Key developments during February 2017 in the area of Technology, Media and Telecommunications (TMT) are summarised as follows.

JUDGMENTS

New South Wales Supreme Court upholds contractual restraint of trade. On 30 January 2017, the New South Wales Supreme Court upheld the validity of a 12 month post-employment restraint on a computer engineer: Thinkstorm Pty Ltd v Farah [2017] NSWSC 11. The employer was engaged in the business of providing IT personnel to clients. The defendant, who had expertise in the use of a particular workforce management software system, had worked for over five years, at the direction of the employer and pursuant to three successive employment contracts, for Queensland Health. The defendant resigned his employment with the plaintiff and then continued to provide the same services to Queensland Health through an alternative employer, notwithstanding a 12 month contractual restraint on working for the plaintiff's customers. Lindsay J considered that in general "12 months appears to be the outer limits of what would be a restraint of reasonable duration" but nevertheless acknowledged that restraints of 6 to 12 months were not uncommon in the IT industry. In concluding that the restraint in this instance was reasonable, his honour took account of the fact that the defendant had agreed, in each of three successive employment engagements with the plaintiff, to restraints of 12 months, agreeing in each instance that the restraint was reasonable to protect the plaintiff's legitimate interests.

Federal Court finds two ex employees' company responsible for copyright infringement and breach of confidence. On 10 February 2017, the Federal Court found that a company formed by two former employees of an equipment manufacturer infringed the employer's copyright in its proprietary software by launching competing software products which were substantially similar: IPC Global Pty Ltd v Pavetest Pty Ltd (No 3) [2017] FCA 82. The court noted that parts of the respondents' software were identical or similar to the applicant's software, and that the copied code played a functionally significant role in the operation of the applicant's software as a whole. Moshinsky J emphasised that the test for infringement involved a qualitative rather than a quantitative assessment of substantiality. The court further found that the applicant's source code and protocol documents comprised confidential information which had been misused by the respondents and that Pavetest had gained a "springboard" benefit (relevant to the question of damages) as a result of the considerable development time it had saved by copying the applicant's material.

Federal Court rules on misleading advertising about rival apps. On 13 February 2017, the Federal Court delivered a judgement in which it held that Fairfax Media engaged in misleading or deceptive conduct in breach of sections 18 and 29 of the Australian Consumer Law by publishing certain advertisements comparing an app which was operated by a wholly owned subsidiary, with an app which was operated by the applicant: REA Group Limited v Fairfax Media Limited [2017] FCA 91. Some advertisements were found to be clear "puffery" and others were found to have a legitimate basis. Of particular interest was the court's approach to identifying the class of persons to whom the advertisements were directed, being an essential step in determining whether the conduct was likely to mislead or deceive. Murphy J noted the advertisements were directed at a broad cross-section of the public and were primarily aimed at motivating the reader to download the app, more specifically, real estate agents and members of the public with an interest in the property market. His honour considered it was relevant that as the app was free and its use could be discontinued at will, people were less likely to pay attention to claims in the advertisements. Apps were "ubiquitous" in modern life and real estate agents, in particular, would approach claims in such advertisements with "a high level of caution or scepticism". An unfounded claim that the respondent's app had more listings than any comparable product was held to be false or misleading, but not claims such as "the best property listings in Melbourne" or "the #1 property app in Australia".

New South Wales Supreme Court finds company and a director misled investors over value of software company. The New South Wales Supreme Court has ruled that a software company breached its share issues agreement, and a director engaged in misleading or deceptive conduct in contravention of section 18 of the Australian Consumer Law, by overstating the potential value of the business to prospective investors: Ebbsfleet Pty Ltd v Semantic Software Asia Pacific (No 3) [2017] NSWSC 78. The plaintiff purchased 6.5 million shares in the defendant company in reliance upon an express contractual warranty by the company, and representations by the director, that the shares would triple in value within two years. The warranty and representations revolved around the anticipated future value of existing software patents and additional technology then under development. In relation to the finding of breach of contract, Stevenson J disregarded a clause which limited the warranties to 12 months' duration as this would have had the unintended effect of destroying the effect of the warranty that the shares would triple in value in two years. In relation to the director's misrepresentations, his honour disregarded a contractual acknowledgement by the investors that they had not been induced to enter the agreement by any representation or warranty, and a contractual disclaimer of liability for damages, on the basis that such clauses cannot insulate a party from the operation of the Australian Consumer Law. The court concluded that but for the warranties and the director's representation, the plaintiff would not have invested their funds in the company.

NEW LEGISLATION AND GUIDELINES

Mandatory data breach reporting legislation passed. The Privacy Amendment (Notifiable Data Breaches) Bill 2016 was passed on 13 February 2017. The legislation, which will come into effect on 22 February 2018 (12 months after Royal Assent), implements the recommendations of a Parliamentary Joint Committee on Intelligence and Security, as well as the Australian Law Reform Commission, by requiring government agencies and private sector organisations to notify the Australian Information Commissioner and affected individuals in the event that they suffer an eligible data breach. The legislation was previously tabled in the House of Representatives in October 2016. As mentioned in our last update, a Regulatory Impact Statement released by the Attorney-General's Department on 11 January 2017 was supportive of a mandatory reporting scheme. The essence of the new scheme is that an entity will be required to comply with specific notification obligations as soon as practicable after becoming aware of reasonable grounds for believing it has been the subject of an "eligible data breach". An eligible data breach will occur if personal information about one or more individuals held by the entity is subject to unauthorised access or disclosure, or is lost in circumstances in which unauthorised access or disclosure is likely to occur, and a reasonable person would conclude that such access or disclosure is likely to result in serious harm to any such individual.

The current children's online safety legislative scheme will be expanded to embrace older Australians.: On 7 February 2017, the Enhancing Online Safety for Children Amendment Bill 2017 was introduced in the House of Representatives. The Bill will amend the Enhancing Online safety for Children Act 2015 (in the process re-naming it the Enhancing Online Safety Act 2015) by broadening the functions of the Children's eSafety Commissioner (changed to simply the "eSafety Commissioner") and emphasising, in particular, that the functions of the Commissioner in fact go beyond the online safety of children and embrace assistance to adults who are victims of illegal or offensive online content or "revenge porn", or who simply seek general advice about managing technology risks and online safety. The principal objective of the amendments is to make it clear to the public that the Commissioner can be a source of assistance and advice in relation to a range of online safety issues, irrespective of the age of the enquirer. The Second Reading Speech emphasised the government's commitment to "bridging the digital divide" and ensuring older Australians have the skills and confidence to participate in the modern digital economy.

Northern Territory and ACT energy and water utilities may disclose credit information to credit reporting bodies. On 23 February 2017, the Privacy Amendment (Energy and Water Utilities) Regulation 2017 was passed. The Regulation enables electricity, gas and water utilities in the Northern Territory and the ACT to continue disclosing credit information about individuals to credit reporting bodies until 1 January 2018, by which time it is anticipated that legislation will have been enacted to enable the utilities to participate in recognised external dispute resolution schemes in those jurisdictions. Section 21D(2)(a)(i) of the Privacy Act 1988 requires a credit provider to be a member of a recognised external dispute resolution scheme unless regulations provide otherwise. Utilities are considered to be "credit providers" under the Act. Legislation is required in order to enable the recognition of EDR schemes in the Northern Territory and the ACT, and the purpose of the Regulation is to enable utilities in those jurisdictions to continue interacting with credit reporting bodies until such legislation has been implemented.

ACT privacy legislation recognises equivalence of Victorian and New South Wales privacy laws. On 27 February 2017, the Australian Capital Territory passed the Information Privacy Amendment Regulation 2017 (No 1), effectively recognising the Privacy and Data Protection Act 2014 (Vic) and the Privacy and Personal Information Protection Act 1998 (NSW) as offering privacy protection equivalent to the Information Privacy Act 2014 (ACT). Under section 21(1) of the ACT Act, a Territory agency must include a provision in its contracts requiring contractors to comply with the Territory Privacy Principles or a "corresponding privacy law". Under section 21(4), a "corresponding privacy law" means the Privacy Act 1988 (Cth) or the law of any other jurisdiction prescribed by regulation. The effect of the new regulation is that in future ACT government agencies will not be required to mandate compliance by contractors with ACT privacy laws if the contractor is already bound to comply with Victorian or New South Wales privacy laws, thus avoiding the need for dual compliance. The regulation recognises that the ACT, Victorian and New South Wales Acts offer similar privacy frameworks.

POLICIES, REPORTS AND ENQUIRIES

Senate committee reports on data re-identification bill. On 7 February 2017, the Senate's Legal and Constitutional Affairs Legislation Committee delivered its report on the Privacy Amendment (Re-identification Offence) Bill 2016. As mentioned in a previous update, the Bill was referred to the Committee on 10 November 2016. The legislation is designed to prohibit conduct related to the re-identification of de-identified personal information published or released by Commonwealth entities, and will have retrospective effect to 29 September 2016, being the date upon which the Attorney-General initially issued a media release advising of the government's intention to introduce the new criminal offence. The Committee concluded that despite concerns raised in relation to the introduction of a criminal offence, a reverse onus of proof and retrospective application, on balance the legislation represented a "necessary and proportionate response" to the challenge of striking a balance between the potential benefits of research involving open data and any consequent threat to individual privacy.