Cybersecurity 2025

AUSTRALIA Law and Practice Contributed by: Dennis Miralis and Jack Dennis, Nyman Gibson Miralis

These offences have extraterritorial application, meaning that conduct undertaken outside Australia can still be charged and prosecuted under Australian law if:
• the crime involves conduct both inside and outside Australia;
• the crime results in harm within Australia;
• the offender is an Australian citizen, or a corporation incorporated in Australia; or
• the crime is related to another crime that occurred in Australia.

Other legislation
In addition to the above, the following existing and potential legislation is relevant to data transfers, including those that are cross-border.
• In December 2024, the Digital ID Act and the Digital ID (Transitional and Consequential Provisions) Act 2024 (Cth) commenced; these, inter alia, restrict an accredited entity’s collection, use and disclosure of biometrics and other personal information. The Digital ID Rules are also to address the storing and transfer of information outside Australia and are expected to take the form of blanket prohibitions, with an exemption application process.
• The Australian Treasury’s action has stalled since 2023, when it announced that a formal ban on “screen scraping” or “digital data capture” (ie, collection of displayed data for various uses) in the banking sector was being considered. There are continuing concerns about the protection of screen-scraped data, and about how existing legislation applies to its handling or transfer.

3.6 Threat-Led Penetration Testing
Threat-led penetration testing (TLPT) is the testing of systems by replicating the methods used by actual threat actors. Generally speaking, TLPT is not a requirement in Australia. Currently, only those critical infrastructure assets designated as a SoNS may be required to undertake:
• a “cyber security exercise”, the purpose of which is to test the entity’s ability to respond, its preparedness to respond appropriately and its ability to mitigate the relevant impacts, and thereafter to prepare an internal report, which can in turn be audited; and
• a vulnerability assessment, the purpose of which is to test system vulnerabilities to the relevant cybersecurity incident, and thereafter to prepare a vulnerability assessment report.

TLPT is also a component of regulatory guidance (eg, ASD’s best practices for deploying secure and resilient AI systems). On the flipside, unsolicited/unauthorised penetration testing activity could be captured by Section 478.1 of the Criminal Code, which provides for the offence of “[un]authorised access to, or modification of, restricted data”.

4. Cyber-Resilience
4.1 Cyber-Resilience Legislation
There is no specific legislation for cyber-resilience in Australia. However, cyber-resilience requirements have legislative status across various contexts, including:
• the risk management programmes required by the legislation already discussed under the
