Key developments in the area of Technology, Media and Telecommunications (TMT) over the past two months are summarised below.
Optus fined for misleading consumers
On 22 May 2018, the Federal Court of Australia imposed a pecuniary penalty of $1.5m on Optus Internet Pty Ltd arising out of misleading notifications provided to customers regarding their switch to the National Broadband Network: Australian Competition and Consumer Commission v Optus Internet Pty Ltd  FCA 777. Over a period of 18 months, Optus had advised customers that their Optus Internet service would be disconnected on a specific date or within a specific period and that it would be necessary to acquire NBN based services from Optus Internet in order to continue receiving home telephone and/or internet. Following the commencement of proceedings by the Australian Competition and Consumer Commission, Optus admitted that its notifications contravened sections 18 and 29(1)(m) of the Australian Consumer Law on the basis that they were misleading or deceptive in relation to the supply of services. Specifically, it was conceded that customers had fixed term contracts which could not be cancelled before the end of the term, and there was no requirement for NBN services to be acquired through Optus as opposed to other retail service providers.
Online advertiser fined for unconscionable conduct
On 28 May 2018, the Federal Court of Australia imposed substantial penalties on an online advertising company and its sole director for unconscionable conduct in the conduct of its sales strategy: Australian Competition and Consumer Commission v ABG Pages Pty Ltd  FCA 764. The respondent conceded that it had engaged in unconscionable conduct by misleading potential customers as to the number and nature of the businesses which advertised on its directory, for engaging in high-pressure sales tactics and by failing to explain to potential customers that the stated duration of the contract would automatically renew unless they gave written notice before a specified number of days prior to an unspecified renewal date. Rangiah J imposed pecuniary penalties totalling $300,000 on the company, $40,000 on the director and $25,000 jointly and severally on both respondents. Other orders included a 5 year injunction on the company and the director from making similar representations, a requirement for the company and the director to undergo a compliance program and a disqualification of the director from managing a corporation for 5 years.
Privacy Commissioner clarifies scope of APP 6.2
On 29 May 2018, the Office of the Australian Information Commissioner issued a statement regarding the right of a government department to release personal information in order to correct the record following public criticism by an individual. The Commissioner’s decision related to the release by Centrelink of personal information about a journalist who had published an opinion piece criticising the Centrelink debt recovery system for seeking recovery of a debt which she did not owe. The Privacy Commissioner accepted Centrelink’s contention that its disclosure n rebuttal fell within Australian Privacy Principle 6.2(a) on the basis that it was a secondary purpose which an individual in the complainant’s position should have “reasonably expected”. Citing the APP Guidelines which in turn reflected a previous determination by in L v Commonwealth Agency  PrivCmrA14, the Commissioner concluded that “a person who complains publically about an agency in relation to their circumstances (for example, to the media) is considered to be reasonably likely to be aware that the agency may respond publically – and in a way that reveals personal information relevant to the issues they have raised”. The decision has caused a degree of consternation amongst privacy advocates.
Domain companies fined for ACL breaches
On 14 June 2018, the Federal Court ordered that two domain companies pay combined penalties of $1.95 million for breaches of the Australian Consumer Law. The Court found that Domain Corp Pty Ltd and Domain Name Agency Pty Ltd had, over a period of approximately 18 months, sent out approximately 300,000 unsolicited notices to businesses which had the appearance of renewal invoices for an existing domain name. In fact, the notices involved the registration of a new domain name at a cost of between $249 –$275 each. The Court found that Australian businesses and organisations had paid approximately $2.3 million to the respondents during the period in question as a result of receiving the notices. The Court imposed 3 year injunctions against each domain company and a 5 year injunction against the sole director of both companies who was found to have been knowingly concerned with the corporations’ conduct. The sole director was also disqualified from managing a corporation for 5 years and ordered to pay costs to the ACCC.
Apple US fined for misleading Australian consumers
On 18 June 2018, the Federal Court ordered Apple Inc. (Apple US) to pay $9 million in penalties for making false or misleading representations to customers with faulty iPhones and iPads about their rights under the Australian Consumer Law. Proceedings had been instituted by the ACCC following an investigation of complaints relating to “error 53” which disabled some iPhones and iPads after owners downloaded an update. Apple US advised its Australian customers that they were no longer eligible for a remedy if their device had been repaired by a third party. This statement contravened section 64 of the Australian Consumer Law which prohibits the exclusion of consumer guarantees. Of equal significance to overseas suppliers was the Court’s declaration that Apple US, as a multi-national parent company, was responsible for the conduct of its Australian subsidiary.
Cabinet information exempt from GIPA Act disclosure
On 28 June 2018, the NSW Civil and Administrative Tribunal affirmed and applied the principle that, for the purposes of the Government Information (Public Access) Act 2009 (NSW), Cabinet material is to be considered differently to other information under the Act: Park vs Transport for NSW (No. 2)  NSW CATAD 134. The proceedings related to a request for specific information on the Sydney Light Rail Project, in respect of which the respondent declined to release certain documents which it contended fell within the definition of “Cabinet information”. The Tribunal declined to consider whether the public interest favoured disclosure or non-disclosure. Senior member McAteer followed the reasoning in D’Adam vs NSW Treasury  NSWCATAD 68 who had observed that “a special and very different decision-making matrix” applied to Cabinet information, with the respondent only required to establish that there were reasonable grounds for asserting that the information constitutes “Cabinet or Executive Council information” and thereby establishing the presumption of an overriding public interest against disclosure. Where the respondent establishes on reasonable grounds that the documents fall within this category, the Tribunal is not required, and has no authority, to apply a public interest test.
Global Data Protection Regulation (GDPR) commences
On 25 May 2018, the European Union’s General Data Protection Regulation (“GDPR”) came into effect. Its primary objective is to harmonise data protection laws across the EU. In the process, existing EU data protection laws have been updated, and Australian organisations with European connections may in some circumstances be required to adjust their existing privacy practices in order to comply. To a certain extent, Australian businesses will met the GDPR requirements if they comply with the Australian Privacy Principles but there is nevertheless a gap in areas relating to accountability and governance, consent, mandatory data breach notification, the right of erasure, data portability and the right to object. For more detailed information, see the article on our website, Impact of the EU Global Data Protection Regulation in Australia.
New Credit Reporting Code released
On 27 June 2018, the Australian Information Commissioner approved the Privacy (Credit Reporting) Code 2014 (Version 2). The existing Code, Version 1.2, was repealed and replaced by the new Version 2, with effect from 1 July 2018. The Credit Reporting Code is a requirement of Part IIIB Division 3 of the Privacy Act 1988, and must set out how the provisions of Part IIIA are to be applied or complied with. The Code does not, however, encompass all aspects of Part IIIA and accordingly compliance with the Code alone will not achieve full compliance with the credit reporting requirements set out in the Privacy Act. The new Code essentially introduces only minor and technical variations to the previous Code, implementing recommendations and observations made in the Review of Privacy (Credit Reporting) Code 2014 (V1.2) Report dated 8 December 2017 which was commissioned from PricewaterhouseCoopers.
Revenge porn reforms in Western Australia
On 28 June 2018, the Criminal Law Amendment (Intimate Images) Bill 2018 WA was introduced by the Western Australian Attorney-General in the Legislative Assembly. The Bill seeks to amend the Criminal Code by introducing offences of distributing an intimate image and threatening to distribute an intimate image. An “intimate image” is broadly defined and extends to images in digital form, either online or on a hardware storage device and in any other technological format which may exist now or in the future. The new offence is punishable by a term of imprisonment of up to 3 years. A range of defences exist, including distribution for a “media activity purpose”, whereby the image is distributed for a media activity purpose without the intention of causing harm to the person depicted and in the reasonable belief that the distribution is in the public interest.
Restrictions on misuse of national security information increased
On 29 June 2018, the National Security Legislation Amendment (Espionage and Foreign Interference) Act 2018 (Cth) came into effect. The legislation amends the Criminal Code Act 1995, the Crimes Act 1914, the Telecommunications (Interception and Access) Act 1979 and the Inspector-General of Intelligence and Security Act 1986. The legislation amends key offences dealing with threats to national security and gives particular focus to the mishandling of confidential information. The legislation strengthens existing espionage offences, reforms the Commonwealth’s secrecy offences in order to more comprehensively criminalise the leaking of harmful information, and introduces a new “theft of trade secrets” offence with the objective of protecting Australia from economic espionage by foreign government principals. In relation to the mishandling of information specifically, the legislation amends part 5.2 of the Criminal Code to introduce comprehensive new espionage offences in Division 91, criminalising a broad range of dealings with information including possessing or receiving and targeting not only persons who disclose the information but also the actions of a foreign principal who receives the information. Division 91 also introduces a new offence of soliciting or procuring a person to engage in espionage and introduces a new preparation or planning offence to allow law enforcement agencies to intervene at an earlier stage than has previously been possible.
Ipso facto reforms
From 1 July 2018, amendments to the treatment of ipso facto clauses came into effect. Specifically, the Treasury Laws Amendment (2017 Enterprise Incentives No. 2) Act 2017 Cth introduced Parts 5.1, 5.2 and 5.3A into the Corporations Act. An “ipso facto clause” permits termination of a contract by one party if the other party is subject to an insolvency event, and the effect of the amendments is to introduce a stay period (the length of which varies depending upon the type of insolvency event) in order to provide a company with the opportunity to trade out of its difficulties. Pursuant to the same amending legislation, reforms were previously introduced on 11 September 2017 which provided directors with a “safe haven” against personal liability for insolvent trading under certain conditions. For more detail, see the article on our website, Australia’s ipso facto reforms have serious consequences for IP Agreements.
Commonwealth government privacy code commences
On 1 July 2018, the Privacy (Australian Government Agencies – Governance) Code commenced. As previously reported, the Code, which was developed by the Australian Information Commissioner in accordance with section 26G of the Privacy Act, imposes obligations on Commonwealth government agencies which are additional to their existing obligations under the Australian Privacy Principles. The Code expands upon the manner in which public sector agencies must meet the requirements of APP 1. APP 1 implicitly promotes a “privacy by design” approach which ensures privacy compliance is included in the design of an entity’s information systems and practices. Of particular significance, the Code requires each agency to have a privacy management plan, a designated privacy officer and a designated “privacy champion”, the latter being a senior official within the agency with the role of promoting a culture of privacy and providing leadership on strategic privacy issues. The Code also requires agencies to conduct Privacy Impact Assessments for all high privacy risk assessments, and to include appropriate privacy training in any staff induction program.
New mandatory comprehensive credit reporting laws imminent
The National Consumer Credit Protection Amendment (Mandatory Comprehensive Credit Reporting) Bill 2018, supported by the Mandatory Comprehensive Credit Reporting Regulations, is currently before the Senate. The legislation seeks to amend the Credit Act to mandate a comprehensive credit reporting regime. Under this mandatory regime, Authorised Deposit-taking Institutions will be required to provide comprehensive credit information on open and active consumer credit accounts to certain credit reporting bodies. The legislation will also expand ASIC’s powers to monitor compliance with the mandatory regime. Since March 2014, the Privacy Act has allowed credit providers and credit reporting agencies to use and disclose “comprehensive credit information” about a consumer (such as the number of credit accounts a person holds, the maximum amount of credit available to a person and an individual’s repayment history) but such disclosure had not been mandated. Acting on recommendations from the Murray Inquiry and the Productivity Commission, the legislation has the objective of enabling credit providers to obtain a more comprehensive view of a consumer’s financial situation so as to ensure responsible lending practices.
Draft legislation for data sharing released
On 5 July 2018, the Department of the Prime Minister and Cabinet released a consultation paper entitled New Australian Government and Data Sharing and Release Legislation. The consultation paper, which calls for responses by 1 August 2018, foreshadows the introduction of a Data Sharing and Release Bill. The Bill is a manifestation of the government’s earlier response to recommendations by the Productivity Commission in May 2017, which we have previously reported upon, recommending the introduction of new procedures to facilitate the public disclosure of certain formation in the public interest whilst maintaining appropriate privacy, confidentiality and security safeguards. The proposed legislation contemplates the establishment of a National Data Commissioner and the introduction of a Consumer Data Right. The government had previously announced, in May 2018, the introduction of a Consumer Data Right, a form of data portability, to be applied to all major banks from 1 July 2019 with respect to data applicable to credit and debit cards and deposit and transaction accounts. The regime would be extended to mortgages by 1 February 2020, and all other banking products by 1 July 2020. Remaining banks would follow within 12 months, and the scheme would subsequently be rolled out to the energy and telecommunications sectors. The objective is to provide customers with improved access to their own data and an ability to insist that it be transmitted in usable form to potential competitor organisations for comparative purposes.
Revised data sharing rules for insurers
Effective from 1 July 2018, the Private Health Insurance (Data Provision) Rules 2018 revoke and remake the previous Private Health Insurance (Data Provision) Rules 2017. The rules are made pursuant to section 333-20 of the Private Health Insurance Act 2007 and clarify the obligation of private health insurers to disclose certain data about the treatment of insured patients in de-identified form to the Department of Health. In order to maintain the privacy of individuals, the Act makes it an offence for a person to disclose protected information to another person if that information was obtained in the course of performing a duty, function or power under the Act.
Opt-out period for My Health Record commences
From Monday 16 July 2018, a 3 month opt-out period for the Federal government’s My Health Record system commenced. We have previously reported that the scheme, involving an electronic summary of an individual’s health information which can be shared online between health care providers, was to be converted from an “opt-in” model to an “opt-out” model due to the disappointingly low level of optional participation since the inception of the scheme in 2012. On 15 October 2018, at the conclusion of the current 3 month opt-out period, a My Health Record will be created for any individual who has not opted-out by that time. The new arrangements have attracted adverse comment from the medical and security sectors which have expressed concerns about the privacy implications of security breaches.