Key recent developments in the area of Technology, Media and Telecommunications are summarised below.
Ruling on how to calculate IT employee’s commission
On 31 January 2019, the Supreme Court of New South Wales upheld an appeal by a software sales and services company against the method by which a magistrate had calculated an employee’s entitlement to commission: Dialog Pty Ltd v Sklar  NSWSC 15. The decision serves as a reminder that parties to an employment contract should ensure there is no ambiguity as to the manner in which sales commission is to be calculated. The dispute centred on whether, when calculating the employee’s entitlement to commission on the “gross margin” of revenue which he generated for the company, his base salary and the cost incurred by the employer in providing technical services to clients should be deducted. The employment agreement provided no elaboration on what was intended by “gross margin”. Fagan J determined the meaning of the expression in the context of a business by reference to the Oxford Dictionary, being the “difference between the sales revenue of a business and the costs of sales”. As the employee’s base salary and superannuation, along with the service costs of the company’s technical staff and software engineers, were “specifically and directly a cost of generating the revenue”, they were therefore to be deducted from the revenue generated by the employee’s sales prior to the calculation of commission.
Penalty imposed on Optus for misleading billing information
On 6 February 2019, the Federal Court ordered Optus Mobile Pty Ltd to pay a $10 million penalty to the Commonwealth for making false and misleading representations about an Optus billing service: Australian Competition and Consumer Commission v Optus Mobile Pty Ltd  FCA 106. The Optus billing service enabled Optus customers to purchase digital content from third parties and the associated charges would be billed to them via their Optus accounts. Over a long period of time, a significant number of customers unintentionally purchased digital content through the service and were billed by Optus without their consent. This was due to a range of factors, including Optus failing to implement adequate safeguards against unintentional purchases (customers were not required to verify their identity and/or the details of a purchase in all cases) and by Optus failing to adequately inform customers they had been automatically opted into the relevant service. By applying the associated charges to customer accounts, Optus admitted it made false and misleading representations to customers that they had agreed to acquire the service when that was not the case. Optus admitted it had contravened prohibitions against false and misleading representations in relation to a financial service under the Australian Securities and Investment Commission Act 2001 (Cth). In deciding whether to make the orders sought by the parties, the Court considered whether the amount of the penalty Optus had agreed to pay was appropriate in light of the relevant considerations, including the need for specific and general deterrence and the public interest in parties resolving matters with regulators. The Court considered that Optus was liable for a substantial penalty and ultimately decided $10 million was an appropriate amount. The Court took into account several matters, including that a portion of Optus’ revenue earned through the billing service would have been earned from customers who had in fact agreed to be charged for relevant content (ie, not all customers charged were non-consenting), Optus has already paid around $8 million in refunds and Optus had begun to implement a customer refund program.
No privacy breach by government in its use of prisoner information
On 6 February 2019, the Victorian Civil and Administrative Tribunal (VCAT) dismissed a complaint that a State government department had misused sensitive information relating to a prison inmate: SET v Department of Health and Human Services  VCAT 113. The complainant was concerned that personal information relating to his criminal history, contained in a report prepared by the Department for a conciliation conference relating to the placement of his grandchildren, had been provided to his son. He asserted that this contravened Information Privacy Principle 2.1(a) which limits the disclosure of personal information to the primary purpose of collection and, in the case of sensitive information, secondary purposes directly related to the primary purpose. The Tribunal concluded that the disclosure was in fact confined to the primary purpose of collection, namely, the welfare of the children. The Department’s investigative role included reporting any welfare concerns to the Children’s Court, and it was obliged to provide a copy of its report to the father of the children in accordance with Guidelines issued by the Court. The question of whether the disclosure amounted to use of the information for a secondary purpose accordingly did not arise.
Software copyright decision by Federal Circuit Court overturned
On 26 February 2019, the Federal Court of Australia remitted a software copyright infringement decision for rehearing by the Federal Circuit Court after finding that the primary judge’s rulings were unsupported by sufficient evidence: CPL Notting Hill Pty Ltd v Microsoft Corporation (No 2)  FCA 223. The matter concerned the award of $2.5m damages by the primary judge who found that the appellants had, amongst other things, reproduced certain unlicensed Microsoft software when selling computers with pre-installed Microsoft programs. O’Callaghan J determined that the primary judge had made findings of fact which were not open to the court. It followed that an award of damages by the primary judge under section 115(2) of the Copyright Act for infringement of copyright was not an available remedy, nor was the award of additional damages under section 115(4). In the latter regard, his honour observed that the discretion of the court to award “additional” damages meant damages which were “additional to damages assessed and awarded under section 115(2)” and hence, if no damages could be awarded under section 115(2), section 115(4) could not be enlivened. Noting that the primary judgement had been delivered ex tempore, his honour commented that whilst there were some occasions when the delivery of ex tempore reasons may be necessary or desirable, “this was not one of them”.
Bill seeks to curb exemptions for unwanted direct marketing activity
On 13 February 2019, legislation was tabled the Senate by Senator Stirling Griff of the Centre Alliance Party which sought to address mounting customer complaints about two existing exemptions from direct marketing communications – unwanted calls from politicians and charities, Under the Spam Act 2003, unsolicited commercial electronic messages (that is, emails and text messages) are prohibited unless categorised as a “designated electronic message” under Schedule 1, and this category includes communications from a “registered political party”. Under the Do Not Call Register Act 2006, an exemption applies to telemarketing calls made by registered charities to numbers listed on the Do Not Call Register. Under the Telecommunications Legislation Amendment (Unsolicited Communications) Bill 2019, all electronic messages containing electoral matter, as defined in section 4AA of the Electoral Act 1918, would be required to contain a functional unsubscribe facility, whilst consumers would be given the ability to specifically “opt out” of telemarketing calls from registered charities by specifying that their number is not a “charity-contactable number”.
Legislation tabled to introduce Consumer Data Right
On 13 February 2019, the Treasury Laws Amendment (Consumer Data Right) Bill 2019 was tabled in the House of Representatives. As previously reported, the CDR will give both individual and business consumers expanded rights of access to data held about them by businesses. It will also give such consumers access to data about products and enable them to share such data with accredited third party recipients. The CDR is a mechanism for enabling individual and business consumers to access information about themselves and about their service providers’ products, and to direct their existing service provider to share that information with other service providers. It is proposed that initially the CDR will be confined to the banking sector, with telecommunications providers and energy companies to follow. The CDR enables consumers to access a broader range of information than is currently provided for by Australian Privacy Principle (APP) 12 in the Privacy Act 1988 (Cth). While APP 12 allows individuals to access “personal information” about themselves, the CDR applies to data that relates to businesses as well as individuals and provides access to information about a service provider’s products as well. As the CDR embraces competition and consumer matters, the new scheme would be regulated jointly by the Australian Competition and Consumer Commission and the Office of the Australian Information Commissioner. The Bill was referred to the Economics Legislations Committee for report by 18 March 2019.
Queensland criminalises “revenge porn”
On 21 February 2019, the Criminal Code (Non-consensual Sharing of Intimate Images) Amendment Act 2019 came into effect in Queensland, amending the Criminal Code by introducing a range of new offences relating to what is loosely described as “revenge porn”. A new section 223 establishes a misdemeanour of “distributing intimate images” which attracts a maximum penalty of 3 years’ imprisonment, whilst penalties are increased by sections 227A and 227B for the existing offences of relating to “observations or recordings in breach of privacy”, and the distribution of “prohibited visual recordings”. A new section 229A penalises threats to distribute intimate images or prohibited visual recordings. The term “intimate image’ is defined in section 207A, and extends to photoshopped images and section 223(2) expressly provides that a person under the age of 16 years is incapable of providing consent for the distribution of intimate images.
Treasury Issues Paper seeks feedback on “Initial Coin Offerings”
In January 2019, the Treasury released its Initial Coin Offerings Issues Paper. The paper emphasised the Australian government’s aspiration of becoming a global leader in financial innovation, including with respect to the regulatory aspects of an Initial Coin Offering (ICO). Although ICOs have some parallels with Initial Public Offerings, venture capital and crowdfunding, the ways in which they are structured can be quite distinct from existing forms of capital raising. These distinctions are seen to be testing regulatory frameworks around the world. The Issues Paper sought the views of interested parties on the opportunities and risks posed by ICOs for Australia; whether Australia’s regulatory framework is well placed to allow those opportunities to be harnessed whilst appropriately managing the associated risks; and, whether there are other actions that could be taken to best position Australia to capitalise on new opportunities. Specifically, the Issues Paper posed questions relating to the categorisation of ICO tokens, the drivers of the ICO market (including distributed ledger technology, investor speculation and the growth of digital token exchanges), and the opportunities and risks for industry, consumers, investors, and the economy at large. Responses to the Issues Paper were sought by 28 February 2019.
Consultation paper on “Software as a Medical Device”
The Therapeutic Goods Administration (TGA) recently issued a consultation paper outlining proposed regulatory reforms to software used as a medical device which is not associated with a physical device. Software of this kind is known as “Software as a Medical Device” or “SaMD”. SaMD operates on general computing platforms (including mobile devices) and is used for a purpose which is consistent with the definition of a “medical device” in the Therapeutic Goods Act 1989 (Cth). A SaMD product may be used, for example, to analyse medical images and provide information to assist a clinician diagnose and treat a patient. SaMD may be contrasted with medical device software which is embedded into and/or which controls a physical medical device. The proposed reforms seek to address several regulatory problems, including the ability of individuals to currently acquire SaMD products from overseas suppliers which are not included in the Australian Register of Therapeutic Goods (ARTG) and which do not therefore have a local sponsor with responsibility for the product. The TGA proposes a new classification system for SaMD products based on their associated risk of harming patients, excluding SaMD products from the personal importation exemption provisions (which would require all SaMD to be included on the ARTG and have a local sponsor), and clarifying the relevant regulatory requirements for demonstrating the safety and performance of SaMD products. We have reported in more detail on the TGA’s proposed reforms here. The consultation period is due to end on 31 March 2019.
Queensland Information Commissioner assesses the adequacy of privacy training for government employees
On 12 February 2019, the Office of the Information Commissioner in Queensland issued a report under section 135 of the Information Privacy Act 2009 (Qld) on the adequacy of privacy training by three Queensland government agencies – the Department of Communities, Disability Services and Seniors, TAFE Queensland and the Public Trustee: Awareness of Privacy Obligations: How three Queensland Government Agencies Educate and Train their Employees about their Privacy Obligations. The Commissioner concluded that the effectiveness of training varied amongst the agencies concerned, reflecting different training content, different requirements for completing the training and different processes for ensuring that employees completed the training. The content of training I formation was accurate in the case of each agency, but did not necessarily include all relevant elements. Furthermore, whilst the agencies ran various internal awareness campaigns, their ultimate utility was questionable in the absence of mandatory, periodic refresher training. The Commissioner’s findings contain a relevant message not only for Australian governments but also for the private sector in relation to the need for appropriate and effective privacy awareness training.
ACCC releases discussion paper on extension of Consumer Data Right to the energy sector
On 25 February 2019, the Australian Competition and Consumer Commission (ACCC) issued a discussion paper as part of the consultation process on how best to apply the new Consumer Data Right (CDR) to the energy sector: Consumer Data Right in Energy: Consultation paper – Data Access Models for Data Energy. As we have previously reported, and as mentioned also in this Update, the CDR data portability scheme will be phased into the banking sector over a period of two years from 1 July 2019, to be followed by a CDR applicable to the energy and telecommunications sectors. The ACCC is now seeking comments on three proposed models for consumers to access their data in the energy market, noting that one complication unique to the energy sector is that energy data relating to an individual may be held by a number of organisations and it may not be possible for a single entity to provide sufficient data alone. “Model 1” proposed by the ACCC contemplates a centralised model under which the Australian Energy Market Operator (AEMO) would be the sole holder of a centralised data set, to be shared by AEMO with accredited data recipients via Application Programming Interfaces. Model 2 contemplates AEMO performing a gateway function, acting as a pipeline for the provision of CDR data from data holders which may include retailers and potentially also distributors, to accredited data recipients. Model 3 is described as “the economy-wide CDR model”, involving existing data holders (e.g. retailers) being responsible for providing CDR data directly to accredited data recipients and/or consumers (this is in effect the model used for the banking sector). Submissions on the options were due to close on 22 March 2019.
Treasury releases Privacy Impact Assessment on proposed Consumer Data Right
On 1 March 2018, the Treasury released the second version of its Privacy Impact Statement for the proposed CDR in accordance with the Privacy (Australian Government Agencies – Governance) APP Code 2017 and the Office of the Australian Information Commissioner’s Guide to Undertaking Privacy Impact Assessments (PIA). In addition to our comments above, we have commented previously on the CDR and the Commonwealth agencies’ APP Code. Whilst acknowledging that the CDR offered individuals a range of benefits relating to privacy, competition, convenience and choice, the PIA also highlighted a number of potential threats which “could lead to substantial financial, personal and emotional loss” if not carefully monitored. The PIA contained 10 recommendations, emphasising the need for ongoing behavioural research and consumer testing regarding the design of the CDR system (Recommendation 1), the creation of rules which would ensure that consent is genuine and protects vulnerable individuals (Recommendation 3), the importance of rules and standards remaining across sectors as the scheme progresses beyond the banking industry (Recommendation 5) and the need to ensure that CDR data held by data recipients is not inappropriately accessed by the data recipient’s employees (Recommendation 6).
Government releases data sharing guide
On 15 March 2019, the Department of the Prime Minister and Cabinet released a Best Practice Guide to Applying Data Sharing Principles. The guide is intended to assist government agencies in determining how to share public sector data under their control in a manner which maintains the requisite degree of privacy and security. The Guide draws upon five Data Sharing Principles developed by the Office of the National Data Commissioner and the Australian Bureau of Statistics, an initiative which in turn drew upon the internationally recognised Five Safes Framework. The five Data Sharing Principles are:
- Projects: Data is shared for an appropriate purpose that delivers a public benefit;
- People: The user has the appropriate authority to access the data;
- Settings: The environment in which the data is shared minimises the risk of unauthorised use or disclosure;
- Data: Appropriate and proportionate protections are applied to the data; and
- Output: The output from the data sharing arrangement is appropriately safeguarded before any further sharing or release.