professional indemnity insurance. Coverage will depend on the nature of the social media involved and the nature of the posts themselves. General defamatory posts may not be sufficiently connected with the “legal practice” so as to fall within cover. If defamatory statements have a real link to the actual work undertaken by the practice, then there may be cover under the policy. However, each situation depends heavily on its individual facts and it is not possible to be definite about coverage in the absence of all relevant facts and details. It is therefore essential that Law Practices tread carefully and consider all the implications of their social media presence.

BOOKSHELF

ASSAF’S WINDING UP IN INSOLVENCY Abstract from LexisNexis

F Assaf SC 3rd ed LexisNexis 2021 HB $235

Assaf ’s Winding Up in Insolvency is a practitioner-focused reference text providing comprehensive treatment of all aspects of winding up in insolvency. Formerly known as Statutory Demands and Winding Up in Insolvency, this new text has been completely rewritten, updated and expanded. The work discusses in detailed and scholarly fashion all requirements of winding up in insolvency including establishing insolvency, practical issues

relating to issuing and setting aside statutory demands, making and opposing winding up applications and includes guidance on the recent labyrinthine amendments made to the Corporations Act by the Corporations Amendment (Corporate Insolvency Reforms) Act, 2020 and temporary amendments made in response to the Covid-19 pandemic. In addition, the book discusses cross-border aspects of winding-up in insolvency and the winding up of Part 5.7 bodies. Complete with precedents, this work is an essential reference text for all legal practitioners.

LAW OF CHARITY Abstract from LexisNexis

GE dal Pont 3rd ed LexisNexis 2021 PB $300.00

Cited frequently in decisions in superior courts across Australia, including in the High Court of Australia, Law of Charity is a highlevel work focusing on the law that governs and regulates the application of money or property for charitable purposes. Providing coverage of Australian law and, for chiefly comparative purposes, salient aspects of charity law in other common law jurisdictions … this work is an

exposition of the law pertaining to charitable objects, also encompassing the history of charity law, the privileges extended to charity and matters of jurisdiction vis-à-vis charity law. It concludes with a set of chapters dedicated to the reform of this area of law. Law of Charity is the ideal companion to Taxation of Charities and Not-for-profits, which is the essential resource for those who need to master nonprofit tax issues or provide sound professional advice to the sector.

WORKPLACE BULLYING Abstract from LexisNexis

J Catanzariti & K Egan 2nd ed LexisNexis 2021 PB $14000

With the addition of bullying provisions in the Fair Work Act 2009 (Cth), workplace bullying was finally acknowledged by the law. The Fair Work Commission was conferred a wide range of powers to deal with complaints about workplace bullying. Naturally, many employers took an interest in the legal ramifications of this burgeoning area of law. Aside from the legal risks, workplace bullying has the capacity to inflict great psychological harm upon its victims.

The second edition of Workplace Bullying explores, in greater depth, the psychological aspect of such bullying and its damaging effects. Workplace Bullying offers advice on how a toxic workplace environment can be prevented from forming. It provides a practical guide to victims of workplace bullying regarding how they can recover and build resilience, and an overview of new legal developments in this evolving area of law

FAMILY PROVISION IN AUSTRALIA Abstract from LexisNexis Family Provision in Australia is a frequently cited text in various court judgments across all states and territories, including the High Court and Federal Court of Australia as well as the

Court of Appeal-Civil Division and Chancery Division of England and Wales. It includes a comprehensive checklist, case tables, forms, precedents and extracts of relevant state and territory legislation.

J de Groot & B Nickel 6th ed LexisNexis 2021 PB $260.00

April 2022 THE BULLETIN

GAZING IN THE GAZETTE

3 FEB 2021 – 2 MAR 2022 ACTS PROCLAIMED Statutes Amendment (Fund Selection and Other Superannuation Matters) Act 2021 (No 16 of 2021) Commencement Part 2: 30 November 2022 Gazetted: 3 February 2022, Gazette No. 7 of 2022 Statutes Amendment (Child Sexual Abuse) Act 2021 (No 57 of 2021) Commencement: 1 June 2022 Gazetted: 17 February 2022, Gazette No. 9 of 2022

A MONTHLY REVIEW OF ACTS, APPOINTMENTS, REGULATIONS AND RULES COMPILED BY MASTER ELIZABETH OLSSON OF THE DISTRICT COURT OF SOUTH AUSTRALIA

Statutes Amendment (Local Government Review) Act 2021 (No 26 of 2021), Commencement s 126 but only insofar as it inserts ss 262G and 262J into Local Government Act 1999: 17 February 2022 Gazetted: 17 February 2022, Gazette No. 9 of 2022

RULES Legal Practitioners Act 1981 Rules of the Legal Practitioners Education and Admission Council 2018 Gazetted: 17 February 2022, Gazette No. 9 of 2022

ACTS ASSENTED TO Nil

APPOINTMENTS Nil

REGULATIONS PROMULGATED (3 FEBRUARY 2022 – 2 MARCH 2022) REGULATION NAME

REG NO. DATE GAZETTED

Southern State Superannuation (Fund Selection and Other Matters) Amendment Regulations 2022

7 of 2022

3 February 2022, Gazette No. 7 of 2022

Child Safety (Prohibited Persons) Amendment Regulations 2022

8 of 2022

3 February 2022, Gazette No. 7 of 2022

Youth Justice Administration Amendment Regulations 2022

9 of 2022

3 February 2022, Gazette No. 7 of 2022

Road Traffic (Miscellaneous) (Road Closing and Exemptions for Events) Amendment Regulations 2022

10 of 2022 10 February 2022, Gazette No. 8 of 2022

Harbors and Navigation (Miscellaneous) Amendment Regulations 2022

11 of 2022 10 February 2022, Gazette No. 8 of 2022

Summary Offences (Vehicle Immobilisation Device) Amendment Regulations 2022

12 of 2022 10 February 2022, Gazette No. 8 of 2022

Freedom of Information (Exempt Agency) (Public Advocate) Amendment Regulations 2022

13 of 2022 17 February 2022, Gazette No. 9 of 2022

Guardianship and Administration (Fee Notices) Amendment Regulations 2022

14 of 2022 17 February 2022, Gazette No. 9 of 2022

Mental Health (Fee Notices) Amendment Regulations 2022

15 of 2022 17 February 2022, Gazette No. 9 of 2022

Health Practitioner Regulation National Law (South Australia) (Telepharmacy) Amendment Regulations 2022

16 of 2022 17 February 2022, Gazette No. 9 of 2022

Fisheries Management (General) (Hand Fish Spear and Spear Gun) Amendment Regulations 2022

17 of 2022 17 February 2022, Gazette No. 9 of 2022

Fisheries Management (Demerit Points) (Hand Fish Spear and Spear Gun) Amendment Regulations 2022

18 of 2022 17 February 2022, Gazette No. 9 of 2022

Land Acquisition (Miscellaneous) Amendment Regulations 2022

19 of 2022 17 February 2022, Gazette No. 9 of 2022

42 THE BULLETIN April 2022

CLASSIFIEDS

VALUATIONS MATRIMONIAL

Banking Expert

INSURANCE

Lending & recovery decisions, including: Banking Code issues, finance availability, capacity to settle, and loan enforcement.

TAX REALIGNMENT

Geoff Green 0404 885 062

INSOLVENCY

Details of qualifications and experience, including giving evidence in the FCA, VSC and SICC, via:

DECEASED ESTATES

FURNITURE ANTIQUES, COLLECTIONS BUSINESS ASSETS MACHINERY MOTOR VEHICLES CARS, BOATS, PLANES

CITY & COUNTRY ROGER KEARNS Ph: 08 8342 4445 FAX: 08 8342 4446 MOB: 0418 821 250 E: auctions@senet.com.au Certified Practising Valuer NO.346 Auctioneers & Valuers Association of Australia

BankingExpertWitness.com.au

VALUER Commercial & Residential Real Estate Matrimonial Deceased Estates Rentals etc. Experienced Court Expert Witness

Liability limited by a scheme approved under Professional Standards Legislation

JANET HAWKES

Business valuations Simple, clear, unbiased advice, without fear or favour.

t. +61 8 431 80 82 Hugh McPharlin FCA

d m e w

Andrew Hill Investigations

ABN 68 573 745 238 Investigating: • workplace conduct • fraud • unprofessional conduct • probity Support services: Andrew Hill • forensic computing analysis • transcription services • information sessions, particularly for HR practitioners on the investigative process • policy development. PO Box 3626

m. 401 712 908 +61+61 8 8139 1130

+61 419 841 780 e. ahi@andrewhillinvestigations.com.au hmcpharlin@nexiaem.com.au nexiaem.com.au

NORWOOD SA t. 5067 +61

8 431 80 82 m. +61 401 712 908 e. ahi@andrewhillinvestigations.com.au Fellow AIPI

Consulting Engineers Australian Technology Pty Ltd for expert opinion on: • Vehicle failure and accidents • Vehicle design • Industrial accidents • Slips and falls • Occupational health and safety • Statistical analysis W. Douglass R. Potts MAOQ, FRAI, FSAE-A, FIEAust, CPEng, CEng, FIMechE

8271 4573 0412 217 360

Cert. Practising Valuer, AAPI 0409 674 122 janet@gaetjens.com.au

wdrpotts@gmail.com

Licensed Investigation Agents & Process Servers Servicing the Mid North, Yorke & Eyre Peninsula`s and Outback of South Australia with: • Process Serving • Property Lockouts • Investigations • Missing Persons

OUTBACK BUSINESS SERVICES

P.O. Box 591, PORT AUGUSTA. 5700 P: 0418 838 807 info@outbackbusinessservices.com.au

Family Law - Melbourne

CONSULTING ACTUARIES

LawCare

The LawCare Counselling Service is for members of the profession or members of their immediate family whose lives may be adversely affected by personal or professional problems. If you have a problem, speak to the LawCare counsellor Dr Jill before it overwhelms you. Dr Jill is a medical practitioner highly qualified to treat social and psychological problems, including alcoholism and drug abuse. The Law Society is pleased to be able to cover the gap payments for two consultations with Dr Jill per patient per financial year. All information divulged to the LawCare counsellor is totally confidential. To contact Dr Jill 08 8110 5279 7 days a week LawCare is a member service made possible by the generous support of Arthur J. Gallagher

The Litigation Assistance Fund (LAF) is a non-profit charitable trust for which the Law Society acts as trustee. Since 1992 it has provided funding assistance to approximately 1,500 civil claimants. LAF receives applications for funding assistance from solicitors on behalf of civil claimants seeking compensation/ damages who are unable to meet the fees and/or disbursements of prosecuting their claim. The applications are subjected to a means test and a merits test. Two different forms of funding exist – Disbursements Only Funding (DOF) and Full Funding. LAF funds itself by receiving a relatively small portion of the monetary proceeds (usually damages) achieved by the claimants whom it assists. Claimants who received DOF funding repay the amount received, plus an uplift of 100% on that amount. Claimants who received Full Funding repay the amount received, plus 15% of their damages. This ensures LAF’s ability to continue to provide assistance to claimants. LAF recommends considering whether applying to LAF is the best course in the circumstances of the claim. There may be better methods of obtaining funding/ representation. For example, all Funding Agreements with LAF give LAF certain rights including that funding can be withdrawn and/or varied. For further information, please visit the Law Society’s website or contact Annie MacRae on 8229 0263.

Marita Bajinskis

formerly of Howe Martin & Associates is a Principal at Blackwood Family Lawyers in Melbourne Marita is an Accredited Family Law Specialist and can assist with all family law matters including: • • • •

matrimonial and de facto property settlements superannuation children’s issues

3/224 Queen Street Melbourne VIC 3000 T: 03 8672 5222

Marita.Bajinskis@ blackwoodfamilylawyers.com.au www.blackwoodfamilylawyers.com.au

FOR PROFESSIONAL ACTUARIAL ADVICE ON - Personal Injury - Workers Compensation - Value Of Superannuation Contact

Deborah Jones, Geoff Keen or Victor Tien 08 8232 1333 contact@brettandwatson.com.au www.brettandwatson.com.au

Ground Floor 157 Grenfell Street Adelaide SA 5000 April 2022 THE BULLETIN

We manage one of SA’s largest social media accounts. boylen.com.au

P (08) 8233 9433

The Bulletin - Law Society of South Australia

Articles inside

Risk Watch: Control Your Trolls Protecting Your Practice on Social Media practitioners – By Kate Marcus

Gazing in the Gazette

Family Law Case Notes

Wellbeing & Resilience Doomscrolling: What is it and how

Tax Files: Trust Distribution Alerts

Tour de France 2021: Avoiding the Domino Effect in the Peloton

Governing Cybersecurity: critical infrastructure, spies & consumers

An Analysis of the Law Society’s Cloud Computing Guidelines

Legal implications of ransomware attacks for legal practitioners and their

Facial recognition technology the law: Are existing privacy &

President’s Message

Djokovic rallied to secure release before the ministerial discretions proved a winner

It’s time to get our heads out of the sand and into the cloud

From the Editor