IPMojo

BOOK AN APPOINTMENT

Archives for May 2025

by

Age Check Please – Australia’s Social Media Age Trial Steps Up

If you thought “what’s your date of birth?” was just an annoying formality, think again. Australia is now deep into a world-first trial of age verification tech for social media — and the implications for platforms, privacy, and policy will be real.

It’s official: Australia is no longer just talking about age restrictions on social media — it’s testing them. In what’s being described as a world-first, the federal government earlier this year launched the Age Assurance Technology Trial, a trial of age assurance technologies across more than 50 platforms, including heavyweights like Meta, TikTok and Snapchat.

The idea? To test whether it’s technically (and legally) viable to verify a user’s age before they gain access to certain online services, especially platforms known to attract kids and teens.

The goal is to find out whether it’s possible — and proportionate — to verify a user’s age before letting them dive into algorithm-driven feeds, DMs, or digital chaos.

Now, as of mid-May, the trial is expanding — with school students in Perth and Canberra joining the test groups. The trial includes biometric screening (e.g. facial age estimation), document-based verification, and other machine-learning tools and tech designed to assess age and  detect users under 16 without necessarily collecting identifying information, in line with recommendations from the eSafety Commissioner and privacy reform proposals.

Initial results are reportedly encouraging, showing strong accuracy for detecting under-16 users. Some methods are accurate 90%+ of the time — but questions linger. How well do these tools work across diverse communities? How do they avoid discrimination? And perhaps most importantly: how do you balance age checks with user privacy?

But this isn’t just a tech exercise — it’s a law-and-policy warm-up. With the Children’s Online Privacy Code set to drop by 2026, and eSafety pushing hard for age-based restrictions, the real question is: can you implement age gates that are privacy-preserving, non-discriminatory, and not easily gamed by a teenager with a calculator and Photoshop?

It’s a tough balance. On one hand, there’s real concern about children’s exposure to online harms. On the other, age verification at scale risks blowing out privacy compliance, embedding surveillance tech, and excluding legitimate users who don’t fit biometric norms.

The final report lands in June 2025, and platforms should expect regulatory consequences soon after. If the trial proves age verification is accurate, scalable, and privacy-compatible, you can bet on mandatory age checks becoming law by the end of the year.

Bottom line? If your platform’s UX depends on open access and anonymity, start thinking now about how that survives an incoming legal obligation to know more about your users, and if not necessarily who they are, at least how young they actually are (as opposed to how old they might claim to be).

by

I Tort I Saw a Privacy Breach: Australia’s New Right to Sue

In barely a few weeks’ time, for the first time in Australian legal history, individuals will be able to sue for a serious invasion of privacy — with the new statutory tort coming into force on 10 June 2025.

It’s a landmark moment. While the Privacy Act has long offered regulatory protections (mainly enforced by the OAIC), this new law gives individuals a direct, personal legal remedy in court. If someone invades your privacy — by spying on you, hacking your data, or misusing personal information — you can now bring a tort claim for compensation, injunctions, apologies, or other relief.

But it’s not a free-for-all. Let’s unpack how it works.

What Exactly Do You Have to Prove?

To win a case under the new law, a plaintiff must establish five elements, all of which are based on ALRC recommendations:

  1. An invasion of privacy — either by intrusion upon seclusion (e.g. surveillance, unlawful entry, voyeurism) or misuse of private information (e.g. disclosing or using someone’s personal details without permission).

  2. A reasonable expectation of privacy — determined in context. This takes into account factors like place (e.g. home vs public), the sensitivity of the information, age or cultural background of the plaintiff, and whether they invited publicity.

  3. Intentional or reckless conduct — negligence isn’t enough. The defendant must have acted deliberately or with reckless disregard.

  4. A serious invasion — not just annoying or embarrassing. The harm must be objectively significant (e.g. likely to cause offence, distress or harm to dignity to a person of ordinary sensibilities).

  5. Public interest balancing — the court must be satisfied that the plaintiff’s right to privacy outweighs any public interest raised by the defendant (such as free expression, national security, or open justice).

You don’t need to prove economic loss or damage — it’s actionable without it. However, the nature and impact of the harm (e.g. emotional distress, reputational damage, or humiliation) will affect the seriousness of the invasion and any damages awarded.

Not Retrospective — and Watch the Clock

The new tort is not retrospective. That means you can’t sue for conduct that occurred before 10 June 2025, no matter how bad it was. The law only applies to invasions of privacy on or after the commencement date.

And there are strict time limits:

  • You must start proceedings within one year of becoming aware of the invasion, and in any event within three years of when it happened — whichever is earlier.

  • If the plaintiff was under 18 at the time, they can sue any time up until their 21st birthday.

  • In exceptional circumstances, the court can extend the period up to six years after the event — for instance, where trauma or lack of awareness delayed action.

What About Defences?

It’s not all a one-sided affair. There’s a structured list of statutory defences, including where:

  • The conduct was required or authorised by law

  • The plaintiff consented

  • It was necessary to prevent serious harm

  • The conduct was part of a lawful defence of person or property

There are also defamation-style defences for things like absolute privilege, publication of public documents, and fair reporting of public proceedings — and journalists enjoy an exemption when acting in a professional capacity under a recognised code of conduct.

Law enforcement and intelligence agencies are also exempt when acting within their lawful functions.

What Remedies Are Available?

The court can award compensation for emotional distress, injury to dignity, and reputational harm — capped at the same maximum as defamation damages (currently $478,550, indexed).

It can also award exemplary damages in egregious cases (like malicious distribution of private images), and make orders for apologies, corrections, injunctions, and destruction of material.

Importantly, apologies won’t count as admissions of guilt — so defendants can say sorry without conceding liability (though it might reduce damages).

What Now?

This is a big deal for Australian privacy law. The new statutory tort fills a long-standing gap between regulation and personal rights — and will likely open the door to more litigation, especially in areas like:

  • image-based abuse

  • unauthorised publication of intimate content

  • intrusive surveillance

  • data misuse or unethical tech deployment

For businesses, publishers, digital platforms and public institutions, now is the time to review policies, train staff, and sanity-check any borderline practices. Reckless handling of sensitive information — even without publication — could now be very costly.

Tune in next week for: a deep dive into the new Children’s Online Privacy Code. Because in 2025, even kids’ data isn’t child’s play.

by

Privacy 2.0: Why the Law Had to Change

It’s not every day a 1980s law gets a 2020s reboot — but that’s exactly what’s happening with Australia’s privacy regime.

After years of community anxiety, OAIC submissions, and a few too many headlines about mega-breaches, the Privacy Act 1988 (Cth) is finally stepping out of its shoulder-padded past and into the digital present.

The latest round of reform — passed at the end of 2024 and now live — marks the biggest shake-up to Australia’s privacy framework in over a decade … and while the updates aren’t a total rewrite, they’re a bold start. From new breach response tools to sharper enforcement powers, and from kids’ data codes to the long-awaited statutory tort of privacy invasion, this is no longer just a compliance issue for GCs. It’s a reputational and risk issue for boards — and a tech/design challenge for operational teams.

So why now? Because the old law just wasn’t cutting it anymore. The last major reform (the 13 APPs) happened in 2014. That was before TikTok existed. Before mass data scraping, AI-driven insurance risk profiling, and customer loyalty schemes that know your breakfast habits better than your spouse. Fast forward a decade, and we’re living in an environment where personal data isn’t just a risk category — it’s a currency, and one that criminals, governments, and companies alike are eager to trade.

Add to that the global pressure. Australia has fallen behind the GDPR club, and even the US (the privacy laggard) is now rolling out state-level data laws with real teeth. If we want to be taken seriously in trade deals, tech partnerships, or cross-border enforcement, our domestic rules have to look credible. That means: Transparency. Accountability. Teeth.

This 9-part twice-per-week Privacy 2.0 blog series will unpack the key changes — what’s landed, what’s coming, and what businesses need to do now (not in 2026, when the AI rules kick in). We’ll also ask the hard questions: is this regulation or reaction? Is it about protecting individuals — or just managing headlines? And what does it mean for those of us navigating the line between innovation and intrusion?

Tune in tomorrow for: an in-depth look at Australia’s new statutory tort of serious invasion of privacy, commencing on 10 June 2025.

by

Sad Bot, Caged Thought: The Global Crackdown on AI

We’re living through the Great AI Whiplash. After a few years of “move fast and break things” AI hype, the regulators have woken up — and they’re looking a little nervous.

Around the globe, lawmakers are scrambling to rein in artificial intelligence, fearing a digital Frankenstein’s monster. But the problem? No one can quite agree on which monster they’re dealing with — or how to shackle it without killing the spark that brought it to life.

Europe: The AI Act is Here, and It Means Business

The EU has locked in its AI Act, the world’s first major attempt at a cross-sector regulatory framework for artificial intelligence. It’s classic Brussels: tiered risk models, sweeping definitions, and enough compliance paperwork to make your chatbot cry. High-risk systems — think facial recognition or algorithmic credit scoring — face tight controls, while general-purpose models like ChatGPT must disclose training data, provide documentation, and prevent unlawful output.

It’s bold, it’s bureaucratic, and it’s already making developers nervous. The result? A brain drain of AI startups testing the waters elsewhere — or geofencing Europe altogether. You can regulate risk, but you can’t regulate innovation into existence.

UK: “Light Touch” with a Side of Confusion

Meanwhile, across the Channel, the UK wants to be the Goldilocks of AI regulation: not too hot, not too cold. The approach is “context-specific” — no overarching law, just guidance for existing regulators. But insiders say the result feels like regulatory hopscotch. Now, the House of Lords is up in arms over data mining for AI training. An amendment that would’ve required consent to scrape copyrighted works was shot down — despite a Beatles-backed campaign. A softer version might still pass.

So far, the UK’s trying to play tech cheerleader and cautious referee. But if everyone’s a stakeholder, who’s actually accountable?

US: States vs Feds, and the Lobbyists Are Winning

In Washington, it’s chaos as usual. President Biden’s Executive Order on AI was a decent start — calling for safeguards around national security and discrimination. But Congress? Still dithering. House Republicans recently tried to sneak a 10-year ban on state-level AI regulation into a tax bill (!), prompting a bipartisan outcry from attorneys general across 40 states. Why? Because the states are the ones doing the real work — regulating facial recognition, policing AI in employment, and pushing back on Big Tech’s black boxes.

Then there’s copyright: The U.S. Copyright Office is in a full existential crisis over whether AI-generated content can be protected and whether training data sourced from creative works amounts to fair use or industrial-scale infringement.

The Rest of Us

Australia, Canada, Singapore — all watching and waiting. Some are rolling out AI ethics frameworks. Others are updating privacy laws or leaning on competition watchdogs. Everyone’s talking transparency, risk, and bias. No one’s solved the training data problem. And no country has yet nailed a working model for how AI intersects with IP rights — especially when the training data is your music, your writing, or your likeness.

Author’s View – The Risk of Overcorrection

AI is scary, sure. But if you treat every algorithm like a grenade, you end up regulating fear, not function. Good regulation shouldn’t make developers hide or flee — it should set standards that encourage safe, creative, accountable use. The IP world knows this better than most: you can reward innovation and protect creators. But try to do both with clumsy laws or reactive bans, and you get what we’re seeing now — paralysis dressed as progress.

And so, here we are: a sad little AI bot, behind bars. Not because it committed a crime. But because the grown-ups can’t agree on the rules.

by

Fortescue vs Element Zero: When Iron Meets IP

In a drama more suited to Silicon Valley than the Pilbara, Fortescue Metals Group is facing off in court against Element Zero, a green-tech startup founded by two of its former senior executives.

The heart of the dispute? Allegations that the ex-Fortescue pair took proprietary technology and confidential know-how with them when they walked out the door — and used it to launch a direct competitor in the decarbonised iron ore space. Fortescue’s claim includes serious accusations of IP theft, misuse of confidential information, and a familiar subplot of boardroom ambition turned courtroom battle.

So far, so standard — but here’s where it gets interesting. Fortescue has been accused of using its size and resources to play the long game, including deploying delay tactics and procedural complexity to push the trial all the way to May 2026. Element Zero has cried foul, claiming it’s a classic case of litigation-as-strategy: slow down the underdog until their innovation pipeline or funding dries up. Whether or not that narrative sticks, it’s a reminder that in IP litigation — particularly in high-stakes tech or science-based fields — process can become a weapon as potent as any cause of action.

The technology at the centre of the case involves so-called “Electra” chemical processes that promise zero-emission iron production — IP that, if proven proprietary to Fortescue, could be worth billions. But this raises a fundamental legal question: what is proprietary in a technical process? And when can it be said to be owned by a company rather than the individuals who helped develop it — especially if no patent has (yet) been granted, and the invention is shrouded in secrecy? In Australia, trade secret protection requires not just that the information be confidential, but that reasonable steps were taken to maintain that confidentiality — and that’s often where cases fall down.

From a broader perspective, this case underscores a key lesson for companies working at the bleeding edge of tech or resource innovation: if your value is in your know-how, then lock it down. IP ownership clauses in employment contracts, internal controls on access, documentation of invention history, and even early patent filing (or defensive publication) can all tip the scales in your favour later. And for founders or executives planning to launch a spinoff? It pays to get early legal advice — because “we came up with it ourselves” won’t hold water if the tech smells a lot like your old job.

Whether this one ends with a licensing deal, an injunction, or just a big legal bill and a few scorched reputations, it’s a timely reminder that the path from lab bench to market often runs straight through the courtroom. In the IP space, fortune favours not just the bold — but the prepared.

by

Sportsgirl Got Sabred

Not a food fight this time, but there’s real passion in fashion in the recent spat between Sportsgirl and high end Sydney brand Maison de Sabre.

Sportsgirl has recently removed from sale some miniature wallets shaped like fruit after Maison de Sabre accused them of copying their products.

Maison de Sabre says that in 2023 it launched its now very popular fruit-shaped charms, which are quite distinctive.  More recently, Sportsgirl started selling miniature wallets, some of which are seen below side by side with the relevant Maison de Sabre products (obviously the Sportsgirl products don’t have “Maison de Sabre” printed on them).

   

Images: Courier Mail

Well, imagine that – Sportsgirl releases some products strikingly similar to Maison de Sabre’s best-sellers. No logos are copied, and the products aren’t passed off by Sportsgirl as being those of Maison de Sabre (we can assume Sportsgirl hung a Sportsgirl label on them), and Maison de Sabre is renowned for these designs. Is Sportsgirl legally in the wrong?

What About Copyright?

In Australia, copyright protects original artistic works. However, once a design is industrially applied—meaning it’s mass-produced—copyright protection typically doesn’t apply. So, if Maison de Sabre’s design has been sold widely, it’s likely not protected by copyright anymore.

Passing Off / Misleading or Deceptive Conduct?

Passing off occurs when one brand misrepresents its products as those of another, causing consumer confusion. But if Sportsgirl clearly branded the products and didn’t suggest any association with Maison de Sabre, it’s challenging to claim passing off.

For the same reasons, it could be difficult to establish misleading or deceptive conduct, or false representations, in breach of the Australian Consumer Law.

Registered Designs: Your Fashion Shield

The most robust protection for product designs in Australia is through registering the design. This grants exclusive rights to the visual appearance of a product.

If Maison de Sabre had registered its designs, it could take action against Sportsgirl for infringement.

⚖️ The Verdict

Without a registered design, and if there’s no misleading branding or consumer confusion, Sportsgirl’s original actions in releasing those products for sale might have been legally permissible (even if not a great look / ethically questionable).

Again, Sportsgirl has withdrawn those products now, so perhaps crisis averted for either party.

It’s still a stark reminder for designers: protect your creations proactively.