AUSTRALIA Law and Practice Contributed by: Dennis Miralis and Jack Dennis, Nyman Gibson Miralis
6.2 Cybersecurity and AI

At the time of writing, there is no AI-specific regulation; however, there is a patchwork of laws regulating critical infrastructure, privacy, consumer protection, data security and more that all touch on aspects of AI development and use. Further, Australia has voluntary instruments, including:

• ethical frameworks, including Australia’s AI Ethics Principles, which were supplemented on 15 June 2023 by NAIC’s Implementing Australia’s AI Ethics principles: A selection of responsible AI practices and resources; and
• a voluntary AI Safety Standard released on 5 September 2024, comprising practical guidance in the form of ten “AI guardrails”.

Similarly, the ASD, in conjunction with foreign authorities such as the U.S. National Security Agency’s Artificial Intelligence Security Center, has published guidance on deploying, engaging with and developing AI systems. Further, the ASD has endorsed the Cybersecurity Performance Goals (CPGs) developed by the Cybersecurity and Infrastructure Security Agency (CISA) and the National Institute of Standards and Technology (NIST).

6.3 Cybersecurity in the Healthcare Sector

Reporting Obligations

Certain data breaches relating to My Health Record information or the system itself are to be reported under Section 75 of the My Health Records Act (rather than through the NDB scheme under the Privacy Act).
My Health Records Act (see 6.3 Cybersecurity in the Healthcare Sector).

The ACSC provides an overarching definition for cybersecurity events in its Guidelines for Cyber Security Incidents. In these Guidelines, a cybersecurity event is “an occurrence of a system, service or network state indicating a possible breach of security policy, failure of safeguards or a previously unknown situation that may be relevant to security”. While there is no general legislative definition of a cybersecurity event, the SOCI Act, at Section 12M, provides a limited, more complex definition.

Statutory Tort

It is also important to note that the 2024 Privacy Amendment introduced a statutory tort for serious invasions of privacy, giving individuals a route to seek redress for privacy harms in the courts.

State and Territory Reporting Obligations

There are also schemes at the state/territory level. For example, both NSW and Queensland had introduced mandatory notification of data breach schemes via, respectively, the Privacy and Personal Information Protection Amendment Act 2022 (NSW) (entered into force 28 November 2023) and the Information Privacy and Other Legislation Amendment Act 2023 (Qld) (commencement date to be set by proclamation). These largely mirror the federal scheme.

Other Reporting Obligations

There is other relevant legislation for data protection and reporting obligations, including in relation to certain health records (see 6.3 Cybersecurity in the Healthcare Sector), the financial sector (3. Financial Sector Operational Resilience) and critical infrastructure assets (2. Critical Infrastructure Cybersecurity).
CHAMBERS.COM