AFP’s use of facial recognition service provider found to be a privacy breach
On 26 November 2021, the Privacy Commissioner determined that the Australian Federal Police (AFP) interfered with the privacy of individuals whose personal information was disclosed to a third party facial recognition service provider: Commissioner Initiated Investigation into the Australian Federal Police (Privacy)  AICmr 74. As we have previously reported, in an earlier decision the Commissioner found that Clearview AI had infringed a range of Australian Privacy Principles (APPs) by scraping individuals’ biometric information from the internet and disclosing it through a facial recognition tool. Relatedly, Clearview AI provided free trials of the facial recognition tool to several members of the Australian Centre to Counter Child Exploitation (ACCCE), an organisation led by the AFP, after ACCCE members became aware that other law enforcement agencies had used the facial recognition tool to successfully identify several individuals. Following this, the trial participants uploaded various images to the facial recognition tool, including images of possible persons of interest, an alleged offender, victims, members of the public and members of the AFP. The Commissioner was satisfied that images uploaded to and disclosed by that tool were “personal information” as defined in the Privacy Act. Given the AFP’s use of the tool was a high privacy risk project under the Australian Government Agencies Privacy Code (the Code), the AFP’s failure to conduct a Privacy Impact Assessment (PIA) resulted in a breach of clause 12 of the Code.
Additionally, the Commissioner was satisfied that, by failing to implement a centralised system to accurately record its use of the tool, provide appropriate training, possess written policies specifically identifying the privacy risks of using new technologies to handle personal information, and conduct a PIA, the AFP breached APP 1.2 by failing to take reasonable steps to implement practices, procedures and systems relating to its use of the tool that would ensure it complied with clause 12 of the Code. The Commissioner ordered that an independent review of the changes made to the AFP’s relevant practices, procedures and systems since the trial period be conducted.
ACCC seeks higher penalty for company’s misleading Google ads
On 17 January 2022, the Australian Competition and Consumer Commission (ACCC) filed an appeal against the adequacy of a penalty ordered by the Federal Court against a company found to have made misleading representations in Google ads that it had a government affiliation. We have previously reported on the decision by the Full Court of the Federal Court which found that the company’s advertisements had infringed sections 18, 29(1)(b) and 29(1)(h) of the Australian Consumer Law: Australian Competition and Consumer Commission v Employsure Pty Ltd  FCAFC 142. The matter was remitted to the primary judge to determine pecuniary penalties, and Griffiths J subsequently imposed a penalty of $1m: Australian Competition and Consumer Commission v Employsure Pty Ltd (No 2)  FCA 1488. The ACCC described the $1m penalty as “manifestly inadequate”, having initially sought a $5m penalty at trial. A hearing of the appeal before the Full Court will be fixed at a later date.
Meta loses right to arbitrate in Dialogue case
Facebook Inc. found to have “Australian link” bringing it within scope of Australian Privacy Laws
On 7 February 2022, the Full Federal Court determined that the Privacy Act 1988 (Cth) (Act) and the Australian Privacy Principles (APPs) may apply to Facebook Inc., a company incorporated in Delaware and based in California, on the basis that it is an organisation that “has an Australian link” within the meaning of section 5B(1A) of the Act. In reaching this finding, the Full Court considered whether Facebook Inc. “carries on business in Australia” and whether it collects or holds personal information in Australia. As we have previously reported, Facebook Inc. maintains that the relevant entity conducting business in Australia is Facebook Ireland, with Facebook Inc. only providing data processing services to Facebook Ireland outside of Australia. The Full Court rejected these arguments, noting that while Facebook Inc. may not have any physical indicia of a business in Australia (e.g. assets, revenues, contracts, personnel, offices), the concept of carrying on of a business must, of necessity, take its shape from the business being conducted. Thus, Facebook Inc.’s business, being “the extraction of value from information about people”, was deemed an information-based business, so its activities had to be viewed through this lens. More specifically, the Full Court pointed to Facebook Inc.’s role in installing cookies on Australian users’ devices and providing certain platform functionality to Australian developers via its “Graph API” which it manages. The fact that Facebook Inc. performed these acts as part of its services to Facebook Ireland, and did not generate any revenue in doing so, did not alter the Full Court’s finding that Facebook Inc. was conducting business in Australia. Further, the Full Court found that Facebook Inc. did itself collect personal information in Australia via its cookies installed on users’ devices. Subject to any further appeal, the Australian Information Commissioner now has leave to serve her proceedings on Facebook Inc. in relation to the alleged breaches of the APPs as a result of Facebook Inc.’s involvement in the Cambridge Analytica scandal.
Collection statements have an important role to play in protecting privacy
On 15 December 2021, the New South Wales Civil and Administrative Tribunal handed down a decision which provides helpful guidance to State government agencies handling personal information: CJU v HealthShare NSW  NSWCATAD 372. The Applicant asserted that the Respondent had breached the Privacy and Personal Information Protection Act 1998 (NSW) by disclosing personal information, contained in a complaint, to the South Eastern Sydney Local Health District which the Respondent considered better placed to handle the complaint. The Applicant’s correspondence had been marked “confidential”. The Tribunal concluded that the Respondent had breached Information Principle 3 (Requirements when collecting personal information) and IPP 11 (Limits on disclosure of information). The breach of IPP 3 involved the failure of the Respondent to notify the individual before collection or as soon as practicable thereafter as to the purpose of collection and the persons to whom it might be disclosed – the requirement for “collection statements” is often overlooked or ignored, prompting Member Alexander Christie to observe that such statements “help avoid differences of understanding between individuals making inquiries and providing personal information and the agency, which misunderstanding appears to have happened in this case”. The breach of IPP 11 involved the use of the Applicant’s personal information for reasons other than the purpose of collection – the Respondent contended that the disclosure should have been contemplated by the Applicant, but the Tribunal rejected this argument on the basis that the Applicant had labelled his correspondence “confidential”, meaning that he probably would have objected to the disclosure if notified beforehand.
Legislation passed to protect Australia’s critical infrastructure from cyber attacks
On 2 December 2021, the Security Legislation Amendment (Critical Infrastructure) Act 2021 (Cth) (Act) came into force. The Act amends the existing Security of Critical Infrastructure Act 2018 (SOCI Act) by (i) expanding the scope of the SOCI Act’s application to encompass a broad range of new “critical infrastructure sectors” and “critical infrastructure assets”, (ii) establishing new obligations for owners and operators of critical infrastructure assets to notify the Commonwealth of cyber security incidents, and (iii) providing the Commonwealth with extensive new powers to assist owners and operators of critical infrastructure assets in responding to serious cyber security incidents. The amendments represent a significant strengthening of Australia’s framework for managing risks to national security relating to critical infrastructure, driven by growing concerns over the pervasive threat of cyber-attacks. On 10 February 2021, the Security Legislation Amendment (Critical Infrastructure Protection) Bill 2022 was introduced to Parliament, setting out the second stage of the Federal Government’s critical infrastructure reforms. The new bill introduces new obligations on owners and operators of critical infrastructure assets to adopt and maintain risk management programs in relation to their assets, as well as imposing a regime of ‘enhanced cyber security obligations’ on operators of critical assets that are declared by the Minister to be “Systems of National Significance”.
Social media services are now subject to prescribed online safety “expectations”
On 20 January 2022, the Minister for Communications, Urban Infrastructure, Cities and the Arts issued the Online Safety (Basic Online Safety Expectations) Determination 2022. The Determination was made under section 45 of the Online Safety Act 2021 (Cth), with the objective of setting out basic online safety “expectations” for social media services, relevant electronic services and designated internet services. Providers of these services are expected to take steps to meet the expectations, although the Determination itself does not prescribe how the expectations will be met. There is no penalty for not complying with the expectations, although service providers can be required to report to the eSafety Commissioner on compliance with the Determination and failure to report is subject to civil penalties. The Determination embraces six categories of “expectation”, being expectations regarding safe use (Division 2); certain material and activity (Division 3); reports and complaints (Division 4); accessibility of certain information (Division 5); record keeping (Division 6); and dealings with the Commissioner (Division 7).
Telcos are now subject to the Consumer Data Right
On 24 January 2022, the Minister for Superannuation, Financial Services and the Digital Economy issued the Consumer Data Right (Telecommunications Sector) Designation 2022, with the effect of designating the telecommunications sector as being subject to the Consumer Data Right. Under s 56AC of the Competition and Consumer Act 2010 (Cth), the Minister has the power to designate a sector of the Australian economy as being subject to the Consumer Data Right. The telecommunications sector is the third industry sector to fall within the scope of the consumer data right. Previously, the banking sector was designated under the Consumer Data Right (Authorised Deposit-Taking Institutions) Designation 2019 and the energy sector under the Consumer Data Right (Energy Sector) Designation 2020. The consumer data right is set out in Part IVD of the Competition and Consumer Act 2010 (Cth) and represents a form of data portability, providing individuals and businesses with a right to access specified data and requiring businesses to provide public access to information on specified products that they offer.
Federal Government introduces Anti-Troll Bill to Parliament
The federal government officially introduced its controversial and highly-publicised Social Media (Anti-Trolling) Bill 2022 to the House of Representatives on 10 February 2022. The Bill, previously reported on in TMT Update Volume 44, and in an article by Suzy Roessel and Dr Gordon Hughes on our website, remains largely unchanged from the original Draft Bill announced by Prime Minister Scott Morrison on 28 November 2021 as a mechanism to “unmask anonymous online trolls”. In the Bill’s second reading speech, Minister for Communications, Urban Infrastructure, Cities and the Arts Paul Fletcher MP noted that the Bill aims to ensure that defamation law is “fit-for-purpose in the digital age and to empower Australians to respond appropriately to defamatory attacks by anonymous social media trolls”. If successful, the legislation will effectively overturn the precedent set by the High Court in Fairfax Media Publications v Voller to the effect that media companies are “publishers” of defamatory comments posted by third parties on their Facebook pages. The Bill remains before Parliament for debate.
Federal Government introduces “patent box” reforms to Parliament
On 10 February 2022, the Federal Government introduced the Treasury Laws Amendment (Tax Concession for Australian Medical Innovations) Bill 2022 to the House of Representatives. The Bill implements the “patent box” reforms announced in the 2021-22 budget which seek to encourage innovation and commercialisation of patented inventions in the biotechnology and pharmaceutical industries in Australia by providing tax concessions for income derived from those inventions. The Bill includes two significant expansions of the Bill earlier introduced by Government (previously discussed in an article by Craig Finlayson, Dr Sam Mickan and Felicity Dalle Nogare on our website), including allowing patents issued by the US Patent and Trademark Office or granted under the European Patent Convention to access the regime, and allowing patents granted after the night of the budget (rather than only those applied for) to be eligible for the scheme. For a breakdown of what exactly this means for patent owners in Australia, see the article “Unpacking the proposed “patent box” reforms” by Timothy Creek and Thomas Dysart on our website.
Government responds to CDR report
On 14 December 2021, the Australian Government released its response to the Final Report of the Inquiry into Future Directions of the Consumer Data Right. Previously, an Issues Paper had been released in March 2020, and the Final Report had been issued in December 2020. The Terms of Reference required the Inquiry to consider the ways in which the CDR could be enhanced to boost innovation and competition, and the Final Report grouped its recommendations under four broad areas, being (1) expanding the functionality of the CDR, (2) encouraging broader participation in the CDR, (3) greater interaction with the digital economy and (4) interacting with similar frameworks internationally. The Final Report made 100 recommendations, nearly all of which were endorsed or “agreed in principle” by the Government in its response. The Treasury website summarised the response as being a commitment by the Government to “significantly strengthen and deepen the Consumer Data Right’s (CDR) functionality and use through the implementation of third-party action and payment initiation reforms, along with other recommended reforms that will grow the CDR ecosystem and foster greater international engagement”.
Government seeks feedback on handling of public data
On 15 December 2021, the Australian Government launched its Australian Data Strategy, calling for stakeholder feedback on its preliminary paper by June 2022. The Strategy outlines how the Government proposes to harness non-sensitive public sector data and data in the broader community over the period to 2025, at which point the Strategy will be reassessed. The Strategy is based on three key themes: (1) maximising the value of data (describing the economic and social value of data), (2) trust and protection (describing the settings that can be adopted in the private and public sectors to keep data safe and secure) and (3) enabling data use (describing the approaches and requirements to leverage the value of data, such as capabilities, legislation, management and integration of data, and engaging internationally). The Strategy, and its accompanying Action Plan, do not introduce new regulations or legislation, but rather intend to align with existing laws such as the Privacy Act 1988 (noting, nevertheless, that the Privacy Act is currently the subject of a major review).
Social media platforms may have to report suspicious foreign activity
On 17 December 2021, the Senate Select Committee on Foreign Interference through Social Media released its First Interim Report on key risks posed by foreign interference in Australia. The Committee considered potential foreign subversive activities designed to actively sow misinformation about particular issues, inflame existing social divisions, or create a general environment of distrust. The Committee found no evidence that Australia had in fact been the target of any large-scale, coordinated attempts of this nature, but emphasised that “this is not a reason for inaction”. It recommended that a single entity within government be delegated lead accountability for cyber-enabled foreign interference. It recommended that the government establish “appropriate, transparent, and non-political institutional mechanisms for publicly communicating cyber-enabled foreign interference in our elections”. The Committee further recommended that the government establish “clear requirements and pathways” for social media platforms to report suspected foreign interference, including disinformation and coordinated inauthentic behaviour, and other offensive and harmful content.
Telco security obligations reviewed
On 3 February 2022, the Australian Government released a report by the Parliamentary Joint Committee on Intelligence and Security, Review of Part 14 of the Telecommunications Act 1997 – Telecommunications Sector Security Reform. The object of the review was to examine the operation of reforms to Part 14 of the Telecommunications Act 1997 (Cth) which came into effect on 18 September 2017. The essence of the reforms was to establish a regulatory framework to manage national security risks of espionage, sabotage and foreign interference in Australia’s telecommunications networks and facilities. In particular, the Act placed obligations on telecommunications carriers, carriage services providers and carriage services intermediaries to protect networks and facilities to ensure the confidentiality of communications and information, as well as to ensure the availability and integrity of networks and facilities. Section 315K of the Telecommunications Act requires a review of the 2017 amendments, which are contained in Part 14 of the Act, to be completed within 3 years. The outcome of the review was a series of recommendations focussing on infrastructure supporting the operation, including the establishment of a dedicated telecommunications security threat sharing forum and a telecommunications security working group. The review also recommended that steps be taken to repeal Part 14 of the Telecommunications Act and to transfer the regulation of telecommunications security obligations to the Security of Critical Infrastructure Act 2018 (Cth).
South Australian government department granted right to operate a My Health Record portal
On 13 December 2021, the Commonwealth Attorney-General amended the Privacy Regulation 2013 by issuing the Privacy Amendment (South Australia My Health Records Access) Regulations 2021. Section 6F of the Privacy Act allows State or Territory governments to request the Commonwealth to make regulations to prescribe a State government authority or instrumentality as an organisation for the purposes of the Act. In order to handle information in the My Health Record system (and become registered as a “portal operator” under paragraph 48(d) of the My Health Records Act 2012), a State authority must be bound by a ‘designated privacy law’ or be prescribed under section 6F. South Australia does not have its own privacy legislation and hence requested that it be prescribed under section 6F of the Commonwealth Act. The effect is that the Department of the Premier and Cabinet of South Australia can now be registered as a portal operator under the My Health Records Act and operate a My Health Record portal to facilitate consent by individuals to the disclosure of their My Health Record data for the purposes of managing risks from COVID-19.
Fair Work Commission rejects CFMEU’s privacy challenge to BHP’s vaccination mandate
The Queensland branches of the Construction, Forestry, Maritime, Mining and Energy Union (CFMEU), in addition to other unions, launched a complaint against BHP with the Fair Work Commission earlier in January 2022. The legal challenge called into question BHP’s vaccination mandate, arguing that the policy forcing employees to hand over their COVID-19 vaccination details before January 31, or face dismissal, infringed upon workers’ rights to privacy. The complaint came amidst circumstances in which two workers were confirmed to have given fraudulent vaccination information, with several more suspected cases. The Fair Work Commission has since rejected the challenge, with hundreds of BHP miners facing dismissal for not providing evidence of their COVID-19 vaccination status. Although more than 91% of BHP’s employees at Queensland mines have provided proof of double vaccination, the Fair Work Commission’s latest decision means that legal options to challenge dismissals will be “very limited”.