1. How can the government's attitude and approach to internet issues best be described?
Australian governments have recognised the potential that the internet promises, particularly in a country with the unique characteristics of Australia (low population density, large geographic area and advanced economy). The federal government is pressing ahead with a A$43 billion rollout of a next-generation broadband network designed to provide internet access via fibre-optic connection to virtually all Australian homes and businesses.
While governments have recognised this potential from the perspective of investment, they have generally done little to address the special characteristics of the internet when it comes to regulation. In most areas, governments have tried to treat the internet in an identical manner to other content and service delivery mechanisms. This has not been without consequence and has resulted in the law relating to internet issues developing on a largely ad hoc basis in many areas.
The internet presents particular difficulty in many aspects of Australian law, including in the realms of copyright, defamation and gambling.
2 What legislation governs business on the internet?
Australia has a federal legal system (like the United States and the European Union) and businesses must comply with both federal and the relevant state/territory legislation. The federal government's legislative powers are restricted to those heads of power which are enumerated in the Australian Constitution. As a result, businesses must pay attention to laws at both federal and state/territory levels.
Traditional business legislation applies to internet businesses in a manner as close as is feasible to the manner in which it applies to offline business.
Key pieces of legislation include the Corporations Act 2001 (Cth), the Privacy Act 1988 (Cth) and the Competition and Consumer Act 2010 (Cth). The Australian Consumer Law (ACL), which is schedule 2 to the Competition and Consumer Act, is the foremost source of consumer protection law in Australia and is enforced by the Australian Competition and Consumer Commission (ACCC).
3 Which regulatory bodies are responsible for the regulation of e-commerce and internet access tariffs and charges?
Consistent with the position of Australian governments that internet businesses should be regulated in the same manner as offline businesses, there is no dedicated government agency tasked with the regulation of e-commerce. Rather, the regulation of internet businesses falls within the ambit of various regulators, such as:
- the ACCC and the corresponding fair trading offices at the state and territory level, which deal with anti-competitive conduct and consumer protection;
- the Australian Communications and Media Authority (ACMA), which has the responsibility to regulate certain content on the internet;
- the Office of the Australian Information Commissioner (OAIC), which administers the Privacy Act 1988 (Cth); and
- the Telecommunications Industry Ombudsman, which deals with complaints regarding the provision of internet services.
4 What tests or rules are applied by the courts to determine the jurisdiction for internet-related transactions (or disputes) in cases where the defendant is resident or provides goods or services from outside the jurisdiction?
Although no view has yet been taken by the High Court of Australia (Australia's highest court) in relation to the location of a transaction in the business context, the High Court has found that, in the context of defamation, the publication of a website occurs in the jurisdiction in which the relevant material is downloaded (or viewed).
In the absence of a view being expressed clearly by any Australian parliament or higher court, Australian courts are likely to apply standard private international law tests to determine whether the laws of the jurisdiction will apply to that transaction.
It is a principle of private international law in Australia that, as long as there is a sufficient connection between a matter and a jurisdiction, then the laws of that jurisdiction can apply, particularly in the context of business transactions.
Contracting on the internet
5 Is it possible to form and conclude contracts electronically? If so, how are contracts formed on the internet? Explain whether 'click wrap' contracts are enforceable, and if so, what requirements need to be met?
Yes, it is possible to form and conclude contracts electronically. Contracts are formed in the standard manner by one party making the offer and the other accepting. As in many other Commonwealth jurisdictions, there may be a preliminary stage, or 'offer to treat', and it is recommended that businesses ensure that their websites are considered offers to treat, rather than offers which a customer is then at liberty to accept.
ACMA plays little role in most business activities but is involved in the regulation of certain online gambling activities, the publication of restricted material on websites and the control of spam.
The leading case on click wrap contracts in the Australian context is eBay International Ag v Creative Festival Entertainment Pty Ltd (2006) FCA 1768. The general principles which emerge from that case are that the following are required for the formation of a click wrap contract:
- clear notice to the customer that the transaction is governed by the terms of a contract;
- an opportunity forthe customerto review the terms of the standard form contract before agreeing to them; and
- a clear and unambiguous statement of what constitutes acceptance of the terms of the contract.
Provided these conditions are met, courts are likely to enforce such contracts, subject to consumer protection exceptions.
The most important of these exceptions are the unfair terms provisions of the Competition and Consumer Act 2010 (Cth). These provisions render certain terms, especially those found in standard form documentation, unenforceable and businesses should ensure that the terms on which they offer to provide goods and services to customers comply with the requirements of this act.
6 Are there any particular laws that govern contracting on the internet? Do these distinguish between business-to-consumer and business-to- business contracts?
There is no legislation which regulates specifically contracting on the internet but provisions in legislation which apply to the interpretation of contracts generally may also apply to internet transactions. See, for example, the Sale of Goods Act 1923 (NSW) and other equivalent state/territory legislation.
While not internet-specific, the provisions of the Competition and Consumer Act 2010 (Cth) can apply to both business-toconsumer and business-to-business contracts which are conducted over the internet. Whether the provisions will apply will depend on, for example, the value of the goods and services being acquired and their intended use (personal, domestic and household consumption or alternatively for use in business).
7 How does the law recognise or define digital or e-signatures?
Electronic signatures are regulated by acts at the federal and state/territory level that are all based largely on the UNCITRAL Model Law on Electronic Signatures. Last year, those acts were amended in order to allow Australia to accede to the United Nations Convention on the Use of Electronic Communications in International Contracts 2005.
A fundamental principle under Australian law is that, with some exceptions, a transaction between two or more parties is not invalid by virtue of the transaction being conducted electronically. The various acts allow business and government to fulfil, in electronic form, any of the following requirements:
- giving information in writing;
- providing a handwritten signature;
- producing a document in material form; and
- recording or retaining information.
An electronic signature is valid provided that other forms of electronic communication such as fax or e-mail are already accepted by parties for the exchange of signatures (Getup Ltd v Electoral Commissioner (2010) FCA 869). While the exceptions relate generally to the lodgement of certain documents with government authorities (eg, for voting purposes), businesses should be aware that real property transactions are also exempted.
We note that digital signatures sometimes refer to signatures which are encrypted using cryptographic methods (such as public key encryption) as opposed to other types of signatures which may be sent using electronic methods. Australian law does not distinguish between digital signatures and other types of electronic signatures.
8 Are there any data retention or software legacy requirements in relation to the formation of electronic contracts?
No, there are not.
9 What measures must be taken by companies or ISPs to guarantee the security of internet transactions?
There are no explicit requirements to guarantee the security of internet transactions. However, all businesses, including ISPs, are under obligations to protect the privacy of information which they collect from customers.
10 As regards encrypted communications, can any authorities require private keys to be made available? Are certification authorities permitted? Are they regulated and are there any laws as to their liability?
Section 3LA of the Crimes Act 1914 (Cth) provides the Australian Federal Police with the power to seek a court order requiring a person to provide reasonable assistance to access data held on a device that is the subject of a warrant. It is arguable that this would include the disclosure of private keys. (Similar powers are provided to Customs officers under section 201A of the Customs Act 1901 (Cth).)
In contrast, although state and territory police have the authority to seize devices which may have encrypted data, they do not have the ability to seek a court order in the same ways that the Australian Federal Police can as outlined above.
There are export restrictions on cryptography technologies but they are of relevance only to businesses exporting such technologies from Australia. There are no express regulations regarding certification authorities.
11 What procedures are in place to regulate the licensing of domain names? Is it possible to register a country-specific domain name without being a resident in the country?
The registration of country-level domain names ending with '.au' is handled by registrars accredited by '.au' Domain Administration Ltd (auDA).
Registrars authorised by auDA provide services to people who want to register a new domain name, renew their existing domain name, or make changes to their domain name record. A list of these accredited organisations can be found at: www.auda.org .au/registrars/accredited-registrars/.
To own a '.com.au' or '.net.au' domain, the registrant must fulfil at least one of the following criteria, namely it must be:
- an Australian registered company;
- a business trading under a registered business name in any state
- or territory;
- an Australian partnership or an Australian sole trader;
- a foreign company licensed to trade in Australia;
- an owner of a Australian registered trademark;
- an applicant for an Australian registered trademark;
- an association incorporated in any Australian state orterritory; or
- an Australian commercial statutory body.
The domain name must be an exact match, abbreviation or acronym of the registrant's name or trademark or otherwise closely and substantially connected to the registrant. A registrant does not need to be a resident in Australia.
Although not a government body, auDA operates under quasi-governmental authority and has in place dispute resolution procedures that can be utilised in the event of a dispute regarding the registration of a domain name. These procedures include the ability to cancel or transfer a registration. As part of the process, a complainant must be able to show that:
- the registrant's domain name is identical or confusingly similar to a name, trademark or service mark in which the complainant has rights; and
- the registrant has no rights orlegitimate interestsin respect of the domain name; and
- the registrant's domain name has been registered orsubsequently used in bad faith.
These requirements are the same as those under the ICANN Uniform Domain Name Dispute Resolution Policy (although it should be noted that the ICANN Uniform Domain Name Dispute Resolution Policy and the auDA Dispute Resolution Policy are not identical).
12 Do domain names confer any additional rights (for instance in relation to trademarks or passing off) beyond the rights that naturally vest in the domain name?
The mere registration of a domain name does not confer on a registrant any additional rights in the form of intellectual property rights beyond those that vest naturally in the domain name. For example, the registration of a particular domain name does not itself exclude others from using that same name as a trademark. That said, the use of a mark in a domain name can be evidence that the mark is being used as a mark in the course of trade.
13 Will ownership of a trademark assist in challenging a 'pirate' registration of a similar domain name?
The ownership of a trademark certainly assists in challenging a 'pirate' registration of a similar domain name as registration of a domain name does not give the registrant ownership in that name, nor does it give the registrant an unchallengeable right to use it.
Conversely, by registering a trademark, the owner acquires a proprietary right to the use of that mark as a trademark in association with a class, or classes, of goods and services under the Trade Marks Act 1995 (Cth). Thisright may be asserted against any person using, 'as a trade mark', a mark that is substantially identical, or deceptively similar, to the registered trademark in connection with the same classes of goods and services. The use of a mark in a domain name will generally be considered use of that mark as a trademark, especially in relation to an operational website.
Only owners of particularly well-known trademarksin Australia can prohibit a third party from using the trademark in respect of all categories of goods and services and, even then, only if such use would adversely affect the interests of the registered owner.
14 What rules govern advertising on the internet?
Internet advertising is generally governed by the same rules and regulations which apply in respect of other forms of advertising, with a few exceptions.
All advertisements (regardless of the means of transmission) must comply with the ACL. Advertisements must not be misleading and deceptive or likely to mislead or deceive consumers. Advertisements must not contain false misrepresentations in respect of the nature, quality, value or grade of the goods or services to be provided, nor must advertisements represent falsely that the goods or services have sponsorship, approval or performance characteristics which they do not have. Furthermore, any claims which are made in respect of the goods or services must be able to be substantiated.
In addition, depending on the nature of the goods or services being advertised, other regulations may be relevant. Goods and services for which specific regulations apply include but are not limited to tobacco; nutrition and health claims in respect of food; alcohol; certain gambling services and therapeutic goods. In respect of therapeutic goods, for example, online advertisements for most overthe-counter medicines do not require approval. However, therapeutic claims in the advertisements must be restricted to the indications for which the product has been registered on the Australian Register of Therapeutic Goods.
The Advertising Standards Bureau administers Australia's selfregulatory advertising codes, many of which are applicable to online advertising. The Australian Association of National Advertisers (AANA) Code of Ethics addresses issues such as sex, sexuality and nudity, discrimination, health and safety standards and appropriate language. Other codes cover specific areas including food and beverages, motor vehicles, the restaurant industry and marketing to children.
ACMA isresponsible forthe administration of a nationalregulatory scheme for internet content and investigates complaints about online content, including advertisements.
15 Are there any products or services that may not be advertised or types of content that are not permitted on the internet?
Content will be prohibited on the internet if it has been refused classification or classified X18. Content will also be deemed prohibited if it is classified as restricted to 18 years or over (R18+) and has not been protected by an adult verification system. Examples of content likely to be prohibited include child pornography, excessively violent material or material which provides detailed instructions to commit a crime or use drugs. ACMA may issue a take-down notice for such content appearing on Australian websites, or else add the URL of the website or web page to a banned URL list, known as the 'blacklist', in the case of websites hosted outside Australia. On 1 March 2012, the Australian Law Reform Commission (the ALRC) made recommendations on the classification of content in Australia. If the Australian government accepts the ALRC's recommendations, this would affect the advertising of content on the internet as the categories of prohibited content will change.
Under the therapeutic goods regime, prescription-only and some pharmacist-only medicines cannot be advertised online to consumers. Products containing ingredients in schedules 3, 4 of 8 of the Poisons Schedule ordinarily cannot be advertised to consumers. The Food Standards Code sets out restrictions on the health and nutrition claims which can be made in respect of foods.
Various restrictions apply in different states and territories in respect of licensed online betting or wagering operators, for example, some states do not allow the advertisement of inducements to bet. In addition, it is an offence to provide certain types of interactive gambling services or to market those services to Australian-based internet users, regardless of where the gambling service provider is located. The restriction applies in respect of online casino games, which are played with real money.
Online advertising of tobacco products will be banned when the Tobacco Advertising Prohibition Amendment Bill 2010 (Cth) (the Tobacco Advertising Amendment Bill) commences on 6 September 2012. The Tobacco Advertising Amendment Bill will prohibit the advertising of tobacco products on the internet and in other electronic media such as mobile phones or computers, unless the advertising complies with state or territory legislation or Commonwealth regulation. This prohibition will apply to any person who publishes in Australia a tobacco advertisement on the internet or via any electronic means. The meaning of 'published in Australia' will apply to an advertiser that has a significant Australian connection even if the advertisement did not originate in Australia or if its origin cannot be determined.
16 Is the advertising or selling of financial services products to consumers or to businesses via the internet regulated, and, if so, by whom and how?
Australia has comprehensive laws regulating the provision of financial services to Australian consumers and businesses, including through the internet. The legislative regime applies where the relevant financial services are offered to persons or entities in Australia, regardless of the jurisdiction from which the financial services are provided. In general terms, providers of financial services must hold an Australian Financial Services Licence (AFSL) under the Corporations Act 2001 (Cth). The Australian Securities and Investments Commission (ASIC) is responsible for the issue and administration of AFSLs, and for the administration and enforcement of the licensing regime and securities laws generally.
Offers of securities for sale or issue require the preparation of formal disclosure documents (for example, a prospectus) unless certain exceptions apply. Offers that require formal disclosure cannot be advertised, including over the internet, except in a prescribed manner that directs people receiving the advertisement to the relevant disclosure document. The distribution of disclosure documents themselves by electronic means (such as by e-mail or on a website) is permissible only if a hard copy of the prospectus has been lodged with ASIC and other requirements are met.
The Corporations Act and the Australian Securities and Investments Commission Act 2001 (Cth) impose both civil and criminal liability in respect of information concerning financial products or services that is misleading and deceptive or is likely to mislead or deceive, whether by act or omission. Liability can attach even where the offending acts are done, or omissions made, outside Australia.
Persons offering consumer credit or acting as an intermediary (eg, a broker) in relation to consumer credit are required to hold an Australian Credit Licence. Credit licences are also issued and administered by ASIC. The National Consumer Credit Protection Act 2009 (Cth) regulates the content of advertising – in any medium – in relation to consumer credit products, for example by requiring the use of comparison interest rates calculated in a manner prescribed by the legislation. That act also imposes civil and criminal liability for misleading and deceptive conduct in relation to consumer credit products.
17 Are ISPs liable for content displayed on their sites?
ISPs are given limited protection for content displayed on their sites by the operation of clause 91 of schedule 5 of the Broadcasting Services Act 1992 (Cth) in circumstances where the ISP is not aware of the nature of the content. Similar protection is afforded to ISPs under the Uniform Defamation Law in force in each state and territory, in which ISPs are considered to be 'subordinate distributors' of defamatory content.
However, once an ISP is on notice of defamatory material, recent authorities indicate that the ISP will be held liable as any publisher of the defamatory material, at least from the time of the notice until such time that the material has been taken down.
18 Can an ISP shut down a web page containing defamatory material without court authorisation?
In most circumstances, an ISP would (or should) have terms and conditions of service that would allow them to shut down a web page alleged to contain defamatory or other illegal or offensive material or at least suspend service pending further investigation by the ISP.
To limit risk of exposure, it is not uncommon for ISPs to include in their terms and conditions the right to take such action, as well as an indemnity in favour of the ISP against the costs of any legal proceedings that may be brought against the ISP for doing so.
19 Can a website owner link to third-party websites without permission?
Generally speaking, yes. However, while permission to link to a thirdparty website is not strictly required, there are situations in which a website owner may be at risk if they do so. These are discussed further below.
20 Can a website owner use third-party content on its website without permission from the third-party content provider?
Notwithstanding the unique characteristics of the internet, Australian courts have sought to apply standard legal principles (such as copyright, trademark and anti-competitive and consumer protection law) to the reproduction of content on websites. Accordingly, the same restrictions and exceptions applying to offline businesses will apply to internet businesses.
With respect to copyright, a website must not reproduce a substantial part of a work which is protected by copyright (unless the reproduction falls within a fair dealing exception such as the reporting of news or research and study). In order for a work to be protected by copyright, it must meet certain criteria which differ depending on the type of work (eg, sound recording, piece of text, movie, compilation).
In recent years, Australian courts have stressed the need for an identifiable author (or authors) as a necessary condition for copyright to subsist in a work. This has called into question the protection afforded to works which are produced substantially by automated processes. There is then the real likelihood that certain types of databases and computer software are not protected by copyright. Australia has no sui generis database right and, without legislative intervention, there will be limited mechanisms by which these works can be protected.
Even if an act may otherwise be an infringement of copyright, it may be exempted under fair dealing provisions of the Copyright Act 1968 (Cth). Fair dealing is a similar, but more limited, concept to that of fair use in the United States. Unlike in the United States, the categories of fair dealing permitted are limited to those set out expressly in the Copyright Act 1968 (Cth).
As noted above, other legal principles may apply to the use of content on a website. The use of a third party's intellectual property (eg, trademarks) to direct people to a website can give rise to an actionable claim. This is an issue in respect of paid keywords/ adwords which may be purchased by a competitor so as to ensure that a paid search advertisement is displayed to a user that inputs the trademark into a search engine, such as Google, or through the use of another business's trademarks in a web page's metatags.
The Full Court of the Federal Court of Australia has recently found Google liable for engaging in misleading and deceptive conduct by displaying sponsored links in response to a user's search for a particular word or words in cases where the results displayed include links to a competitor's website (ACCC v Google  FCFCA; special leave to the High Court of Australia was granted on 22 June 2012 with the appeal expected later in 2012). Website owners should seek legal advice before using the trademarks of a competitor in any manner connected with a website.
21 Can a website owner exploit the software used for a website by licensing the software to third parties?
The answer depends on the terms of any licence that may exist in respect of the software. There are no legislative provisions that would prevent a person from licensing the software used for a website to a third party provided that the person is the owner of the copyright in the software or otherwise has the right to distribute the software via the internet.
Similarly, there are no legislative provisions prohibiting a person providing software as a service to customers provided that the person holds, or has otherwise been licensed, the necessary rights to do so.
22 Are any liabilities incurred by links to third-party websites?
As noted above, while a website owner is not prohibited from linking to a third-party website as a matter of general principle, liabilities may arise in particular situations.
First, if the third-party website contains material which is prohibited, ACMA can issue a link-deletion notice to the website owner or the service provider that makes the website available. The linkdeletion notice can require the website owner to remove the link to the third-party website.
Second, if the material available on the third-party website contains material which infringes copyright, the website owner may be at risk of a claim being made on the grounds that it has authorised the infringement.
Third, if the third-party website provides prohibited gambling services, a website which provides link to those third-party websites may be considered to be promoting the third-party website. In that case, ACMA may request the Australian Federal Police to take action against the website owner.
Data protection and privacy
23 How does the law in your jurisdiction define 'personal data'?
The Privacy Act 1988 (Cth) uses the term 'personal information', which is defined as being information or an opinion (including information or an opinion forming part of a database), whether true or not, and whether recorded in a material form or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion.
'Sensitive personal information' is defined as information or an opinion about an individual's racial or ethnic origin; political opinions; membership of a political association; religious beliefs or affiliations; philosophical beliefs; membership of a professional or trade association; membership of a trade union; sexual preferences or practices; or criminal record; health information about an individual or genetic information about an individual that is not otherwise health information. Amendments to the Privacy Act are currently before Parliament. These amendments include expanding this definition to include biometric information and biometric templates.
'Health information' is information or an opinion about the health or a disability (at any time) of an individual; an individual's expressed wishes about the future provision of health services to him or her; a health service provided or to be provided to an individual; other personal information collected to provide, or in providing, a health service; other personal information about an individual collected in connection with the donation, or intended donation, by the individual of his or her body parts, organs or body substances; or genetic information about an individual in a form that is, or could be, predictive of the health of the individual or a genetic relative of the individual.
Australian companies are required to comply with the 10 National Privacy Principles (NPPs), which are set out in schedule 3 to the Privacy Act, if their annual turnover exceeds A$3 million or on other defined bases, for example, if they provide health services and hold health information; or if they disclose or collect personal information for a benefit.
The NPPs regulate the way in which personal information is collected (NPP1), the use and disclosure of personal information (NPP2), the manner in which personal data may be accessed and corrected by individuals (NPP6), the use of identifiers (NPP7) and transborder data flow (NPP9).
In May 2012, the Privacy Amendment (Enhancing Privacy Protection) Bill 2012 (the Enhancing Privacy Bill) was introduced into the Australian parliament. The Enhancing Privacy Bill seeks to modernise Australia's privacy protection framework and to provide greater control to consumers over the manner in which organisations use their personal information. The Enhancing Privacy Bill proposes the introduction of the Australian Privacy Principles (APPs). These will combine and replace the current NPPs (which apply to the private sector) and the Information Privacy Principles (which apply to the public sector). The APPs will continue to cover the collection, storage, security, use, disclosure, access and correction of personal information acquired by an organisation. However, the key change is that the APPs will now apply to both the private and public sectors, unless an exception applies. The definition of what constitutes 'person information' will not change.
24 Does a website owner have to register with any controlling body to process personal data? May a website provider sell personal data about website users to third parties?
No, a website owner does not have to register with any controlling body to process personal data. However, a website owner who collects personal data may be bound by the Privacy Act 1988 (Cth) which sets out the National Privacy Principles.
If a website user is concerned that their privacy has been breached by the website owner, the user can make a complaint to the Privacy Commissioner. The Privacy Commissioner sits within the Office of the Australian Information Commissioner.
The Enhancing Privacy Bill seeks to strengthen the power of the Privacy Commissioner to make determinations to direct organisations to stop certain conduct or redress loss or damage. Given that in December 2011 the Privacy Commissioner exercised its existing power under the Privacy Act to issue determinations for the first time, it is likely that these amendments may lead the commissioner to become increasingly active.
Online behavioural advertising is regulated by industry standards. In March 2011, the Australian Digital Advertising Alliance (ADAA) released the Australian Best Practice Guideline for Online Behavioural Advertising (the Guideline).
The Guideline contains seven self-regulatory principles:
- third parties shall not combine online behavioural advertising (OBA) data with personal information unlessthey treat the OBA data as personal information data, to be treated in accordance with the Privacy Act 1988 (Cth);
- clear information should be provided to web users;
- user choice over OBA (ie, users should have an opt-out option);
- data should be kept secure;
- careful handling of sensitive segmentation (an example of a 'sensitive segment' is children);
- users should be educated; and
- businesses are accountable for upholding the Guideline.
The founding members of the ADAA include significant bodies in the Australian advertising industry: the AANA, the Australian Direct Marketing Association (ADMA), the Australian Interactive Media Industry Association, the Communications Council, the Australian Interactive Advertising Bureau, the Media Federation of Australia, the Internet Industry Association, Google, Microsoft, NineMSN, Sensis Digital Media, Network Ten Digital and Yahoo!7.
At the time of writing, 10 major companies were signatories to the Guideline including Google, Microsoft, NineMSN and Yahoo!7.
A website, www.youronlinechoices.com.au, has also been launched by the ADAA to inform internet users about how OBA works.
26 If an internet company's server is located outside the jurisdiction, are any legal problems created when transferring and processing personal data?
No problems currently arise under Australian law provided that the terms of the service agreement between the user and the internet company is not breached by the internet company when transferring and processing data. Businesses should seek legal advice to determine whether problems arise in respect of the jurisdictions (eg, Europe) to which the personal data are to be transferred or in which they are to be processed.
Problems may arise for the internet company when law enforcement agencies seek the disclosure of personal data (eg, for investigation of criminal suspects). Data stored on servers outside Australia are not covered by the Telecommunications (Access and Interception) Act 1979 (Cth), which is the statute that provides law enforcement agencies with the power to authorise the disclosure of personal data. The Privacy Act 1988 (Cth) does not authorise law enforcement agencies to request the disclosure of personal data; however, it does make provision for entities which hold personal data to disclose them to law enforcement in certain situations without being in breach of the act. Thus, if an internet company's servers are located outside Australia, it may find itself under constant pressure to disclose personal data to Australian law enforcement agencies, which in fact lack the power to compel such disclosure.
Businesses should also be aware of the potential risks posed by the USA Patriot Act if they store personal data with US-owned or US-linked cloud service providers. Under the act, the US government may be able to access the data. This power was recently recognised by the Department of Finance and Deregulation in a Privacy and Cloud Computing Better Practice Guide issued to enhance the privacy safeguards used by Australian government agencies to protect personal data.
27 Does your jurisdiction have data breach notification laws?
No; however, Australia's lack of data breach notification laws has received much media coverage, particularly in light of recent incidents involving, for example, Sony and skincare retailer Lush.
The Australian Law Reform Commission's 2008 'Report into Privacy Law, For Your Information: Australian Privacy Law and Practice', recommended that the Privacy Act 1988 (Cth) be amended to provide for notification by agencies and organisations to individuals affected by a data breach, arguing that such a requirement is consistent with the Privacy Act's objective to protect the personal information of individuals. The federal government is continuing to consider the recommendations contained in the 2008 report, but did not include a provision of this nature in the Enhancing Privacy Bill. Earlier in 2012, the Office of the Australian Information Commissioner released 'Data breach notification: A guide to handling personal information security breaches' to encourage organisations holding personal information to voluntarily put in place reasonable measures to deal with data breaches.
28 Is the sale of online products subject to taxation?
Australia has a Goods and Services Tax (GST) which is applied at a rate of 10 per cent on most goods and services transactions in Australia.
All domestic transactions that take place online where the seller is an Australian retailer will attract GST. Transactions between an overseas retailer and an Australian purchaser will only attract GST where the value of the goods or services being sold exceed A$1,000.
There has been recent debate about whether this A$1,000 threshold should be abandoned so that GST is extended to cover all online purchases made by Australians. However, the federal government recently announced that it would retain the A$1,000 GST threshold for online transactions with overseas retailers. This was on the basis that the cost of recovery of the tax on small value items would exceed the tax collected.
29 What tax liabilities ensue from placing servers outside operators' home jurisdictions? Does the placing of servers within a jurisdiction by a company incorporated outside the jurisdiction expose that company to local taxes?
The Income Tax Assessment Act 1936 (Cth) and the Tax Assessment Act 1997 (Cth) regulate individual and company taxation in Australia. Residents of Australia are generally taxed on their worldwide income. As a general rule, a company will be treated as a 'resident' of Australia if it is:
- incorporated in Australia, or
- not incorporated in Australia, but carries on businessin Australia and has either its central management and control in Australia or its voting power controlled by shareholders who are residents of Australia.
A non-resident company is liable to income tax only on assessable income derived from sources in Australia. If a non-resident company is deriving profit from the server placed in Australia, then it is likely that the non-resident company will be exposed to Australian taxes. Additionally, the non-resident company may also be liable to pay capital gains tax if it wishes to sell the server in future.
Conversely, if an Australian resident places servers outside Australia, it may be taxable in the foreign jurisdiction depending on the tax laws of that jurisdiction. The income may also be taxable in Australia but a credit will be given against the Australian tax liability for any income tax that is legitimately paid in the foreign jurisdiction.
If the Australian resident is a company and the operation of the server is seen as operating a business in a permanent establishment in the foreign jurisdiction and it passes certain active income tests, the income from the operation of the server may be non-taxable in Australia.
30 When and where should companies register for VAT or other sales taxes? How are domestic internet sales taxed?
Australia's GST is a value-added tax (VAT). If a person carries on a business or other form of enterprise in Australia, they must register for GST if their GST turnover over a 12-month period, either starting or ending with the current month is A$75,000 or more (A$150,000 or more for nonprofit organisations). 'GST turnover' refers to gross business income (not profit), excluding certain other revenue streams, such as GST included in sales to customers and sales not connected with Australia.
A company can register for GST by completing an application to register for GST. This is the same application that needs to be completed for an Australian Business Number (ABN). An ABN is required to be part of the GST system and an ABN also serves as a GST registration number. Thus, a company should register for GST at the same time it decides to register its business in Australia.
Registration can be completed online at www.business.gov.au or by contacting an Australian tax agent.
Domestic internet sales are taxed the same way as non-online sales. Generally, registered businesses:
- include GST in the price of sales to their customers and then pay the GST to the Australian Taxation Office (ATO); and
- claim credits for the GST included in the price of their business purchases, as a refund from the ATO.
The GST payable and claimable can be offset so only the net amount is paid to or received from the ATO in any one reporting period.
While GST is paid at each step in the supply chain, businesses do not actually bear the economic cost of the tax. The cost of GST is borne by the final consumer who cannot claim GST credits.
31 If an offshore company is used to supply goods over the internet, how will returns be treated for tax purposes? What transfer-pricing problems might arise from customers returning goods to an onshore retail outlet of an offshore company set up to supply the goods?
If imported goods are returned to an onshore retail outlet of the offshore supplier, any cost reallocation between the onshore retailer and the offshore supplier must be done on an arm's length basis to comply with the Australian transfer pricing rules in the Income Tax Assessment Act 1936 (Cth)
The GST implications of returns of goods will depend on who paid the GST and whether or not the purchaser is registered for GST.
32 Is it permissible to operate an online betting or gaming business from the jurisdiction?
Yes, but there are a number of restrictions. The Interactive Gambling Act 2001 (Cth) (IGA), a federal law, treats betting and gaming differently. Betting is essentially exempt from the IGA, meaning that only restrictions at the state and territory level apply to these types of operators. Gaming, on the other hand, is essentially prohibited insofar as services are provided to persons physically located in Australia. Under the IGA, there are no restrictions on an operator providing gaming services from Australia to persons outside Australia. Although the IGA contains provisions that would prohibit the provision of gaming services to persons in designated countries, no country has ever been designated.
If an activity is not prohibited by the IGA, it may nevertheless require a licence at the state and territory level. A licence provided by any state or territory in Australia allows the licence holder (for example a betting operator) to accept bets from any person, including persons located in any Australian state or territory. This right may be subject, in some cases, to individual states and territories (or relevant authorities located in that state or territory) determining a level of payment in connection with the events that take place within the state or territory, together with integrity and social responsibility compliance requirements. Any fees levied against betting operators licensed in Australia are in addition to taxes they pay in their licensing state.
In May 2012, the Department of Broadband, Communications and the Digital Economy released an interim report following its review of the IGA. Among its recommendations was the legalisation of in-play betting (save for microbets) and online tournament poker.
33 Are residents permitted to use online casinos and betting websites? Is any regulatory consent or age, credit or other verification required?
The IGA does not create an offence for an Australian resident to use online casinos and betting websites (even if the casino or betting website is prohibited). However, state and territory laws contain provisions which make it an offence to participate in unlawful gambling. To our knowledge, these laws have not been enforced against any individuals in Australia in respect of online gambling websites.
In all jurisdictions, the minimum age for use of gambling services is 18 and all operators have an obligation to ensure that they do not provide services to persons under the age of 18.
Online gambling operators are required to comply with antimoney-laundering and counter-terrorism financing regulations regarding the verification of identities of all customers. Operators are permitted to allow individuals to open accounts prior to an identity being verified but cannot allow any withdrawals to be made until the verification process is complete. If the verification process is not completed within 90 days, the account must be closed.
34 What are the key legal and tax issues relevant in considering the provision of services on an outsourced basis?
Australia has no specific legislation concerning outsourcing and the same issues which relate to any provision of services should be considered, namely:
- clear definition of services being provided;
- service levels and the consequences if services are not provided to a satisfactory level;
- additional dispute resolution measures;
- termination procedures;
- auditing procedures; and
- confidentiality and intellectual property protocols.
For services that are outsourced to providers overseas, concern should be given to:
- privacy and data protection; and
- choice of law.
The tax implications will depend on a number of issues which may include:
- the residency of the provider of the services;
- the location where the services are provided;
- the place where relevant contracts are entered into; and
- whether an international tax agreement between Australia and a foreign country is applicable to the transaction.
35 What are the rights of employees who previously carried out services that have been outsourced? Is there any right to consultation or compensation, do the rules apply to all employees within the jurisdiction?
There is no specific legislation relating to the rights of employees who have jobs outsourced. That said, provisions under the Fair Work Act 2009 (Cth) will apply to employees who are terminated and grant workers the right to reinstatement or compensation if a termination is deemed unfair.
Provisions of the Fair Work Act will also apply where a business is transferred from one employer to another employer (provided the transferee is also subject to the act, for example a company incorporated in Australia).
36 When would a website provider be liable for mistakes in information that it provides online? Can it avoid liability?
ISPs and internet content hosts (ICHs) are exempt under clause 91 of schedule 5 of the Broadcasting Services Act 1992 (Cth) from any civil or criminal liability for incorrect content carried or hosted by them at least until they become aware of the nature of the content. The same provision also exempts ISPs and ICHs from the effect of any law which would require them to monitor or keep records of content which they carry or host
However, once the ISP/ICH becomes aware of erroneous information, they may be liable as a publisher of such information. While liability cannot in those circumstances be avoided altogether, civil liability may be limited as between the ISP/ICH and the website owner or other persons posting information by way of indemnities in their terms and conditions.
37 If a website provider includes databases on its site, can it stop other people from using or reproducing data from those databases?
IceTV Pty Ltd v Nine Network Australia Pty Ltd (2009) 239 CLR 458 is the most recent High Court authority concerning copyright with respect to databases. In that case, the High Court reiterated the position that copyright does not protect facts or information, only the particular form of expression employed, including the selection and arrangement of the information.
Thus, if a database is published on a website, the data themselves will not be protected if the information is only factual information. Moreover, as noted above, there may be particular difficulties in proving that copyright subsists in a work if the author (or authors) of the work cannot be identified. This can cause particular difficulties where there is extensive automation in the preparation of a database (eg, a telephone directory).
38 Are there marketing and advertising regulations affecting website providers?
While there are no specific regulations affecting website providers, all advertising must comply with the ACL (see above). The ACL requires that advertising must not be misleading and deceptive, nor likely to mislead and deceive consumers, and must not contain false representations. Furthermore, any claims which are made in advertisements must be able to be substantiated.
Depending on the nature of the goods or services being advertised or promoted on the website, other regulations may be relevant. The marketing and advertising of food, alcohol, certain gambling services, therapeutic goods and tobacco products are subject to specific regulations. Please see the response to question 14 for further information.
In addition, particular marketing or advertising content will be prohibited if it has been refused classification or classified X18. Examples of prohibited content and the manner in which it is dealt with in Australia are contained in question 15.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.