Key developments arising in late 2017 in the area of Technology, Media and Telecommunications (TMT) included the following.
Google unsuccessful in landmark defamation appeal On 4 October 2017, the Full Court of the South Australian Supreme Court dismissed Google’s appeal against a judgment that it defamed the respondent when its search engine automatically incorporated defamatory material about her in its search results: Google Inc v Duffy  SASCFC 130. We recently reported on this decision in more detail here. In short, internet psychics had posted articles on a website called the "Ripoff Reports" which contained defamatory imputations about the respondent, including that she was a "psychic stalker". Google's search engine automatically generated paragraphs from these articles in search results which were presented to searchers who were seeking information about the respondent. Although Google did not maintain the Ripoff Reports website or approve the defamatory material, it was held to be a secondary or subordinate publisher of the material. Google also failed to justify the defamatory imputations, in particular by failing to establish that the respondent was in fact a "psychic stalker". Google argued that it could rely on the statutory defence of qualified privilege, but the majority dismissed Google's appeal, holding that Google had not established that all searchers who may have seen the defamatory material had a sufficient "interest" in it. The respondent unsuccessfully cross-appealed against the quantum of general damages awarded by the trial judge of $115,000, but the Full Court dismissed her appeal because she did not establish that the amount awarded was "manifestly inadequate". The Full Court held that Google’s conduct in failing to apologise and continuing a plea of justification did not provide a basis for additional damages.
Covert photographs do not necessarily amount to "invasions of privacy" The Supreme Court of the ACT recently heard an appeal over whether three photographs directed at women dressed in sportswear amounted to invasions of privacy within the meaning of section 61B of the Crimes Act 1990 (ACT): Stroop v Harris  ACTSC 294. Under this section, it is an offence to observe another person with the aid of a device, or to capture visual data about the person, in circumstances where a reasonable person would consider the conduct to be both an invasion of privacy and indecent. Two photographs were taken of one women squatting down with her car keys in her hand and the third was taken of the second women squatting down on a tennis court. In the court's view, it was insufficient for the purposes of section 61B to establish simply that reasonable members of the community would consider the photographs to be indecent, inappropriate, demeaning, unpleasant and offensive. Although the victims did not anticipate being observed from the angle at which the photographs were taken, the court found the angle and proximity from which the photographs were taken "did not avoid the concealing effects of clothing (in contrast to "upskirting" or "down-blousing")". It was significant to the court that the photographs did not reveal any uncovered parts of the subjects' bodies and that the subjects were in public places and not engaged in private activities when the photographs were taken.
TPG pays $360,000 for contravening the Spam Act On 3 November 2017, the Australian Communications and Media Authority (ACMA) announced that TPG Internet Pty Ltd had paid a $360,000 infringement notice for contravening section 16(1) of the Spam Act 2003 (Cth) by sending commercial electronic messages to consumers who had previously unsubscribed and thereby withdrawn their consent. In response to a series of complaints from consumers, ACMA conducted an investigation and identified that TPG had failed to process unsubscribe requests from consumers during April 2017. ACMA decided to issue an infringement notice rather than refer the matter to the Federal Court after takin account of the fact that TPG had cooperated in the investigation, admitted the breach and undertaken steps to remedy the causes of the breach. This penalty reinforces the importance of ensuring that unsubscribe requests from recipients of electronic communications are properly processed and actioned.
Local council did not breach privacy obligations by revealing the name of an objector On 10 November 2017, the New South Wales Civil and Administrative Tribunal found that a local council had not breached the information protection principle in section 18 of the Privacy and Personal Information Protection Act 1998 (NSW) by disclosing the name of the applicant, who was objecting to a neighbouring development, to the person who had lodged the development application: CYX v City of Ryde Council  NSWCATAD 324. The Tribunal noted that disclosure was permissible under section 18(1)(b) if the individual "was reasonably likely to have been aware" that a certain type of disclosure would occur. The Tribunal found that the applicant had been informed that his submission could be viewed by any interested person, and that it was therefore reasonable to assume that personal information contained in the submission would be disclosed to the person who had lodged the development application.
Local council response to privacy complaint deemed sufficient On 12 November 2017, the New South Wales Civil and Administrative Tribunal ruled that no further action was required in relation to a privacy breach by the Randwick City Council and that no compensation was payable to the applicant, even though it was acknowledged that the council had overlooked the need to redact the applicant's personal information when responding to a request for information from a third party: DED v Randwick City Council  NSWCATAD 327. The Tribunal concluded that an internal review previously conducted by the Council had been adequate, resulting in an acknowledgement, an apology and changes to internal procedures. The Tribunal was satisfied that the council's treatment of the applicant's complaint had been appropriate in the circumstances, and it rejected an application under section 55(1) of the Administrative Decisions Review Act 1997 (NSW) for a more thorough and independent review. It also rejected a claim for compensation, finding that there was inadequate medical evidence to support the applicant's assertion that the council's conduct had caused him stress and anxiety and noting that there were other factors in the applicant's life which might have caused or contributed to this condition.
"Public interest" insufficient to justify public disclosure of covert video recording On 20 November 2017, the Supreme Court of Western Australia denied an application under section 31 of the Surveillance Devices Act 1998 (WA) to publish and broadcast certain video recordings: SAWA Pty Ltd v Australian Broadcasting Corporation  WASC 349. The recordings had previously been received in evidence in Magistrates Court proceedings concerning a charge of cruelty to animals by the plaintiff. The defendant, which made the application, was planning a story on the plaintiff and on the proceedings. Chaney J noted that section 6 of the Act precludes a person from using an optical surveillance device to covertly record a private activity, and section 27 creates an exception on the grounds of public interest. His honour noted that whilst the recording satisfied the exception in section 27, the court was still required under section 31 to consider whether publication was necessary to "protect or further" the public interest. His honour formed the view that whilst publication of the footage would be consistent with the public interest, it was not necessary for that purpose, adding that the plaintiff's privacy would be "damaged in an uncontrolled way by publication of the video recordings to the world at large".
NEW LEGISLATION AND GUIDELINES
Bill tabled in Tasmanian parliament covering digital communications offences The Civil Digital Communications Bill 2017 (Tas), introduced in the House of Assembly on 18 October 2017, provides for of a raft of new digital offences, including the distribution of malicious and indecent or grossly offensive communications or communications that convey such a message or image or a threat (except where the threat is made for legitimate purposes relating to a legal action). The new offences include an offence of disclosing private sexual photographs and films without consent and with an intention to cause distress. Defences would include a reasonable belief the disclosure was necessary to prevent, detect or investigate crime, the disclosure was made in journalistic material published in the public interest, or a reasonable belief that the photograph or film had been previously disclosed for reward and that the discloser had no reason to believe that disclosure occurred without consent. A further offence set out in the Bill involves electronic stalking, the grounds for which would include monitoring a person's use of the internet and social media.
New Commonwealth government privacy code On 26 October 2017, the Privacy (Australian Government Agencies – Governance) Code was included on the Codes Register. The Code, operative from 1 July 2018, was developed by the Australian Information Commissioner in accordance with section 26G of the Privacy Act and imposes obligations on Commonwealth government agencies which are additional to their existing obligations under the Australian Privacy Principles. The Code expands upon the manner in which public sector agencies must meet the requirements of APP 1. APP 1 implicitly promotes a "privacy by design" approach which ensures privacy compliance is included in the design of an entity's information systems and practices. Of particular significance, the Code requires each agency to have a privacy management plan, a designated privacy officer and a designated "privacy champion", the latter being a senior official within the agency with the role of promoting a culture of privacy and providing leadership on strategic privacy issues. The Code also requires agencies to conduct Privacy Impact Assessments for all high privacy risk assessments, and to include appropriate privacy training in any staff induction program.
Mandatory data breach reporting proposed for New South Wales government agencies On 16 November 2017, a private member's bill was introduced in the New South Wales Legislative assembly which, if enacted, would establish a mandatory data breach reporting scheme for State public sector agencies. Known as the Privacy and Personal Information Protection Amendment (Notification of Serious Violations of Privacy by Public Sector Agencies) Bill 2017, the legislation would introduce a new Part 6A ("Notifications of Serious Violations of Privacy") into the Privacy and Personal Information Protection Act (NSW) and would operate in a manner not dissimilar to the amendments contained in the Commonwealth Privacy Amendment (Notifiable Data Breaches) Act 2017 which will come into effect on 22 February 2018. State public sector agencies are not subject to the Commonwealth amendments. The bill is currently awaiting second reading debate.
Australians to own consumer data On 26 November 2017, the Federal Government announced that it will introduce legislation in 2018 to enact a Consumer Data Right, giving Australians ownership of "consumer data". The government has indicated the scheme will initially cover banking, energy, phone and internet data, and will then progressively be rolled out to cover additional industry sectors. The decision reflects recent recommendations contained in the Productivity Commission's May 2017 Data Availability and Use Inquiry (which we previously reported on in an earlier Update: here, and Dr Alan Finkel's 2017 Independent Review into the Future Security of the National Electricity Market. Comments about the government's decision from the Assistant Minister for Cities and Digital Transformation, Angus Taylor MP, indicate that the key objective of introducing the Consumer Data Right is to allow consumers greater access to data about services provided to them in order to facilitate choice and promote greater competition between service providers. It is proposed that both the Australian Competition and Consumer Commission and the Office of the Australian Information Commissioner will be involved in regulating different aspects of the scheme.
HEALTH PRIVACY ISSUES
Disclosure of personal information justifiable if it lessens an imminent threat to health, safety or welfare On 6 October 2017, the Victorian Civil and Administrative Appeals Tribunal ruled that there had been no breach of Information Privacy Principle (IPP) 2.1 of the Privacy and Data Protection Act 2014 (Vic) when the Department of Health and Human Services informed the grandfather of two children about sentencing remarks made at the criminal trial of their father, the complainant: DNV and Department of Health and Human Services (Human Rights)  VCAT 1569. IPP 2.1 restricts the use of personal information to the primary purpose of collection, or to a related secondary purpose, unless an exception applies. The Tribunal held that, given the potential emotional trauma which might be caused to the children by contact with their father, the disclosure was permissible under IPP 2.1(d)(i) which allows disclosure in order to lessen or prevent a "serious and imminent threat to an individual's life, health, safety or welfare". The term "imminent" was interpreted by the Senior Member as "an event that was likely to happen soon". It was further held that disclosure was permissible in any event by virtue of section 12 of the Act which allows the disclosure of information contained in a document which is a "generally available publication".
No privacy breach caused by disclosure of a teacher's health information between school principals On 30 October 2017, the Victorian Civil and Administrative Appeals Tribunal ruled that a primary school principal had not breached Health Privacy Principle 2.1 by disclosing details of a teacher's workers compensation claim to the principal of another school: CQH and Department of Education and Training (Human Rights)  VCAT 1845. The disclosure was made for the purpose of determining whether the second school could host the teacher in order to provide an opportunity for her to gradually return to work. HPP 2.1 only permits the disclosure of health information for the primary purpose for which it was collected. The Tribunal found that an intrinsic part of managing a workers compensation claim consistent with the relevant legislation was to plan and manage an employee's return to work. Consideration was required as to the type of work which the injured worker could perform. No breach of HPP 2.1 had occurred as the disclosure formed part of the planning process for the employee's return to work.