Key recent developments in the area of Technology, Media and Telecommunications are summarised below.
Judgements
Interlocutory injunction restrains mobility of IT employee
A decision by the Supreme Court of New South Wales on 11 January
2019 to grant an interlocutory injunction enforcing an employment
restraint highlights many of the issues to be considered when
seeking to contractually protect confidential information in this
manner: Quantum Service and Logistics Pty Ltd v Schenker
Australia Pty Ltd [2019] NSWSC 2. The employer, Quantum,
had entered into a sub-contract with Schenker to provide technical
services (such as software configurations and installations and
post-sales warranty services) to a client of Schenker, Fuji Xerox
Australia. The contract between Quantum and Schenker included a
restraint which prevented Quantum employees taking up employment
with Schenker for six months following termination of the
agreement. The court noted that a restraint between
substantial commercial organisations might generally be treated
more favourably than a restraint in an employment contract,
particularly in circumstances where it was necessary to protect a
company's confidential information or, in some instances and to
some extent, the stability of its workforce, but it might
nevertheless be unenforceable if it unreasonably impacted on
individual employees. Whilst a blanket restriction on all
employees might not be justifiable, in this instance the individual
in question did possess "significant confidential information
concerning how Quantum effectively provides sub-contract
services". The individual might not have been able to
avoid using this information, even if it was not positively
disclosed to his new employer.
Beyoncé turns our focus to website accessibility
On 3 January 2019, a class action was filed in the New York
Southern District Court against the management and entertainment
company founded by singer Beyoncé, alleging that the website
Beyonce.com denied equal access to vision-impaired users in
contravention of the Americans with Disabilities Act
("ADA"): Conner v Parkwood Entertainment LLC No
1:19-cv-00053. Meanwhile, the US Court of Appeals for the 9th
Circuit ruled on 15 January 2019 that the ADA applied to a national
pizza chain's website which was incompatible with the
plaintiff's screen-reading software: Robles v Domino's
Pizza, LLC No. 17-55504 (9th Cir. 2019). These
proceedings provide a timely reminder to website owners – and
website developers – about the potential ramifications in
Australia of failing to provide an appropriate level of website
accessibility. The prevailing international standard is WCAG
("Web Content Accessibility Guidelines") 2.0, an updated
version 2.1 having been released in draft form in June 2018.
There is no statutory requirement in Australia for either the
public or the private sector to comply with WCAG 2.0, although
Commonwealth government policy is that all federal agencies must be
compliant. But beyond WCAG, a failure to provide website
accessibility for visually impaired users might constitute a breach
of section 5(1) of the Disability Discrimination Act 1992
(Cth) which provides that discrimination occurs where "the
discriminator treats or proposes to treat the aggrieved person less
favourably than, in circumstances that are the same or are not
materially different, the discriminator treats or would treat a
person without the disability". A claim was successfully
pursued on this basis before the Human Rights and Equal Opportunity
Commission in respect of the accessibility of tickets to the Sydney
2000 Olympic Games: Maguire v Sydney Organising Committee for
the Olympic Games [2001] EOC 93‑123. Best practice
in Australia is therefore to ensure that website development and
related services are WCAG 2.0 compliant.
New Legislation and Guidelines
Modern slavery legislation comes into effect
On 1 January 2019, the Modern Slavery Act 2018 (Cth) came
into effect. The legislation, which applies to entities
carrying on business in Australia with a minimum annual
consolidated revenue of $100m, introduces an annual reporting
requirement involving the provision of a Modern Slavery Statement
to the responsible Minister for publication on an online central
register. This will impact big corporate players in the
TMT space. A Modern Slavery Statement must describe the
entity's structure, operations and supply chains; the potential
modern slavery risks in the entity's operations and supply
chains; actions the entity has taken to assess and address those
risks, including due diligence and remediation processes; and
how the entity assesses the effectiveness of those actions.
"Modern slavery" is defined by reference to the
Criminal Code, the UN Protocol to Prevent, Suppress
and Punish Trafficking in Persons, Especially Women and
Children, and the ILO Convention concerning the
Prohibition and Immediate Action for the Elimination of the Worst
Forms of Child Labour. Essentially, modern slavery
contemplates activity involving sexual servitude, child
exploitation and abuse, forced labour, deceptive recruiting, forced
marriage, trafficking in persons and debt bondage. Meanwhile,
at State level, the Modern Slavery Act 2018 (NSW) was
passed on 21 June 2018 but is yet to come into force – the
New South Wales Act has a lower revenue threshold of $50m and,
unlike its federal counterpart, incorporates significant financial
penalties for non-compliance.
Japan achieves "adequacy" status under GDPR
On 23 January 2019, the European Commission determined that
Japan's data protection framework met the "adequacy"
requirements of the General Data Protection Regulation (GDPR),
meaning that personal data can now flow from the EU to Japan
without further safeguards having to be put in place by the
parties. Article 45 of the GDPR allows the transfer of
personal data to a third country without further authorisation if
the Commission has decided that the country's laws ensure an
"adequate level of protection" for the individual data
subject. The decision was reached after Japan agreed to
implement a number of additional safeguards for EU citizens.
Japan joins Andorra, Argentina, Canada, Faeroe Islands, Guernsey,
Israel, Isle of Man, Jersey, New Zealand, Switzerland, Uruguay and
the United States (in the context of the EU-U.S. Privacy
Shield) on the list of countries recognised as providing
"adequate protection" for GDPR purposes. Australia,
on the other hand, is not well positioned to achieve adequacy
status – in 2001, the EU Article 29 Working Party determined
that Australia's privacy laws were not "adequate" for
the purposes of the GDPR predecessor, EU Directive
95/46/EC, and so long as the small business exemption in
section 6C and the employee record exemption in section 7B(3) of
the Privacy Act 1988 (Cth) remain in place, this is
unlikely to change.
Questions remain over GDPR adequacy status of EU-US Privacy Shield
On 24 January 2019, the European Data Protection Board
("EDPB") announced that due to substantial shortcomings,
the EU-US Privacy Shield risked being struck down by the European
Court of Justice later this year. This announcement came
despite the EU's second "adequacy" review, tabled on
19 December 2018, which overall provided a favourable assessment of
the data transfer arrangement, noting with approval that the US
Department of Commerce had strengthened the certification process
and introduced new oversight procedures and that the US Federal
Trade Commission had recently issued administrative subpoenas to
request information from a number of Privacy Shield
participants. The EDPB nevertheless expressed ongoing
concerns about the "indiscriminate collection and access of
personal data for national security purposes", the inadequate
powers of the Ombudsperson, and an insufficiently robust compliance
verification process. The EU-US Privacy Shield was
implemented in 2016 to provide a mechanism for transferring
personal data from the European Union to the United States –
US companies which voluntarily commit to the 23 Privacy Shield
Principles are deemed to provide "adequate" privacy
protection for EU regulatory purposes despite the lack of national
data protection laws in the US.
Policies, Reports and Enquiries
Privacy review of proposed Consumer Data Right approaches completion
On 18 January 2019, the consultation period on Treasury's
Draft Privacy Impact Assessment: Consumer Data Right came
to an end. The proposed Consumer Data Right (CDR) will
provide individuals and businesses with a right to access data
relating to them held by businesses (for example, raw bank
transaction data), and to authorise secure access to this data by
accredited third parties. The CDR is scheduled to commence in
the banking sector on 1 July 2019, in which context it will be
referred to as "Open Banking". Open Banking will be
phased in over two years, to be followed by a CDR applicable to the
energy and telecommunications sectors. The government
initially committed to the introduction of a CDR on 9 May 2018 in
line with the recommendations of the Review into Open
Banking in Australia. The Draft Privacy Impact
Assessment (PIA) for the CDR was prepared by Treasury in accordance
with the Privacy (Australian Government Agencies –
Governance) APP Code 2017. The Draft PIA is based on the CDR
regulatory framework proposed in the Treasury Laws
Amendment (Consumer Data Right) Bill 2018. It is
anticipated that a revised PIA, incorporating the views of the
public as well as key decisions on the Consumer Data Rules and
standards, will be completed ahead of the Autumn Parliamentary
sitting period.
Quarterly report on notifiable data breaches released by OAIC
On 7 February 2019, the Office of Australian Information
Commissioner (OAIC) published its quarterly report on notifiable
data breaches, covering the period October to December 2018.
The OAIC publishes statistical information each quarter "to
assist entities and the public to understand the operation of the
scheme". The report revealed that between 1 October and
31 December 2018, there were 262 reported data breaches, compared
with 245 in the previous quarter. Of these, 64% (or 168)
related to malicious or criminal attacks, 33% were attributable to
human error and 3% were attributed to system faults. Sixty
percent of the reports involved fewer than 100 individual data
subjects. The top 5 sectors to report were private health
service providers (54 reports), finance (40), legal, accounting and
management services (23), private education providers (21) and
mining and manufacturing (12).
Health Privacy Issues
Privacy risks associated with medical devices
On 20 December 2018, the Australian Department of Health, through
the Therapeutic Goods Administration, issued a consultation paper
which highlighted privacy risks associated with the use of some
medical devices: Medical Device Cyber Security: Draft Guidance
and Information for Consultation. The paper highlighted the
potential for privacy breaches through the disclosure of personal
information in the event of an "adverse medical device cyber
security event" and through injudicious online content sharing
involving public or private product forums for users of digital
health products. The paper urged businesses to address
medical device cyber security in their business plans and urged
healthcare providers to specifically enquire, during the
procurement process for medical devices, as to how data from the
device is logged and stored, whether third party cloud service
providers are used and whether data is stored offshore.
My Health Record opt-out period ends
On 31 January 2018, the My Health Record opt-out period came to an
end. The My Health Record system, established in 2012, is an
electronic summary of an individual's health information which
can be shared online between healthcare providers. Until 31
January, patients had to expressly opt in to be part of the scheme.
The conversion to an opt-out model, announced on 1 June 2017 by the
Department of Health, was intended to boost what had previously
been a disappointingly low level of participation. Persons
not opting out by 31 January 2019 will automatically have an
on-line My Health Record. The opt-out arrangement was
initially due to expire on 15 October 2018 but was extended for a
month pursuant to the My Health Records (National Application)
Amendment (Extension of Opt-out Period) Rules 2018 due to
lobbying from the Australian Medical Association and the Royal
College of General Practitioners which sought more time for
consideration of the implications. The period was then
further extended to 31 January 2019 pursuant to the My Health
Records (National Application) Amendment (Extension of Opt-out
Period No.2) Rules 2018. The Rules were made under
section 109 of the My Health Records Act 2012 and
reflected public concern about the timeframe available to opt out,
the security of online storage and transmission, and the extent of
authorised access. Late changes to the scheme included a
prohibition on access for insurance or employment purposes,
enhanced protection for persons at risk of domestic violence,
restrictions on access by law enforcement and government agencies,
and an express undertaking that the system would not be privatised
or commercialised.