Australian members of Meritas, the premiere global alliance of independent law firms, have joined together to publish Australia: A legal guide for business investment and expansion. The guide provides practical information for foreign investors and businesses wanting to operate in Australia.
In part 8 of this series of articles, which presents different sections of the guide, we look at competition and consumer protection in Australia.
Competition and consumer protection
Australia has extensive competition and consumer laws dealing with, among other things, the promotion of competition and consumer protection. This section provides an introduction to this area of Australian law.
The Competition and Consumer Act 2010 (CCA) provides the primary source (though not the only source) of competition regulation in Australia. It is supplemented in some respects by state legislation and, for some industries, industry-specific legislation.
The competition law provisions of the CCA include regulatory control over, for example:
- mergers and acquisitions
- price-fixing arrangements (e.g. price fixing agreements between competitors or the fixing by a supplier of the minimum price at which goods supplied by it can be resold)
- misuse of market power by a corporation with a substantial degree of power in a market
- customer, supplier and territorial arrangements (e.g. arrangements that control the suppliers that a party to the arrangement can use and/or which allocate particular customers or exclusive territories to a party)
- anti-competitive arrangements between competitors (e.g. bid-rigging between tenderers in the course of a tender process) or between organisations in general
- third-party access to essential infrastructure.
Some of the regulated conduct is only prohibited if it has the purpose or the effect of substantially lessening competition in a market. However, there are other types of regulated conduct (e.g. most price-fixing arrangements between competitors) that are prohibited outright regardless of the effect on competition.
Policing compliance with the CCA is the responsibility of the Australian Competition and Consumer Commission (ACCC). There are provisions in the CCA allowing the ACCC to authorise, in certain circumstances, proposed conduct that would otherwise, or which might otherwise, breach the competition law provisions of the CCA. Such conduct includes third line forcing, which is prohibited unless authorised by the ACCC.
The CCA also provides for voluntary industry codes of conduct, such as the Food and Grocery Code of Conduct, and mandatory codes, such as the Franchising Code of Conduct. Breaches of industry codes can result in sanctions under the CCA.
The CCA provides various types of protection for Australian consumers, including:
- control over the manner in which a total price is to be brought to the attention of a consumer where a component part of a price (e.g. a price exclusive of taxes, postage and handling) is referred to
- a prohibition on misleading or deceptive conduct in trade or commerce (e.g. a prohibition on misleading advertising)
- a number of consumer guarantees that every ‘consumer’ has the benefit of, and which cannot be contracted out of by manufacturers or suppliers
- unsolicited consumer contracts
- the regulation of the provision of credit finance to consumers
- the imposition of product liability on manufacturers and importers in favour of consumers
- restrictions on the dissemination of certain private information relating to consumers and others.
The consumer guarantees that are granted are available regardless of any warranty that the consumer may purchase or may be given. These statutory guarantees apply to all consumers, which includes any person who acquires goods or services, where the contract price is under $40,000. It also applies where the contract price is more than $40,000 if the goods or services purchased are normally used for personal, domestic or household purposes. A warranty against defects that may be provided by a manufacturer or supplier is in addition to any of the consumer guarantees and does not limit or replace them. All documents (including any material on which there is any writing or printing or on which there are any marks or symbols) evidencing a warranty against defects, including any description of the features or terms of a warranty against defects, must adhere to the requirements of the Australian Consumer Law.
In addition to civil liability for contraventions of the competition and consumer provisions of the CCA, courts can impose significant pecuniary fines and criminal penalties for contraventions. For example, criminal fines and imprisonment for up to 10 years is available for contraventions of the cartel provisions of the CCA. Maximum fines of $1.1 million can be imposed on corporations for any misleading and deceptive representations.
Protection also exists under the CCA for consumers signing a consumer contract where a standard form of contract is used (with little opportunity to negotiate) and which contains an ‘unfair term’. A term will generally not be unfair if reasonably necessary to protect the legitimate interests of the business.
Australia has a number of rules that limit the use and disclosure of personal information. The principle underlining the regime is one of informed consent. Presently, there is no right to privacy. Individuals have the right to be fully informed prior to disclosing information as to how and why an organisation collects personal information, and the uses made of it, so as to be able to make a fully informed decision as to whether to agree to those information-handling practices. The primary statute governing privacy is the Privacy Act 1988.
Following recommendations from the Australian Law Reform Commission, there is now a uniform approach to privacy through a single set of 13 privacy principles applying to the public and private sectors. These are known as the Australian Privacy Principles (APPs) and came into effect on 12 March 2014, with the commencement of the Privacy Amendment (Enhancing Privacy Protection) Act 2012. Further amendments were made to the Privacy Act 1988 in February 2018 concerning the mandatory notification of certain types of data breaches that are likely to cause serious harm to an individual.
Private sector businesses that have a turnover of more than $3 million, provide health services and hold health information, commercially deal in personal information or are contracted service providers under a Commonwealth contract, must comply with the APPs. The APPs:
- allow individuals the option to operate anonymously or pseudonymously (APP 2)
- apply higher standards for APP entities collecting solicited personal information and outline how unsolicited information must be handled (APPs 3 and 4)
- outline how personal information may be used or disclosed and place strict conditions on the use of personal information for direct marketing purposes (APPs 6 and 7)
- require certain steps to be taken to ensure protection of personal information before it is sent overseas (APP 8)
- place obligations on APP entities to ensure that information collected is up to date, can be corrected and require reasonable steps to be taken to ensure its accuracy (APPs 10 and 13)
- allow individuals to better access their personal information by including a requirement to provide, unless a specific exception applies (APP 12).
Where an organisation in Australia deals in information, the Act applies to that organisation’s handling of information inside and outside Australia. The Act also applies to foreign organisations if the foreign organisation conducts business in Australia and collects information in Australia.
Australia’s statutory privacy law provisions do not generally provide for civil actions by affected individuals. However, some causes of action for breach of confidence exist.
There are some parallels between the concepts underlying Australia’s notifiable data breach scheme and the personal data breach provisions under GDPR (Articles 33, 34, 58 and 83). However, there are important differences. For example, the mandated ‘assessment phase’, where one is not sure whether serious harm is likely, and the penalties attaching to failure to notify. The penalties are significantly higher in the European Union.
Unlike the European GDPR, Australian privacy principles are not strictly based on statements of individuals’ human rights and freedoms.
Australian privacy law does not include an express distinction between controllers and processors and does not mandate any particular terms for written contracts between controllers and processors.
Australia privacy law does not have an express equivalent of those provisions of General Data Protection Regulation (GDPR) that require at least one of six lawful bases for collection.
As to the territorial reach of the Privacy Act 1988 (Cth), it covers those who:
- have some recognition under Australian law (for example are incorporated in Australia)
- do not have such recognition but who both carry on business in Australia and collect the relevant personal information in Australia.
As to cross-border disclosure of personal information, Australian law does not allow cross-border disclosures in circumstances where adequate protection of individuals’ rights is not guaranteed. Instead, Australian law imposes, in effect, vicarious liability on the entity governed by the Privacy Act 1988 for the data breaches of those to whom cross-border disclosures occur and who are not governed by that Act.
The Australian Information Commissioner may seek to impose civil penalty provisions for interferences with privacy. These can include financial penalties in the order of $500,000.
The Australian Information Commissioner has broad supporting powers. These are to investigate and conciliate and to make ancillary orders, for example obtaining documents and carrying out ‘own motion’ assessments.
The Commissioner’s authorised actions are also:
- examining proposed legislation that would allow interference with privacy or may have any adverse effects on people’s privacy
- researching and monitoring developments in data processing and computer technology to ensure that adverse effects on people’s privacy are minimised promoting an understanding and acceptance of the Australian privacy principles and their objects
- preparing and publicising guidelines for agencies and organisations to follow to avoid breaches of privacy
- encouraging industries to develop programs to handle personal information consistent with the Australian privacy principles.
In addition to the commonwealth regime, each state and territory has differing requirements for businesses operating within each particular jurisdiction.
The Australian Federal Parliament has also legislated to control or prohibit in certain circumstances direct marketing activities, including using telephone numbers listed on the Do Not Call Register, commercial or electronic messages (spam) and unsolicited consumer contracts by telephone.
The Spam Act 2003 covers email, instant messaging, SMS and MMS or any other electronic messaging of a commercial nature. It does not cover faxes, internet pop ups or voice telemarketing. There are three essential requirements that must be met in order to ensure that a commercial electronic message is not spam:
- the sender is identified
- the message is sent with consent
- the message includes a functional unsubscribe facility.
Spam compliance is an area that is the subject of significant activity by the regulator, the Australian Media and Communications Authority (ACMA). The maximum penalty for an initial offence is $68,000 per day for an individual and $340,000 per day for a body corporate. For repeat offences, the maximum penalty increases to $340,000 per day for an individual and $1,700,000 for a body corporate.
Under the Do Not Call Register Act 2006, individuals can only place private, fixed-line or mobile phone numbers on the Register. Businesses are prohibited from making telemarketing calls to numbers listed on the Register, subject to some exceptions. In addition to these requirements, the Telemarketing Industry Standard sets out a number of requirements that must be followed by any business that is making a telemarketing call, including those numbers not on the Register.
Again, this regime is administered by ACMA, which is entitled to seek civil penalty orders from the Federal Court of Australia or the Federal Circuit Court of Australia for breaches.
In addition to this regulatory regime, the Australian Direct Marketing Association (ADMA) has adopted a number of principles in its codes of practice that apply to association members making telemarketing calls from fixed-line and mobile phones.
There is also a Fax Marketing Industry Standard, which is similar to the Telemarketing Standard, that applies to all participants in the fax marketing industry regardless of whether or not the numbers are on the Register.
The Australian Consumer Law also contains similar (but not identical) provisions in relation to calling or contacting a person for the purpose of negotiating an unsolicited consumer agreement, or for an incidental or related purpose, either in person or by telephone.
Unsolicited consumer agreements occur as a result of negotiations by phone or at a location other than the seller’s place of business; when the seller approaches uninvited; and the total value of the business is more than $100 (or cannot be determined when the agreement is made). The most common form of sales methods that can lead to unsolicited consumer agreements are:
- door-to-door selling
- being approached by a sales agent in a public space.
Failure to comply with the requirements can lead to significant fines, in addition to any reputational loss or damage.