Online defamation principles considered by NSW Supreme Court
On 20 March 2020, a judgment of the New South Wales Court of Appeal observed a range of principles relevant to online defamation in a case involving defamatory Facebook posts: Stoltenberg v Bolton; Loder v Bolton  NSWCA 45. The parties accepted the trial judge's statement of principles concerning proof of publication, including his reliance upon Dow Jones & Co Inc v Gutnick (2002) 210 CLR 575 in support of the proposition that in an action for defamation involving online material, publication is established though evidence that a third party downloaded and read the material. Specifically, Gutnick also stands for the proposition that publication is a bilateral act in which material is not made available in a comprehensible form until downloaded on to the computer of a person who has used a web browser to pull the material from the web server. The parties also accepted the trial judge's reliance upon Sims v Jooste (No 2)  WASCA 83 in support of the proposition that whilst publication, in a legal sense, may be established by pleading and proving a platform of facts from which an inference that material has been downloaded can properly be drawn, the mere fact of posting material online does not lead to an inference that it has been downloaded.
Roadshow Films obtains Federal Court site blocking orders against ISPs
On 20 April 2020, the Federal Court handed down another site blocking a decision pursuant to section 115A of Copyright Act 1968 (Cth), ordering a group of ISPs to block access to various target online locations: Roadshow Films Pty Ltd v Telstra Corporation Limited  FCA 507. There have been a number of injunctions of this kind granted since section 115A was introduced in December 2018. An interesting aspect to this decision was one of the orders which Burley J made. His Honour referred to Paul Fletcher MP's comments during the second reading speech for the bill which introduced these laws that the Federal Court would have "the power to issue responsive and adaptive injunctions, without the need for the copyright owner to go back to court" by allowing the copyright owner and ISP to agree "to apply the injunction to other pathways that start to provide access to an infringing site". Burley J made an order providing for the copyright owners to notify the ISPs if they believed a different domain name, IP address or URL was providing access to the same (previously blocked) infringing site. The ISPs will then be required to notify the copyright owners and the Federal Court if they agree to take steps consistent with the blocking order to also disable access to the new relevant domain name, IP address or URL. If the ISPs do not agree, or the court otherwise considers it appropriate, the proceeding will be relisted for further directions.
Information Commissioner granted leave to serve Facebook entities
On 22 April 2020, pursuant to an ex parte interlocutory application, the Federal Court granted the Australian Information Commissioner leave to serve the respondents Facebook Inc. and Facebook Ireland Limited outside Australia: Australian Information Commissioner v Facebook Inc.  FCA 531. Facebook Inc. is located in the United States, and Facebook Ireland is located in Ireland. In the proceedings, the Commissioner alleges that the respondents were repeatedly involved over a 12 month period in the interference with the privacy of approximately 311,127 Australian Facebook users. The court was satisfied that the Commissioner had a prima facie case for the purposes of Rule 10.43(4) of the Federal Court Rules 2011, that the respondents were "organisations" as defined in section 6C of the Act and that the respondents had an "Australian link" for the purposes of section 5B(3) of the Act. In the latter regard, the evidence established that the respondents "carried on business in Australia" in the relevant sense and there was a prima facie case (albeit subject to argument) that the respondents collected personal information in Australia.
Digital media company misled a purchaser of shares.
On 24 April 2020, the Supreme Court of New South Wales held that an investor (the cross-claimant) had been induced to acquire shares in a digital media managed services company (referred to as "BRS") as a result of misleading and deceptive conduct by the vendors (the cross-defendants) in contravention of section 18 of the Australian Consumer Law: Barrett v Maradaca Pty Ltd  NSWSC 440. BRS's major client was Optus, a subsidiary of Singapore Telecommunications Ltd, and the ongoing viability of the company was dependent upon maintaining that relationship. Prior to acquiring her shares in BRS, the cross-claimant had been in competition with Optus to purchase the BRS shares. In accepting BRS's invitation to purchase the shares, the cross-claimant was not informed of recent developments in the legal and commercial relationship between BRS and Optus which increased the risk that, if Optus did not acquire the shares, it would terminate its contractual arrangements for the supply of services by BRS and "poach" BRS's skilled employees, thereby frustrating the cross-claimant's commercial objectives in entering the transaction. Based on the facts and the chronology of events, the court concluded that BRS had engaged in misleading conduct by silence. Although the cross-claimant was a sophisticated business person prepared to take calculated risks, she had relied on an implicit assurance from BRS that there was no need to do due diligence beyond the date when she had initially expressed interest.
NEW LEGISLATION AND GUIDELINES
New Singapore-Australian digital trade arrangements announced.
On 23 March 2020, negotiations for the Australia-Singapore Digital Economy Agreement (DEA) were concluded. The DEA will upgrade the digital trade arrangements between Australia and Singapore under the Comprehensive and Progressive Agreement on the Trans-Pacific Partnership and the Singapore-Australia Free Trade Agreement. The DEA will include new rules aimed at ensuring that businesses can transfer data across borders and will not be required to build or use data storage centres in either jurisdiction (it is stated, nevertheless, that the Privacy Act 1988 "still applies when Australian data is transferred into another country", thus suggesting that the final text will stop short of expressly recognising the equivalence of Singapore's privacy laws for the purposes of Australian Privacy Principle 8). New rules will also stipulate that the transfer of source code to Singapore will not be required as a condition for the import, distribution, sale or use of software, whether mass-market software or bespoke/custom software, and special recognition will also be afforded to intellectual property where the ownership of source code is crucial to a business's competitiveness in local and global markets. The DEA text still needs to undergo further legal review by both Australia and Singapore prior to signature and publication, followed by treaty ratification processes, including tabling in Parliament and consideration by the Joint Standing Committee on Treaties, and will not be signed until late 2020 at the earliest.
States prepare to relax electronic signing laws.
On 22 April 2020, the Queensland Parliament passed the COVID-19 Emergency Response Act 2020, being the second stage of its legislative response to the COVID-19 state of emergency declared across the State on 29 January 2020. One aspect of the legislation involved the introduction of a framework to enable modification by regulation of statutory requirements to "making documents". This in turn contemplated the possibility of electronic signing and witnessing of certain documents which otherwise require a physical presence, notwithstanding an acknowledgement in the Explanatory Memorandum that this "may increase the potential for identity theft and fraud or for the undue influence and unconscionable dealing in the absence of persona witnessing requirements". Similarly, in Victoria, the passage of the COVID-19 Omnibus (Emergency Measures) Act 2020 on 23 April 2020 provided a framework for the making of emergency regulations which could include "the witnessing, execution or signing of legal documents such as affidavits, statutory declarations, deeds, powers of attorney, contracts or agreements, undertakings and wills". Similar legislation was passed in New South Wales and Tasmania on 25 March 2020, the Australian Capital Territory on 2 April 2020, Western Australia on 3 April 2020 and South Australia on 8 April 2020. We have previously published an article on our website dealing with issues relevant to electronic signatures more generally.
ACCC Guidelines on Consumer Data Right exemptions
On 20 March 2020, the Australian Competition and Consumer Commission (ACCC) released guidelines concerning the approach it will take in assessing applications for exemptions from Australia's new Consumer Data Right (CDR) regime: Consumer Data Right: Guidance for applicants seeking exemption under section 56GD. As the title suggests, section 56GD of the Competition and Consumer Act 2010 (Cth) gives the ACCC a broad discretionary power to exempt a person from one or more provisions of the Act relating to the new CDR regime. The threshold appears to be relatively high as the guidelines emphasise that exemptions will not generally be granted "without clear justification or exceptional circumstances". One example provided in the guidelines relates to a credit union which is planning to acquire another credit union. The guidelines suggest it may be appropriate for the acquirer to seek an exemption by seeking a delay to the start date of its obligations under the CDR regime in respect the customers of the target credit union (following completion of the acquisition). A copy of the ACCC's guidelines is available here.
Non-major ADIs given three month exemption from commencement of CDR obligations.
On 24 April 2020, the ACCC announced that three-month exemptions under the CDR regime had been granted to financial services providers required to share product reference data from 1 July 2020. The deferment was attributed to the disruption caused by the COVID-19 pandemic. The temporary exemptions apply to non-major Authorised Deposit-Taking Institutions (ADIs) including non-major banks, building societies and credit unions. The major banks have been sharing product reference data since 1 July 2019.
POLICIES, REPORTS AND ENQUIRIES
NSW Committee reports on State digital restart fund legislation.
On 27 March 2020, the New South Wales legislative Council Portfolio Committee No 6 issued its report on the Digital Restart Fund Bill 2019 (NSW), making a single recommendation that the Legislative Council proceed to consider the Bill and that the government address various comments and concerns identified by stakeholders during debate in the House. The Bill aims to provide a better way of resourcing digital and information technology initiatives across the government sector. The Council had referred the Bill to the Committee on 12 November 2019 to consider, amongst other things, privacy, information access and cybersecurity issues. The Report noted that the Bill was silent on information access and privacy issues, although the State's Information and Privacy Commissioners did not express any ongoing concerns in their submissions to the Committee. It was further noted that the Bill was silent on cybersecurity issues, although issues regarding cybersecurity were raised in only one submission.
Legislation to curb direct marketing by charities rejected.
On 16 April 2020, the Senate's Environmental and Communications Legislation Committee published the results of its enquiry into the Telecommunications Legislation (Amendment (Unsolicited Communications) Bill 2019, rejecting the need for the legislation. The Bill, which was referred to the Committee on 28 November 2019, would amend the Do Not Call Register Act 2006 to allow consumers to opt out of receiving phone calls from charities, the Spam Act 2003 to provide an unsubscribe function to all unsolicited political communications, and the Commonwealth Electoral Act 2018 to ensure actors are identified as such in pre-recorded voice calls in election campaigns. The Committee expressed concern that the legislation would adversely impact fundraising by charities, noting that in its view consumers were adequately protected at present by existing industry codes of conduct. The Bill had originally been introduced as a private member's Bill by Senator Stirling Griff.
ACCC to develop mandatory code of conduct involving digital platforms and media businesses.
On 20 April 2020, the Australian Treasurer, the Hon. Josh Frydenberg, announced that the Commonwealth Government had directed the Australian Competition and Consumer Commission (ACCC) to develop a mandatory code of conduct to address bargaining power imbalances between digital platforms and media companies. It is anticipated that the code will require digital platforms, such as Google and Facebook, to pay news media businesses for the content they produce. Previously, in December 2019, the ACCC had been directed by the Government to facilitate the development of a voluntary code but, due to a sharp decline in advertising revenue driven by COVID-19, which had placed the media sector under pressure, it was decided to accelerate the process. The mandatory code to be developed by the ACCC will address commercial arrangements between digital platforms and news media businesses. Elements which the code will cover include the sharing of data, ranking and display of news content, and the monetisation and the sharing of revenue generated from news. The mandatory code will also establish appropriate enforcement, penalty and binding dispute resolution mechanisms. A draft mandatory code is expected to be released for comment in July 2020.
HEALTH PRIVACY ISSUES
Public interest in combatting coronavirus in Queensland schools outweighs privacy rights.
On 20 March 2020, the Queensland Minister for Health, the Hon. Steve Miles, issued a Human Rights Certificate with respect to the Public Health (COVID-19) and Other Legislation Amendment Regulation 2020. The Regulation is made under the Hospital and Health Boards Act 2011 (Qld) and the Public Health Act 2005 (Qld). The purpose of the certificate was to declare that the Regulation was compatible with the human rights protected by the Human Rights Act 2019 (Qld), which came into effect on 1 January 2020. The Regulation prescribed COVID-19 as a "contagious condition" which in turn had the effect of requiring children suspected of having the condition to be excluded from a school or care centre. The Minister took account of the fact that section 25 of the Human Rights Act recognises a person's right to privacy, and that the Regulation had the potential to impact upon the privacy of children and their families, but considered that these rights were outweighed by the public interest in minimising the spread of COVID-19 among children and the broader community.
OAIC guidance on how to handle COVID-19 information in the workplace
On 1 April 2020, the Office of the Australian Privacy Commissioner published a Privacy Guidance in relation to the handling of personal information in the context of the coronavirus pandemic. The Guidance is directed at the Commonwealth public sector, and the private sector. The Guidance emphasises that information can be collected from staff and visitors to the extent necessary to prevent or manage COVID-19 in the workplace. Being "sensitive information", the collection of health information generally requires the consent of the individual, although Australian Privacy Principle 3.4 has the effect of permitting collection without consent where necessary to lessen or prevent "a serious threat to the life, health or safety of any individual, or to public health or safety". According to the Guidance, it is acceptable to inform staff that a colleague or visitor may have contracted COVID-19 if such a disclosure is required in order to manage health issues affecting the workplace - it may or may not be necessary to disclose the person's name, depending on the circumstances. The Guidance also contains a reminder about the need to maintain the security of personal information regarding third parties when working from home, including the importance of storing devices such as laptops securely when not in use.
Tasmanian Government privacy constraints suspended during state of emergency
On 6 April 2020, the operation of the Personal Information and Protection Act 2004 (Tas) was provisionally curtailed with the passage of the COVID-19 Disease Emergency (Miscellaneous Provisions) Act 2020 ("the COVID-19 Act"). The Personal Information and Protection Act ("the PIPA") regulates the handling of personal information in the Tasmanian public sector. The purpose of the COVID-19 Act is to deal with risks posed by COVID-19 to the State's judicial, administrative and legislative functions. The COVID-19 Act inserted a new section 60A into the Emergency Management Act 2006 (Tas) to the effect that the PIPA would not, in the event the Minister declared a state of emergency, apply in certain respects, specifically in relation to the disclosure, collection, exchange or use of "relevant information" for "relevant purposes" by a "relevant person or body". In context, this embraces personal information which is requested, required, obtained, disclosed or used during a state of emergency by a person exercising powers under a state or Commonwealth law. A state of emergency was called in Tasmania, in response to the COVID-19 outbreak.
OECD supports a cautious approach to contact tracing apps.
On 16 April 2020, the Organisation for Economic Co-Operation and Development (OECD) published a report on the use of contact tracing apps in seeking to combat the spread of the coronavirus: OECD, Tracking and Tracing COVID: Protecting Privacy and Data while using Apps and Biometrics. The report acknowledged that digital technologies, in particular mobile and biometric applications, were being adopted in innovative ways to improve the effectiveness of government responses to the crisis, and it described the resulting information as "invaluable". It further observed, nevertheless, that "current digital solutions for monitoring and containment have varying implications for privacy and data protection". Privacy protection measures should be embedded in the design to balance the benefits and risks associated with the collection and sharing of information, and the data should only be retained for as long as was necessary to serve the original purpose of collection.
COVID-19 contact tracing app launch accompanied by privacy reassurances.
Originally published 28th April 2020.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.