Issue 12 of our Cyber, Privacy & Technology Report is here! Covering key developments and insights for insurers, brokers, and their customers operating in the cyber, privacy, and technology sectors.
This issue covers significant updates in Australia, including a new statutory tort for invasions of privacy becoming law. New cyber reporting obligations have commenced – including mandatory reporting of ransom payments for certain businesses, and cyber incident reporting obligations for data storage asset operators. Meanwhile, a new mandatory data breach reporting scheme has commenced in Queensland.
In technology, the Federal Court of Australia has ordered the owner of a software patent to provide security for costs in proceedings for alleged patent infringement, while the CrowdStrike outage from 2024 continues to be contested in courts.
In New Zealand, there are new redress mechanisms for victims of fraud, while Māori data sovereignty takes a spotlight following the country’s privacy week. In Thailand, there are major enhancements to its cybercrime prevention framework, and in Singapore, we look at guidelines for children’s data and privacy.
We hope you find this edition both insightful and practical in navigating the ever-evolving cyber and technology landscape.
If you’d like to discuss any of the topics covered, please don’t hesitate to reach out to a member of our team or click here to find out more.
24/7 Cyber Hotline
Wotton Kearney operate a cyber incident response hotline that is monitored 24/7 by our dedicated team of breach response lawyers. By using a lawyer as an incident manager, we can immediately protect key reports and other sensitive communications with your customer and other vendors under legal professional privilege.
To access our hotline, please click here.
Australia
On 13 May 2025, the Office of the Australian Information Commissioner (OAIC) released its latest biannual report on the Notifiable Data Breaches (NDB) scheme under the Privacy Act 1988 (Cth), covering the period from July to December 2024.
Statistics snapshot
- Total notifications: 595 breaches were reported – a 15% increase from the first half of 2024.
- Top sectors affected: Health service providers (20%) reported the most breaches, followed by Government (17%), Finance and Superannuation (9%), Legal, Accounting and Management Services (6%), and Retail (6%).
- Breach sources: Most breaches resulted from malicious or criminal attacks (69%), followed by human error (29%).
- Cyber incidents: 42% of reported breaches involved cyber security incidents. The leading attack method was phishing and credential theft (34%), followed by ransomware (24%).
- Impact scale: Most breaches affected 100 or fewer individuals. However, at least 10 incidents impacted over 100,000 people, with two large-scale breaches affecting up to 1 million.
- Data types: Contact information (82%) and identity information (63%) were the most frequently compromised categories of personal information.
Key takeaways
- Breach notifications on the rise: The 595 notifications received by the OAIC in the second half of 2024 contributed to a 25% year-on-year increase. Health service providers again reported the most breaches, likely reflecting both greater reporting awareness and the sector’s elevated risk profile, given the sensitivity of the data held and the prevalence of complex, legacy IT environments.
- Public sector still slower to respond: Despite some improvement, Australian Government agencies continue to take longer than the private sector to detect and report data breaches. In this reporting period, 66% took over 30 days to notify the OAIC. The OAIC emphasised the importance of agencies holding personal information securely and having an action plan should a breach occur, particularly as individuals often have no choice but to provide personal information to access government services (see ‘OAIC stats show record year for data breaches’: www.oaic.gov.au/news/media-centre/oaic-stats-show-record-year-for-data-breaches).
- Impersonation-based attacks increasing: The latest reporting period saw a sharp rise in breaches involving social engineering and impersonation, particularly within the public sector. The Australian Government reported a 46% increase in such incidents compared to the first half of the year. In a recent blog post, the OAIC has flagged these methods as an area of growing concern, underscoring the need for improved awareness and preventative measures.
Consultation was recently sought from parents and children as part of the Office of the Australian Information Commissioner (OAIC)’s development of a new Children’s Online Privacy Code.
What is the Children’s Online Privacy Code?
In a suite of amendments to the Privacy Act 1988 (Cth) (Privacy Act) passed in December 2024 (See Privacy and Other Legislation Amendment Act 2024 (Cth) sch 1 pt 4), a mandate was introduced for the OAIC to develop a Children’s Online Privacy Code (COP Code) that will set out ‘how one or more of the Australian Privacy Principles (APPs) are to be applied or complied with in relation to the privacy of children’ (Explanatory Memorandum, Privacy and Other Legislation Amendment Bill 2024 (Cth)).
Acknowledging the significant public interest and community expectations in protecting the rights and safety of children, mandating the COP Code be developed by the OAIC is a deliberate step to ensure the COP Code is developed free from regulatory bias and conflicting commercial interests. The COP Code is also a positive act towards meeting Australia’s international obligations under Article 16 of the Convention on the Rights of the Child (Ibid).
Who will the COP Code Apply to?
Generally speaking, agencies or organisations with an annual turnover greater than $3M (subject to exceptions) are subject to the Privacy Act and labelled an ‘APP entity’. The COP Code will be enforceable upon APP entities that provide ‘a social media service, relevant electronic service or designated internet service’ that ‘is likely to be accessed by children’ and is ‘not providing a health service’, or upon other entities specified in the COP Code (Privacy Act s 26GC(5)).
As a ‘child’ is defined to be anyone under the age of 18, the COP Code is likely to have a broad scope, potentially capturing a wide range of online services beyond the well-known social media platforms.
Penalties for Non-compliance
Since the COP Code will be released as a ‘registered APP code’ under the Privacy Act, breaches of the COP Code may constitute an interference with the privacy of an individual, the civil penalties for which could exceed $50M in serious and / or repeated circumstances.
Takeaways for Organisations
The introduction of the COP Code is likely to result in a significant shift in how organisations approach the handling of children’s personal information online. For many entities, particularly those whose digital services are accessible by users under 18, this could mean a substantial review and overhaul of existing privacy practices, data handling procedures, and user interface design to ensure compliance with child-centric privacy principles.
Importantly, it’s not only relevant for entities providing digital services. Organisations that use such services, including those in sectors like childcare and education, may also need to review procurement policies and audit platforms and tools currently in use to ensure they align with the COP Code’s requirements.
With the COP Code expected to be finalised and in force by December 2026, organisations should begin assessing their exposure and preparing for compliance now. Early engagement with the OAIC’s consultation process is also an important opportunity for organisations to contribute to the Code’s development and shape practical, workable obligations.
Following the current consultation, the draft code is expected to be released for public consultation in early 2026 which will provide another opportunity for organisations to share their feedback and also plan ahead for potential future obligations.
From 10 June 2025, serious invasions of privacy became legally actionable in Australia. This marks a major reform, introducing a new privacy tort that allows individuals to bring claims for either intrusions upon seclusion (such as unauthorised surveillance) or misuse of private information.
WK breaks down the tort in further detail including the elements, overlaps with defamation law and limitation periods here.
Significant changes to Queensland’s privacy legislation commenced on 1 July 2025, with the implementation of the Information Privacy and Other Legislation Amendment Act 2023 (IPOLA Act). These reforms aim to enhance the protection of personal information while improving transparency and accountability within Queensland Government agencies.
Introduction of the Mandatory Notification of Data Breaches Scheme
A central feature of the IPOLA Act is the establishment of the Mandatory Notification of Data Breaches (MNDB) scheme. From 1 July 2025, Queensland public sector agencies (excluding local governments, which have a deferred start date of 1 July 2026) will be required to notify affected individuals and the Office of Information Commissioner (OIC) when a data breach is likely to result in serious harm.
Under the MNDB scheme, agencies must:
- Contain the breach and mitigate harm: Take immediate steps to contain the breach and reduce potential harm to individuals.
- Assess the breach: Determine whether the breach is an ‘eligible data breach’ (likely to result in serious harm).
- Notify affected individuals and the OIC: If an eligible data breach, promptly notify any affected individuals and the OIC.
- Maintain a data breach register: Keep a record of all data breaches, including those not deemed eligible, to monitor patterns and improve data protection measures.
Notably, the assessment and notification requirements are similar to the Notifiable Data Breach Scheme under the Privacy Act 1988 (Cth).
OIC Queensland has released guidelines to assist agencies in understanding and complying with the MNDB scheme.
Consolidated Queensland Privacy Principles (QPPs)
The IPOLA Act introduces a new, single set of Queensland Privacy Principles (QPPs) (replacing a prior set of dual principles). These are also similar to the Australian Privacy Principles under the Privacy Act 1988 (Cth).
The OIC has published guidelines to help agencies understand and implement the QPPs effectively.
Enhanced Powers for the Information Commissioner
The IPOLA Act enables the Information Commissioner to enforce compliance with privacy obligations. The Commissioner’s enhanced powers include:
- Investigative authority: The Commissioner can initiate investigations into potential privacy breaches or non-compliance with the IP Act.
- Issuance of compliance notices: The Commissioner can issue notices requiring agencies to take specific actions to comply with privacy obligations.
- Development of guidelines: The Commissioner can develop and publish guidelines to assist agencies in understanding and meeting their privacy responsibilities.
In 2024, the Western Australian (WA) Parliament passed the Privacy and Responsible Information Sharing Act 2024 (PRIS Act) and the Information Commissioner Act 2024 (IC Act), together representing a major reform of the state’s data governance and privacy frameworks (see Privacy and Responsible Information Sharing Act 2024 (WA)).
The operative provisions of the PRIS Act will come into force on dates to be fixed by proclamation; it is anticipated that the privacy provisions of the Act will commence in 2026.
Key Features of the Privacy and Responsible Information Sharing Act 2024
Statutory Privacy Principles
The PRIS Act introduces a set of statutory privacy principles that govern how public entities handle personal information. They apply to all Western Australian public entities, including departments, agencies, Ministers, Parliamentary Secretaries and contracted service providers (Privacy and Responsible Information Sharing Act 2024 (WA) s 6).
Under the PRIS Act, personal information must only be:
- collected where it is necessary for lawful functions.
- collected fairly and transparently.
- stored securely and protected from unauthorised access or misuse.
- accurate and up to date.
- used or disclosed for the original purpose of collection or another lawful purpose.
The Act also establishes individuals’ rights to access and request corrections to their personal information, which, of course, only enhances transparency and accountability (Ibid s 10–12).
Complaint and Redress Mechanisms
Individuals who believe that their privacy has been interfered with can lodge complaints with the Information Commissioner. The Act outlines the process for handling complaints, including the Commissioner’s authority to investigate breaches, resolve disputes and issue compliance notices. This ensures a structured path for accountability and redress (Ibid s 45–55).
Regulated Information Sharing
A key part of the PRIS Act is the creation of a legal regime that supports and regulates the sharing of information across public sector entities. This is aimed at improving coordination, targeting services more effectively and, pertinently, enabling data-driven decision-making.
Public entities are permitted to share information provided that:
- there is a clear and lawful purpose for sharing.
- appropriate safeguards are in place (such as data minimisation and de-identification where feasible).
- individuals’ privacy rights are respected.
- information sharing arrangements (ISAs) are formalised, detailing what data will be shared, for what purpose and under what conditions.
The Act encourages agencies to adopt a ‘privacy by design’ approach, ensuring that privacy is integrated into the design of data systems and services (Ibid n 4).
The legal fallout from CrowdStrike’s July 2024 roll-out of a deadly software update that crippled Windows systems worldwide continues.
In October 2024, Delta Air Lines (Delta) filed a lawsuit against CrowdStrike seeking losses of over US$500M after its systems were part of the estimated 8.5 million Windows machines taken effectively offline following a defective update pushed to machines running CrowdStrike’s Falcon products (Outage) (see Connor Jones, ‘Judge allows Delta’s lawsuit against CrowdStrike to proceed with millions in damages on the line’, The Register (21 May 2025)).
In particular, Delta set forth the following substantive claims: 1) Computer Trespass, 2) Trespass to Personalty, 3) Breach of Contract, 4) Intentional Misrepresentation / Fraud by Omission and 5) Gross Negligence.
In May 2025, a US Judge ruled the airline can proceed to sue the cybersecurity company, mostly denying CrowdStrike’s motion to dismiss on the basis that Delta failed ‘to state a claim’. CrowdStrike’s general position was that the claims should be restricted by the terms of the contract under Georgia’s economic loss rule, which typically bars tort claims for purely financial damages stemming from a contractual relationship. The decision allows Delta to argue the Outage was directly to blame for the cancellation of over 7,000 flights, permitting all substantive claims to proceed, except for limiting the scope of claim (4) Intentional Misrepresentation.
Although a US case, the judgment could provide important guidance for organisations that provide and rely on similar cybersecurity / technology services and highlights the importance of understanding how liability is determined and attributed in negligence cases, whether in pursuit or defence of such claims.
Class Action Exposure in the Digital Supply Chain
Last month, the US District Court denied Delta Air Lines’ motion to dismiss a class action lawsuit arising from CrowdStrike’s 2024 “blue screens of death” outage (Bajra et al v. Delta Airlines, Inc., 1:24-cv-03477-MHC) (the Class Action Complaint).
“… the Plaintiffs bring this action in order to secure refunds for each and every similarly situated consumer Delta has wronged … as a direct and proximate result of the CrowdStrike outage”. — Class Action Complaint.
The plaintiffs’ success in keeping the case alive provides further evidence of the class action risks on the horizon for all high-profile victims of cyber incidents or IT systems failures, and the corresponding risks of technology / cybersecurity service providers being joined to those actions.
What began as a routine software update quickly escalated into a global operational crisis. The US District Court’s decision underscores that errors and omissions in IT deployments are no longer confined to operational risk, but carry significant corresponding liability and class action risk. It is abundantly clear that third-party technology service providers are exposed to parallel legal and regulatory risk travelling down the supply chain, from airlines to cybersecurity contractors. The Class Action Complaint’s emphasis on CrowdStrike’s “direct and proximate” role suggests the real possibility of Delta pressing a cross-claim against its vendor.
Although these risks have not yet come to fruition in the Australian class action landscape, the emergence of data breach class actions will, in particular, increase potential exposure for technology vendors. In a similar context, a Latitude Financial Services (Latitude) customer recently attempted to join DXC Technology and CrowdStrike to their $1 million compensation claim arising from the Latitude data breach in March 2023. The joinder bid, premised on CrowdStrike’s role as Latitude’s primary cybersecurity contractor, was ultimately dismissed on procedural grounds. Nonetheless, it spotlights a readiness by litigants to target specialist suppliers and growing legal exposure tied to third-party technology providers.
With Gordon Legal and Hayden Stephens & Associates probing a potential class action against Latitude over the theft of 7.9 million customer records, as well as the ongoing actions against Optus and Medibank (currently bogged down in procedural matters), IT vendors face a very real danger of being brought into class actions and similar proceedings.
In March 2025, the Digital Transformation Agency (DTA), in collaboration with the Australian Government Solicitor (AGS), released model contract clauses (Clauses) for use in ICT procurements involving systems that implement Artificial Intelligence (AI).
The new set of contract-friendly guidelines is designed to help government buyers and suppliers navigate the ever-evolving risks and responsibilities of working with AI. The Clauses reflect a growing recognition that AI procurement requires a tailored approach that balances innovation with accountability, safeguards and public trust. The Clauses’ primary objectives are to:
- mitigate operational and ethical risks associated with AI, such as bias, opacity, and unintended consequences,
- promote transparency and accountability, ensuring AI systems are auditable and explainable,
- align with national and international AI ethics principles, and
- ensure compliance with existing privacy, cybersecurity, and data governance laws.
The Clauses are drafted modularly for insertion into existing or new contracts, allowing government agencies to select and tailor only those provisions that are relevant to the specific nature, scope, and risk profile of the AI solution being procured.
Key Takeaways for Organisations
While originally designed for government procurement, the Clauses also serve as a useful reference for private sector organisations looking to develop or deliver AI-enabled products or contract with third parties to do so, in order to ensure responsible AI practices are incorporated into commercial contracts.
This includes a strong understanding of ethical obligations, such as Australia’s AI Ethics Principles, and the ability to demonstrate transparency regarding how AI systems function, how data is collected and used, and how decisions are made. Developers and sellers of AI-enabled systems should also implement, and be prepared to explain, risk management systems designed to alleviate the well-documented risks of AI (such as bias, confidentiality, accuracy and privacy).
The Federal Court of Australia has ordered the owner of a software patent, Advanced Technology Group (ATG), to provide security for costs in proceedings against Foxtel for alleged patent infringement (The Advanced Technology Group Pty Ltd v Foxtel Cable Television Pty Ltd [2025] FCA 408).
ATG alleges that Foxtel used its patented “Remote Content Download” technology to sell set-top boxes. ATG’s patent has since expired. Foxtel denies the allegations and has filed a cross-claim alleging that ATG’s patent is invalid.
In October 2023, Foxtel successfully applied for security for costs, which was granted on the basis that security would be paid in tranches. After ATG paid the first tranche, Foxtel applied to the Court to fix an amount for the second. ATG argued that it should be regarded as impecunious for the purposes of the application and that orders for further security would stultify the proceedings.
The Federal Court concluded there was no change in circumstances which would require it to depart from the previous orders, and that ATG had not provided sufficient evidence that further security would stultify the proceedings, given ATG reportedly holds $1.15m in intangible assets, in addition to the patent infringement claim itself, which ATG estimates is worth $12m.
In considering the availability of alternative funding sources, the Court declined to make findings about whether ATG’s solicitor, who acts on a ‘no win no fee’ basis and funded the first tranche of security, is a person who benefited from the litigation and therefore a potential source of funding. Instead, the Court found that ATG’s refusal to sell encumbered IP assets was inconsistent with ATG pursuing a high-value claim. The FCA ordered a second tranche of $260,000 in security be paid and directed ATG to pay 75% of Foxtel’s costs of the application.
Key Takeaways
- This case reinforces the principle that general assertions of impecuniosity are insufficient. An applicant must demonstrate that its proceedings would genuinely be stultified if security were ordered and provide clear evidence in support to avoid a security for costs order.
- The Federal Court confirmed that individuals or entities who stand to benefit from the litigation, such as directors, shareholders, or creditors, may reasonably be expected to contribute to the funding of the proceedings. If such parties have the means to assist, the applicant must explain why they cannot or will not do so.
- The judgment also reflects the Federal Court’s balancing of competing considerations of access to justice and protecting defendants from the risk of unrecoverable legal costs, particularly in complex and high-value litigation.
- Importantly, the case highlights that expired IP rights, such as expired patents, may still retain significant value where infringement claims remain unresolved beyond the patent’s expiry date.
The Digital Transformation Agency (DTA) has released a Major Digital Projects Report (view here) setting out the progress and impact of key Government digital initiatives. The report sets out 110 active digital projects categorised into three tiers based on complexity, strategic importance and risk. The projects span nine key sectors, including health and aged care, safety of Australians, resources and environment industry, infrastructure and business, agriculture and trade, social services, education and employment, government, and tax and superannuation.
Chris Fechner, CEO of the DTA, emphasised the importance of these initiatives, stating that “digital technologies underpin essential Australian Government services for people, businesses and communities.”
The report provides case studies to illustrate some of the enhancements to digital projects across key sectors, summarised below:
Passkey Technology in myGov
- myGov is now one of the first digital government platforms globally to adopt passkeys, significantly strengthening user protection and reducing the risk of credential-based cyber threats.
National Anti-Scam Centre Safeguards
- The National Anti-Scam Centre Safeguard project has implemented automated data sharing via APIs, resulting in the takedown of over 5000 scam websites.
ATO Data Centre Transformation Project
- The Australian Taxation Office (ATO) has completed a Data Centre Transformation project to modernise and secure its digital infrastructure, leading to fewer service interruptions, improved access to services and protection against scams.
From 30 May 2025, organisations considered to be ‘reporting business entities’ are required to submit a report to the Australian Signals Directorate (ASD) after making a ransomware or cyber extortion payment. The report to the ASD must be submitted within 72 hours of making the payment or becoming aware of a payment having been made on its behalf.
The legislation captures both monetary and non-monetary benefits that are given or exchanged to an extorting entity as being ransomware or cyber extortion payments. For example, this may include the exchange of gifts, services or other benefits to an entity in respect of the demand.
The obligations are prescribed under the Cyber Security Act 2024 (Cth) (the Act) and the Cyber Security (Ransomware Payment Reporting) Rules 2025 (the Rules).
Who needs to comply?
The obligation applies to ‘reporting business entities’ which are organisations that meet the annual turnover threshold of AUD $3 million or who are a responsible entity for a critical infrastructure asset under the Security of Critical Infrastructure Act.
What information needs to be reported?
The ASD’s reporting form is now live here. The form aligns with Section 27 of the Act, and requests the following information:
- Organisation details, including name, email address, organisation name, contact number, organisation address, ABN and website address.
- Details about the cyber security incident, including:
  - The date the incident occurred / is estimated to have occurred,
  - The date the entity became aware of the incident,
  - Whether it has impacted the infrastructure,
  - Whether it has impacted customers,
  - What variants of ransomware or malware were used (if any), and
  - What vulnerabilities were exploited in the entity’s systems (if any).
- A section requesting information about the demand made (monetary or non-monetary), payment information and confirmation of whether communication has been made with the extorting entity.
- A non-compulsory section where reporting businesses can elect to provide additional information.
What happens if the report is not made within the prescribed 72-hour timeframe?
A failure to comply with the reporting obligations could incur a civil penalty of 60 penalty units which equates to $19,800. However, the Government has advised that it will be adopting an ‘education-first’ approach initially, with a focus on assisting and supporting entities to meet their legal obligations in the first six months before they will transition into a more active regulatory focus (view factsheet).
Organisations are recommended to carefully review the guidance and requirements if they are considering paying a ransom or extortion demand, to ensure the 72-hour time period is met.
Recent reforms to the Privacy Act 1988 (Cth), new cyber security legislation, and other regulatory developments have introduced a range of reporting obligations for APP entities – including mandatory reporting of ransomware payments. We recently prepared a quick guide covering key reporting timeframes, processes, and penalties for non-compliance. Click here to view.
Reforms under the Security of Critical Infrastructure Act 2018 (Cth) (SOCI Act) took effect on 4 April 2025, introducing expanded compliance obligations for critical infrastructure owners and operators.
Who’s in scope?
The updated SOCI Rules designate two new classes of assets as critical infrastructure:
- Critical data storage or processing assets: capturing systems that store or process “business critical data” on behalf of another entity.
- Critical telecommunications assets: extending the government’s regulatory oversight of services provided by major telcos, ISPs and other carriage service providers.
For many businesses (particularly cloud storage providers, data centre operators and SaaS platforms), these changes could mark the first time they’ve had to consider obligations under the SOCI regime.
New risk management and rapid incident reporting obligations
Entities responsible for these newly captured assets must now comply with Part 2A of the SOCI Act, which requires the implementation of a Critical Infrastructure Risk Management Program (CIRMP). The CIRMP must address material risks arising from:
- unauthorised access to or control of systems,
- impairment of availability, integrity, reliability or confidentiality, and
- physical or cyber threats that could impact asset continuity.
Notably, boards must approve and oversee the program, and directors may be held accountable for systemic failures to meet these obligations.
Responsible entities for an applicable critical infrastructure asset must report actual or imminent cyber security incidents to the Australian Cyber Security Centre:
- within 12 hours of becoming aware of the incident if it has had, or is having, a “significant impact” on the asset – including a material disruption on the provision or availability of essential goods or services,
- within 72 hours of becoming aware of the incident if it has had, or is having, a “relevant impact” on the availability, integrity or reliability, or the confidentiality of information about or stored on the asset.
Telco-specific directions regime now active
The reforms also expand the Commonwealth’s direct intervention powers over critical telecommunications assets. Under new provisions, the Minister for Home Affairs can:
- require an entity to cease using or supplying a particular carriage service where a national security risk is identified, and
- issue risk mitigation directions to address known vulnerabilities.
Penalties and enforcement
Failure to comply with SOCI obligations attracts civil penalties of up to $44,400 per contravention. SOCI laws also allow the Department of Home Affairs to:
- seek injunctions and enforceable undertakings,
- compel audits or technical assessments, and
- issue directions to rectify compliance breaches.
Key takeaways
The expansion of the SOCI regime reflects the Australian Government’s sharpened focus on cyber resilience across digital infrastructure, particularly where services are cloud-based, distributed, or foreign-hosted.
Businesses involved in data storage, hosting, or telecommunications should now:
- review whether they now fall within the definition of a “responsible entity” under the SOCI Act,
- assess the adequacy of existing cybersecurity governance and incident response capabilities, and
- prepare for increased regulatory scrutiny, including the potential for reporting obligations and an uptick in engagement with government regulators.
The 2025–26 Federal Budget focused on building upon and strengthening existing cybersecurity initiatives. The Government reinforced its support for strengthening the digital and cyber defences of small businesses, with $60 million previously committed in the 2023–24 Budget (Budget Paper No. 1 available at: https://budget.gov.au/content/bp1/index.htm).
Support for cyber capabilities and resilience are woven into broader funding initiatives, including:
- $15–20 billion from the $330 billion allocated to the Defence Integrated Investment Program will be directed toward developing defensive and offensive cyber capabilities (view here),
- $44.6 million allocated to the Office of National Intelligence to implement key priorities stemming from the 2024 Independent Intelligence Review. The Review frequently references cyberthreats, their impacts, and the growing role of the Australian Signals Directorate in securing the country. The ASD is likely to receive additional funding through this investment (view here), and
- $5.3 million allocated to the Office of the Australian Information Commissioner to continue its oversight of Digital ID and Identity Verification Services (view here).
Following on from the Full Federal Court’s decision in the Optus data breach class action, the Federal Court has again found that forensic reports commissioned in the aftermath of a cyber incident may not attract legal professional privilege if the company seeks to use those reports for non-legal purposes, including to give comfort to customers and regulators.
New Zealand
As addressed in previous cyber bulletins, the New Zealand Banking Association (NZBA) has been under pressure from the government to implement measures to combat payment fraud. This was discussed in our December 2024 Cyber, Privacy & Technology Report. In response, the NZBA has now updated the Code of Banking Practice to include a voluntary redress mechanism for victims of fraud. These changes will come into force on 30 November 2025.
Under the revised Code, members will reimburse fraud victims up to NZD 500,000 under a new voluntary reimbursement scheme. The scheme applies only in a limited set of circumstances – for example, where the fraud affects a private individual who is deemed to have taken “reasonable care”.
The updated Code also introduces a range of supplementary measures to combat fraud, some of which are already widely implemented and in use:
- Implementation of mechanisms to identify high-risk transactions and unusual account activity, and the ability to delay and prevent payments.
- Pre-transaction warnings for certain payments.
- Confirmation of payee: checking that the name of the person the customer is paying matches the account number.
- A 24/7 reporting channel for customers to report scams.
- Information sharing with other banks to identify “mule” and other malicious accounts.
While a step in the right direction, the changes to the Code are relatively limited in practice. Whether the reimbursement regime makes a significant difference for many insureds remains to be seen. Given the range of caveats in place, we anticipate that the cost of most payment frauds will still fall on the victims and their insurers.
New Zealand’s annual Privacy Week ran from 12-16 May 2025. As part of the week, the Privacy Commissioner, Michael Webster, delivered an address on the state of privacy in New Zealand and key developments over the past year. These include:
- The Office of the Privacy Commissioner (OPC) received 1,003 complaints and 864 breach notifications over the past year (see the OPC’s 2024 Annual Report for details). The Commissioner observed that the majority of notified breaches were caused by malicious and intentional actions, including employee browsing.
- The Commissioner discussed key findings from the 2025 Privacy Survey, released in May. Notably, 82% of respondents expressed a desire for more control and choice over the collection and use of their personal information, and 77% believed the Commissioner should have the power to ask a court to issue large fines for serious privacy breaches.
- The Commissioner also outlined key areas of focus for the coming year, including modernising the Privacy Act 2020 (the Act) in light of significant technological advances. This involves recommending a set of amendments to the Act, and engaging with indigenous communities to support the exercise of their privacy rights through collaboration and consultation.
- The OPC has identified three strategic areas of focus:
- Firstly, to provide guidance and develop processes to support the implementation of legislative and regulatory privacy initiatives.
- Secondly, to engage with agencies to build their privacy capabilities and to empower New Zealanders to assert their privacy rights.
- Thirdly, to focus its activities on the technological and digital innovations being adopted by organisations and businesses.
- To conclude his speech, the Commissioner emphasised that it is a false dichotomy to frame privacy as being in opposition to public order or innovation. The regulator’s view is not “either/or”: the objective is to protect privacy effectively while achieving those other goals.
In light of the Commissioner’s speech, we expect the regulator to release further guidance to assist organisations’ compliance with the Act. We also anticipate a more proactive approach from the OPC in advocating for its enforcement powers to be strengthened.
Another key focus of Privacy Week 2025 was Māori data sovereignty, a unique feature of New Zealand’s data protection and privacy landscape. Tahu Kukutai (Professor at University of Waikato, Te Ngira Institute for Population Research, author, and Māori data sovereignty expert) and Jesse Porter (a Senior Privacy Advisor at Oranga Tamariki) discussed Māori data sovereignty in a presentation titled “Māori Data Privacy – Time to Take it Seriously”.
The presentation offered an insightful look into the evolution of Māori data sovereignty and how Māori data rights may be viewed through a tikanga lens. Māori concepts of privacy and data protection can differ from the traditional, individualistic view of privacy protection under the Privacy Act 2020. While individual privacy remains an important consideration, Māori data sovereignty also recognises privacy as a collective right. There are statutory and case law precedents supporting this perspective. For example:
- Section 21(c) of the Privacy Act 2020 requires the Privacy Commissioner to take cultural perspectives on privacy into account when performing statutory functions.
- In Te Pou Matakana Limited v Attorney-General, the High Court determined that collective notions of privacy prevailed. In particular, the Court concluded that when exercising its powers to disclose information under the Health Information Privacy Act 2020 the Ministry of Health should do so in accordance with Te Tiriti o Waitangi (Te Tiriti) and its principles.
The presentation underscored the importance of considering Māori data sovereignty principles in a given context. A striking example referenced the recent bankruptcy of 23andMe in the United States and the resulting concerns around the handling and sale of users’ genetic data. The speakers highlighted that this raises interesting questions about the interplay between an individual’s genetic data and their consent to participate in such testing, and the collective right of relatives and ancestors to that (arguably shared) genetic data.
Thailand
Thailand has introduced major enhancements to its cybercrime prevention framework, with new obligations for financial institutions and criminal offences targeting the misuse of personal data. There are expanded reporting requirements for digital asset businesses, a new central cybercrime authority, and new criminal offences targeting data misuse and SIM trading.
Singapore
In 2024, the Personal Data Protection Commission released a 13-page document setting out guidelines on children’s personal data rights in the digital environment, aimed at organisations providing services or products likely to be accessed by children.
The Guidelines do not modify the Personal Data Protection Act, but rather provide guidance on practical considerations organisations ought to take into account when considering their obligations under the PDPA.
For example:
- Notification: In communication with children regarding the consequences of their providing and withdrawing consent, organisations ought to use age-appropriate language and media to ensure that the key concepts are readily understandable by their audience.
- Consent: A child aged 13 to 17 may give valid consent to the collection, use and disclosure of his/her data where the policies on the collection, use and disclosure of that data are readily understandable by the child. If the organisation believes the child lacks sufficient understanding, notwithstanding that the child is 13 or older, consent should still be sought from a parent or guardian.
- Reasonable Purpose: Collecting children’s data in a way that would be harmful to the children would likely be deemed an unreasonable purpose and therefore in violation of the PDPA, as would using children’s data to target harmful or inappropriate content at the child. Examples of reasonable purposes include age verification and assurance, to ensure that only age-appropriate content is made available to the child, and using data on the child’s use of the service (such as search terms) to direct the child to safety information.
- Accountability: Organisations ought to conduct data protection impact assessments to identify and address data risks posed to children who access their products or services. The Guidelines include a sample questionnaire for such impact assessments.
- Data Breach Notification: In notifying child data subjects of data breaches, organisations ought to proactively inform the child’s parents or guardians as well, so that the parents/guardians are in a position to mitigate the harm of the breach. If this is not possible, the organisation ought to advise the child, in easily understandable language, to inform his/her parent/guardian of the data breach.
These Guidelines are likely to be of renewed interest given the proliferation of deepfakes, identity theft and other malicious uses of data uploaded to social media by children and teenagers.