Telecommunications, Media And Technology (TMT) Law Update – Volume 31
Final appeal decision handed down on damages in respect of the repudiation of a Development and Licensing Agreement.
The Full Federal Court recently affirmed a 2018 decision of Nicholas J in relation to an award of reliance damages for PKT Technologies Pty Ltd (Fairlight)’s repudiation of a Development and Licensing Agreement with Peter Vogel Instruments Pty Ltd (PVI): PKT Technologies Pty Ltd (formerly known as Fairlight.AU Pty Ltd) v Peter Vogel Instruments Pty Ltd  FCAFC 2016. We previously reported on earlier decisions in this long-running dispute here and here. The key issue on appeal was whether PVI was entitled to damages for its “wasted expenditure” incurred in reliance on Fairlight performing the Agreement, and for its mitigation costs. Nicholas J awarded reliance damages because his Honour was not satisfied that the Agreement would have been profitable for PVI had Fairlight performed. Fairlight unsuccessfully argued that PVI was only entitled to claim reliance damages if it first established that it could not claim expectation damages due to the conduct of Fairlight. The Full Court rejected this argument, ruling that PVI was entitled to claim reliance damages in the alternative to expectation damages. The Full Court also rejected Fairlight’s submission that the evidence in support of the quantum of reliance damages was inaccurate and unreliable, ruling instead that Fairlight had made a forensic election at an earlier stage to not challenge the evidence and it could not do so on appeal. The evidence was admissible and there was no error in Nicholas J relying on it.
Technical forensic evidence helps plaintiff win breach of confidence case.
On 6 March 2020, the Supreme Court of New South Wales found that two individuals had breached contractual and equitable duties of confidence owed to their former employer by using proprietary contact information and business method information when establishing a competing business: Smartways Logistics Holdings Pty Ltd v O’Sullivan  NSWSC 189. Forensic evidence played a significant part in the court’s assessment of the facts. The plaintiff’s expert witness was given access to the defendants’ laptops which enabled the analysis of data, the extraction of link files and a review of internet explorer file histories. The expert also examined the defendants’ mobile phones and extracted data including call logs, chat messages, contacts, multimedia messaging services (MMS), short messaging services (SMS), voicemail and cloud-based application accounts. The expert found evidence that the defendants had accessed password-protected dropbox accounts containing confidential information when there was no need for them to do so for purposes connected with their employment or otherwise in their employer’s best interests. On the basis of this and other evidence, Henry J found for the plaintiff employer, and granted orders governing declaratory relief, injunctive relief, delivery up and costs.
Federal Court proceedings commenced against Facebook for privacy breach
On 9 March 2020, the Australian Information Commissioner commenced Federal Court proceedings against Facebook, seeking penalties for misuse of personal information in the context of the Cambridge Analytica scandal. The Cambridge Analytica scandal arose in early 2018 when it was revealed that the company had harvested the personal data of millions of people’s Facebook profiles without their consent for political advertising purposes on behalf of US Senator Ted Cruz. The Commissioner alleges that the personal information of more than 300,000 Australians was used for purposes other than the reason for collection, thus constituting a breach of Australian Privacy Principle 6 (“Use or disclosure of personal information”). The misuse allegation centres on personal data being “used for purposes including political profiling, well outside users’ expectations”. Personal data was allegedly exposed through the “This Is Your Digital Life” app which, although only downloaded by 53 Australian Facebook users, compromised personal data relating to the social media friends of those users.
Telstra’s new payphone cabinets do not require town planning approval – yet.
On 10 March 2020, the Federal Court of Australia ruled that the installation of Telstra’s new “payphone cabinets”, capable of displaying commercial advertising but at present displaying only standard telephone service (STS) advertising, was authorised under the Telecommunications Act 1997 (Cth) and the Telecommunications (Low Impact Facilities) Determination 2018 (Cth) and therefore did not require further council approval: Telstra Corporation Limited v Melbourne City Council  FCA 305. The respondents (Melbourne city Council, City of Sydney Council and Brisbane City Council) had contended that the cabinets resembled electronic billboards, and that planning permission was required for this purpose. O’Callaghan J ruled that the cabinets were permissible “low impact facilities” under the Determination and that it was not relevant that the cabinets were capable of displaying commercial advertising. A digital screen was permitted under the Determination for the purpose of STS advertising, and town planning approval would only be required if and when Telstra sought to use the digital screens to display third party commercial advertising.
Updated credit reporting code introduced
On 14 February 2020, the Privacy (Credit Reporting) Code 2014 (Version 2.1) came into effect. The previous code, which had come into effect on 28 June 2018 and which we have previously reported upon, was simultaneously repealed. Part IIIA of the Privacy Act regulates the types of personal information that credit providers can disclose to a credit reporting body. The credit reporting code supplements Part IIIA and the Privacy Regulation 2013, and a breach of the code is a breach of the Act. In formulating the new code, the Information Commissioner had regard to recommendations made in the Review of Privacy (Credit Reporting) Code 2014 (V1.2) Report dated 8 December 2017 by PriceWaterhouseCoopers. Changes introduced by the new code include clarifying that a credit reporting body can only collect publicly available information if the information is about activities conducted in Australia that relate to an individual’s creditworthiness; an obligation on credit reporting bodies to notify an individual’s ban period request (or extension of ban period) to other credit reporting bodies where requested by that individual; and clarifying that a pre-ticked consent box does not constitute opting into direct marketing when individuals access free credit reports.
Privacy exemption for international money transfers
On 14 February 2020, the Australian Information Commissioner issued three public interest determinations relating to the privacy implications of international money transfers. Section 72(2) of the Privacy Act 1988 enables the Commissioner to make a determination that, in the case of an entity which is subject to the Australian Privacy Principles (APPs), adherence to an APP in respect of a particular activity is outweighed by the public interest in permitting that activity to take place. Section 72(4) further enables the Commissioner to give general effect to such a determination by extending it to other entities engaged in similar activity. The Privacy (International Money Transfers) Public Interest Determination 2020 (No 1) and (No 2), issued under section 72(2), and the Privacy (International Money Transfers) Generalising Determination 2020, issued under section 72(4), have the combined effect of allowing Authorised-Deposit Taking Institutions and the Reserve Bank of Australia to disclose the personal information of a beneficiary of an international money transfer to an overseas financial institution when processing a transfer. The Determinations continue the existing practice under similar determinations issued for a 5 year period in 2015. The Commissioner accepted that it would be impractical for ADIs and the RBA to assess the privacy regimes in other countries, as required by APP 8.2(a), in respect of every transfer, and similarly it would be impractical to seek the beneficiary’s consent for each transaction as required by APP 8.2(b). Excessive formality might motivate senders to rely on less and less formal money remittance services, which would be contrary to the public interest.
Private member’s bill in New South Wales proposes remedy for privacy invasions
On 27 February 2020, the New South Wales Shadow Attorney-General, Paul Lynch MP, tabled a private member’s Civil Remedies for Serious Invasions of Privacy Bill 2020. The Bill proposes a statutory cause of action for serious privacy invasions, enforceable in the Supreme Court or District Court as a tort. The Bill contemplates privacy breaches in the form of either intrusions upon seclusion or misuse of private information in circumstances where the plaintiff had a “reasonable expectation of privacy”. The invasion of privacy would have to be serious, having regard to the degree of stress or harm likely to be caused to “a person of ordinary sensibilities”, and whether the defendant was motivated by malice. A court would be required to balance a claim against the public interest, taking into account such matters as freedom of expression, freedom of the media and national security. A court could award damages, including damages for emotional distress but not aggravated damages. Similar legislation was introduced in October 2016 but lapsed in December 2016.
Student ID scheme expanded
On 6 March 2020, the Student Identifiers Act 2014 was amended to enable the extension of the unique student identifier from vocational education and training (VET) to higher education students, and to enable the Student Identifiers Registrar to assign a student identifier to all higher education students: Student Identifiers Amendment (Higher Education) Act. Specifically, the Act enables the assignment, collection, use, disclosure and verification of student identifiers for higher education students. The Registrar, appointed under Part 4 of the Act, has powers and functions that will expand to include the operation of the student identifier in the higher education sector. Starting in 2021, new domestic and onshore overseas higher education students can apply for a student identifier. From 1 January 2023, registered higher education providers must not confer a regulated higher education award on an individual unless the individual has been assigned a student identifier or unless an exemption applies. According to the Explanatory Memorandum, any privacy concerns are addressed by the fact that the legislation “does not displace the protections provided for personal information under the Privacy Act 1988”.
IBAC focusses on Victorian public sector information security
On 12 February 2020, the Victorian Independent Broad-based Anti-corruption Commission (IBAC) published an analysis and recommendations regarding information security breaches in the Victorian public sector: Unauthorised Access and Disclosure of Information held by the Victorian Public Sector: an Analysis of Corruption Risks and Prevention Opportunities (IBAC, February 2020). The report expressed concern about the potential for unauthorised access to personal health records, contact details and sensitive political and economic information, much of which it suspected might go unreported due to a lack of detection, lack of awareness or an incomplete understanding of the law. In the latter regard, the report observed that the legislative framework for managing data was complex, underpinned primarily by the Privacy and Data Protection Act 2014, the Public Records Act 1973 and the Charter of Human Rights and Responsibilities Act 2006. Concern was also expressed about corruption risks associated with “big data” and associated data-matching. The report recommended increased training for relevant personnel and the adoption of cultural change programs.
ACCC to enquire into online advertising technology.
On 15 February 2020, the Commonwealth government directed the Australian Competition and Consumer Commission (ACCC) to undertake a long-term inquiry into digital platforms and to undertake an 18-month inquiry into advertising technology (“ad-tech”): Competition and Consumer (Price Inquiry – Digital Advertising Services) Direction 2020. The inquiry forms part of the government’s response to the ACCC’s Digital Platforms Report, which we have previously reported upon. The Direction was made under section 95H(1) of the Competition and Consumer Act 2010, and the ACCC responded on 25 February 2020 by issuing the Competition and Consumer (Price Inquiry – Digital Platforms) Instrument 2020 as required under section 95J. The ACCC is required to give the Treasurer an interim report by 30 September 2020 and then every six months, with a final report due by no later than 31 March 2025. The inquiry is to focus on technologies facilitating the supply of online advertising to Australian consumers, and specifically their capacity to gather information about consumers and to use it to target them with highly personalised advertising.
Mandatory data breach notifications on the rise
On 28 February 2020, the Information Commissioner published statistics on mandatory data breach notification for the six month period ending 31 December 2019: Notifiable Data Breaches Report: July – December 2019 (OAIC). The report revealed that there was an increase of 19% in notifications, rising from 460 in the previous six months to 537. Malicious or criminal attacks accounted for 64% of all notifications, whilst 32% were attributable to human error. The highest reporting sector was the health sector, followed by finance, education, legal and personal services (such as recruitment agencies and childcare centres). The most common form of information involved in breaches was contact information, such as home address, phone number or email address. It was noted that in addition to “phishing”, the theft of paperwork and storage devices was a significant source of malicious or criminal attacks.
Consumer Data Right issues paper released
On 6 March 2020, the Australian Treasury released an Issue paper entitled Inquiry into Future Directions for the Consumer Data Right. In January 2020, the Treasurer announced an inquiry into future directions for the new Consumer Data Right, and the issues paper calls for public submissions by 23 April 2020. We have previously written about the nature and scope of the Consumer Data Right which, from 1 July 2020, will enable customers to access certain data about themselves which is held by the major banks and direct that the information be transferred to a third party. The inquiry is looking at how the Consumer Data Right might be enhanced, specifically with respect to the expansion of its functionality, the leverage of infrastructure and interaction with other countries.
Privacy standard recommended for artificial intelligence
On 12 March 2020, Standards Australia released a roadmap for the responsible development of artificial intelligence: Artificial Intelligence Standards roadmap: Making Australia’s Voice Heard. The report, commissioned by the Department of Industry, Science, Energy & Resources, focussed, amongst other things, on the privacy implications of artificial intelligence. Noting that an international standard was published in mid-2019 which was mapped against the European General Data Protection Regulation (GDPR), and further noting a submission by the Office of the Australian Information Commissioner that requirements should be mapped against the Australian Privacy Principles (APPs), the report recommended that Australian businesses and government agencies develop a proposal for a direct text adoption of ISO/IEC 27701 (Privacy Information Management), with an annex mapped to local Australian privacy law requirements. This would provide Australian businesses and the community with improved privacy risk management frameworks that aligned with local requirements, including the APPs and potentially the GDPR, the APEC Cross-Border Privacy Rules System (CBPR) and other regional privacy frameworks.
Health Committee opposes disclosure of COVID-19 patient details to media
On 8 March 2020, the Australian Health Protection Principal Committee issued a coronavirus (COVID-19) statement with regard to the release of personal information of COVID-19 patients and their close contacts. The Committee is Australia’s key decision making committee for health emergencies, comprising all state and territory Chief Health Officers and chaired by the Australian Chief Medical Officer. The statement noted that the Committee was aware of media requests to release the names, addresses and recent movement of people with COVID-19. The Committee expressed concern that the release of personal information in such circumstances was potentially contrary to privacy laws and public health ethical principles, adding that “the release of personal health details could increase the likelihood of people not cooperating with contact tracing and laboratory testing to identify and isolate cases of COVID-19”. For these reasons, the statement concluded that the Committee “does not in any way support the public release of personal information of people found to have COVID-19 or those who may have been in close contact with patients”.