Key recent developments in the area of Technology, Media and Telecommunications are summarised below.
Federal Court issues site blocking order against ISPs
On 20 September 2018, the Federal Court granted an injunction under the s115A of the Copyright Act 1968 to compel internet service providers (ISPs) to block online access to certain domain names, which were streaming unauthorised copyright-protected content: Television Broadcasts Limited v Telstra Corporation Limited  FCA 1434. The applicant relied on its copyright in the relevant films that were streamed online from the domain names. Nicholas J held the requirements of section 115A(1) had been satisfied, namely, that the respondent ISPs were carriage service providers providing access to online locations outside Australia, the online locations facilitated the infringement of the applicant’s copyright in its cinematograph films, and the primary purpose of the online locations the subject of the application was to facilitate such infringements. His Honour rejected the contention that undue hardship would be caused to viewers presently using streaming devices to view the content for free, and that a blocking order would be disproportionate if it prevented the viewing of the relatively small percentage of content which was not protected by copyright.
NEW LEGISLATION AND GUIDELINES
Decryption bill tabled in federal parliament
On 20 September 2018, the Telecommunications and Other Legislation Amendment (Assistance and Access) Bill 2018 was tabled in the House of Representatives. The legislation, which had been foreshadowed in an exposure draft bill released on 14 August 2018 which we have previously discussed here, introduces a number of enhanced surveillance powers, the most contentious being contained in Schedule 5, which would enable ASIO to require a person with knowledge of a computer or a computer system to provide assistance that is reasonable and necessary to ASIO in order to gain access to data on a device that is subject to an ASIO warrant. The types of assistance ASIO may seek under these amendments, according to the Explanatory Memorandum, include compelling a target or a target’s associate to provide the password, pin code, sequence or fingerprint necessary to unlock a phone. The Minister for Home Affairs emphasised in his Second Reading Speech that the government was “not seeking to mandate so-called backdoors”, noting that the Bill specifically provided that companies could not be required to create systemic weaknesses in their encrypted products, or be required to build a decryption capability.
Government releases further draft material on proposed Consumer Data Right.
We have previously reported here on the federal government’s proposed Consumer Data Right, and also an ACCC consultation paper here. On 24 September 2018, the government released the second stage of exposure draft legislation and explanatory material relating to the proposed Consumer Data Right: Treasury Laws Amendment (Consumer Data Right) Bill 2018: Provisions for further Consultation. The revised draft legislation includes a limitation on rule making powers relating to access to derived data, and also clarifies the interaction of the Privacy Safeguards. The released material also includes a draft Consumer Data Right (Authorised Deposit-Taking Institutions) Designation 2018. As required by section 56AC of the draft Bill, the Designation Instrument specifies that authorised deposit-taking institutions would be covered initially by the Consumer Data Right, whilst further designating the classes of information which would be subject to it. The consultation period for the draft material expired on 15 October 2018.
Public interest determination regarding privacy of the Australian Honours System
We have previously reported here that in March 2018, the Australian Information Commissioner issued a temporary public interest determination to the effect that the Department of Home Affairs could disclose certain information in connection with the assessment of proposals for awards under the Australian Honours System. On 5 October 2018, the Commissioner issued a final determination to replace the temporary determination: Privacy (Australian Honours System) Public interest Determination 2018. The new PID allows the Department to disclose personal information to the Office of the Official Secretary to the Governor-General and to the Department of the Prime Minister and Cabinet for the purpose of verifying the Australian citizenship or permanent residency status of individuals who are the subject of a nomination. The Commissioner concluded that whilst such disclosures would be inconsistent with Australian Privacy Principle 6 because they did not involve the disclosure of information in connection with the primary purpose of collection or a reasonably related secondary purpose, it was nevertheless in the public interest for such disclosures to be permitted.
POLICIES, REPORTS AND ENQUIRIES
Use of CCTV by local councils reviewed
On 19 September 2018, the Victorian Government Auditor’s Office published the results of a review of the use of surveillance technologies by local councils in public places and in council facilities: Security and Privacy of Surveillance Technologies in Public Places, VGAO, September 2018. Noting that over 1,100 CCTV devices were currently in use by relevant local councils, the audit focussed on compliance with privacy laws and, specifically, the security of information collected. The report made a series of findings and recommendations, highlighting the need for up-to-date CCTV polices, the development of site-specific operating procedures, the conduct of privacy impact assessments prior to implementation of new systems, updating signage in locations with corporate CCTV systems and ensuring regular periodic audits of CCTV system use and security.
APRA releases updated outsourcing guide
On 24 September 2018, APRA published an updated information paper on outsourcing by APRA-regulated entities (institutions across the banking, insurance and superannuation sectors) involving cloud computing services: Information Paper: Outsourcing Involving Cloud Computing Services. APRA had previously released a paper in 2015. The updated paper was expressed as being a response to APRA’s observations concerning the growing usage of cloud computing services by APRA-regulated entities, and an increasing appetite for higher inherent risk activities, as well as areas of weakness identified as part of supervisory activities. The paper outlined risk management issues for consideration by APRA-related entities when utilising cloud computing services. These included change management strategy, an appropriate governance framework, a systematic solution selection process, a measured approach for transitioning, initial and periodic security risk assessments, a considered allocation of responsibility as between the provider and the client, ongoing oversight, business recovery contingency planning and the adoption of a suitable audit and assurance model.
Government to review management of identity information
On 26 September 2018, the federal government announced that it would conduct a review of arrangements for the protection and management of identity information in Australia. The Minister for Home Affairs stated that the ultimate objective was to better protect Australians from the theft or misuse of their identity information, minimise the impact of identity crimes on individuals, tailor government services as necessary and promote the protection of individual privacy. The Review will focus primarily, but not necessarily exclusively, on arrangements for issuing, using and managing an individual’s documents, credentials and their related identity information that are most commonly relied upon as evidence of a person’s identity by government and key sectors of the economy. Consideration would be given to legislative frameworks, data handling practices and the nature and extent of coordination amongst government agencies. The closing date for public submissions is 26 October 2018.
Discussion paper addresses the privacy of transport system data
On 26 September 2018, the National Transport Commission released a discussion paper on privacy challenges associated with government collection and use of information likely to be generated by C-ITS (Co-operative Intelligent Transport System) and automated vehicle technology. C-ITS data is produced when components of the transport network (vehicles, roads and infrastructure) communicate and share real-time information (for example, information on vehicle movements, traffic signs and road conditions) through C-ITS devices. The information is used by government to inform and enhance decision making in relation to law enforcement, traffic management and infrastructure planning. The paper recognised that C-ITS technology creates potential privacy challenges, particularly as a result of the use of in-cabin cameras, biometric and health sensors and widespread direct collection of location information. The NTC expressed a preliminary preferred option for the creation of new principles to address the privacy challenges of C-ITS and automated vehicle technologies. The discussion paper calls for public submissions by 22 November 2018.
US Senate Committee contemplates need for federal privacy law
The absence of a federal privacy law in the United States has long been regarded as problematic by the international community. On 26 September 2018, the US Senate Select Committee on Commerce, Science and Transportation conducted a hearing entitled “Examining Safeguards for Consumer Data Privacy”. The Committee has oversight of, amongst other things, communications and interstate commerce. The catalyst for the hearing, chaired by Senator John Thune, was a perceived need to address the implications of the commencement of the European Union’s Global Data Protection Regulation but was also reflective of concerns about the absence of a federal privacy law and the growing “patchwork” of inconsistent state privacy and data protection laws. The Committee took account of recent privacy reports that were released by the Obama Administration in February 2017 and the Federal Trade Commission in January 2018, both of which highlighted the need for federal legislation which provided baseline privacy protections for consumers in the United States.
Treasury to review taxation of the digital economy
On 2 October 2018, the Commonwealth Treasury issued a discussion paper regarding options for a more sustainable tax system for the digitised economy: The Digital Economy and Australia’s Corporate Tax System. The paper proceeds on the premise that the “changing and unpredictable nature of digitisation” has implications for the Australian tax system which relies on fundamental concepts of source of income and residence of the taxpayer to determine taxable income. Income from business activities undertaken offshore is typically exempt. Many foreign-based, highly-digitised businesses have relatively small Australian-sourced profits, and increasing digitisation and increasingly mobile intangible assets are seen as intensifying the challenge to traditional thinking. A central issue raised by the paper for discussion is whether changes are required to existing profit attribution rules, noting that whilst current rules focus on physical presence in the country, highly digitised business can operate with only a digital presence (which facilitates the flow of data) without requiring access to traditional local assets such as offices, machinery or labour. Amongst various options raised for consideration was an EU-style Digital Services Tax to be levied on revenue from digital services where user-created value is central, such as digital advertising and intermediation activities, and from the sale of data from users’ engagement with digital interfaces. The call for submissions closes on 30 November 2018.
HEALTH PRIVACY ISSUES
Inaccurate medical report breaches Victorian Health Privacy Principle
On 25 September 2018, the Victorian Civil and Administrative Tribunal concluded that a medical practitioner breached Health Privacy Principle 3.1 by preparing a report which contained factual inaccuracies: DFB obo MWS v Gerschman  VCAT 1457. The Victorian Health Privacy Principles are set out in Schedule 1 to the Health Records Act 2001 (Vic). Health Privacy Principle 3.1 includes a requirement for health information to be accurate, complete and up to date. The Tribunal accepted that a medico-legal report prepared by the respondent contained an incorrect reference to the complainant’s age and a number of other incorrect references to the complainant’s treatment. The respondent explained that it had been difficult to assemble accurate factual information due to the number of interruptions by the complainant during the consultation. The Tribunal concluded that a majority of the complaints were proven but, exercising its discretion under section 78(1)(b) of the Health Records Act, declined to take any further action (apart from the payment of $150 to the complainant in respect of the respondent’s failure to attend an earlier hearing).
New Rules issued regarding the handling of Medicare and Pharmaceutical Benefits information
On 11 October 2018, the Australian Information Commissioner issued the National Health (Privacy) Rules 2018. The Rules, which are issued under section 135AA(3) of the National Health Act 1953, govern the handling by government agencies of information obtained in connection with a claim for a payment or benefit under the Medicare Benefits Program and the Pharmaceutical Benefits Program. Guidelines were last issued in 2008 and clearly require review, but as the Department of Health has indicated that it intends to review arrangements relevant to section 135AA as part of a measure to improve Medicare compliance, the new Rules essentially seek only to maintain the current arrangements for an interim period not extending beyond 1 April 2022. The new Rules accordingly focus only on updating administrative arrangements to more accurately reflect current practices operating between Departments, specifically the management of claims information, technical standards for databases, the storage and use of Medicare PINs, the exchange of personal information between the Department of Human Services and the Department of Health, and arrangements relevant to the linkage of Medicare Benefits and Pharmaceutical Benefits claims information.