LSB April 2022 LR

THE
BULLETIN
THE LAW SOCIETY OF SA JOURNAL
VOLUME 44 – ISSUE 3 – APRIL 2022
CYBER SECURITY

The Legal Practice
Productivity Solution
Law firms using LEAP enjoy all the benefits of a state-of-the-art practice
management system, as well as legal accounting, document assembly &
management, and legal publishing assets all in one integrated solution.
Document Assembly
& Management
Legal
Accounting
Practice
Management
Legal
Publishing
leap.com.au

This issue of The Law Society of South Australia: Bulletin is
cited as (2020) 44 (3) LSB(SA). ISSN 1038-6777
CONTENTS
CYBERSECURITY FEATURES & NEWS REGULAR COLUMNS
6 It’s time to get our heads out of the
sand and into the cloud
By Alexandra Douvartzidis & Alexandra
Harris
12 Facial recognition technology &
the law: Are existing privacy &
surveillance laws fit for purpose?
By Caitlin Surman
19 Legal implications of ransomware
attacks for legal practitioners and their
clients – By Brooke Hall-Carney, Amy
Coper-Boast & Elizabeth Carroll-Shaw
22 An Analysis of the Law Society’s
Cloud Computing Guidelines
By Mark Ferraretto
30 Governing Cybersecurity: critical
infrastructure, spies & consumers
By Robert Chalmers
18 Djokovic rallied to secure release
before the ministerial discretions
proved a winner
By Chris Johnston & Rosa Torrefranca
32 Tour de France 2021: Avoiding the
Domino Effect in the Peloton
By Annemarie Goodwin
4 President’s Message
5 From the Editor
34 Tax Files: Trust Distribution Alerts
By John Tucker
37 Wellbeing & Resilience:
Doomscrolling: What is it and how
can we stop it? – By Amy Nikolovski
38 Family Law Case Notes
By Craig Nichol & Keleigh Robinson
40 Risk Watch: Control Your Trolls:
Protecting Your Practice on Social
Media – By Kate Marcus
41 Bookshelf
Compiled by Lorna Hartwell
42 Gazing in the Gazette
Compiled by Master Elizabeth Olsson
Executive Members
President:
J Stewart-Rattray
President-Elect: J Marsh
Vice President: A Lazarevich
Vice President: M Tilmouth
Treasurer:
F Bell
Immediate Past
President:
R Sandford
Council Member: M Mackie
Council Member: E Shaw
Metropolitan Council Members
T Dibden
M Tilmouth
A Lazarevich M Mackie
E Shaw
J Marsh
C Charles
R Piccolo
M Jones
D Colovic
E Fah
N Harb
L MacNichol L Polson
M Young
Country Members
S Minney
(Northern and Western Region)
P Ryan
(Central Region)
J Kyrimis
(Southern Region)
Junior Members
A Douvartzidis
A Kenny
Ex Officio Members
The Hon K Maher, Prof V Waye,
Prof T Leiman
Assoc Prof C Symes
KEY LAW SOCIETY CONTACTS
Chief Executive
Stephen Hodder
stephen.hodder@lawsocietysa.asn.au
Executive Officer
Rosemary Pridmore
rosemary.pridmore@lawsocietysa.asn.au
Chief Operations Officer
Dale Weetman
dale.weetman@lawsocietysa.asn.au
Member Services Manager
Michelle King
michelle.king@lawsocietysa.asn.au
Director (Ethics and Practice)
Rosalind Burke
rosalind.burke@lawsocietysa.asn.au
Director (Law Claims)
Kiley Rogers
krogers@lawguard.com.au
Manager (LAF)
Annie MacRae
annie.macrae@lawsocietysa.asn.au
Programme Manager (CPD)
Natalie Mackay
Natalie.Mackay@lawsocietysa.asn.au
Programme Manager (GDLP)
Desiree Holland
Desiree.Holland@lawsocietysa.asn.au
THE BULLETIN
Editor
Michael Esposito
bulletin@lawsocietysa.asn.au
Editorial Committee
A Bradshaw P Wilkinson
S Errington D Sheldon
J Arena D Weekley
B Armstrong D Misell
M Ford
The Law Society Bulletin is published
monthly (except January) by:
The Law Society of South Australia,
Level 10-11, 178 North Tce, Adelaide
Ph: (08) 8229 0200
Fax: (08) 8231 1929
Email: bulletin@lawsocietysa.asn.au
All contributions letters and enquiries
should be directed to
The Editor, The Law Society Bulletin,
GPO Box 2066,
Adelaide 5001.
Views expressed in the Bulletin
advertising material included are
not necessarily endorsed by The
Law Society of South Australia.
No responsibility is accepted by the
Society, Editor, Publisher or Printer
for accuracy of information or errors
or omissions.
PUBLISHER/ADVERTISER
Boylen
GPO Box 1128 Adelaide 5001
Ph: (08) 8233 9433
Email: admin@boylen.com.au
Studio Manager: Madelaine Raschella
Elliott
Layout: Henry Rivera
Advertising
Email: sales@boylen.com.au

FROM THE EDITOR
IN THIS ISSUE
User awareness vital
in the fight against
cyber crime
MICHAEL ESPOSITO, EDITOR
When a video emerged online of
Ukrainian President Voldymyr
Zelenskiy seemingly telling his soldiers
to lay down their weapons and return
home, it signalled a new frontier of
the information war, or to put it more
accurately, the disinformation war.
For the video was in fact a “deep
fake”. A deep fake is a video that replaces
a person’s face with a computer-generated
likeness of that face, for the purpose of
making it look like the person said or did
something that they didn’t actually do.
Fortunately, the quality of the Zelenskyy
deep fake was not convincing enough, and
was swiftly debunked, but with the pace
of technology, we may only be a few years
away from not being able to tell a real video
from a deep fake, the consequences of
which cannot be fully fathomed.
Anyone who has had any experience
of social media, especially during
the past two years, would have some
awareness of the toxic effect the spread
of disinformation can have on public
discourse, personal relationships, and
democracy.
Disinformation is also a cybersecurity
issue. Users are targeted via phishing scams
– correspondence which looks authentic
but designed to give hackers access to
personal and valuable information.
Like deep fakes, these scams are
becoming more sophisticated and realistic.
No doubt many of us have received
emails from so-called clients, or text
messages about delivery packages (no
doubt preying on the covid-inspired
online shopping boom) asking us
to follow a link or provide personal
information.
It is more important than ever for
businesses to ensure they have robust
cybersecurity systems in place. Reviewing
and upgrading cybersecurity infrastructure
is worth the investment, as the costs of a
cyber attack could be catastrophic.
As important as cybersecurity
technology is user awareness training, as
cyber attacks, such as phishing, rely on
human weakness to succeed.
It is why I consider this cybersecurity
edition of The Bulletin to be such an
important one. It contains a number of
articles with great practical advice about
how to protect valuable data and minimise
the risk of debilitating cyber attacks.
As cyber attacks continue to become
more prevalent and damaging, it is just not
viable to think “it won’t happen to me”.
It most likely will, and the extent of the
impact on you and your firm will largely
depend on how seriously you took your
cybersecurity. B
FACIAL RECOGNITION TECHNOLOGY
Do our privacy laws measure up?
RANSWOMWARE ATTACKS
Legal implications for lawyers
DJOKOVIC V AUSTRALIA
Ministerial powers to cancel visas
12
19
24
4
THE BULLETIN April 2022

PRESIDENT’S MESSAGE
New conduct rules apply
to all SA practitioners
JUSTIN STEWART-RATTRAY
The Society implemented new
legal profession rules for SA legal
practitioners on 1 January 2022. The
new South Australian Legal Practitioners
Conduct Rules (SALPCR), which
replace the SA version of the Australian
Solicitors Conduct Rules, provide a
comprehensive set of legal profession
rules which bind all SA legal practitioners
including those who choose to practise
exclusively as barristers.
The SALPCR are the product of a
review carried out by the Society as to
the content and application of the legal
profession rules in SA. Consideration of
content included participation in the Law
Council of Australia’s (LCA) review and
redrafting of the Australian Solicitors
Conduct Rules. For that review, the
Society contributed to some important
changes to the rules especially those
relating to conflict of interest and sexual
harassment and discrimination.
In reviewing the application of the
old rules one of the main issues was to
ensure that the rules are expressed in such
a way to make it clear that they apply to,
and have disciplinary ramifications for, all
SA legal practitioners regardless of the
context in which they practise.
The changes to the structure and
terminology used in the SALPCR ensure
that they harmonise with the disciplinary
provisions of the Legal Practitioners Act,
especially with section 70 which provides
that conduct consisting of a contravention
of the legal profession rules is capable of
constituting unsatisfactory professional
conduct or professional misconduct. As
section 70 does not exclude any class of
practitioner from its ambit, and we have a
fused profession in South Australia, it was
decided necessary to amend the structure
and terminology of the legal profession
rules adopted by the Society (noting that
the definition of “legal profession rules” is
“the Society’s professional conduct rules”)
to properly reflect those elements.
The Society consulted closely with
the SA Bar Association and the Legal
Profession Conduct Commissioner in the
development of the new rules.
The SALPCR now consists of two
sections, Part A and Part B.
Part A consists of a new South
Australian version of the Australian
Solicitors Conduct Rules (ASCR) which
replaces the word “solicitor” with “legal
practitioner” and incorporates amendments
which were the outcome of the LCA’s
review such as the new rule 11A (which
provides for specific conflict of interest
requirements for practitioners providing
short term legal assistance) and the
revised rule 42 (which deals with sexual
harassment and discrimination). The rules
in Part A apply to all SA legal practitioners
other than those to whom Part B applies.
Although they do contain some SAexclusive
content (see rule 16A), Part A
uses the same numbering as the LCA’s
Australian Solicitors Conduct Rules for
consistency and ease of cross-referencing.
Part B applies to South Australian
legal practitioners who hold a Category
BA practising certificate or who have
otherwise elected to practise exclusively as
a barrister by qualifying for the barrister
contribution under the South Australian
Professional Indemnity Insurance Scheme.
It comprises an amended version of
the South Australian Bar Association
Rules which are constructed to provide
a rule regime that specifically applies
to practitioners who choose to wholly
practise as barristers.
Detailed information about new Rule
11A and the amendments to Rule 42 will
be published in the May edition of The
Bulletin. B
April 2022 THE BULLETIN 5

CYBER ATTACKS
IT’S TIME TO GET OUR HEADS OUT
OF THE SAND AND INTO THE CLOUD
ALEXANDRA DOUVARTZIDIS, ASSOCIATE AT HWL EBSWORTH LAWYERS AND MEMBER LEGAL TECHNOLOGY COMMITTEE, AND
ALEXANDRA HARRIS, SENIOR ASSOCIATE AT TINDALL GASK BENTLEY LAWYERS AND MEMBER, LEGAL TECHNOLOGY COMMITTEE
Data breaches and cyber-attacks
are occurring on a more frequent
basis in Australia. Recently, the South
Australian Government was the victim of
a ransomware cyber-attack in November,
2021. The government first disclosed the
extent of the data breach in November,
when it said at least 38,000 employees had
their records stolen and, in some cases,
published on the dark web. It was later
revealed that the breach impacted almost
80,000 employees. 1
The South Australian Government
is not the only victim of large cyberattacks.
From other State Governments
attacks amassing hundreds of thousands,
to CANVA’s breach in 2019 impacting
approximately 139 million of its users, 2
cyber-attacks are almost a part of
everyday life. Even though the Australian
Government is revising its cybersecurity
frameworks and policies, businesses,
including law firms, cannot exclusively
rely on the government for protections
against cyber-attacks. 3
It has become increasingly essential
for lawyers and law firms to understand,
embrace and implement emerging legal
technologies in their individual practice
and overarching firm policies, not only
to improve efficiencies and work flow
generally, but also to protect clients’
and their own sensitive information.
6
THE BULLETIN April 2022
It is somewhat obvious that law firms
will competitively benefit from keeping up
to date with technology and integrating it
into their everyday practice. Every day we
are seeing an increasing number of firms
and courts around Australia move away
from traditional paper storage to cloudbased
storage and document management
systems.
What isn’t as obvious is the concept
that being a ‘tech savvy’ lawyer, or at the
very least keeping up to date with the latest
technological advancements potentially
falls under the overarching ethical
obligations that lawyers must abide by.
This article considers a common type
of cyber-attack in detail, the risks and
consequences for practitioners, and how
practitioners can avoid cyber-attacks.
We also consider what steps practitioners
should take if an attack occurs, and what
are the general benefits of increasing
your overall knowledge of technology in
everyday practice.
WHAT IS A “CYBER-ATTACK” AND WHAT
ARE THE COMMON TYPES?
A cyber-attack is when cybercriminals
through the use of a computer launches
an attack to disable systems, steal and/
or destroy data and information, or use
a breached computer system to launch
additional attacks. Cybercriminals use
different methods to launch a cyberattack
that includes malware, phishing,
ransomware, or other methods. 4 Criminally
motivated persons generally launch
cyber-attacks in order to seek financial
gain through the theft of actual monies
and/or data information that they can
hold ‘ransom’ and seek payment for the
return or destruction of the information
held. Occasionally, an attack is launched
for the purposes of merely disrupting a
company’s system, 5 or for a multitude of
other reasons.
From ransomware to malware, the
types of cyber-attacks individuals and
companies face today are endless. For the
purposes of this article, we focus on the
key cyber-attack method of ‘phishing’
commonly faced by practitioners.
Phishing is where cybercriminals send
fraudulent messages in an attempt to steal
confidential information, such as banking
logins, credit card details, business login
credentials or passwords/passphrases. 6
Phishing, unlike hacking, relies on a person
voluntarily providing information. 7
‘Spear phishing’ for example, is when
messages sent to target specific individuals
and/or organisations. 8 It is not uncommon
for more sophisticated messages to contain
material that is true (or appears likely to be
true) to make them seem more genuine. 9

CYBER ATTACKS
Spear phishing often uses a method
called ‘social engineering’ for its success.
Social engineering is a way to manipulate
people into taking action by fashioning
very realistic ‘bait’ or messages. It usually
involves a great deal of research by the
cybercriminals to target its victims. 10
The message itself will usually lead
the unsuspecting recipient to a fake
website full of malware, which is an
intrusive software effectively designed
to destroy computer systems. 11
The technique of spear phishing
is one of the key factors leading to
successful cyber-attacks commonly
known as a ‘business email compromise’
(BEC). One example of a BEC is where
cybercriminals will, using spear phishing
techniques, target companies who use
online invoicing methods. The sting
involves gaining remote access to a
business’ (or customer / client) email and
lying in wait for the perfect opportunity
to strike. 12
They will usually ‘keep watch’ for a
while (typically with the use of malicious
software mentioned above) and get a feel
for the type of emails and invoices being
sent.
When the opportunity arises, they
intercept the invoice, manually change the
bank account details and redirect it to the
victim for payment.
Common examples involve businesses
sending an invoice for payment (that is
shortly after intercepted) and there have
also been reports of real estate agencies
sending trust account details over email
which have resulted in significant house
deposits being lost to criminals in an
instant.
It is devastating, and all too easily
avoided with the right knowledge and
use of technology.
Bank details should never be
exchanged via email, as doing so leaves
the sender vulnerable to a third party
intercepting the email and editing the bank
details so that monies are transferred to
a third party account. Once this happens,
it is very difficult and near impossible to
retrieve the lost money.
It is not uncommon to receive a
scam email that is tailored to your firm.
For example, you may receive an email
from a prospective client. They may
include a link which requires you to
click to access their ‘documents’ (for
example, they may include a link which
appears to be Dropbox or a similar
application). They may also appear to be
a co-worker, such as a senior practitioner
delegating tasks, using your co-workers
name and the firms signature template
to appear more realistic.
Equally concerning, and often less
easy to identify, is when a scammer sends
an email or message which appears to be
from your own firm’s IT department
(or another department). They may send
a message appearing to be from your own
company’s IT helpdesk asking you to
click on a link and change your password
because of a ‘new policy’.
According to Scamwatch, BEC scams
caused the highest losses across all scam
types in 2019 costing businesses $132
million, according to the ACCC’s Targeting
Scams report.
Scamwatch alone received almost 6,000
reports from businesses in 2019 with $5.3
million in reported losses. False billing was
the most commonly reported type of scam
which includes BEC scams. 13
WHAT ARE THE RISKS AND
CONSEQUENCES FOR LAWYERS IF A
CYBER-ATTACK OCCURS?
Practitioners must realise the integral
role played by technology in the legal
profession and the consequences for
practitioners when a cyber-attack occurs.
Practitioners store and use personal
and commercially sensitive information
about their clients. If a law firm is the
victim of a cyber-attack the consequences
can be overwhelming for both the clients
and the practice itself. Overall, failing to
April 2022 THE BULLETIN 7

CYBER ATTACKS
be cautious of the risks and incorporating
the use of technology into everyday
practice could ultimately result in a
breach of conduct and/or a practitioners’
obligations.
For example, a cyber-attack may
amount to breach of the South Australian
Legal Practitioners Conduct Rules (the Rules),
which sets out, amongst other things, that
one of the fundamental duties of legal
practitioners is to deliver legal services
competently, diligently and as promptly
as reasonably possible, and to ensure they
avoid any compromise to their integrity
and professional independence. 14 The
Rules also require practitioners to ensure
that they do not disclose any information
which is confidential to a client and is
acquired during the client’s engagement. 15
The bottom line: as a practitioner, you
are responsible for keeping your client’s
information safe.
Even if sensitive information isn’t
impacted during a cyber-attack, the
consequences of an attack could affect
the ongoing operations of the firm. For
example, a major law firm was attacked
by through a malware system, which
compromised its operations for days.
The firm had limited to no access to its
computers or emails. It was recorded
that the firm had to spend approximately
15,000 hours in overtime for its IT
employees to address the issues. 16
SO, HOW CAN YOU AVOID A CYBER-
ATTACK?
Practitioners should always be vigilant
with their communications and use of
technology, including computers and
mobiles. Here are some tips prepared by
the Australian Cyber Security Centre 17 and
8
THE BULLETIN April 2022
the Law Society 18 on how to reduce the
risk of a cyber-attack:
• Do not open any attachments or click
on any links arising from emails where
the sender is unknown. These links
may redirect to a file or a malicious
login page which can control your
computer or capture your login details.
• Before you click a link (in an email
or on social media, instant messages,
other web pages, or other means),
hover over that link to see the actual
web address it will take you to (usually
shown at the bottom of the browser
window). If you do not recognise or
trust the address, try searching for
relevant key terms in a web browser.
This way you can find the article, video
or web page without directly clicking
on the suspicious link.
• Even if the sender appears to be/
or is known, it is prudent to check
with the sender confirming the
email is genuine. Targeted attacks by
professional computer hackers can
easily masquerade and camouflage
their emails to appear genuine. Emailed
directions with respect to money and
trust transactions should always be
confirmed verbally.
• If you’re not sure, talk through the
suspicious message with a co-worker,
or check its legitimacy by contacting
the relevant business or organisation
(using contact details sourced from the
official company website).
• Install anti-virus software on all
devices and set it to automatically apply
updates and conduct regular scans.
• Account details for payment should
always be provided verbally, or via
a written document such as a bill
or retainer letter, and should not be
included in the body of an email. Such
details can be easily modified through
cyber-attack techniques. If the bill
or retainer letter containing the bank
details is sent via email, it should be
done so using the proper encryption
software to ensure that third parties
cannot gain access.
• Educate your clients about cyberattacks
and advise them to contact
you immediately if they receive any
in-genuine, weird or fake emails.
Such emails may take the form of a
request to pay money, receive details,
or upload/downloading files. If you
become aware of such activity, you
should advise the client to refrain from
opening any further emails.
• Have sufficient cyber-crime insurance
schemes in place.
• Implement a cyber-attack procedure
and plan for typical and worst-case
scenarios.
The Australian Cyber Security Centre
has also developed the ‘essential eight’
mitigation strategies to help avoid cyber
security incidents. 19 In summary, the
mitigation strategies suggest:
• Application Whitelisting: The
practice of specifying a list of
approved software applications or
executable files that are permitted to
be present and active on a computer
system.
• Patch Applications: Application
patch management is the process
of testing, acquiring, and installing
patches (code changes) on computer
systems to avoid vulnerabilities.
• User Application Hardening:
Disable any unnecessary applications

Calls to the Australian Cyber Security
Hotline in 2021 increased by almost
310% from the previous year.
Professional services are among
the top 3 sectors reporting cyber
security incidents in 2021
ACSC Annual Cyber Threat Report
The legal profession is often targeted for the sensitive client data they hold.
It is no longer a matter of if but when your organisation will be subject to a
cyber intrusion attempt. With the onset of the Covid-19 global pandemic and
the increasing shift to flexible workplace arrangements many organisations are
inadvertently leaving themselves vulnerable to a cyber incident.
Do you have the security in place to combat such a threat?
Contact one of our security experts today for an obligation free discussion about
your network security.
Mention this ad and receive a complimentary dark web scan of your domain,
usernames and passwords and an external vulnerability report of your primary site.
since 1999
empower | connect | protect
Lettscom was established in Adelaide in 1999 and
remains proudly South Australian owned and operated.
Supporting businesses on a local, national, and global
level for 23 years.
Call: 08 8177 5600
Email: security@lettscom.com.au
Web: lettscom.com.au

CYBER ATTACKS
and features that are likely to increase
risks (Such as Java, Office Suite Macro
Scripts, etc).
• Restrict Administrative Privileges:
Restrict access to administrative
accounts and operating systems based
on user duties. Re-validate access to
systems regularly.
• Multi-Factor Authentication: Multifactor
authentication (MFA) is a security
measure that requires two or more
proofs of identity to grant you access.
• Maintain Daily Backups: Undertaking
daily backups of your system to ensure
a copy of all of the data is saved in the
event of a data breach.
YOU’VE HAD A CYBER-ATTACK, WHAT DO
YOU NEED TO DO?
If your cyber-attack has potentially led
to sensitive and confidential information
being stolen, destroyed, and/or altered,
it is important the breach is reported
through the appropriate channels.
Remember, even in circumstances
where information may not have been
impacted in some way, practitioners
should report a cyber-attack, Practitioners
should consider whether to report to the
following entities:
• South Australian Police
• Australian Cybercrime Online
Reporting Network
• The South Australian Law Society
• Scam Watch
• Consumer & Business Services
Further, if the cyber-attack has resulted
in a data breach (meaning when personal
information is accessed or disclosed
without authorisation or alternatively
is lost), then under the Notifiable Data
Breaches scheme, an organisation or
agency that must comply with Australian
privacy law has to tell the affected party
if a data breach is likely to cause them
serious harm. 20
An organisation or agency who has
existing obligations under the Privacy Act
must also report any serious data breach to
the Office of the Australian Information
Commissioner.
This includes Australian Government
10
THE BULLETIN April 2022
agencies, businesses and not-for profit
organisations that have an annual turnover
of more than AU$3 million, private sector
health service providers, credit reporting
bodies, credit providers, entities that
trade in personal information and tax file
number (TFN) recipients. 21
Generally, an organisation or agency
(which has an obligation under the Privacy
Act to report) has 30 days to assess
whether a data breach is likely to result in
serious harm. 22
When a data breach occurs, an
organisation or agency must endeavour
to reduce the chance that an individual
experiences harm. If they’re successful,
and the data breach is not likely to result
in serious harm, the organisation or agency
is not obligated to advise the individual
about the data breach.
Should we apply this approach
to the concept of maintaining client
confidentiality – i.e., take it a step further
and notify the party whose confidentiality
has been breached as soon as practicable?
Some would say yes, and indeed many law
firms are erring on the side of caution and
creating internal policies dealing with this
very issue.
For example, sending an email to the
wrong recipient is all too easily done. It
may be prudent to set up internal firm
policy (as indicated above) providing some
guidance around how individuals in the
firm should respond to such an error. A
simple step by step process may look like:
• Contact the unintended recipient
immediately and request that they
destroy the email; and
• Contact the affected individual whose
confidentiality has been breached
and explain the situation, including
if applicable confirmation that the
content has been destroyed by the
unintended recipient.
WHAT ARE SOME OTHER BENEFITS FOR
BEING “TECH-SAVVY”?
Being “tech-savvy” is not just important
to avoid the risk of a cyber-attack.
Practitioners ought to frequently turn their
minds to the vast array of technology
available to them and query how they can
utilise it in their everyday practice for the
ultimate benefit of their clients’.
Embracing technology and the law
can result in quicker more cost-effective
communication, security and freedoms to
work outside of the four walls of the office.
For example, we have long embraced
the use of email communications with
clients (and others) as a main type of
communication in practice. Emails enable
effective and fast communications.
Today, the majority of practitioners will
often communicate through email more
than utilise phone calls. Not only are we
communicating through emails, we are
creating a written record at the same time.
Technology surrounding security
measures (such as firewalls and other
protection software) allow businesses
such as law firms to protect and maintain
client confidentiality as well as protect
transactions surrounding trust monies
and associated transactions.
The use of cloud storage and
document management systems (if used
safely), can streamline significant tasks
such as electronic discovery (eDiscovery).
eDiscovery systems will often allow firms
to create ‘shortcuts’ to streamline the review
of documents. For example, eDiscovery
systems provide tools to analyse documents
to reduce the overall volume to be reviewed
and/or discovered. Most systems, amongst
other things, offer duplicate detection to
group textually similar documents together
to help the review process more efficient.
Digital technology also enables us to
practice the law outside of the traditional
office environment which is increasingly
relevant in our post COVID-19 world.
Through virtual meetings and negotiations
to video court appearances, being able to
adopt to these modern practices can only
serve to benefit a practitioner (and their
clients). The flexibility to practice from any
location is priceless, but we must ensure
that appropriate measures are put in place
to maintain cyber security. Having an
understanding of the risks and identifying
how to mitigate those is a good starting
point. B

CYBER ATTACKS
Endnotes
1 ‘Personal details of up to 80,000 SA government
employees accessed in cyber attack,’ Stacey
Pestrin and Eugene Boisvert (10 December
2021) https://www.abc.net.au/news/2021-12-
10/thousands-of-sa-government-employeesaffected-by-cyber-attack/100690564
2 Canva criticised after data breach exposed 139m
user details, Paul Smith (26 May 2019) https://
www.afr.com/technology/canva-criticised-
after-data-breach-exposed-139m-user-details-
20190526-p51r8i
3 Australian Cyber Security Centre, Common cyber
threats, (accessed: 25 February 2022), https://
www.cyber.gov.au/acsc/view-all-content/ism
4 Ibid.
5 ‘What is a cyber-attack?’, IBM https://www.ibm.
com/au-en/topics/cyber-attack (accessed:
25 February 2022).
6 Above n3.
7 Ibid; ‘What is phishing? How this cyber attack
works and how to prevent it’, Josh Fruhlinger
(4 September 2020), https://www.csoonline.
com/article/2117843/what-is-phishing-howthis-cyber-attack-works-and-how-to-prevent-it.
html
8 ‘What is Spear Phishing?’, Kasperksy, (Accessed:
24 February 2022), https://www.kaspersky.com.
au/resource-center/definitions/spear-phishing
9 Ibid.
10 ‘How Spear Phishing Makes BEC Attacks So
Effective’, The PhishLabs Team, (2 August 2019)
https://www.phishlabs.com/blog/how-spearphishing-makes-bec-attacks-so-effective/
11 ‘What is malware?’, Joseph Regan & Ivan Belcic,
(15 February 2022) https://www.avg.com/en/
signal/what-is-malware
12 Australian Cyber Security Centre, Business Email
Compromise, https://www.cyber.gov.au/learn/
threats/business-email-compromise
13 ACCC Scamwatch, Business email compromise
scams cost Australians $132 million, (23 June 2020),
https://www.scamwatch.gov.au/news-alerts/
business-email-compromise-scams-costaustralians-132-million
14 South Australian Legal Practitioners Conduct Rules,
rule 4.1.3.
15 Ibid, rule 9.
16 Law Protect, What are the main cyber risks for lawyers
today? https://lawprotect.com.au/what-arecyber-risks-for-lawyers-today/
17 Above n3.
18 The Law Society of South Australia, Cyber
Security, https://www.lawsocietysa.asn.au/Public/
Publications/Resources/CyberSecurity.aspx
19 Australian Cyber Security Centre, Essential
Eight Maturity Model, (October 2021) https://
www.cyber.gov.au/acsc/view-all-content/
publications/essential-eight-maturity-model
20 Australian Government Office of the Australian
Information Commissioner, What is a notifiable
data breach?, https://www.oaic.gov.au/privacy/
data-breaches/what-is-a-notifiable-data-breach
21 Australian Government Office of the Australian
Information Commissioner, Notifiable Data Breach
Scheme (February 2022), https://www.oaic.gov.
au/privacy/guidance-and-advice/data-breachpreparation-and-response/part-4-notifiabledata-breach-ndb-scheme#:~:text=The
Privacy
Act requires certain,or after 22 February 2018.or
after 22 February 2018.”
22 Ibid.
TECHNOLOGY MANAGED
Is your business cyber-secure?
Your cyber-security posture needs to be strong if you want to remain protected and
operational. We’re well versed in data protection and can support your business with
cyber-security built into a technology solution that works for your business.
Quickly minimize your cyber-risk
One provider for all your technology needs
Affordable and scalable solutions
Abrahem El-Sayed - Technology Sales Manager
0423 868 560 abrahem.elsayed@efex.com.au
GET A
FREE
ASSESSMENT
THINKEX HOLDINGS PTY LTD ABN 28 625 658 568

FEATURE
FACIAL RECOGNITION TECHNOLOGY
AND THE LAW: ARE EXISTING
PRIVACY AND SURVEILLANCE
LAWS FIT FOR PURPOSE?
CAITLIN SURMAN, SENIOR ASSOCIATE, HWL EBSWORTH
Over the past few years, the
development and use of Facial
Recognition Technology (FRT) throughout
Australia has grown exponentially but has
been accompanied by widespread concerns
about the capacity of existing legislative
frameworks to regulate it appropriately,
as well as a lack of specific legislation
regulating its use.
While lawmakers grapple with what that
new legislative framework might look like,
this article considers how Australia’s existing
privacy and surveillance laws deal with FRT,
including whether those laws adequately
safeguard the use of FRT, and options for
future reforms to these frameworks.
WHAT IS FRT AND HOW IS IT USED?
FRT involves the automated
extraction, digitisation and comparison
of spatial and geometric distribution of
facial features. Using an algorithm, FRT
compares an image of a face with an
image stored in a database, in order to
identify a match. 1
FRT is deployed in two main ways,
being:
1. ‘one-to-one’ FRT, which is used to
verify the identity of an individual by
checking one image against a single,
respective image to determine if they
are the same person. 2 It is often utilised
in a controlled environment where the
lighting is sufficient and the subject is
in an optimal position to facilitate a
successful comparison, 3 and its most
common application is unlocking a
smartphone;
2. ‘one-to-many’, which is used to identify
an unknown individual by comparing a
select image against a large database; 4
12
THE BULLETIN April 2022
This article focuses on ‘one-to-many’
FRT, which seeks to match a single facial
image with a different facial image of
the same individual that has been stored
in a large database. It therefore relies
on a much larger dataset to conduct a
comparison, whilst the facial image being
compared against the dataset is often taken
from ‘the wild’ (eg CCTV surveillance) and
is of lower quality. 5 As a result, identifying
a person using ‘one-to-many’ FRT is more
difficult and prone to false matches and
misidentification. 6
In Australia, FRT is often used by
banks and telecommunications companies
for identity verification purposes, 7 and is
used extensively by immigration authorities
to verify the identity of passport holders
at international borders/airports, as well as
by law enforcement agencies throughout
Australia for crime prevention and suspect
identification purposes. Locally, SAPOL
fully implemented its own FRT system
(called ‘NEC NeoFace system’) in the
Adelaide CBD in 2019, which integrates
FRT with CCTV, ATM, and some social
media footage. 8 In November 2021, the
Adelaide City Council announced plans
to roll out an updated City Safe CCTV
Network that will involve the introduction
of facial and number plate recognition. 9
EXISTING SURVEILLANCE LAWS
Application to FRT
There is no Commonwealth legislation
that regulates the use of surveillance
devices. 10 Instead, this is currently
governed by state and territory legislation.
The relevant piece of legislation in South
Australia is the Surveillance Devices Act 2016
(SA) (SDA).
The SDA prohibits:
1. the knowing installation, use
or maintenance of an ‘optical
surveillance device’ 11 by a person on
a ‘premises’ 12 that visually records or
observes a ‘private activity’ without
the express or implied consent of all
the key parties; 13 and
2. the knowing use, communication or
publication of information or material
derived from the use of an optical
surveillance device. 14
The regulation of an optical surveillance
device under the SDA is linked to the
concept of a ‘private activity’, meaning an
activity carried on in circumstances that may
reasonably be taken to indicate that one or
all of the parties do not want the activity to
be observed by others. 15 Accordingly, the
SDA might prohibit FRT in circumstances
where it is used for covert optical
surveillance (unless an exception applies).
The definition of ‘private activity’
excludes activities carried on in a public
place. 16 Accordingly, public authorities
can use devices with FRT to monitor the
activities of the general public in public
spaces, or semi-public spaces, without
breaching the SDA.
Even if a person or government
authority is prohibited from using a device
to monitor FRT by the SDA, section 5(4)
of the SDA sets out several exceptions to
the general rule. These exceptions include
where the use of the optical surveillance
device is reasonably necessary for the
protection of the ‘lawful interests’ of
that person, or if the use of the device
is in connection with the execution
of a ‘surveillance device warrant’ or
‘surveillance device (emergency) authority’.

Transparent IT
Support and
Managed Services
that deliver peace
of mind.
At Inter Intra, we are at war with business
disruption. We act as your sentinel by providing
transparent IT support through managed
services, giving you peace of mind to focus on
future-proofing and growing your business.
Your business is only as good as the IT
infrastructure that supports it. Set your business
up with the right technology foundations to
guarantee success and prosperity.
• Years of experience supporting
the legal sector with their IT
infrastructure needs, and line of
business applications.
• Essential 8 Cyber benchmarking
• IT Managed Services
• Trusted local IT partner, for many
SA based companies
Are you ready to start your
IT Support journey?
Running your business is enough of a challenge these
days. Don’t let managing your IT infrastructure become a
burden. At Inter Intra, we set your business up with the right
technology foundations to guarantee success in the future.
Give us a call today for a free consultation.
Phone
1300 080 000
(+61) 1300 080 000 (International inquires)
Address
Level 17 45 Grenfell Street,
Adelaide 5000
www.interintra.com.au
April 2022 THE BULLETIN 13

FEATURE
The term ‘lawful interest’ is not
defined by the SDA but the concept was
given judicial consideration in Nanosecond
Corporation Pty Ltd v Glen Carron Pty Ltd
(2018) 132 SASR 63 (Nanosecond) where
Doyle J held that the recording of a private
conversation ‘just in case’ it might prove
advantageous in future civil litigation is not
enough for the purpose of establishing a
lawful interest. The Court is more likely
to find that a recording has been made
in the protection of a person’s lawful
interests where the conversation relates to
an allegation of a serious crime or resisting
such an allegation, or where a dispute has
‘crystallised into a real and identifiable
concern about the imminent potential for
significant harm to the commercial or legal
interests of a person. 17 Whilst Nanosecond
concerned the use of a listening device,
the same principles arguably apply to
the recording of a private activity via an
optical surveillance device with FRT.
A further exception is contained in
section 6(2) of the SDA, which provides
that the prohibition on the use of an
optical surveillance device does not apply
if the use of the device is in the ‘public
interest’. The term ‘public interest’ is not
defined by the SDA. 18
EXISTING PRIVACY LAWS
Application to FRT
Although the thirteen Australian
Privacy Principles (APPs) in Schedule
1 to the Privacy Act 1988 (Cth) (Privacy
Act) are intended to be technology neutral
14
THE BULLETIN April 2022
so as to preserve their relevance and
applicability to changing technologies, 19
questions remain as to whether the APPs
and Privacy Act sufficiently protect privacy
where FRT is deployed.
Australian privacy law treats biometric
information as personal information. 20 In
particular, ‘Biometric information’ that is
to be used for the purpose of ‘automated
biometric verification’ or ‘biometric
identification’, or ‘biometric templates’,
is a type of ‘sensitive information’ for the
purposes of the Privacy Act 1988 (Cth) and
Australian Privacy Principles. 21
‘Biometric information’ is not defined
by the Privacy Act or APPs, but it is
generally regarded as being information
that relates to a person’s physiological
or biological characteristics that are
persistent and unique to the individual
(including their facial features, iris or hand
geometry), 22 and which can therefore be
used to validate their identity. 23
The terms ‘automated biometric
verification’ or ‘biometric identification’
are not defined by the Privacy Act or the
APPs either. However, the Biometrics
Institute defines ‘biometrics’ as
encompassing a variety of technologies in
which unique attributes of people are used
for identification and authentication, 24
while the OAIC (Office of the Australian
Information Commissioner) has indicated
(in effect) that a technology will be
‘automated’ if it is based on an algorithm
developed through machine learning
technology. 25
A ‘biometric template’ is a
mathematical or digital representation of
an individual’s biometric information. 26
Machine learning algorithms then use the
biometric template to match it with other
biometric information for verification or
identification purposes. 27
Given the breadth of the definitions
of ‘biometric information’, ‘automatic
biometric verification’, ‘biometric
identification’ and ‘biometric template’,
the majority of biometric information
captured by FRT is likely to fall within the
protections of the Privacy Act and APPs,
and the safeguards contained in Privacy
Act and APPs will therefore apply to any
biometric information collected by any
FRT deployed by an ‘APP entity’. 28
Current Safeguards
As a form of ‘sensitive information’,
biometric information is afforded a
higher level of privacy protection under
the Privacy Act and APPs than other
personal information in recognition
that its mishandling can have adverse
consequences for an individual, 29 meaning
that an APP entity that collects and uses
a person’s biometric information via FRT
must adhere to stricter requirements.
Consent
The key requirements are contained
in APP 3, which (in effect) provides that
an APP entity may only solicit and collect
a person’s biometric information if the
information is reasonably necessary for
one or more of the APP entity’s functions

Boost your bottom-line
Collaborative cloud matter management with Microsoft Office and
Outlook integration, automate workflow and documents, manage
emails, tasks, and calendars in one place.
Book a demonstration at www.cabenet.com.au

FEATURE
or activities, 30 the biometric information
has been collected by ‘lawful and fair
means’, 31 and the person consents to the
collection of their biometric information
(unless an exception applies). 32
Consent for the purpose of the
Privacy Act and APPs can be either
‘express consent’ or ‘implied consent’. 33
As a general rule, an APP entity should
seek express consent to the collection of
sensitive information (including biometric
information) as the potential privacy
impact is greater. 34 In either case, however,
an individual must be adequately informed
before giving consent. 35
The Privacy Act and APPs contain five
exceptions to the requirement for an APP
entity to obtain a person’s consent prior to
collecting sensitive information (including
biometric information). 36 The exceptions
are broad and include:
1. where it is unreasonable or
impracticable to obtain a person’s
consent to the collection, and the APP
entity reasonably believes the collection
is necessary to lessen or prevent a
serious threat to the life, health or
safety of any individual, or to public
health or safety; 37
2. where the APP entity has reason
to suspect that unlawful activity, or
misconduct of a serious nature, that
relates to the APP entity’s functions or
activities has been, is being, or may be
engaged in and reasonably believes that
the collection is necessary in order for
the entity to take appropriate action in
relation to the matter; and 38
3. where an ‘enforcement body’ 39
reasonably believes that collecting the
information is reasonably necessary
for, or directly related to, one or more
of the body’s functions or activities. 40
Use & Disclosure of Biometric information
As a type of sensitive information,
special requirements also apply to the use
and disclosure of biometric information
after it has been collected via FRT. APP6
provides that an APP entity can only
use or disclose biometric information
for the original/primary purpose for
which it was collected. For example, if a
company collects the image of a person’s
face for the purpose of unlocking their
smartphone, the company would not
(without consent) be permitted to use the
individual’s face for an unrelated purpose,
such as to build a database of people
16
THE BULLETIN April 2022
whose information could then be sold to
a third party for marketing purposes. 41
Biometric information can only be
used or disclosed for a secondary purpose
if an exception contained in APP 6.1
applies. Those exceptions include where
the individual has consented to that
secondary use or disclosure, 42 or where an
individual would ‘reasonably expect’ 43 the
entity to use or disclose the information
for that secondary purpose and the
secondary purpose is directly related 44 to
the primary purpose of collection. There
are also specific exceptions which enable
an APP entity to share a person’s personal
information (including their biometric
information) with enforcement bodies. 45
CONCERNS WITH EXISTING LAWS
Concerns with surveillance laws
Given how broad the legislated
exceptions are, concerns have arisen that
relying on these exceptions to justify
the use of devices integrating FRT
disproportionately affects a person’s
privacy. The decision in Nanosecond curtails
any such invasion to a limited extent by
ensuring that the ‘lawful interest’ exception
cannot be relied on to use FRT to visually
monitor a person in anticipation that they
might do something that might impinge
upon a person’s lawful interest. However,
more clear statutory limits as to what
constitutes a ‘lawful interest’ would be
helpful while the case law evolves.
Similarly, a key concern raised in respect
of FRT and the public interest exception
is that its widespread use in public places
is not necessary or proportionate to a goal
of crime prevention or public safety, and
that the use of FRT therefore improperly
invades a person’s privacy. 46 Options to
prevent any unnecessary incursions on a
person’s privacy could include to require
that the optical surveillance be ‘reasonably
necessary’ to protect the public interest, and
to introduce a list of non-exclusive statutory
considerations that must be taken into
account when undertaking that assessment.
Concerns with privacy laws
Scope
The Privacy Act and APPs are federal
laws that only apply to organisations and
agencies deploying FRT that fall within
the definition of an ‘APP entity’. The
definition of an ‘APP entity’ does not
include state and territory authorities or
agencies, or organisations with an annual
turnover of less than $3 million. 47 Whilst
some jurisdictions have their own specific
privacy legislation that steps in to help
safeguard a person’s privacy where FRT is
used, there are other jurisdictions where
no specific privacy legislation exists at all
(including South Australia).
In South Australia, the State public
sector is required to comply with South
Australian Information Privacy Principles
(IPPs). 48 However, the IPPs do not extend
to biometric information, and there is no
other legal framework which holds those
agencies, authorities and organisations that
fall outside the scope of the Privacy Act
and APPs to account in SA.
No true consent
In the past year, the OAIC has issued
two rulings in which it determined that
the collection of biometric information by
two separate companies (Clearview AI 49
and 7Eleven 50 ) contravened the consent
requirements of the Privacy Act and
APPs, demonstrating that whilst the OAIC
is conscious of the privacy issues posed by
FRT, the consent model under the current
privacy regime is ill-equipped for FRT.
The Privacy Act and APPs strictly
require that APP entities collecting
biometric information via FRT should
obtain express consent, but the nature
of FRT means that it is not practical (or
often possible) to obtain true, express
consent from individuals whose biometric
information might be captured by FRT.
Whilst obtaining express consent is
arguably more realistic where ‘one-toone’
FRT is being utilised for a specific
purpose in a controlled environment, it
is hard to imagine a scenario where an
APP entity deploying ‘one-to-many’ FRT
would (or could) take steps to obtain
express consent from every person
whose biometric information they might
capture. Accordingly, an APP entity that
deploys FRT will usually need to infer a
person’s consent to the collection of their
biometric information by FRT.
Even though inferred consent is an
option, it is difficult for APP entities
deploying FRT to provide people
with enough information about how
FRT collects and uses their biometric
information before FRT captures their
image. This means that most people
captured by FRT will not have been
properly informed about what they were

FEATURE
consenting to. Further, an individual will
not often have the ability to refuse to
provide their consent to the use of FRT,
and may feel compelled to provide it due
to the inconvenience of not doing so, or
due to their lack of bargaining power. For
example, although 7Eleven displayed a
notice at the entrance to its stores to alert
customers that they would be subject to
FRT when they entered the store, 51 and
sought to a infer that any customer who
then chose to enter the store has provided
consent, it is arguable that the customer
had no choice (particularly if there were no
convenient alternatives available to them).
Breadth of exceptions
Another criticism levelled at the Privacy
Act and APPs is that the exemptions to the
consent requirements of APP 3, and the
single purpose requirement of APP6, are
too broad and do not sufficiently protect
people against invasions of privacy. The
exemptions provided for in the Privacy
Act which allow for the collection and
use/disclosure of sensitive information
(including biometric information) without
consent have been made on the basis of
balancing individual interests against those
of collective security. 52 However, this
balancing approach has arguably resulted
in individual privacy being ‘traded off ’
against the wider community interests
of preventing, detecting and prosecuting
crime’. 53
WHERE TO FROM HERE?
The issues identified in this article
suggest a review and assessment of
existing privacy and surveillance laws is
needed to address the unique challenges
posed by biometric technologies. It is clear
that while existing privacy and surveillance
laws place a number of safeguards on the
use of FRT in private enterprise, there is
a gap in the regulation of the use of FRT
by government authorities (particularly
in South Australia). This is particularly
concerning when FRT is used by
government authorities to make decisions
that might infringe on an individual’s
human rights in the context of policing
and law enforcement.
In March, 2021, the Australian
Humans Rights Commission released
the Human Rights and Technology Final
Report 2021, which made a number of
recommendations for the regulation of
FRT, including the introduction of tailored
legislation that regulates the use of FRT,
and the introduction of a statutory cause
of action for serious invasions of privacy. 54
These recommendations have been
made at the same time that the privacy
law regime in Australia is undergoing a
comprehensive review. Accordingly, it is
hoped that those reviews can result in the
incorporation of additional, more tailored
safeguards to help balance the benefits
flowing from the use of FRT against its
risks to personal privacy. B
Auctioneers & Valuers
MGS (SA) is South Australia’s most experienced industrial auctioneers and valuers with
over 40 years in the industry. Our expertise is second to none. Servicing Corporate
Australia, Insolvency Practitioners, Legal Professionals, Accountants and Government.
Jack Ruby’s Bar
Providing an unparalleled solution Basement, 89 for King asset William Street, management, Adelaide SA valuations or disposal.
Auctioneers & Valuers of Plant & Equipment for:
• Business Restructuring
• Succession Planning
• Acquisition & Disposal
• Insolvency & Legal Disputes
www.mgs.net.au
Mason Gray Strange Auctions (SA) Pty Ltd |
P 8444 9111 | 370-378 Torrens Road, Kilkenny, SA 5009

FEATURE
Endnotes
1 Monique Mann* And Marcus Smith, ‘Automated
Facial Recognition Technology: Recent
Developments And Approaches To Oversight’
(2017) 40(1) UNSW Law Journal 121, 122.
2 This involves a computer checking whether a
single facial image matches a different facial
image of the same person: Australian Human
Rights Commission, Human Rights and Technology
(Final Report, March 2021) 113.
3 Eifeh Strom, ‘Facing challenges in face
recognition: one-to-one vs. one-to-many’, Asmag
(Web page, 19 September 2016)
4 Philip Brey, ‘Ethical Aspects of Facial Recognition
Systems in Public Places’ (2004) 2 Journal of
Information, Communication and Ethics in Society 97, 98
5 Seth Lazar, Clair Benn and Mario Gunther,
‘Large-scale facial recognition is incompatible
with a free society’, The Conversation (Web page, 10
July 2020)< https://theconversation.com/largescale-facial-recognition-is-incompatible-with-afree-society-126282
6 Australian Human Rights Commission,
Human Rights and Technology (Final Report,
March 2021) 113.
7 Liz Campbell, ‘Why regulating facial recognition
technology is so problematic - and necessary,
The Conversation (Web Page, 26 November 2018)
8 ‘South Australia Police tap NEC for facial recognition
edge over criminals’, NEC Organisation (Web page,
1 August 2016) .
9 Malcolm Sutton, ‘Facial recognition technology
put on hold in Adelaide amidst privacy concerns’,
ABC News (Web page, 10 November 2021)
10 Note that the Commonwealth Government
has committed to reforming Australia’s laws
governing electronic surveillance, and recently
released a Discussion Paper “Reform of
Australia’s electronic surveillance framework”
which seeks input in respect of its proposal to
repeal the Telecommunications (Interception and
Access) Act 1979 (TIA Act), Surveillance Devices
Act 2004 and relevant parts of the Australian
Security Intelligence Organisation Act 1979
(ASIO Act), and replace the current patchwork
of laws with a single, streamlined and technology
neutral Act.
11 An “optical surveillance device” means a device
capable of being used to observe or record
visually (whether for still or moving pictures) a
person, place or activity: SDA, s 3. This definition
is arguably wide enough to capture any devices
that integrate FRT for the purpose of capturing
facial images (such as CCTV).
12 “premises” includes land, a building, a part of a
building, and any place (whether built or not).
13 SDA, s 5(1).
14 SDA, s 12(1)
15 SDA, s 3.
16 SDA, s 3. The definition of “private activity” also
excludes activities that can be readily observed
from a public place, and/or an activities carried
on in circumstances where the person ought to
reasonably expect that they may be observed by
another person.
17 Nanosecond, [103] to [105]
18 Queensland Law Reform Commission,
Review of Queensland’s laws relating to civil
surveillance and the protection of privacy
in the context of current and emerging
technologies (Report No. 77, February 2020)
.
23 Types of Biometrics, Biometrics Institute (Web page)
24 Above n 25.
25 Commissioner initiated investigation into
Clearview AI, Inc. (Privacy) [2021] AICmr
54,[138] (Clearview).
26 International Organization for Standardisation,
Standard ISO/IEC 2382-37: 2017(en), Standard
3.3.22 (Web page, 12 March 2021) < https://
www.iso.org/obp/ui/#iso:std:iso-iec:2382:-37:ed-
2:v1:en>.
27 Clearview, [127]
28 APP Guidelines, Chapter B: Key Concepts [B.2]
to [B.9]; Privacy Act, s 6(1). APP entities generally
include include Australian Government agencies
and any organisation with an annual turnover of
more than $3 million: [
29 APP Guidelines, Chapter B: Key Concepts,
[B.141]
30 APP 3.1 and APP 3.2
31 APP 3.5.
32 APP 3.3.
33 Privacy Act, s 6(1).
34 APP Guidelines, Chapter B: Key Concepts,
[B.41].
35 APP Guidelines Chapter B: Key Concepts, [B.35]
36 The five exceptions are contained at APP 3.4
37 Privacy Act, s 16A(1), Item 1. This is one of the
seven “permitted general situations” provided for
by s 16A.
38 Privacy Act, s 16A(1), Item 2. This is one of the
seven “permitted general situations” provided for
by s 16A.
39 ‘Enforcement body’ is defined in s 6(1) of the
Privacy. It lists of series of specific bodies. The
list includes Commonwealth, State and Territory
bodies that are responsible for policing, criminal
investigations, and administering laws to protect
the public revenue or to impose penalties
or sanctions. Examples of Commonwealth
enforcement bodies are the Australian Federal
Police, Australian Crime Commission, the
Integrity Commissioner, the Immigration
Department, Australian Prudential Regulation
Authority, Australian Securities and Investments
Commission and AUSTRAC.
40 APP 3.4(d)(ii).
41 Australian Human Rights Commission, Human
Rights and Technology (Final Report, March 2021),
112.
42 APP 6.1(a)
43 The ‘reasonably expects’ test is an objective one
that has regard to what a reasonable person,
who is properly informed, would expect in the
circumstances. This is a question of fact in each
individual case. It is the responsibility of the APP
entity to be able to justify its conduct. Examples
of where an individual may reasonably expect
their personal information to be used or disclosed
for a secondary purpose include where the entity
has notified the individual of the particular
secondary purpose under APP 5.1 (see Chapter
5 (APP 5) or the secondary purpose is a normal
internal business practice: APP Guidelines,
Chapter 6:APP6, [6.20].
44 A directly related secondary purpose is one which
is closely associated with the primary purpose,
even if it is not strictly necessary to achieve
that primary purpose: APP Guidelines, Chapter
6:APP6, [6.26].
45 APP 6.2(c), APP 6.2(e) and APP 6.3
46 Australian Human Rights Commission, Human
Rights and Technology (Final Report, March 2021)
114.
47 APP Guidelines, Chapter B: Key Concepts, [B.8];
Privacy Act, s 6(1).
48 Government of South Australia, Department of
the Premier and Cabinet Circular, Information
Privacy Principles Instruction PC012 (Webpage,
16 September 2013) .
49 Commissioner initiated investigation into
Clearview AI, Inc. (Privacy) [2021] AICmr 54
50 Commissioner initiated investigation into
7-Eleven Stores Pty Ltd (Privacy) (Corrigendum
dated 12 October 2021) [2021] AICmr 50
(7Eleven)
51 7Eleven, [89]
52 Above n1, 132.
53 Ibid.
54 in South Australia, the draft Civil Liability (Serious
Invasions of Privacy) Bill 2021 (Privacy Bill) has
been tabled for consideration in Parliament to
establish a new statutory cause of action for
serious invasions of privacy in South Australia,
which is separate and distinct from the Privacy
Act and APPs. The Privacy Bill will enable an
individual to bring civil proceedings against a
person who has invaded their privacy where
there was a reasonable expectation of privacy, the
invasion of privacy was serious and the conduct
was undertaken intentionally. Consultation in
respect of the Privacy Bill is still underway, but
that consultation process will hopefully assist
in identifying how the proposed statutory tort
can be best utilised to address the gaps in the
safeguards provided for in the current privacy
and surveillance laws.
18
THE BULLETIN April 2022

FEATURE
When held to ransom: Legal
implications of ransomware attacks
for legal practitioners and their clients
BROOKE HALL-CARNEY, AMY COOPER-BOAST AND ELIZABETH CARROLL-SHAW, LK LAW
As ransomware attacks accelerate in
scale, frequency and sophistication,
they pose a risk both to legal practitioners
and their clients. It is not only government,
critical infrastructure and large corporates
falling victim: over 60% of Australia’s
small to medium businesses have now
experienced a cybersecurity incident. 1
The professional services sector is emerging
as a ransomware target 2 – perceived as
data-rich and motivated to protect client
confidentiality or privilege. In a quickly
evolving regulatory and threat landscape, it
is critical for practitioners to understand the
legal implications of ransomware incidents
for their practices and for their clients.
THE NATURE OF THE THREAT
Ransomware involves the use of
malicious software to infiltrate and lock
data or systems and demand payment for
their release. Simpler models of attack
involve cybercriminals encrypting files
and demanding payment (typically in
cryptocurrency) for a decryption key.
The past year saw a rise in ‘double’
and ‘triple’ extortions. 3 With ransomware
victims choosing to restore data from
back-ups rather than pay a ransom, or
being unable to pay where uninsured
or under-insured, cybercriminals have
pivoted to exfiltration (covert extraction)
of data. After exfiltration, two ransom
demands follow – the first in exchange
for unlocking the system or data; the
second in exchange for not selling the data
on the dark web, or releasing it publicly.
A third ransom demand may be made
directly to the victim’s clients or suppliers,
whose confidential information was
compromised – or, alternatively, the threat
of compromising clients or suppliers is
used as leverage against the victim.
A market for Ransomware-as-a-Service
(RaaS) has emerged, with developers
offering malware as a product for sale to
hackers for a fee or a commission paid
from the ransom.
PAYING CYBERCRIMINALS
The Australian Cyber Security Centre
(ACSC) is the Federal Government’s lead
agency for cybersecurity. The ACSC’s
position on ransomware payments is
clear: payments are never condoned, do
not guarantee a return of stolen data or
system access, and perpetuate a vicious
circle by funding cybercriminals. Some
organisations adopt a policy to never pay;
for others, where health or safety is put at
risk, payment is more readily justified. A
2021 global survey indicates that of those
attacked, a quarter paid the ransom, with
the average ransom rising by 63% year-onyear.
4 Ransoms are highest in the Asia-
Pacific, averaging US$2.35 million. 5
In practice, a victim’s options when
faced with a ransomware demand are
influenced by complex factors: the
severity of the attack; the sensitivity of
compromised data; the extent to which
data has been exfiltrated; the feasibility,
time and cost of either data restoration
(from back-ups) or decryption; business
continuity; reputational, ethical, financial
and insurance considerations; and the risk
that paying a ransom will attract future
attacks.
Victims must also grapple with the
legality of paying a ransom. Ransomware
payments are not specifically prohibited
under Australian law. A payment could,
however, offend anti-money laundering
and counter-terrorism financing legislation
where a victim holds sufficient knowledge
as to the cybercriminal’s identity and
possible use of the funds. 6 If an illegal
payment was made, a defence may arise
in circumstances of duress, sudden or
extraordinary emergency or self-defence
(of persons or property).
Paying a ransom would also constitute
an offence under Australian law if made
to persons or entities proscribed by UN or
Australian sanctions, or in contravention
of sanction laws. 7 A defence arises
for bodies corporate who prove they
undertook reasonable precautions and
due diligence to avoid a contravention.
WHO TO NOTIFY
Ransomware victims will need
to consider their communications
with affected persons, insurers and
stakeholders. They may be required to
disclose the incident under third party
contracts. A cybercrime police report
can be made via the ACSC.
Various notification regimes also
operate:
• Organisations with an annual turnover
exceeding $3 million (amongst others)
must report ‘eligible data breaches’ and
notify affected individuals under the
Privacy Act 1988 (Cth).
• Responsible entities for specified
critical infrastructure assets will be
required to report cybersecurity
incidents. 8
• Reporting entities under the Anti-Money
Laundering and Counter-Terrorism Financing
Act 2006 (Cth) have suspicious matter
reporting obligations.
April 2022 THE BULLETIN 19

FEATURE
• ASX-listed entities should consider
their continuous disclosure obligations.
Disclosure may also be required in an
entity’s financial reports.
• Financial institutions must report
‘material information security
incidents’ under APRA Prudential
Standard CPS 234.
• Mandatory notification schemes
apply in the health, defence, aviation
and maritime transport sectors.
Organisations may be required to liaise
with other sector-specific regulators.
• Australian businesses with international
establishments or activities may have
reporting obligations under foreign
laws and regulations, such as the EU or
UK General Data Protection Regulation.
RANSOMWARE REFORM
Regardless of the outcome of the
Federal election, further ransomware
reform is imminent, with both major
parties releasing competing ransomware
strategies. 9
Two Opposition bills have proposed
mandatory reporting of ransomware
payments. The Federal Government has
foreshadowed mandatory reporting
of ransomware incidents. At the time
of writing, both regimes are proposed
to apply to businesses with an annual
turnover of $10 million or more. 10
On 17 February, 2022, the Federal
Government introduced the Crimes
Legislation Amendment (Ransomware
Action Plan) Bill 2022 (Cth). This Bill
criminalises ransomware activities, RaaS and
cyber-attacks on critical infrastructure, but
20 THE BULLETIN April 2022
does not introduce criminal or accessorial
liability for making ransomware payments.
By contrast, the Opposition has called for
regulation of payments through measures
such as government pre-approval. 11
LIABILITY FOR ORGANISATIONS AND
DIRECTORS
A high alert issued by the ACSC in
February, 2022 requested all Australian
organisations to ‘urgently’ adopt an enhanced
cybersecurity posture, as geopolitical
tensions rose with the attack on Ukraine. 12
Businesses may be exposed to ransomware
attacks through their own security lapses or
through supply chain vulnerabilities.
In addition to theft or destruction
of data and physical assets, reputational
damage and financial losses, a ransomware
attack can expose a business to litigation
risk. Claims may be brought by clients
or suppliers whose sensitive data has
been stolen or leaked, or by contractors
impacted by business disruptions.
It is incumbent on organisations to
consider mitigation measures such as:
• Enhanced cybersecurity controls. 13
• Staff education and simulations.
• Contractual protections, such as
cybersecurity requirements for suppliers
and tailored force majeure clauses.
• Multi-disciplinary response and
continuity plans.
• Cyber insurance (noting that it can
be difficult to acquire, expensive and
subject to exclusions and may cede
control to an insurer).
• Secure and regular back-ups and offline
or ‘cold’ storage – key tools in avoiding
many ransomware payments. Back-ups
will not, however, solve the dilemma
of particularly sensitive data under
threat of public release; albeit neither
will be paying the ransom,
with any degree of certainty.
Although it has discussed mandatory
or voluntary cybersecurity governance
standards for large businesses, 14 the
Federal Government has not, to date,
enacted any personal director liability
for inadequate cyber protections.
However, a director’s duty to act with
care, skill and diligence will be breached
by failing to prevent conduct carrying a
foreseeable risk of harm to the interests
of the company. 15 Having regard to the
deteriorating cyber threat environment,
it is increasingly likely that courts will
consider inadequate cybersecurity
measures to pose a foreseeable risk of
harm. ASIC has also recently emphasised
the active role it expects from directors in
managing cyber risk. 16
Last year, ASIC commenced its first
action against an entity for cybersecurity
shortfalls. The entity, which is alleged to
have breached financial services licensee
obligations, experienced ransomware and
other attacks. 17
PITFALLS FOR LEGAL PRACTITIONERS
Perhaps unsurprisingly, the legal
profession is an attractive target for
ransomware due to the valuable and
sensitive nature of information held
on behalf of clients. Most ransomware
attacks in Australia are reported in the
legal, accounting and management services

FEATURE
sector. 18 Ransomware attacks may target
legal practices directly, or may seek to
exploit interdependencies with professional
networks and service providers.
As well as notification obligations
and exposure to loss and liability,
legal practitioners must consider their
professional responsibilities. A failure to
implement appropriate protections may
result in breaches of fiduciary, tortious
and contractual duties to clients; a breach
of the South Australian Legal Practitioners’
Conduct Rules requiring maintenance of
client confidence and competent, diligent
delivery of legal services; and claims of
unsatisfactory professional conduct or
professional misconduct. Any ransomware
payment would also require careful ethical
navigation.
Case examples highlight pitfalls of
ransomware and other cyber-attacks for
lawyers and their clients:
• Law practices should ensure that
important information, such as client
data, retainer agreements and costs
disclosures, is protected and backed-up. 19
• Ransomware attacks can compromise
data relevant to proceedings, causing
evidentiary and discovery issues. 20 This
can lead to loss of evidence, and cost
and difficulties in restoring files (if
restoration is possible). Where litigation
is anticipated or on foot, it is vital to
ensure that relevant documents are
securely backed-up.
• A UK firm’s failure to implement
multi-factor authentication, patches
and encryption, whose sensitive court
bundles were released on the dark web
by ransomware criminals, led to
a £98,000 regulatory penalty. 21
• Legal professional privilege is not an
actionable legal right. It cannot found
an application to claw back or prevent
the use of privileged documents
where they are stolen from a law
firm’s computer system and publicly
disseminated. 22
• The impact of a cyber-attack can be farreaching,
as illustrated by the law firm
subject to the Panama Papers data spill.
The infiltration of Mossack Fonseca’s
systems and release of confidential
documents led to severe reputational
and financial consequences for the firm,
and its closure two years later. B
Endnotes
1 This article is current as at 11 March 2022.
Cyber Security Industry Advisory Committee,
Locked Out: Tackling Australia’s ransomware threat
(March 2021) p.2.
2 Australian Cyber Security Centre, Annual Cyber
Threat Report 2020 – 2021 (15 September 2021),
p.21, Figure 8.
3 Australian Cyber Security Centre, 2021 Trends
Show Increased Globalized Threat of Ransomware
(10 February 2022).
4 Crowdstrike, 2021 Global Security Attitude Survey,
p.10.
5 Ibid.
6 Criminal Code Act 1995 (Cth), Criminal Code Part
5.3, Division 103 and Part 10.2, Division 400.
7 Charter of the United Nations Act 1945 (Cth) ss. 21
and 27 and Autonomous Sanctions Act 2011 (Cth)
s.16.
8 Under Part 2B of the Security of Critical
Infrastructure Act 2018 (Cth), once the rules
‘switching on’ these obligations are registered
and a three-month grace period has passed.
9 Department of Home Affairs, Ransomware Action
Plan (October 2021); Federal Labor, Beyond
the Blame Game: Time for a National Ransomware
Strategy (February 2021).
10 See the Opposition’s Ransomware Payments Bill
2021 (Cth) and Ransomware Payments Bill (No
2) 2021 (Cth) and Department of Home Affairs’
medial release, New plan to protect Australians
against ransomware (13 October 2021). The
Opposition’s proposal would additionally apply
to Government entities.
11 Federal Labor, Beyond the Blame Game: Time for
a National Ransomware Strategy (February 2021),
pp.14 – 16.
12 Australian Cyber Security Centre, Australian
organisations should urgently adopt an enhanced cyber
security posture (23 February 2022; updated 4
March 2022).
13 This ought to include, as a baseline, the ACSC’s
‘Essential Eight’ strategies: see .
14 Department of Home Affairs, Strengthening
Australia’s cyber security regulations and incentives:
An initiative of Australia’s Cyber Security Strategy
2020 (July 2021); industry consultation closed in
August 2021.
15 ASIC v Cassimatis (2016) 336 ALR 209.
16 ASIC Chair Joseph Longo, ‘ASIC’s corporate
governance priorities and the year ahead’ (Speech
delivered at the AICD Australian Governance
Summit, Melbourne Convention Centre, 3 March
2022).
17 ASIC v RI Advice Group Pty Ltd [2021] FCA 1193.
18
Office of the Australian Information
Commissioner, Notifiable Data Breaches Report: July
to December 2021 (22 February 2022), pp. 23 – 26.
19 Leung v Fordyce (t/a Pmf Legal Trading) [2019]
NSWSC 18.
20 In the matter of Beverage Freight Services Pty Ltd
[2020] NSWSC 509; Cargill Australia Limited v
Viterra Malt Pty Ltd (No. 28) [2022] VSC 13.
21 Information Commissioner’s Office (UK),
Monetary Penalty Notice issued under Data
Protection Act 2018 to Tuckers Solicitors LLP (28
February 2022).
22 Glencore International AG v Commissioner of
Taxation (2019) 265 CLR 646.
April 2022 THE BULLETIN 21

CLOUD COMPUTING
An analysis of the Law Society of South
Australia’s Cloud Computing Guidelines
MARK FERRARETTO, SOLICITOR, EZRA LEGAL
The Law Society publishes Cloud
Computing Guidelines 1 which quite
rightly guide legal practitioners through
the various risks and issues associated
with adoption of cloud services. What
the Cloud Computing Guidelines neglect
to mention, however, is that these same
risks and issues also apply to on premises
services. When evaluating cloud services,
legal practitioners should evaluate the risk
profile of cloud systems against the risk
profile of adopting (or remaining with) on
premises computer systems.
This article and the next four that follow
it analyse a set of cloud services commonly
used in the legal profession against the
Cloud Computing Guidelines and compares
these services against on premises services.
Before we get under way however, I
should disclose a bias. I am a big fan of
cloud services. The convenience of having
information at your fingertips is simply
too attractive. I constantly demonstrate
to friends and colleagues how I can write
on a tablet and have my writing magically
appear on my desktop and on my phone
at the same time. The accessibility that
cloud services provide can lead to a great
increase in productivity. Cloud services do
pose unique challenges, data sovereignty
and data security being but two. However,
cloud services have evolved significantly
over the last five years, to say nothing of
the last 10 to 15 years. In my view, there
are many contexts where using cloud
services for data storage should now be
considered best practice for law firms.
Thus endeth my declaration of bias.
What We Will Cover
In this first article we’ll give a broad
overview of what lies ahead, and then
explore issues relating to governance of
cloud computing.
Firstly, we will discuss key points from
the Guidelines and then discuss how I
approach the analysis.
The Cloud Computing Guidelines
As I’ve said, the Cloud Computing
Guidelines are drafted with a view to
22 THE BULLETIN April 2022
guiding practitioners through the evaluation
and adoption of cloud systems. Overall, in
my view, they paint a cautionary tale. The
Guidelines cover a raft of issues, but they
can be grouped into these broad categories:
1. Governance;
2. Confidentiality;
3. Data security; and
4. Data resilience.
The Guidelines’ dealings with
governance refer mainly to issues around
data sovereignty and the governing
jurisdiction of a cloud service’s terms of
service. Data sovereignty raises issues of
the underlying laws of a sovereign state that
protect (or otherwise) your data. Ideally,
practitioners would want their data located
in Australia so that their data is protected
by Australian law, which if nothing else, is
a known quantity. Governing jurisdiction
clauses in terms of service raise issues
regarding the ease (or otherwise) of
asserting a party’s legal rights.
The Guidelines unsurprisingly
deal extensively with confidentiality.
Confidentiality stems from the risk of
third party access to data but extends
past this because, as we shall see, third
parties always have access to our data
regardless of whether it is in the cloud
or on-premises. The confidentiality issue
becomes a question of regulation of
third-party access to a degree that satisfies
practitioners’ obligations under the
Australian Solicitor Conduct Rules. 2
Data security is self-explanatory
and has long been a concern of those
looking to migrate to the cloud. As will
be demonstrated, data security is also a
significant issue with on-premises systems.
Data resilience refers to several aspects.
The most obvious being availability of
data (ie: how often does a service crash).
Less obvious are issues around incident
management and data portability, data
portability being the ability to extract data
out of a cloud service if desired.
Analysis
The aim of my analysis is to apply
the abstract concepts in the Guidelines
to the practical context of cloud services
commonly used by legal practitioners.
To that end, I have decided to analyse
the Guidelines against a set of popular
cloud services and also against an onpremises
context. The could services
to be analysed are:
• Dropbox (the consumer version); 3
• Dropbox Business; 4
• Google Workspace; 5
• Microsoft 365; 6
• LEAP; 7 and
• Actionstep. 8
It is worth stating that there are many
other cloud services, large and small,
that are available to legal practitioners.
My intention is to focus on the more
prominent services that many practitioners
consider adopting or have already adopted.
It is also worth stating that this analysis is
not a substitute for performing your own
due diligence!
GOVERNANCE
Two main points in the Cloud
Computing Guidelines relate to governance
– data sovereignty and jurisdictional issues.
Let’s deal with data sovereignty first.
Data Sovereignty
As discussed above, data sovereignty
relates to the location of data. The location
of data is important as different countries
prescribe different legal protections to data
stored in them. Protections vary widely from
country to country. Also, sovereign data
protection may only extend to the citizens
of a country. For example, data stored in the
US may not be subject to the constitutional
protections afforded to US citizens.
Cloud services may store data across
many countries. As cloud services usually
store multiple copies of customer data (for
resilience), it’s possible that information
stored with a cloud service could fall under
multiple widely-varying data legislation.
Google, for example, stores its Google
Workspace data in 18 different countries
across the world, from the USA to Finland
to Indonesia. 9

CLOUD COMPUTING
TABLE 1 GOVERNANCE
DATA SOVEREIGNTY
(Location of data)
GOVERNING JURISDICTION
Dropbox ‘All around the world’ USA
Dropbox Business
Ideally, as practitioners, we would
want our data stored in Australia so that
it falls under the protections of Australian
law which, although may not the most
protective laws, at least are well-known
and understood.
So, we will assess data sovereignty
by asking the question: ‘Can my data be
stored exclusively in Australia?’
Governing Jurisdiction
Governing jurisdictional issues arise
as most cloud service providers are based
outside of Australia and usually require
their customers to agree to have their
agreements governed under foreign,
predominantly US, laws. For Australians
this predominantly raises a convenience
and cost issue as any dispute needs to
be litigated overseas. It also subjects
agreements to foreign laws that may
not contain the same level of consumer
protection as Australian law.
Data sovereignty and governing
jurisdiction are clearly not issues in an
on-premises environment. Data on
premises is stored in Australia. For firms
that outsource their IT support, they do so
with local firms and these agreements are
governed under Australian law.
In contrast, these issues do arise
with cloud services, particularly so with
consumer services, such as Dropbox. The
consumer Dropbox stores its data ‘around
the world’ 10 , giving a user no control
over where their data resides. Dropbox’s
business offering is better, allowing file
storage to be limited to Australia, but file
File data in Australia, metadata
and ‘Paper’ data in the US
USA
Google Workspace Worldwide USA
Microsoft 365 Australia USA
LEAP Australia Australia
Actionstep Australia Australia
On Premises Australia Australia
metadata and other products, such as its
‘Paper’ product, remain located in the US. 11
Google’s Workspace business offering
gives no option to nominate where data
is to reside. A Workspace subscriber must
accept that their data will reside in any of
the 18 locations where Google has data
centres. 12
Microsoft 365 allows its customers to
specify that all data, including email, file
storage, SharePoint and Teams data, be
located in Australia. 13 Both LEAP 14 and
Actionstep 15 also locate data exclusively in
Australia.
Most of the cloud services reviewed
contain jurisdictional clauses that govern
agreements under US law. The Dropbox
Business terms also impose a mandatory
arbitration process. 16 The only exceptions
for the services reviewed are LEAP and
Actionstep which are governed under
NSW law 17 (for LEAP) and ‘Australian
law’ 18 according to Actionstep’s terms.
The Verdict
Clearly the on-premises solution wins out
in this category. Data sitting in a practice’s
office will be located in and governed
by the jurisdiction a practitioner is most
comfortable with. The practice management
systems also do well in this category. The
big cloud providers are all based in the US
so while some, such as Microsoft, allow for
location of data in Australia, terms are still
governed by US Law.
On-premises wins this round.
In the next article we discuss
confidentiality. B
Endnotes
1 ‘Cloud Computing Guidelines’ (Law Society
of South Australia, February 2016) .
2 ‘Australian Solicitors’ Conduct Rules (SA)
2011 V3 with Commentary’ (Law Society
of South Australia, 1 July 2015) .
3 ‘Dropbox’, Dropbox In this paper ‘Dropbox’ means the
consumer version of Dropbox (which has a free
offering) and ‘Dropbox Business’ means the
business offering (which has no free offering).
4 ‘Secure Team Collaboration - Dropbox
Business’, Dropbox .
5 Google, ‘Google Workspace | Business Apps &
Collaboration Tools’, Google .
6 ‘Compare All Microsoft 365 Plans | Microsoft’
.
7 ‘Legal Practice Management Software | LEAP
Legal Software’, LEAP AU .
8 ‘Actionstep - Legal Practice Management
Software’ .
9 Google, ‘Global Locations - Regions & Zones’,
Google Cloud .
10 Dropbox, ‘Privacy Policy’, Dropbox .
11 Dropbox, ‘Dropbox Business Security, A
Dropbox Whitepaper’ 13 .
12 Google (n 9).
13 Microsoft, ‘Privacy & Security Terms’,
Microsoft | Licensing .
14 LEAP, ‘LEAP Information Security Policy |
LEAP Legal Software’, LEAP AU .
15 Actionstep, ‘Tems of Use’, Actionstep [9.4]
.
16 Dropbox, ‘Business Agreement’, Dropbox [13.2],
[13.3] .
17 This was confirmed to me by email in 1 February
2022 from a LEAP representative.
18 Actionstep (n 15) [10.5].
April 2022 THE BULLETIN 23

FEATURE
CANCELLATION COURT! DJOKOVIC
RALLIED TO SECURE RELEASE
BEFORE THE MINISTERIAL
DISCRETIONS PROVED A WINNER
CHRIS JOHNSTON AND ROSA TORREFRANCA, IMMIGRATION LAWYERS, WORK VISA LAWYERS
The two recent Djokovic visa
cancellations and appeals have
provided insight into non-character related
cancellation powers under the Migration
Act 1958.
The Federal Circuit Court and Family
Court of Australia have established an
online public file for the Djokovic matter. 1
This was done with a view to the public
interest and provides a great opportunity
to view the inner workings of the courts,
for law students or anyone interested,
to view a range of relevant documents
including primary documents from the
Department of Home Affairs (DHA)
and Tennis Australia, the lodgements
with full grounds, the parties’ submissions
and the decisions.
From a detailed analysis of the files, we
will discuss the turning points of the cases
and lessons to be learned for visa holders
trying to enter Australia.
THE FIRST DJOKOVIC CANCELLATION:
IN IMMIGRATION CLEARANCE AT THE
MELBOURNE AIRPORT BEFORE ENTERING
AUSTRALIA
Novak Djokovic was granted a 408
Temporary Activity Sports Stream visa,
on 19 November, 2021. 2 We will detail
the timing and content of interactions
between Djokovic and the Delegate of
the Minister of Immigration, because
these events subsequently proved to be
significant:
• Djokovic arrived by plane at the
Melbourne Airport just before
midnight on 5 January, 2022. 3
• He was interviewed between 00.21
and 00.52 am by a Delegate, with
some brief breaks. 4
24 THE BULLETIN April 2022
• Djokovic was given a Notice of
Intention to Cancel (NOITC) at or
about 4.11am, 6 January, 2022.
• He asked for time to rest and to “talk
to [his] solicitor again.” And asked for
this time to be up until 8.00 or 8.30.
• The Delegate checked with his
superiors and then said that Djokovic
would be given more time.
• He was interviewed by the DHA
officer from 6.07 am and the decision
to cancel was made at 7.29
• Djokovic was notified of the Decision
to cancel at 7.42 am.
The DHA decision record provides
that the grounds for cancellation:
“Under the Biosecurity Act 2015, there
are requirements for entry into Australian
Territory. These requirements include that
international travellers make a declaration
as to their vaccination status (vaccinated,
unvaccinated, or medically contraindicated).
… Previous infection with COVID-19 is
not considered a medical contraindication
for COVID-19 vaccination in Australia.
Subject to Section 116(1) of the
Migration Act 1958, the Minister may cancel
a visa if he or she is satisfied that; (e) the
presence of its holder in Australia is or
may be, or would or might be a, a risk to:
i. the health, safety or good order of the
Australian community or a segment of
the Australian community…
Based on the above information, I am
satisfied there are grounds to consider
cancelling the visa holder’s subclass GG
408 visa.” 5
Following the cancellation, Djokovic
was taken to immigration detention at the
Park Hotel, where a number of asylum
seekers in long term detention are also
held.
APPEAL TO THE FEDERAL CIRCUIT
COURT (FCC)
Arguments made before the FCC
As Djokovic did not make it through
immigration clearance, he did not ‘enter
Australia’, the 408 visa was cancelled prior
to entry. As such, merits review at the
Administrative Appeals Tribunal (AAT)
was not available and his appeal options
were limited to the Federal Circuit Court.
An appeal of the cancellation decision
was lodged on the 6 January, 2022. The
applicant’s Representatives 6 submitted
that there were a “variety of jurisdictional
errors”. These grounds included:
• Failure to give the required notice
under section 119(1), (Ground 1A).
• Error in purported formation of state
of satisfaction in the Decision to cancel
(Ground 1B)
• Errors in failing to consider the
applicant’s medical contraindication
(Ground 1C)
The applicant’s representative made
arguments for why Djokovic had provided
evidence for a “medical contraindication”.
Under the Biosecurity Determination
made under the Biosecurity Act 2015.
• Failure to consider representation
made by Djokovic (Ground 2A) and
illogicality and/or unreasonableness in
relation to extenuating circumstances
(Ground 2B)
• Procedural unfairness (Ground 3A)
and unreasonableness in process (3B)
preceding the cancellation.
The representatives for the DHA
submitted that all the grounds should
be rejected, with detailed arguments on
medical exemptions.
In relation to ground (1A) claiming
the NOITC was affected by error, the

FEATURE
representatives for the Minister wrote:
“That unfortunate typo misquoting the
provision in one spot is unfortunate but
immaterial.” 7
The representatives submitted
Djokovic’s claimed medical
contraindication did not meet the
requirements under the ATAGI
Exemption Guidance (Ground 1C). 8
In relation to the ground of illogicality,
the representatives warn against the slide
into impermissible merits review, citing
Minister for Immigration and Citizenship v SZJSS
(2010) 243 CLR 164 at [30]. 9 This argument
proved to be of great significance in the
second Djokovic cancellation and appeal.
In relation to the claim of lack of
procedural fairness (Ground 3A) the
representatives provided: “Here, there is
no evidence from the applicant’s lawyers
about what they would or could have done
between 7.42am and 8.30am, whom he
had contacted previously.” 10
In their conclusion, the Minister’s
representatives made the following point,
quoted below, that if the Court makes a
decision in favour of the applicant, then
the Minister has other cancellation powers
under the Act:
“if this Court were to make orders in
the applicant’s favour, it would then be
for the respondent to administer the Act
in accordance with law. That may involve
the delegate deciding whether to make
another cancellation decision, but there are
also other powers in the Act, as the Court
would be aware.” 11
FCC FINDS IN FAVOUR OF DJOKOVIC
(FIRST DECISION)
The Federal Circuit Court hearing
was before Judge Kelly on the 10 January,
2022. The hearing was video cast to
the public, but was oversubscribed, and
continually crashed.
Judge Kelly was clearly unimpressed
by many elements of the cancellation and
provided some damning comments during
the hearing.
Judge Kelly said:
“Here, a professor and an eminently
qualified physician have produced and
provided to the applicant a medical
exemption,”
“Further to that, that medical exemption
and the basis on which it was given, was
separately given by a further independent
expert specialist panel established by the
Victorian state government.” 12
Judge Kelly went on to ask: “What
more could this man have done?” 13
In relation to the submission by the
Respondents, suggesting that even if
Djokovic had access to a lawyer at the
later stages at the Airport and given the
opportunity to respond, that a lawyer could
not help him. Judge Kelly commented:
“What they are saying is, ‘Getting in
touch with your lawyers is not really going
to help any of us. Why don’t we get it
done?’” 14
Judge Kelly found in favour of the
applicant in the form of an Order. 15 The
Order was based the unreasonableness
of the cancellation process which was
Ground 3B. 16
Judge Kelly did not publish a detailed
decision and so there was no insight in the
grounds based on medical contraindication.
The Order contained a notation which
stated:
“The respondent concedes that the
delegate’s decision to proceed with the
interview and make a decision to cancel
the applicant’s visa pursuant to s 116
of the Migration Act 1958 (Cth) was
unreasonable in circumstances where:
1. at 5:20am on 6 January 2022 the
applicant was told that he could have
until 8.30am to provide comments in
response to a Notice of Intention to
Consider Cancellation under s 116 of
the Migration Act 1958 (Cth);
2. instead, the applicant’s comments were
then sought at about 6:14am.
3. the delegate’s decision to cancel the
applicant’s visa was made at 7.42am;
4. the applicant was thus denied until
8.30am to make comments;
5. had the applicant been allowed until
8:30am, he could have consulted others
and made further submissions to the
delegate about why his visa should not
be cancelled.” 17
The Order was that the decision to
cancel be quashed 18 and that Djokovic be
released immediately from immigration
detention. 19
FIRST CANCELLATION AND SUCCESSFUL
APPEAL: LESSONS TO BE LEARNT
Djokovic and any person entering
Australia on a visa should take a number
of steps to have been better prepared for a
potential interview at the airport.
These could have included:
• Ensuring all information provided
to the DHA or the Department of
Foreign Affairs and Trade (DFAT) is
accurate, including the information
relating to travel and medical history
and criminal history (including previous
convictions)
• Arriving at a time when he could more
easily be represented, rather than at
around midnight.
April 2022 THE BULLETIN 25

FEATURE
• Having a full set of his supporting
documents available to him at the
airport.
Having an Immigration Lawyer at the
airport or at least on call at the time of
arrival, so that they could have assisted
him with his opportunity to respond.
In circumstances where someone has
had their visa cancelled in immigration
clearance, the possibility of a successful
appeal of an airport cancellation to the
FCC has been demonstrated by Judge
Kelly’s order. The process of cancellation
and the reasonableness of denying
access to a lawyer are areas of potential
jurisdictional error.
DJOKOVIC PREPARING TO PLAY AND
WAITING FOR A FURTHER DECISION
After Djokovic’s successful appeal,
there were four days of waiting to see if
there would be a second cancellation.
During this time, there was a high
level of scrutiny in the media in relation
to Djokovic’s actions in the weeks leading
up to his travelling to Australia. 20 These
articles raised issues which could have
been grounds for a further cancellation.
The issues included whether he had been
accurate in his travel declaration form that
was completed prior to entering Australia.
Further issues emerged in relation to
Djokovic’s actions immediately following
his finding out that he had contracted
Covid in mid-December, 2021. It was
reported that he attended public events
like the commemoration of his personal
stamp in Serbia and a basketball match
in Barcelona after testing positive for
COVID-19. 21
As these details emerged in the media
Djokovic made statements in his social
media saying that there had been errors. 22
Djokovic was likely attempting to
reduce the chance of a cancellation
under s116(1AB) for providing incorrect
information.
THE SECOND DJOKOVIC CANCELLATION:
BACK TO DETENTION AND FULL FEDERAL
COURT APPEAL
The second decision relates to what
is often called the God powers of the
Minister of Immigration.
26 THE BULLETIN April 2022
At the 10 January, 2022 hearing of
Djokovic’s application to quash the 6
January, 2022 decision of the Delegate
of the Minister to cancel his visa, counsel
for the Minister for Home Affairs
informed the Court that the Minister for
Immigration, Citizenship, Migrant Services
and Multicultural Affairs (Minister) would
be considering whether or not to exercise
the Minister’s personal power to cancel
a visa under s133C(3) of the Migration
Act. 23 The relevant part of s133C(3) reads:
133C Minister’s personal powers to
cancel visas on section 116 grounds
Action by Minister—natural justice does not
apply
(3) The Minister may cancel a visa held by a
person if:
i. the Minister is satisfied that a
ground for cancelling the visa
under section 116 exists; and
(b) the Minister is satisfied that it would be
in the public interest to cancel the visa.
Note: The Minister’s power to cancel a
visa under this subsection is subject to
section 117 (see subsection (9) of this
section).
(4) The rules of natural justice, and the
procedures set out in Subdivisions E
and F, do not apply to a decision under
subsection (3).
As mentioned above, the delegate of
the Minister cancelled Djokovic’s visa
pursuant to Section 116(1)I(i) of the
Migration Act 1958(Cth), which reads:
116 Power to cancel
1. Subject to subsections (2) and (3), the
Minister may cancel a visa if he or she
is satisfied that:
…
I the presence of its holder in Australia is or
may be, or would or might be, a risk to:
i. the health, safety or good order
of the Australian community
or a segment of the Australian
community; …
The power given to the Minister
under s133C(3) is personal and cannot be
delegated.
It is also clear under s133C(4) that the
Minister in exercising the power is not
required to afford ‘natural justice’ to the
visa holder. It will be recalled that natural
justice was the reason why the Minister’s
delegate’s decision made on 6 January,
2022 was quashed by the Court. The
procedure adopted by the delegate was
unreasonable. 24
So it came to pass that late on 14
January, 2022 (a Friday) as foreshadowed
by the Minister’s counsel, the Minister
exercised his power to cancel Djokovic’s
visa under the above-mentioned section.
Djokovic had the resources to mobilise
a legal team to work late on a Friday night
in order to file an urgent application seeking
interim relief and for judicial review.
The following day (Saturday), the matter
was transferred from the Federal Circuit
and Family Court to the Federal Court.
The Chief Justice directed that the original
jurisdiction be exercised by a Full Court.
On the Sunday, a day before the start
of the Australian Open, Djokovic was
in court but probably not the court he
thought he would be attending when
he arrived in Australia late on 5 January,
2022. The matter was heard by Allsop CJ,
Besanko and O’Callaghan JJ.
The Court on the same day of the
hearing dismissed Djokovic’s application,
with costs.
Djokovic’s grounds
Djokovic’s legal team put forward
three grounds 25 :
1. That the Minister’s decision had binary
legal outcomes, that is, not to cancel
and let Djokovic stay in Australia or
cancel his visa, detain him and remove
him from Australia. They argued that
it was unreasonable for the Minister
to only consider the effect of his
presence in Australian but not the
effect if Djokovic gets deported. The
Minister’s decision is therefore affected
by jurisdictional error.
2. They submitted that the Minister cited
no evidence that supported his findings
that Djokovic’s presence in Australia
may “foster anti-vaccination sentiment”
and therefore he cannot make the
finding that Djokovic may be a risk to
the health of the Australian community,
that he is a risk to the good order of
the Australian community and that it
would be in the public interest to cancel
Djokovic’s visa.
3. It was also argued that the Minister

FEATURE
did not seek Djokovic’s view on
vaccination, instead the Minister relied
on an interview conducted in April
2020 wherein Djokovic said that he
was “opposed to vaccination”.
It was noted that at the time of this
interview, COVID-19 vaccines were
not yet available and that Djokovic later
clarified his position that he was “no
expert”, “would keep an open mind” and
would want to have an “option to choose
what’s best for my body.” 26
The Court dismissed all three grounds.
Reasons of the ruling
The crux of this matter turns on the
“satisfaction” of the Minister as provided
for by s 133C(3)(a) of the Act that there
is a ground for cancelling the visa under
s116(1)(e)(i) of the Act and the Minister
is satisfied that it would be in the public
interest to cancel the visa (s133C(4).
As ruled by the Court, “[t]he
satisfaction of the Minister is not an
unreviewable personal state of mind. The
law is clear as to what is required. If, upon
review by a court, the satisfaction is found
to have been reached unreasonably or was
not capable of having been reached on
proper material or lawful grounds, it will
be taken not to be a lawful satisfaction for
the purpose of the statute” 27 :
The Court further ruled in paragraphs
25 to 26 and 28, so long as the Minister in
exercising his power to cancel the visa “do
so based on some evidence, rather than no
evidence or no material, unless the finding
is made in accordance with the Minister’s
personal or specialised knowledge or
by reference to that which is commonly
known”: The High Court (Keane,
Gordon, Edelman, Steward and Gleeson
JJ) in Minister for Immigration, Citizenship,
Migrant Services and Multicultural Affairs v
Viane [2021] HCA 41; 395 ALR 403 and
does “not act dishonestly, capriciously
or arbitrarily”, then the “Courts of law
cannot and ought not interfere” : Starke
J in Boucaut Bay Company Ltd (in Liq) v
Commonwealth [1927] HCA 59; 40 CLR 98
The Minister in cancelling Djokovic’s
visa provided a 10-page Statement of
Reasons. The Minister did not have the
obligation to provide the statement of
reasons 28 but perhaps in anticipation of
a legal challenge and the publicity of the
case, did so.
In the Minister’s Statement of Reasons,
the Minister noted among others, that:
1. Djokovic is a high-profile personality;
2. who is unvaccinated;
3. has publicly declared that he was
opposed to being vaccinated;
4. Djokovic has disregarded precautionary
requirements to stop the spread of
COVID-19 by attending an interview
and photoshoot after receiving his
positive COVID-19 test result. 29
The Minister in his reasons noted
the Djokovic’s presence in Australia may
foster anti-vaccination sentiment and may
persuade the undecided against getting the
COVID-19 vaccine or the booster at the
time when there is a surge in the number
of COVID-19 infections in Australia. 30
Djokovic’s arguments failed because as
the Court ruled the legal requirement was
whether the Minister is “satisfied” that the
“presence” of the visa holder may be a
risk to the health, safety or good order of
the Australian community. The Minister
is not required to consider the effects of
deporting the visa holder. 31
The Court also ruled that it was
open for the Minister to find that it was
perceived by the public that Djokovic
was not in favour of vaccinations and not
necessarily about Djokovic’s views.
Further, it was noted that it was not
that Djokovic’s actions and statements
were/are a threat to public health, safety
or good order but it is his presence in
Australia may be, or would or might be,
a risk to the health, safety or good order
of the Australian community or a
segment of the Australian community.
YOUR fertility, YOUR way
Intelligent science, caring for
YOUR fertility, in South Australia
Can you see children in your
future but you aren’t ready yet?
It’s YOUR timeframe.
The benefit of time – is the time to pursue
your dream career, to meet the right partner,
or to pursue your family when you feel ready
– all with the peace of mind that you’ll be able
to start your family when YOU feel it’s right.
The main options for preserving fertility is to
freeze eggs, sperm or embryos. For women,
we offer state of the art freezing techniques,
giving you the best opportunity for pregnancy
later. For men, we freeze a sample of your
semen for later use. Call us and we can
support your decision making.
Own YOUR future | 08 8100 2900
April 2022 THE BULLETIN 27

FEATURE
Therefore, all the Minister has to show
is that he is satisfied that Djokovic is a
possible influence, a hero for anti-vaxxers.
THE MINISTER’S “GOD-LIKE” POWERS
The Court’s decision highlights
the powers vested on the Minister of
Home Affairs which has been described
as “god-like”.
To give us an idea of how broad and
substantial the powers of the Minister are, a
report, “Playing God, The Immigration Minister’s
Unrestrained Power” 32 published by Liberty
Victoria in 2017 noted that the Minister
for Immigration and Border Protection
(as the Minister was then known) has the
most discretionary powers of any Cabinet
Minister. The Minister for Immigration is
responsible for the administration of 20
Acts but has 47 ‘national interest’ or ‘public
interest’ powers. Compare this to the Prime
Minister who is responsible for 43 acts
but only has 3 ‘national interest’ or ‘public
interest’ powers. 33
It may be a surprise for most
Australians to know that the Minister
for Immigration has powers that are not
subject to natural justice.
Quoting the Liberty Victoria’s report:
“The concept of natural justice is so
fundamental to Australian law that the courts
have repeatedly held that it cannot be excluded
from such a decision without ’plain words of
necessary intendment’, a ‘clear manifestation’
of the legislature’s intention to deny it. Without
such plain words, legislation will always be read
to include natural justice and decisions must be
made in accordance with its requirements.” 34
Section 133(C) of the Migration Act
is just one of the many powers conferred
upon the Minister for Immigration. While
the exercise of the power is reviewable,
the threshold for the court to overrule the
Minister’s decision is low as can be seen in
Djokovic’s case.
WHY DID DJOKOVIC LEAVE SO PROMPTLY
AFTER THE SECOND CANCELLATION?
The timing of the second cancellation
meant that there was not enough time to
effectively mount a legal challenge to the
decision of the full Federal Court.
The 2022 Australian Open was to
28 THE BULLETIN April 2022
commence the day after the decision of
the court.
There are cost implications in relation
to having been held in immigration
detention and also in relation to be being
deported 35 .
Further time in immigration detention
would also have undermined Djokovic’s
ability to maintain his physical fitness.
With potential cost implications and the
possibility of prolonged detention, it is not
surprising that Djokovic left promptly.
FUTURE IMPACTS FOR DJOKOVIC FROM
THE VISA CANCELLATION
Djokovic faces is three-year bar
pursuant to public interest criteria (PIC)
4013 and 4014 in Schedule 4 of the
Migration Regulations 1994 from applying
for a further Australian visa due to the
cancellation under s116.
He could also face problems from
public interest criteria 4020 related to
providing false or misleading information,
which applies to most Australian visas,
including the subclass 408 Sports Stream
visa. If Djokovic wants to play the
2023 Australian Open, he will need to
successfully be granted a 408 visa. There
is significant potential for information
provided as part of his most recent 408, to
be found to be misleading. This includes
his Australian Travel Declaration in which
he said he had not travelled in the 14 days
prior to his flight to Australia. 36 There is,
allegedly potential evidence to suggest
Djokovic did travel during that time.
There is a permanent residency visa
called the Distinguished Talent Visa, which
allows for people in professions, sports and
the arts to apply for permanent residency.
The criteria includes that the person must
be able to demonstrate that they are at the
top of the field and that they could easily
obtained employment within Australia.
Having struggled to meet the
requirements for a temporary visa to
enter Australia, Djokovic could potentially
apply to become an Australian permanent
resident through a Distinguished Talent
Visa. But the question is would he want to?
IMPLICATIONS FOR HIGH PROFILE VISITORS
TO AUSTRALIA WHO MAY POSE A RISK?
The Full Federal Court decision raises
the question - Are the powers of the
Minister of Immigration too wide?
The God powers of the Minister
under the Migration Act 1958 in s116(e)
i are not restrained to be exercised in
favour of health issues such as in a
pandemic.
The speculative and low level of
potential risk is “may be, our would or
might be, a risk to” provides great power
to define the future risk.
The type of risk is to “the health,
safety or good order of the Australian
community or a segment of the Australian
community”.
We have just seen an example of
“health”, but “safety” is a wide concept
and “good order” similarly vague.
Is being able to cancel someone’s visa
based on something that might or may
happen representing the best the interests
of Australia?
There may be other public figures that
could arrive to work in Australia and have
their visa cancelled due to the possibility
of arousing a strong public response in
relation to a particular issue. For example,
could Greta Thunberg represent a risk
to Australia’s good order, if she “may”
inspire many young people to go to
environmental protests?
The next high profile visa cancellation
could be just around the corner. Prime
Minister Scott Morrison responded to a
question about Kanye West by saying:
“the rules are you’ve got to be fully
vaccinated.” 37
WHAT ARE THE PRACTICAL LESSONS
FROM THE SECOND CANCELLATION USING
THE MINISTERIAL POWERS?
The involvement of the world’s
number one tennis player is unusual
but visa cancellations are actually fairly
common in migration law.
1. Timing
Do not be fooled by the quick results
in Djokovic. The speed as to when the
case was listed and when the decision
was handed out. This does not reflect
the reality in immigration cases where
normally matters takes months even years
to be resolved. The Biloela family, the
Sri Lankan Tamil family who has been in
detention since 2018, is a case in point.

FEATURE
2. Re-cancellation
The re-cancellation of Djokovic’s visa
raises the question of why appeal?
It is often difficult to justify to a
potential client the expense and time
involved in challenging a cancellation at the
Federal Circuit Court.
When even if successful the Minister
may and often does step in and cancel the
person’s visa again.
What is the point in appealing when
the Minister can re-cancel the visa under
s133C. The Minister can also cancel visas
not just on the grounds stated in s 116 (1)
but also on character grounds under s 501
of the Migration Act.
As discussed above, how about other
“high-profile” candidates or visa holders?
Could their visa also be cancelled on the
ground that they pose a risk to Australia’s
“public order”.
3. Costs involved in appealing to the
Federal Court
The second Djokovic application to the
full Federal Circuit Court was “dismissed
with costs, which was to be agreed or
failing agreement assessed”. Djokovic,
being the world’s number tennis player with
millions of dollars in career earnings can
without a doubt afford to pay these costs.
However, potential clients who are
also thinking of challenging the Minister’s
decision to cancel should also be warned
about the costs involved. Visa holders are
often not aware that they are not only liable
for their own costs (the court application
fees, lawyers and barristers fees, etc) but
are also at risk of having to pay the costs
of the Minister which could be potentially
substantial if they lose.
4. High-profile visa holders beware
The Full Federal Court decision
underlines the Minister’s wide discretionary
power under s133C. High profile
personalities planning to come to Australia
should think carefully if their profiles and
views could lead to being cancelled.
5. Risk to all visa holders
The risk of having a visa cancelled is
not just for temporary visa holders but
also for permanent visa holders. Those
that hold permanent resident visas should
consider applying for Australian citizenship
to avoid any visa cancellation. B
Endnotes
1 Federal Circuit and Family Court of Australia,
Novak Djokovic Online File, https://www.fcfcoa.
gov.au/migration-law/online-file/djokovic at 30
January 2022.
2 OP Holdenson QC, N M Wood SC, N Dradojlovic, J
E Hartley, (The Applicant’s representatives) Applicant’s
outline of submissions, 8 Jan 2022, p35, in Federal
Circuit and Family Court of Australia, Novak Djokovic
Online File, https://www.fcfcoa.gov.au/migration-law/
online-file/djokovic at 30 January 2022. 2 [1].
3 Ibid, 1 [1].
4 Ibid, 100 [26].
5 Delegates Decision to Cancel under section 116
of the Migration Act 1958, Sudhir R, Position
Number 60063579, 06 January 2022, 7.29am
6 OP Holdenson QC, N M Wood SC, N
Dradojlovic, J E Hartley, (The Applicant’s
representatives) Applicant’s outline of
submissions, 8 Jan 2022, p35, in Federal Circuit
and Family Court of Australia, Novak Djokovic
Online File, https://www.fcfcoa.gov.au/migrationlaw/online-file/djokovic
at 30 January 2022.
7 Ibid, at 23 [3].
8 Christopher Tran and Naomi Wootton, (The
Respondent’s representatives) Respondent’s
outline of submissions, 9 Jan 2022, p35, in
Federal Circuit and Family Court of Australia,
Novak Djokovic Online File, https://www.fcfcoa.
gov.au/migration-law/online-file/djokovic at 12
February 2022 30-53 [5-9]
9 Ibid, 63 [10], Citing See Minister for Immigration
and Citizenship v SZJSS (2010) 243 CLR 164
at [30] (the Court, referring with approval to
observations of Basten JA with whom Allsop P
(as his Honour then was) agreed in Swift v SAS
Trustee Corporation [2010] NSWCA 182 at [45]);
Carrascalao v Minister for Immigration and Border
Protection (2017) 252 FCR 352 at [32] (the Court).
10 Ibid, para 15 [3].
11 Ibid, 76, [12].
12 Karen Sweeney, Judge: ‘What more could Djokovic
do?’, (Web Article, 10 January 2022) https://
indaily.com.au/news/national/2022/01/10/
judge-what-more-could-djokovic-do/.
13 Ibid.
14 Aaron Patrick, Djokovic scored a judge who’s a fan, of
his case, Australian Financial Review, 10 January
2022, (Web Article) https://www.afr.com/workand-careers/workplace/djokovic-scores-a-judgewho-s-a-fan-of-his-case-20220110-p59n1e.
15 Order of Kelly J, in Novak Djokovic v Minister
for Home Affairs (Federal Circuit Court,
MlG35/2022, 10 January 20220.
16 Ibid, Notation, [2].
17 Ibid, [2].
18 Ibid, 1 [1].
19 Ibid, 3 [1].
20 Georgia Hitch and Stephanie Borys, ABC News,
Questions raised over Novak Djokovic travel declaration
on entry form to Australia (Web Article, 12 January
2022)
; See also ESPN,
New wrinkle: Travel declaration made by top-ranked
tennis star Novak Djokovic raising questions about his
compliance with Australia’s COVID-19 rules (Web
Article 11 January 2022) https://www.espn.
com.au/tennis/story/_/id/33039293/prime-
ministers-australia-serbia-speak-phone-novak-
djokovic-disputed-visa.
21 Tumaini Carayol and Christopher Knaus, The
Guardian, Djokovic pictured maskless at public
event one day after positive Covid test (Web Article 9
January 2022) https://www.theguardian.com/
sport/2022/jan/08/novak-djokovic-reliedon-december-covid-infection-for-vaccineexemption-court-documents-reveal
22 Djokernole (Instagram, 12 January 2022)
< https://www.instagram.com/p/
CYnO7cDqbdj/> ; See also AlJeezera, Full text of
Novak Djokovic statement on his COVID-19 ‘errors’
(Web Article 12 January 2022) https://www.
aljazeera.com/sports/2022/1/12/full-text-ofnovak-djokovic-statement-on-his-covid-19-errors
23 Order of Judge A Kelly, in Novak Djokovic v
Minister for Home Affairs (Federal Circuit Court,
MlG35/2022, 10 January 2022, Notation; see
also Djokovic v Minister for Immigration, Citizenship,
Migrant Services and Multicultural Affairs [2022]
FCFC 3 [6].
24 Novak Djokovic v Minister for Home Affairs (Federal
Circuit Court, MlG35/2022, 10 January 20220.
25 Applicant’s Application, 6 Jan 2022, pp4- 7, in
Federal Circuit and Family Court of Australia,
Novak Djokovic Online File, https://www.fcfcoa.
gov.au/migration-law/online-file/djokovic at 12
February 2022; See also Djokovic v Minister for
Immigration, Citizenship, Migrant Services and
Multicultural Affairs [2022] FCFC 3 [69]
26 Djokovic v Minister for Immigration, Citizenship,
Migrant Services and Multicultural Affairs [2022]
FCFC 3 [72]( Allsop CJ, Besanko and
O’Callaghan JJ).
27 Ibid [21].
28 Ibid [103].
29 Ibid [44-68].
30 Ibid.
31 Ibid [95].
32 Liberty Victoria’s Rights Advocacy Project,
Playing God, The Immigration Minister’s Unrestrained
Power (2017)
33 Ibid, 4-5
34 Liberty Victoria’s Rights Advocacy Project,
Playing God, The Immigration Minister’s Unrestrained
Power (2017) 9 quoting Plaintiff M61/2010E
v Commonwealth (2010) 243 CLR 319, 352 [74]
(French CJ, Gummow, Hayne, Heydon, Crennan,
Kiefel and Bell JJ) (‘Offshore Processing Case’)
, Kioa v West (1985) 159 CLR 550, 584 (Mason J)
and 610 (Brennan J)
35 For example, NZ born AARON GRAHAM
who was a former bikie, had his visa cancelled
three times, Graham v Minister for Immigration
and Border Protection [2018] FCA 1012; see
also 9News, NZ-born bikie’s visa cancelled again
(Web Article, 6 September 2017) < https://
www.9news.com.au/national/nz-bikie-
deportation-attempt-quashed/9cd633a3-dbc8-
404c-8e06-5c1b34762343>
36 Australian Travel Declaration for Novak
Djokovic, Affidavit of Natalie Bannister filed 8
January 2022, p35
37 Eden Gillespie, Kanye West warned he must have two
vaccine doses ahead of concert tour in Australia, (2022),
SBS, https://www.sbs.com.au/news/kanye-westwarned-he-must-have-two-vaccine-doses-aheadof-concert-tour-in-australia/2313cfbe-4e4a-4cedb51f-cc8d32e865fc,
at 29 January 2022.
April 2022 THE BULLETIN 29

CYBERSECURITY
Governing cybersecurity: Critical
infrastructure, spies and consumers
ROBERT CHALMERS, LECTURER, COLLEGE OF BUSINESS, GOVERNMENT AND LAW, FLINDERS UNIVERSITY
Cybersecurity issues are running hot.
Hacking is becoming more pervasive
and impactful, naturally following the
expansion of computing into every
aspect of our lives. Now our ‘Internet
of Things’ (IoT) devices, wearables and
other consumer devices are part of the
“attack surface” that we project into the
world. Businesses and organisations are
devoting significant effort to managing the
risks in response to constant probing for
vulnerability and attacks seizing up their
systems or stealing and exposing their
information (and that of their consumers
and partners). Lawyers are called on to
advise and assist in relation to prevention,
recovery and associated contracts and
litigation, but they themselves (and the IT
providers they rely on) are hardly immune
to these same problems. 1
Governments too are subject to
intrusions, from state and non-state actors.
They have also been issuing more strident
calls for individuals and organisations
to protect themselves and steadily
introducing additional legislative controls
to try to regulate cyber risks. Further
reforms are now proposed in fields
including private and public infrastructure,
electronic surveillance and consumer
protection. What are these, what impact
will they have on the law, and what do they
tell us about future trends?
‘ALL YOUR BASE ARE BELONG TO US’ 2
Much of the current legislative push
comes from the Department of Home
Affairs, which has been steadily layering up
controls and powers in recent years. One
of its priorities is to increase the security
and resilience of critical infrastructure
and systems of national significance.
Following the introduction of the Security
of Critical Infrastructure Act 2018 (Cth) and
the Security Legislation Amendment (Critical
Infrastructure) Act 2021 (Cth) (SLACI Act),
consultations have recently closed on
30 THE BULLETIN April 2022
exposure draft of further amendments: the
Security Legislation Amendment (Critical
Infrastructure Protection) Bill 2022.
You would be forgiven for thinking
that the scope of ‘critical infrastructure
and systems of national significance’
might be fairly restricted. However it is
expansive: the SLACI Act expanded the
coverage of the framework from four
to eleven sectors (communications, data
storage or processing, financial services
and markets, water and sewerage, energy,
healthcare and medical, higher education
and research, food and grocery, transport,
space technology, defence industry) and
22 asset classes. So huge swathes of the
economy are covered and now obliged
to report cyber incidents and give owner
and operator information to the Register
of Critical Infrastructure Assets. The new
Bill would enact a framework for risk
management programs, declarations of
systems of national significance and further
enhance obligations on cyber security.
SPIES LIKE US
Electronic surveillance is also lined
up for further reform, adding to already
considerable changes in recent years. The
legislation in this area is extensive and
includes the Telecommunications (Interception
and Access) Act 1979 (Cth) (TIA Act), the
Surveillance Devices Act 2004 (Cth) (SD
Act), the Australian Security Intelligence
Organisation Act 1979 (Cth) (ASIO Act),
the Telecommunications Act 1997 (Cth),
and elements of state and territory laws.
Powers for electronic surveillance have
been steadily growing, and this increase has
often been linked to the need to counter
the growing sophistication of technologies
in communication and cryptography. As
the recent discussion paper itself said:
[t]o keep pace with technology and the criminals
who seek to exploit it, the Government has
amended the TIA Act more than 100 times,
with most amendments occurring in the past
15 years. As a result, the powers currently
in the TIA Act, SD Act and parts of the
ASIO Act and Telecommunications Act span
more than 1,000 pages of legislation and
contain more than 35 different warrants and
authorisations. 3
Government is proposing further
powers for the Australian Federal Police
and the Australian Criminal Intelligence
Commission ‘to combat dark web
and anonymising technologies’ and is
considering repeal of the legislation referred
to above, replacing it with ‘one single Act
that is clearer, more coherent and better
adapted to the modern world’. 4 It points
to similar reforms in the UK and NZ: also
members (along with the US and Canada)
of the so called “5 eyes” security alliance.
Expect an exposure draft in late 2022.
PROTECTING THE CYBER CONSUMER
In the brave new world of pervasive
computing, everything is connected. In
response fields of regulation once separate
and more static are being drawn together
and subjected to a much higher rate of
change. National security, privacy, digital
identity, rights to personal communication,
and consumer protection converge, but
are also in tension. One example where
these issues converge is in IoT devices:
everything from wearables 5 to home
infotainment hubs, robotic vacuum
cleaners 6 , toys and surveillance cams (with
sometimes the latter two being one and
the same). 7
In support of this over the last few
years government has been considering
and implementing various measures. In
2020 it introduced a Voluntary Code of
Practice: Securing the Internet of Things
for Consumers’​. 8 This covers smart
products such as lights, TVs, watches,
baby monitors, and connecting routers and
sets out 13 principles for manufacturers

CYBERSECURITY
to abide by, based on consultations led by
the Department of Home Affairs and the
Australian Signals Directorate. Further
research in 2021 indicated difficulties in
implementing the voluntary, principlesbased
guidance. Firms called for clearer
guidance and internationally aligned
standards, but even simple measures
such as vulnerability disclosure policies
were not being adopted. Government
is now considering moving from
voluntary to mandatory cyber security
standards for smart devices and/or cyber
security labelling. 9 With the exception
of the Privacy reforms dealt with below,
specific reform detail has not yet been
tabled. However, it seems very likely that
additional measures will be introduced.
Government specifically flagged it was
considering changes to the Australian
Consumer Law to enhance consumer
guarantees and bring clearer application
to digital products, and many of these
IoT devices are connected to, or sold and
supported by, the digital platforms that
are the subject of broader enquiries and
activities by the Australian Competition
and Consumer Commission. 10
Turning to the subject of privacy
reform, late in 2021 the Government
unveiled an exposure draft for a new
Online Privacy Bill, 11 which would
enable binding online privacy codes
applicable to digital platforms, in addition
to strengthening general penalties 12
and enforcement under the Privacy Act
1988 (Cth). The online privacy codes
could go beyond standard privacy code
measures and introduce more granular
consent requirements and age verification
measures, as well as the capacity for
consumers to withdraw consent.
Government has also released a discussion
paper contemplating additional reforms
based on international data and consumer
protection law, including the European
General Data Protection Regulation. 13
There has been extensive academic
exploration of the trends and possible
direction for regulation of IoT devices,
which provides guidance as to likely
options, and further suggests additional
regulation is likely. 14
A CYBER EYE TO THE FUTURE
The immediate future looks even more
crowded with reform than the recent past.
Even if there is then a lull on some of
those fronts, other related fields are already
the subject of regulatory attention: not
least that of digital identity. This connects
to issues of age verification, recently
introduced director ID, and broader
government and private developments
in pursuit of a ‘Trusted Digital Identity
Framework’. 15
It is important that in designing
appropriate regulatory frameworks we
are not distracted by the ever shifting
sands of technical standards, but rather
maintain a clear focus on the underpinning
principles and human rights that need to
be maintained. Lawyers have a critical and
ongoing role to play in securing that future
and designing appropriate regulatory
frameworks. Turning a blind eye to cyber
issues as simply ‘technical’ matters is not
an option. B
Endnotes
1 For example, Allens and the Australian Securities
and Investments Commission were both hit by
a cyber-attack mediated by software they were
reliant on: The Australian Financial Review (online,
25 January 2021) .
2 Internet ‘engrish’ meme derived from a computer
game involving battles with cyborgs, used here
with reference to the extension of regulation over
a very broad field.
3 Department of Home Affairs, Reform of Australia’s
electronic surveillance framework (online, 2021
Discussion Paper) 5 .
4 Ibid 4.
5 In this regard note the security breaches connected
to the Strava app: Thomas Brewster, ‘Why Strava’s
Fitness Tracking Should Really Worry You’ (online,
29 January 2018) Forbes .
6 Note that the terms of service for ‘roomba’
vacuum cleaners permit them to map your home
and send this data to irobot: .
7 Amelia Tait, ‘Are smart toys spying on children?’
The New Statesman (online, 6 December 2016)
.
8 Department of Home Affairs, Voluntary Code of
Practice - Securing the Internet of Thing​s for Consumers​
.
9 Department of Home Affairs, Strengthening
Australia’s cyber security regulations and incentives
An initiative of Australia’s Cyber Security Strategy 2020
.
10 ACCC, Digital Platforms .
11
Attorney General’s Department, Online Privacy
Bill Exposure Draft .
12 up to 10% of an organisation’s turnover.
13
Attorney General’s Department, Privacy Act Review
– Discussion paper .
14
See e.g. Jeannie Marie Paterson, Yvette Maker ‘AI
in the Home: Artificial Intelligence and Consumer
Protection’ - to be published in Ernest Lim and
Phillip Morgan (eds), The Cambridge Handbook of
Private Law and Artificial Intelligence (Cambridge
University Press, Forthcoming) and available
at ; Kayleen Manwaring,
Roger Clarke, ‘Is your television spying on
you? The Internet of Things needs more than
self-regulation’ Computers and Law: Journal for the
Australian and New Zealand Societies for Computers
and the Law (2021) 93, 31-36 available at .
15 Australian Government, Trusted Digital Identity
Framework (TDIF) .
April 2022 THE BULLETIN 31

FEATURE
Tour de France: Avoiding the
domino effect in the peloton
ANNEMARIE GOODWIN, SPORTS LAWYER
This article aims to minimise crashes at
Tour de France. This article identifies
a link between crashes and spectator
inference, physical contact during sprint
finishes and detour disqualifications. Cycling
is a dangerous sport. Crashes are inevitable.
The law must still try to minimise crashes,
avoiding the domino effect in the peloton.
SPECTATOR INTERFERENCE
Should spectator interference be
tolerated at Tour de France? No. This is
highlighted by an incident at 2021 Tour
de France. A fan stepped onto the road,
with their back to the oncoming peloton.
The fan held up a sign (which contained a
message for relatives) to the TV cameras.
The fan was not cheering on cyclists. They
were trying to get themselves on TV. Cyclist
Tony Martin crashed into the sign. This
caused a domino effect in the peloton. The
result was arguably the worst crash in Tour
de France history. 26 cyclists were injured. 1
French police arrested the fan over this
incident. 2 The fan was charged with reckless
endangerment and involuntarily causing
injuries. Maximum punishment was one
year in prison and $15000 EU fine. Due
to their mental health, the fan was issued
a $1200 EU fine. The result was to deter
spectators from causing crashes at Tour
de France in the future. Race organisers
decided not to take legal action against the
fan. Injured cyclist Marc Soler considered
suing the fan. 3 A harsh fine and/or criminal
charges is appropriate. The fan deliberately
chose to obstruct the road, causing
widespread harm. The winner of Tour de
France should not be whichever cyclist is
lucky enough to avoid being knocked down
32 THE BULLETIN April 2022
by a roadside fan. The winner should be the
cyclist with the most strength and skill.
Does responsibility to prevent spectator
interference rest with race organiser ASO
(Armaury Sport Organisation), the UCI
(Union Cycliste International), French
police or the spectators themselves?
Eliminating spectator interference is a
shared responsibility between ASO, the
UCI, French police and roadside fans. ASO,
the UCI and French police are already
doing everything possible to prevent
spectator interference. ASO and the UCI
do not have the unlimited funds required
to place barriers along the entire Tour de
France route. French police do monitor
roadside fans. At the 2021 Tour de France,
French police arrested the spectator who
caused Tony Martin’s crash. Given the
ratio of French police to roadside fans,
it is unreasonable to make French police
solely responsible for eliminating spectator
interference. In other sports like tennis,
security can permanently eject a disruptive
fan from the stadium. If French police
eject a disruptive fan from one section of
the race route then the fan can re-enter at
another section of the race route.
The UCI regulations should be urgently
redrafted to address spectator interference
at Tour de France. A new law is required
which imposes heavy fines and/or criminal
charges on fans who cause crashes.
Spectator interference must be defined
very broadly to include any act. Examples
do not just include the fan making contact
with a cyclist. Examples also include an
object held by a fan (sign, camera strap
etc) and smoke from a flare held by a fan
making contact with a cyclist. The law
should apply regardless of whether the
spectator interference is accidental or
intentional. All that is required by way of
evidence is video footage of the incident.
Proceeds of the fine should be passed
onto the cyclist, to compensate for any
loss. Heavy fines and/or criminal charges
should eliminate spectator interference. A
ban on roadside fans at Tour de France is
not a viable option. Their presence cheers
up cyclists and enhances TV coverage for
viewers. In other sports like tennis there is
distance between a fan and their favourite
athlete. Close proximity between a fan and
their favourite rider makes cycling a great
spectator sport.
PHYSICAL CONTACT
Should a cyclist be punished for
deliberate physical contact in a sprint finish?
Yes. There have been several relegations
for repeated headbutting in a sprint finish,
including Fernando Gaviria and Andre
Greipel at 2018 Tour de France 4 and Caleb
Ewan at 2019 Tour Down Under. 5 These
decisions show accidental physical contact
is acceptable in a sprint finish but clearly
deliberate physical contact is not.
Some commentators claim deliberate
physical contact during a sprint finish is
simply part of the sport. 6 The fact that
a practice has existed for a long time
does not automatically mean it is the best
practice. Cycling is dangerous enough
without cyclists deliberately knocking their
opponents in the rush to the finish line.
Cycling is not a contact sport like boxing.
The Tour de France winner should not
be whichever cyclist in the peloton is best
at knocking their opponents out the way.

FEATURE
The Tour de France winner should be the
cyclist with the most strength and skill.
The 2019 Tour Down Under highlight
was arguably Elia Viviani’s Stage 1 win. 7 A
viewer can watch this sprint finish several
times without becoming bored. The win
was a result of strength and skill. No
physical contact required.
DETOUR DISQUALIFICATIONS
Should a cyclist be disqualified for a
mid-race detour? No. The UCI introduced
detour disqualifications in 2014. 8 The reason
for this rule is that detours can endanger
roadside fans. They might also give a
cyclist an unfair advantage over the rest of
the peloton. The UCI Regulations offer
punishments which include disqualification
or a time penalty. The UCI Regulations
also state race organisers will help minimise
detours by marking the race route (using
barriers or tape) where it is alongside a
sidewalk, pavement or cycle path.
Some commentators claim cyclists have
been racing on sidewalks which do not form
part of the official race route for so long it
is simply part of the sport. 9 The fact that a
practice has existed for a long time does not
automatically mean it is the best practice.
Some team managers believe barriers, not
disqualification, should be used to prevent
cyclists from detouring off the official
race route. It is better to deter detours
through time penalties or disqualification
than barriers, which cost money. The UCI
Regulations on detours are correct. UCI
officials still need to use common sense. In
most detour cases, disqualification is not
appropriate. Most detours are too trivial to
impact on the overall race result. If they do
then UCI officials should simply impose
a time penalty to address the advantage
a detour has given a cyclist over the rest
of the peloton. Most detours are made to
avoid a mass crash in the peloton. Cyclists
should be encouraged to Ride defensively
without fear of disqualification. Only if the
detour is not made to avoid a mass crash in
the peloton and endangers roadside fans is
disqualification appropriate.
There have been two significant detour
cases. Peter Sagan’s detour at 2018 Amstel
Gold and Luke Rowe’s detour at 2018
Tour of Flanders. 10 Sagan’s detour did not
endanger fans. Rowe’s detour did.
What if a detour avoids a mass crash
in the peloton but also endangers roadside
fans? How does the UCI morally evaluate
if cyclist or fan safety is more important?
These examples provide guidance on how
UCI officials should assess a detour.
CONCLUSION
This article finds solutions to minimise
crashes at Tour de France, eliminate
spectator inference and deliberate physical
contact between cyclists in a sprint finish,
and allow cyclists to detour without
disqualification if the reason is to avoid a
mass crash in the peloton. These solutions
avoid the domino effect in the peloton. B
Endnotes
1 James Matthey, ‘Shocking list emerges after idiot
fan causes horrifying Tour de France crash’,
27/6/21, news.com.au https://www.news.com.
au/sport/cycling/shocking-list-emerges-afteridiot-fan-causes-horrifying-tour-de-france-crash/
news-story/0204e2f318b44d013c02fc8d37389397
2 Chris Marshall-Bell, ‘Tour de France organisers
will not sue fan who caused mass pile-up on stage
one’, Cycling Weekly, 2/7/21
https://www.cyclingweekly.com/news/tour-defrance-organisers-will-not-sue-fan-who-causedmass-pile-up-on-stage-one
3 Alasdair Fotheringham, ‘Injured Soler considers
legal action against fan who triggered Tour de
France crash’, Cycling News, 1/7/21
https://www.cyclingnews.com/news/injuredsoler-considers-legal-action-against-fan-whotriggered-tour-de-france-crash/
4 ‘Headbutts see relegations as sprinters melt
down’, 15/7/18, SBS https://www.sbs.com.au/
cyclingcentral/article/2018/07/15/headbuttssee-relegations-sprinters-melt-down
5 Matt de Neef, ‘Double drama at Tour Down
Under: Bevin Crashes, Ewan Relegated’, [16-
17], 19/1/19, Cycling Tips https://cyclingtips.
com/2019/01/double-drama-at-the-tour-downunder-bevin-crashes-ewan-relegated/
6 ‘Controversy and Crashes TDU 5 th stage’,
19/1/19, SBS https://www.sbs.com.au/
cyclingcentral/article/2019/01/19/controversyand-crashes-tdu-fifth-stage
7 Chris Marshall-Bell, ‘Elia Viviani wins Tour
Down Under Stage 1 after superb late sprint’,
15/1/19, Cycling News https://www.
cyclingweekly.com/news/racing/elia-vivianiwins-tour-stage-one-superb-late-sprint-404926
8 UCI Cycling Regulations – Part 2 Road Races –
Article 2.2.015, 2.2.025 and 2.12.007 [7.6].
https://www.uci.org/inside-uci/constitutionsregulations/regulations
9 Patrick Fletcher, Sadhbh O’Shea, ‘Officials ready
to disqualify riders using sidewalks’, [13-15],
31/3/17, Cycling News http://www.cyclingnews.
com/news/tour-of-flanders-officials-ready-todisqualify-riders-using-sidewalks/
10 Richard Windsor, ‘UCI must be consistent’,
19/4/19, Cycling Weekly http://www.
cyclingweekly.com/news/racing/uci-mustconsistent-tiesj-benoot-critical-governing-bodybike-path-rules-376869
About the author
Annemarie Goodwin is a Sports Lawyer who
specialises in tennis and cycling.
April 2022 THE BULLETIN 33

TAX FILES
Trust distribution alerts
JOHN TUCKER, DW FOX TUCKER LAWYERS
On 23 February, 2022 the
Commissioner of Taxation issued a
number of publications, some still drafts,
that will impact on decisions regarding
trust distributions that are required to be
made by 30 June, 2022.
Of the publications, three are
concerned with reimbursements
agreements under s100A of the Income Tax
Assessment Act 1936, and the remaining
one is concerned with Division 7A and its
application to unpaid trust distributions
from a trust to a company.
The only publication of immediate
effect is Taxpayer Alert TA 2022/1. In
this Alert the Commissioner advised that
his office is reviewing trust arrangements
where trust income is appointed between
members of a family group, including
children over 18 years of age, but it
appears in substance that the parents
exercise control over and enjoy the benefit
of the income.
An example given of the
circumstances being reviewed is where
expenses benefitting the child are, in the
Commissioner’s view, “properly understood
to be parental expenses”, referring to costs
of their upbringing as a minor, or for “the
kinds of ongoing financial support parents
would ordinarily provide for their children”.
Allied with these circumstances is
where the appointed income is seen to
be “more properly explained by the tax
outcomes detailed”, such as accessing
the tax-free thresholds, than by “ordinary
familial considerations”.
The quoted expressions are imprecise.
Some insight into them is contained in
a list of features that the arrangements
under review will, or mostly will, display.
Among these are an application of the
income distributed to meet expenses
of the parents, possibly recorded as
34 THE BULLETIN April 2022
beneficiary loans from the trustee to the
parents, which the children then actually,
or purportedly, direct to be repaid. Also
these might include expenses in the
upbringing of the child, such as school
fees or living at home expenses (as
opposed to meeting reasonable rent for
living away from home or car expenses),
where there is no expectation of these
being repaid by the children from any
source of income other than the trust
distributions.
Tax Alerts are used by the
Commissioner to express “concerns”
generally on the basis of his assertion
of perceived unlawful tax avoidance.
Given the penalties applicable to any
arrangement found to be that and the
cost of any attempt to dispute such
a perception, the expression of such
concerns generally suffices to deter all
from risking a challenge to the concerns
stated by the Commissioner.
In TA 2022/1, apart from the spectre
of tax avoidance, the Commissioner
also raises sham, sections 100A, 95A(1)
and 97(1) of the 1936 Assessment Act,
but only by reference and without any
supporting explanation.
With these sorts of arrangements
being quite common, and the need by 30
June, 2022 for trustees to make decisions
about the distribution of trust income,
this Alert will, for many, require careful
consideration.
Of note in the concerns listed in the
Tax Alert is mention of section 100A
and that the arrangements described may
constitute a “reimbursement agreement”
for its purposes.
Section 100A was introduced into the
1936 Act targeted against trust stripping,
a practice, at its simplest, of vesting net
income, otherwise taxable, in a beneficiary
who assumed all liability for tax on it and
gave a non-assessable payment to another,
usually another beneficiary or their related
entity, in return.
The section was however drafted in
wider terms than if just focussed on this
practice. It applies to any trust distribution
that arises from a ‘reimbursement
agreement’.
There have been indications among
tax practitioners that the Commissioner
has held concerns about even such
arrangements as a distribution being
determined in favour of a beneficiary,
not paid, and treated as owing, being
encompassed by the wording of s100A.
While the Commissioner has engaged
in confidential consultation regarding
these issues, for many months tax advisors
have been waiting on the Commissioner
to publish for public consultation a
foreshadowed Taxation Ruling on this
provision, which has now been done as
draft Taxation Ruling TR2022/D1 and
draft Practical Compliance Guide PCG
2022/D1, both of which were published
contemporaneously with TA 2022/1.
The single way out of s100A is the
definition of ‘agreement’ which specifically
excludes an agreement ‘entered into in the
course of ordinary family or commercial
dealing’.
These words are the subject of
discussion in draft ruling TR 2022/
D1. They have recently received judicial
consideration in a judgement 1 , now under
appeal by the Commissioner, in their
application to a particular fact situation.
While illustrative, the judgement stops
short of any attempt to provide an
expose on the universal application of the
provisions, and it is unclear what reliance
the Commissioner will place on the
judgement given his appeal and the more

TAX FILES
limited views expressed in the drafting
ruling.
In TR 2022/D1 the Commissioner
asserts that the word ‘family’ refers just to
natural persons, and he draws a distinction
between what is ordinary and what is
common, with a focus on whether the
arrangement is “capable of explanation
as achieving normal or regular familial or
commercial ends”.
For a dealing to be an ordinary
commercial dealing the Commissioner
requires it to advance the respective
interests and commercial objects of
the parties. If there are present in
the agreement features which, to the
Commissioner, appear tax driven, he says
these will be relevant to the objective
enquiry whether the agreement is entered
into in the course of ordinary dealing.
The potential impact of the
Commissioner’s views is very wide
reaching. Advisors will need to consider
TR2022/1 (when issued) very carefully
with respect to the determination of trust
distributions and the actions required to
be taken in consequence of particular
determinations. All this most likely before
30 June 2022.
The final publication is draft Taxation
Determination TD 2022/D1 entitled
“Income Tax: Division 7A: When will an
unpaid present entitlement or amount
held on sub-trust become the provision
of ‘financial accommodation’”, which
was released contemporaneously with a
web page publication entitled ‘Unpaid
Present Entitlement’ (with reference
to Division 7A of ITAA 1936 relating
to deemed dividends). The point of
this draft determination is to warn that
arrangements to distribute a share of
net income to a company, not pay it and
purport to hold it on a sub-trust, will
need to comply with the Commissioner’s
stipulation for a sub-trust if they are not
to be deemed ‘financial accommodation’
and result in a deemed dividend from
the company to the trust. In this way,
the determination looks at arrangements
similar to those of concern under s100A,
albeit with a view to Division 7A (given
that the beneficiary is a company) rather
than s100A.
As mentioned, the Tax Alert is
of immediate effect. The Ruling and
Guidance are to apply on publication
(once finalised) and the Determination
(once finalised) from and after 1 July 2022.
Tax Files is contributed by members of the
Taxation Committee of the Business Law Section
of the Law Council of South Australia B
Endnotes
1 By Logan J in Guardian AIT Pty Ltd ATF
Australian Investment Trust v FCT [2021]
FCA 1619
We Are Forensic Experts In
• Engineering Analysis & Reconstruction
• Traffic Crashes & Road Safety
• Workplace or Mining Incidents
• Reporting & Experts Court Testimony
Delta V Experts
• Clarifies the facts in a situation
• Scientifically substantiates the evidence
• Failure Analysis & Safety Solutions
• Physical, Crash, Incident & Vehicle
Dynamic Handling Testing
DELTA-V EXPERTS
• Strengthens your communication
• Diverse experience and expertise
03 9481 2200 www.dvexperts.net 9 Springbank Street, Tullamarine, 3043
April 2022 THE BULLETIN 35

DIALOGUE
A roundup of recent
Society meetings &
conferences
ROSEMARY PRIDMORE, EXECUTIVE OFFICER
9 December 2021
National statutory tort for invasion of
Bprivacy
ec Sandford participated for the
Society in an online roundtable
meeting convened by the LCA to discuss
its approach to a national statutory tort for
invasion of privacy.
15 December 2021
The Honourable Connie Bonaros MLC
and the Honourable Frank Pangallo
MLC
Society representatives Bec Sandford,
Justin Stewart-Rattray (President-Elect)
and Nathan Ramos (Policy Coordinator)
met with SA Best MLCs in relation to the
Society’s Key Election Issues for the 2022,
via videoconference.
17 December 2021
2022 Law Council of Australia
President –
At a videoconference meeting with
Tass Liveris, Bec Sandford and Stephen
Hodder discussed the issues Mr Liveris
intends to focus on during his presidency
of the LCA in 2022.
27 January 2022
The Honourable Robert Simms MLC
Justin Stewart-Rattray, 2022 President
and Nathan Ramos met with the
Honourable Robert Simms MLC in relation
to the Society’s Key Election Issues.
2 February 2022
Disability access to the Courts
In response to concerns raised by
the Society via its Equality, Diversity and
Inclusion Committee, Justin Stewart-
Rattray, Mark Douglas (Chair of the
36 THE BULLETIN April 2022
EDI Committee) and Michael Esposito
(Communications Manager) met with the
Honourable Justice Bampton and Con
Koutsounis, Senior Facilities Officer of
the Courts Administration Authority in
relation to disability access to the Courts.
15 February 2022
The Honourable Frank Pangallo MLC
At the instigation of SA Best, Justin
Stewart-Rattray and Nathan Ramos met
with the Honourable Frank Pangallo MLC
and his advisers to discuss elements of
a State election submission by the Police
Association of SA.
23 February 2022
Legal Services Commission
Justin Stewart-Rattray and Stephen
Hodder attended a meeting of the Legal
Services Commission (LSC), at the LSC’s
invitation. They congratulated Peter
Slattery upon his appointment as Chair
of the LSC, advised of the Society’s Key
Election issues relating to funding and
raised a number of issues (including
at the suggestion of the Criminal Law
Committee).
24 February 2022
Federal Circuit and Family Court CEO
and Principal Registrar and Deputy
Principal Registrar
The Co-Chairs of the Family Law
Committee, Ryan Thomas and Daphne
Moshos and former Co-Chair of the
Committee Jane Miller joined Justin
Stewart-Rattray at a meeting with the CEO
and Principal Registrar, David Pringle
and Deputy Principal Registrar, Virginia
Wilson of the FCFCOA.
A number of issues of interest were
discussed and well received and open lines
of communication were established. It is
expected the Court will publish a summary
or update relating to the problems
experienced since September 2021 when
the new court system was introduced and
what has been done to date to try and
rectify them.
3 March 2022
Joint Rules Advisory Committee
Various issues and suggestions for
amendments to the Uniform Civil Rules
were the subject of consideration at a
meeting of the Joint Rules Advisory
Committee that was attended by Justin
Stewart-Rattray, Alexander Lazarevich and
Philip Adams.
18 and 19 March 2022
Quarterly meetings of Law Council
(LCA) Directors, Conference of Law
Societies, CEOs of Law Societies; and
joint CEOs
Justin Stewart-Rattray (as President
and also as Society appointed Director
of the LCA) and Stephen Hodder
variously participated in the above
quarterly meetings, which were held via
videoconference. Key topics of discussion
included the implementation of the new
Australian Solicitors’ Conduct Rules; the
results of a survey by the Law Society of
NSW of the impact of COVID on the
justice system; the LCA’s “Call to Parties”
advocacy document for the upcoming
Federal election; and mandatory reporting
of the misconduct of other lawyers under
consideration in Victoria. B

WELLBEING & RESILIENCE
Doomscrolling: What is it
and how can we stop it?
AMY NIKOLOVSKI, MANAGING PARTNER, DBH LAWYERS AND MEMBER, WELLBEING AND RESILIENCE COMMITTEE
read a quote recently (on social media I
I confess) that said, “Millennials have had
to deal with 9/11, two global financial crises,
a pandemic, unaccountable natural disasters
and now World War 3 all before we turn
40”, and well, it really hit me in the feels.
Because it seems at the moment, every
time you turn on the TV another terrible
thing occurs. These last two- and a-bit
years have been particularly hard and if
you are anything like me, you have found
yourself addicted to “doomscrolling.”
So, what is it?
According to Urban Dictionary
“Doomscrolling is when you keep scrolling through
all of your social media feeds, looking for the most
recent upsetting news about the latest catastrophe,”
this in turn triggers the release of stress
hormones that can affect both your mental
and physical health.
The COVID-19 pandemic was
thought to start the term, with it trending
on Twitter in 2020, now doomscrolling
has become a part of many of our daily
routines. The constant consumption of
bad news can lead to catastrophising or
focusing on the negative aspects of the
world around you in a way that makes
it more and more difficult to notice the
positive. The behaviour can be addictive -
comparative to a car crash where you are
watching something, and you just cannot
look away.
Are you a doomscroller like me? If
so, here are some tips to stop (and I will
attempt to take my own advice):
MAKE MORNINGS SACRED
Stop using your phone as your
alarm, this will in turn stop you from
automatically checking social media
feeds first thing when you wake up in the
morning, which will in turn hopefully set
you off on the right foot.
PUT THE PHONE DOWN
Every time I get a notification, I cannot
help myself, pick it up, and check my
phone, I think often I don’t even realise
how often I’m doing it. Put your phone in
another room and take a break from the
world, we do not have to be available 24/7.
Also, if you have an iPhone (I would
assume android would have the same
capacity) check your screen time (go to
settings and screen time) you may be
disgusted at how much time you are on
your phone.
LIMIT SOCIAL MEDIA APPS ON YOUR
PHONE
While you are in your settings put a
limit on how much time you can access
social media, this may in turn get you out
of that TikTok or Facebook rabbit hole
you fell down by alerting you to how
much time you have actually spent that day
already.
FIND ANOTHER ACTIVITY TO REPLACE
DOOMSCROLLING
Enjoy this beautiful Autumn weather,
go for a walk, pick up a book, play with
your kids, do something for you in
that time. Replace doomscrolling with
something that delivers that kick of
adrenalin/cortisol for good rather than bad.
The world at the moment seems like
a very scary place, but there are ways we
can take back control. If you feel like you
may have lost control, there is no shame in
admitting you need help. Reach out to Law
Care, Dr Jill, your workplace EAP or any
other resources to get you out of the funk
you may be in at the moment with what
feels like never ending bad news being
thrown on a daily basis.
April 2022 THE BULLETIN 37

FAMILY LAW CASE NOTES
Family Law Case Notes
CRAIG NICOL AND KELEIGH ROBINSON, THE FAMILY LAW BOOK
CHILDREN – FATHER UNSUCCESSFULLY
APPEALS ORDER AUTHORISING MOTHER
TO VACCINATE CHILD AGAINST COVID-19
In Dacombe & Paddison [2021]
FedCFamC1A 103 (23 December, 2021)
Austin J (sitting in the appellate jurisdiction
of the Federal Circuit and Family Court
of Australia) summarily dismissed a
father’s appeal against a consent order,
which authorised the mother to arrange
vaccinations of the parties’ daughter.
The Court said (from [8]):
“An appeal may be summarily
dismissed if the appellant has no
reasonable prospect of successfully
prosecuting it (s 46(2)) [ed. Of the Federal
Circuit and Family Court of Australia Act
2021 (Cth)], even if it is not hopeless or
bound to fail (s 46(3)) ( … )
[10] The father’s first contention – that
he did not consent to the order – is false. …
[11] While it was the legal practitioners
who confirmed the parties’ agreement, the
father did not demur when the primary
judge was informed of the compromise. …
[12] When the primary judge sought to
formulate an order to properly reflect the
parties’ agreement, the father even helped
with the drafting ( … )
[14] [The father] … only disagreed
with any form of government-imposed
immunisation or treatment for the child,
but the appealed order did not deal with
any form of immunisation or treatment
mandated by government because
the parties agreed the child should be
immunised ( … )
[16] … Ground 1 of the father’s appeal
depends entirely upon his false contention
that he did not consent to the appealed
38 THE BULLETIN April 2022
order. He did and now he cannot appeal
the order on merit in the teeth of such
consent. …
[17] … [Section] 51(xxiiiA) of the
Constitution enables the parliament to make
laws about the provision of medical and
dental services (but not so as to authorize
any form of civil conscription) ( … )
[21] … [T]he Constitutional
impediment only affects the validity of
federal legislation which enables the civil
conscription of medical and dental services,
upon which field the Family Law Act does
not play. An order made under the …
Act which ensures a child’s receipt of …
medical treatment is not caught by the
prohibition ( … )”
PROPERTY – APPLICANT’S EQUITABLE
TRUST CLAIM FAILS AS PURCHASES WERE
GIFTS – RESPONDENT’S CLAIM FAILS AS
THERE WAS NO DE FACTO RELATIONSHIP
In H, AW v K, S [2021] SASC 128 (11
November, 2021) Bochner J of the Supreme
Court of South Australia dismissed all
applications after a four year relationship
between a dual citizen of Australia and the
USA (the applicant) and a single mother
who lived in Adelaide (the respondent).
The applicant sought a declaration that
the respondent’s vehicle and bank balances
were held on trust for him ([4]).
The respondent argued the dealings
were gifts and [she] sought a declaration that
the parties were in a de facto relationship.
The Court said (from [52]):
“The applicant agreed that [his] …
communication [to the respondent]
amounted to representations that he
would provide for her … He denied …
that the provision of financial support
… or … any other gifts to her would be
unconditional. ( … )
[59] … [T]he parties did not acquire
any assets together … The respondent
never visited the applicant’s house …, nor
was she invited to do so. ( … )
[151] The applicant came to Adelaide
[where the Respondent lived] between
five and nine times each year during the
relationship. The length of the visits
varied, from less than twenty-four hours,
to seven days ( … )
[193] … I consider that the parties’
relationship was not that of a couple living
together on a genuine domestic basis. The
evidence does not demonstrate ‘the merger
of two individual lives into life as a couple’
… [I]t demonstrates two individuals living
their separate lives and coming together
seven or eight times each year for some
shared time. It my view it is the time that
was shared, rather than the lives.”
As to the trust claim, the Court said
(from [214]):
“ … [T]his evidence leads me to the
conclusion that the moneys given to
the respondent … were a gift. … [A]ny
statements made by the applicant that the
moneys should be used for rent, clothes
and other expenses were no more than
indicative of his motive … They did not
serve to impress the funds with a trust.”
CHILDREN – HAGUE CHILD ABDUCTION
CONVENTION – ORDER FOR PRODUCTION
OF SOLICITOR’S FILE SET ASIDE, GIVEN ITS
IRRELEVANCE TO HABITUAL RESIDENCE
In Sterling [2022] FedCFamC1A 3 (27
January, 2022), the Full Court (Austin,

FAMILY LAW CASE NOTES
Berman & Harper JJ) allowed an appeal
from a decision of Williams J, where a
mother had travelled to Germany with the
parties’ daughter for a holiday, but then
communicated to the father that she would
not return to Australia and unsuccessfully
sought parenting orders in a German Court.
The German Court applied the
Hague Convention on the Civil Aspects of
International Child Abduction and found that
the daughter was habitually resident in
Australia and that Australian courts had
exclusive jurisdiction. The father then
successfully applied for orders for the
return of the child, for which the father
engaged a German lawyer.
Before the child’s return, the father
issued parenting proceedings in Australia,
where the Court scheduled a discrete
hearing as to whether the Court had
jurisdiction pursuant to s 111CD of the Act.
In those proceedings, the mother
contended that the father had waived
privilege to his German solicitors’ file,
whereas Williams J ordered that it be
produced. The father appealed, to which
the Full Court said (from [23]):
“The application of ss 111CD(1)(a),
111CD(1)(b) or 111CD(1)(f) depends
upon whether or not the child is
habitually resident in either Australia
or Germany ( … )
[25] Given the singular contentious
issue affecting the exercise of Australian
jurisdiction was the identification of the
child’s place of habitual residence,
it begged the question of how the file
of the father’s German lawyer could be
relevant ( … )
[32] As an entirely factual question,
the determination of the child’s place of
habitual residence could not conceivably
be materially influenced by any
communication between the father and
his German lawyer concerning the prior
German proceedings. ( … )
[34] Regardless of whether the father
waived his legal professional privilege by
his conduct, which is another issue by
which the parties were distracted, there
was no need to compel his surrender
of the confidentiality he reposed in the
lawyer/client communications.”
PROPERTY – CONTRIBUTIONS
ASSESSMENT OF 65 PER CENT IN FAVOUR
OF THE WIFE CONTAINED ERROR AS
TRAILING COMMISSIONS REMAINED A
JOINT CONTRIBUTION
In Candle & Falkner [2021]
FedCFamC1A 102 (23 December, 2021),
the Full Court (McClelland DCJ, Berman
& Harper JJ) allowed an appeal from a
decision of Foster J in a case involving
a 13 year marriage where the parties
established and operated a residential
home lending business (C Pty Ltd). After
litigation, in 2010 the husband received a
payout from a third party on the condition
that he resign as director, after which the
wife was sole director and conducted
operations of the company.
The Court assessed the wife’s
contributions at 65 per cent, finding
that from 2010 onwards, the wife had
“overwhelmingly contributed to the
evolution of the current asset pool
through her ongoing management of C
Pty Ltd” ([38]). The husband appealed.
The Full Court said (from [82]):
“We are … persuaded that the primary
judge failed to take account of relevant
contributions of the husband.
[83] It was common ground that C Pty
Ltd was a joint enterprise of the parties
from inception until March 2010, when the
husband ceased to be a director. … [T]he
business of C Pty Ltd produced an income
stream for the benefit of the parties from
trailing commissions, which continued for
an average of five to six years. It followed
that some trailing commissions continued
past 2010, and thus some of the income
produced by C Pty Ltd post-2010 must
be seen as the result of the parties’ joint
efforts in the business before 2010 ( … )
[90] The husband argued that the
ultimate result of 65 per cent to the wife
could only be justified by ignoring the
husband’s contributions to the business of
C Pty Ltd … after December 2010 ( … )
[92] … [H]is Honour assessed
contributions by reference to his detailed
findings about the course of contributions
… The problem is that nowhere in those
paragraphs is there any mention of
specific contributions by the husband to
C Pty Ltd … after 2010. Consequently, we
are unable to conclude his Honour took
those contributions into account, despite,
or even because of, the reference to [the
husband’s] ‹minimal contributions’ in …
the reasons. …
[93] Once it is accepted that the
primary judge failed to take account of
contributions by the husband to C Pty Ltd
… even if more modest than those of the
wife, the percentage assessment of 65 per
cent in favour of the wife is unsafe and
cannot stand.” B
April 2022 THE BULLETIN 39

RISK WATCH
Control your trolls: Protecting
your practice on social media
KATE MARCUS, RISK & CLAIMS SOLICITOR, LAW CLAIMS
Law Practices should be alert to the
risks of maintaining a social media
presence. With the ever-changing needs
of communication and marketing, social
media - whether it be through Meta,
Facebook, You Tube, WhatsApp. Twitter,
Instagram, Pinterest, Snapchat to name but
a few - is a tool which many Law Practices
are utilising. However, care needs to be
taken.
Whilst last year’s High Court decision
of Fairfax Media Publications Pty Ltd & Ors
v Voller [2021] HCA 27 was of particular
relevance to media outlets operating social
media pages, the implications of the
judgment extend beyond traditional media
organisations.
Following a news story about Mr
Voller and his incarceration in a juvenile
detention centre in the Northern Territory,
a number of allegedly defamatory
comments were made by third parties
on the appellants’ Facebook pages. Each
of the appellants were media companies
with newspaper and/or television stations
and each operated a public Facebook
page where third-party Facebook users
could make comments. Mr Voller issued
proceedings alleging that the appellants
were liable for defamation as the
publishers of those comments.
By majority the High Court held
that, subject to any applicable defences,
defamation operates as a tort of
strict liability and intention to publish
the specific content is therefore not
required in order to render someone
liable as a publisher of defamatory
content. The liability of a publisher
depends on whether, by facilitating and
encouraging the relevant communication,
it “participated” in the communication.
By creating a public Facebook page
and posting contents on that page, the
appellants facilitated, encouraged and
thereby assisted in the publication of
comments from third-parties. Accordingly,
the appellants were held to be the
publishers of the third-party comments.
Implications for Law Practices
The ramifications of the judgment
extend beyond Facebook and media
outlets. It highlights that organisations
which maintain their own websites and
social media pages are exposed to risk.
This includes law firms.
If you have a social media page upon
which third-party users can post comments,
care must be taken. By providing such a
forum, there is a risk that the law firm could
be found to be a publisher for the purposes
of defamation law.
What can you do?
It is often difficult to disable comments
on social media sites but it is worth
considering whether it is necessary for the
public to comment on your business pages
or posts. While larger organisations may
have the infrastructure to monitor sites
constantly and remove offending posts
almost immediately, smaller organisations
will need to take extra precautions and be
highly vigilant. Bear in mind that posts can
“go viral” in a matter of minutes. It is now
possible with Facebook, for example, to
disable posting to your business page by
the public.
Law Practices with social media
presence are encouraged to
1. consider whether to disable posting/
commentary altogether
2. rigorously monitor and moderate the
site(s)
3. immediately remove any comment or
image which may (even remotely) cause
offence.
If you are not in a position to
constantly monitor your social media sites,
query if your needs are better met by
disabling comments or by having a website
that does not provide for third party
comments.
Practitioners also need to be alert
to the fact that defamatory posts on
social media may not be covered by
your Practice’s professional indemnity
insurance. Coverage will depend on
the nature of the social media involved
and the nature of the posts themselves.
General defamatory posts may not be
sufficiently connected with the “legal
practice” so as to fall within cover. If
defamatory statements have a real link to
the actual work undertaken by the practice,
then there may be cover under the
policy. However, each situation depends
heavily on its individual facts and it is not
possible to be definite about coverage
in the absence of all relevant facts and
details. It is therefore essential that Law
Practices tread carefully and consider all
the implications of their social media
presence.
40
THE BULLETIN April 2022

BOOKSHELF
F Assaf SC
3 rd ed LexisNexis 2021
HB $235
ASSAF’S WINDING UP IN INSOLVENCY
Abstract from LexisNexis
Assaf’s Winding Up in Insolvency is a
practitioner-focused reference text providing
comprehensive treatment of all aspects of
winding up in insolvency. Formerly known
as Statutory Demands and Winding Up in
Insolvency, this new text has been completely
rewritten, updated and expanded. The work
discusses in detailed and scholarly fashion all
requirements of winding up in insolvency
including establishing insolvency, practical issues
relating to issuing and setting aside statutory
demands, making and opposing winding up
applications and includes guidance on the
recent labyrinthine amendments made to the
Corporations Act by the Corporations Amendment
(Corporate Insolvency Reforms) Act, 2020 and
temporary amendments made in response to
the Covid-19 pandemic. In addition, the book
discusses cross-border aspects of winding-up
in insolvency and the winding up of Part 5.7
bodies. Complete with precedents, this work is an
essential reference text for all legal practitioners.
GE dal Pont
3 rd ed LexisNexis 2021
PB $300.00
LAW OF CHARITY
Abstract from LexisNexis
Cited frequently in decisions in superior
courts across Australia, including in the High
Court of Australia, Law of Charity is a highlevel
work focusing on the law that governs and
regulates the application of money or property
for charitable purposes. Providing coverage
of Australian law and, for chiefly comparative
purposes, salient aspects of charity law in other
common law jurisdictions … this work is an
exposition of the law pertaining to charitable
objects, also encompassing the history of
charity law, the privileges extended to charity
and matters of jurisdiction vis-à-vis charity law.
It concludes with a set of chapters dedicated to
the reform of this area of law. Law of Charity
is the ideal companion to Taxation of Charities
and Not-for-profits, which is the essential
resource for those who need to master nonprofit
tax issues or provide sound professional
advice to the sector.
J Catanzariti & K Egan
2 nd ed LexisNexis 2021
PB $14000
WORKPLACE BULLYING
Abstract from LexisNexis
With the addition of bullying provisions in
the Fair Work Act 2009 (Cth), workplace bullying
was finally acknowledged by the law. The
Fair Work Commission was conferred a wide
range of powers to deal with complaints about
workplace bullying. Naturally, many employers
took an interest in the legal ramifications of this
burgeoning area of law. Aside from the legal
risks, workplace bullying has the capacity to
inflict great psychological harm upon its victims.
The second edition of Workplace
Bullying explores, in greater depth, the
psychological aspect of such bullying and its
damaging effects. Workplace Bullying offers
advice on how a toxic workplace environment
can be prevented from forming. It provides
a practical guide to victims of workplace
bullying regarding how they can recover and
build resilience, and an overview of new legal
developments in this evolving area of law
FAMILY PROVISION IN AUSTRALIA
Abstract from LexisNexis
Family Provision in Australia is a frequently
cited text in various court judgments across all
states and territories, including the High Court
and Federal Court of Australia as well as the
Court of Appeal-Civil Division and Chancery
Division of England and Wales. It includes a
comprehensive checklist, case tables, forms,
precedents and extracts of relevant state and
territory legislation.
J de Groot & B Nickel
6 th ed LexisNexis 2021
PB $260.00
April 2022 THE BULLETIN 41

GAZING IN THE GAZETTE
3 FEB 2021 – 2 MAR 2022
A MONTHLY REVIEW OF ACTS, APPOINTMENTS,
REGULATIONS AND RULES COMPILED BY MASTER ELIZABETH
OLSSON OF THE DISTRICT COURT OF SOUTH AUSTRALIA
ACTS PROCLAIMED
Statutes Amendment (Fund Selection and
Other Superannuation Matters) Act 2021
(No 16 of 2021) Commencement Part 2:
30 November 2022
Gazetted: 3 February 2022,
Gazette No. 7 of 2022
Statutes Amendment (Child Sexual Abuse) Act
2021 (No 57 of 2021)
Commencement: 1 June 2022
Gazetted: 17 February 2022,
Gazette No. 9 of 2022
Statutes Amendment (Local Government Review)
Act 2021 (No 26 of 2021), Commencement
s 126 but only insofar as it inserts ss 262G
and 262J into Local Government Act 1999:
17 February 2022
Gazetted: 17 February 2022,
Gazette No. 9 of 2022
ACTS ASSENTED TO
Nil
APPOINTMENTS
Nil
RULES
Legal Practitioners Act 1981
Rules of the Legal Practitioners Education
and Admission Council 2018
Gazetted: 17 February 2022,
Gazette No. 9 of 2022
REGULATIONS PROMULGATED (3 FEBRUARY 2022 – 2 MARCH 2022)
REGULATION NAME REG NO. DATE GAZETTED
Southern State Superannuation (Fund Selection and Other Matters) Amendment Regulations 2022 7 of 2022 3 February 2022, Gazette No. 7 of 2022
Child Safety (Prohibited Persons) Amendment Regulations 2022 8 of 2022 3 February 2022, Gazette No. 7 of 2022
Youth Justice Administration Amendment Regulations 2022 9 of 2022 3 February 2022, Gazette No. 7 of 2022
Road Traffic (Miscellaneous) (Road Closing and Exemptions for Events) Amendment Regulations 2022 10 of 2022 10 February 2022, Gazette No. 8 of 2022
Harbors and Navigation (Miscellaneous) Amendment Regulations 2022 11 of 2022 10 February 2022, Gazette No. 8 of 2022
Summary Offences (Vehicle Immobilisation Device) Amendment Regulations 2022 12 of 2022 10 February 2022, Gazette No. 8 of 2022
Freedom of Information (Exempt Agency) (Public Advocate) Amendment Regulations 2022 13 of 2022 17 February 2022, Gazette No. 9 of 2022
Guardianship and Administration (Fee Notices) Amendment Regulations 2022 14 of 2022 17 February 2022, Gazette No. 9 of 2022
Mental Health (Fee Notices) Amendment Regulations 2022 15 of 2022 17 February 2022, Gazette No. 9 of 2022
Health Practitioner Regulation National Law (South Australia) (Telepharmacy) Amendment Regulations 2022 16 of 2022 17 February 2022, Gazette No. 9 of 2022
Fisheries Management (General) (Hand Fish Spear and Spear Gun) Amendment Regulations 2022 17 of 2022 17 February 2022, Gazette No. 9 of 2022
Fisheries Management (Demerit Points) (Hand Fish Spear and Spear Gun) Amendment Regulations 2022 18 of 2022 17 February 2022, Gazette No. 9 of 2022
Land Acquisition (Miscellaneous) Amendment Regulations 2022 19 of 2022 17 February 2022, Gazette No. 9 of 2022
42
THE BULLETIN April 2022

CLASSIFIEDS
VALUATIONS
MATRIMONIAL
DECEASED ESTATES
INSURANCE
TAX REALIGNMENT
INSOLVENCY
FURNITURE
ANTIQUES, COLLECTIONS
BUSINESS ASSETS
MACHINERY
MOTOR VEHICLES
CARS, BOATS, PLANES
CITY & COUNTRY
ROGER KEARNS
Ph: 08 8342 4445
FAX: 08 8342 4446
MOB: 0418 821 250
E: auctions@senet.com.au
Certified Practising Valuer NO.346
Auctioneers & Valuers Association
of Australia
Banking
Expert
Lending & recovery decisions,
including: Banking Code issues,
finance availability, capacity to
settle, and loan enforcement.
Geoff Green 0404 885 062
Details of qualifications and
experience, including giving evidence
in the FCA, VSC and SICC, via:
BankingExpertWitness.com.au
VALUER
Commercial & Residential
Real Estate
Matrimonial
Deceased Estates
Rentals etc.
Experienced Court
Expert Witness
Liability limited by a scheme approved under
Professional Standards Legislation
JANET HAWKES
Cert. Practising Valuer, AAPI
0409 674 122
janet@gaetjens.com.au
Business
valuations
Simple, clear,
unbiased advice,
without fear or
favour.
t. +61 8 431 80 82
Hugh McPharlin FCA
d m. +61 +61 8 8139 401 712 1130 908
m e. +61 ahi@andrewhillinvestigations.com.au
419 841 780
e hmcpharlin@nexiaem.com.au
w nexiaem.com.au
Consulting Engineers
Australian Technology Pty Ltd
for expert opinion on:
• Vehicle failure and accidents
• Vehicle design
• Industrial accidents
• Slips and falls
• Occupational health and safety
• Statistical analysis
W. Douglass R. Potts
MAOQ, FRAI, FSAE-A, FIEAust,
CPEng, CEng, FIMechE
8271 4573
0412 217 360
wdrpotts@gmail.com
Andrew Hill Investigations
Investigating:
ABN 68 573 745 238
• workplace conduct
• fraud
• unprofessional conduct
• probity
Support services:
• forensic computing analysis
• transcription services
• information sessions, particularly
for HR practitioners on the
investigative process
• policy development.
PO Box 3626
Andrew Hill
Andrew Hill
Investigations
NORWOOD SA t. 5067 +61 8 431 80 82
m. +61 401 712 908
e. ahi@andrewhillinvestigations.com.au
Fellow AIPI
Licensed Investigation Agents
& Process Servers
Servicing the Mid North, Yorke &
Eyre Peninsula`s and Outback of
South Australia with:
• Process Serving
• Property Lockouts
• Investigations
• Missing Persons
OUTBACK BUSINESS SERVICES
P.O. Box 591,
PORT AUGUSTA. 5700
P: 0418 838 807
info@outbackbusinessservices.com.au
LawCare
The LawCare Counselling
Service is for members of
the profession or members
of their immediate family
whose lives may be adversely
affected by personal or
professional problems.
If you have a problem, speak
to the LawCare counsellor
Dr Jill before it overwhelms you.
Dr Jill is a medical practitioner
highly qualified to treat social
and psychological problems,
including alcoholism and drug
abuse.
The Law Society is pleased to
be able to cover the gap
payments for two consultations
with Dr Jill per patient per
financial year.
All information divulged to the
LawCare counsellor is totally
confidential.
To contact Dr Jill 08 8110 5279
7 days a week
LawCare is a member service
made possible by the generous
support of Arthur J. Gallagher
The Litigation Assistance Fund (LAF) is a
non-profit charitable trust for which the
Law Society acts as trustee. Since 1992
it has provided funding assistance to
approximately 1,500 civil claimants.
LAF receives applications for funding
assistance from solicitors on behalf of
civil claimants seeking compensation/
damages who are unable to meet the
fees and/or disbursements of prosecuting
their claim. The applications are
subjected to a means test and a merits
test. Two different forms of funding exist –
Disbursements Only Funding (DOF) and
Full Funding.
LAF funds itself by receiving a relatively
small portion of the monetary proceeds
(usually damages) achieved by the
claimants whom it assists. Claimants who
received DOF funding repay the amount
received, plus an uplift of 100% on that
amount. Claimants who received Full
Funding repay the amount received, plus
15% of their damages. This ensures LAF’s
ability to continue to provide assistance
to claimants.
LAF recommends considering whether
applying to LAF is the best course in the
circumstances of the claim. There may be
better methods of obtaining funding/
representation. For example, all Funding
Agreements with LAF give LAF certain
rights including that funding can be
withdrawn and/or varied.
For further information, please visit
the Law Society’s website or contact
Annie MacRae on 8229 0263.
Family Law - Melbourne
Marita Bajinskis
formerly of
Howe Martin & Associates
is a Principal at
Blackwood Family Lawyers
in Melbourne
Marita is an Accredited Family
Law Specialist and can assist with
all family law matters including:
• matrimonial and de facto
• property settlements
• superannuation
• children’s issues
3/224 Queen Street
Melbourne VIC 3000
T: 03 8672 5222
Marita.Bajinskis@
blackwoodfamilylawyers.com.au
www.blackwoodfamilylawyers.com.au
CONSULTING
ACTUARIES
FOR PROFESSIONAL
ACTUARIAL ADVICE ON
- Personal Injury -
- Workers Compensation -
- Value Of Superannuation -
Contact
Deborah Jones, Geoff Keen
or Victor Tien
08 8232 1333
contact@brettandwatson.com.au
www.brettandwatson.com.au
Ground Floor
157 Grenfell Street
Adelaide SA 5000
April 2022 THE BULLETIN 43

We manage one of SA’s largest
social media accounts.
boylen.com.au
P (08) 8233 9433