Briefings

Short, sourced briefings on privacy events that matter. Too significant for an alert, too recent for a full investigation. Updated as events develop.

April 2026
Google and Amazon Knew the Risks of Project Nimbus. They Signed Anyway.
Global · Human Rights

The EFF published a detailed analysis showing that Google's own legal and policy staff warned, before Project Nimbus was signed, that its cloud services "could be linked to the facilitation of human rights abuses" and could be put to surveillance or militarised purposes. Google signed the $1.2 billion contract with Israel's government anyway.

The contract provides Israel's Ministry of Defense with large-scale data storage, image and video analysis, and AI model development tools, capabilities the EFF describes as "well suited for surveillance and military applications." Google has no visibility into how those tools are used once deployed on the customer's classified networks. Amazon, the other Nimbus contractor, did not respond to EFF's correspondence about these concerns.

The EFF invoked the precedent of Microsoft, whose technologies were documented being used by the Israeli military in ways that violated Microsoft's own human rights commitments. The analysis argues that cloud platforms allow customers to build and customise systems "often beyond the vendor's direct visibility", so neither Google nor Amazon can verify that their tools are not being used in a military campaign marked by credible allegations of genocide and widespread civilian harm.

EFF's conclusion: "Waiting for definitive proof is not responsible risk management. It is willful blindness."

Why this matters

This directly connects to our Convergence page, specifically the Google + Pentagon entry. The same company that dropped the weapons and surveillance pledge from its AI Principles, fired employees who objected to Nimbus, and signed a classified Pentagon deal had its own staff warning about human rights risks before Project Nimbus was signed. The UN Guiding Principles on Business and Human Rights are explicit: "The responsibility to respect human rights exists over and above compliance with national laws." Google's own lawyers flagged the risk. Google signed anyway. That is willful blindness by definition, and it is exactly what the international law baseline on our Convergence page was built to document.

March 2025 (breach) — October 2025 (disclosed)
NSW Government Uploaded 3,000 Flood Victims' Data to ChatGPT
Australia

A contractor working for the NSW Reconstruction Authority uploaded sensitive personal data of about 3,000 flood victims to ChatGPT without approval. The dataset contained more than 12,000 rows, including names, addresses, phone numbers, and health information, belonging to people at their most vulnerable while recovering from a natural disaster.

The upload occurred in March 2025. The NSW government did not disclose it publicly until October 2025, more than six months later. The data went to servers operated by OpenAI, a US company subject to the CLOUD Act, meaning Australian flood victims' health information crossed an international border through a consumer AI chatbot, without their knowledge or consent, and outside any data-handling agreement the Authority had approved.

Why this matters

A government contractor fed disaster victims' personal and health data into a commercial AI chatbot. The victims were flood survivors. They handed over their information to get help rebuilding their lives. That information ended up on OpenAI's servers in the United States. More than six months of silence followed. This is the intersection of government data handling, AI, and disaster response, three areas where trust is non-negotiable. It is also a textbook case of shadow AI: a contractor using an unapproved tool on sensitive data, with nothing in the agency's controls to detect it at the time.

January 2026
OAIC Launches First-Ever Privacy Compliance Sweep
Australia

In January 2026, the OAIC conducted its inaugural compliance sweep, reviewing approximately 60 businesses across six sectors: rental/property, pharmacies, licensed venues, car rental, car dealerships, and pawnbrokers. Contraventions identified in the sweep carry penalties of up to A$66,000 each.

This marks a shift from the OAIC's historical education-first approach to proactive compliance checking. The chosen sectors are notable: rental platforms (such as 2Apply), pharmacies handling health data, and licensed venues scanning ID at the door. All are sectors where consumers hand over sensitive information with no bargaining power and no realistic alternative.

Why this matters

The OAIC has never penalised a government agency and has rarely pursued small-to-medium businesses. This sweep signals a new posture. The first civil penalty under the Privacy Act was handed down in 2025 (Australian Clinical Labs, $5.8M). The statutory tort for serious invasion of privacy took effect in June 2025, allowing individuals to sue, with damages for non-economic loss capped at $478,550. The enforcement landscape in Australia shifted more in 2025-2026 than in the previous decade.

December 2024 — ongoing through 2026
Australia's Privacy Act Gets Its Biggest Overhaul in 36 Years
Australia

The Privacy Act 1988 received its most significant reforms since inception. Key changes rolling out through 2026:

Statutory tort for serious invasion of privacy (June 2025) — individuals can now sue for up to $478,550. First case: Kurraba Group v Williams (October 2025, NSW District Court, injunctive relief over private wedding photos).

Criminal doxxing offences — up to 7 years imprisonment.

Maximum corporate penalties — the greater of $50 million, three times the benefit obtained, or 30% of adjusted turnover. These were introduced in December 2022 and are retained under the reforms.

Children's Online Privacy Code — OAIC draft released March 2026, must be registered by December 2026. Requires best interests of children, parental consent for under-15s, data minimisation.

Automated decision-making transparency — from December 2026, APP entities must disclose in their privacy policies when they use computer programs (including AI) to make, or substantially assist in making, decisions that could significantly affect individuals' rights or interests.

Small business coverage — from July 2026, approximately 100,000 small businesses become regulated by the Privacy Act for the first time.

Why this matters

For the first time, Australians can sue for privacy invasion. Corporate penalties of up to $50M or 30% of turnover now sit alongside a regulator that has started using them. 100,000 small businesses that were previously exempt will have to comply. The Children's Code will force platforms to prove they're protecting kids, not just claiming to. And the automated decision-making disclosure means companies using AI to make decisions about you have to tell you. The enforcement gap we documented in every government investigation is starting to close.

December 2025
Australia Becomes First Country to Ban Under-16s from Social Media
Australia

On December 10, 2025, Australia became the first country in the world to ban children under 16 from social media platforms. Platforms face fines up to $49.5 million for non-compliance. Applies to Facebook, Instagram, Reddit, Snapchat, TikTok, X, Threads, Twitch, Kick, and YouTube.

The catch: age verification. The methods under consideration include biometric facial age estimation — scanning children's faces to prove they're old enough not to be scanned. The privacy solution requires a privacy invasion. The government that hasn't penalised a single government agency for privacy breaches is mandating facial scanning of children to protect their privacy.

Why this matters

The intent is real: children's safety on social media is a documented crisis (Roblox, Snapchat, and TikTok are on our Danger List). But biometric age verification risks creating a national database of children's faces to solve a problem caused by platforms collecting children's data. The cure may be worse than the disease. Who stores the biometric data, and is it retained at all or discarded after the estimate? For how long? Under what security, and with what audit? The same government that uploaded flood victims' data to ChatGPT is mandating facial-scanning infrastructure for children.

November 2025 (disclosed)
800GB of Australian Submarine and Frigate Data Stolen in 5-Month Intrusion
Australia

The J Group ransomware gang breached IKAD Engineering, an Australian defence supply chain contractor, and remained inside the network for five months; the gang described it as a "five-month staycation." Around 800GB of data was exfiltrated, including private defence contracts, manufacturing designs, employee records, and financial information.

Researchers found more than 70 filenames referencing submarines or submarine programmes: Collins Class submarines, Hunter Class frigates, expressions of interest, tenders, and project correspondence. The initial access vector was an outdated VPN appliance with weak credentials and no multi-factor authentication.

IKAD's CEO confirmed the breach but said only "non-sensitive project information" was affected. Security analysts disagreed, noting that "even data not deemed sensitive can hold strategic value" for foreign intelligence, which can aggregate tenders, correspondence, and supplier lists into a picture of programme timelines and dependencies.

Why this matters

Australia is building nuclear-powered submarines under AUKUS. The defence supply chain handles data that foreign intelligence services actively target; ASIO has said so publicly. A contractor in that supply chain was compromised through an outdated VPN appliance with weak credentials and no MFA, the most basic security failure possible. The attackers lived inside the network for roughly 150 days without detection. Submarine programme data was in the exfiltrated files. The weakest link in national security was a VPN password.

April 2025 (reported)
31,000+ Australian Banking Passwords Stolen via Infostealer Malware
Australia

At least 31,000 Australian banking passwords were exposed between 2021 and 2025 via infostealer malware: roughly 14,000 for CBA, 7,000 for ANZ, 5,000 for NAB, and 4,000 for Westpac. The credentials were circulated on Telegram channels and dark web forums.

Additionally, more than 240 compromised credentials for third-party services linked to the four banks were found: 100+ for ANZ, 70+ for NAB, 40+ for CBA, 30+ for Westpac. Separately, CBA reported a $1 billion loan fraud by the "Penthouse Syndicate" that relied on AI-fabricated supporting documentation.

Why this matters

Australia's Big Four banks hold the financial data of virtually every Australian. 31,000 passwords on Telegram means 31,000 people whose bank logins were available to anyone in the right chat room, with only whatever second factor the bank enforces standing between them and the account. The infostealer malware that harvested these credentials doesn't exploit bank security; it exploits users' devices, lifting saved browser passwords after the victim installs something they shouldn't have. The banks' own security may be fine. Their customers' devices are not. And the $1B loan fraud shows a new attack vector: AI-generated documents are now good enough to pass the checks banks use to verify identity and income.

November 2026 (upcoming)
Australia's Digital ID Expands to Private Sector
Australia

From November 30, 2026, private sector entities can apply to join the Australian Government Digital ID System. The government intends the Trust Exchange (TEx) to become the default way Australians prove identity online, with banks, telcos, and other businesses relying on the same infrastructure as myGov and myGovID (now branded myID).

In 2020, ANU and University of Melbourne researchers found a replay/phishing vulnerability in myGovID that could allow attackers to gain full access to linked government services by tricking users into confirming a 4-digit code on a replica website; because the code was not bound to the site the user was actually visiting, an attacker relaying the login in real time could get the victim to approve the attacker's session. Separate research found Australia's Digital ID scheme "falls short of global privacy standards", with particular concern about cross-service data matching: no legislative impediment prevents the ATO from using GovPass for cross-agency data matching.

Why this matters

We investigated Digital ID in depth at site/investigation/digital-id.html. The findings from that investigation (iProov UK biometrics, researchers saying "scrap it", $500M ATO fraud) are about to be extended to the private sector. Banks and telcos joining the system means a security vulnerability in Digital ID now affects your bank account, your phone service, and your government services simultaneously, through a single credential. The attack surface doesn't shrink as Digital ID expands. It multiplies.