$8,500,000 penalty for misleading comparative advertising

On 8 October 2020, the Federal Court imposed a financial penalty and issued a corrective publication order on an online and telephone comparison service which had made misleading statements regarding the price of certain energy plans: Australian Competition and Consumer Commission v iSelect Limited [2020] FCA 1523. The respondent represented on its website that it would compare all of the plans available from its partner retailers in a consumer’s area and recommend the most suitable or competitive plan to the consumer but in fact did not necessarily include the most competitive rate on offer. Furthermore, due to a coding error, the prices quoted to certain NSW consumers did not account for “controlled load usage” in the tariff rate, the effect being that these consumers were underquoted in relation to the total price payable for electricity plans recommended by iSelect. The conduct was held to contravene sections 18, 29(1)(g) and 34 of the Australian Consumer Law. Observing that “the contravening conduct was serious and may have diminished genuine consumer choice”, Moshinsky J imposed a pecuniary penalty of $8,500,000 in respect of each contravening act.

Misleading Trivago website appeal dismissed

On 4 November 2020, the Full Court of the Federal Court of Australia dismissed an appeal by Trivago N.V. against a finding in January 2020 that its online search and comparison site for hotel accommodation was misleading or deceptive: Trivago N.V. v Australian Competition and Consumer Commission [2020] FCAFC 185. We have previously reported on the trial judge’s determination that the website was misleading because it showed search results based on an algorithm that was weighted towards hotel booking sites that paid Trivago the highest commissions, meaning that the search results often did not highlight the cheapest rates. The Full Court concluded that the trial judge had been “substantially correct”. It was critical of the primary judge’s failure to apply the “ordinary and reasonable member of the target audience” test, but considered this had no ultimate impact on the findings as it remained the case that a dominant message on the website was that it displayed the best offers for particular hotels either in terms of price or some other characteristic.

Emergency use of IPND personal information

On 12 November 2020, the Minister for Home Affairs issued the Telecommunications (Data for emergency warning systems) Instrument 2020. Disclosure of information obtained by carriers in the course of providing their services is permitted in the context of the national telephone warning system used by emergency services to send voice messages to landlines and text messages to mobile phones within a defined area about likely or actual emergencies. Specifically, Integrated Public Number Database (IPND) information may be disclosed to an “emergency management person” in the event of an emergency within the meaning of an “emergency law”. Section 275B of the Telecommunications Act 1997 (Cth) defines “emergency management person” and s 275D defines “emergency law”. The new Instrument gives effect to ss 275B and 275D, replacing the 2016 Instrument and accommodating changes to titles and functions of State and Territory emergency management persons and emergency laws which have occurred in the ensuing period. The ultimate objective is to ensure there are no unintended barriers to the access and use of information held in the IPND when public emergency warnings become necessary.

New Privacy Act for New Zealand

A new Privacy Act will operate in New Zealand from 1 December 2020. The Privacy Act 2020 (NZ) will replace the Privacy Act 1993. A key change involves the introduction of significant penalties for privacy infringement, with the Human Rights Review Tribunal having the power to award up to $350,000 to each member of a class action. The new Act will also introduce a privacy breach notification regime which will apply to breaches which cause, or are likely to cause, “serious harm”. In addition, transborder data flow restrictions have been tightened, with overseas disclosure limited (in the absence of informed consent by the data subject) to recipients who are subject to similar safeguards to those in the Privacy Act. New criminal offences will apply in the case of persons gaining access to information by subterfuge or knowingly destroying personal information in order to prevent access. New Zealand already enjoys “adequacy status” for the purposes of Article 45(1) of the General Data Protection Regulation (GDPR) so the changes will not directly affect the status of the local privacy regime from the perspective of European and United Kingdom data exporters.

Radiocommunications Act reforms loom

On 12 November 2020, the Radiocommunications Legislation Amendment (Reform and Modernisation) Bill 2020 was introduced in the Senate, along with related legislation, following a recommendation by the Senate Environment and Communications Legislation Committee on 4 November that it be passed. The legislation seeks to modernise and update the management of spectrum and radiocommunications in Australia by substantially amending the Radiocommunications Act 1992 (the Act). The origins of the reform lie in the 2015 Spectrum Review undertaken by the then Department of Communications which highlighted the limitations of the current framework and considered reforms to the way spectrum was managed. The primary measures contained in the legislation include clarification of the objects of the Act; the provision of greater flexibility to the Australian Communications and Media Authority (ACMA) in allocating spectrum; reducing regulatory barriers between licence types; streamlining device supply schemes and equipment regulation; and introducing a modernised compliance and enforcement regime which gives ACMA a greater range of options beyond the institution of criminal proceedings.

OAIC releases results of privacy survey

On 28 September 2020, the Office of the Australian Information Commissioner (OAIC) published the results of its Australian Community Attitudes to Privacy Survey (ACAPS) 2020. Conducted between February and March 2020 and involving nearly 3000 respondents over the age of 18 years, the biggest perceived privacy risks identified were:

  • identity theft and fraud (76%)
  • data security and data breaches (61%)
  • digital services, including social media sites (58%)
  • smartphone apps (49%), and
  • surveillance by foreign entities (35%) or Australian entities (26%).

Only 1 in 5 Australians (20%) read and are confident they understand privacy policies on internet sites. The main reasons why Australians do not read privacy policies include the length and difficulty of the policies. Parents considered that companies should provide important data privacy information to children in clear language that is not misleading (85% support, 60% strongly support).

First follow-up interim report issued by ACCC on digital platform services

On 1 October 2020, the Australian Competition and Consumer Commission (ACCC) issued an Interim Report arising out of its Digital Platform Services Inquiry. As we have previously reported, the ACCC released a report in July 2019 on the impact of online search engines, social media and digital content aggregators on competition in the media and advertising services markets, with a particular emphasis on the substantial market power of Google and Facebook. When responding to the report in December 2019, the government announced that the ACCC would have a role for five years in monitoring digital platform services in Australia, and the interim report released in October 2020 is part of that process. The interim report noted, amongst other things, that most consumers continued to be unclear on what they are consenting to, thus vindicating the ACCC’s recommendation for changes to privacy law and the Australian Consumer Law to ensure consumers can exercise choice and control that align with their privacy preferences. The report also observed that whilst Australian businesses were increasingly reliant upon the platforms to reach consumers online, the platforms’ terms and conditions, which must be accepted by default, often left small businesses at a significant disadvantage.

ACMA releases telco complaints-handling data

On 28 October 2020, the Australian Communications and Media Authority (ACMA) published its annual report on telco complaints-handling performance. Telcos report complaints data to ACMA each quarter in respect of mobile, fixed-line voice, fixed-line broadband, NBN broadband and NBN voice-only services. The data showed that almost 1.4 million complaints to telcos were received over the 2019–20 financial year – down by 17.5% from the previous year. Key findings were as follows:

  • total complaints reported by telcos are down by 17.5% from last year, with almost 1.4 million complaints received over the 2019-20 financial year;
  • complaints per 10,000 services decreased by 18.9% to 77 complaints per 10,000 services;
  • the average time taken by telcos to resolve customer complaints decreased from 5.8 to 5.2 days; and
  • from June 2019 to June 2020 the rate of complaints referred by the TIO back to the telcos increased from 8.5% to 13%.

Despite the encouraging trend, ACMA chair, Nerida O’Loughlin, commented that “given these ongoing, systemic and impactful consumer issues, the ACMA strongly supports the government’s reconsideration of the current telco consumer protection regime”.

Review of Privacy Act 1988 commences

On 30 October 2020, the government released Terms of Reference and an Issues Paper for a wide-ranging review of the Privacy Act 1988 by the Attorney-General’s Department. The Issues Paper is part of the government’s response to recommendations contained in the Australian Competition and Consumer Commission’s Digital Platforms Inquiry in 2019. As we have previously reported, the ACCC released a report in July 2019 on the impact of online search engines, social media and digital content aggregators on competition in the media and advertising services markets, with a particular emphasis on the substantial market power of Google and Facebook. The report’s recommendations included a range of changes to the Privacy Act. Under the Terms of Reference now issued by the government, the review will embrace a range of issues which have proved troublesome in recent years, including the definition of “personal information”; exemptions such as those applying to small business, employee records and political parties; overseas data flows; the “right to be forgotten”; the impact of the notifiable data breach scheme; and the prospect of a statutory tort for serious invasions of privacy.

Changes to Australian Consumer Law foreshadowed

On 4 November 2020, the Australian Treasury published a Regulatory Impact Statement (RIS) on Enhancements to Unfair Contract Term Provisions. Under the Australian Consumer Law, an “unfair term” in a “standard contract” is void. The issue is of particular significance to TMT industries which transact a huge volume of business over the internet using non-negotiable proprietary terms. Amongst a number of recommendations, the RIS concluded that courts should have greater discretion in determining appropriate remedies, rather than the term being automatically declared void. Courts should also have the ability to apply civil penalties in appropriate cases. There should be a rebuttable presumption that a contract term is unfair (thus reversing the onus of proof) if, in a particular instance, the same or a substantially similar term has been used by the same entity or in the same industry sector and previously declared by a court to be unfair. It was recommended that these and other changes be implemented by way of amendment to the Australian Consumer Law, to be further reviewed after three years.

Review of Australia’s mandatory data retention regime

The Parliamentary Joint Committee on Intelligence and Security recently released its report following its review of Australia’s mandatory data retention regime. The Committee has made a series of recommendations for reform in relation to the scope, operation and oversight of the regime. The Committee’s original terms of reference included journalist information warrants, but that issue was subsequently transferred to the Committee’s press freedom inquiry. The key recommendations of the Committee included:

  • introducing a definition for the currently undefined phrase “content or substance of a communication” in the Telecommunications (Interception and Access) Act 1979 – this is an important feature of the legislation as service providers are not required to retain, nor disclose, such information. Given the lack of a definition, the scope of the related rights and obligations in the legislation is arguably unclear. For example, it is unclear if metadata or “telecommunications data” is part of the “content” of a communication;
  • retaining the existing data retention period at 2 years;
  • various other amendments, including recommending the Department of Home Affairs develop new published guidelines to address reporting and record-keeping obligations, government agency access procedures and oversight procedures over the regime; and
  • amendments to clarify that service providers are not required to retain data generated by “Internet of Things” devices.

ACCC releases Consumer Data Right on-boarding guide

On 18 November 2020, the Australian Competition and Consumer Commission released its On-boarding Guide for Data Holders and Data Recipients in connection with the Consumer Data Right (CDR). The CDR, which commenced in respect of the banking sector on 1 July 2020, is a data portability mechanism for enabling individual and business consumers to access information about themselves and their service providers’ products, and to direct their existing service provider to share that information with other service providers. Central to the scheme is the role of “data holders” (which hold the original consumer data to which the right of transfer applies) and “accredited data recipients” (which are entities accredited under the scheme to receive consumer data subject to strict privacy safeguards). “On-boarding” is the process whereby a new participant in the scheme prepares to commence active participation following completion of registration and accreditation. The Guide provides a detailed description of eleven steps involved in the on-boarding process, and deals also with matters such as the testing of participants’ technology solutions, collection arrangements involving outsourced service providers, and the use of the CDR logo.

OAIC responds to the ACCC’s proposed expansion of the Consumer Data Right Rules

The Office of the Australian Information Commissioner (OAIC) has responded to the ACCC’s proposal to expand the CDR scheme. The ACCC proposed introducing a lower level of “restricted” accreditation to increase participation in the scheme. The OAIC has highlighted the privacy risks associated with that proposal and recommended, amongst other things, minimum standards and rules outlining the specific responsibilities of restricted accredited participants. The OAIC’s submission also addresses the ACCC’s proposal to allow accredited data recipients (ADRs) to disclose CDR data to “trusted advisors” of consumers. The OAIC recommends only allowing such disclosure if the trusted advisors are subject to the Privacy Act 1988. The submission also addresses the proposed disclosure of “CDR insights” (information derived from CDR data) to facilitate the provision of a broader range of services to consumers (such as identity checks and payment verifications). The submission flags potential inconsistencies between the proposal and provisions of the Competition and Consumer Act 2010 (Cth) relating to credit information. The OAIC has recommended the ACCC consider whether the existing CDR framework is appropriate to implement such a policy change. Additionally, the OAIC broadly supports the ACCC’s proposal to allow non-individual consumers, such as partnerships and limited companies, to participate in the CDR scheme via a nominated representative. The OAIC also considers that an ADR should be permitted to obtain a consumer’s consent to the future disclosure of CDR data to a second ADR at the same time as the first ADR obtains the consumer’s consent to it collecting and using their CDR data. The OAIC has however emphasised the need to ensure that consumers understand the differences between the different consents which they provide to collection, use and disclosure.

Government response to Senate Committee recommendations on My Health Record regime

On 5 November 2020, the Australian Government responded, somewhat belatedly, to 14 recommendations made by the Senate Community Affairs References Committee in October 2018 on the operation of the My Health Records system. As previously reported, the My Health Records Amendment (Strengthening Privacy) Act 2018 came into effect on 11 December 2018. The government response expressed support for recommendations to amend the My Health Records Act 2012 to strengthen children’s privacy protection, to prevent access of a My Health Record for employment or insurance purposes, and to provide a right of deletion of a record, noting that these changes had been effectively embraced by the Amendment Act in 2018. It rejected, however, a recommendation that all Australians be provided with record access codes accompanied by the ability to decide on a case by case basis whether to make the record available to a clinician. In this regard, the report observed that “asking for a PIN, and requiring consumers to remember their PIN, [would] interrupt the clinical workflow and impede use of the record”.

Draft guidelines for regulating the collection of contact tracing information

On 20 November 2020, the Office of the Australian Information Commissioner (OAIC) and State and Territory health authorities published draft guidelines intended to harmonise the various Australian jurisdictional requirements regarding the collection of personal information from patrons for COVID-19 contact tracing purposes. Governments are encouraged to follow the guidelines when requiring businesses or venues to collect data from customers, including collection via digital check-in services such as apps and QR codes. Focussing on the need to protect personal information, the draft Requirements to collect personal information for contact tracing purposes seek public feedback on matters such as data minimisation, security, purpose limitation, retention and deletion. Mindful of the small business exemption which applies to businesses with an annual turnover of less than $3m, the guidelines encourage digital check-in providers which are not already covered by the Privacy Act to opt in to coverage pursuant to section 6EA of the Act. State instrumentalities which implement government-developed digital check-in services, and which do not have enforceable privacy laws (for example, in Western Australia), are encouraged to opt in to coverage of the Privacy Act pursuant to section 6F of the Act.