Australia: Data Protection in the Pacific: What are your obligations?

In comparison with most of the world, co-ordinated data protection and privacy legislation in the Pacific is unsophisticated – in fact, it is pretty much non-existent. With this in mind, can telecommunications and technology companies operating in the Pacific (Operators) do what they want with confidential customer information and data? Of course not!

Operators collecting, storing and using personal information of consumers in Pacific jurisdictions[1] are likely to be bound by:

1. a common law duty of confidentiality; and
2. obligations contained in local telecommunications legislation.

Generally, the obligations contained in local telecommunications legislation will mirror common law confidentiality obligations.

What is the common law duty of confidentiality?

The general position is that if information is given in circumstances where it is expected that a duty of confidence applies, that information cannot normally be disclosed without the information provider's consent, or where required by law, or in the public interest. Each of the jurisdictions considered is a common law jurisdiction, and Operators in those jurisdictions will be bound by their common law duty of confidentiality.

Legislation specific to telecommunications service providers/licensees

Generally, local telecommunications legislation will impose a duty on Operators (where such Operators are bound by that legislation) to:

• protect confidential customer information;
• disclose confidential customer information only in prescribed circumstances (that is, with customer consent² or where required by law or by the telecommunications regulator); and
• use such confidential customer information for disclosed purposes/for the purposes of supplying telecommunications services to the customer only.

Fiji

Section 54(1)(e) of the Telecommunications Promulgation 2008 (Fiji Promulgation) provides that any service provider supplying telecommunications to consumers must keep information about consumers confidential, including billing information and call information, except to the extent necessary to publish any public telecommunications directory, enable billing of the consumer or to address fraud or bad debt. We note that customer consent is not an express exemption to disclosure of consumer information under the Fiji Promulgation.

Section 73(2) of the Fiji Promulgation provides that a licensee must, in connection with the operation of telecommunications networks or facilities or the supply of telecommunications networks or facilities or the supply of telecommunications services, give officers and authorities of the Government such help as is reasonably necessary for the following purposes:

• enforcing the criminal law and laws imposing pecuniary penalties;
• protecting the public interest; and
• safeguarding the national security.

The Telecommunications Authority of Fiji (TAF) has power to require disclosure of information and documents reasonably required by it from persons or licensees (section 31 of the Fiji Promulgation).

Solomon Islands

Section 73(1) of the Telecommunications Act 2009 (SI Act) requires that service providers take all reasonable steps to ensure the confidentiality of consumer communications.

Section 72(2) of the SI Act provides that service providers may collect, use, maintain or disclose user information only with the consent of that user (except in certain prescribed circumstances, for example, disclosure of certain information in a printed or electronic telephone directory). Appropriate safeguards must be applied to prevent the collection, use, maintenance or disclosure of such information.

Government authorities may access otherwise confidential information or communications of users, provided they do so in a lawful manner (section 74 of the SI Act).

Vanuatu

Section 40 of the Telecommunications and Radiocommunications Regulation Act 2009 provides that a service provider must not, without the consent of the end user, or unless required by law or authorised by warrant or by the telecommunications regulator:

1. divulge any personal end user information to any person who is not an agent or employee of the service provider; or
2. collect any personal end user information not reasonably required for the provision of any telecommunications service to an end user.

Samoa

Section 48 of the Telecommunications Act 2005 (Samoa Act) provides that a service provider shall not disclose information concerning a customer without the customer's written consent or unless disclosure is required or permitted by the Regulator or by law.

Access by the Government, Government agencies and authorities to otherwise confidential customer information or communications shall be in accordance with the laws of Samoa (section 51 of the Samoa Act).

Service providers are obliged under the Samoa Act to:

1. take all reasonable steps to ensure confidentiality of customer communications; and
2. operate their network with due regard for the privacy of its customers.

What are the consequences of non-compliance for an Operator?

An Operator which fails to comply with its common law duty of confidentiality may find itself exposed to a breach of contract claim by the relevant customer, and that Operator may be liable to pay damages.

Breach of an Operator's obligations under the relevant telecommunications legislation may result in:

• penalties (which may be imposed on the Operator/its officers);
• remedies being imposed on the Operator (in addition to/in lieu of a penalty);
• civil liability (resulting in Operator/its officers being required to pay damages),

by the telecommunications regulator and/or the relevant Court.

Ultimately, the telecommunications regulator in each of the jurisdictions discussed in this article has the power to amend the terms and conditions of, or revoke a licence for material failure to comply with a licence term or condition, or the relevant telecommunications legislation.

How can we help?

We can assist Operators by:

• reviewing customer terms and conditions to ensure that they comply with local legislation and obligations with respect to confidentiality of customer information;
• reviewing internal policies and procedures which deal with collection, use and storage of customer information;
• advising in relation to requests for disclosure, including assessing the suitability of a customer consent, or the validity of an external request for information; and
• providing general advice in relation to privacy of customer information and disclosure under the laws of the Pacific.

Footnotes

¹For the purposes of this article, we have considered the nature of such obligations in Fiji, the Solomon Islands, Vanuatu and Samoa)

²We note that the consent of the customer is not an express exemption to a Fiji Operator's disclosure obligations under the Telecommunications Promulgation 2008 (Fiji)

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.