Business purchaser did not have ongoing implied software licence
On 8 June 2021, the Federal Court considered the factors to be taken into account when determining the existence of an implied software licence: QAD Inc v Shepparton Partners Collective Operations Pty Ltd  FCA 615. The proceedings related to an alleged infringement of copyright by the purchaser, based on its continued use of software licensed by the plaintiff to the vendor. The licence agreement between the plaintiff and the vendor required the plaintiff’s consent to an assignment, and the plaintiff subsequently stipulated a transfer fee as a condition of assignment. The purchaser declined to pay the transfer fee but contended it had an implied licence to continue using the software, essentially on the basis that the plaintiff had not objected to the ongoing use of the software during the course of negotiations. Thawley J concluded that an implied licence existed during the period of negotiations between the parties regarding the transfer fee, but once those negotiations lapsed, the implied licence came to an end. It followed that the purchaser infringed the plaintiff’s copyright through its continued use of the software. Compensatory damages of $662,408.80 were awarded, being the amount of the transfer fee plus a year’s maintenance fee, together with exemplary damages under section 115(4) of the Copyright Act 1968 for the purchaser’s “flagrant breach”. In the latter regard, the court noted that the software had been essential to the ongoing functioning of the business, but this was no excuse: “The fact that, commercially, [the purchaser] had little choice other than to use the software does not make the infringement less flagrant; rather it explains the reasons why the infringement was so flagrant”.
Information Commissioner determines that Uber breached APPs
On 30 June 2021, the Information Commissioner made a determination under section 52(1A) of the Privacy Act 1988 that Uber Technologies Inc. and Uber B.V. interfered with the privacy of approximately 1.2 million individuals in Australia by failing to adequately protect the personal data of customers and drivers which was accessed in a cyber-attack in October and November 2016. The attack was directed at data stored in Amazon Web Service’s Simple Storage Service. Specifically, Uber was found to have breached Australian Privacy Principle (APP) 11.1 by failing to take reasonable steps to protect personal information against unauthorised access, and APP 11.2 by failing to take reasonable steps to delete or de-identify personal information which was no longer needed for a permitted purpose. Related to these breaches, the Information Commissioner further determined that Uber had breached APP 1.2 by failing to take reasonable steps to implement practices, procedures and systems relating to its functions and activities that would ensure that they complied with the APPs. In making these findings, the Information Commissioner rejected Uber’s submission that it did not, for the purposes of section 5B of the Act, “carry on business in Australia” due to the absence of any direct contractual or other relationship with riders or drivers in Australia, with the Information Commissioner observing that “the fact that an activity which occurs in Australia might be controlled or facilitated by actions of the entity taken remotely and without the need for employees in Australia, does not necessarily mean that no relevant activity is performed by the entity in Australia”.
Federal Court overrides exclusive jurisdiction clause in Apple case
On 9 July 2021, the Full Court of the Federal Court allowed an appeal by Epic Games against a temporary stay of proceedings granted to Apple Inc in a dispute over an Apple Developer License Agreement: Epic Games, Inc v Apple Inc  FCAFC 122. In November 2020, Epic had commenced the proceedings in the Federal Court alleging that Apple’s conduct in requiring developers to (a) distribute iOS apps to Australian users through Apple’s Australian App Store, and (b) only use Apple’s payment processing system for in-app purchases, contravened Pt IV of the Competition and Consumer Act (2010). As we have previously reported in an earlier TMT Update and analysed in a separate article on our website, Apple had sought a stay because the agreement provided that any dispute relating to it must be litigated in the Northern District of California, and in April 2021 Apple was granted a temporary (3 month) stay by the trial judge: Epic Games, Inc v Apple Inc (Stay Application)  FCA 338. Epic asserted in its appeal that the primary judge erred in failing to give effect to “overriding” public policy considerations that militated against the granting of a stay, and in failing to find that there were strong reasons to permit the proceeding to continue in the Federal Court notwithstanding the existence of the exclusive jurisdiction clause. Relying on the principles espoused by the High Court in Akai Pty Ltd v People’s Insurance Co Ltd (1996) 188 CLR 418, the Full Court concluded that the primary judge had erred in granting a stay because, amongst other things, enforcement of the exclusive jurisdiction clause would offend the public policy of the forum, observing that “if contraventions of Pt IV of the CCA are determined by foreign courts they will be determined through the prism of expert evidence about the content of Australian law … This process is not the same as ascertaining and applying the law directly … One of the difficulties and uncertainties involved in proving foreign law is the risk that important aspects of the foreign law will be lost in translation.” The Court acknowledged that exclusive jurisdiction clauses are a significant feature of global commerce, but this was outweighed by public interest factors such as the forensic disadvantage of Epic litigating the matter before a foreign court, the fact that the conduct in question was undertaken in an Australian sub-market, and the fact that “the focus should not only be on the nature of competition law, but the significance of the statutory provisions which allow the Commission to intervene, private parties to get the benefit of factual findings and admission, and the relevance of the Federal Court being chosen by Epic Games as the court of its choice”.
Software developer liable for breach of copyright
On 19 July 2021, the Federal Court of Australia ruled that a software developer infringed copyright when developing software to replace a program which had been sold to the applicant: Campaigntrack Pty Ltd v Real Estate Tool Box Pty Ltd  FCA 809. The Applicant had previously purchased the intellectual property rights in a product which competed with its own real estate online software system. The vendor then created a new product which the applicant alleged reproduced parts of the source code of the purchased product. Thawley J rejected the respondent’s contention that the original assignment related only to the then-current version of the software, stating that such an interpretation would be “defeating the whole purpose underlying the parties’ transaction”. A breach of copyright was evidenced by “many lines of source code which matched exactly”, especially after taking account of “the functionality of the matching code”. His honour also ruled that the developer had, for the purposes of section 36(1A) of the Copyright Act, authorised infringement by other developers over whom he exercised supervision and control. The court found that, in addition to breaching copyright, the respondent had misused confidential information derived from the source code, noting that it “would have been clear to a reasonable person….that he was not free to deal with the information as his own”.
Technology manufacturer liable for breach of confidence
On 26 July 2021, the Queensland Supreme Court delivered a judgement which focusses attention on the effectiveness of Non-Disclosure Agreements (NDAs) in technology development contracts: Madritsch KG & Anor v Thales Australia Ltd  QSC 170. Bradley J ruled that the defendant, a small arms manufacturer and supplier to the Commonwealth, had infringed an NDA with the plaintiffs, both of which were also involved in the firearms industry, regarding details of a technological solution to a functional problem affecting a service rifle used by the Australian Defence Force. The defendant had been provided with technical details relating to the Madritsch product with a view to deciding whether to manufacture the Madritsch solution under licence. The defendant subsequently opted, however, to develop its own solution and the principal issue was whether Thales had made use of confidential Madritsch information in the process. His Honour found for the plaintiffs and in so doing, a number of fundamental considerations regarding the effectiveness of NDAs were confirmed. These included: if the subject matter of an NDA is precisely defined, the risks of the agreement being void for uncertainty are reduced; the fact that the information could have been independently created by the recipient is of no relevance if the recipient in fact relied upon confidential information provided by the discloser; information is not necessarily in the public domain by virtue of the fact that it has previously been disclosed in confidence to a third party; and a time limit on the duration of the confidentiality obligation will, if it is reasonable, reduce the risk of the obligation becoming an unenforceable restraint of trade in circumstances where the Restraints of Trade Act 1976 (NSW) applies. For a detailed analysis of the case, refer to the article by Gordon Hughes on our website.
Blockchain invention deemed patent eligible
On 21 July 2021, the Australian Patent Office delivered a decision discussing the patentability of inventions directed to solving business problems using computer technology: Advanced New Technologies Co Ltd  APO 29. The patent application, titled ‘Method and apparatus for processing transaction request’, relates to a method for processing transactions using a blockchain network, a form of distributed ledger characterised by decentralisation, openness, and transparency. The invention proposed to solve the problems surrounding privacy security issues due to the decentralised nature of blockchains. Prior to the hearing, the Examiner characterised the substance of the invention as an abstract scheme on the basis that the invention was not technical in character and required only generic computer implementation, but the Delegate took a more nuanced approach, reviewing the state of the art at the priority date with respect to blockchain technology to better understand and distinguish the invention. Although the Delegate was not satisfied that preserving the privacy of blockchain nodes was a technical problem, they considered that the invention nevertheless provided a technical solution as “the critical steps of converting the transaction data into an indecipherable data abstract and then generating a transaction abstract based on digitally signed approvals from the transaction nodes involves the application of information technology techniques”, clarifying that the “fact that [a] technique may be well-known does not make it any less technical”. In deciding that the invention, although a computer implemented technology, was more than a mere abstract scheme, the Delegate acknowledged that preventing breach of privacy data was a practical and useful result, where there is, on balance, no reason why “technical improvements to fundamental mechanisms” within a blockchain should not be patentable. The case has, however, been remitted back to examination to reconsider potential issues of inventive step. For a more detailed discussion of this decision, see the article by Richard Brown, Isaac Tan and Angie Chen on our website.
Data collection notification requirements under NSW privacy legislation
On 27 July 2021, the New South Wales Civil and Administrative Tribunal determined that a local council failed to comply with the Information Privacy Principles contained in the Privacy and Personal Information Protection Act 1998 (NSW) when handling a complaint about a draft local strategic planning statement: EMF v Cessnock City Council  NSWCATAD 219. The proceedings arose out of the council’s internal dissemination of a complaint made by the applicant regarding a confidential code of conduct issue. One interesting aspect of the decision related to the means of satisfying Information Privacy Principle 3 in section 10 of the Act (“Requirements when collecting personal information”), specifically, the requirement to notify an individual as to the intended recipients of their personal information. The Tribunal concluded that in accordance with IPP 3, the council was required to take reasonable steps to notify the Applicant prior to, or as soon as reasonably possible after, the information had been collected. The Tribunal was of the view that this requirement could have been met if the council’s webpage (where complaints were lodged) had contained a link to a privacy collection notice. The Tribunal commented that “while not necessarily an IPP 3 notice, this is the general public privacy statement of (or promise by) the Respondent to individuals about the way the Respondent will handle their personal information and any statements in it will, in the absence of an IPP 3 statement, prevail over any inconsistent rights or exemptions given to Council under the LG Privacy Code”. The link would probably have sufficed because it could have been “referred to by individuals in deciding whether to provide their personal information to the Respondent”. The Applicant was awarded compensation of $30,000.
Complex technology contract interpreted by Queensland Supreme Court
On 28 July 2021, Justice Ryan in the Supreme Court of Queensland delivered directions regarding the interpretation of a complex contractual relationship between a US wireless network supplier, a wholly-owned subsidiary and a Brisbane-based microwave and millimetre wave radio technology supplier: BSO Network Inc and Anor v EMClarity Pty Ltd (No 2)  QSC 192. Her Honour’s ruling had previously been handed down on 9 April 2021 but a redacted version has only now been published. Her Honour found that the defendant supplier, EMClarity, had failed to comply with its delivery obligations under a series of contracts and had repudiated the principal supply contract by indicating an intention to vary the timing of delivery. The defendant had advised the plaintiffs that there would be a “pause” in delivery whilst a “quality review” of its processes and products was undertaken, but the court rejected the defendant’s contention that this delay was permissible because the timing of supply was conditional upon the completion of development of the products pursuant to an earlier development agreement. Justice Ryan relied upon well-established principles of interpretation in finding that the parties had reached agreement on the terms of the supply contract, notwithstanding the fact that the agreement was concluded by laypersons and was not “legally perfect”. It was an implied term of the principal supply agreement that the goods would be delivered within a “reasonable time”, although the court declined to speculate as to what a “reasonable time” in this context would actually be. With respect to the alleged disclosure of confidential material by the defendant to a competitor of the plaintiffs, the court considered the juxtaposition between contractual and equitable obligations of confidentiality, concluding that whilst an equitable obligation can co-exist with a contractual obligation, the equitable obligation will not convert a contractually authorised disclosure into a breach of a broader equitable obligation.
A machine can be an “inventor”
On 30 July 2021, the Federal Court of Australia ruled in a world-first decision that artificial intelligence (AI) can be named as the inventor on a patent application: Thaler v Commissioner of Patents  FCA 879. The invention was described as “DABUS”, being an acronym for a device for the autonomous bootstrapping of unified sentience. Dr Thaler was the owner of copyright in the DABUS source code and the owner and operator of the computer on which DABUS operates, but he was not named as an inventor because the substantive innovative work was autonomously generated by DABUS using artificial neural networks. Beach J noted that there is no definition of “inventor” in the Patents Act 1990 (Cth), the Act does not mandate that the named entity be an actual inventor, and the Act does not state that the inventor must be a human. His Honour considered that to deny grant of a patent for an otherwise patentable invention because the inventor is not a natural person would be the antithesis of the object of the Act to “provide a patent system in Australia that promotes economic wellbeing through technological innovation and the transfer and dissemination of technology…”. He further observed that the recognition of AI as being capable of inventorship would incentivise the development of creative machines and lead to new scientific advantages, where they might otherwise be protected as trade secrets. The Australian patent application at issue was filed by Davies Collison Cave on behalf of Dr Thaler – for a detailed analysis of the decision, refer to the article by David Webber, Claire Gregg and Courtney White on our website.
Google Ads suggesting government affiliation were misleading.
On 13 August 2021, the Full Court of the Federal Court upheld an appeal by the Australian Competition and Consumer Commission (ACCC) against a trial judge’s ruling that Google Ads for a workplace relations consultancy were not misleading: Australian Competition and Consumer Commission v Employsure Pty Ltd  FCAFC 142. The trial judge had rejected the ACCC’s assertion that the Google Ads falsely represented that the company had a government affiliation. The Full Court overturned the trial judge’s decision, finding that the respondent had infringed sections 18, 29(1)(b) and 29(1)(h) of the Australian Consumer Law. Section 18 prohibits a company engaging in misleading or deceptive conduct; section 29(1)(b) prohibits a false or misleading representation that services are of a particular quality or standard; and section 29(1)(h) prohibits a false or misleading representation that a person has a sponsorship, approval or affiliation. Whilst the finding is in some respects fact-specific, the reasoning of the Court is instructive. The target audience in this case comprised “business owners who are employers and who search for employment-related advice on the internet”, and the Court considered that the primary judge erred by attributing to this audience “too high a level of shrewdness or wariness, digital literacy, and/or commercial sophistication” and also in the view he reached “as to the level of attention or scrutiny that the ordinary or reasonable business owner was likely to give to the advertisements”. Specifically, the Court considered that it was incorrect for the trial judge to conclude that “an ordinary or reasonable business owner taking reasonable care of his or her own interests would have discerned that each of the Google Ads was an advertisement for privately provided employment-related advice which was not associated with any government agency”.
Disclosure of settlement deed to insurer does not infringe the privacy of litigant.
On 21 August 2021, the New South Wales Civil and Administrative Tribunal ruled that the disclosure of a settlement deed by the Police Force to its workers compensation insurer did not contravene the Privacy and Personal Information Protection Act 1998 (NSW): BVV v Commissioner of Police  NSWCATAD 250. The settlement involved a holistic resolution of a number of issues, some of which related to a workers compensation claim and some of which were unrelated. The Applicant claimed he was unaware that an insurer was represented at the mediation which led to the settlement. The case essentially turned on section 18 of the Act which places limits on the disclosure of personal information by public sector agencies. Section 18(1)(a) permits disclosure if “the disclosure is directly related to the purpose for which the information was collected, and the agency disclosing the information has no reason to believe that the individual concerned would object to the disclosure”. The Tribunal concluded that the Applicant’s personal information contained in the Deed (including information not relating to the workers compensation claim) was collected by the Respondent for the purpose of managing the Applicant’s claims and complaints, and disclosure of the Deed to the insurer in order to facilitate the payment of settlement sums was “directly related” to the collection of that information. The Tribunal also considered that, on the facts, it was “difficult to understand how the Respondent could possibly have had reason to believe that the Applicant would object to the disclosure of the Deed”.
Federal Court grants injunction to US video game publisher.
On 27 August 2021, the Federal Court issued declaratory and interlocutory injunctive relief for copyright infringement in favour of a US video game publisher against a local developer: Take-Two Interactive Software Inc v Anderson  FCA 1024. The respondent’s program “Infamous” allowed players of the applicant’s game “Grand Theft Auto” to gain certain advantages over other players by taking actions in-game that players who did not have the software installed could not. A self-executing order, with which the respondent had failed to comply and which the respondent unsuccessfully sought to set aside, had been issued on 16 April 2021 requiring the respondent to file and serve evidence within 7 days or else judgement would be entered in favour of the applicant. In rejecting the respondent’s application to set aside the earlier judgement, Nicholas J took into account four considerations: the respondent’s explanation for the default; whether the respondent had an arguable defence; whether the respondent would suffer prejudice if the order were not made; and whether the applicant would suffer prejudice if the order were made. The Court ruled that the applicant was entitled to declaratory and injunctive relief for copyright infringement and also, subject to proof, any applicable pecuniary remedy. The Court declined, however, to grant relief in respect of alleged contraventions of Part V Division 2A of the Copyright Act, his honour noting that there was no evidence at this point to indicate whether the applicant’s anti-cheat tools which the respondent interfered with were “technological protection measures” within the meaning of s 116AO of the Act or “access control technological protection measures” as defined in s 10 of the Act.
Intergovernmental data sharing scheme commences
On 9 July 2021, the Intergovernmental Agreement on Data Sharing between Commonwealth and State and Territory Governments came into effect when it was signed by the National Cabinet. The Agreement commits all Australian jurisdictions to share public sector data as a default positon, subject to the process being completed “securely, safely, lawfully and ethically”. The Agreement is premised on the proposition that “access to data is critical for policy, service delivery, and government decision making”, and that “data held by one government can be valuable to another government in delivering its activities”. The Agreement encompasses, amongst other things, routine administrative data, statistics and reference data, and de-identified and identifiable data required for emergency situations. “Identifiable data” is defined as “data consisting of personal information, where an individual is identifiable or reasonably identifiable”. A schedule to the Agreement establishes a mechanism for determining “national priority areas” and a prioritisation process. The operation of the Agreement will be reviewed after two years.
Government commences consultation on online safety expectations.
On 8 August 2021, the Australian Government commenced public consultation on an exposure draft of the Online Safety (Basic Online Safety Expectations) Determination 2021. We have previously reported that on 23 June 2021, the Australian Parliament passed the Online Safety Act 2021. The Act will commence on 23 January 2022. The draft Determination includes the Government’s core expectations, which are specified in the Act, as well as a number of additional expectations. Service providers are expected to take reasonable steps to meet these expectations in order to uphold the safety of Australian end-users on their services. The eSafety Commissioner also has the power to require service providers to report on their compliance with these expectations. Until now, the Government’s expectations of industry have been articulated in the soon-to-be-superseded basic online safety requirements Enhancing Online Safety Act 2015, the safety Commissioner’s Safety-by-Design Principles, and the Online Safety Charter, none of which have any legal or regulatory enforceability. Part 4 of the new Act sets out the requirements for the determination of the basic online safety expectations for social media services, relevant electronic services and designated internet services, and the requirements for compliance reporting by industry. The ultimate objective is to establish a benchmark for online service providers to take proactive (rather than reactive) steps to protect the community from abusive conduct and harmful content online.
Discussion paper foreshadows cyber security code under the Privacy Act.
On 26 August 2021, the Australian Government issued a Discussion Paper seeking public feedback on Australia’s cyber security laws: Strengthening Australia’s cyber security regulations and incentives. Two issues of particular interest raised for discussion involve the prospect of a Security Code being issued under the Privacy Act 1988, and the prospect yet again of enacting a statutory privacy right. In relation to the Privacy Act, the Paper drew particular attention to Australian Privacy Principle 11 which establishes an obligation to keep personal information secure, and Part IIIC which establishes the mandatory data breach notification scheme with respect to “eligible data breaches”, and expressed concern that current laws may not provide “sufficient clarity about cyber security expectations”, whilst the Information Commissioner’s enforcement powers were compromised because they were based on an “escalation model”. The Privacy Act nevertheless had “the greatest potential to set broad cyber security standards (albeit only in relation to personal information)”, particularly if a privacy code could be established under Part IIIB of the Act to provide clear expectations about how Privacy Act entities should meet their existing cyber security obligations under APP 11. A cyber security code could “harmonise international standards and offer opportunities to Australian businesses to market their security credentials internationally”. In relation to a statutory privacy right, the Discussion Paper postulated that “a direct right of action could give individuals greater control over their personal information and provide an additional incentive for entities covered by the Privacy Act to comply with their obligations under the Act”.
Medical information is not always “personal information”
On 16 August 2021, the New South Wales Civil and Administrative Tribunal delivered a ruling on whether information regarding a police officer’s medical fitness for work was “personal information” within the meaning of section 4(3) of the Privacy And Personal Information Act 1998 (NSW): DTN v Commissioner of Police  NSWCATAD 240. The applicant had been discharged from the Police Force due to a workplace injury, and he complained that inaccurate information about his condition had been provided by his employer to its workplace insurer, in breach of the “accuracy principle” in section 16 of the Act. The respondent contended that it was exempt from compliance with the accuracy principle by virtue of section 4(3)(j) which excludes from the definition of “personal information” any “information or an opinion about an individual’s suitability for appointment or employment as a public sector official”. The application was rejected by the Tribunal which ruled that the “content of the information collected and contained in the Document relates to DTN’s fitness to continue working” and that “the context in which the information relates has been stored by the Respondent to assess the ability of DTN to continue in his employment specifically from a medical perspective”, thus enlivening the section 4(3)(j) exemption.