Key developments arising in late 2017 and early 2018 in the area of Technology, Media and Telecommunications (TMT) are summarised as follows.

Nominal damages for unauthorised use of Pokémon images. On 19 December 2017, the Federal Court ruled that an online marketplace had engaged in misleading and deceptive conduct, and infringed copyright, by enabling Pokémon images to be applied to consumer items: The Pokémon Company International, Inc v Redbubble Ltd [2017] FCA 1541. Pagone J ruled that the Respondent had engaged in misleading and deceptive conduct in contravention of sections 18 and 29 of the Australian Consumer Law by representing that it was authorised to sell products containing the images or that it had some other form of lawful association with the Applicant. The Applicant's copyright had been infringed when the Respondent made the images available on the website and when it communicated the work to the public. Furthermore, the Respondent had authorised infringement of the Pokémon copyright in contravention of section 36 of the Copyright Act 1968 by authorising infringement by third parties, known as "fulfillers", who were engaged to apply the images to the products – in this regard it was relevant, in the context of section 36(1A) of the Copyright Act, that the Respondent had the power to prevent infringement and had a commercial relationship with the "fulfillers". Whilst the Respondent had taken "reasonable steps" to avoid infringement by establishing an IP policy and internal processes for dealing copyright complaints, this was but one factor to be taken into account. The court concluded that on balance the Respondent's conduct amounted to authorising infringement – nevertheless, only nominal damages were awarded because there was no proof of lost sales suffered by the Applicant, and his honour further rejected a claim for additional damages under section 115(4) of the Copyright Act as there was no evidence to support a finding of a "flagrant disregard" of the Applicant's rights.

CAD drawings protected by implied copyright and confidentiality rights On 21 December 2017, the Federal Court ruled that a manufacturer of mobile garbage bins infringed copyright and implied confidentiality obligations when it used CAD drawings sourced from the Applicant: Mastec Australia Pty Ltd v Trident Plastics (SA) Pty Ltd (No 2) [2017] FCA 1581. White J ruled that there was an implied term that the Applicant was the owner of copyright in the drawings which, although physically prepared by the Respondent, had been the subject of close collaboration with the Applicant and which "at almost every stage incorporated the ideas and requirements" of the Applicant, resulting in output which was "derived from [the Applicant's] inputs as much, if not more, than those of [the Respondent], the latter having brought its skills to bear but only for the purpose of giving effect to the Applicant's ideas". With respect to the confidentiality of the design, the court noted that an express contractual confidentiality obligation was for a limited period only, but there was a further implied confidentiality term as well as an equitable duty of confidence, which was ongoing. In the latter regard, his Honour noted that the equitable duty commonly arises where "a commissioning client has disclosed confidential information to a manufacturer in order that the latter may produce an item for the client", reflecting a more general principle that "when confidential information is conveyed, its use and further disclosure is limited to the purpose for which it was given in the first place".

Domain name supplier found to have engaged in misleading or deceptive conduct On 21 December 2017, the Federal Court ruled that a supplier of internet domain name registration services had engaged in misleading or deceptive conduct when sending offers to prospective customers which had the appearance of invoices for the renewal of their existing domain names: Director of Consumer Affairs Victoria v Domain Register Pty Ltd [2017] FCA 1603. Specifically, the Respondent's notice offered to supply registration of a ".com" domain name to persons who already had a registered business name with a "" domain name. Murphy J ruled that the Respondent had infringed section 18 of the Australian Consumer Law, rejecting the Respondent's contention that an ordinary or reasonable member of the target audience was likely to have had "a reasonably high level of knowledge and perspicacity regarding the internet and domain registration" and was likely to have paid close attention to the notice. Whilst there had been a huge growth in the use of the internet in the past decade, his honour considered there were "still likely to be many members of the class in the present case who are relatively unsophisticated internet users, who have little knowledge about the registration of domain names and who do not know it is possible to register very similar domain names merely by altering the suffix". His Honour reached his conclusion despite finding that a substantial majority of persons receiving the Respondent's notice "did not understand it to be an invoice".

Overseas suppliers of online products are subject to Australian consumer protection laws On 22 December 2017, the Full Court of the Federal Court rejected an appeal against an earlier finding that, amongst other things, a US-based online supplier of video games was not subject to consumer guarantees contained in Division 1 of part 3-2 of the Australian Consumer Law: Valve Corporation v Australian Competition and Consumer Commission [2017] FCAFC 224. We have previously reported on the lower court findings . The Full Court noted that the Appellant ("Valve") was a foreign corporation based in Seattle, with its business premises and staff all located outside Australia, but with servers located in Australia. The subscriber agreements were expressed as being subject to the laws of the State of Washington, USA. Valve's alleged misleading conduct related to contractual statements which purported to exclude the application of the relevant provisions of the Australian Consumer Law. The court rejected the Respondent's contention that as each subscriber contract was formed outside Australia, there was no pre-requisite "supply" of goods or services in Australia as required by the Australian Consumer Lawit held that for the purposes of the legislation, "the supply of computer games by Valve to customers in Australia took place where the customer downloaded the computer game on his or her computer". The effect of sections 64 and 67 of the Australian Consumer Law was that a supplier could not "contract out" of the consumer protection provisions, and it was not relevant that the governing law or proper law of the contract was that of a foreign jurisdiction. Our colleagues Darron Saltzman and Lachlan Sadler recently published a more extensive note regarding this decision here.

Public sector data sharing legislation passed by Victorian parliament The Victorian Data Sharing Act 2017 (Vic) came into force on 6 December 2017, the day after Royal assent. The Act is intended to promote the sharing and use of public sector data in Victoria. The legislation creates the office of Chief Data Officer, whose functions will include conducting data integration and analytical work to support government decision-making, building data analytical capabilities across the Victorian public sector and coordinating data sharing and integration on behalf of the State with "data sharing bodies" and other designated bodies. The Chief Data Officer will only be able to request data or information from such bodies to inform government policy making and service planning and design. A body can refuse to provide the requested data or information in certain circumstances, such as where the provision would breach privilege or an obligation of confidence, compromise an ongoing investigation, or endanger the health, safety or welfare of an individual. Reasonable steps must be taken to de-identify any personal information before any data or information can be used by the Chief Data Officer or a data analytics body which receives the data or information from the Chief Data Officer. Using or disclosing data otherwise than in accordance with provisions in the Bill is an offence under the new Act.

Commonwealth legislation will enable ACMA to impose restrictions on gambling promotions On 6 December 2017, the Communications Legislation Amendment (Online Content Services and Other Measures) Bill 2017 (Cth) was introduced in the Senate. The Bill seeks to amend the Broadcasting Services Act 1992 so as to enable the Australian Communications and Media Authority (ACMA) to make online content service provider rules imposing gambling promotions restrictions on online content service providers. The Bill provides ACMA with the power to determine program standards about gambling promotional content which apply to certain broadcasters and subscriptions providers. The Bill also seeks to amend the Australian Communications and Media Authority Act 2005 so as to require ACMA to monitor compliance with online content service provider rules.

Small business cyber guide released On 5 January 2018, the Australian Small Business and Family Enterprise Ombudsman published a guide to help small businesses understand and prevent cyber attacks. The publication was prompted by research which showed that 60% of small firms which experienced a cyber breach went out of business within the following six months. The Guide identifies risks arising from email phishing, malware, ransomware, denial of service and watering hole attacks. It recommends "three quick steps" to maximise protection – prevention (such as the use of back up, security patches and passwords), well-being (such as ensuring staff discuss and implement security matters internally) and response (advising staff and authorities when a breach occurs, and giving consideration to cyber insurance).

NSW Civil and Administrative Appeals Tribunal declines to order the release of documents relating to a report about a medical practitioner despite a legislative presumption in favour of the disclosure of government information On 6 December 2017, the New South Wales Civil and Administrative Appeals Tribunal declined an application for the release of documents relating to a report on an incident involving medical practitioners at the Orange Health Service: Amos v Western NSW Local Health District; Arnold v Western NSW Local Health District [2017] NSWCATAD 359. The report concerned a decision by a medical practitioner to continue seeing patients following a collapse at work, and included the names and opinions of witnesses. Pursuant to section 5 of the Government Information (Public Access) Act 2009 (NSW) (the GIPA Act), there is a presumption in favour of the disclosure of government information unless there is an overwhelming public interest against the disclosure. The respondent resisted disclosure on a number of grounds, including section 14(3)(a) and (b) of the GIPA Act which states that considerations to be taken into account when determining the level of public interest include whether disclosure might reveal an individual's personal information or contravene an information privacy principle under the Privacy and Personal Information Protection Act 1998 (the PPIP Act). On this issue, the Tribunal concluded that the report contained "personal information" because it included information about, and opinions expressed by, staff. Given that the applicants had intimated that any information received might be used to investigate disciplinary action against the Director of Medical Services at the Orange Health Service, disclosure would involve the use of that information for purposes not directly related to the original purpose of collection and hence in breach of section 18 of the PPIP Act. For this reason, disclosure would not be in the public interest.

Victorian legislation will facilitate information sharing regarding the wellbeing of children On 12 December 2017, a Bill to amend the Health Records Act 2001 (Vic) and the Privacy and Data Protection Act 2014 (Vic), amongst others, was introduced in the Victorian Legislative Assembly. The amendments, which are contained in the Children Legislation Amendment (Information Sharing) Bill 2017 (Vic), arise in the context of a State government initiative to implement a scheme for the sharing of information by specified entities in the interests of the wellbeing and safety of children, and the establishment of a register of children for the purpose of monitoring and supporting their participation in government-funded programs and schemes. When passed, the legislation will amend the Health Records Act by inserting a new section 14C, and the Privacy and Data Protection Act by inserting a new section 15B, to create exemptions to compliance with various health privacy principles or information privacy principles (as the case may be) regarding the collection and disclosure of health information or personal information for purposes relevant to the scheme.

Regulations permit interim use of government identifiers as part of codeine dispensing scheme Australian Privacy Principle 9 prohibits the adoption by an organisation of a government related identifier as its own identifier of an individual unless, pursuant to APP 9.3, the organisation is prescribed by government regulation. On 19 December 2017, the Privacy Amendment (Government Related Identifiers) Regulations 2017 came into effect, permitting GuildLink Pty Ltd, a wholly owned subsidiary of the Pharmaceutical Guild of Australia, to use MedsASSIST identifiers in the course of operating the MedsASSIST scheme. MedsASSIST is a system operated by GuildLink for the purpose of monitoring the dispensing of medicines containing codeine, and a MedsASSIST identifier is an identifier derived from a passport, driver's licence or other card issued under the authority of a State or Territory such as a proof of age card, photo identification card or proof of identity card. MedsASSIST is a real-time recording and monitoring system developed as an effective alternative to requiring patients to have to go to the doctor to obtain a prescription for these products. The system requires the recording by pharmacists of an individual's identification details. The effect of the Regulation is that GuildLink can, for example, now use driver's licence numbers as its own means of proving the identity of individuals in the context of the MedsASSIST scheme. MedsASSIST is due to cease operating in early 2018 when the Standard Uniform Scheduling of Medicines and Poisons is amended so as to end over-the-counter supply of codeine.