Privacy policy not sufficient to infer consent

On 25 November 2020, the Privacy Commissioner determined that Flight Centre had interfered with the privacy of almost 7,000 customers by disclosing their personal information to third parties without consent: Flight Centre Travel Group (Privacy) [2020] AICmr 57. The incident arose out of a "design jam" which brought together 16 teams to create technological solutions for travel agents, using a dataset which inadvertently included customers' personal information. The Commissioner ruled that the incident constituted a breach of Australian Privacy Principles 1.2 (by failing to take reasonable steps to implement practices, procedures and systems to ensure compliance with the APPs), 6.1 (by disclosing individuals' personal information to third parties without consent) and 11.1 (by failing to take reasonable steps to protect the individuals' personal information from misuse and loss and from unauthorised access, modification or disclosure). Significantly, the Commissioner rejected an argument by Flight Centre that individuals had provided express or implied consent on the basis that the Flight Centre privacy policy stated that "you consent to us [using your personal information for the purpose of] developing, improving and marketing our products and services and those of our related entities". The Commissioner considered that consent could not be inferred "simply because [a company] provided an individual with a policy or notice of a proposed collection, use or disclosure", noting in this regard that the policy "was not sufficiently specific, and bundled together different uses and disclosures of personal information".

"Sign-in wrap" contract comes before the Federal Court

On 22 December 2020, the Federal Court of Australia handed down a judgement which provides some insight into issues surrounding the enforceability and effect of "internet contracts": Dialogue Consulting Pty Ltd v Instagram, Inc [2020] FCA 1846. Dialogue is alleging that Instagram has breached its Terms of Use by excluding Dialogue from access to its platform. Instagram, which alleges that Dialogue was engaged in unauthorised data "scraping", was seeking a stay of proceedings under section 7(2) of the International Arbitration Act 1974 (Cth) on the grounds that the Terms of Use required disputes to be submitted to arbitration. Beach J rejected Dialogue's arguments that the online terms had not been accepted or, if accepted, that the arbitration clause was an unfair term as defined in section 24 of the Australian Consumer Law or alternatively constituted unconscionable conduct as defined in section 21. Applying US law, Beach J nevertheless held that Instagram had waived its right to invoke the arbitration clause, noting that the respondent had chosen at the inception of the proceedings not to plead or rely upon the arbitration term, and this was indicative of a deliberate or intentional waiver of the contractual right. Perhaps the most significant aspect of the judgement was the court's analysis of US cases dealing with online contracts, even though the question of enforceability was determined under Australian law - his honour noted the terminology "clickwrap", "browsewrap" and "sign-in wrap", and concluded that the Instagram Terms of Use fell into the latter category.


"Data disruption warrants" to be introduced

In December 2020, the Surveillance Legislation Amendment (Identify and Disrupt) Bill 2020 was introduced into the House of Representatives. The Bill amends the Surveillance Devices Act 2004 and Telecommunications (Interception and Access) Act 1979 to introduce data disruption warrants to enable the Australian Federal Police and the Australian Criminal Intelligence Commission to disrupt data by modifying, adding, copying or deleting data in order to frustrate the commission of serious offences online. The legislation also amends the Surveillance Devices Act and the Crimes Act 1914 to introduce network activity warrants to enable the collection of on-line information regarding criminal activity. The Bill was referred to the Parliamentary Joint Committee on Intelligence and Security, the Senate Standing Committee for the Scrutiny of Bills and the Parliamentary Joint Committee on Human Rights, and a number of changes have been recommended.

Intelligence legislation expands powers of the Inspector-General of Intelligence and Security

On 9 December 2020, the Australian government tabled the Intelligence Oversight and Other Legislation Amendment (Integrity Measures) Bill 2020, essentially for the purpose of extending the jurisdiction of the Inspector-General of Intelligence and Security (IGIS) to include the intelligence functions of the Australian Criminal Intelligence Commission (ACIC) and the Australian Transaction Reports and Analysis Centre (AUSTRAC). Significantly, aspects of the IGIS's expanded powers will impact the default rights of individuals under the Privacy Act 1988, as agencies (specifically AUSTRAC) would be permitted to share personal information with the IGIS, and the IGIS would have the ability to transfer information to other integrity bodies. According to the Explanatory Memorandum, the rights of individuals are nevertheless protected, to the extent practical, by implementing a range of safeguards relating to the handling of complaints about actions taken by intelligence agencies. The legislation was referred for consideration by the Senate Standing Committee for the Scrutiny of Bills.

Privacy Act amendments permit disclosure of financial hardship information

On 3 February 2021, the National Consumer Credit Protection Amendment (Mandatory Credit Reporting and Other Measures) Bill 2019 was passed by the Australian parliament. In addition to amending the National Consumer Credit Protection Act 2009, the legislation amends the Privacy Act 1988 to permit credit providers to disclose financial hardship information subject to certain constraints. From 1 July 2022, "credit information" will include financial hardship information, meaning that credit reporting bodies will be permitted to use, disclose and retain financial hardship financial hardship information. To protect data subjects, the amended section 20E of the Privacy Act stipulates that credit reporting information that is or was derived from financial hardship information about an individual must not be disclosed by a credit reporting body for debt collection purposes, whilst the amended section 20R requires that if a consumer requests credit reporting information, a credit reporting body must provide the body's credit score scale, the consumer's rating on the credit score scale, the credit information that was used by the body to generate the consumer's rating on the credit score scale, and the relative importance or weighting of that credit information.


ACCC releases interim report on digital advertising services inquiry

The ACCC is currently reviewing the market for digital advertising services in Australia. It recently released an interim report which outlines numerous concerns of publishers, advertisers, industry groups, academics and "ad tech" providers, in relation to competition and transparency issues in this market, due in part to the market's complexity, Google's dominant position, and the consequences of individual privacy protections which limit data sharing and reporting. The report suggests the various issues need to be addressed to ensure advertisers do not pay too much for advertising goods and services online (to avoid higher advertising costs being passed onto consumers) whilst at the same time ensuring publishers receive adequate advertising revenue (to maintain the quality and variety of online content). The ACCC's key interim proposals include measures to increase data portability and interoperability to reduce barriers to entry and rules to address conflicts of interest (such as rules against "self-preferencing" and obligations to act in the best interests of publishers and advertising customers), as well as measures to improve transparency in the "supply chain" of these services, including by implementing a system of allocating a single identifier for each "transaction" in the digital advertising services supply chain for tracing purposes. The interim report also suggests the industry should develop and implement a standard to enable advertisers to assess relevant services more fully and independently and to encourage more competition. Submissions on the report may be submitted until 26 February 2021. The ACCC's final report is due to be delivered to the Treasurer by 31 August 2021.

Originally published 16 February 2021

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.