Background

On 16 March 2018 the ACCC announced that it was taking proceedings in the Federal Court against the credit reporting body Equifax Pty Limited. The actions were alleging breaches of the Australian Consumer Law (ACL) which occurred between June 2013 and March 2017 regarding false and misleading representations to consumers.

It is interesting to note that the circumstances to which this ACCC proceeding relate are based on the same or substantially identical allegations made in a representative complaint under the Privacy Act 1988 (Cth) by the Financial Rights Legal Centre Inc and others against Equifax, then known as Veda Advantage Information Services & Solutions Limited in 2016. This resulted in a determination by the Privacy Commissioner that Veda had breached its obligations under the Privacy Act and the Privacy (Credit Reporting) Code. The Determination required Veda to provide free access to affected individuals.

What is the action about?

The facts on which the ACCC allegations are based relate to the provision of credit reports to consumers. Under the Privacy Act a consumer is entitled once a year to a free copy of their credit report or, more frequently if they are declined credit. In order to obtain that free report individuals need to provide sufficient information about their identity to ensure that they are in fact the individual entitled to the report. Individuals who are unwilling to wait the seven to 10 days that it takes to obtain a free report can pay for an express report. In addition, consumers who are concerned about identity theft may subscribe to a credit reporting service that advises them when their file is accessed by a lender.

The allegations in relation to the ACCC claim are that Veda / Equifax made false and misleading representations in relation to its paid reports, suggesting that they were more comprehensive than the free reports when they were not. It is also alleged that in its terms and conditions it misled consumers to understand that they needed to pay to have information corrected when in fact there is no fee allowed to be charged under law for this service. Additionally, individuals who subscribed to the credit reporting service found that their subscriptions were renewed annually unless they opted out in advance, and the ACCC has taken the view that this automatic renewal is an unfair contract term and void under the ACL.

Aren’t these ACCC allegations just limited to credit reporting bodies?

While it is true that the rules relating to credit reporting bodies and their obligations to provide free reports are unique, under the Australian Privacy Principles all businesses are required to provide individuals with the information they hold about them if an individual so requests. Organisations are also required to correct that information if requested by the individual. In an age where people are becoming increasingly concerned about their personal information, it is likely that requests may increase and organisations need to be ready to deal with this. Organisations also need to ensure that in doing so they do not misrepresent their obligations and the requirements of individuals to pay for enforcing their legal rights to access and correction.

Do privacy and competition law overlap? This case is interesting in that the misleading and deceptive conduct relates directly to privacy rights of consumers. For any business that deals directly with consumers the action by the ACCC makes it clear that they will seriously guard the rights of consumers and in the case of the automatic renewal of a consumer contract, it is again a reminder for companies that they cannot make the process of cancelling or terminating a contract difficult for consumers without risking adverse consequences.

Isn’t Equifax the company that was breached in the US?

Equifax Pty Limited, formerly Veda, was acquired by Equifax Inc. in 2016 and is a subsidiary. One of the key issues in the data breach in the US was the fact that individuals who were breached and needed to obtain their credit reports were directed to Equifax’s paid service. The US Federal Trade Commission, the equivalent of the ACCC, is investigating Equifax Inc’s actions in that case and there are recommendations that individuals who have been breached, especially in relation to their credit, should be able to access certain matters such as having their credit frozen to protect them from identity theft, for free and for a period of time.

It is possible that those recommendations will have a flow through effect to the Australian credit reporting industry and it is also possible that this will lead to some form of standard of remedial action for organisations generally in the case of a breach.