Judgments

Alleged CDR breach by Bank of Queensland

On 13 July 2022, the ACCC issued its first infringement notice for a breach of the Consumer Data Right (CDR). As we have previously reported, the CDR was initially rolled out to the major banks in July 2020, and then to all other banks in 2021. The Bank of Queensland paid a penalty of $133,200 after the ACCC alleged it had breached the CDR by failing to be in a position to share data for financial products by the deadline of 1 July 2021, the service in fact being unavailable until 13 December 2021.

Parking dispute did not lead to privacy breach

On 22 July 2022, the Victorian Civil and Administrative Tribunal rejected an assertion that a local council parking enforcement officer breached the Privacy and Data Protection Act 2014 (Vic) by revealing the name of an individual who had made a complaint about a car parked across her driveway: Shaw v Yarra City Council [2022] VCAT 811. The complainant alleged that the council breached Information Privacy Principle (IPP) 2.1 by disclosing personal information for an unauthorised secondary purpose, and IPP 4.1 by failing to protect personal information from unauthorised disclosure. The decision turned on disputed facts, and the Tribunal concluded that the parking officer had not disclosed the complainant's name as alleged.

Samsung penalised for misleading smartphone advertising

On 28 July 2022, the Federal Court imposed a pecuniary penalty of $14m on Samsung in connection with misleading advertising regarding the capabilities of "Galaxy" branded smartphones: Australian Competition and Consumer Commission v Samsung Electronics Australia Pty Ltd [2022] FCA 875. The action arose out of claims that certain Galaxy smartphone models were suitable to be submerged in pool or sea water. Murphy J determined that, as there was a material prospect that the charging port of those phones might be damaged due to corrosion in such circumstances, Samsung had contravened sections 18(1), 29(1)(a) and 33 of the Australian Consumer Law. His Honour noted that a penalty of such magnitude would "carry a sufficient sting or burden so as to deter Samsung Australia from a repetition of similar conduct, and it should serve as a salutary reminder to other large providers of smartphones to avoid such conduct".

Google penalised for misleading phone settings

On 12 August 2022, the Federal Court ordered Google LLC to pay $60m in penalties for making misleading representations to consumers regarding the collection and use of personal location data using the "Location History" on Android phones: Australian Competition and Consumer Commission v Google LLC (No 4) [2022] FCA 942. We have previously reported that in April 2021 the Court found Google in breach of the Australian Consumer Law for misrepresenting its account setting relevant to location data and, specifically, failing to advise consumers that the default setting "Web & App Activity" was used to collect and store personal information. The parties jointly submitted that a penalty of $60m was appropriate for the infringement of section 18 of the Australian Consumer Law, and Thawley J considered no separate penalty was necessary. Applying the "totality principle", His Honour concluded that the penalty struck "a reasonable balance between deterrence and oppressive severity in circumstances where there is a multiplicity of offences".

Fuji contracts found to contain unfair terms

On 12 August 2022, Stewart J in the Federal Court declared that 38 contract terms in contracts between Fuji and small businesses were unfair, and accordingly void and unenforceable: Australian Competition and Consumer Commission v Fujifilm Business Innovation Australia Pty Ltd [2022] FCA 928. The Court's order applied to 11 types of standard form contracts used by Fuji in the course of carrying on its office equipment supply and software licensing and support businesses. Fuji was ordered to cease using the terms, which included terms relating to automatic renewal, disproportionate termination rights, liability limitation, unfair payment and unilateral variation, for a period of 5 years.

An IP address is not "personal information"

On 12 August 2022, the Victorian Civil and Administrative Appeals Tribunal ruled that the collection of an IP address from an individual without informing him did not constitute an infringement of the Privacy and Data Protection Act 2014 (Vic) as no "personal information" was involved: GMW v Victoria Legal Aid [2022] VCAT 922. The Complainant had been seeking assistance from Victoria Legal Aid via a chat service and noted that his IP address appeared on the transcript of the call which he subsequently received. The Tribunal accepted the Respondent's contention that an IP address is not personal information for the purposes of the Act. It could not be said to identify an individual because "an IP address may not be a stable identifier of a device or an ISP as many are designed to be dynamic and temporary". Citing the original AAT decision in Telstra Corporation Limited and Privacy Commissioner [2015] AATA 991, Member Smith concluded that "an IP address is not about the person but about how data is transmitted from a person's device over the internet and a message sent to, or a connection made, with another person or agency's device".

Google found not to be a "publisher" of defamatory content

On 17 August 2022, the High Court of Australia allowed an appeal by Google LLC against a finding by the Victorian Supreme Court and Court of Appeal that it was liable as a publisher for defamation accessible via its search engine from a third-party newspaper site: Google LLC v George Defteros (17 August 2022, M86/2021). The Victorian Court of Appeal had upheld the trial judge's finding that Google became liable as a publisher seven days after it received notification of the defamatory content. Kiefel CJ and Gleeson J considered that the key issue was "whether providing search results which, in response to an enquiry, direct the attention of a person to the webpage of another and assist them in accessing it amounts to an act of participation in the communication of defamatory matter". In finding for Google, their Honours observed that "facilitating a person's access to the contents of another's webpage is not participating in the bilateral process of communicating its contents to that person", and that whilst notice of the existence of defamatory matter may be relevant to knowledge in the defence of innocent dissemination, "it is not relevant to the question whether defamatory material is published".

Federal Court dismisses appeal regarding adequacy of privacy compensation

On 2 September 2022, the Federal Court dismissed an application by an individual for judicial review of a decision by the Australian Information Commissioner: Saffari v Australian Information Commissioner [2022] FCA 1016. The applicant alleged that the Commissioner made errors of law in determining a complaint about an interference with his privacy by Amazon Australia Services, Inc. The interference with privacy arose by reason of Amazon disclosing the applicant's identity as the anonymous author of a book that was self-published by him using a service provided by Amazon to enable that to take place - the disclosure was made by Amazon to a third party, who had complained to Amazon about the book. The Commissioner had awarded the applicant $3,000 in compensation, and the applicant sought a review under s 39B of the Judiciary Act 1903 (Cth) and under s 5(1)(e) and (f) of the Administrative Decisions (Judicial Review) Act 1977 (Cth) on the basis that the Commissioner had failed to consider elements of a submission by the applicant regarding an apology. Bromwich J concluded that the Commissioner had in fact considered the submission, and that in any event the submission "was not of substance in the sense that it was capable of making any difference".

No obligation to give access to documents which cannot be found

On 9 September 2022, the Federal Court dismissed an application for judicial review of a decision by the Information Commissioner not to investigate a privacy complaint: Skiba v Australian Information Commissioner [2022] FCA 1171. The Applicant complained that the Department of Education, Skills and Employment had refused to comply with a request for access to records containing her personal information in accordance with Australian Privacy Principle 12.1. The Department had advised the Commissioner that no such records could be found, and, on this basis, the Commissioner had ruled that there was nothing which the employer had to produce to the applicant. Rares J concluded that "if it transpires, after a reasonable and proper search, that it [the Department] is unable to locate such information, that is the end of the matter".

State privacy legislation trumped by other legislation

On 21 September 2022, the New South Wales Civil and Administrative Tribunal ruled that the actions of a local council had not breached the Information Privacy Principles contained in the Privacy and Personal Information Act 1998 (NSW) ("the PIPP Act") when it served a rate default notice on a property owner's tenant, because the process was authorised by the Local Government Act 1993 (NSW): FKV v Nambucca Valley Council [2022] NSWCATAD 309. Section 569 of the Local Government Act allows a tenant to pay rates directly to the Council in certain circumstances, rather than the landlord, in satisfaction of the outstanding amount. The owner asserted that revealing his debt status infringed Information Privacy Principles 9, 10 and 11. The claim was dismissed, however, on the basis that section 25 of the PIPP Act exempts compliance with the IPPs by a public sector agency if the agency is permitted to engage in the relevant conduct under the provision of other legislation or means of lawful compliance. Senior Member McAteer summarised the Tribunal's position: "In the current case having found that Council was entitled to apply s 569, then they were also able to rely on that provision to excuse any departure from the relevant IPP's by such action".

New Legislation & Guidelines

Progress on extending CDR to the telecommunications sector

On 15 September 2022, Treasury released exposure draft amendments to the Consumer Data Right (CDR) Rules 2020 for consultation. The exposure draft rules would, as we have previously reported, expand the CDR to the telecommunications sector. The objective of expanding the CDR to the telecommunications sector is, according to Treasury, to "drive more competition and allow consumers to better leverage their internet and mobile data when choosing products". The rules which would expand the CDR to telecommunications were set out in Schedule 5 of the exposure draft. The remaining amendments provided for operational enhancements to the Competition and Consumer (Consumer Data Right) Rules 2020. The deadline for submissions closed on 14 October 2022.

Proposal to facilitate "action initiation" under CDR

On 26 September 2022, Treasury released exposure draft legislation to enable "action initiation" in the Consumer Data Right (CDR). The draft Treasury Laws Amendment (Measures for Consultation) Bill would create a new option for consumers to instruct a business to initiate actions on their behalf and with their consent. Pursuant to a new provision in the Competition and Consumer Act 2010, provisionally nominated as an amendment to section 56AB, a service provider given an instruction under the rules to perform an action would be required to do so if it ordinarily performed actions of that type in the course of its business. Beyond that, the legislation would introduce little regulation of the action layer - the service provider could, for example, perform the action, and charge any fee, in the way it ordinarily did. The deadline for submissions on the draft Bill closed on 24 October 2022.

Change to security laws in response to Optus cyber-attack

On 10 October 2022, the Telecommunications Amendment (Disclosure of Information for the Purpose of Cyber Security) Regulations 2022 came into effect. As a direct consequence of a major Optus data breach involving nearly 10 million customers which was reported in late September 2022, the instrument amended the Telecommunications Regulations 2021 to prescribe new circumstances in which carriers and carriage service providers can disclose customer information to third parties. Section 276 of the Telecommunications Act 1997 (Cth) contains a general prohibition on disclosure, whilst section 292 empowers regulations to be made which create exceptions to that prohibition. The purpose of the amendments to the Regulations is to remove legal barriers faced by carriers and carriage services providers in disclosing certain customer data in limited circumstances, such as a cyber-security incident, fraud, scam, identity theft or malicious cyber activity. The amendment to the Regulations permits carriers and carriage service providers to securely disclose government identifiers such as drivers' licence and passport numbers to financial services entities (covering entities like Australian banks) and government agencies. On 12 October 2022, the Attorney-General, Mark Dreyfus, told the National Press Club that further changes, arising out of a review of the Privacy Act which was commenced by the Attorney-General's department under the previous government in 2019, would be introduced before the end of 2022.

Policies, Reports & Enquiries

Research body backs GDPR-style legislation for Australia

In June 2022, a submission by the Australian Research Data Commons (ARDC) in response to the National Data Security Action Plan Discussion Paper urged the Australian government to align its privacy legislation with the EU General Data Protection Regulation (GDPR). The ARDC is Australia's peak body for research data. The submission described the GDPR as an "emerging global standard with which Australian organisations must increasingly comply because they either process data about Europeans or else wish to collaborate on personally identifiable data with organisations otherwise bound by the GDPR". The fact that Australia's privacy legislation was not considered adequate for the purposes of Article 45 would over time become increasingly problematic for Australian researchers as the proportion of research data they can access and the ability to collaborate with GDPR-bound counterparts declines. The submission speculated that Australian researchers "may prefer to move their data and research activity onto offshore research infrastructure and into environments recognised as being compliant with the GDPR".

CDR should be extended to non-banking lending sector

On 19 August 2022, Treasury published a recommendation that the Consumer Data Right be extended to the non-bank lending sector: Consumer Data Right: Non-Bank Lending Sectoral Assessment, Final Report. The Report concluded that "extending the CDR to non-bank lending is likely to result in significant benefits for individual and business consumers - namely better service and greater potential for innovation". Consistent with the approach adopted towards the banking, energy and telecommunications sectors, it recommended designating generic and publicly available information about non-bank lending products, information about a CDR customer (such as contact information) and information about the use of a non-bank lending product. By streamlining non-bank lending application processes, the CDR would also help lenders make more accurate and efficient lending decisions, while reducing the administrative burden of receiving consumers' financial information. Any privacy concerns could be "appropriately mitigated by the rules and standards, which are likely to closely mirror those currently in operation in the banking sector".

Changes to Credit Reporting Code foreshadowed

On 20 September 2022, the Office of the Australian Information Commissioner (OAIC) proposed a number of amendments to the Privacy (Credit Reporting) Code 2014 ("the CR Code"). The recommendations were contained in its submission to the 2021 Independent Review of the Privacy (Credit Reporting) Code, the first such review since 2017. Credit reporting information is regulated by the Privacy Act 1988, and Part IIIA of the Act imposes obligations on banks and other credit providers, as well as credit reporting bodies, to protect an individual's personal information when they are seeking credit. The CR Code outlines how entities are to comply with Part IIIA when handling credit information. The proposals included streamlining the process for individuals to access their credit reports; facilitating the ability of individuals to 'shop around' for credit products; offering an automatic extension to people who have been subject to identity theft when they request a ban on their credit report to prevent fraud; and requiring credit reporting bodies to remove statute-barred debts from an individual's credit report. The OAIC plans to implement the proposals over the next two years.

Experts call for facial recognition technology regulation

On 21 September 2022, the Human Technology Institute at the University of Technology Sydney published a report calling for the introduction of legislation to regulate the development and use of facial recognition technology: Facial Recognition Technology: Towards a Model Law. The report proposed a Commonwealth "FRT Model Law" within the regulatory purview of the Office of the Australian Information Commissioner or other suitable regulator, complemented by a process at State and Territory level to ensure harmonisation across all Australian jurisdictions. The report emphasised that facial recognition technology, despite its obvious benefits, "necessarily also engages, and often limits or restricts, a range of human rights", and a key element of the Model Law would be that "anyone who develops or deploys an FRT Application must first assess the level of human rights risk that would apply to their particular FRT Application".

Independent review of CDR completed

On 29 September 2022, the Commonwealth government released the report of the independent Statutory Review of the Consumer Data Right (CDR), led by Ms Elizabeth Kelly: Australian Government, Statutory Review of the Consumer Data Right: Report. The report contained 16 recommendations, including the introduction of "action initiation"; a streamlined mechanism to update designation instruments; and greater visibility of success measures. The report further recommended that screen scraping should be banned in sectors where the CDR was a viable option; priority be given to improving CDR functionality ahead of an accelerated CDR rollout; and consideration should be given to "a whole of ecosystem cyber security assessment". In addition, small business participation should be encouraged; government participation should be prioritised; and consideration should be given to funding consumer advocacy groups.

Health Privacy Issues

Tribunal rules on unauthorised disclosure of case management records

On 5 August 2022, the New South Wales Civil and Administrative Tribunal ruled that a disclosure of patient information by the South Eastern Sydney Local Health District amounted to a breach of the Health Records and Information Privacy Act 2002 (NSW), notwithstanding that the disclosure had been made in the interests of the patient: ERJ v South Eastern Sydney Local Health District [2022] NSWCATAD 260. The Applicant was being provided with case management support by one of the Respondent's facilities, and information concerning his treatment was disclosed to a separate agency which was providing medical treatment to the Applicant. Health Privacy Principle 11 does not permit the disclosure of health information for a secondary purpose unless either the individual has consented, or the secondary purpose is "directly related" to the primary purpose of collection and is one which the individual would reasonably expect. The Tribunal concluded that the disclosure was not made in connection with the primary purpose of collection and, whilst it was made for a directly related secondary purpose, it was not a disclosure of the type which the Applicant would reasonably have expected. As there was no evidence of consent by the Applicant, the Respondent was found to be in breach of HPP 11.

Tribunal cannot offer a "second opinion" on clinical test results

On 2 September 2022, the Victorian Civil and Administrative Tribunal rejected a complaint by an individual that the Department of Health and Human Services infringed various Health Privacy Principles by refusing her permission to access and to provide her with an opportunity to amend the adverse results of a compulsory urine test: IGA v Australian Clinical Labs [2022] VCAT 1014. Deputy President Nihill ruled that the Tribunal did not have the power to question the test results which the applicant claimed must be in error if they showed the presence of methamphetamine, and hence there had been no breach of HPP 3.1 or HPP 6.5 in declining to amend the results. The applicant further asserted that the Department was in breach of HPP 6.1, which requires access to health information to be provided on request, by virtue of the Department's delay in sending her a copy of the reports. The Deputy President determined, however, that the documents had in fact been eventually sent to her, albeit "it took some time", and accordingly the requirements of HPP 6.1 had been met.

Tribunal failed to consider the correct issue

On 7 September 2022, the Supreme Court of Victoria overturned and remitted a decision of the Victorian Civil and Administrative Appeals Tribunal which had earlier found that the respondent doctor had not breached the Health Privacy Principles set out in the Health Records Act 2001 (Vic) when incorrectly recording the applicant's medical history: EXW v Dr Christopher Mulroney [2022] VSC 524. Ginnane J accepted that it was not for the Tribunal to "second guess or reassess or indeed delve into" the doctor's diagnosis, but the central issue to be considered by the Tribunal should have been whether the health record accurately recorded the diagnosis which had been made. The Tribunal had, in this regard, failed to exercise its jurisdiction by not considering the complainant's case.

Medibank suffers data breach

Medibank Private has experienced a major cybersecurity incident, mere weeks after the massive Optus data breach which placed information of one-third of Australians at risk: https://www.afr.com/technology/privacy-breach-fines-will-be-the-least-of-medibank-s-worries-20221020-p5brfp. Medibank disclosed that it may have had as much as 200 GB of health insurance data stolen, which includes "first names and surnames, addresses, dates of birth, Medicare numbers, policy numbers, phone numbers and some claims data" of some users of international students services. Claims data allegedly includes the location of medical services, some diagnoses and procedures. Given the fact that most health data stored by companies such as Medibank is only regulated by the Privacy Act, maximum civil penalties of $2.2 million for failing to secure data are "virtually nothing" for big companies, according to former NSW Deputy Privacy Commissioner Anna Johnston. Bigger concerns include potential compensation payments to affected individuals, loss of shareholder value, reputation and customers. The Albanese government has proposed to overhaul Australia's privacy laws, which will increase maximum fines for these kinds of privacy breaches to the larger of $10 million, three times the benefit obtained through the misuse, or 10% of annual Australian turnover.
