Federal Court rejects jurisdictional submission by Google

On 4 February 2022, the Federal Court dismissed an application by Google LLC to stay proceedings against an online games distributor, Epic Inc, in respect of a dispute over Google's exclusion of Epic's game Fortnite from the Android platform and its refusal to enable purchase of the game other than via Google Play: Epic Games, Inc v Google LLC [2022] FCA 66. We have previously reported on similar (but in some respects distinct) proceedings brought by Epic against Apple, in which Apple succeeded with its stay application at first instance before the decision was overturned on appeal. In the Google proceedings, Google relied on a clause of the Google Play Developer Distribution Agreement which nominated the law of California as the governing law and vested exclusive jurisdiction in the courts of Santa Clara. Perram J declined to grant the stay on a number of bases, including the fact that it was unclear whether a US court would apply Part IV of the Competition and Consumer Act 2010 or section 21 of the Australian Consumer Law, both of which were fundamental to the Australian proceedings. An important public interest consideration was that neither consumers nor the ACCC would be able to rely upon the findings of any judgment as prima facie evidence, whereas if the proceeding continued in the Federal Court they would be able to do so; and a further public interest consideration was that if the case proceeded in California, the Federal Court's competition law jurisprudence would not be developed, which was significant in a case of "wide import for Australian consumers".

DABUS update: Full Court denies AI inventor status

As we have previously reported, the Australian Federal Court in Thaler v Commissioner of Patents [2021] FCA 879 was the first and only court worldwide to decide that an AI can be named as an inventor on a patent. In the landmark decision, Beach J of the Federal Court overturned the Deputy Commissioner of Patents' decision not to grant the patent on the basis that there is nothing in the Patents Act 1990 (Cth) to support a conclusion that an AI cannot be an inventor. However, on 13 April 2022 an enlarged five-judge bench of the Full Court unanimously overturned the Federal Court's decision. The Full Court took a different approach to the Federal Court on the interpretation of key provision s 15(1) of the Act, finding that entitlement to a patent ultimately flows from the inventor being a natural person. Although the Full Court did not consider that the Act, case law or underlying policy supported an "inventor" being anything other than a natural person, it nonetheless addressed the need for policy makers to address the issue "with some urgency". The Full Court's decision brings Australia in line with the UK, European and US courts, as well as various other patent offices, in rejecting AI as an inventor. Stay tuned for further developments in relation to this case, as it is likely that Dr Thaler will apply for special leave to appeal to the High Court. For a detailed analysis of the decision, refer to the article by David Webber and Dr Claire Gregg on our website.

Special leave granted in electronic gaming machine dispute

As we have previously reported, the Full Federal Court in Commissioner of Patents v Aristocrat Technologies [2021] FCAFC 202 held that Aristocrat's electronic gaming machine did not constitute patentable subject matter and, in doing so, reframed the test for patent eligibility of software inventions. Aristocrat subsequently filed a special leave application to appeal this decision to the High Court. The High Court, on 10 March 2022, granted Aristocrat's special leave application, sparking hope that the High Court's decision might provide necessary clarification for owners and patentees of software inventions. We look forward to hearing the High Court's views in the upcoming decision. This outcome was also reported on by DCC.

New Legislation & Guidelines

Commonwealth data sharing legislation comes into effect

On 30 March 2022, the Commonwealth government introduced an amendment to the Data Availability and Transparency (Consequential Amendments) Bill 2020. In 2020, we reported on the Bill which was introduced with the objective of authorising Commonwealth bodies to share their public sector data with accredited users. In 2021 we reported that the Parliamentary Joint Committee on Human Rights declined to endorse the Bill due to concerns over a range of issues including the interaction of the legislation with the Privacy Act 1988 (Cth) and the Freedom of Information Act 1982 (Cth). Issues were also raised by the Senate Finance and Public Administration Legislation Committee, including specific concerns mentioned in a dissenting report tabled by Australian Labor Party Senators on the Committee. In response to this feedback, the Data Availability and Transparency (Consequential Amendments) Bill 2020 (Cth) contained a range of amendments, including a prohibition on foreign entities becoming accredited under the Scheme, clarification of the interaction of the legislation with the Freedom of Information Act, the introduction of a new section 36B of the Privacy Act to enable the Australian Information Commissioner to share information with the National Data Commissioner in certain circumstances, and deferred transitional arrangements to ensure sufficient time for the establishment of appropriate infrastructure and training to accommodate the new scheme. The Amendment Bill, along with the principal Act, was passed on 31 March 2022, and the new Act commenced on 1 April 2022.

Second stage of the critical infrastructure reforms passed into law

As we previously reported, the Government passed its initial stage of reforms to the Security of Critical Infrastructure Act 2018 (Cth) on 2 December 2021, following recommendations from the Parliamentary Joint Committee on Security and Intelligence (PJCIS) that the original bill be split in two. On 30 March 2022, the Security Legislation Amendment (Critical Infrastructure Protection) Bill 2022 (Cth) was passed by Parliament with amendments from the Senate, implementing the second and final stage of the proposed reforms. As a result, owners and operators of critical infrastructure assets will be required to develop and maintain risk management programs in relation to their critical infrastructure assets which identify hazards, minimise the material risk of such hazards occurring, and mitigate their impact if they do occur. Further, enhanced cyber security obligations will apply to those assets declared by the Minister for Home Affairs to be "Systems of National Significance", including obligations to develop cybersecurity incident response plans, conduct exercises, complete vulnerability assessments and provide information to the Australian Signals Directorate (ASD). This may include an obligation to install and maintain software to transmit data and information to the ASD where required.

Deadline for compliance by non-major ADIs with new CDR obligations extended to October

On 1 April 2022, the Minister for Superannuation, Financial Services and the Digital Economy published the Competition and Consumer Amendment (Consumer Data Right Measures No. 1) Regulations 2022, extending the date for the commencement of new Consumer Data Right obligations applicable to joint accounts held by non-major authorised deposit taking institutions (ADIs). Previously, the new CDR obligations relating to joint accounts were due to commence on 1 July 2022 but this date has now been extended to 1 October 2022. The extension was a response to stakeholder representations to the effect that the 1 July deadline was impractical when taking into account "the planning required to implement systems changes to meet the obligations".

New Credit Reporting Code introduced

On 11 April 2022, the Australian Information Commissioner published the Privacy (Credit Reporting) Code 2014 (Version 2.2), to take effect on 22 April 2022. The Code supplements the provisions contained in Part IIIA of the Privacy Act 1988 and the Privacy Regulation 2013 in relation to the handling of personal information about individuals' activities in relation to consumer credit. We have previously reported that under the terms of the existing Code, the Commissioner must undertake a review every 4 years. The new Code maintains all of the substantive provisions outlining the rights and obligations of organisations and individuals that were included in Version 2.1. Amendments introduced in the new Code include clarification that the Code does not bind non-participating credit providers as defined in s 6(1) of the Privacy Act, and various changes to reflect and clarify amendments to section 20R of the Privacy Act which was repealed and replaced by the National Consumer Credit Protection Amendment (Mandatory Credit Reporting and other Measurements) Act 2021 – the amended section 20R requires a credit reporting body to give an individual free access to the credit reporting information held by the credit reporting body every 3 months (instead of every 12 months) together with details of an individual's credit rating.

Policies, Reports & Enquiries

Discussion Paper on electronic surveillance released

On 15 February 2022, the Department of Home Affairs released a Discussion Paper entitled Reform of Australia's electronic surveillance framework. The paper forms part of a review of a "complex, inconsistent, outdated and inflexible" framework comprising the Telecommunications (Interception and Access) Act 1979, the Surveillance Devices Act 2004, parts of the Australian Security Intelligence Organisation Act 1979, parts of the Telecommunications Act 1997, and discrete parts of other Commonwealth and State and Territory laws. The reform project aims to repeal the Telecommunications (Interception and Access) Act, the Surveillance Devices Act and parts of the Australian Security Intelligence Organisation Act, and replace what are seen to be a "patchwork of laws" with "a single, streamlined and technology-neutral Act". The catalyst for reform has been the realisation that legislation which was originally designed to protect the privacy of fixed line phone calls and telegrams has struggled through a series of amendments over the years to adequately address technological advances involving the use of computers, emails, texts, "over-the-top" messaging applications and social media. These shortcomings – and the need for reform – were initially identified in the Comprehensive Review of the Legal Framework of the National Intelligence Community conducted by Mr Dennis Richardson AC and published in 2020.

OAIC releases six-monthly report on notifiable data breaches

On 19 February 2022, the Office of the Australian Information Commissioner released its six-monthly Notifiable Data Breach Report. The report, covering the period 1 July to 31 December 2021, contains statistical information regarding the reporting of incidents under the scheme. Key findings included a 6% increase in notifications compared with the preceding six-month period, although there was a 9% drop in reports of malicious or criminal attacks. The health sector remains the highest reporting industry sector (18%) followed by the finance sector (12%). Contact information remains the most common type of personal information involved in breaches.

ACCC considers adequacy of competition laws in the digital services market

On 28 February 2022, the Australian Competition and Consumer Commission (ACCC) released its fifth Discussion paper arising out of the Digital Platform Services Inquiry. The Discussion Paper, entitled Updating competition and consumer law for digital platform services, addresses what it perceives as entrenched powerful positions of a limited number of digital services providers which are "increasingly acting as gatekeepers between businesses and end users". The ACCC has expressed concern about the difficulties of enforcement of existing competition and consumer protection legislation as a means of creating a more competitive market, and poses the question of "whether Australia's current competition and consumer protection laws, including merger laws, are sufficient to address the competition and consumer harms that have been identified in relation to digital platform services". The Discussion paper addresses possible options for legislative reform, including a new framework for obligations and prohibitions contained in legislation, codes of conduct, rule-making powers, measures to promote competition, and third-party access regimes.

Parliamentary Committee recommends action on harmful social media content

On 15 March 2022, the House of Representatives Select Committee on Social Media and Online Safety released its Social Media and Online Safety Report. The Committee, chaired by Lucy Wicks MP, was tasked with enquiring, amongst other things, into "the range of online harms that may be faced by Australians on social media and other online platforms, including harmful content or harmful conduct". Amongst its 26 recommendations, the Committee recommended that future reviews of the operation of the Online Safety Act 2021 take into consideration the implementation of the Safety by Design Principles on major digital platforms, including social media services and long-standing platforms which require retrospective application of the Safety by Design Principles. It also recommended that the eSafety Commissioner examine the extent to which social media companies actively apply different standards to victims of abuse depending on whether the victim is a public figure or requires a social media presence in the course of their employment. Other recommendations included addressing technology-facilitated abuse in the context of family and domestic violence, and mandating that all social media companies set as a default the highest privacy settings for people under the age of 18 years.

ACMA reports that online misinformation is still prevalent despite digital platform Code of Practice

On 21 March 2022, the Australian Communications and Media Authority (ACMA) published A Report to Government on the Adequacy of Digital Platforms' Disinformation and News Quality Measures. In December 2019, as part of its response to the ACCC's Digital Platforms Inquiry, the Australian Government requested that digital platforms in Australia develop a voluntary code of practice to address online disinformation and news quality. ACMA was tasked with overseeing the development of the Australian Code of Practice on Disinformation and Misinformation, which was launched on 22 February 2021, and reporting to government on its effectiveness in practice. Signatories (which include Google, Facebook, Microsoft and Apple) are required to sign up to the objective of "providing safeguards against harms that may arise from disinformation and misinformation" and may opt-in to other code objectives, such as disrupting advertising incentives and supporting strategic research. ACMA's report noted with concern the ongoing prevalence of online disinformation and misinformation, particularly in relation to COVID-19, but acknowledged that platforms were taking proactive steps in accordance with the Code to address these issues. At the same time, the drafting of the Code could be improved by clarifying references to "serious" and "imminent" harm, expanding the types of services covered, establishing industry-wide KPIs, and moving to an "opt-out" model whereby signatories could only opt out of outcomes not relevant to their particular service.

Consultation on Australia's National Data Security Action Plan

On 6 April 2022, the Minister for Home Affairs released a discussion paper outlining the Australian Government's data security initiatives to strengthen and coordinate data security policy across the Federal, state and territory governments and the broader economy. The paper outlines the data security threats currently faced by government and industry and puts forward proposals on defining and delivering a "whole-of-government" approach to addressing them, building on the feedback received through the Government's recent consultation on other legislative initiatives like the reforms to the Security of Critical Infrastructure Act 2018 and Australia's Cyber Security Strategy 2020. Submissions on the discussion paper will be open until 10 June 2022.

Health Privacy Issues

Providing patient with access to health information may be "unlawful"

On 8 February 2022, the Victorian Civil and Administrative Tribunal ruled that a psychologist's contractual obligation to a third party to maintain the confidentiality of psychometric test material was sufficient to deny access to a patient seeking access to that material under the Health Records Act 2001 (Vic): WZF v Abrahamson [2022] VCAT 145. Under section 25 and Health Privacy Principle 6, an individual has a right of access to their health information held by a health service provider. HPP 6.1(f) provides an exception where providing access would be "unlawful" and HPP 6.1(g) creates an exception where "denying access is required or authorised by or under law". The Tribunal was told that psychometric test material was made available by a third party on contractual terms that required the recipient to not distribute test manuals and/or answer booklets to clients or members of the public. This was considered necessary in order to protect the integrity of the tests, the meaningfulness of which would be severely diminished if they became public knowledge. The Tribunal observed that "the wording of the exemptions in HPP 6.1 (f) and (g) clearly contemplates that [the patient's] right to access her health information is not absolute" and that the psychologist's contractual and ethical obligations made it appropriate for the material to be withheld.

No privacy liability for acts of a "rogue employee"

On 9 February 2022, the New South Wales Civil and Administrative Tribunal ruled that an employer was not vicariously liable for the unauthorised use and disclosure of an employee's health information by another employee acting outside the scope of her employment: EQH v Health Administration Corporation (No. 2) [2022] NSWCATAD 45. The applicant asserted that the respondent should be held accountable for a breach of Information Protection Principles set out in sections 17 and 18 of the Privacy and Personal Information Act 1998 (NSW), and the equivalent Health Privacy Principles 10 and 11 contained in the Health Records and Information Privacy Act 2002 (NSW), both dealing with the unauthorised use and disclosure of information. The Tribunal accepted the employer's contention that it should not be liable for the acts of a "rogue employee" acting "extraneous" to her employment and who had no work-related reason to access the applicant's health information. The Tribunal further concluded that the employer had not breached section 12 of the Privacy and Personal Information Act or the equivalent HPP 5(1)(c) of the Health Records and Information Privacy Act by failing to adopt adequate security measures to prevent the rogue action taking place – the Tribunal was of the view that the employer's privacy awareness training program, backed by a range of workplace policies, constituted "safeguards" which were "reasonable" for the purpose of both Acts.

Health Privacy Principle 6.6 invoked against Clinic which declined to attach statement by individual who unsuccessfully sought an amendment to a health record

On 5 April 2022, the Victorian Civil and Administrative Tribunal (VCAT) published its reasons for concluding that a medical clinic breached Health Privacy Principle 6.6 under the Health Records Act 2001 (Vic) by not attaching details of a request to amend a patient's health information, notwithstanding its conclusion that it was not necessary to actually amend the health record: GKU v Mostyn Street Clinic [2022] VCAT 231. The Complainant was the father of a young child and had requested the Respondent to amend its medical records to include details of a series of falls suffered by the child at childcare. The Respondent declined to amend its records on the grounds that the incidents were not part of the treatment administered by the clinic, and the treating doctor had no knowledge of the incidents. The Tribunal agreed with the Respondent that there had been no breach of Health Privacy Principle 6.5 which requires an organisation holding health information to take reasonable steps to ensure its patient records are accurate, complete and up-to-date. The Tribunal further found, however, that the Clinic had breached HPP 6.6 which requires that an organisation which receives a written statement concerning a rejected request for correction of health information "must take reasonable steps to associate the statement with the information".
