Key recent developments in the area of Technology, Media and Telecommunications are summarised below.
Owners of public Facebook pages liable for defamatory postings
On 24 June 2019, the Supreme Court of New South Wales ruled that a media company could be liable for defamatory postings on its Facebook page by members of the public: Voller v Nationwide News Pty Ltd  NSWSC 766. The key factor in the determination was the fact that the defendant had the ability to remove comments which it invited from the public by using various blocking tools. Rothman J emphasised that material only becomes defamatory upon publication, and the defendant had the capacity to control what was downloaded. His honour denied his decision was an assault on free speech, noting that the operation of a Facebook page had “little to do with freedom of speech” but rather the defendant’s “own commercial interests”..
Bank gives Information Commissioner an enforceable undertaking
On 24 June 2019, the Australian Information Commissioner accepted an enforceable undertaking from the Commonwealth Bank following two security incidents. One incident involved the disposal in 2016 of magnetic data tapes containing historical customer statements, and the other involved internal user access to customer data in 2018. There was no evidence that customer privacy had been compromised in either incident. After the incidents were self-reported by the Bank, the Commissioner conducted a preliminary enquiry under section 42(2) of the Privacy Act and concluded that there were grounds for concern about compliance with Australian Privacy Principle 11 (Security of Personal Information). Under section 33E of the Privacy Act and under section 114 of the Regulatory Powers (Standard Provisions) Act 2014, the Information Commissioner can accept an enforceable undertaking. This undertaking was provided pursuant to the Regulatory Powers Act. The Bank undertook to review its internal privacy processes and its privacy risk management and monitoring processes, and to engage an independent expert to conduct a risk assessment.
NSW agency did not mishandle personal information when passing it to another agency
On 2 July 2019, the NSW Civil and Administrative Tribunal ruled that there had been no breach of the Privacy and Personal Information Protection Act 1998 (NSW) when personal information relevant to an enquiry was passed on to a local council and another State agency in order to accurately answer an enquiry: DMW and DMX v NSW Local Land Services  NSWCATAD 128. The applicants were seeking advice regarding regulatory requirements involved in replacing a boundary fence. The enquiry was lodged with the respondent which passed the information on to the Hawkesbury City Council which it considered was the appropriate consent authority. The respondent also passed on details to the Office of Environment Land Management Biosecurity Conservation Helpdesk. The applicants complained that their personal information associated with the enquiry had been disclosed for purposes other than the original reason for collection, in breach of section 18 of the Act. The Tribunal found, however, that the information related to the applicants’ original enquiry and was disclosed in the course of answering that enquiry, thus providing the respondent with a defence under section 18(1)(a) of the Act which permits disclosures where “the disclosure is directly related to the purpose for which the information was collected, and the agency has no reason to believe that the individual concerned would object to the disclosure”.
No privacy breach to post mail to recipient who ‘prefers’ email
On 15 July 2019, the New South Wales Civil and Administrative Tribunal determined that the State’s Department of Family and Community Services had not breached the Privacy and Personal Information Protection Act 1998 (“the PPIP Act”) when it posted a request for information to a residential address despite the applicant’s preference to be contacted by email: DQJ v Secretary, Department of Family and Community Services  NSWCATAD 138. The Tribunal dismissed the application on the basis that, at the time the letter was sent to the contact address, the applicant had not requested that all communication be by email. There was, in the Tribunal’s opinion, no basis on which the Respondent could have known at the time that the applicant did not want any letters sent to the contact address which she provided in her application form. The fact that the applicant had nominated email as a preferred method to be contacted did not prohibit the respondent from posting correspondence to the contact address. Furthermore, there was no evidence to suggest that the letter was opened or that anyone at the contact address became aware of the personal information that was included in the letter. For these reasons, there was no basis to conclude that the respondent had breached section 18(1)(a) of the PPIP Act which prohibits disclosure of personal information by a government agency if the agency has reason to believe that “the individual concerned would object to the disclosure”.
Vodafone gives ACCC an enforceable undertaking
On 15 July 2019, Vodafone Hutchison Australia Pty Limited agreed to a court enforceable undertaking in relation to its third party billing service known as “Direct Carrier Billing” (DCB). Vodafone admitted it made false or misleading representations and likely breached section 12DB(1)(b) of the Australian Securities and Investment Commission Act 2001 (Cth) (ASIC Act) from at least February 2015 when it charged customers through its DCB service for digital content that they unknowingly purchased. The DCB service was automatically enabled on customers’ accounts and allowed purchases or subscriptions for digital content such as games, ringtones and other digital content to be charged to a Vodafone customer’s mobile account after one or two clicks on a web browser, without any identity verification. To address the ACCC’s concerns, Vodafone has provided a section 93AA undertaking that it will refund customers who applied for refund after unintentionally purchasing the content. Vodafone is also required to report to the ACCC on the results of its refunds commitments for a period of 12 months.
Court ends employment restraint on company’s former IT sales manager.
On 26 July 2019, the Supreme Court of New South Wales refused to extend an interlocutory injunction restraining a software vendor’s sales channel manager from commencing new employment with a competitor: Verint Systems (Australia) Pty Ltd v Sutherland  NSWSC 882. The employee was subject to a non-solicitation, confidentiality and 12-month non-compete constraint. The court acknowledged that there were serious questions to be tried but considered there were other factors which militated against an extension of the interim restraint order which had been in place for two months. Whilst the employee had had access to the employer’s confidential information – such as customer lists, customer contract renewal dates, pricing and sales strategies – there was no evidence that he was in physical possession of such data or that he had at any stage downloaded confidential information for his own purposes. The employee’s capacity to use such information would have diminished with time as his memory faded and, on balance, a continuation of the interlocutory relief would affect the employee more harshly than the employer.
NEW LEGISLATION AND GUIDELINES
APRA lifts confidentiality restraints on certain insurance data
On 8 July 2019, the Australian Prudential Regulation Authority (APRA) made a determination that certain information provided to APRA under specified reporting standards by general insurers and Lloyd’s underwriters for the purposes of the National Claims and Policies Database (NCPD) is not confidential: Australian Prudential Regulation Authority (Confidentiality) Determination No 1 of 2019. The determination was made under the Australian Prudential Regulation Authority Act 1998 (Cth) section 57, on the basis that the benefit to the public from the disclosure of the information outweighs any detriment to commercial interests that the disclosure may cause. The instrument identified various reporting standards as being non-confidential in the expectation that this would enhance the ability of the NCPD to provide insurers and the community with a better understanding of public and product liability insurance and professional indemnity insurance, and thereby help make those products more affordable and available by providing insurers with more detailed information when assessing risks and determining appropriate premiums. APRA emphasised that the removal of confidentiality masking would not negate the need for ongoing privacy masking.
Expanded functions for eSafety Commissioner
On 15 July 2019, the federal government introduced the Enhancing Online Safety (Protecting Australians from Terrorist or Violent Criminal Material) Legislative Rule 2019. The Rule has the effect of expanding the functions of the eSafety Commissioner under the Enhancing Online Safety Act 2015 (Cth) to include oversight of potentially terror-related internet content. The office of eSafety Commissioner was created under the initial iteration of the Act, then known as the Enhancing Online Safety for Children Act 2015, and the role of the Commissioner at that time was confined to enhancing the online safety of children. The Office was expanded, and the Act renamed, in 2017 for the purpose of protecting all Australians, not just children, from exposure to illegal or offensive online content, with a particular focus initially on cyberbullying and image-based abuse. The functions of the Commissioner are set out in section 15, and section 15(r) extends to “such other functions (if any) as are specified in the legislative rules”. The new Rule introduced in 2019 extends the Commissioner’s functions to include the promotion of “online safety for Australians by protecting Australians from access or exposure to material that promotes, incites, or instructs in, terrorist acts or violent crimes”. This follows an amendment to the Criminal Code Act 1995 (Cth) in April 2019 in the wake of the Christchurch massacre which, as reported in Volume 27 of this Update, introduced new offences applying to anyone providing an internet, hosting or content service who fails to refer to the Australian Federal Police any recorded or streamed “abhorrent violent material” within a reasonable time after becoming aware of its existence.
Consumer Data Right finally introduced
On 24 July 2019, the Commonwealth government re-introduced legislation into the House of Representatives in a bid to re-start the Consumer Data Right (“CDR”) initiative. The legislation took the form of the Treasury Laws Amendment (Consumer Data right) Bill 2019. We have previously discussed the CDR in earlier Updates, most recently Volumes 25. 26 and 27. The essence of the CDR initiative is that a data portability right will be rolled out across a number of industries over a period of time, commencing with the Big 4 Banks. Pursuant the this new right, individuals and businesses will have a right of access to their data, and the targeted industries will be required to grant public access to information regarding specified products on offer. The Consumer Data Right was previously foreshadowed in an earlier iteration of the same Bill which lapsed on 11 April 2019 when parliament was prorogued for the federal election, although three of the Big 4 Banks voluntarily implemented the first stages of the scheme on 1 July 2019. The re-instated Bill was finally passed on 1 August 2019, and is expected to apply to the Big 4 Banks from February 2020. For a more detailed overview of the CDR scheme, see the article by Gordon Hughes on our website here.
ACCC recommends wide-ranging reforms to laws governing social media platforms
On 26 July 2019, the Australian Competition and Consume Commission released its final Digital Platforms Inquiry report. The inquiry focussed on the impact of digital platforms – specifically online search engines, social media platforms and other digital content aggregation platforms – on the advertising and media markets and on three groups of users, namely, advertisers, media content creators and consumers. The report addressed a range of issues and made numerous recommendations, all of which highlight the intersection of privacy, competition and consumer protection. Recommendations of particular interest included the introduction of digital platform data portability, the development of a code of conduct for digital platforms, a review of the effectiveness of copyright protection for digitised content and the introduction of a statutory privacy right. The report also recommended a range of changes to Australia’s privacy legislation, including an updated definition of “personal information”, more stringent notification requirements relating to the collection of personal data, strengthened consent requirements and the introduction of a right of erasure (otherwise known as a “right to be forgotten”). The government will respond to the Report by the end of 2019. For a more detailed summary of the report, see the article by Gordon Hughes on our website here.
Bill re-introduces national identity-matching scheme.
On 31 July 2019, legislation was tabled in the House of Representatives to enable the implementation of identity-matching services involving the Commonwealth, State and Territory governments. The Identity-matching Services Bill 2019 amends the Australian Passports Act 2005 to enable travel document information to be shared with other Australian jurisdictions in accordance with an intergovernmental agreement signed on 5 October 2017. The identity-matching scheme was previously foreshadowed in an earlier iteration of the same Bill which lapsed on 11 April 2019 when parliament was prorogued for the federal election. Central to the new arrangements will be the establishment of a face verification service which will allow Commonwealth, State and Territory agencies to verify the identity of individuals by reference to facial images in government identity records. Most significantly, the Department of Home Affairs will host a National Driver Licence Facial Recognition Solution consisting of a database of driver licences images and information supplied by each State and Territory, and a facial recognition system for biometric comparison of facial images in the database. It is anticipated that the new system will help combat identify crime, enhance national security and monitor proceeds of crime. To address privacy concerns, it will be an offence to make an unauthorised disclosure or recording of certain information held in the system.
POLICIES, REPORTS AND ENQUIRIES
New South Wales considers mandatory data breach reporting for public sector
On 19 July 2019, the New South Wales Department of Communities and Justice issued a discussion paper entitled Mandatory Notification of Data Breaches by NSW Public Sector Agencies, seeking feedback on whether a mandatory data breach notification scheme should be adopted for the State public sector and, if so, how such a scheme should operate. Mandatory data breach notification was introduced for Commonwealth public sector agencies, as well as private sector organisations with an annual turnover of $3m or more, by the Privacy Amendment (Notifiable Data Breaches) Act 2017 (Cth) which came into effect on 22 February 2018. State agencies are not bound by Commonwealth privacy legislation, however. The discussion paper seeks feedback not only on the concept of mandatory reporting but also on key operational elements such as trigger events (i.e. the seriousness of a breach which warrants reporting), the relevance of remedial action (i.e. whether the need to report can be obviated by prompt rectification of the problem) and the method and timeframe for notification.
HEALTH PRIVACY ISSUES
Additional treatment information relating to veterans to be included in My Health Record.
On 1 July 2019, a regulatory amendment issued under the My Health Records Act 2012 prescribed that information relating to the provision of healthcare to veterans may in certain circumstances be included in a My Health Record: My Health Records Amendment (Veterans’ Affairs Treatment Benefits) Regulations 2019. The Treatment Benefits (Special Access) Act 2019 provides for medical treatment, through a Department of Veterans’ Affairs treatment card (gold card), of members of Australian Civilian Surgical and Medical Teams who provided medical aid, training and treatment to local Vietnamese people during the Vietnam War, and the effect of the amendment is that the My Health Records Regulation 2012 now provides for the inclusion in a My Health Record of healthcare provided under the Treatment Benefits (Special Access) Act. The Statement of Compatibility with Human Rights which accompanied the amendment observed that “including healthcare information created under the Treatment Benefits (Special Access) Act 2019 will enable eligible Australians to better manage their healthcare information and assist healthcare providers”.