For some time now in Australia we have witnessed a "cold war" between the consumer regulator, the Australian Competition and Consumer Commission (ACCC), and the privacy regulator, the Office of the Australian Information Commissioner (OAIC), over "consumer privacy" (which in the US has traditionally been the purview of the Federal Trade Commission). Until now this has mostly been an 'academic' discussion. However, with the launch of the "Consumer Data Right" in the banking sector (with other sectors soon to follow) and the recent successful action by the ACCC against HealthEngine Pty Ltd (HealthEngine), this is now a "real war" that has (and is likely to increasingly have) a material impact on businesses for privacy-related infringements in the "consumer privacy" space.

Background

We are already seeing a more aggressive enforcement stance from the OAIC (admittedly coming off a low base) in terms of its application to the Federal Court of Australia (Court) to impose massive fines on Facebook in relation to the Cambridge Analytica activities. In ACCC v HealthEngine Pty Ltd [2020] FCA 1208 (Case) we are seeing the ACCC stake its claim in the consumer privacy space, using consumer law to prosecute what are, effectively, privacy breaches.

The Case

HealthEngine is an online appointment booking engine which also provides ratings and rankings of numerous health practitioners. The Court found that HealthEngine had failed to publish many of the negative reviews of its paying health practitioner members (the reason for most of the remainder of the A$2.9 million penalty). Separately, HealthEngine offered a service to discuss an individual's health insurance needs (and make recommendations) if the individual indicated 'yes' on the online form when booking an appointment with a health practitioner (Referral Conduct).

As regards the Referral Conduct, HealthEngine did not itself provide this service (i.e. make the call to the individual). Rather, HealthEngine had a paid arrangement with nine health insurance brokers and would, on receiving a 'yes' in the online form, send the personal information of that individual to one of the nine third party brokers for that broker to call the individual to discuss their health insurance needs. While it was not claimed that HealthEngine stated anywhere that it solely performed the Referral Conduct, it was found that it was not made clear to the individual answering 'yes' that their personal information would be disclosed to anyone else or that the call to discuss their health insurance needs would not be performed by HealthEngine (but rather a third party insurance broker).

While there was no definitive statement either that HealthEngine would (a) not disclose any personal information or (b) itself respond to the 'yes' enquiry and call the individual to discuss the individual's health insurance needs, the Court held as regards the Referral Conduct that HealthEngine had not made it "adequately clear" on the online booking form that, if an individual answered 'yes', the individual's personal information would be sent to one of nine different third party health insurance brokers who would then make contact with the individual (and, presumably, had not adequately brought to the consumer's attention any such disclosure made in a privacy-related statement or policy).

This Referral Conduct occurred over a four-year period (2014 to 2018) and, while there was no compulsion on an individual to answer 'yes' to receive a call to discuss their health insurance needs, the Court confirmed that there was an obligation on HealthEngine to clearly inform individuals that (a) their personal information would be provided to a third party health insurance broker and (b) it would be that third party health insurance broker that called them to discuss their health insurance needs. Failure to do this was found to be conduct likely to cause people to believe that HealthEngine provided the relevant services (i.e. the discussion of the patient's health insurance needs) and that the person's personal information was not being disclosed to do so, both of which were misleading.

As a result, the Court imposed a pecuniary penalty of A$1.4 million for the Referral Conduct (out of a total penalty of A$2.9 million). In addition to this significant pecuniary penalty, the Court also ordered HealthEngine to:

(i) undertake an independent annual review of its existing compliance program (which would, in this case, likely also include its relevant privacy processes and policies) for a period of three years and to implement all changes identified as necessary for compliance by that independent reviewer, with written confirmation to the ACCC that those changes had been made; and

(ii) contact all persons whose personal information was provided to a health insurance broker during the period (2014 to 2018), informing them in a prescribed form of letter of certain specified matters, indicating that the Court had found such conduct contravened the Australian Consumer Law (ACL) and providing instructions on how that individual could request his or her personal information be deleted.

While (i) above is onerous, we suspect that (ii) will be (for some companies) an extremely difficult and costly exercise. In this case, HealthEngine will need to determine, for each individual that used its services, whether and to which broker their personal information was sent in order to provide those details to the individual. Unless HealthEngine's IT systems and database are set up appropriately and capable of doing this, and the relevant information has not been deleted, this will be a Herculean (and extremely expensive) task.

What this means in practice

In practice this confirms that a company's privacy policy (or other privacy-related statement) needs to be accurate and, as also required by the privacy law, clearly set out the purposes for which personal information is collected and used and to whom it will be disclosed (and for what purposes), and that these matters must be adequately brought to the consumer's attention. In fact, under the ACL, more may be needed to bring particular matters and/or disclosures of personal information to your customers' attention. Failure to do this (and to give that notice prior to, at the time of, or immediately after collecting the personal information from an individual for the first time) will breach the Privacy Act (for those covered by it) and, if the matters are not made adequately clear, the ACL for all businesses dealing with consumers (not just those subject to the Privacy Act).

What to do now

Unfortunately, whether the conduct is a breach of the Australian Privacy Principles (APPs), the ACL or both, in the consumer privacy area you are now likely to be exposed to enforcement action from both a now-more-aggressive OAIC and the aggressive ACCC. As a result, it is time to ensure that your privacy policy (at least) is up to date, is bespoke to you (i.e. not borrowed from another company you saw online or an off-the-shelf policy which is "close enough"), clearly reflects what personal information you collect, what you use it for and who you disclose it to (and why), and that your processes adequately bring these matters to the attention of your customers. The formula is simple: save a few thousand dollars now by not spending it on a bespoke privacy policy and your processes for notifying customers, or risk paying A$1.4 million later!

Given these developments and our strong belief that enforcement in the consumer privacy space will continue to escalate, to avoid a significant fine we recommend that you urgently:

  1. review your privacy policy to ensure that it clearly (and specific to your business) states what personal information you collect, why you collect it, what you use it for and to whom you disclose it (and for what purposes);
  2. ensure that your processes provide this privacy policy (or an appropriate privacy statement) prior to, on or immediately after the first collection of personal information from each individual;
  3. implement appropriate processes to ensure your organisation's compliance with privacy (and relevant consumer privacy) law and your privacy policy and, especially if handling significant volumes of consumer personal information, consider implementing an overarching privacy risk framework; and
  4. add the review of your privacy (at least your consumer privacy) compliance to your internal audit program or, if you do not have an internal audit program, list it for review at least every two years.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.