Key recent developments in the area of Technology, Media and Telecommunications are summarised below.
No privacy breach where state agency exchanges personal information with local council
On 9 August 2019, the New South Wales Civil and Administrative Tribunal concluded that there was no breach of the Privacy and Personal Information Protection Act 1998 (NSW) by a government agency which forwarded to a local council details of an inquiry received from a member of the public: DMW and DMX v NSW Rural Fire Service  NSWCATAD 158. The Applicant, who was seeking approval to clear trees and rebuild a broken fence, had applied to the Rural Fire Service (RFS) for a hazard reduction certificate. The application for a certificate was refused, and the RFS forwarded particulars associated with the application to the Hawkesbury City Council because of concerns that the Applicant was threatening to clear vegetation illegally. The Tribunal concluded that the RFS did not breach section 18 of the Act, which prohibits the use of personal information by a public sector agency for purposes unrelated to the reason for collection, because the disclosure to the council fell within the "law enforcement" exemption in section 23(5)(a). Section 23(5)(a) permits disclosures "in connection with proceedings for an offence or for law enforcement purposes". Relevantly, the Tribunal accepted that the council's law enforcement powers in relation to the unauthorised clearing of vegetation were police-like functions".
Federal Court orders that access to offshore infringing websites be disabled
On 19 August 2019, the owners of the copyright in a range of cinematograph films secured an injunction in the Federal Court under section 115A of the Copyright Act 1968 (Cth) which required carriage service providers Telstra, Optus, Vocus, TPG and Vodafone to disable access to offshore pirate sites: Roadshow Films Pty Ltd v Telstra Corporation Limited  FCA 1328. Section 115A(1) allows a copyright owner to require a carriage service provider to disable access to online locations outside Australia which infringe or facilitate the infringement of copyright an which have the primary purpose of doing do. Thawley J was satisfied that the offshore websites, which enabled the linking, streaming and torrenting of motion pictures without licence, flagrantly infringed the applicants' copyright with the objective of generating advertising revenue. In the circumstances, disabling access to the various online locations was a "proportionate response...and in the public interest".
Federal Court rules on patentability of computer-implemented invention
On 13 September 2019, the Full Court of the Federal Court dismissed an appeal against a ruling by the trial judge that a computer-image invention was not patentable subject-matter: Encompass Corporation Pty Ltd v InfoTrack Pty Ltd  FCAFC 161. The court held that the invention did not involve a manner of manufacture, consistent with the precedent set in CCOM Pty Ltd v Jiejing Pty Ltd (1994) 51 FCR 260, RPL Central Pty Ltd v Commissioner of Patents  FCA 871 and Research Affiliates LLC v Commissioner of Patents  FACFC 150. In reaching its decision, the court emphasised that the claimed invention must be to a specific computerised business method, not the application of an abstract idea using generic computer technology. The generic computer implementation of an abstract idea was insufficient to demonstrate a manner of manufacture involved in the method.
Federal Court rules on failed commercialisation relationship
On 2 October 2019, Burley J in the Federal Court of Australia delivered a much-anticipated judgement addressing the fallout from an unsuccessful commercialisation relationship: University of Sydney v ObjectiVision Pty Limited  FCA 1625. A range of issues were in dispute but, common to many commercialisation ventures, the findings of the Court regarding joint copyright ownership in a computer program, the meaning of "not unreasonably withholding consent" and the operation of the defence of estoppel were particularly informative. In relation to the joint ownership of software code, his Honour rejected the University's contention that it is necessary for all joint authors to be identified and proved, and that it is necessary to establish that "any such author worked on [the computer program] in its entirety, rather than on a discrete part of it". His Honour observed that "the Court must be in a position to conclude that the elements of collaboration and non-separate contribution are present, but there is no obligation for the party asserting joint authorship to tease out in evidence every aspect of the contribution".
ACCC institutes proceedings against Google
On 29 October 2019, the Australian Competition and Consumer Commission (ACCC) instituted proceedings against Google LLC and Google Australia Pty Ltd, alleging that Google engaged in misleading conduct and made false or misleading representations to consumers about the personal data which it collects: Australian Competition and Consumer Commission v Google Australia Pty Ltd & Anor (NSW Federal Court Registry, file number NSD1760/2019). The proceedings, which come in the wake of the ACCC's Digital Platforms Inquiry (upon which we have previously commented) centre upon representations made by Google to users of the Android Operating System in 2017 and 2018 that Google would not obtain data about an individual's location or, if it did, such data would only be used for the user's own purposes. The ACCC asserts that this is in fact not the case, citing in particular the fact that during set-up of a Google account, users were previously not notified that even if "Location History" is turned off, Google could continue to obtain, retain and use personal data about the user's location unless they also switched off "Web & App Activity". The ACCC further asserted that on-screen statements explaining how location data would be used when customers accessed their "Location History" were misleading, involving a failure to disclose that the data could be used for a number of purposes unrelated to the customer's use of Google services.
New Legislation Guidlines
Proposed consumer credit reporting and hardship laws will have implications for Privacy Act.
On 15 August 2019, the Commonwealth government invited public comment on exposure draft legislation relating to its proposed mandatory comprehensive credit reporting and hardship arrangements. Part IIIA of the Privacy Act 1988 (Cth) addresses the activities of credit reporting agencies and credit providers in relation to the handling of personal credit information. Part of the philosophy underpinning Part IIIA is that individuals should be prevented from borrowing money which they cannot afford to repay, meaning that it is in the public interest for credit reporting agencies to be fully informed. A shortcoming in the existing scheme, however, is that it is not mandatory for credit providers to notify credit reporting agencies about an individual's credit history, meaning that credit reporting data is potentially compromised. The government introduced legislation in 2018 to address this shortcoming by amending the National Consumer Credit Protection Act 2009 to mandate participation by credit providers in the credit reporting scheme, but the National Consumer Credit Protection Amendment (Mandatory Comprehensive Credit Reporting) Bill 2018, which was passed in the House of Representatives on 25 June 2018, lapsed on 1 July 2019 after parliament was prorogued for the federal election. The government's new exposure draft, now titled the National Consumer Credit Protection Amendment (Mandatory Credit Reporting and Other Measures) Bill 2019, provides that for the most part the Privacy Act will remain unchanged, save for amendments to section 20Q ("Security of credit reporting information") which will be amended to require credit reporting information to be stored in Australia.
Consumer Data Right legislation introduced
On 13 August 2019, the Treasury Laws Amendment (Consumer Data Right) Act 2019 (Cth) came into effect, introducing amendments to the Competition and Consumer Act 2010. We have previously reported that an earlier iteration of the legislation lapsed on 11 April 2019 when Parliament was prorogued for the federal election. The legislation is intended to provide individuals and businesses with a right to access information held by other businesses regarding transactions which they have entered into as consumers and to authorise secure access to this data by trusted and accredited third parties. The legislation will initially apply to the banking sector before being rolled out to the energy and telecommunications sectors. The fact that the legislation addresses the rights of business consumers as well as individual consumers distinguishes it from the narrower scope of the Privacy Act 1988, even though the two Acts will interact to some extent. The legislation is supported by the Consumer Data Right (Authorised Deposit-Taking Institutions) Designation 2019, issued on 4 September 2019, which designates the banking sector as being the first industry to be subject to the new scheme. The legislation is already the subject of proposed amendment, with the Treasury Laws Amendment (2019 Measures No 2) Bill 2019 currently before the House of Representatives – the amendment legislation would introduce a requirement that Consumer Data Rules made by the Australian Competition and Consumer Commission (ACCC), as we have previously discussed, must include an obligation on accredited data recipients to delete CDR data in response to a request from a CDR consumer.
Negotiations begin for CLOUD Act agreement with the US
On 7 October 2019, the Minister for Home Affairs announced the commencement of formal negotiations for a bilateral agreement under the US Clarifying Lawful Overseas Use of Data Act, otherwise known as the CLOUD Act. The CLOUD Act, enacted in 2018, is designed to facilitate access by foreign, "trusted" partners to US-based global providers. The process is seen to be quicker and more efficient than traditional access requests through the mutual legal assistance process. A condition of participation is that foreign countries must be able to demonstrate the existence of robust protections for privacy and civil liberties, and concern has been expressed that Australia's anti-encryption laws, which give law enforcement agencies the power to issue "technical capability notices" requiring technology companies to provide assistance or introduce technical changes to their platforms, might fail to satisfy this threshold. The Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018 (the Assistance and Access Act), which introduced the changes to Australia's legislation in December 2018, has previously been discussed in our TMT Update.
Identity-Matching Bill withdrawn
On 30 October 2018, the Parliamentary Joint Committee on Intelligence and Security delivered a bi-partisan recommendation that the Identity-Matching Services Bill 2019, and the related Australian Passports Amendment (Identity-matching Services) Bill 2019, be withdrawn and redrafted. We have discussed the Bill in a previous TMT Update. The Bill proposed a legal framework which would enable the matching of passport photos and Australia-wide drivers' licence photos under a national facial-recognition scheme. It was criticised by the Committee over the threats it posed to the privacy rights of individuals, specifically in view of the degree and manner of access allowed to governments in respect of private biometric information. The Committee concluded that the regime should be restructured around "privacy, transparency and subject to robust safeguards", and should be subject to Parliamentary oversight. There should be annual reporting on the use of the identity-matching services, and the primary legislation should specifically require that there be a Participation Agreement setting out in detail the obligations of all parties (essentially the Commonwealth, States and Territories) participating in the identity-matching services.
Policies, Reports and Inquires
Quarterly data breach statistics released
On 27 August 2019, the Privacy Commissioner released the Notifiable Data Breaches Quarterly Statistics Report for the period 1 April to 30 June 2019. The statistics revealed that during the quarter, there were 245 notifications, consistent with the quarterly volume since the mandatory notification scheme commenced in February 2018. The most common form of data breach involved malicious or criminal attack (62%), followed by human error (34%). Emailing to the wrong address was the most prominent form of human error, with the mishandling of contact information accounting for 90% of notifications. The health sector reported the most breaches during the quarter, slightly ahead of the finance sector. The Privacy Commissioner commented that the reporting regime was now "well accepted" and that "putting data breaches in the spotlight has heightened awareness of the privacy rights of consumers".
Facebook, AI Group, respond to ACCC's recommended reforms to social media platform laws
On 12 September 2019, both Facebook and the Australian Industry Group responded to the ACCC's Digital Platforms Inquiry final report. As we have previously discussed, the report made wide-ranging recommendations for law reform, including to Australia's privacy laws. The recommended privacy reforms included an updated definition of "personal information", more stringent notification requirements relating to the collection of personal data, strengthened consent requirements and the introduction of a right of erasure (otherwise known as a "right to be forgotten"), to some extent bring Australia more into alignment with the EU's Global Data Protection Regulation (GDPR). Facebook submitted in response that it supported the extension of the GDPR into Australia, but expressed concern that the ACCC was recommending a "substandard version of the GDPR", adding that it lacked the "critical subtleties" of the GDPR's approach to "personal data" and was "out of step" with the GDPR in the way it addressed the legal bases for processing data. The AI Group argued that the GDPR "cannot simply be implemented in Australia" and that it was premature to be adopting some GDPR concepts which were still relatively new.
Australian Government responds to ACCC's recommended reforms to social media platform laws
On 12 December 2019, the Australian Government released its response to the ACCC's Digital Platforms Inquiry final report. As we have previously discussed, the report made wide-ranging recommendations for law reform, including to Australia's privacy laws. In addition to foreshadowing a commitment to address bargaining power concerns and a staged process to reform media regulation, the response reiterated an earlier commitment to increase penalties for privacy breaches and to "strengthen Privacy Act protections". Most significantly, the government agreed with the ACCC's recommendation that the OAIC should develop a binding privacy code to apply to social media platforms and other online platforms that trade in personal information. The government foreshadowed legislation to "require these entities to be more transparent about data sharing; to meet best practice consent requirements when collecting, using and disclosing personal information; to stop using or disclosing personal information upon request; and include specific rules to protect personal information of children and vulnerable groups". In relation to consumer protection, the government foreshadowed "amending the definition of 'personal information' in the Privacy Act to capture technical data and other online identifiers; strengthening existing notice and consent requirements to ensure entities meet best practice standards; and introducing a direct right of action for individuals to bring actions in court to seek compensation for an interference with their privacy under the Privacy Act".
Government releases discussion paper on sharing public sector data.
We have previously reported on the Productivity Commission's recommendations for a new regime governing access to public sector data. Consequent upon the Productivity Commission's recommendations, the Office of National Data Commissioner was established within the Department of the Prime Minister and Cabinet in 2018. In July 2018, the Commonwealth government invited public comment on an Issues Paper outlining a draft Data Sharing and Release Act. In September 2019, in response to submissions received in relation to the draft legislation, the government issued a Discussion Paper, entitled Data Sharing and Release: Legislative Reforms Discussion Paper. The Discussion Paper acknowledges that privacy and security must be addressed in any open data regime, but adds "closed data protects privacy, but carries the risk that research does not use the best information, government policies are not targeted where they are most needed, and citizens find it difficult and annoying to access government services". The Discussion Paper further posits that "closed data keeps the Australian public in the dark about what government does with the data it collects and holds". The proposed legislation would empower the government to share public sector data for specified purposes, subject to oversight from the National Data Commissioner working in conjunction with the Australian Information and Privacy Commissioner.
OAIC releases draft CDR guidelines
We have previously reported on the proposed Consumer Data Right which will commence in February 2020 in the banking sector, giving individual and business consumers a data portability right and which will be subject in part to the oversight of the Office of the Australian Information Commissioner (OAIC). On 16 October 2019, the OAIC published draft Privacy Safeguard Guidelines for the Consumer Data Right. The draft Guidelines analyse each of the 13 Privacy Safeguards in detail, providing an outline of the mandatory requirements applicable to the banking sector, the Information Commissioner's interpretation of certain ambiguous obligations, and examples of how the privacy safeguards and Consumer Data Rules may apply in certain circumstances. The Guidelines, issued under s 56EQ(1)(a) of the Competition and Consumer Act 2010 will not, when finalised, be a legislative instrument or legally binding. The deadline for public submissions closed on 20 November 2019.
APRA and OAIC sign MOU governing collaboration
On 18 November 2019, a copy of a memorandum of Understanding between the Australian Communications and Media Authority (ACMA) and the Office of the Australian Information Commissioner (OAIC) was released. The MOU sets out mutual principles underpinning the working relationship between the two government agencies. The MOU foreshadows collaboration and information exchange between the agencies, particularly with respect to ACMA's powers and functions in relation to the Broadcasting Services Act 1992, the Radiocommunications Act 1992, the Telecommunications Act 1997, the Telecommunications (Consumer Protection and Service Standards) Act 1999, the Spam Act 2003, the Do Not Call Register Act 2006, and the Interactive Gambling Act 2001, and the OAIC's powers and functions under the Australian Information Commissioner Act 2010, the Privacy Act 1988, and Part 13, Division 5 of the Telecommunications Act 1997 The document addresses the need for regular liaison meetings and the need to ensure that requests for exchange of information comply with the authorised disclosure provisions under the enabling legislation of the respective agencies and any other applicable laws including the Privacy Act 1988.
ACMA publishes guidance note on changes in broadcasting and associated newspaper control
On 26 November 2019, the Australian Communications and Media Authority (ACMA) published Guidance Notes for ACMA Form B2/B3, dealing with notification of changes in control pursuant to sections 63 and 64 of the Broadcasting Services Act 1992. The Guidance Note is directed at the holder of a commercial television broadcasting licence, a commercial radio broadcasting licence, or a datacasting transmitter licensee who becomes aware that a person has ceased to be in a position to exercise control of the licence, and at any publisher of an associated newspaper who becomes aware that a person has become or has ceased to be in a position to exercise control of the newspaper. Specifically, under section 63 of the Broadcasting Services Act, a licensee or publishers must provide ACMA with details in a prescribed form within 10 days of becoming aware that become aware that "a person who was not in a position to exercise control ... comes into a position to exercise control of the licence or the newspaper", or that "a person who was in a position to exercise control ceased to be in a position to exercise control of the licence or the associated newspaper". Under section 64, the converse applies, being an obligation to notify ACMA if a person "not in a position to exercise control of a licence or an associated newspaper, becomes aware that the person becomes in a position to exercise control of the licence or the associated newspaper".
Health Privacy Issues
OAIC reports on digital health activities
On 18 November 2019, the Annual Report of the Australian Information Commissioner's activities in relation to Digital Health was released. The report sets out the OAIC's digital health compliance and enforcement activity during 2018-19 in accordance with s 106 of the My Health Records Act 2010 (Cth) and s 30 of the Healthcare Identifiers Act 2010 (Cth), as outlined in the 2017-19 memorandum of understanding between the OAIC and the Australian Digital Health Agency (ADHA). It was reported that during 2018-19, the OAIC received 57 complaints regarding the My Health Record system, 37 of which had been finalised. This was a significant increase in the number of complaints over the previous year (in which only 8 were recorded), indicating, in the Commissioner's view, an increased public awareness rather than a deterioration on compliance standards.
National Health Practitioner Ombudsman reports on enquiries and responses
In November 2019, the National Health Practitioner Ombudsman and Privacy Commissioner, Richelle McCausland, released her office's Annual Report 2018-19. It was reported that during the 12 month period, 1,035 approaches were received from members of the public and health practitioners, representing a 30% increase from the previous year. The Ombudsman concluded that her office had, as a consequence of acting upon these approaches, assisted in bringing about "significant improvements in the administrative actions of the Australian Health Practitioners Regulation Agency (AHPRA) and the 15 National Boards". Of the 128 investigations finalised during the year, 44 formal comments or suggestions were issued to AHPRA and the National Boards, whilst an own-motion investigation was launched (at the request of AHPRA) into the issue of safeguarding the confidentiality of people who make notifications about health practitioners.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.