Key recent developments in the area of Technology, Media and Telecommunications are summarised below.
Access to infringing music video websites blocked by Federal Court injunctions
On 27 May 2019, Perram J in the Federal Court delivered reasons in support of his earlier decision to grant injunctions requiring a number of internet service providers to block access to websites involved in “industrial scale” copyright infringement in connection with music videos: Australasian Performing Rights Association Ltd v Telstra Corporation Limited  FCA 751. The websites enabled users to circumvent restrictions on YouTube which only allowed users to stream (and not download) the relevant music videos. The websites allowed users to “rip” (download) music files from the videos, which infringed copyright because it reproduced and communicated to the public online the corresponding musical works and sound recordings. The court held this was “self-evidently” the primary purpose of the websites based on a “quick inspection” and likely to be their “exclusive purpose and effect”. The websites had been the subject of blocking orders in other jurisdictions. His honour considered this to be an instance of “blatant piracy” and that the case for injunctive relief was “overwhelming”.
Collection of Opal Card data does not infringe State privacy legislation
We have previously reported that in August 2018, an Appeal Panel of the New South Wales Civil and Administrative Tribunal set aside a decision of the Tribunal to the effect that collection of travel history data concerning an individual’s movements when using a registered Gold Opal Card infringed the Privacy and Personal Information Act 1998 (NSW). The Appeal Panel determined that it would conduct a re-hearing, and on 18 April 2019 it delivered its findings. The Appeal Panel determined that collection of personal information under these circumstances in fact did not constitute an unlawful collection of data and hence did not infringe section 8(1)(a) of the Act: Transport for New South Wales v Waters (No 2)  NSWCATAP 96. The Appeal Panel accepted that the individual’s travel data constituted personal information at the time of collection by a smart card reader because his identity could “reasonably be ascertained” by interrogating the registration database, but it further found that the collection of such information was reasonably necessary in order to achieve the primary purpose of collection, namely, to calculate and charge each customer the correct fare, to make payments to transport operators and to otherwise manage the ticketing system.
CCTV footage at correctional institution does not necessarily reveal personal information
On 14 June 2019, the New South Wales Civil and Administrative Tribunal ruled that the granting of access to CCTV vision taken at a correctional centre would not result in a breach of Information Privacy Principle 18 of the Privacy and Personal Information Protection Act 1998 (NSW) (the “PPIP Act”) because it was possible for the faces of data subjects to be redacted, albeit at some cost: Seremetis v NSW Department of Justice  NSWCATAD 118. The issue arose in the context of an application for release of video images under the Government Information (Public Access) Act 2009 (NSW) (the “GOPA”). The applicant was seeking CCTV footage of movement between specified areas within the Metropolitan Remand and Reception Centre where he alleged he had been assaulted. The government argued that access should be denied on the basis that use of CCTV footage in this manner would involve usage for reasons inconsistent with the original purpose of collection, contrary to Principle 18 of the PPIP Act. The Tribunal rejected the government’s argument on this point but nevertheless held that access should be denied on other public interest grounds, namely, that release of the footage could disclose camera angles and reveal other security information which could compromise public safety, stating that “the safe and secure custody of inmates and the supervision of those inmates is very significant and anything which has a detrimental impact on that should be avoided where possible”.
Tougher penalties proposed for social media and online platforms
On 24 March 2019, the federal government foreshadowed tougher penalties relating to online privacy. Amendments to the Privacy Act 1988, which would be introduced in the second half of 2019, would see an increase in penalties for all entities covered by the Act, including social media and online platforms operating in Australia, to $10 million or three times the value of any benefit obtained through the misuse of information or 10 per cent of a company’s annual domestic turnover – whichever is the greater. The Office of the Australian Information Commissioner would be provided with new infringement notice powers backed by new penalties of up to $63,000 for bodies corporate and $12,600 for individuals for failure to cooperate with efforts to resolve minor breaches. Social media and online platforms would be required to stop using or disclosing an individual’s personal information upon request, and specific rules would be introduced to protect the personal information of children and other vulnerable groups. The proposed draft legislation would also incorporate any relevant findings of the current Digital Platforms inquiry by the Australian Competition and Consumer Commission which is due to issue its final report in June 2019.
Draft Consumer Data Right Rules released for comment
On 29 March 2019, the Australian Competition and Consumer Commission released an exposure draft of the Competition and Consumer (Consumer Data) Rules 2019. We have commented previously on the proposed introduction of a Consumer Data Right (“CDR”), confined initially to the banking sector. Although the enabling legislation has not yet been passed (the Treasury Laws Amendment (Consumer Data Right) Bill 2019 lapsed on 11 April 2019 when Parliament rose for the federal election, and must now be re-introduced), the ACCC is anxious to enable the banking sector to commence planning for the anticipated introduction of the CDR on 1 July 2019. The Rules emphasise that there are three ways in which requests for data can be lodged – either by means of a product data request (that is, a request for product data using a specialised service provided by the data holder), a consumer data request made by a CDR consumer (a request for CDR data made by the consumer direct to the data holder) or a consumer data request made on behalf of a CDR consumer (a request for CDR data made by an accredited person on behalf of the consumer). The Rules would only apply in relation to certain classes of product and consumer CDR data as set out in Schedules to the Rules. Schedule 2 relates to the banking sector. Initially, the new rules would apply only in relation to certain products that are offered by certain data holders within the banking sector, but will be progressively expanded to cover a broader range of data holders and products.
Carve outs proposed for Consumer Data Right
We have previously reported on the proposed introduction of a Consumer Data Right, effective within the banking industry from 1 July 2019. The object is to provide customers with greater control over their data by introducing a form of data portability. On 14 June 2019, the government released for public consultation the second version of a draft Open Banking Designation Instrument for the application of the Consumer Data Right to the banking sector. The first stage of consultation was held from 23 September 2018 to 12 October 2018. The second stage of consultation responds to concerns raised in the first stage regarding the breadth of the scheme by suggesting the carve out of “materially enhanced information”. “Materially enhanced information” would be data having enhanced value as the result of the application of insight, analysis or transformation by the data holder, and which would not be subject to mandatory disclosure. The Designation Instrument includes an example list of banking data sets that are not ”materially enhanced”, and Treasury is specifically seeking additional examples as part of the current consultation.
New offence created for permitting “abhorrent violent material” on the internet
On 4 April 2019, the Criminal Code Amendment (Sharing of Abhorrent Violent Material) Bill 2019 was passed by the federal parliament. The legislation, which was passed in the wake of the Christchurch terrorist attack of 15 March 2019, amended the Criminal Code Act 1995 to introduce new offences to ensure that internet, hosting or content service providers have a positive obligation to refer abhorrent violent material to law enforcement, and to expeditiously remove abhorrent violent material that is capable of being accessed within Australia. “Abhorrent violent material” may comprise audio, visual, or audio-visual material which is recorded or streamed by a perpetrator or an accomplice. It must be material that reasonable persons would regard as being offensive, and must be recorded or streamed in the course of engaging in a terrorist attack, murder or attempted murder, torture, rape or kidnapping. The amendment provided a new power to the eSafety Commissioner to issue a written notice to a provider of a content service or hosting service, notifying them that abhorrent violent material can be accessed by or is hosted on their service, thus creating a presumption that then provider has been reckless as to whether the specified material could be accessed from the service.
“Small business” status removed from company allegedly engaged in privacy violations
On 4 April 2019, Aussie Farms, Inc was prescribed by Regulation as being an organisation subject to the Privacy Act 1988 (Cth), even though it has an annual turnover of less than $3m and would otherwise qualify for the small business exemption: Privacy Amendment (Protection of Australian Farms) Regulations 2019. Under section 6E(1) of the Act, a small business operator may be prescribed for this purpose. Aussie Farms is an animal welfare organisation which has published on its website information about certain Australian farms and agricultural operators. The information has included personal contact details, locations, images and other specifics. According to the Explanatory Statement, “publication of the personal information has caused deep concern within Australia’s agricultural community due to fears that farmers’ property or families may be inappropriately targeted and subject to activity that threatens their livelihood”. Subsequently, on 8 April 2019, the Attorney-General asserted that Aussie Farms was continuing to act in a manner contrary to the Privacy Act, and formally referred the alleged breach to the Privacy Commissioner for investigation.
New mandatory wording for consumer contracts
On 8 June 2019, new mandatory wording will be required in consumer contracts which contain “warranties against defects”. This is of particular significance to online service providers. “Consumer contracts” (relevantly, contracts for the provision of goods or services up to the value of $40,000) are subject to non-excludable consumer guarantees under Part 3-2 the Australian Consumer Law. A “warranty against defects”, as defined in section 102(3) of the ACL, is an additional and separate warranty offered by the supplier. The purpose of the mandatory wording is to ensure that consumers are not led to believe that the “warranty against defects” is their only remedy. Mandatory wording already exists in relation to the supply of goods under a consumer contract which contain a warranty against defects, and the new wording, contained in amendments to Regulation 90 of the Competition and Consumer Regulations 2010 which were introduced by the Competition and Consumer Amendment (Australian Consumer Law Review) Regulations 2018, now extends this requirement to cover contracts for the supply of services, and contracts for the supply of both goods and services.
Privacy of teacher data in the ACT considered in the context of new educational information sharing scheme
New legislation tabled in the Australian Capital Territory Legislative Assembly on 6 June 2019 for the regulation of teachers and trainee placements has sought to strike a balance between the interests of the profession and the privacy rights of teachers. The ACT Teacher Quality Institute Amendment Bill 2019 requires pre-service teachers to apply for approval with the ACT Teacher Quality Institute to undertake professional experience in a school in the ACT during pre-service teacher education, and establishes a framework for the approval of pre-service teachers for this purpose. The Bill authorises the Institute to provide pre-service teacher information to principals and universities, to collect data about the current workforce profile of teachers in order to inform teacher workforce planning, and to enable the Institute to provide pre-service teacher data and teacher workforce data to a research agency or a data linkage agency approved by the Minister to inform teacher workforce planning, subject to conditions about use of the data to protect the privacy of individuals. The Explanatory Memorandum addresses in detail the need to balance the broader objectives of the Bill with the specific privacy rights of individual teachers, concluding that adequate constraints on the handling of personal data are already contained in the Information Privacy Act 2014 (ACT).
AHPRA not subject to PPIP Act in the context of complaint handling
On 24 May 2019, the New South Wales Civil and Administrative Tribunal ruled that the Privacy and Personal Information Protection Act 1998 (NSW) (the PPIP Act) does not apply to the Australian Health Practitioner Regulation Agency (AHPRA) in the context of the complaint handling and resolution processes established under Part 8 of the Health Practitioner Regulation National Law (NSW) (the National Law): CEU v Australian Health Practitioner Regulation Agency  NSWCATAD 94. AHPRA is the national agency established under s 23 of the National Law to provide administrative assistance and support to 15 National Health Practitioner Boards that are responsible for regulating the health professions, including the Nursing and Midwifery Board of Australia. In 2015, the applicant had made an anonymous complaint to AHPRA against the Nursing Faculty of the University of Technology Sydney (UTS). The applicant asserted that, contrary to her request not to do so, AHPRA forwarded the complaint to UTS. The applicant lodged a privacy internal review application to AHPRA in November 2018 but AHPRA refused to investigate, advising her that the Nursing and Midwifery Council of NSW and the Health Care Complaints Commission were the appropriate review bodies. Section 6 of the Health Practitioner Regulation (Adoption of National Law) Act 2009 (NSW) declares that NSW is not participating in the health, performance and conduct process provided by Divs 3-12 of Part 8 of the National Law. AHPRA also denied forwarding the complaint to UTS. The Tribunal accepted that the PPIP Act did not apply to AHPRA in the context of the complaint handling and resolution processes established under Part 8 of the National Law for health practitioners and students in New South Wales, and that the decision of AHPRA that it was not required to conduct an internal review into that conduct under s 53 of the PPIP Act was correct.