Judgements

Investigating a privacy complaint may constitute a breach of privacy

On 21 March 2022, an Appeal Panel of the New South Wales Civil and Administrative Tribunal ruled that a city council erred when it internally classified a confidential “code of conduct” complaint containing personal information as a “privacy complaint”, and that by dealing with the complaint under a different mechanism it in fact infringed the Privacy and Personal Information Protection Act 1998 (NSW) by not handling the personal information in accordance with the applicable Information Privacy Principles: Cessnock City Council v EMF [2022] NSWCATAP 72.  Specifically, in upholding the earlier decision of the Tribunal, the Appeal Board found that the council had breached Information Privacy Principles 3 and 10 (that is, the principles set out in sections 10 and 17 of the Act).  IPP 3 requires a public sector agency to inform an individual as soon as practicable that their personal information has been collected, and IPP 10 places restrictions on the use by a public sector agency of personal information for purposes other than those for which it was originally collected.  The Appeal panel was particularly influenced by the fact that the information had been provided to the council for a specific purpose, underscored by the fact that the individual labelled their submission as “confidential”.

Disclosure of suspect's name by NSW Police not a breach of privacy

On 5 April 2022, the New South Wales Civil and Administrative Tribunal ruled that the NSW Police had not infringed the Privacy and Personal Information Protection Act 1998  (NSW) when its media unit released an individual's name following his arrest on child sex offences: FBQ v Commissioner of Police [2022] NSWCATAD 110.  The applicant complained of a breach of section 18 of the Act which, inter alia, prohibits the disclosure by a public sector agency of personal information if the disclosure is not directly related to the purpose for which the information was collected.  The Tribunal accepted the respondent's contention, however, that the disclosure fell within the exemption contained in section 27(1) of the Act, namely, that subject to section 27(2), the NSW Police Force is not required to comply with the information protection principles.  The exception to the exemption in section 27(2) relates to disclosures by certain agencies, including NSW Police, “in connection with the exercise of their administrative and educative functions”.  The Tribunal was satisfied that the disclosures were “unrelated to the administration of the NSWPF, except in so far as they assisted the media with reporting on police activities”.

Huge fine for misleading website representations

On 22 April 2022, the Federal Court of Australia ordered Trivago to pay penalties of $44.7 million for making misleading representations about hotel room rates on its website: Australian   Competition and Consumer Commission v Trivago N.V. (No 2) [2022] FCA 417.  As we have  previously reported, the Full Court of the Federal Court upheld the previous decision that Trivago had breached the Australian Consumer Law  by representing that its website allowed users to identify the cheapest hotel room rates when in fact it used an algorithm which was weighted towards booking sites which paid Trivago the highest cost-per-click fee. Trivago also used strike-through pricing which gave consumers the false impression that rates represented better savings than they actually did. Justice Moshinsky ordered $44.7 million in penalties having regard to the seriousness and “highly misleading” nature of the conduct, the length of time over which the conduct occurred, the large number of affected consumers, the “substantial loss or damage” caused to consumers, and the “substantial revenue” Trivago derived from the contravening conduct. For a more detailed article on our website, authored by Tim Creek, Jessica Sapountsis and Lachlan Sadler, view  this link.

No remedy for disaffected iPhone customer

On 29 April 2022, the New South Wales Civil and Administrative Tribunal rejected a claim for compensation from Apple by the purchaser of an iPhone 13 who experienced difficulties in uploading data from his old phone to his new phone: Acuna v Apple Pty Ltd [2022] NSWCATCD 53.  The applicant alleged that after he followed instructions provided by an Apple employee, he experienced a “complete breakdown” of his mobile phone and computer.  The Tribunal rejected the assertion that Apple had breached a consumer guarantee, implied by section 60 of the Australian Consumer Law, that its services would be rendered “with due care and skill”.  The Tribunal observed that “perhaps the most fundamental problem with the applicant's case is that the applicant has not identified at all, yet alone with any specificity, what alternative advice a reasonable person in the position of the respondent would have given to the applicant”, adding that “there is no means by which the Tribunal can determine whether there was an alternative way for the applicant to upload data onto his new phone which would have been quicker or caused less inconvenience or disruption to the applicant”.  The Tribunal also rejected an alternative assertion that Apple had engaged in false or misleading conduct in breach of section 18 of the Australian Consumer Law, noting that the respondent's advice was in the nature of an opinion, and the applicant failed to establish that the respondent or its employee did not honestly hold the opinion or did not have a reasonable basis or adequate foundation for the opinion.

Viagogo loses appeal against Federal Court penalty

On 17 May 2022, the Full Court of the Federal Court dismissed an appeal by Viagogo AG against an earlier finding that it made misleading claims on its website relating to the reselling of tickets to live music or sporting events: Viagogo AG v Australian Competition and Consumer Commission [2022] FCAFC 87.  We have  previously reported that in 2020, the Federal Court imposed a penalty of $7m on the ticket reseller, having found that it misled consumers to the effect that it was the “official” seller of tickets to particular events and that certain tickets were scarce, in contravention of sections 18, 29 and 34 of the Australian Consumer Law (ACL), and that it had also failed to disclose that a significant booking fee was incorporated within the price, in contravention of section 48 of the ACL.  In dismissing the appeal, the Full Court upheld the earlier court findings and the $7 million penalty imposed by the trial judge who described the misleading claims as having been made “on an industrial scale”.

IT contract was not “standard form” for the purposes of the ACL

On 16 June 2022, the Federal Court of Australia ruled that a contract between an IT service provider and a vocational education services provider was not a “standard form contract” for the purposes of Part 2-3 of the Australian Consumer Law (“ACL”) and that the customer was not entitled to terminate the agreement after services were suspended by the service provider due to withheld payments: AIBI Holdings Pty Ltd v Virtual Technology Services Pty Ltd [2022] FCA 696. The judgement throws particular light on how courts will assess whether IT contracts are “standard form contracts”.  Section 23(1) of the ACL provides that a term of a small business contract is void if the contract is a “standard form contract” and if the term is “unfair”. The ACL does not define what a “standard form contract” is but section 27 provides a list of mandatory matters which a court must take into account when determining whether a contract is a standard form contract.  In the context of section 27, Perram J concluded that the agreement was not a “standard form contract” because the supplier did not have “all or most of the bargaining power”, even though it may have had the “upper hand”; the contract could not be regarded as pre-prepared by the supplier, given that the terms were largely the same as previous agreements between the parties; there was no evidence that the customer was required to either accept or reject the terms, given the parties' past history of negotiations; the customer had an effective opportunity to negotiate the terms; and there was evidence that the services offered by the supplier took into account the unique requirements of the customer.  Because the contract was not a “standard form contract”, the question of whether any terms were “unfair” accordingly did not require determination.

Former NSW deputy premier wins defamation case against Google Inc.

On 6 June 2022, the Federal Court of Australia ruled that Google was liable as a publisher of defamatory material concerning deputy premier John Barilaro posted to YouTube by comedian, Jordan Shanks-Merkovina, known online as “FriendlyJordies”: Barilaro v Google LLC [2022] FCA 650. The Court found that Google's conduct in allowing and maintaining uploads of the defamatory material on its platform, in breach of its own policies and guidelines for allowable content, made it liable as a publisher. The Court further found that Google's conduct in relation to the material complained of, along with its general conduct of the proceeding, was improper, unjustifiable and lacking on bona fides so as to justify an award of aggravated damages.

New Legislation & Guidelines

New Commonwealth government acts on credit reporting code

On 7 June 2022, the Commonwealth Attorney-General published the Privacy (Credit  Reporting) Code 2014 (Version 2.3), to take effect from 1 July 2022.  The Code supersedes the Privacy (Credit Reporting) Code 2014 (Version 2.2)  which, as we have  previously reported, had only just come into effect on 22 April 2022.   The CR Code is an integral part of the regulation under the Privacy Act  1988 (Cth) of credit reporting agencies and credit providers in relation to personal credit information.  It is read in conjunction with Pt IIIA of the Privacy Act  in order to provide a range of rights and responsibilities in relation to credit information handled by credit reporting bodies and credit providers.  Version 2.2 was introduced by the previous Federal government in April 2022 with a specific focus on financial hardship and emphasising the responsibility of credit providers to identify financial hardship situations and to assess a consumer's situation holistically in order to offer them a more suitable product. The new Code introduces variations which clarify definitions (e.g. “ordinary monthly payments” and “temporary financial hardship arrangement”); clarify how repayment history information is to be reported; introduce financial hardship information into Australia's credit reporting landscape (e.g. an obligation on credit providers to explain the impact of financial hardship arrangements to individuals); and which prevent financial hardship information being used in the calculation of credit ratings or scores in accordance with section 20E(7) of the Privacy Act.

Drone noise regulations come into effect

On 14 December 2021, the former Australian Government introduced the Air Navigation (Aircraft Noise) Regulations 2018 (“Noise Regulations”), setting out a new regulatory framework to better manage noise from drones. The Noise Regulations provided ReOC holders with grace period for compliance until on 1 July 2022. With the grace period over, ReOC holders may need to seek approval under the Noise Regulations where drone operations are likely to have a significant impact on the community. The Noise Regulations provide a number of exemptions to the requirement for seeking approval. Operating a drone that is not exempt under the Noise Regulations without an approval may amount to an offence under the Noise Regulations.

Policies, Reports & Enquiries

ACCC warns of potential competition issues affecting online marketplaces

On 28 April 2022, the Australian Competition and Consumer Commission released its fourth interim report arising out of the Digital Platform Services Inquiry.  Pursuant to the Competition and Consumer (Price Inquiry – Digital Advertising Services) Direction 2020 issued by the Commonwealth government in February 2020, the ACCC is to investigate advertising technology and provide six monthly reports up until 2025. The latest interim report is entitled Interim Report No.4 – General Online Retail Marketplaces.   The report raised a number of consumer concerns, including in relation to product display and data collection and, given the reliance consumers have on the tools that help them to reduce their search costs, such as the online marketplaces' search algorithms and the featuring of offers, the ACCC considered that online marketplaces should be more transparent about the factors that influence how prominently products are displayed.    The report gave significant attention to “network effects” as being an important feature of the business models of online marketplaces: the more sellers on the platform, the more attractive the marketplace is to consumers, and the more consumers using the platform, the more attractive it is to sellers. These network effects, including both the cross-side and same-side effects, mean there was the potential for “tipping” in favour of a single dominant firm, accompanied by a risk of significant competition issues.

Queensland contemplates privacy law reform

On 24 June 2022, the Queensland Department of Justice and the Attorney-General issued a Consultation Paper calling for submissions in relation to the reform of Queensland's privacy legislation: Proposed Reforms to Queensland's Information Privacy and Right to Information Framework.  In addition to the Commonwealth Privacy Act 1988 which regulates the handling of personal information in the private sector and the Commonwealth public sector, Queensland regulates privacy and data protection by means of the Information Privacy Act 2009 (Qld) which has two sets of principles – Information Privacy Principles which apply to state public sector agencies, and National Privacy Principles which apply to Queensland Health and Queensland's Hospital and Health Services.  The Consultation Paper seeks public input on: whether the Information Commissioner should have enhanced powers to investigate privacy breaches; whether Queensland should have a mandatory data breach notification scheme; and whether Queensland should adopt a single set of privacy principles that are more aligned with those in the Commonwealth Privacy Act.

Health Privacy Issues

Attendance records may inadvertently disclose health information

On 20 April 2022, the New South Wales Civil and Administrative Tribunal ruled that a local council breached the Health Privacy Principles contained in the Health Records and Information Privacy Act 2002 (NSW) when it reported on its website that a councillor was seeking to attend Council meetings remotely for a period of 5 months due to “medical” reasons: EIG v North Sydney Council [2022] NSWCATAD 127.  The Tribunal considered that the publication infringed Health Privacy Principle 4 which requires an organisation that collects health information to take reasonable steps to ensure that the individual is made aware of the purposes for which the information is being collected and the persons to whom the organisation usually discloses information of that kind. The Respondent conceded that the Applicant was not made aware that it was proposed to include the description “Medical” as the reason for their request to attend meetings remotely.  Senior Member Dunn was of the view that “had the Respondent done so, that would have provided the Applicant with an opportunity to withdraw their request so as to avoid the disclosure” and that “as such…there has been a breach of HPP4”.  The Tribunal further concluded that the disclosure infringed HPP 11 which requires that an organisation that holds health information for a purpose (secondary purpose) other than the purpose for which it was collected (primary purpose) must not disclose that information unless, relevantly, with the individual's consent or where the secondary purpose is related to the primary purpose and the individual would reasonably expect the organisation to disclose the information for the secondary purpose.

A breach of an information privacy principle is not necessarily a breach of a health privacy principle

On 28 April 2022, the New South Wales Civil and Administrative Tribunal ruled that a hospital infringed the Privacy and Personal Information Protection Act 1998  (NSW), but not the Health Records and Information Privacy Act 2002 (NSW), when a manager accessed personal information about an employee which was stored on the Paediatric Emergency Transport Service network: EPT v The Sydney Children's Hospital Network [2022] NSWCATAD 137.  The Tribunal considered that the network security setting lacked reasonable security such that there was a breach of s 12(c) of the Privacy and Personal Information Protection Act which requires a public sector agency to take “such security safeguards as are reasonable in the circumstances, against loss, unauthorised access, use, modification or disclosure, and against all other misuse” of personal information.  The fact that the applicant's personal information included sick leave information did not, however, amount to a breach of the corresponding Health Privacy Principle in the Health Records and Information Privacy Act, however, because these records were properly available to the manager.  The Tribunal ordered the respondent to pay the applicant $10,000 in compensation, and to provide the applicant with “an unreserved written apology addressing and apologising for the Respondent's breach”.

Failing to check the accuracy of old information may lead to a health privacy breach

On 27 April 2022, the New South Wales Civil and Administrative Tribunal ruled that the New South Wales Police Force infringed Health Privacy Principles 3 and 9 under the Health Records Information Privacy Act 2002 (NSW) by inaccurately recording that an employee was suffering a “psychological injury”: DTN v Commissioner of Police [2022] NSWCATAD 134.  HPP 3 requires health information to be collected directly from an individual unless it is impractical to do so and HPP 9 requires a public sector agency to refrain from using personal information unless it has taken reasonable steps to ensure that it is relevant, accurate, up-to-date, complete and not misleading.  In relation to HPP 3, the Tribunal observed that the information was not collected directly from the applicant but compiled by an employee of the respondent from other records; in relation to HPP 9, the Tribunal expressed concern over the fact that the source material was up to 10 years old, meaning that the respondent should have been alert to the fact that it was not out of date or misleading.  The Tribunal ordered the respondent to pay the applicant $7,500 in compensation, and to provide the applicant with “an unreserved formal written apology” apologising for the breach and “for all harm, distress and embarrassment caused to the Applicant resulting from such”.

Western Australia's COVID-19 contact tracing system faces scrutiny

On 18 May 2022, a report from the State Auditor-General was tabled in the Western Australian Legislative Assembly which examined the process employed by the Health Department in handling and examining data from COVID-positive individuals and their contacts via its cloud-based information gathering system, Public Health COVID Unified System (PHOCUS). There were a number of issues identified by the report, including the absence of data encryption to protect personal information, inadequate recording of who has access to sensitive data, a former contractor having ongoing sensitive information, and no restrictions to prevent malicious files being uploaded, amongst several other issues. The type of medical information collected from individuals included existing medical conditions, pathology results and medications. Auditor-general Caroline Spencer expressed concerns that the Department had not adequately protected the public's information, in part arising from the fact that WA does not have comprehensive public sector privacy laws, unlike most other states. This lack of transparency, she said, can lead to “erosion of trust in government institutions”. The report made four recommendations, including to improve transparency about the sources of personal information and the purposes of its use. WA Health has agreed to implement all of the changes, but continues to defend the contact tracing system as “one of the best systems in Australia, if not the world”.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.