Carriage service providers ordered to disable access by unidentified hacker
On 25 March 2021, the Federal Court of Australia made an order under section 115A of the Copyright Act 1968 requiring the respondent carriage service providers to take steps to disable access to online locations outside Australia: Gardner Industries Pty Ltd as trustee for the S M Gardner Family Trust v Telstra Corporation Limited  FCA 294. Section 115A(1) provides that the owner of a copyright may apply for an injunction requiring a carriage service provider to disable access to an online location outside Australia which infringes, or has the primary purpose of infringing, copyright (whether or not in Australia). The applicant had become aware that its website had been interrogated, or "hacked", in 2018, and issued a "takedown notice" without result. One problem was that the identity of each target online location was hidden by a domain registrant. Greenwood J found that the Target Online Locations, which were located outside Australia, had the primary effect of infringing or facilitating an infringement of the applicant's copyright and that the applicant had made reasonable efforts to identify the operators. The carriage service providers subject to the order were Telstra, Optus, Vocus, TPG and Vodafone.
Victorian Court of Appeal considers definition of "personal information"
On 12 May 2021, the Victorian Court of Appeal followed the reasoning of the Federal Court decision of Privacy Commissioner v Telstra Corporation Ltd in determining that a witness statement did not constitute "personal information" for the purposes of the Privacy and Data Protection Act 2014 (Vic): Tucker v State of Victoria  VSCA 120. Although the Telstra decision involved the Commonwealth legislation in which the definition is expressed in different terms, both definitions require that the information must not only identify an individual but be "about" that individual. The issue in Tucker – a case which involved a workplace dispute – was whether information given to an investigator about a work colleague constituted personal information about the witness which would entitle the employer to redact the evidence on "privacy grounds". The court concluded that "where a witness gives evidence to an investigator about what he or she heard or observed a work colleague say or do, neither the identity of the witness nor his or her evidence is 'about' the witness", and hence the redaction was inappropriate. The court added that "employers must avoid being over-zealous in invoking privacy as a basis for withholding relevant information from an employee who is the subject of serious allegations" as this could result in a denial of procedural fairness.
Heavy penalty for Telstra's "unconscionable conduct"
On 13 May 2021, the Federal Court of Australia ordered Telstra to pay $50m in penalties for engaging in unconscionable conduct by selling mobile contracts to more than 100 Indigenous consumers across three states and territories: Australian Competition and Consumer Commission v Telstra Corporation Limited  FCA 502. In a statement of agreed facts and submissions, it was acknowledged that sales staff at five licensed Telstra-branded stores – located at Alice Springs, Casuarina and Palmerston (NT), Arndale (SA), and Broome (WA) – signed up 108 Indigenous consumers to multiple post-paid mobile contracts which they did not understand and could not afford. Telstra's conduct infringed section 21 of the Australian Consumer Law which provides that a person must not, when supplying goods or services, "engage in conduct that is, in all the circumstances, unconscionable". In determining an appropriate penalty, Her Honour took into account Telstra's enforceable undertaking, its corrective and remediation action, its public apology and its high level of cooperation in the proceedings but nevertheless concluded that a "significant penalty is necessary to send a strong and clear message to all those who might be tempted to take advantage of vulnerable consumers in similar ways".
Federal Court imposes penalties on NBN service providers
On 1 June 2021, the Federal Court imposed pecuniary penalties of $1,500,000 and $1,000,000 respectively on two residential NBN broadband services providers in respect of misleading statements on their websites regarding typical internet evening download speeds: Australian Competition and Consumer Commission v Dodo Services Pty Ltd  FCA 589. In each case, it was found that the service providers (Dodo and iPrimus) had contravened section 29(1)(b) and (g) and section 34 of the Australian Consumer Law. At the heart of the matter were guidelines published in August 2017 by the ACCC on broadband speed claims, including a suggested methodology for identifying internet speeds during typical busy periods. Both respondents admitted that their representations were not supported by that methodology. In determining an appropriate penalty, Murphy J emphasised that the principal object was deterrence, although the penalty should not be so high as to be oppressive. His Honour noted that both companies had stood to benefit from customers choosing their purchase plans over their competitors, and each company had previously provided an enforceable undertaking which had clearly proved to be insufficient. He considered that "the proposed penalties are likely to be sufficient to provide a sufficient sting or burden for the respondents", and were "unlikely to be seen as merely a cost of doing business". In resisting the application of a higher penalty, His Honour took account of the fact that there was no evidence that consumers did not receive the represented internet connection speeds and no evidence that they suffered any loss.
Vague software development contract wording causes problems
On 9 June 2021, the Victorian Civil and Administrative Appeals Tribunal (VCAT) dismissed a claim for breach of contract brought by a business against a software developer in a case which emphasised the importance of precise drafting of an IT contract: Macmillan v Industry Code Pty Ltd (Civil Claims)  VCAT 592. The applicant asserted that the respondent developer failed to complete computer code on time, even though the software was eventually supplied. The principal source of dispute was whether the loosely-worded arrangement contained a deadline for completion of the development or whether the time frame was an estimate only. The Tribunal concluded that on a plain reading of the contract, there was no specific term requiring the respondent to deliver the software within a particular period. Rather, the evidence was clear that the respondent had at all relevant times referred only to an "estimated" time of 15 days for completion. The Tribunal noted that not only was this an estimate, it was of uncertain duration, because it was "difficult to even say whether that would mean 15 calendar days, or three weeks (21 days in total, given the exclusion of weekends)". As a consequence of this finding, the Tribunal also rejected the applicant's submission that the applicant had made a false or misleading representation as to the existence of a warranty in breach of section 29(1)(m) of the Australian Consumer Law (ACL), that the contract's exemption clause was void as an unfair term under section 23 of the ACL or that there had been a failure to comply with a consumer guarantee arising under Part 3-3 of the ACL in respect of the services.
Mosaic Brands loses procedural point in spam case
On 21 June 2021, the Federal Court of Australia dismissed an application to invalidate a notice issued by the Australian Communications and Media Authority (ACMA) seeking the production of documents relevant to alleged infringements of the Spam Act 2003 (Cth): Mosaic Brands Ltd v Australian Communications and Media Authority  FCA 669. The notice was issued by ACMA under s 522 of the Telecommunications Act 1997 (Cth) following complaints that Mosaic may have sent commercial electronic messages which failed to comply with the requirements of sections 16 and 18 of the Spam Act. Mosaic objected that the notice was too broad and too vague as to the documents being sought. It successfully contended that ACMA's power to issue notices under s 522 of the Telecommunications Act was subject to an "entitlement disclosure condition", meaning that the notice must specify with reasonable clarity that the information required to be given and/or the documents required to be produced relate to the performance of one or more of the ACMA's telecommunications functions or the exercise of one or more of those powers. Her Honour rejected Mosaic's contention, however, that the notice failed to satisfy this condition, noting that if "read in context and in a fair, non-technical manner... the Notice makes it tolerably clear what documents and information were required and why the ACMA was entitled to require their production".
New Legislation & Guidelines
New federal data matching rules published
On 8 June 2021, the Australian Information Commissioner released the new Data-matching Program (Assistance and Tax) Rules 2021 issued under section 12 of the Data-matching Program (Assistance and Tax) Act 1990 (Cth). By way of background, government agencies seeking to carry out data-matching activities involving the use of tax file numbers must comply with the Act. The purpose of such data-matching activities is largely focussed on assisting four government agencies (the Department of Education, Skills and Training, the Department of Social Services, the Department of Veterans' Affairs, and Services Australia) to detect incorrect or inconsistent payments. To date, the Act has been supplemented by statutory guidelines in the form of the Guidelines for the Conduct of the Data-Matching Program, a breach of which constitutes an infringement of privacy under s 13 of the Privacy Act 1988 (Cth). The current Guidelines are due to sunset on 1 October 2021, and are to be remade into the Rules without significant amendment. According to the Information Commissioner, "the impact of the Rules is to impose additional procedural and reporting obligations upon regulated agencies who conduct regulated data matching activities".
Ransomware payments legislation tabled by Opposition
On 21 June 2021, the Ransomware Payments Bill 2021 (Cth) was introduced in the House of Representatives by the Australian Labor Party. The Bill was tabled by the Shadow Assistant Minister for Communications and Cybersecurity, Tim Watts MP, and realistically is unlikely to be passed. Nevertheless it raises a number of interesting concepts, and seeks to address the problem that a majority of businesses are reluctant to report that they have been the target of a ransomware attack. The Bill seeks to establish a mandatory reporting requirement for Commonwealth entities, State and Territory agencies, corporations and partnerships which make ransomware payments in response to a ransomware attack. Entities which make a payment would be required to notify the Australian Cyber Security Centre (which is part of the Australian Signals Directorate) of key details of the attack, the attacker and the payment, with a view to such information being shared in de-identified form with the private sector, assisting law enforcement and informing policy responses.
Western Australia to participate in national identity matching scheme
On 22 June 2021, the Western Australian government introduced the Transport Legislation Amendment (Identity Matching Services) Bill 2021. The purpose of the legislation is to allow the disclosure of photographs from Western Australian driver's licences, learner's permits and photo cards to the National Driver Licence Facial Recognition Solution. The initiative is consistent with the objectives of the Intergovernmental Agreement on Identity Matching Services (IGA) signed by the State Premier at the special Council of Australian Governments (COAG) meeting on counter terrorism on 5 October 2017. Participating jurisdictions are able to access face matching services and share identity information and images from government-issued documents.
Expanded online safety legislation passed by federal parliament
On 23 June 2021, the Online Safety Bill 2021 (Cth) and the Online Safety (Transitional Provisions and Consequential Amendments) Bill 2021 (Cth) were passed and are now awaiting assent. The legislation repeals and replaces the Enhancing Online Safety Act 2015 under which the Commonwealth government established a Children's e-Safety Commissioner (subsequently re-titled simply the "e-Safety Commissioner") and implemented a take-down complaints system for cyber-bullying material on social media. The new legislation retains and replicates certain aspects of the old scheme but in addition, it specifies basic online safety expectations, broadens the cyber-bullying scheme to address services other than social media and reduces the timeframe for service providers to respond to a removal notice from the eSafety Commissioner. Specifically, the legislation brings providers of app distribution services and internet search engine services into the remit of the online content scheme, and establishes a power for the eSafety Commissioner to request or require internet service providers to disable access to material which depicts, promotes or incites abhorrent violent conduct for time-limited periods in crisis situations.
Policies, Reports & Enquiries
Whistleblowing laws under the spotlight
On 20 May 2021, the Senate Environment and Communications References Committee published its report Freedom of the Press, and one of the important areas traversed by the report was the current state of Australia's public sector whistleblowing legislation. The relevant legislation for the Commonwealth public sector is the Public Interest Disclosure Act 2013 (Cth), and the Committee expressed the view that a combination of factors—including legislative complexity—was eroding trust in the scheme which in turn "could have a chilling effect on public interest journalism and/or exacerbate the number of unauthorised disclosures in the Commonwealth public sector". The report emphasised that whilst there were obvious reasons for placing national security constraints on whistleblowing by public officials in intelligence agencies, the current blanket exclusion for "intelligence information" precluded the disclosure of matters intended specifically to be covered by the Act and which would not necessarily harm national security interests. It recommended that non-security related disclosures should be expressly covered by the Act, and that the Act should further be amended to incorporate a public interest defence.
Human Rights Commission considers automated decision-making implications
On 27 May 2021, the Australian Human Rights Commission released its final report on Human Rights and Technology. One significant aspect of the report was the Commission's consideration of whether Australian privacy law should regulate automated individual decision-making in a manner akin to the EU's General Data Protection Regulation (GDPR) Article 22. Article 22.1 provides that, with some exceptions, a data subject has the right "not to be subject to a decision based solely on automated processing, including profiling" which has potential legal ramifications for that individual, whilst Article 22.3 requires data controllers to implement measures to ensure the data subject has "the right to obtain human intervention" to contest the decision. The Commission recommended that where the Australian Government is contemplating the creation of an AI-informed decision-making system, it should provide rights to internal review by a human, and the decision should be subject to external merits review by a body such as the Administrative Appeals Tribunal. With respect to the private sector, the Commission considered that it would be "good practice" for AI-informed decisions to be subject to review by a human with appropriate authority, skills and information. The Commission stopped short, however, of recommending a legal requirement to this effect with respect to either the public or private sectors, principally because "given the breadth of AI-informed decision making, the almost infinite potential for it to expand further, and the fact that some decisions cannot currently be made more accurately by humans without the assistance of AI, it would be very difficult to legislate a specific form of review that would be suitable for all types of AI-informed decision making".
Human Rights Commission considers statutory privacy right
On 27 May 2021, the Australian Human Rights Commission released its final report on Human Rights and Technology. A significant aspect of the report was the Commission's call for the creation of a statutory privacy right. Noting that the true anonymization of personal information was becoming increasingly challenging through the use of artificial intelligence, the Commission considered that a statutory privacy right would help combat the misuse and overuse of biometric technologies in particular, and in practical terms would present a barrier to intrusive, wide-scale surveillance, extending privacy protection in Australian law beyond personal information to include interference with bodily and territorial privacy. This would also more appropriately implement Australia's obligations under Article 17 of the International Covenant on Civil and Political Rights, which requires states to implement legal protection against an interference or attack on the "arbitrary or unlawful interference" with an individual's "privacy, family, home or correspondence". The Commission considered that "the statutory cause of action should be comprehensive and non-restrictive, and cover all intentional, reckless and negligent acts of privacy invasion by public and private entities". The Commission's recommendation follows similar recommendations in the past by the Australian Law Reform Commission (2014) and the Law Reform Commissions of both New South Wales (2009) and Victoria (2010).
Human Rights Commission considers rights of disabled IT users
On 27 May 2021, the Australian Human Rights Commission released its final report on Human Rights and Technology. A significant aspect of the report was the Commission's discussion of "functional accessibility", that is, the accessibility of technology for individuals suffering a disability. The Commission stressed that functional accessibility needs to be incorporated in the design of both the hardware and software, and in any updates or new iterations, of goods, services and facilities that use digital communication technologies. This line of discussion in turn drew focus to the Web Accessibility Guidelines (WCAG) 2.1 published by the World Wide Web Consortium (otherwise known as W3C). WCAG 2.1 aims to provide a single, shared accessible standard for web content to a wide range of people with disability including: blindness and low vision; deafness and hearing loss; learning disabilities; cognitive limitations; limited movement; speech disabilities; and photosensitivity. Australian government policy is for all agencies to implement WCAG 2.1 although conformity varies across agencies. There is, in any event, no legislation applicable to the public or private sector to mandate functional accessibility. The Commission recommended the development of a new and binding digital technology communication standard covering the provision of publicly-available goods, services and facilities that use digital technologies for communications purposes, and embracing software and hardware technologies used in laptops and mobile devices, websites and public-facing communication platforms in areas such as banking (e.g. ATMs) and travel (e.g. ticketing machines).
Consultation begins on Commonwealth digital identity legislation
On 10 June 2021, the Commonwealth government commenced public consultation on its proposed digital identity legislation. The object of the legislation, which the government plans to introduce in late 2021, is to facilitate online access to government services. The government has announced an intention to "enshrine in law a range of privacy and consumer protections and enable the digital identity system to be used confidently across federal, state, territory and local governments as well as the private sector", and is specifically seeking feedback in relation to the structure of the legislation, scope of the legislation and interoperability with other systems, regulatory oversight of the system, privacy and consumer safeguards, trustmarks, liability and redress framework, penalties and enforcement, and administration of charges for the Digital Identity system.
Health Privacy Issues
University entitled to access employee's computer
On 25 May 2021, the Victorian Civil and Administrative Tribunal (VCAT) dismissed a complaint by a university employee that the university had infringed the Health Privacy Principles (HPPs) contained in the Health Records Act 2001 (Vic) when it accessed his work computer for routine administrative functions: Kerig v Victoria University  VCAT 532. A fellow employee had used the applicant's work computer whilst the applicant was on annual leave, and reported difficulty in accessing it. An IT investigation determined that, in breach of the university's policies, the computer had been configured by the applicant in an unauthorised way and that it contained certain inappropriate material. The applicant claimed that as the computer also contained personal health information, the investigation infringed HPP 1 (Collection) and HPP 2 (Use and Disclosure). With respect to HPP 1, the Tribunal concluded that the university had the right to access an employee's computer; the collection of a minimum amount of information was unavoidable in order to determine whether the unauthorised configuration represented a breach of security. With respect to HPP 2, the Tribunal determined there had been no use of health information for a secondary purpose as "the sole purpose of the investigation ... was, first to ascertain why it could not be accessed/used by [the applicant's work colleague] and secondly, upon apparently unacceptable content being discovered on the computer, to investigate further, as a potential disciplinary breach, the nature and extent of the content on the computer's hard drive".
Privacy Commissioner reports on COVIDSafe app activity, but not the Commonwealth
On 17 June 2021, the Office of the Australian Information Commissioner (OAIC) released its second six-month report on privacy protections that apply to the Commonwealth government's COVIDSafe system. Part VIIIA of the Privacy Act was introduced in May 2020 to regulate the use of the Commonwealth contact tracing app, with supervisory powers being granted to the OAIC. The report covers the period November 2020 – May 2021. Key findings in the report were that (1) during the reporting period of 16 November 2020 to 15 May 2021, the OAIC received 14 enquiries about COVIDSafe, but no complaints; and (2) the Commissioner did not exercise her powers in relation to complaints, investigations, Commissioner-initiated investigations, information sharing and data breaches. This relative lack of contentious activity suggests that early concerns about the privacy invasiveness of the app were unfounded. The OAIC's second report contrasts with the failure to date of the Commonwealth to produce a report on the effectiveness of the app, despite a requirement under section 94ZA of the Privacy Act 1988 to prepare a report "as soon as practicable after the end of each six-month period".