Key recent developments in the area of Technology, Media and Telecommunications are summarised below.
Serviced office contract terms found to be unfair
A supplier of serviced office space, incorporating virtual office services such as IT and communications, has conceded to the Federal Court that its customer contracts contained unfair contract terms in breach of Part 2-3 of Ch 2 of the Australian Consumer Law: Australian Competition and Consumer Commission v Servcorp Limited  FCA 1044. The contracts were “small business contracts” within the meaning of section 23(4) of the ACL and “standard form contracts” within the meaning of section 27. Section 24(1) of the ACL provides that a term in a standard form contract is “unfair” if it creates a significant imbalance of the parties’ rights, is not reasonably necessary to protect the legitimate interests of a party and would cause detriment to the other party if relied upon. Markovic J considered that a number of terms in the service contracts caused a significant imbalance in the parties’ rights, including an automatic rollover provision, a provision allowing a unilateral adjustment of rates by the service provider, a total disclaimer of liability and a provision enabling the supplier to terminate without cause on one month’s notice. The respondent was ordered to undergo a compliance program and to pay the costs of the proceedings.
Police disclosure exempt from NSW privacy legislation
On 24 August 2018, the New South Wales Civil and Administrative Tribunal found that the New South Wales Police had not contravened the Privacy and Personal Information Protection Act 1998 (NSW) (the PPIP Act) when releasing details to the Commissioner for Victims Rights about the status of an investigation: DKB v Commissioner of Police, NSW Police Force  NSWCATAD 193. The applicant was seeking victims compensation under the Victims Rights and Support Act 2013 (NSW), and the Commissioner for Victims Rights sought particulars from the Police including whether there had been any possible contributory behaviour by the applicant. The Tribunal concluded that the Police, by responding to the request, had not infringed the applicant’s rights under the PPIP Act because section 27 states that the Information Privacy Principles do not extend to the actions of the police force other than in the exercise of administrative and educative functions. The Tribunal was of the opinion that the disclosure, relating to an active investigation, could not be categorised as a mere “administrative or educative function”.
Appeal Panel overturns Opal Card privacy decision in New South Wales
Name of blogger protected by legal professional privilege
On 24 August 2018, the Federal Court of Australia ruled that the solicitors for a prospective respondent, the owner of a website, could not be compelled to identify the publisher of a blog which was critical of the applicants: John Bridgeman Limited v Dreamscape Networks FZ-LLC  FCA 1279. The applicants were seeking an order for discovery under r7.22 of the Federal Court Rules which provides the court with the discretion to order discovery of information revealing an individual’s identity where the person against whom the order is sought knows or is likely to have that information. The Court must be satisfied that the prospective applicant may have a right to obtain relief against that individual and that they are not otherwise able to ascertain the information. Rangiah J denied the application on the grounds that the information was protected by legal professional privilege. His Honour rejected the applicants’ submission that the sole purpose of the publisher providing his name to the solicitors had been to allow a client agreement to be entered into, rather than to obtain legal advice. The court’s preferred view was that the dominant purpose of the initial communication between the publisher and the solicitor was to obtain legal advice about the preservation of the publisher’s anonymity, and disclosure of the publisher’s name by the solicitor would involve the disclosure of a confidential communication protected by legal professional privilege.
NEW LEGISLATION AND GUIDELINES
Draft legislation would mandate decryption
On 14 August 2018, the Department of Home Affairs released an exposure draft Telecommunications and Other Legislation Amendment (Assistance and Access) Bill 2018. The draft was open for public comment until 10 September 2018. The object of the legislation is to provide national security and law enforcement agencies with the means to access encrypted communications and devices by amending section 313 of the Telecommunications Act 1997 (Cth) and enabling the Director-General of Security to obtain a warrant mandating the assistance of communications providers in certain circumstances. Specifically, the legislation would allow the government to require decryption where the provider has existing means to decrypt. The draft Bill has attracted political opposition, as well as formal objection from global technology companies such as Google, Facebook, Amazon and Twitter.
Tasmanian legislation will allow police to collect information using body worn cameras
On 22 August 2018, the Surveillance Legislation Amendments (Personal Police Cameras) Bill 2018 was introduced in the Tasmanian Parliament. The legislation amends the Listening Devices Act 1991 and the Police Powers (Surveillance Devices) Act 2006 to permit the use of personal cameras to record sound and visual images under certain conditions. In Tasmania, the Listening Devices Act regulates the use of listening devices and the Police Powers (Surveillance Devices) Act regulates the use of surveillance devices. The amendments will permit the use of personal cameras by police, whether hand held or worn, to record sound or visual images where the police officer is in uniform, has informed the other party that the device is in use or in circumstances where the other party ought reasonably be aware that their private conversation is being recorded. Information collected in this manner must nevertheless be handled by police in accordance with Tasmania’s privacy legislation, the Personal Information Protection Act 2004.
Increased penalties for Australian Consumer Law infringements
On 31 August 2018, the Treasury Laws Amendment (2018 Measures No. 3) Act 2018 came into force, substantially increasing maximum penalties applicable under the Australian Consumer Law. Significantly, the maximum penalty for a body corporate was increased from $1.1m to $10m (or, if greater, three times the value of the benefit gained from the offence or, if this cannot be determined, 10% of the annual turnover of the company), whilst the maximum penalty for an individual was increased from $220,000 to $500,000. The amendment holds significance for the TMT sector, given the frequency with which consumer protection issues are central to customer disputes, with the impact being most relevant to persons engaging in unconscionable conduct (section 20) or engaging in unconscionable conduct in the supply or acquisition of goods or services (section 20). The amendments reflected recommendations made by Consumer Affairs Australia and New Zealand (CAANZ) in its ACL Review which commenced in June 2015 and was completed in March 2017.
POLICIES, REPORTS AND ENQUIRIES
OAIC releases quarterly report on mandatory data breach notifications
On 31 July 2018, the Office of the Australia Information Commissioner (OAIC) released the second quarterly report on notifications received under the Notifiable Data Breaches (NDB) scheme which came into effect 22 February 2018: Notifiable Data Breaches Quarterly Statistics Report. This report – the second issued by the OAIC – addresses the period 1 April to 30 June 2018. The report reveals that 242 notifications were provided during the quarter, compared with 63 during the period 22 February to 31 March 2018. A majority of notified data breaches involved the personal information of 100 individuals or fewer, with the most common breach being the incorrect use or disclosure of contact information. Breaches involving the disclosure of financial details, identity information and health information also featured. Malicious or criminal attacks accounted for 59% of data breaches during the quarter, followed by human error (36%) and system faults (5%). The most common form of human error involved sending personal information via email to the wrong recipient.
ACCC consults on proposed Consumer Data Right
On 10 September 2018, the Australian Competition and Consumer Commission (ACCC) released a consultation paper on the Consumer Data Right Rules Framework. We have previously reported on the proposed legislation, currently in the form of a draft Data Sharing and Release Bill, to introduce a form of data portability known as the “Consumer Data Right”. The initiative manifests the government’s response to the final report of the independent Review into Open Banking, which was released in December 2017. The Consumer Data Right will allow consumers to require their bank to share their data with accredited service providers such as a comparison site or another bank in order to obtain more tailored or competitive, services. Under the draft legislative framework, the ACCC is required to determine rules that will govern the application of the Consumer Data Right, both in particular sectors and across the economy more generally. The consultation paper released by the ACCC seeks comments on the content of the proposed rules framework by 12 October 2018. The scheme is expected to commence on 1 July 2019.
HEALTH PRIVACY ISSUES
Changes to My Health Record legislation foreshadowed
On 31 July 2018, the Minister for Health, the Hon Greg Hunt, announced that amendments to the My Health Record Act 2012 (Cth) would be made to address recent concerns. Considerable community angst had followed the commencement of the 3 month “opt-out” arrangement for the My Health Record on 16 July 2018 – we reported on the scheme in a recent TMT Update. Public debate centred upon security concerns, and in particular the ambiguous wording in that Act which could be interpreted as enabling police or government agencies to access information in a My Health Record without consent. The Minister announced that legislation would remove this ambiguity and make it clear that a court order would be required in these circumstances. The Minister also advised that an amendment would ensure that if someone wished to cancel their record, they would be able to do so permanently, with their record deleted completely from the system. The foreshadowed legislation was subsequently manifested in the My Health Records Amendment (Strengthening Privacy) Bill 2018 (Cth) which was tabled in the House of Representatives on 22 August 2018. The Bill was referred to the Senate Community Affairs Legislation Committee which is due to report by 8 October 2018.
Suspicion of unauthorised disclosure insufficient
On 9 August 2018, the New South Wales Civil and Administrative Tribunal dismissed a complaint by a prisoner that his health information and personal information had been disclosed to the Australian Federal Police for an unauthorised purpose: DLT v Justice Health and Forensic Mental Health Network  NSWCATAD 180. The complaint arose out of correspondence between the respondent and the AFP which the Applicant contended disclosed information, or at least intimated that there had been a disclosure of information, in contravention of Health Privacy Principle 11 of the Health Records and Information Privacy Act 2002 (NSW) and section 18 of the Privacy and Personal Information Protection Act 1998 (NSW). The Application was dismissed on the basis that it was lacking in substance. The Tribunal concluded that the available evidence did not support the inference contended by the Applicant, noting that a “near suspicion” [of unauthorised disclosure] is not sufficient”.