Use of facial technology can be a privacy breach

On 12 October 2021, the Privacy Commissioner determined that convenience store 7-Eleven interfered with customers' privacy through the use of facial recognition technology without consent: 7-Eleven Stores Pty Ltd [2021] AICmr 50. The issue arose out of the deployment of facial recognition technology over a 2-month period in 2020 as part of a customer feedback mechanism. Customers were invited to complete a voluntary survey on a tablet about their in-store experience. Individual customers were identified through the generation of encrypted algorithmic representations of their faces, or "faceprints". The purpose of capturing faceprints and thereby identifying specific individuals was to eliminate persons who distorted the survey by providing multiple responses, and also to gain an understanding of customer demographics. The Commissioner determined that the facial images constituted "personal information" and, being biometric, also constituted "sensitive information" which had been collected without express or implied consent. Accordingly, the collection amounted to a breach of Australian Privacy Principle 3.3, and the respondent's store notices and privacy policy contained insufficient information to amount to a notification of collection for the purposes of APP 5. The Commissioner ordered that all faceprints collected through the customer feedback mechanism be destroyed. A detailed analysis of the decision by Dr Gordon Hughes appears on our website.

Scraping biometric information from public sources can be a privacy breach

On 14 October 2021, the Privacy Commissioner determined that Clearview AI Inc infringed the Australian Privacy Principles (APPs) by scraping individuals' biometric information from the internet and disclosing it through a facial recognition tool: Commissioner-initiated investigation into Clearview AI Inc. (Privacy) [2021] AICmr 54. The Determination followed a joint investigation conducted between the Office of the Australian Information Commissioner and the UK Information Commissioner. Clearview created a database of images, and licensed a facial recognition tool to law enforcement agencies whereby the agency could upload a digital image of an individual's face and run a search against the respondent's database. By collecting sensitive information (that is, biometric information) from public sources without adequate consent, failing to notify the data subjects of the collection and failing to ensure that the personal information was kept up to date, as well as by failing to take reasonable steps to implement appropriate systems to ensure compliance with the APPs, Clearview was found to have breached APPs 1.2, 3.3, 3.4, 3.5, 5 and 10.2. The Commissioner ordered that all scraped images collected from individuals in Australia be destroyed, adding that de-identification did not appear to be a viable step for the respondent to take to ensure compliance with the APPs.

Instagram and Facebook fail in bid to vary injunction

On 27 October 2021, Beach J in the Federal Court refused an application by Instagram and Facebook to vary the terms of an injunction granted in May 2019: Dialogue Consulting Pty Ltd v Instagram, Inc (No 2) [2021] FCA 1322. As we have previously reported, Dialogue is alleging that Instagram has breached its Terms of Use by excluding Dialogue from access to its platform, whilst Instagram counters that Dialogue has been engaged in unauthorised data "scraping". In 2019, His Honour granted an interim injunction restraining the respondents from taking any steps to terminate or suspend the access of Dialogue to the platform. Instagram sought a variation on the grounds that there had been a material change in circumstances, essentially arising from the need to comply with a permanent injunction which was made against Facebook in the United States requiring Facebook to implement a privacy program involving internal safeguards and which would necessitate entities such as Dialogue completing an annual self-certification. It was argued that if Dialogue failed to complete the self-certification, its access would have to be terminated. Beach J rejected the contention that the variation was necessary to protect the confidential information and data of Dialogue's business customers, describing the purported justification for the variation as "flimsy and possibly strategic". His Honour agreed there had been a "material change in circumstances", but not a change which warranted the variation sought, concluding that "the interests of justice rather support maintaining the status quo as between Dialogue and its customers on the one hand and the respondents on the other hand".

New test for patentability of software inventions

On 19 November 2021, the Full Federal Court found that an electronic gaming machine (EGM) was ineligible for patent protection and, in doing so, reframed the test for patent eligibility of software inventions: Commissioner of Patents v Aristocrat Technologies Australia Pty Ltd [2021] FCAFC 202. In the previous decision (also reported on by DCC, in June 2020), primary judge Burley J explained that the test for eligibility, defined by the phrase "manner of manufacture", should be approached using a two-stage enquiry for patentability. Majority judges Middleton and Perram JJ considered that Burley J's initial enquiry was incorrect, instead posing two questions for determining relevant patentable subject matter:

  • Is the invention claimed a computer-implemented invention?
  • If so, can the invention claimed broadly be described as an advance in computer technology?

The majority judges struggled to characterise EGMs as anything other than a computer, and Nicholas J opined, in separate reasons to the majority, that whether an invention results in an advance in computer technology may depend on problems which may arise with respect to how computing technology has been implemented in different fields. The majority judges held that although elements of the game "may constitute advances in gaming technology", they were "not advances in computer technology". Ultimately, all three judges agreed that the proceedings should be remitted back to the primary judge for reconsideration. A more detailed analysis of the decision appears in an article by Dr Sam Mickan and Isaac Tan on our website.

New Legislation & Guidelines

Private member's bill seeks to restrain political "spam"

On 20 October 2021, a private member's bill was tabled in the Senate by South Australian Senator Stirling Griff which sought to regulate unsolicited electronic and telephone communications from political parties. The Spam Amendment (Unsolicited Political Communications) Bill 2021 would amend Schedule 1 to the Spam Act 2003 pursuant to which political communications are classified as "designated commercial electronic messages" exempt from the regulations otherwise applied to SMS and email advertising. Specifically, the amendment would require political parties to provide an unsubscribe function for all unsolicited electronic communications, including SMS communications, containing electoral content that aims to influence the way electors vote in a federal election. The Bill was said to be a response to concerns that at present there is no avenue for voters to avoid unwanted unsolicited texts from political parties, independents and candidates which in recent times have "prompted hundreds of complaints to the Australian Communications and Media Authority".

Exposure draft of social media legislation released

On 25 October 2021, the Commonwealth government released an Exposure Draft of legislation to introduce a binding online privacy code for social media and certain other online platforms, to be co-developed by the Australian Information Commissioner and industry. The Privacy Legislation Amendment (Enhancing Online Privacy and Other Measures) Bill 2021 (Cth) was opened for 6-week public consultation and feedback. Online platforms subject to the code would need to comply with strict new privacy requirements, including stronger protections for children on social media. The Attorney-General stated that under the code, "social media platforms will be required to take all reasonable steps to verify their users' age, and give primary consideration to the best interests of the child when handling children's personal information". The code would also require platforms to obtain parental consent for users under the age of 16.

Greens' Bill would regulate the use of COVID-19 check-in data

On 25 October 2021, the Australian Greens Party introduced a Bill in the House of Representatives which would limit the use of COVID-19 check-in data for law enforcement purposes unrelated to the pandemic. The Privacy (COVID Check-in Data) Bill 2021 would introduce a ban on using COVID-19 check-in data for enforcement-related activities by preventing Commonwealth, State or Territory authorities from using or providing COVID-19 check-in data for law enforcement purposes. Introducing the Bill, Adam Bandt MP asserted that "the Commonwealth Parliament should support effective contact tracing and encourage the use of check-in systems" and lamented what he observed to be an inconsistent approach across Australian jurisdictions in relation to the accessing of check-in data, with some jurisdictions permitting it under warrant and some prohibiting it. The main purpose of the Bill was, he said, "to support the effective management and control of COVID in Australia by providing stronger privacy protections for COVID check-in data to encourage public acceptance and use of COVID check-in apps and enable faster and more effective contact tracing".

Private member's bill targets social media providers

On 25 October 2021, the National Party's Anne Webster MP introduced a private member's bill in the House of Representatives which seeks to make social media service providers liable for defamatory material hosted on their platforms if not removed within a reasonable timeframe. The Social Media (Basic Expectations and Defamation) Bill 2021 would give the Minister power to make determinations about the "basic expectations" of a social media service, having regard to "the importance of social media services, the value of truth and free debate, the harmfulness of defamation, and the importance of preventing social media services from being used to facilitate unlawful conduct". The eSafety Commissioner would be given the power to require a service provider to prepare reports about the extent to which the provider complied with or contravened the basic expectations as set out by the Minister's determination, with penalties applicable in the event the provider failed to comply. Members of the public could complain to the Commissioner if they had reason to believe that they were being defamed by material posted on a social media service, and following investigation the Commissioner could issue a "defamation notice" requiring removal of the material within 48 hours, failing which the provider would become liable for the defamatory content.

NSW legislation will regulate the use of COVID-19 data

On 9 November 2021, legislation was tabled in the New South Wales parliament with the objective of regulating the manner in which COVID-19 information is handled following collection from members of the public. The Service NSW (One-stop Access to Government Services) Amendment (COVID-19 Information Privacy) Bill 2021 has the stated objective of providing "additional safeguards on certain information collected during the COVID-19 pandemic". Specifically, the Bill notes that the collection of information about the location or movement of people during the COVID-19 pandemic plays a vital role in protecting people from serious illness and death and that people are generally compelled to provide information which they are entitled to expect will only be used for the purpose of protecting them from the pandemic. Inappropriate use or disclosure of the information "may increase the circumstances in which information is not provided and consequently increase the risk of serious illness or death". The Bill expressly prohibits the use of such information for purposes other than those for which it is collected, including contact tracing. The NSW Privacy Commissioner welcomed the legislation, noting that it would "assist in supporting the continued acceptance by the community of public health requirements for the collection of personal and health information for contact tracing purposes and promote public trust in these requirements". The Bill subsequently passed both Houses and came into effect on 29 November 2021.

CDR Amendment Rules issued in relation to energy sector

On 12 November 2021, the Competition and Consumer (Consumer Data Right) Amendment Rules (No. 2) 2021 were issued by the Minister for Superannuation, Financial Services and the Digital Economy. An earlier article on our website by Dr Gordon Hughes explains the background to the Consumer Data Right, whereby amendments to the Competition and Consumer Act 2010 introduced a mechanism for enabling individual and business consumers to access information about themselves and about their service providers' products, and to direct their existing service provider to share that information with other service providers. The article also explained how the energy market would be targeted after the scheme was rolled out to the banking sector. The Amendment Rules, made pursuant to section 56BA of the Competition and Consumer Act 2010, amend the Competition and Consumer (Consumer Data Right) Rules 2020 to give effect to the Government's intention to implement the CDR in the energy sector. The 2020 Rules specified the energy data holders and data sets to which the Consumer Data Right (CDR) applied, and covered consumer data sets relating to the sale or supply of electricity, including where electricity is bundled with gas. The Amendment Rules establish a peer-to-peer data access model for the energy sector (Schedule 1), make energy sector specific rules (Schedule 2) and introduce various minor amendments to remove anomalies and ensure the CDR Rules operate as intended (Schedule 3).

Telecommunications companies to have greater powers to intercept malicious SMS messages

On 25 November 2021, the Minister for Home Affairs issued the Telecommunications (Interception and Access) Amendment (2021 Measures No. 1) Regulations 2021. The Regulations, made under the Telecommunications (Interception and Access) Act 1979, specify matters which a court must take into account in determining whether to authorise the identification and blocking of malicious SMS messages. Sections 7 and 108 of the Act allow carriers to intercept or access communications in limited circumstances. The Explanatory Statement accompanying the Regulations asserts that the increased volume of harmful text messages sent by malicious actors is having an adverse impact on the effective running of telecommunications systems, as well as undermining their integrity. Subsection 10A(3) of the Regulations states that a court is to have regard to such matters as the impact of malicious SMS messages on the operation and maintenance of telecommunications systems; the extent to which interception by a telecommunications employee is necessary to address the issue; general community expectations; the potential financial or psychological harm which could be caused by malicious messages; and, by way of balance, any potential impact on the privacy of users.

Draft Anti-Troll Bill released for comment

On 28 November 2021, the Prime Minister announced a "world-leading" move to combat online trolls through the introduction of "new court powers to force global media giants to unmask anonymous online trolls and better protect Australians online". The draft Social Media (Anti-Trolling) Bill 2021 (the "Anti-Troll Bill") was released on 1 December 2021, with the accompanying Explanatory Paper stating that the legislation was intended to address the implications of the decision of the High Court in Fairfax Media Publications Pty Ltd v Voller. We have previously commented on the Voller decision which held that media companies could be liable as "publishers" of defamatory comments made on their Facebook pages by third parties, a decision with potential implications for all account holders. The Anti-Troll Bill has a number of functions: (1) an Australian account holder will not be liable as a publisher of defamatory comments made by a third-party commenter in Australia; (2) a social media platform will be regarded as the "publisher" of such a comment, and cannot rely on section 235 of the Online Safety Act 2021 (Cth) or the innocent dissemination defence if it is sued for defamation over the comment; (3) the platform will have a defence, however, if it has implemented a complaints scheme that meets prescribed requirements; (4) under the complaints scheme, the platform must notify the commenter within 72 hours of receipt of a complaint, and may remove the comment with the consent of the commenter; (5) if the complainant is dissatisfied with this outcome, it may request the platform to provide the contact details of the commenter, subject to consent from the commenter for it to do so; and (6) if all this fails, the scheme provides a mechanism for a complainant to seek a Court order requiring disclosure of identifying information and/or location of the commenter (described further below).
For a critique of the draft legislation, see the article by Suzy Roessel and Gordon Hughes on our website.

Policies, Reports & Enquiries

Another privacy review

On 25 October 2021, the Commonwealth government released a discussion paper dealing with a range of issues arising out of the Digital Platforms Inquiry. Simply titled Privacy Act Review: Discussion Paper, the stated objective of the review is to "consider whether the scope of the Privacy Act 1988 and its enforcement mechanisms remain fit for purpose". The initiative is part of the government's follow-up to its initial response to the ACCC's Digital Platforms Inquiry, pursuant to which the government undertook to review the Privacy Act. Numerous familiar and contentious issues are likely to be reviewed and assessed, including the definition of "personal information", the current exemptions from the Act, cross-border data flow regulation, the "right to be forgotten" and, not for the first time, whether a statutory tort for serious invasion of privacy should be introduced. This is the second of two papers seeking public input, putting forward possible solutions based on previous submissions.

Technology Supply Chain Principles proposed by federal government

On 14 November 2021, the Minister for Home Affairs released draft Critical Technology Supply Chain Principles, and is seeking public feedback. The ten voluntary principles are grouped under three pillars: security-by-design; transparency of technology; and autonomy and integrity, with the ultimate objective of giving businesses and consumers "the confidence to take up, invest in, and further develop critical emerging technologies – such as artificial intelligence, quantum computing, blockchain, and algorithmic automation". The three pillars, underpinning the 10 principles, emphasise that security "should be a core component of critical technologies", that transparency of supply chains is "critical both from a business perspective and a national security perspective", and that it is "fundamental" to know whether suppliers are acting autonomously. Businesses are urged to build strategic partnering relationships with critical suppliers.

CDR to be extended to telecommunications sector

On 20 November 2021, Treasury issued a Final Report which recommended that the telecommunications sector be designated for the Consumer Data Right (CDR): Consumer Data Right: Telecommunications Sectoral Assessment. The CDR, which was introduced in 2017, was always intended to apply initially to the banking, energy and telecommunications sectors. Having already been introduced into the banking sector and being in the throes of implementation in the energy sector, the Government announced in May 2021 that Treasury would conduct a sectoral assessment to consider whether to now extend the CDR to the telecommunications sector. Treasury's Report noted that there would be a range of benefits to individual and business consumers, accompanied by general public interest benefits, arising from designation of the telecommunications sector. In particular, Accredited Data Recipients could use information elicited through the CDR to "find the most suitable product for consumers in a timely manner, better monitor usage, and facilitate engagement in the telecommunications market, thereby improving market efficiency". There would be particular benefits to small business consumers and vulnerable consumers who lacked the time or resources to engage meaningfully in the market. The Report recommended that the designation include generic and publicly available product data, product data that relates to particular consumer products, and basic consumer and account data such as data available on invoices or through online accounts or mobile apps. For more detailed background on the CDR, see an earlier article on our website by Dr Gordon Hughes.

Credit Reporting Code to be reviewed

On 7 December 2021, the Australian Information and Privacy Commissioner announced the commencement of a review of the Privacy (Credit Reporting) Code 2014. Under the terms of the existing Code, a review is to be conducted every 4 years, and the last review took place in 2017. The Commissioner has released a Consultation Paper which is "aimed at eliciting feedback on the CR Code to find out what is working well and what can be improved". The Code supplements the provisions contained in Part IIIA of the Privacy Act 1988 and the Privacy Regulation 2013 in relation to the handling of personal information about individuals' activities in relation to consumer credit. It elaborates upon a variety of obligations, ranging from credit reporting system arrangements to the handling of different types of credit information to detailed audit functions necessary to ensure compliance with the legislation. A breach of the Code is a breach of the Privacy Act. The Consultation Paper raises 32 specific questions for public comment, including whether any provisions of the Code are no longer fit for purpose; whether the Code strikes an appropriate balance between the protection of privacy on the one hand and use of credit-related personal information on the other; and whether various specified provisions remain useful in their current form or require amendment.

Reform of electronic surveillance laws on the cards

On 6 December 2021, the Department of Home Affairs released a discussion paper outlining the Government's commitment to develop a new modernised and streamlined electronic surveillance legislative framework by 2023. The proposed reforms aim to repeal the Telecommunications (Interception and Access) Act 1979 (Cth), Surveillance Devices Act 2004 (Cth) and relevant parts of the Australian Security Intelligence Organisation Act 1979 (Cth) and replace the existing patchwork framework with a single piece of legislation. The proposal follows on the back of the Comprehensive Review of the Legal Framework of the National Intelligence Community (Comprehensive Review) in which Mr Dennis Richardson AC found the current laws to be complex, inconsistent and outdated, putting at risk the effectiveness of agencies in investigating and responding to serious criminality and threats to national security. The discussion paper sets out 37 questions on which the Government is seeking views of industry stakeholders and the public. The closing date for submissions to the discussion paper is 5.00pm AEDT on 11 February 2022.

Health Privacy Issues

Vaccination status record is a "health record"

On 15 October 2021, the Chief Health Officer of the Australian Capital Territory issued a health direction regarding access to aged care facilities: Public Health (Aged Care Workers and Visitors COVID-19 Vaccination) Emergency Direction 2021. The Direction included a requirement for operators of residential aged care facilities to take all reasonable steps to collect and maintain a record of the vaccination status of each worker at their facility. The Direction noted that a record of vaccination status is a "health record" for the purposes of the Health Records (Privacy and Access) Act 1997 (ACT). The ACT, like Victoria and New South Wales but unlike other Australian jurisdictions, has health records legislation which imposes privacy constraints on the handling of health records, operating in parallel with prevailing federal, State or Territory data protection legislation (as applicable). The Direction helps remove any doubt as to the regulation of vaccine status information – in the ACT at least, a facility operator will have obligations under the Health Records (Privacy and Access) Act in relation to the record, including collection, storage, use, access, and disclosure of the vaccine record.

Information collected by a doctor about a third party may be "health information"

On 18 October 2021, the Victorian Civil and Administrative Tribunal (VCAT) considered the scope of the definition of "health information" under the Health Records Act 2001 (Vic): GKU v Rowland [2021] VCAT 1187. The respondent medical practitioner provided a letter to a patient, for use in connection with family law and custody proceedings, in which he stated that the approach of the patient's husband to the proceedings "would seem vexatious". The husband alleged that this implied that he had a mental health condition commonly found in vexatious litigants. The Tribunal rejected the husband's contention that this information constituted "health information" as defined in paragraph (a)(i) of the definition in the Act, namely "the physical, mental or psychological health... of an individual", as the expression used by the practitioner was simply his opinion about the conduct of the husband and not an opinion about his mental health. However, the expression did fall within the definition in paragraph (b), being "other personal information collected...in providing...a health service" – although the health service was being provided to the wife, not the husband, the language of the definition did not appear "to restrict or limit the protections of the Act to the collection of health information by or for a party that is the recipient of a health service". The Tribunal found that the doctor had breached HPP 2.2 by disclosing health information for a purpose unrelated to the primary purpose of collection, but declined to take further action.
