Key recent developments in the area of Technology, Media and Telecommunications are summarised below.
Privacy breach results from inaccurate police records
On 20 November 2018, the Victorian Civil and Administrative Tribunal (VCAT) found that Victoria Police had breached Information Privacy Principle (IPP) 3.1 under the Privacy and Data Protection Act 2014 (Vic) by failing to ensure the accuracy of personal information which it had disclosed to a third party: Zeqaj v Victoria Police (Human Rights) [2018] VCAT 1733. The complaint related to the disclosure of information to the Australian Taxation Office in which the applicant was described as a “known criminal identity”. The Tribunal concluded that as the applicant had no criminal convictions or findings of guilt, and that the information provided to the ATO was therefore inaccurate. IPP 3.1 requires an organisation to take “reasonable steps” to make sure that the personal information it collects, uses or discloses is accurate, complete and up to date and, despite evidence that Victoria Police took reasonable steps in an organisational sense to ensure the accuracy of information which it handles, such steps had not been taken in this instance.
Queensland Information Commissioner entitled to refusing a privacy hearing
On 22 November 2018, the Supreme Court of Queensland upheld a decision by the Queensland Information Commissioner to decline to deal with a privacy complaint lodged by the parent of a child attending a secondary school: Purrer v Information Commissioner [2018] QSC 272. The Information Commissioner had decided not to accept the privacy complaint on the basis that it was a multi-faceted matter concerning a range of events of a potentially serious nature, not all of which involved privacy issues. The court noted that section 168(1)(c) of the Information Privacy Act 2009 (Qld) gave the respondent a broad discretion to decline to deal with a privacy complaint if the respondent “reasonably believes the complaint or part is frivolous, vexatious, misconceived or lacking in substance”, and Boddice J concluded that it was reasonable for the respondent to form this belief. Whilst the applicant had concerns about the accuracy of certain information, a privacy complaint was not the appropriate mechanism to which to address the issue.
Supreme Court of New South Wales considers common law privacy right
On 30 November 2018, the Supreme Court of New South Wales handed down a judgement in which Davies J considered whether a cause of action existed based on a breach of privacy: Kostov v Nationwide News Pty Ltd (No 1) [2018] NSWSC 1822. The proceedings followed an earlier decision by the court in which a defamation claim instituted by the plaintiff against the Daily Telegraph had been dismissed. The plaintiff had then commenced personal injury proceedings which included an allegation of “breach of privacy”, prompting the court in the new proceedings to consider the Australian authorities relating to the existence of a common law right to privacy. His honour lent support for the tort of defamation being “a legitimate vehicle for the enforcement of an interest in privacy”, adding that “in circumstances where no Australian superior court has recognised the generalised tort for breach of privacy, and where the plaintiff does not rely on the equitable doctrine of breach of confidence, the plaintiff’s interest in privacy is enforceable at law only so far as the particular way in which her privacy was invaded falls within the scope of the tort of defamation”. Given that the court had previously determined that the publication complained of was not reasonably capable of defaming her, his Honour chose not to pursue the analysis further.
New South Wales legislation facilitates personal data exchanges between government agencies and other jurisdictions
On 21 November 2018, the New South Wales Parliament passed the Road Transport Amendment (National Facial Biometric Matching Capability) Act 2018, becoming effective following assent on 28 November 2018. The legislation facilitates the exchange of personal information in connection with the National Facial Biometric Matching Capability Service administered by the Commonwealth under the Inter-Governmental Agreement On Identity Matching Services which was entered into by the Commonwealth, States and Territories in October 2017. The legislation specifically provides that sections 9 and 10 of the Privacy and Personal Information Protection Act 1998 (NSW) do not apply in relation to photographs and personal information collected by an authorised government agency from the Commonwealth Service, and similarly authorises the release to the Service of photographs and personal information held by an authorised New South Wales government agency.
New Office of National Intelligence required to balance national security and individual privacy rights
On 29 November 2018, the Office of National Intelligence Act 2018 (Cth) and the Office of National Intelligence (Consequential and Transitional Provisions) Act 2018 (Cth) were passed, becoming effective following assent on 10 December 2018. The legislation implemented recommendations of a 2017 Independent Intelligence Review to establish an Office of National Intelligence (ONI) as an independent statutory agency within the Prime Minister’s portfolio, reporting directly to the Prime Minister and subsuming the role, functions and staff of the Office of National Assessments. The Explanatory Memorandum noted that the ONI would be subject to strict secrecy and information handling provisions which would provide strong protection for all information, including personal information. Sections 38 and 39 authorise the disclosure by Commonwealth agencies of personal information to the ONI in circumstances where such disclosure might otherwise not be permissible under the Privacy Act 1988. However the Prime Minister is required to make Privacy Rules regulating the ONI’s collection of identifiable information, with an added requirement that the ONI publish the Privacy Rules on its website, and in this way the legislation attempts to ensure a degree of transparency in a privacy sense. Although the ONI would itself be exempt from the operation of the Privacy Act, it would be required to comply with the Privacy Rules.
Commonwealth legislation enables authorities to demand access to unencrypted data
On 6 December 2018, the Telecommunications and Other Legislation Amendment (Assistance and Access) Bill 2018 (Cth) was passed, coming into effect following assent on 8 December 2018. Popularly referred to as the ”Encryption Act”, the legislation amended the Telecommunications Act 1997 (Cth) to establish frameworks for voluntary and mandatory industry assistance to law enforcement and intelligence agencies in relation to encryption technologies via the issuing of technical assistance requests, technical assistance notices and technical capability notices. Schedule 1 of the Act provides a legal basis on which a designated communications provider can provide voluntary assistance under a “technical assistance request” to ASIO and other intelligence organisations and also permits the Director-General of Security or head of an interception agency to issue a “technical assistance notice” requiring a designated communications provider to provide assistance. The legislation does not require providers to implement or build systemic weaknesses in forms of electronic protections (“backdoors”) or prevent providers from fixing identified weaknesses, but Schedule 2 authorises computer access for the purpose of collecting information in an unencrypted state. Specifically, new paragraph 317E(1)(a) enables authorities to apply for the removal of electronic protection via a “technical assistance request” or “technical assistance notice”, and this may extend to decrypting encrypted communications.
Commonwealth to expand whistleblower protection
On 7 December 2018, the Treasury Laws Amendment (Enhancing Whistleblower Protections) Bill 2018 (Cth) was introduced in the Senate. The objective of the legislation is to consolidate and broaden the existing protections and remedies for corporate and financial sector whistleblowers. It also amends the Taxation Administration Act 1953 (Cth) to create a whistleblower protection regime for disclosures of information by individuals regarding breaches of the tax laws or misconduct relating to an entity’s tax affairs. In broad terms, the legislation will extend the group of people who can make disclosures and be eligible for protection, broaden the type of matters which whistleblowers can make disclosures about, allow anonymous disclosures, and strengthen whistleblower immunity.
ACCC issues discussion paper on unfair terms in standard contracts
On 21 November 2018, The Treasury released a discussion paper entitled Review of Unfair Contract Term Protections for Small Business. As standard form contracts represent an integral part of service delivery in both the software and online service industries, legislative regulation of unfair contract terms in standard form contracts is of considerable significance. When the protections contained in the Australian Consumer Law were extended to protect small businesses in November 2016, the government undertook to conduct a review after the extension had been in operation for a period of two years. The present scheme allows a court to declare a term of a standard form contract entered into by a small business to be unfair and, therefore, void. A “small business” in this context is one which employs fewer than 20 people and the upfront price payable under the contract is under $300,000 in a single year or $1,000,000 if the contract runs for more than twelve months. Issues raised for discussion include the threshold requirements relating to the number of employees and value of transactions, difficulties in determining what amounts to a “standard form contract”, and the overall question of whether the regime offers an appropriate level of protection to small business.
Office of the National Health Practitioner Ombudsman and Privacy Commissioner issues annual report
On 26 November 2018, the Office of the National Health Practitioner Ombudsman and Privacy Commissioner released its annual report for 2017-18. The National Health Practitioner Ombudsman and Privacy Commissioner is an independent statutory officer appointed by the COAG Health Council with powers derived from the Ombudsman Act 1976 (Cth), the Privacy Act 1988 (Cth) and the Freedom of Information Act 1982 (Cth). Complaints managed by the Office relate to the health, conduct or performance of a registered health practitioner. The report revealed that over a twelve month period, the Office received 794 complaints, of which 75% were closed within thirty days. Whilst the Office can accept complaints from individuals regarding privacy breaches, and whilst an additional workload was expected following the introduction of the mandatory data breach reporting scheme on 22 February 2018, the Office did not receive any formal notifications from the Australian Health Practitioner Regulation Agency (AHPRA) or the National Boards about eligible data breaches.
ACCC foreshadows wide-ranging measures to address the influence of Google and Facebook
On 10 December 2018, the Australian Competition and Consumer Commission (ACCC) released its preliminary report into digital platforms. In December 2017, the Australian Treasurer had directed the ACCC to carry out an enquiry into the effect that digital search engines, social media platforms and other digital content aggregation platforms have on competition in media and advertising services markets, and particularly the impact of digital platforms on the supply of news and journalistic content and the implications of this for media content creators, advertisers and consumers. The wide-ranging recommendations in the preliminary report include measures to address the market power of Google and Facebook, measures to monitor or regulate digital platforms’ activities, measures to assist a more effective removal of infringing copyright material and measures to keep consumers better informed about their rights. In the latter regard, the preliminary report contemplates recommendations for the amendment of the Privacy Act 1988, including the introduction of the concept of opt-in consent and a right of erasure (such as exists under the GDPR). The introduction of a statutory cause of action for serious invasion of privacy (as previously recommended by the Australian Law Reform Commission) is also contemplated, along with an amendment to the Australian Consumer Law which would render unfair contract terms illegal (not just void, as is presently the case). Responses to the preliminary report are required by 15 February 2019.