IT security company liable for confidentiality breaches by new employees

On 21 October 2022, the Australian Capital Territory Court of Appeal dismissed an appeal against a trial judge's findings that an IT security company was entitled to an account of profits, together with equitable compensation and declaratory relief, against a company to which confidential information had been transferred by three departing employees: Dreamtime Supply Company Pty Ltd v Steadfast ICT Security Pty Ltd (No 2) [2022] ACTCA 57. The primary judge had found that the departing employees were involved in conduct that breached their fiduciary, contractual and statutory obligations as employees and directors, and that the new employer, Dreamtime, was knowingly involved in the conduct of the other defendants. The primary judge held that the conduct of one of the employees, in particular, was "thoroughly dishonest and in flagrant breach of his obligations to his employer". The departing employees were variously found to have breached their employment contracts, breached fiduciary obligations to Steadfast, and contravened sections 180, 181, 182 and 183 of the Corporations Act 2001. The findings of the trial judge were upheld, with one small exception conceded by the respondent and a further exception relating to the quantification of damages awarded against one of the individuals.

Mediator permitted to disclose third party's details in the course of mediation proceedings

On 9 November 2022, the New South Wales Civil and Administrative Tribunal ruled that a mediator did not infringe the New South Wales Information Privacy Principles when handling the personal information of a third party seeking to join mediation proceedings: ENS v Commissioner for Fair Trading [2022] NSWCATAD 356. The mediator had been appointed by the Commissioner for Fair Trading in connection with a dispute between a lot owner and a strata scheme manager. The applicant sent an email to the mediator enquiring whether, and how, he could join the mediation process. The mediator forwarded details of the request to the lot owner, asking whether she was agreeable, and the applicant contended that this involved the unauthorised release of his personal information. The Tribunal concluded that the disclosure was permitted by s 18(1)(b) (IPP 11) of the Privacy and Personal Information Protection Act 1998 (NSW). Section 18(1)(b) provides that disclosure is permissible if the individual concerned is reasonably likely to have been aware that information of that kind is usually disclosed to that other person or body. According to the Tribunal, the test is one of objective "reasonableness". Senior Member French was satisfied that a person who requests to join a specific mediation would reasonably be aware that the applicant for mediation would be informed of that request and asked for their views on it: "It would be contrary to common sense that a person could join a mediation without the original parties to the mediation being consulted first about whether they should be permitted to do so." On this basis, the disclosure fell within the exception in s 18(1)(b).

Insurer found to have collected excessive personal information

On 10 November 2022, the New South Wales Civil and Administrative Tribunal ruled that an insurer had unnecessarily collected personal information about an individual while processing his workers compensation claim: EEH v NSW Self Insurance Corporation [2022] NSWCATAD 361. The Applicant had entered into a Deed of Release in relation to a workers compensation claim against the New South Wales Police Force, and a copy of the Deed, containing personal information, was subsequently provided to the Respondent insurer. The Applicant asserted that, in contravention of Information Privacy Principle 1 as set out in section 8(1) of the Privacy and Personal Information Protection Act 1998 (NSW), the Respondent's collection of his personal information (or at least some of it) was not reasonably necessary for any lawful purpose directly related to a function or activity of the Respondent. IPP 1 provides that a public sector agency must not collect personal information unless (a) the information is collected for a lawful purpose that is directly related to a function or activity of the agency, and (b) the collection of the information is reasonably necessary for that purpose. Senior Member Christie concluded that a significant part of the Applicant's personal information in the Deed had no direct or apparent relevance to the resolution, settlement, subsequent payment or management of the Applicant's workers compensation claim. The Tribunal also concluded that breaches of IPP 2 (collection directly from the individual) and IPP 5 (retention and security of personal information) had occurred.
The Tribunal ordered that the Respondent permanently and securely redact or delete all of the Applicant's personal information which had been collected and/or held in breach of any of IPPs 1, 2 and/or 5, and that the Respondent provide to the Applicant an unreserved formal written apology addressing and apologising for the Respondent's breaches of IPPs 1, 2 and 5 and for all resultant harm, distress, loss and embarrassment.

Telcos fined for misleading website claims

On 25 November 2022, the Federal Court of Australia imposed a $13,500,000 pecuniary penalty on Optus for contraventions of sections 29(1)(g) and (m) of the Australian Consumer Law: Australian Competition and Consumer Commission v Optus Internet Pty Limited [2022] FCA 1397. The order by Moshinsky J arose out of proceedings brought by the Australian Competition and Consumer Commission alleging that, throughout 2019, Optus had engaged in misleading or deceptive conduct by representing on its website that it would check and confirm the speed of each customer's NBN line within a reasonable period after the service was connected. In fact, Optus did not have adequate systems, processes and policies in place to ensure that the representations would be fulfilled, and therefore had no reasonable grounds for making them. Two other decisions were handed down by the same court on the same day in relation to other telecommunications companies (Telstra and TPG) found to have misled consumers about residential broadband internet plans, with Telstra being ordered to pay pecuniary penalties to the Commonwealth in the sum of $15,000,000: Australian Competition and Consumer Commission v Telstra Corporation Limited [2022] FCA 1398.

Federal Court grants blocking order in respect of 48 carriage service providers

On 25 November 2022, the Federal Court of Australia ordered each of the 48 respondents, all carriage service providers, to disable access to a specified domain name, IP address or URL: Roadshow Films Pty Ltd v Telstra Corporation Limited [2022] FCA 1413. The application for site blocking orders had been brought under s 115A of the Copyright Act 1968 (Cth). The orders were sought by the applicants in respect of the online location known as Mixdrop. According to the evidence, Mixdrop is what is referred to as a cyberlocker. The term "cyberlocker" describes an online storage and distribution facility to which copyright material (typically movies and television programs) is uploaded, and from which it is downloaded, in breach of copyright. The applicants are well-known producers and distributors of cinematograph films comprising commercially released movies and television programs. The evidence relied on by the applicants established that these films are made available online at Mixdrop without the licence of the copyright owners. Nicholas J concluded that "the requirements of s 115A(1) are satisfied and, in particular, that Mixdrop infringes, and facilitates the infringement, of copyright in the applicants' cinematograph films, and has a primary purpose, and the primary effect, of infringing, and facilitating the infringement, of copyright".

Google obtained effective consent to change its privacy policy

On 9 December 2022, the Federal Court of Australia dismissed a claim by the Australian Competition and Consumer Commission (ACCC) that Google LLC had misled users when it amended its privacy policy: Australian Competition and Consumer Commission v Google LLC (No 2) [2022] FCA 1476. In order to obtain permission to make the changes to its policy, Google displayed a notification on the desktop and mobile devices of account holders who were signed in to their Google accounts. The ACCC alleged that the notification did not adequately inform account holders of the nature and effect of the changes. The effect of the changes was that, if a user clicked "I agree", Google was permitted to combine the personal information in the user's Google account with information about the user's activity on non-Google sites, thereby improving Google's advertising business. Yates J rejected the ACCC's assertion that Google had engaged in misleading or deceptive conduct in breach of section 18 of the Australian Consumer Law. His Honour was satisfied that, if a user did not click "I agree", the proposed changes were not implemented for that user: Google obtained permission to combine information only through account holders' explicit, opt-in consent given via the notification.

New Legislation & Guidelines

Amendments to Privacy Act follow major Australian data breaches

On 28 November 2022, the Privacy Legislation Amendment (Enforcement and Other Measures) Act 2022 was passed, coming into effect the day after royal assent. The principal significance of the legislation lies in the amendments it makes to the Privacy Act 1988 (Cth). Under the amended Privacy Act, the maximum penalty for serious or repeated interferences with privacy under section 13G of the Act is increased from $2.22 million to the greater of $50 million; three times the value of any benefit obtained through the misuse of information; or 30 per cent of the company's adjusted turnover in the relevant period. The amendments also give the Australian Information Commissioner enhanced enforcement powers, including by expanding the types of declarations that can be made at the conclusion of an investigation; amending the extraterritorial provisions in section 5B of the Act to ensure that foreign organisations carrying on business in Australia must meet their obligations under the Act even if they do not collect or hold Australians' information directly from a source in Australia; and strengthening the Notifiable Data Breaches scheme by inserting a new section 26WU to ensure that the Commissioner has comprehensive knowledge of the information compromised in an eligible data breach, in order to assess the particular risk of harm to individuals.

NSW introduces mandatory data breach notification obligations

On 16 November 2022, the New South Wales Parliament passed the Privacy and Personal Information Protection Amendment Act 2022, introducing a mandatory notification of data breach scheme. The amendments to the Privacy and Personal Information Protection Act 1998 (NSW) will take effect 12 months after the date of assent, 28 November 2022. Under the new scheme, contained in a new Part 6A of the Act, New South Wales public sector agencies will be required to notify the NSW Privacy Commissioner and affected individuals of data breaches involving their personal or health information that are likely to result in serious harm. The amendments expand the definition of "public sector agency" in section 3 to include State-owned corporations that are not subject to the Privacy Act 1988 (Cth). An exemption applies if the head of the public sector agency has taken action to mitigate the effects of the data breach such that the breach is no longer likely to result in serious harm to an individual. New South Wales is the first State to introduce mandatory public sector data breach reporting, although similar initiatives have been canvassed in Victoria and Queensland.

Disclosure restrictions on telcos may be relaxed

On 24 November 2022, the Senate referred the Telecommunications Legislation Amendment (Information Disclosure, National Interest and Other Measures) Bill 2022 to the Environment and Communications Legislation Committee for inquiry and report by 1 March 2023. The Bill addresses a range of matters associated with information disclosure and the national interest, including facilitating assistance provided by the telecommunications industry to law enforcement agencies and emergency service organisations. In particular, it seeks to facilitate information disclosure under Part 13 of the Telecommunications Act 1997. Section 276 of the Act provides that a carrier "must not disclose or use any information or document that relates to the affairs or personal particulars (including any unlisted telephone number or any address) of another person" where that information comes into the carrier's knowledge or possession in connection with its business as a carrier. Division 3 of Part 13 sets out the exceptions to the offence under section 276, including the right under section 287(b) to disclose certain personal details if it is believed on reasonable grounds that "the disclosure or use is reasonably necessary to prevent or lessen a serious and imminent threat to the life or health of a person". The proposed amendment to section 287(b) would omit the word "imminent", bringing section 287 into line with the "Permitted General Situations" table in section 16A of the Privacy Act 1988, which permits disclosure if, inter alia, an entity reasonably believes that this "is necessary to lessen or prevent a serious threat to the life, health or safety of any individual, or to public health or safety".

Consumer Data Right commences for energy sector

On 15 November 2022, the Consumer Data Right (CDR) formally commenced in relation to the energy sector. Customers of Origin and AGL now have access to the CDR. Customers of EnergyAustralia will have access from May 2023, and residential customers of other retailers from November 2023. We have previously reported that the energy sector was designated as subject to the CDR by the Consumer Data Right (Energy Sector) Designation 2020. The CDR now applies to specified data sets in the National Electricity Market (NEM), among them consumer data sets relating to the sale or supply of electricity, including where electricity is bundled with gas. Product data sets in the CDR energy sector cover electricity, gas and dual fuel plans. The data sets are defined in detail in Schedule 4 to the CDR Rules. Under the CDR for the energy sector, a primary data holder is an energy retailer with whom the consumer has a relationship and which holds data sets including customer data, account data, billing data and tailored tariff data. The Assistant Treasurer, the Hon Stephen Jones MP, commented that "the energy market rollout follows the safe and successful introduction of CDR into the Open Banking environment, giving consumers power over their bank data", making Australia the first jurisdiction in the world to roll out the CDR across multiple sectors. The Office of the Australian Information Commissioner (OAIC) is meanwhile updating the CDR Privacy Safeguard Guidelines and the Guide to Privacy for Data Holders to reflect the expansion of the CDR to the energy sector.

Consumer Data Right commences for non-bank lending sector

On 25 November 2022, the Assistant Treasurer issued the Consumer Data Right (Non-Bank Lenders) Designation 2022, designating the non-bank lending sector as subject to the CDR. Non-bank lending is the fourth sector of the Australian economy to which the CDR will apply, following the designation of the banking, energy and telecommunications sectors. As we have previously reported, Treasury concluded in August 2022 that "extending the CDR to non-bank lending is likely to result in significant benefits for individual and business consumers – namely better service and greater potential for innovation". The Designation was issued under section 56AC(2) of the Competition and Consumer Act 2010, which provides that the Minister may, by legislative instrument, designate a sector of the Australian economy to be subject to the consumer data right. Subsequently, on 5 December 2022, Treasury and the Data Standards Body called for public submissions on the development of rules and data standards to implement the CDR in the non-bank lending sector: Consumer Data Right in Non-bank Lending: CDR Rules and Data Standards Design Paper.

WA emergency services facilities can intercept calls in an emergency

On 29 November 2022, the Commonwealth Attorney-General issued the Telecommunications (Interception and Access) (Emergency Service Facilities – Western Australia) Instrument 2022. The Instrument was made under subsection 6(2D) of the Telecommunications (Interception and Access) Act 1979. Section 7 of the Act establishes a general prohibition on the interception of communications passing over a telecommunications system. However, subsection 6(2F) provides that a person who is lawfully engaged in duties relating to the receiving and handling of communications to or from an emergency service facility may listen to or record such a communication without contravening the general prohibition. The Attorney-General may declare premises to be an emergency service facility under subsection 6(2B) of the Act. The purpose of the Instrument is to specify the information required under subsection 6(2D) to support such a declaration, that is, to meet the statutory requirements for declaring premises to be emergency service facilities operated by the relevant forces and services in Western Australia, so that those forces and services can lawfully intercept communications when taking emergency calls without needing to obtain consent. The designated forces and services are the Western Australia Police Force, St John Ambulance Australia (Western Australia), the Department of Fire and Emergency Services, Airservices Australia – Aviation Rescue and Firefighting Service, the Royal Flying Doctor Service and the Perth Airport Control Centre. The Instrument repealed the Telecommunications (Interception and Access) (Emergency Service Facilities – Western Australia) Instrument 2015.

Federal Opposition reintroduces Ransomware Bill

On 26 September 2022, Shadow Minister for Home Affairs Karen Andrews reintroduced the Crimes Legislation Amendment (Ransomware Action Plan) Bill 2022 (Bill) as a private member's bill. The Bill would amend the Criminal Code Act 1995 (Cth) to introduce new criminal offences for cyber extortion and for dishonestly dealing with data obtained by unauthorised access, as well as new aggravated offences for targeting critical infrastructure, buying and selling ransomware, and providing ransomware services. The Bill would also extend the jurisdiction of the Criminal Code's computer offences to conduct that occurs outside Australia but affects persons in Australia. Lastly, the Bill includes amendments to the Proceeds of Crime Act 2002 (Cth) to extend law enforcement agencies' powers of search and seizure in relation to digital currency exchanges, to combat the use of digital assets and cryptocurrencies in the commission of crimes.

Policies, Reports & Enquiries

OAIC releases notifiable data breach statistics

On 10 November 2022, the Office of the Australian Information Commissioner released its report on notifiable data breaches for the period January to June 2022: Notifiable data breaches report January to June 2022, OAIC (2022). The report noted a 14% decrease in the number of reported breaches during the relevant period. The sector reporting the most breaches was health services, followed by the finance, education, legal/accounting and recruitment sectors. The most common type of cyber incident was ransomware (31%), followed by phishing (26%), compromised or stolen credentials (25%), hacking (9%) and malware (6%). The leading causes of human error breaches were misdirected emails (38%), unintended release or publication (24%) and misdirected postal mail (8%). Notifications made under the My Health Records Act 2012 were not included, as they are subject to the specific notification requirements set out in that Act.

The end of the COVIDSafe app

On 1 December 2022, the Office of the Australian Information Commissioner (OAIC) published its final six-monthly COVIDSafe privacy report. As previously reported, the Privacy Act 1988 was amended in May 2020 to insert Part VIIIA, which introduced controls over the handling of personal information collected via the government's contact tracing app, COVIDSafe. Section 94ZB of the Act required the OAIC to report every six months on the performance of the Commissioner's functions and the exercise of her powers under or in relation to Part VIIIA. On 16 August 2022, the Minister for Health and Aged Care determined, by issuing the Privacy (Public Health Contact Information) (End of the COVIDSafe Data Period) Determination 2022, that COVIDSafe was no longer required to prevent or control the entry, emergence, establishment or spread of COVID-19 in Australia. The Commissioner's reports had consistently recorded that no complaints or data breach notifications had been received in relation to the COVIDSafe system. The final report recorded that the Department of Health and Aged Care had deleted all COVID app data from the National COVIDSafe Data Store in accordance with the legislative requirements.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.