Dude, Where’s My Data? The Effectiveness of Laws Governing Data Breaches in Australia

Main Article Content

Jack Hile https://orcid.org/0000-0002-8288-5388

Keywords

Data Breach, Privacy, General Data Protection Regulation, Legal Reform

Abstract

The increasing prevalence of large-scale data breaches prompted Australia to strengthen the Privacy Act by enacting the Privacy Amendment (Notifiable Data Breaches) Act to regulate the behaviour of entities entrusted with personal data. However, this paper argues that these legislative instruments are ineffective when dealing with data breaches and their associated problems. In supporting this conclusion, this paper first develops a criterion for effective data breach law, and then evaluates the Australian framework against this criterion to determine its operational effectiveness. In addition, this paper analyses practical developments in the area of data-breach law to garner insights as to how the Australian framework can be made more effective. Ultimately, this paper concludes that the Australian framework is ineffective when dealing with large-scale data breaches, and recommends future legislative amendment as a means of bolstering its effectiveness.

Downloads

Download data is not yet available.
Abstract 1283 | 381-PDF-v9n2pp47-68 Downloads 45

References

Abel, L. (2012). Turner v Rogers and the Right of Meaningful Access to the Courts. Denver University Law Review, 89(4), 805-823.
Aguirre, E., Mahr, D., Grewal, D., De Ruyter, K., & Wetzels, M. (2015). Unraveling the Personalization Paradox: The Effect of Information Collection and Trust-Building Strategies on Online Advertisement Effectiveness. Journal of Retailing, 91(1), 34-49. http://dx.doi.org/10.1016/j.jretai.2014.09.005
Alazab, M., Hong, S., & Ng, J. (2021). Louder bark with no bite: Privacy protection through the regulation of mandatory data breach notification in Australia. Future Generation Computer Systems, 116, 22-29. https://doi.org/10.1016/j.future.2020.10.017
Australian Broadcasting Corporation v Lenah Game Meats (2001) 208 CLR 199.
Australian Competition and Consumer Commission. (2019). Digital platforms inquiry - final report. Canberra: Commonwealth of Australia. Available at https://www.accc.gov.au/system/files/Digital%20platforms%20inquiry%20-%20final%20report.pdf
Australian Government. (2019). Regulating in the digital age: Government Response and Implementation Roadmap for the Digital Platforms Inquiry. Available at https://treasury.gov.au/sites/default/files/2019-12/Government-Response-p2019-41708.pdf
Australian Law Reform Commission. (2008). For your information: Australian privacy law and practice (108). Available at https://www.alrc.gov.au/publication/for-your-information-australian-privacy-law-and-practice-alrc-report-108/
Australian Law Reform Commission. (2014). Serious invasions of privacy in the digital era (123). Available at https://www.alrc.gov.au/wp-content/uploads/2019/08/final_report_123_whole_report.pdf
Bergelson, V. (2003). It’s Personal But Is It Mine? Toward Property Rights in Personal Information. University of California Davis Law Review, 37(2), 379-452.
Brooks, R. (1998). Deterring the Spread of Viruses Online: Can Tort Law Tighten the Net. Review of Litigation, 17(2), 343-392.
Bungard, M. (2020, September 7). Service NSW cyber attack: Data of 186,000 customers leaked. The Sydney Morning Herald. Available at https://www.smh.com.au/national/nsw/data-of-186-000-customers-leaked-in-service-nsw-cyber-attack-20200907-p55t7g.html
Campbell, J., Goldfarb, A., & Tucker, C. (2015). Privacy Regulation and Market Structure. Journal Of Economics & Management Strategy, 24(1), 47-73. https://doi.org/10.1111/jems.12079
Carbonara, E., Guerra, A., & Parisi, F. (2016). Sharing Residual Liability: The Cheapest Cost Avoider Revisited. The Journal Of Legal Studies, 45(1), 173-201. https://doi.org/10.1086/685498
Christiani, T. A. (2016). Normative and empirical research methods: Their usefulness and relevance in the study of law as an object. Procedia - Social and Behavioural Sciences, 219, 201-207. https://doi.org/10.1016/j.sbspro.2016.05.006
Coyne, A. (2015, July 17). Starved of funding, resources, OAIC is left to shrivel. IT News. Available at https://www.itnews.com.au/blogentry/starved-of-funding-resources-oaic-is-left-to-shrivel-405273
Daly, A. (2018). The introduction of data breach notification legislation in Australia: A comparative view. Computer Law & Security Review, 34(3), 477-495. https://doi.org/10.1016/j.clsr.2018.01.005
Dari-Mattiacci, G., & Garoupa, N. (2007). Least-Cost Avoidance: The Tragedy of Common Safety. Journal Of Law, Economics, And Organization, 25(1), 235-261. https://doi.org/10.1093/jleo/ewm052
Darmstadt Regional Court, 13 O 244/19, 26 May 2020
Dolbow, L. (2017). Introduction: The Power of New Data and Technology. Vanderbilt Law Review, 70(6), 1935-1938.
Düsseldorf Labor Court, 9 Ca 6557/18, 5 March 2020.
Frankfurt District Court, 385 C 155/19, 10 July 2020.
Geistfeld, M. (2017). Protecting Confidential Information Entrusted to Others in Business Transactions: Data Breaches, Identity Theft, and Tort Liability. Depaul Law Review, 66(2), 385-412. https://via.library.depaul.edu/law-review/vol66/iss2/4
Glickman, P., Glady, N. (2015, October 14). What’s the value of your data? TechCrunch. Available at https://techcrunch.com/2015/10/13/whats-the-value-of-your-data/
Goggin, G., Vromen, A., Weatherall, K., Martin, F., & Sunman, L. (2019). Data and digital rights: recent Australian developments. Internet Policy Review, 8(1). https://doi.org/10.14763/2019.1.1390
Jamison, S. (2019). Creating a National Data Privacy Law for the United States. Cybaris, An Intellectual Property Law Review, 10(2), 1-40. https://open.mitchellhamline.edu/cybaris/vol10/iss1/2.
Kecsmar, K. (2003). Contractual Solutions to the Transfer of Personal Data from Europe to Third Countries Without Providing an Adequate Level of Protection: Inventory. International Business Law Journal, 3, 269-284.
Kugler, L. (2018). The war over the value of personal data. Communications of the Association of Computing Machinery, 61(2), 17-19. https://doi.org/10.1145/3171580
Lim, L. (1999). Approaches to Liability for Breaches in Data Security. Macarthur Law Review, 3, 81-97. http://www.austlii.edu.au/au/journals/MacarthurLawRw/1999/8.html
Lindqvist, J. (2017). New challenges to personal data processing agreements: Is the GDPR fit to deal with contract, accountability and liability in a world of the Internet of things?. International Journal of Law and Information Technology, 26(1), 45-63. https://doi.org/10.1093/ijlit/eax024
Lynskey, O. (2017). The 'Europeanisation' of Data Protection Law. Cambridge Yearbook of European Legal Studies, 19, 252-286. https://doi.org/10.1017/cel.2016.15
Massey, R. (2010). Outsourcing – New Standard Contractual Clauses for the Transfer of Personal Data Outside the EU. Computer and Telecommunications Law Journal, 16(4), 88-89.
Meglio, M. (2020). Embracing Insecurity: Harm Reduction Through a No-Fault Approach to Consumer Data Breach Litigation. Boston College Law Review, 61(3), 1223-1269. Available at https://lawdigitalcommons.bc.edu/bclr/vol61/iss3/9
Mitrakas, A. (2011). Assessing liability arising from information security breaches in data privacy. International Data Privacy Law, 1(2), 129-136. https://doi.org/10.1093/idpl/ipr001
Morey, T., Forbath, T., & Schoop, A. (2015, May). Customer data: Designing for transparency and trust. Harvard Business Review. Available at https://hbr.org/2015/05/customer-data-designing-for-transparency-and-trust
Naldi, M., Flamini, M., & D’Acquisto, G. (2013). Liability for data breaches: A proposal for a revenue-based sanctioning approach. Network and System Security, 264-277. https://doi.org/10.1007/978-3-642-38631-2_20
Nieuwesteeg, B., & Faure, M. (2018). An analysis of the effectiveness of the EU data breach notification obligation. Computer Law and Security Review, 34(6), 1232-1246. https://doi.org/10.1016/j.clsr.2018.05.026
Office of the Australian Information Commissioner. (2019, July 13). Part 4: Notifiable Data Breach (NBD) Scheme. OAIC. Available at https://www.oaic.gov.au/privacy/guidance-and-advice/data-breach-preparation-and-response/part-4-notifiable-data-breach-ndb-scheme/
Office of the Australian Information Commissioner. (2019, September 23). Digital Platforms Inquiry final report — submission to the Australian Government. OAIC. Available at https://www.oaic.gov.au/engage-with-us/submissions/digital-platforms-inquiry-final-report-submission-to-the-australian-government/
O'Dell, E. (2017). Compensation for breach of the General Data Protection Regulation. Dublin University Law Journal, 40(1), 97-164. https://doi.org/10.2139/ssrn.2992351
Palmer, D. (2021, March 22). Microsoft Exchange Server attacks: 'They're being hacked faster than we can count', says security company. ZDNet. https://www.zdnet.com/article/microsoft-exchange-server-attacks-theyre-being-hacked-faster-than-we-can-count-says-security-company/
Prins, C. (2006). When personal data, behavior and virtual identities become a commodity: Would a property rights approach matter?. SCRIPT-ed, 3(4), 270-303. https://doi.org/10.2966/scrip.030406.270
Privacy Amendment (Notifiable Data Breaches) Act 2017 (Cth).
Purtova, N. (2010). Private law solutions in European data protection: Relationship to privacy, and waiver of data protection rights. Netherlands Quarterly of Human Rights, 28(2), 179-198. https://doi.org/10.1177/016934411002800203
Quinn, B., & Arthur, C. (2011, April 27). PlayStation network hackers access data of 77 million users. The Guardian. https://www.theguardian.com/technology/2011/apr/26/playstation-network-hackers-data
Raz, J. (2010). Responsibility and the negligence standard. Oxford Journal of Legal Studies, 30(1), 1-18. https://doi.org/10.1093/ojls/gqq002
Regulation (EU) 2016/679 of 27 April 2016 on the Protection of Natural Persons with Regard to the Processing of Personal Data and on the Free Movement of Such Data (General Data Protection Regulation) [2016] OJ L 119/1.
Reichel, J., & Chamberlain, J. (2019). The relationship between damages and administrative fines in the EU General Data Protection Regulation. SSRN Electronic Journal. https://doi.org/10.2139/ssrn.3447854
Ritter, J., & Mayer, A. (2018). Regulating data as property: A new construct for moving forward. Duke Law and Technology Review, 16(1), 220-277. Available at https://scholarship.law.duke.edu/dltr/vol16/iss1/7
Samuelson, P. (2000). Privacy as intellectual property?. Stanford Law Review, 52(5), 1125-1173. https://doi.org/10.2307/1229511
Selvadurai, N., Kisswani, N., & Khalaileh, Y. (2017). Strengthening data privacy: The obligation of organisations to notify affected individuals of data breaches. International Review of Law, Computers & Technology, 33(3), 271-284. https://doi.org/10.1080/13600869.2017.1379368
Sidgman, J., & Crompton, M. (2016). Valuing personal data to foster privacy: A thought experiment and opportunities for research. Journal of Information Systems, 30(2), 169-181. https://doi.org/10.2308/isys-51429
Smith, G., & Bloch, V. (2018, October 17). Where are all the data breach class actions in Australia? Allens Linklaters. Available at https://www.allens.com.au/insights-news/insights/2018/10/pulse-where-are-all-the-data-breach-class-actions-in/
Smethurst v Commissioner of Police [2020] HCA 14.
Smyth, S. (2013). Does Australia really need mandatory data breach notification laws – And if so, what kind. Journal of Law Information and Science, 22(2), 159-182. Available at http://www.austlii.edu.au/au/journals/JlLawInfoSci/2013/8.html
Solove, D., & Hoofnagle, C. (2006). A Model Regime of Privacy Protection. University of Illinois Law Review, 2, 357-404. Available at https://scholarship.law.gwu.edu/cgi/viewcontent.cgi?article=2080&context=faculty_publications
Spiekermann, S., & Korunovska, J. (2017). Towards a value theory for personal data. Journal of Information Technology, 32(1), 62-84. https://doi.org/10.1057/jit.2016.4
Steppe, R. (2017). Online price discrimination and personal data: A General Data Protection Regulation perspective. Computer Law & Security Review, 33(6), 768-785. https://doi.org/10.1016/j.clsr.2017.05.008
Stewart, A. (2001). Damages for mental distress following breaches of confidence: Preventing or compensating tears. European Intellectual Property Review, 23(6), 302-304.
Stewart, M. (2005). Calculating economic damages in intellectual property disputes: The role of market definition. The Computer and Internet Lawyer, 22(8), 21-28.
Swinhoe, D. (2020, April 17). The 15 biggest data breaches of the 21st century. CSO Online. Available at https://www.csoonline.com/article/2130877/the-biggest-data-breaches-of-the-21st-century.html
Szyd?o, M. (2017). The independence of data protection authorities in EU law: Between the safeguarding of fundamental rights and ensuring the integrity of the internal market. European Law Review, 42(3), 369-387.
Tâbušca, A., Tâbušca, S. M., Garais, G. E., & Enâceanu, A. E. (2018). Mobile apps and GDPR issues. Journal of Information Systems and Operations Management, 12(1), 77-88.
The Privacy Act 1988 (Cth).
Timmel, S. (2012). Privacy liability and new world risks. Franchising World, 44(12), 47-50.
Treaty on the Functioning of the European Union, opened for signature 7 February 1992, [2012] OJ C 326/47 (entered into force 1 November 1993).
Winder, D. (2019, August 20). Data breaches expose 4.1 billion records in first six months of 2019. Forbes. Available at https://www.forbes.com/sites/daveywinder/2019/08/20/data-breaches-expose-41-billion-records-in-first-six-months-of-2019/?sh=42806975bd54
Witzleb, N. (2009). Justifying gain-based remedies for invasions of privacy. Oxford Journal of Legal Studies, 29(2), 325-363. https://doi.org/10.1093/ojls/gqp005
Abel, L. (2012). Turner v Rogers and the Right of Meaningful Access to the Courts. Denver University Law Review, 89(4), 805-823.
Aguirre, E., Mahr, D., Grewal, D., De Ruyter, K., & Wetzels, M. (2015). Unraveling the Personalization Paradox: The Effect of Information Collection and Trust-Building Strategies on Online Advertisement Effectiveness. Journal of Retailing, 91(1), 34-49. http://dx.doi.org/10.1016/j.jretai.2014.09.005
Alazab, M., Hong, S., & Ng, J. (2021). Louder bark with no bite: Privacy protection through the regulation of mandatory data breach notification in Australia. Future Generation Computer Systems, 116, 22-29. https://doi.org/10.1016/j.future.2020.10.017
Australian Broadcasting Corporation v Lenah Game Meats (2001) 208 CLR 199.
Australian Competition and Consumer Commission. (2019). Digital platforms inquiry - final report. Canberra: Commonwealth of Australia. Available at https://www.accc.gov.au/system/files/Digital%20platforms%20inquiry%20-%20final%20report.pdf
Australian Government. (2019). Regulating in the digital age: Government Response and Implementation Roadmap for the Digital Platforms Inquiry. Available at https://treasury.gov.au/sites/default/files/2019-12/Government-Response-p2019-41708.pdf
Australian Law Reform Commission. (2008). For your information: Australian privacy law and practice (108). Available at https://www.alrc.gov.au/publication/for-your-information-australian-privacy-law-and-practice-alrc-report-108/
Australian Law Reform Commission. (2014). Serious invasions of privacy in the digital era (123). Available at https://www.alrc.gov.au/wp-content/uploads/2019/08/final_report_123_whole_report.pdf
Bergelson, V. (2003). It’s Personal But Is It Mine? Toward Property Rights in Personal Information. University of California Davis Law Review, 37(2), 379-452.
Brooks, R. (1998). Deterring the Spread of Viruses Online: Can Tort Law Tighten the Net. Review of Litigation, 17(2), 343-392.
Bungard, M. (2020, September 7). Service NSW cyber attack: Data of 186,000 customers leaked. The Sydney Morning Herald. Available at https://www.smh.com.au/national/nsw/data-of-186-000-customers-leaked-in-service-nsw-cyber-attack-20200907-p55t7g.html
Campbell, J., Goldfarb, A., & Tucker, C. (2015). Privacy Regulation and Market Structure. Journal Of Economics & Management Strategy, 24(1), 47-73. https://doi.org/10.1111/jems.12079
Carbonara, E., Guerra, A., & Parisi, F. (2016). Sharing Residual Liability: The Cheapest Cost Avoider Revisited. The Journal Of Legal Studies, 45(1), 173-201. https://doi.org/10.1086/685498
Christiani, T. A. (2016). Normative and empirical research methods: Their usefulness and relevance in the study of law as an object. Procedia - Social and Behavioural Sciences, 219, 201-207. https://doi.org/10.1016/j.sbspro.2016.05.006
Coyne, A. (2015, July 17). Starved of funding, resources, OAIC is left to shrivel. IT News. Available at https://www.itnews.com.au/blogentry/starved-of-funding-resources-oaic-is-left-to-shrivel-405273
Daly, A. (2018). The introduction of data breach notification legislation in Australia: A comparative view. Computer Law & Security Review, 34(3), 477-495. https://doi.org/10.1016/j.clsr.2018.01.005
Dari-Mattiacci, G., & Garoupa, N. (2007). Least-Cost Avoidance: The Tragedy of Common Safety. Journal Of Law, Economics, And Organization, 25(1), 235-261. https://doi.org/10.1093/jleo/ewm052
Darmstadt Regional Court, 13 O 244/19, 26 May 2020
Dolbow, L. (2017). Introduction: The Power of New Data and Technology. Vanderbilt Law Review, 70(6), 1935-1938.
Düsseldorf Labor Court, 9 Ca 6557/18, 5 March 2020.
Frankfurt District Court, 385 C 155/19, 10 July 2020.
Geistfeld, M. (2017). Protecting Confidential Information Entrusted to Others in Business Transactions: Data Breaches, Identity Theft, and Tort Liability. Depaul Law Review, 66(2), 385-412. https://via.library.depaul.edu/law-review/vol66/iss2/4
Glickman, P., Glady, N. (2015, October 14). What’s the value of your data? TechCrunch. Available at https://techcrunch.com/2015/10/13/whats-the-value-of-your-data/
Goggin, G., Vromen, A., Weatherall, K., Martin, F., & Sunman, L. (2019). Data and digital rights: recent Australian developments. Internet Policy Review, 8(1). https://doi.org/10.14763/2019.1.1390
Jamison, S. (2019). Creating a National Data Privacy Law for the United States. Cybaris, An Intellectual Property Law Review, 10(2), 1-40. https://open.mitchellhamline.edu/cybaris/vol10/iss1/2.
Kecsmar, K. (2003). Contractual Solutions to the Transfer of Personal Data from Europe to Third Countries Without Providing an Adequate Level of Protection: Inventory. International Business Law Journal, 3, 269-284.
Kugler, L. (2018). The war over the value of personal data. Communications of the Association of Computing Machinery, 61(2), 17-19. https://doi.org/10.1145/3171580
Lim, L. (1999). Approaches to Liability for Breaches in Data Security. Macarthur Law Review, 3, 81-97. http://www.austlii.edu.au/au/journals/MacarthurLawRw/1999/8.html
Lindqvist, J. (2017). New challenges to personal data processing agreements: Is the GDPR fit to deal with contract, accountability and liability in a world of the Internet of things?. International Journal of Law and Information Technology, 26(1), 45-63. https://doi.org/10.1093/ijlit/eax024
Lynskey, O. (2017). The 'Europeanisation' of Data Protection Law. Cambridge Yearbook of European Legal Studies, 19, 252-286. https://doi.org/10.1017/cel.2016.15
Massey, R. (2010). Outsourcing – New Standard Contractual Clauses for the Transfer of Personal Data Outside the EU. Computer and Telecommunications Law Journal, 16(4), 88-89.
Meglio, M. (2020). Embracing Insecurity: Harm Reduction Through a No-Fault Approach to Consumer Data Breach Litigation. Boston College Law Review, 61(3), 1223-1269. Available at https://lawdigitalcommons.bc.edu/bclr/vol61/iss3/9
Mitrakas, A. (2011). Assessing liability arising from information security breaches in data privacy. International Data Privacy Law, 1(2), 129-136. https://doi.org/10.1093/idpl/ipr001
Morey, T., Forbath, T., & Schoop, A. (2015, May). Customer data: Designing for transparency and trust. Harvard Business Review. Available at https://hbr.org/2015/05/customer-data-designing-for-transparency-and-trust
Naldi, M., Flamini, M., & D’Acquisto, G. (2013). Liability for data breaches: A proposal for a revenue-based sanctioning approach. Network and System Security, 264-277. https://doi.org/10.1007/978-3-642-38631-2_20
Nieuwesteeg, B., & Faure, M. (2018). An analysis of the effectiveness of the EU data breach notification obligation. Computer Law and Security Review, 34(6), 1232-1246. https://doi.org/10.1016/j.clsr.2018.05.026
Office of the Australian Information Commissioner. (2019, July 13). Part 4: Notifiable Data Breach (NBD) Scheme. OAIC. Available at https://www.oaic.gov.au/privacy/guidance-and-advice/data-breach-preparation-and-response/part-4-notifiable-data-breach-ndb-scheme/
Office of the Australian Information Commissioner. (2019, September 23). Digital Platforms Inquiry final report — submission to the Australian Government. OAIC. Available at https://www.oaic.gov.au/engage-with-us/submissions/digital-platforms-inquiry-final-report-submission-to-the-australian-government/
O'Dell, E. (2017). Compensation for breach of the General Data Protection Regulation. Dublin University Law Journal, 40(1), 97-164. https://doi.org/10.2139/ssrn.2992351
Palmer, D. (2021, March 22). Microsoft Exchange Server attacks: 'They're being hacked faster than we can count', says security company. ZDNet. https://www.zdnet.com/article/microsoft-exchange-server-attacks-theyre-being-hacked-faster-than-we-can-count-says-security-company/
Prins, C. (2006). When personal data, behavior and virtual identities become a commodity: Would a property rights approach matter?. SCRIPT-ed, 3(4), 270-303. https://doi.org/10.2966/scrip.030406.270
Privacy Amendment (Notifiable Data Breaches) Act 2017 (Cth).
Purtova, N. (2010). Private law solutions in European data protection: Relationship to privacy, and waiver of data protection rights. Netherlands Quarterly of Human Rights, 28(2), 179-198. https://doi.org/10.1177/016934411002800203
Quinn, B., & Arthur, C. (2011, April 27). PlayStation network hackers access data of 77 million users. The Guardian. https://www.theguardian.com/technology/2011/apr/26/playstation-network-hackers-data
Raz, J. (2010). Responsibility and the negligence standard. Oxford Journal of Legal Studies, 30(1), 1-18. https://doi.org/10.1093/ojls/gqq002
Regulation (EU) 2016/679 of 27 April 2016 on the Protection of Natural Persons with Regard to the Processing of Personal Data and on the Free Movement of Such Data (General Data Protection Regulation) [2016] OJ L 119/1.
Reichel, J., & Chamberlain, J. (2019). The relationship between damages and administrative fines in the EU General Data Protection Regulation. SSRN Electronic Journal. https://doi.org/10.2139/ssrn.3447854
Ritter, J., & Mayer, A. (2018). Regulating data as property: A new construct for moving forward. Duke Law and Technology Review, 16(1), 220-277. Available at https://scholarship.law.duke.edu/dltr/vol16/iss1/7
Samuelson, P. (2000). Privacy as intellectual property?. Stanford Law Review, 52(5), 1125-1173. https://doi.org/10.2307/1229511
Selvadurai, N., Kisswani, N., & Khalaileh, Y. (2017). Strengthening data privacy: The obligation of organisations to notify affected individuals of data breaches. International Review of Law, Computers & Technology, 33(3), 271-284. https://doi.org/10.1080/13600869.2017.1379368
Sidgman, J., & Crompton, M. (2016). Valuing personal data to foster privacy: A thought experiment and opportunities for research. Journal of Information Systems, 30(2), 169-181. https://doi.org/10.2308/isys-51429
Smith, G., & Bloch, V. (2018, October 17). Where are all the data breach class actions in Australia? Allens Linklaters. Available at https://www.allens.com.au/insights-news/insights/2018/10/pulse-where-are-all-the-data-breach-class-actions-in/
Smethurst v Commissioner of Police [2020] HCA 14.
Smyth, S. (2013). Does Australia really need mandatory data breach notification laws – And if so, what kind. Journal of Law Information and Science, 22(2), 159-182. Available at http://www.austlii.edu.au/au/journals/JlLawInfoSci/2013/8.html
Solove, D., & Hoofnagle, C. (2006). A Model Regime of Privacy Protection. University of Illinois Law Review, 2, 357-404. Available at https://scholarship.law.gwu.edu/cgi/viewcontent.cgi?article=2080&context=faculty_publications
Spiekermann, S., & Korunovska, J. (2017). Towards a value theory for personal data. Journal of Information Technology, 32(1), 62-84. https://doi.org/10.1057/jit.2016.4
Steppe, R. (2017). Online price discrimination and personal data: A General Data Protection Regulation perspective. Computer Law & Security Review, 33(6), 768-785. https://doi.org/10.1016/j.clsr.2017.05.008
Stewart, A. (2001). Damages for mental distress following breaches of confidence: Preventing or compensating tears. European Intellectual Property Review, 23(6), 302-304.
Stewart, M. (2005). Calculating economic damages in intellectual property disputes: The role of market definition. The Computer and Internet Lawyer, 22(8), 21-28.
Swinhoe, D. (2020, April 17). The 15 biggest data breaches of the 21st century. CSO Online. Available at https://www.csoonline.com/article/2130877/the-biggest-data-breaches-of-the-21st-century.html
Szyd?o, M. (2017). The independence of data protection authorities in EU law: Between the safeguarding of fundamental rights and ensuring the integrity of the internal market. European Law Review, 42(3), 369-387.
Tâbušca, A., Tâbušca, S. M., Garais, G. E., & Enâceanu, A. E. (2018). Mobile apps and GDPR issues. Journal of Information Systems and Operations Management, 12(1), 77-88.
The Privacy Act 1988 (Cth).
Timmel, S. (2012). Privacy liability and new world risks. Franchising World, 44(12), 47-50.
Treaty on the Functioning of the European Union, opened for signature 7 February 1992, [2012] OJ C 326/47 (entered into force 1 November 1993).
Winder, D. (2019, August 20). Data breaches expose 4.1 billion records in first six months of 2019. Forbes. Available at https://www.forbes.com/sites/daveywinder/2019/08/20/data-breaches-expose-41-billion-records-in-first-six-months-of-2019/?sh=42806975bd54
Witzleb, N. (2009). Justifying gain-based remedies for invasions of privacy. Oxford Journal of Legal Studies, 29(2), 325-363. https://doi.org/10.1093/ojls/gqp005