AAT assesses whether data transfer from Europe complies with GDPR
On 12 February 2021, the Administrative Appeals Tribunal addressed the question of whether the provision of personal information to an Australian government agency by Poland's social welfare agency (known by the acronym "ZUS") involved an infringement of the General Data Protection Regulation (GDPR): Imielski v Department of Social Services (Social services second review) AATA 208. The issue arose in the context of an appeal by the applicant against a decision by Centrelink that her disability support pension had been overpaid after taking into account pension payments received from ZUS. One of the grounds of appeal was that the transfer of personal information from Europe did not comply with Article 45(1) of the GDPR which permits the transfer of personal data to a third country which "ensures an adequate level of protection" (which, by virtue of a 2001 decision of the EU's Article 29 Working Party, Australia is deemed not to offer). The applicant's contention on this point was rejected by the Tribunal, which pointed to Article 46(3) which permits the transfer of personal data between public authorities of separate countries. In this regard, the Tribunal concluded that the transfer was authorised by the Agreement between Australia and the Republic of Poland on Social Security, with Senior Member Chris Puplick observing that "the adoption of the Applicant's position would render utterly meaningless the implementation of Australia's suite of international social security agreements with other European Union members".
"Non-binding" company policies may in fact have contractual force
On 19 February 2021, the Australian Capital Territory Court of Appeal rejected an appeal by Hewlett Packard Pty Ltd (HP) against a finding by the primary judge that an employee had been underpaid commissions earned under a sales program: Hewlett Packard Pty Ltd v Subasic  ACTA 3. The respondent's employment contract comprised an Offer Letter and attached General Terms and Conditions. The Offer Letter contained an invitation to participate in a sales program, pursuant to which she could earn incentive payments based on a formula which could be changed from time to time. The respondent elected to participate in the sales program, and contended that HP breached her terms of employment when it subsequently capped the amount of her entitlement under the program. HP countered that the sales program was only a policy, not a term of employment, and as the General Terms and Conditions expressly stated that HP was not bound by its policies, the sales program had no contractual force. The Court of Appeal concluded that an employer could not deprive an employee of employment benefits by incorporating the incentive entitlement into a "company policy" which was expressed to be non-binding. The Court further concluded that the sales plan did not expressly confer a discretion on HP to impose a cap, and there was no implied term to this effect as logically any such discretion would counterintuitively serve as a disincentive for high performers. Furthermore, the express reservation of a right in HP to change the plan from time to time could only have been intended to operate prospectively, not retrospectively.
Template terms may be "unfair"
On 3 March 2021, the Federal Court of Australia rejected an application by Fuji Xerox for a summary dismissal of proceedings instituted by the Australian Competition and Consumer Commission (ACCC) which allege that a number of Fuji Xerox template contracts contain "unfair terms" within the meaning of Part 2-3 of the Australian Consumer Law: Australian Competition and Consumer Commission v Fuji Xerox Australia Pty Ltd FCA 153. The templates related to the supply or lease of office equipment such as printers and copiers, along with ongoing support services. For a term to be declared void for unfairness under Part 2-3, it must be contained in a standard form consumer contract or small business contract. Fuji Xerox contended that the ACCC's case was misconceived because it failed to identify specific customer transactions involving the template terms. Given that section 23(4) of the Australian Consumer Law confines "small business contracts" to businesses employing fewer than 20 persons, section 24 requires a court to consider "relevant" matters and section 27 requires an assessment of the parties' relevant negotiating strengths in determining the existence of a "standard form contract", Fuji Xerox argued that each contract had to be assessed on its merits. Stewart J rejected this contention, citing authorities in support of the conclusion that the declaratory relief being sought was confined to a determination that "the identified terms are unfair terms if they are in small business contracts which are standard form contracts", without there being a need to determine whether any particular contracts were small business contracts or standard form contracts.
Viagogo penalty payment deferred
On 4 March 2021, the Federal Court of Australia granted Viagogo AG a stay of payment of a pecuniary penalty pending the outcome of its appeal against an order of the primary judge on 2 October 2020: Viagogo AG v Australian Competition and Consumer Commission FCA 175. The primary judge had imposed an AU$7m pecuniary penalty on Viagogo arising out of misrepresentations on its website as to the availability and pricing of tickets to events: ACCC v Viagogo AG (No 3) FCA 1423. Viagogo gave notice of appeal on 29 October 2020. Viagogo contended (and the court accepted) that it would be unduly prejudiced if required to pay the penalty prior to the outcome of the appeal, given that the COVID-19 pandemic had been devastating to the live entertainment industry with a "catastrophic effect" on Viagogo's revenue. A requirement to pay the penalty now could result in further staff reductions and/or delay payments to vendors. The court considered that these factors outweighed the concerns raised by the ACCC, namely, that a deferment would undermine the deterrent effect of the penalty and would be contrary to the public interest. Justice Abraham observed that "a business that derives its revenue from ticket sales would obviously be significantly impacted" by Australia's COVID-19 restrictions and, in addressing the ACCC's contention that the penalty could simply be refunded if the appeal were successful, noted that this overlooked the impact on Viagogo's ability to maintain existing staffing levels in the meantime.
Federal Court documents to be served on Facebook overseas
On 18 March 2021, the Federal Court granted the Australian Competition and Consumer Commission leave to serve various court documents overseas on Facebook Inc and two wholly-owned subsidiaries, Onavo Inc and Facebook Israel Inc, after the law firm representing those entities declined to accept service: Australian Competition and Consumer Commission v Facebook, Inc  FCA 244. The ACCC is alleging that the respondents made false, misleading or deceptive representations that a product known as "Onavo Protect" would keep users' personal activity data private, protected and secret, and that such data would not be used for any purpose other than to provide Onavo Protect services. The Court was satisfied that it had jurisdiction to entertain the proceedings as required by Rule 10.43 of the Federal Court Rules, and that the remedies sought by the ACCC satisfied the requirements of Rule 10.42. The Court further accepted that the ACCC had a prima facie case, with Griffiths J noting the summary of the relevant principles provided by Thawley J in the unrelated case of Australian Information Commission v Facebook Inc  FCA 531 at -, a matter which we reported upon in October 2020, and which decided that Facebook "carried on business in Australia".
Penalty for consumer law breaches by telecommunications company
On 26 March 2021, the Federal Court of Australia imposed a $300,000 pecuniary penalty on a telecommunications provider for making false and misleading statements when approaching potential customers by telephone, and for failing to comply with the requirements of the Australian Consumer Law (ACL) relating to consumer agreements negotiated by telephone: Australian Competition and Consumer Commission v Superfone Pty Ltd FCA 278. Section 18 of the ACL prohibits a corporation from engaging in false and misleading conduct, whilst section 29 prohibits specific types of misleading conduct such as misrepresenting an affiliation with another entity. Part 3-2 Div 2 of the ACL imposes certain requirements on the negotiation of unsolicited consumer agreements. The contraventions occurred between June 2017 and December 2018 when Superfone cold-called consumers and signed them up to unsolicited new contracts. The false or misleading representations included a failure to inform consumers that they were entitled to a cooling off period, suggesting that there was a connection between the caller and the customer's existing telecommunications provider, and asserting that a special deal was being offered when in fact the purpose of the call was to entice consumers to purchase the services offered by Superfone. The breaches of Part 3-2 Div 2 included a failure to advise customers of the existence of a ten-day cooling-off period, and a failure to provide a written agreement within 5 days of the initial call.
Digital Platforms Mandatory Bargaining Code legislation passed
On 25 February 2021, the Treasury Laws Amendment (News Media and Digital Platforms Mandatory Bargaining Code) Act 2021 was passed by the Australian Parliament. The Act amends the Competition and Consumer Act 2010 by inserting a new Part IVBA to establish a mandatory code of conduct that applies to news media businesses and digital platform corporations when bargaining in relation to news content made available by digital platform services. The object of the legislation is to address the perceived bargaining power imbalance between digital platforms and Australian news businesses which was identified in the Final Report of the Australian Competition and Consumer Commission's Digital Platforms Inquiry. The Bills Digest published by the Parliamentary Library summarises the key elements of the mandatory code as follows:
- it creates a framework for registered news business corporations and designated digital platform corporations to negotiate in good faith for financial remuneration for the use of, and reproduction of, news content
- where a commercial bargain is negotiated outside of arbitration the parties would not need to comply with the general requirements, bargaining and compulsory arbitration rules
- designated digital platform corporations must provide registered news business corporations with a range of information including advance notification of planned changes to an algorithm that will have a significant effect on referral traffic to, or advertising associated with, covered news content
- where parties cannot come to a negotiated agreement about remuneration an arbitral panel will select between two final offers made by the bargaining parties
- responsible digital platform corporations must not differentiate between the news businesses participating in the Code, or between participants and non-participants, because of matters that arise in relation to their participation or non-participation in the Code
- digital platform corporations may make standard offers to news businesses, which are intended to reduce the time and cost associated with negotiations, particularly for smaller news businesses.
The amendments are expected to encourage news business corporations and digital platform corporations to voluntarily work out the price to be paid to the registered news business for the making available of the registered news business' covered news content by the designated digital platform service. Such bargains are expected to be less onerous and less unpredictable than the alternative.
New market and social research privacy code approved
On 1 March 2021, the Office of the Australian Information Commissioner (OAIC) approved Privacy (Market and Social Research) Code 2021, effective from 22 March 2021. Under Part IIIB of the Privacy Act, the Information Commissioner can approve and register enforceable privacy codes, including those developed by entities on their own initiative. The Privacy (Market and Social Research) Code 2014 was registered under subsection 26B(1) of the Privacy Act on 28 November 2014, and has been binding on members of the Association of Market and Social Research Organisations (AMSRO). The new 2021 Code replaces the 2014 Code and includes requirements for AMSRO members to notify AMSRO (in its capacity as code administrator) of any notifications made to the OAIC under the Notifiable Data Breaches (NDB) scheme contained in Part IIIC of the Privacy Act, and to notify AMSRO of any serious data breach (whether or not an eligible data breach under the NDB scheme) which demonstrates a significant vulnerability of any research organisation in the handling of identifiable research information. AMSRO is required to review the operation of the Code annually, including by seeking feedback from member organisations about issues or concerns they have experienced.
South Australian government authority voluntarily submits to Privacy Act regulation
On 18 March 2021, the Privacy Amendment (Office of the National Rail Safety Regulator) Regulations 2021 came into effect. The Regulation, issued under the Privacy Act 1988, amends the Privacy Regulation 2013 to prescribe the Office of the National Rail Safety Regulator (ONRSR), a South Australian government authority, as an "organisation" which is subject to the Act. South Australia does not have privacy legislation, and the Privacy Act does not extend to the activities of State or Territory government instrumentalities - meaning that, in the absence of the new Regulation, the ONRSR would not be subject to any statutory data protection regime and it would be unable to investigate privacy incidents or provide affected individuals with legally enforceable complaint rights. Section 6F of the Privacy Act, however, allows State and Territory governments to request the Commonwealth to make regulations prescribing a State or Territory government authority or instrumentality as an organisation for the purposes of the Act, and this was the purpose and function of the amendment.
New Spam Regulations issued
On 18 March 2021, the Australian government issued the Spam Regulations 2021. The purpose of the Regulations is to repeal and remake the Spam Regulations 2004 in substance, with only minor changes and additions designed to reflect current drafting practice and to clarify and update conditions to be complied with by an electronic address used to send an unsubscribe message. Specifically, the Regulation excludes faxes from the definition of "commercial electronic message" in section 6 of the Spam Act 2003 on the basis that unsolicited marketing faxes subsequently came to be regulated by the Do Not Call Register Act 2006. The Regulation also specifies a number of conditions to be complied with by an electronic address to which an unsubscribe message may be sent, with the ultimate objective of ensuring that when someone is sent a commercial electronic message they are not required, in order to unsubscribe, to pay abnormal fees or charges, use a high cost premium service or medium, divulge personal information (other than the electronic address to which the commercial electronic message was sent) or log into or create an account.
Online Safety legislation to be upgraded
The Online Safety Bill 2021 (Cth) was tabled in the House of Representatives on 24 February 2021 and passed the House on 16 March 2021. It is currently before the Senate. The Bill introduces a "world-first" adult cyber abuse scheme, giving the eSafety Commissioner power to order the takedown of harmful abuse in cases where the platforms fail to act on a legitimate complaint. The cyber-abuse scheme would apply to "seriously harmful content", being the same standard as in the Criminal Code and a higher standard than applies to the existing law covering cyberbullying of children. In addition, the Bill introduces Basic Online Safety Expectations for digital platforms (which includes mandatory reporting to the Commissioner), strengthened information gathering powers for the Commissioner to identify persons behind anonymous or fake accounts, a rapid website-blocking power for the Commissioner to respond to online crisis events (such as the Christchurch terrorist attacks), and an updated Online Content Scheme involving updated industry codes. Whilst the accompanying Online Safety (Transitional Provisions and Consequential Amendments) Bill 2021 repeals the pre-existing Enhancing Online Safety Act 2015, the new legislation retains certain provisions of the pre-existing Act, such as the Image Based Abuse scheme.
Parliamentary Joint Committee declines to endorse data sharing legislation
We have previously reported on the Data Availability and Transparency Bill 2020 (Cth) which was introduced on 9 December 2020 with the objective of facilitating controlled access to Australian Government data using a flexible principles-based approach to data sharing. The Bill was subsequently referred to the Parliamentary Joint Committee on Human Rights which issued a report on 24 February 2021. The Committee declined to endorse the Bill. It observed that there were significant privacy implications in legislation establishing a framework to override existing laws and facilitate the sharing of, and controlled access to, public sector data held by Commonwealth bodies with accredited entities. Whilst there were obvious benefits in making public sector data more available, the actual objectives of the Bill remained unclear. The Committee did not reach a final position but concluded that "further information is required to assess the human rights implications of this Bill".
ACCC examines Google dominance of default browsers
On 11 March 2021, the Australian Competition and Consumer Commission released an Issues Paper seeking submissions from consumers and industry participants about choice and competition in internet search and web browsers: Digital Platform Services Inquiry - September 2021 Report on market dynamics and consumer choice screens in search services and web browsers: Issues Paper. The Issues Paper seeks to inform a report, to be completed in September 2021, on the competition ramifications of default settings and pre-installation of search services and web browsers. Currently, manufacturers generally supply desktops, tablets and mobiles with a pre-installed operating system, including a specific web browser. Web browsers, in turn, often select a default search service embedded within the browser. The ACCC's Digital Platforms Inquiry Final Report in June 2019, which expressed concern about Google's substantial market power in search services and search advertising, found that Google Search was the default choice on over 95% of mobile devices, influenced in part by substantial payments by Google to Apple for this purpose. One of the recommendations in the report was that "Google should provide Australian users of Android devices with the same options being rolled out to existing Android users in Europe; that is, the ability to choose their default search engine and default internet browser from a number of options", and the purpose of the September 2021 report will be to respond to the government's follow-up request for advice on Google's rollout of choice options on Android devices in Europe after taking into account Australian market conditions.
Mandatory data breach reporting recommended for NSW government agencies
On 26 March 2021, the New South Wales Portfolio Committee 1 - Premier and Finance published a report on cybersecurity incidents and data breaches involving NSW government agencies. Amongst its 12 recommendations was that "the NSW Government urgently establish a mandatory data breach notification scheme applicable to all NSW Government agencies and its contracted service providers". At present, NSW government agencies are required to handle personal information in accordance with the Privacy and Personal Information Protection Act 1998 (NSW), and there is no equivalent in the State legislation to the mandatory data breach notification scheme which applies to the private sector and Commonwealth public sector agencies under Part IIIC of the Privacy Act 1988 (Cth). The Committee considered that a mandatory reporting scheme would "support principles of transparency and accountability" and would "facilitate a greater sharing of information regarding attacks". The committee recommended that a mandatory reporting scheme be "prioritised without further delay".
Government re-releases policies on handling health information