On 20 August 2020, the Federal Court ordered that online health marketplace HealthEngine pay $2.9 million for breach of the Australian Consumer Law (ACL).1 HealthEngine admitted liability for engaging in misleading conduct under the ACL by sharing personal information of customers with private health insurance brokers without consent. HealthEngine also admitted to removing or manipulating customer reviews. These proceedings demonstrate the Australian Competition and Consumer Commission’s (ACCC) increasing role in protecting digital privacy and data sharing in Australia.
HealthEngine hosts an online directory which facilitates patient bookings with over 70,000 health practices and practitioners in Australia. Part of HealthEngine’s business involves the publishing of reviews and ratings to enable these patients to identify health practices or practitioners which are suitable for their needs.
In August 2019, the ACCC commenced Federal Court proceedings against HealthEngine for misuse of patient data and for manipulating reviews.2 The ACCC claimed that, from 31 March 2015 to 1 March 2018, HealthEngine did not publish negative patient feedback, edited patient feedback before it was published as a review and misrepresented the reasons why it did not publish a rating for some health practices. Additionally, the ACCC claimed that, during the period 30 April 2014 to 30 June 2018, HealthEngine provided personal information supplied to it by patients to third-party private health insurance brokers, in return for a fee, without obtaining consent from patients and without adequately disclosing that this would occur. This information allegedly included names, dates of birth, email addresses and phone numbers of over 135,000 patients.
In relation to the harm suffered, the ACCC claimed that in failing to disclose information from other patients regarding the quality of health care providers, consumers may have chosen a provider that they otherwise would not have. Additionally, the ACCC claimed that such conduct created a false impression about the quality of health care providers, which influenced consumers to use the HealthEngine platform. HealthEngine’s failure to properly disclose their use of patient details was also alleged to have deprived patients of the opportunity to control the transfer of their personal information. Patients were therefore unable to make an informed choice regarding the use of their personal information in this way.
In support of its claims, the ACCC also argued that HealthEngine benefitted financially from engaging in the conduct above. This is because HealthEngine received a fee from every booking made through its platform and from insurance brokers to whom patients were referred.
Although the Office of the Australian Information Commissioner (OAIC) is Australia’s national data protection authority, recent action by the ACCC suggests that it is more willing to intervene in privacy matters. For instance, in addition to these proceedings, the ACCC has also recently commenced proceedings against Google under the ACL alleging that Google did not obtain users’ informed consent before collecting their personal data and engaged in misleading conduct when collecting users’ location data. Additionally, the ACCC has also collaborated with the OAIC in the establishment of the Consumer Data Right (CDR) scheme, which will regulate consumer data sharing in the banking, energy and telecommunications sectors.3
As these proceedings demonstrate, penalties under the ACL are strict and severe. Given the ACCC’s willingness to intervene in these types of matters, businesses must therefore ensure that they are aware of their obligations under the ACL and that they provide clear and accurate information to consumers about how their personal information will be handled. Privacy policies should also be updated regularly, given that a failure to provide information to consumers may also be considered misleading or deceptive conduct under the ACL.