Key developments during April and May 2017 in the area of Technology, Media and Telecommunications (TMT) are summarised as follows.

JUDGMENTS

Number plates are not "personal information"

On 3 April 2017, the New South Wales Civil and Administrative Tribunal determined that by requiring motorists to enter their licence plate numbers at its parking meters, a local council did not collect "personal information": DAB vs Byron Shire Council [2017] NSWCATAD 104. The Tribunal was told that licence number plates entered into parking meters were used for the purpose of interrogating a database of exemption holders, meaning that if the licence plate was not on the database, payment would be required. The Applicant asserted that this involved the collection of her "personal information" because, when compared with other information in the possession of the Council, it was possible for her to be identified. The Tribunal proceeded on the basis that the threshold question was whether the licence plate information was "about an individual" and, if so, whether the Council had reasonable access to other information which would enable it to identify the motorist. The Tribunal concluded that from a technical perspective, it was unlikely that the Council could compare the licence plate number with other information in its possession so as to enable it to identify the individual. The Tribunal further queried whether the threshold question – that the information was "about an individual" – had been satisfied but, as the point was not argued by the parties, it was not considered further. The point would have been of interest in view of the recent decision of the Full Court of the Federal Court in Privacy Commissioner v Telstra Corporation Limited [2017] FCAFC 4, reported on in a previous update.

Work addresses may be "personal information"

On 25 May 2017, the New South Wales Civil and Administrative Tribunal ruled that a person's work address could constitute "personal information" for the purposes of the Privacy and Personal Information Protection Act 1998 (NSW): CRP vs Department of Family and Community Services [2017] NSWCATAD 164. The case concerned the disclosure by a government agency of an employee's work address to an estranged family member. The decision is of particular interest as it involved a consideration of the recent decision of the Federal Court of Australia in Privacy Commissioner v Telstra Corporation Ltd [2017] FCAFC 4, reported on in a previous update. The Respondent submitted that the work address was not information "about an individual" because the Applicant was a public servant employed by the Respondent's business at the premises, and because the disclosure occurred during the normal course of business by an employee. The Tribunal disagreed, concluding that the information was about an individual "in that the information was both requested and provided in a context solely concerning the Applicant". The Tribunal distinguished the decision in Privacy Commissioner v Telstra Corporation Limited on the basis that in that case, the data in question was information about billing, cause and location, not about the caller as an individual, whereas in the present matter the information always contained the identity by name of the Applicant. The Tribunal concluded that there had been a breach of Information Privacy Principles 10 and 11 (sections 17 and 18 of the PPIP Act) and ordered that the Respondent provide a written apology to the Applicant and review its privacy practices generally.

ACCC serves proceedings on Apple, Inc. outside the jurisdiction

On 21 April 2017, the Federal Court of Australia granted the Australian Competition and Consumer Commission (ACCC) leave to serve proceedings on Apple, Inc. in the United States of America in accordance with the Convention on the Service Abroad of Judicial and Extrajudicial Documents in Civil or Commercial Matters: Australian Competition and Consumer Commission vs Apple Pty Ltd [2017] FCA 416. The proceedings relate to a claim by the ACCC that Apple Pty Ltd and Apple, Inc. had engaged, amongst other things, in misleading or deceptive conduct in contravention of section 18 of the Australian Consumer Law when informing consumers about their rights in relation to defective iPhones and iPads. Leave to serve proceedings on Apple, Inc. in the USA was sought because Apple had not provided an address for service in Australia. The Court considered that the components of rule 10.43 of the Federal Court Rules 2011 regarding service on a person in a foreign country were satisfied. The "prima facie" case revolved around the fact that the Apple website, in providing information about remedies for defects, failed to refer to consumer guarantees and the rights and remedies available under the Australian Consumer Law. Moshinsky J declined, however, to make an order for substituted service pursuant to rule 10.24, as his Honour was not satisfied that it was "not practicable" to serve the documents on Apple, Inc. in the United States pursuant to the Federal Court Rules.

NEW LEGISLATION AND GUIDELINES

Privacy Commissioner releases new guidelines on "personal information"

The Privacy Commissioner released revised guidelines in May 2017 about the scope, meaning and requirements of the definition of "personal information" under the Privacy Act 1988 (Cth) (Act), following the Full Federal Court's recent decision in Telstra. The revised guidelines are intended to assist entities subject to the Act to determine when information is "personal information", including when information is "about an individual". The guidelines explain that the Commissioner considers information will be "about an individual" if "there is a connection between the information and the individual", which is a question of fact, and which will depend on the context and circumstances of a particular case. The guidelines note that one way in which this threshold requirement can be satisfied is where the individual is "a" subject matter of the information, such as where the information reveals or conveys something about the individual.

Privacy Commissioner releases new guidance for Australian businesses about data protection requirements under the EU's General Data Protection Regulation

From 25 May 2018, new data protection requirements will come into force under the EU's General Data Protection Regulation (EU Regulation). The new requirements will apply to Australian businesses with an establishment in the EU which offer goods or services in the EU, or which monitor the behaviour of individuals in the EU. The Privacy Commissioner's guidance aims to assist Australian businesses to understand the new requirements and how they can comply with the EU Regulation. Some important changes to the EU Regulation include a new definition of "consent" and expanded accountability and governance requirements. The Privacy Commissioner's guidance explains that a number of the new EU requirements resemble obligations which already exist in Australia under the Australian Privacy Principles. The EU Regulation will also include new individual rights, such as the right to erasure (the so-called "right to be forgotten", which does not presently form part of Australian law), a right to object to the processing of an individual's personal data and a right to data portability (meaning the right to receive personal data provided to a data controller in a "structured, commonly used, machine-readable format").

ACMA Rules for accessing IPND database updated

From 1 April 2017, the Telecommunications Integrated Public Number Database Scheme 2017 replaced the Telecommunications Integrated Public Number Database Scheme 2007. The 2007 scheme was due to sunset on 1 April 2017. Pursuant to section 295A of the Telecommunications Act 1997 (Cth), the Australian Communications and Media Authority (ACMA) is required to have a scheme in place which authorises access to the Integrated Public Number Database (IPND) for the purposes of conducting permitted research and publishing public number directories. The IPND was established in 1998 as the industry-wide database of all Australian telephone numbers and associated customer details. The 2017 rules are intended to allow more efficient access to limited IPND information by researchers, and ACMA can now also authorise recognised research industry bodies to manage access to limited IPND information on behalf of their members under controlled circumstances. An authorised research industry body is not, however, permitted to access the names of customers, and access is only permitted for the purpose of research on health, electoral and government policy topics. All researchers gaining access to IPND information are subject to the requirements of the Privacy Act 1988 (Cth).

ACMA Guideline for prepaid mobile service identity check

On 12 April 2017, the Australian Communications and Media Authority (ACMA) issued the Telecommunications (Service Provider – Identity Checks for Prepaid Mobile Carriage Services) Determination 2017, revoking and replacing its 2013 Determination, with the objective of simplifying the identity checking requirements for prepaid mobile services. The new Determination allows carriage service providers (CSPs) to verify a person's identity information through a range of methods including confirming an existing post-paid account, using a government online verification service or signing identification at a CSP shopfront. A credit card issued by an authorised deposit-taking institution can still be used as a means of verifying a customer's identity, as can now also a credit card made available to a person by a licensed credit provider.

No changes to existing arrangements for civil litigants to access retained telecommunications data

On 13 April 2017, the federal government announced there would be no changes to existing restrictions on civil litigants accessing telecommunications data retained solely under the government's data retention scheme. The Telecommunications (Interception and Access) Amendment (Data Retention) Act 2015 was introduced on 13 April 2015 to amend the Telecommunications (Interception and Access) Act 1979 and the Telecommunications Act 1997, by requiring telecommunications carriers, carriage service providers and internet service providers to retain communications data for two years. Section 280 of the Telecommunications Act introduced a prohibition on the disclosure of retained data in response to subpoenas and other court orders in civil proceedings, subject to any exceptions introduced by regulations. In December 2016, the Attorney-General's Department called for submissions on whether regulations should be passed to permit access in any, and if so which, civil proceedings. Submissions closed on 27 January 2017, and the review which followed focused on the use of telecommunications data in the justice system, privacy of communications and the regulatory burden on the telecommunications industry. The review concluded that there was insufficient reason to justify making exceptions to the restrictions currently imposed by the data retention legislation.

Amendments to consumer laws contemplated

On 19 April 2017, Consumer Affairs Australia and New Zealand (CAANZ) proposed significant legislative reforms to strengthen the Australian Consumer Law. The proposals, if implemented, would directly impact upon the rights of TMT consumers and potentially increase the exposure of TMT suppliers, amongst others, in Australia. The CAANZ proposals include an increase in financial penalties for a breach of the Australian Consumer Law from $220,000 to $500,000 for individuals and from $1.1m to a minimum of $10m for companies; a simplified process for consumers to obtain refunds for faulty products; new requirements for extended warranties including a 10 working day cooling-off period; and in relation to online shopping, a requirement for charges associated with pre-selected options to be included in the headline price. The proposals will be considered by Commonwealth, State and Territory ministers at a meeting of the Legislative and Governance Forum later in 2017.

New South Wales agency to have telephone interception powers

On 16 May 2017, the Law Enforcement Conduct Commission of New South Wales (LECC) was granted the power to intercept telecommunications under warrant for the purposes of law enforcement: Telecommunications (Interception and Access – Law Enforcement Conduct Commission of New South Wales) Declaration 2017. The LECC was created last year pursuant to the Law Enforcement Conduct Commission Act 2016 (NSW). Under the Telecommunications (Interception and Access) Act 1979 (Cth) (TIA Act), the power to intercept telecommunications under warrant is confined to the Australian Federal Police, a limited number of other Commonwealth agencies, and to "eligible authorities" of a State or Territory. The Commonwealth Attorney-General has discretion to declare an "eligible authority" of a State pursuant to section 35 of the TIA Act. The LECC is now eligible to apply for warrants to intercept a person's private communications in certain circumstances, with the power only being available in relation to the investigation of serious offences, and at all times remaining subject to various record keeping and accountability requirements as set out in the TIA Act.

POLICIES, REPORTS AND ENQUIRIES

Australian Cyber Security Centre survey results released

On 19 April 2017, the federal government released the results of a comprehensive cyber security survey conducted by the Australian Cyber Security Centre (ACSC). The ACSC is a focal point for federal agencies such as Defence, the Attorney-General’s Department, the Australian Security Intelligence Organisation, the Australian Federal Police and the Australian Crime Commission in a single location, and a hub for collaboration and information sharing with the private sector and State and Territory governments. The survey found that during the 2015 – 2016 financial year, 90% of organisations had faced some form of attempted security compromise, and 58% of organisations had experienced at least one incident that successfully compromised data and/or systems. Although most organisations assessed the security incidents as being of low impact, 60% nevertheless reported that they had experienced tangible impacts on their businesses due to attempted or successful compromise. The survey found that 71% of organisations had a cyber security incident response plan in place, but only 46% regularly reviewed these plans and 24% tested their plan less than once per year. The survey findings recommended greater attention to security by senior executives, an improved understanding of factors which could pose security risks, and a better understanding of the value of data at risk.

Final Productivity Commission recommendations on data use

On 31 March 2017, the Productivity Commission released its final report on Data Availability and Use. We have previously reported on the Commission's draft report which was released on 3 November 2016. The final report is consistent with the draft report. The Commission observed that Australia was failing to keep pace with global trends in relation to the development of frameworks covering data generation and usability, commenting that a "lack of trust by both data custodians and users in existing data processes and protections" was impeding progress. The Commission has recommended the introduction of a new Data Sharing and Release Act and the creation of a new agency, to be known as the National Data Custodian, to operate in parallel with the Privacy Act 1988 (Cth) and the Privacy Commissioner to ensure greater access by both individuals and researchers to datasets in a manner which, in the case of personal information, would continue to observe and protect applicable privacy interests.

Commonwealth Ombudsman reports on data retention act compliance

The Commonwealth Ombudsman has released a report on the monitoring of agency access to stored communications and telecommunications data for the period 1 July 2015 – 30 June 2016. The report relates to data retention practices which commenced on 13 October 2015 pursuant to the Telecommunications (Interception and Access) Amendment (Data Retention) Act 2015 (Cth), otherwise known as the "Data Retention Act". The legislation gives the Commonwealth Ombudsman an overarching role in assessing agency compliance with Chapter 3 (preserving and accessing stored communications) and Chapter 4 (accessing metadata) of the Act. The Ombudsman is required to inspect agency records to determine the extent of compliance and the use of these powers by the agency and its officers. The Ombudsman reported that most agencies were compliant with the Act, although there were non-compliances in relation to various record keeping provisions and adherence to warrant conditions and restrictions. Most agencies had sound policies and procedures in place for accessing metadata, although shortcomings common to all agencies included the level of involvement and support from senior leadership, the timeliness and comprehensiveness of training given to those exercising metadata powers, and the effectiveness of internal communications within agencies to raise awareness of relevant changes and to share best practices.

HEALTH PRIVACY ISSUES

VCAT analyses Victorian Health Privacy Principles

On 12 April 2017, the Victorian Civil and Administrative Tribunal (VCAT) dismissed a complaint that a medical organisation had failed to comply with Health Privacy Principle 5 as set out in the Health Records Act 2001 (Vic): Kitson vs MedHealth Pty Ltd [2017] VCAT 502. MedHealth is an intermediary organisation which engages medical specialists to undertake independent medical examinations for third parties such as solicitors and insurers. The complainant was seeking a copy of his own medical assessment which MedHealth forwarded to the medical consultant concerned. The complainant took issue with MedHealth's compliance with HPP 5 ("Openness") which deals with the requirements to have a policy in place explaining how health information is handled. There were a number of bases for the complainant's concerns, each of which was rejected by Vice President Judge Hampel. Of particular relevance, the Tribunal rejected a complaint that MedHealth had provided a copy of its privacy policy in a "non-responsive" fashion, observing that there was no requirement under HPP 5.1 to be "responsive" to a request so long as the privacy policy was provided to an individual on request. The Tribunal agreed with the complainant that the privacy policy erred in stating that any request for a copy of the policy had to be accompanied by an explanation of the purpose for the request, but further concluded that as MedHealth had not in fact requested the complainant to reveal the purpose of his request, no breach of the HPPs had occurred in that regard. The Tribunal further held that there was no obligation under HPP 5.2 for an organisation to set out the lawful bases on which access to information could be refused, nor was there an obligation under HPP 5.2(b)(iii) to advise individuals as to specific security measures in place to protect health information.