European Court of Justice invalidates EU–US Privacy Shield
The European Court of Justice (ECJ) recently considered the validity of the European Commission’s 12 July 2016 decision to approve the so-called EU–US “Privacy Shield”: Facebook Ireland Ltd v Maximillian Schrems C-311/18. The Privacy Shield was approved by the European Commission as a mechanism to satisfy a requirement under Article 45 of the General Data Protection Regulation (GDPR), which provides that member states can only transfer personal data to a country outside the EU if that country “ensures an adequate level of protection”. Whilst the US lacks “adequate” data protection laws for EU purposes, the effect of the European Commission’s approval was that data transfers were permitted from the EU to US organisations which had self-certified that they had implemented adequate data protection measures. The ECJ invalidated the European Commission’s decision principally out of a concern that US law enforcement agencies continue to have wide-ranging access to personal data held by US organisations participating in the Privacy Shield scheme, and this was not equivalent to protections afforded to personal data under the GDPR. Specifically, access to personal data by US law enforcement agencies was not subject to the principle of proportionality. The Privacy Shield also lacked a suitable complaints mechanism regarding the processing of personal data. As a result of the ECJ decision, for the time being at least, US corporations (like Australian corporations) will have to commit to the more cumbersome GDPR Standard Contractual Clauses if seeking to receive personal information from Europe.
UK awaits GDPR “adequacy” decision
As part of facilitating the implementation of Brexit, the EU’s GDPR will continue to form part of United Kingdom domestic law until 31 December 2020. After that date, Article 45 of the GDPR will apply to data transfers between the EU and UK, and EU member states will only be able to transfer personal data to the UK if the UK “ensures an adequate level of protection”. As a result, to ensure that personal data exchanges from the EU to the UK will continue seamlessly after 31 December 2020, the UK is currently awaiting a ruling from the European Commission as to whether the UK’s Data Protection Act 1998 is “adequate” for GDPR purposes. On 17 March 2020, the UK submitted that it had a “world-class data protection regime”, which provides “comprehensive protections for data subjects equivalent to those in EU law”. However, on 15 June 2020, the European Data Protection Board wrote to the European Parliament outlining its concerns about an agreement between the UK and US Governments which facilitates access to electronic evidence in criminal investigations, which the Board noted may not be fully compatible with EU primary and secondary law. Concerns have also been expressed about British surveillance laws (e.g. the Investigatory Powers Act 2016) and the UK’s membership of the “Five Eyes” Intelligence alliance. If the UK does not secure an “adequacy decision” by the end of 2020, UK corporations will need to rely upon the existence of “appropriate safeguards”, as defined in Article 46 of the GDPR, in order to continue to freely receive personal data from the EU. This would mean, in effect, that UK corporations (like Australian corporations) would have to commit to the more cumbersome GDPR Standard Contractual Clauses if seeking to receive personal information from Europe.
Medical clinic breached privacy by sending information to wrong email address
The Australian Information Commissioner has ordered a medical clinic to pay compensation to two complainants after the clinic emailed sensitive information to an incorrect email address: SD and SE and Northside Clinic (Vic) Pty Ltd (2020) AICmr 21. In a decision delivered on 12 June 2020, the Commissioner held that the clinic’s oversight amounted to a breach of Australian Privacy Principle 6 (Use or disclosure of personal information) because it involved the disclosure of sensitive information without consent and for a purpose not related to the reason for collection. The disclosure also amounted to a breach of APP 11.1 (Security of personal information) on the basis that the mistake was indicative of inadequate security measures to guard against unauthorised disclosure. The Commissioner found that the breach had caused distress and psychological damage to the first complainant, and had negatively impacted the life of the second complainant. Under section 52(1)(b)(iii) of the Privacy Act, compensation of $13,400 was awarded to the first complainant and $3,000 to the second complainant. The award took account of the fact that it was uncertain whether the email had been opened by the unknown recipient, that the respondent had followed up with the incorrect address seeking to have the email deleted, and that the respondent had also engaged with Google to have the email destroyed.
Penalty for misleading website testimonials
On 22 July 2020, the Federal Court of Australia ruled that an online tasking platform, which helped connect businesses with potential customers, had engaged in false and misleading conduct in contravention of sections 18 and 29(1)(e) of the Australian Consumer Law by publishing what appeared to be (but were not) genuine customer reviews of the relevant businesses profiled on its website: Australian Competition and Consumer Commission v Service Seeking Pty Ltd (2020) FCA 1040. A person who accessed the site in search of a business would be presented with the business’s profile, purported reviews and star ratings. In fact, many of the reviews were created by the businesses themselves through a “fast feedback” feature on the website and which were published automatically by a “default publish mechanism”. The effect of the publications was to create the false impression as to the number of favourable reviews and overall star rating of a business. Jackson J considered that “it may be inferred that the extent of the harm caused to consumers and businesses was significant”. In addition to issuing an injunction and an order for the publication of a corrective notice, his Honour imposed a $600,000 pecuniary penalty pursuant to section 224(1) of the Australian Consumer Law.
ACCC tackles Google on “misleading” consumer notification
On 27 July 2020, the Australian Competition and Consumer Commission (ACCC) announced that it had commenced proceedings against Google Inc. in the Federal Court of Australia, alleging that Google had misled consumers when obtaining their consent to expand the scope of personal information it collects and the use of that information for targeted advertising: Australian Competition and Consumer Commission v Google Inc NSD 816/2020. The issue arises out of a move by Google to combine personal information in consumers’ Google accounts with certain information about those consumers on non-Google sites which use Google’s ad-serving technology formerly known as DoubleClick. The ACCC alleges that a notification from Google to consumers in 2016, inviting them to click “I agree” in order to acquire new optional features, did not adequately disclose the extent of the proposed usage of personal information under the new arrangement. Among other things, the case will raise questions about the meaning of “consent” under the Privacy Act 1988 (which is simply defined as meaning “express or implied consent” but which the OAIC Australian Privacy Principles Guidelines state must be “adequately informed”); it may also raise questions about the effectiveness of the use of “I agree” clicking as a means of obtaining consent (an issue which has been intensely debated in the United States but which has received little judicial attention in Australia).
NSW Tribunal registrar not bound by privacy legislation
On 27 July 2020, the New South Wales Civil and Administrative Tribunal ruled that the Privacy and Personal Information Act 1998 (NSW) had no application to conduct undertaken by the Tribunal’s Registrar: Skiba v Department of Communities and Justice (2020) NSWCATAD 191. The Applicant had initially sought review of a decision by the Registrar in relation to an application to amend the name of a party in proceedings before the Tribunal. When that application failed, she applied under Part 5 of the Act for external review of the Registrar’s refusal. Section 6(1) of the Act provides that a court or tribunal is exempt from compliance with the Act’s Information Privacy Principles when exercising a judicial function. In the present case, the conduct under review was that of the Tribunal’s Registrar in circumstances where there were proceedings before the Tribunal that required determination. Senior Member Montgomery described the naming of parties bound by a determination as being “a central and important feature of any adjudicated decision” and, similarly, a refusal to amend the name of a party in proceedings before the Tribunal is related to those proceedings. On this basis, the Tribunal concluded that it had no jurisdiction to review the Department’s decision.
Mobile payment plan was not misleading
On 30 July 2020, the Full Federal Court rejected the ACCC’s appeal against the trial judge’s decision that TPG Internet (TPG), a retailer of mobile, internet and home telephone services, had not engaged in false and misleading conduct when advertising plans that required consumers to make a “prepayment” for excluded services (i.e., for any services the consumers wanted to use during the term of their plans that were not covered by their plans): Australian Competition and Consumer Commission v TPG Internet Pty Ltd (2020) FCAFC 130. The ACCC’s case was effectively that by using the term “prepayment”, TPG had represented to consumers that they could use all prepaid amounts in full and that they would not forfeit any prepaid amounts if they cancelled their contracts. The Full Court upheld the trial judge’s decision that TPG’s use of the word “prepayment” did not convey the meaning suggested by the ACCC, for reasons including that “the word prepayment is silent on how any balance of the prepayment would be treated at the end of the contract”. The Full Court was satisfied that the balance of the information provided by TPG to consumers, including a “Critical Information Summary”, made it clear that any remaining prepaid amounts at the end of the contract would be forfeited to TPG. The case turned largely on the application of familiar principles, but the Full Court took the opportunity to record its disagreement with the primary judge’s suggestion that one test of whether conduct is misleading or deceptive turns on whether a significant number of persons to whom the conduct was directed would be led into error. In the Full Court’s opinion, that test is “at best, superfluous … and, at worst, erroneous”. Where the relevant conduct is directed to the public generally or a section of the public (such as in this case), the appropriate test involves assessing the likely effect of the conduct on ordinary or reasonable members of the relevant class, disregarding reactions that might be regarded as extreme or fanciful.
Privacy Commissioner reminds video teleconference providers of privacy obligations
On 22 July 2020, the Australian Information Commissioner published an open letter to video teleconference providers, reminding them of their obligations to comply with the law and handle people’s information responsibly. The Commissioner noted that the COVID-19 pandemic had resulted in a sharp uptake in the use of video teleconferencing software, and that this had increased risks around the collection and use of personal information. Published in conjunction with six overseas data protection authorities, the letter targeted all video conferencing companies, but was also sent directly to Microsoft, Cisco, Zoom, House Party and Google. The letter was expressed as being a non-exhaustive list of the data protection and privacy issues associated with video teleconferencing, and specifically set out five principles under the headings: (1) Security, (2) Privacy-by-design and default, (3) Know your audience, (4) Transparency and fairness, and (5) End-user control. The letter concluded with the observation that “ease of staying in touch must not come at the expense of people’s data protection and privacy rights”. Our website article provides an overview of the Commissioner’s advice.
CDR expansion into energy sector gathers momentum
On 8 July 2020, the Australian Government released a consultation paper titled Energy Rules Framework in connection with the new Consumer Data Right (CDR), and more specifically in relation to the suitability of the Competition and Consumer (Consumer Data Right) Rules 2020 in their application to the energy sector. The CDR is a data portability mechanism for enabling individual and business consumers to access information about themselves and their service providers’ products, and to direct their existing service provider to share that information with other service providers. As reported in our last update, the CDR commenced in respect of the banking sector on 1 July 2020. The Consumer Data Right (Energy Sector) Determination 2020, made on 26 June 2020, established the scope of the expansion of the CDR into the energy sector. The intention is that the Rules will be regularly updated to reflect the requirements of this and other new sectors in the future. Against this background, the objective of the consultation paper is to seek stakeholder views on the preliminary positions taken by the government, as outlined in the paper, regarding the need for specific sectoral rules for CDR in energy and any necessary amendments to the Rules to accommodate the energy sector.
NSLM report on Telecommunications Interception and Access Act
On 9 July 2020, the Parliamentary Joint Committee on Intelligence and Security released a review of the Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018 (Cth), which was conducted by the National Security Legislation Monitor (NSLM). The Amendment Act, which as previously reported was passed by Parliament on 6 December 2018, provides police and intelligence agencies with new powers to agree or require significant industry assistance from communications providers, and ASIO is given significant new powers to seek and receive both voluntary and compulsory assistance. The NSLM’s review focussed on whether these expanded powers were proportionate to the threats they seek to meet. Recommendations in the NSLM’s report included the removal of the power of agency heads to issue Technical Assistance Notices (TANs) and of the Attorney-General to approve Technical Capability Notices (TCNs), and to vest these powers in the Administrative Appeals Tribunal. The review also contained a recommendation for the creation of a new statutory office – the Investigatory Powers Commissioner – to assist in approving the issue of TANs and TCNs while monitoring the operation of Schedule 1 and issuing guidelines.
Queensland government agencies urged to guard against re-identification of de-identified public sector data
On 16 July 2020, the Queensland Information Commissioner published a report relating to the risks of re-identification of de-identified public sector data: Office of the Information Commissioner, Queensland, Privacy and Public Data: Managing Re-identification Risk (Report No.1 to the Queensland Legislative Assembly for 2020-21). The report outlined how two Queensland government agencies manage privacy risks when releasing de-identified data. Stressing the need for a “methodical and robust risk management approach when releasing de-identified data on public platforms”, the report made four recommendations to all agencies that publish de-identified data: (1) assign a custodian to each published de-identified dataset; (2) implement and maintain policies or procedures that govern de-identified data releases; (3) regularly review existing de-identified datasets for changes in re-identification risk; and (4) when publishing de-identified data adequately capture, assess and treat re-identification risk.
Privacy risks associated with transport technology highlighted by Queensland committee
On 20 July 2020, the Queensland Parliament Transport and Public Works Committee published the report of its inquiry into transport technology. The inquiry reviewed the current state of Queensland transport technologies, and considered what might be needed in the future as these evolving technologies are introduced onto Australian roads and into Australian airspace. The report gave particular focus to technologies involving connected and automated vehicles and autonomous aircraft (including drones). It noted concerns about the vast amounts of personal information which would be generated by these technologies, and the need to address the security of data systems and privacy protections in general. It recommended that the State government work with the Federal government to develop and implement legal, policy and operational frameworks to deal with privacy breaches involving the tracking and location of individuals; the access by law enforcement agencies to transport data; the potential for privacy breaches involving conversations in vehicles; and generally, to strengthen State and Federal privacy legislation where necessary.
ABS considers privacy issues associated with 2021 census
On 21 July 2020, the Australian Bureau of Statistics (ABS) released the findings of two independent Privacy Impact Assessments conducted in relation to the 2021 Census: 2021 Census Privacy Impact Assessment and 2021 Census Administrative Data Privacy Impact Assessment. The key findings are contained in the former document, which incorporated three major structural recommendations and 17 detailed recommendations. The detailed recommendations included suggestions for compliance with Australian Privacy Principles 1 (Openness and Transparency), 3 (Collection), 5 (Notification), 11 (Security) and 12 (Access), and also compliance with the Australian Government Agencies Privacy Code. Much attention was paid to the Census Time Capsule: the Capsule is a full copy of the Census forms which individuals agree may be held by the National Archives of Australia and only released after 99 years. An independent security risk assessment was recommended in relation to the Capsule, together with greater clarity regarding an individual’s access rights. It was also recommended that responses to a new long-term health question be excluded from the Capsule. Whilst accepting all other recommendations, the ABS has rejected the recommendation regarding the exclusion of the health question from the Capsule, on the basis that participation of individuals in the Capsule is voluntary.
WA Government releases draft blueprint on digital inclusion
On 28 July 2020, the Western Australian Office of Digital Government released a draft Digital Inclusion Blueprint on how to make Western Australia more digitally inclusive. Minister for Innovation and ICT Dave Kelly defined the objectives of digital inclusion as “giving people of all ages, cultural and linguistic backgrounds, abilities, income levels and locations, the skills and tools to access and engage with digital technology and online services”, noting further that 11.6% of Western Australian households and 26% of the state’s lowest income earners do not access the internet. The draft blueprint identifies four key priority areas for digital inclusion, namely, digital connectivity, affordability, digital skills, and the design of online government services. Connectivity is seen as a major issue, with many regional communities in the state having access only to costly, poor-quality and low bandwidth internet. Affordability becomes an issue if financial stress is caused to people who rely on government services and support which is only accessible online. A deficiency in digital skills renders individuals more vulnerable to cyber-attacks, online scams and bullying, and misleading news, whilst many technologies “are simply not designed for a diversity of users and skills in mind, and as a result do not empower all Western Australians”. The Government is seeking feedback by 18 September 2020.
Algorithm Charter for New Zealand government agencies
On 28 July 2020, the New Zealand government released a Charter, signed by 21 agencies, relating to the use of algorithms by government: Algorithm Charter for Aotearoa New Zealand. The Charter notes that government agencies use algorithms in a variety of ways, ranging from the simple standardisation of business processes to the complex analysis of large datasets in support of decision-making. Properly utilised, algorithms could help government improve efficiency and eliminate human biases; but improperly implemented, the process could also perpetuate or even amplify bias whilst obscuring transparency and accountability. The Charter is expressed as a commitment by government agencies to carefully manage how algorithms will be used to strike the right balance between privacy and transparency, prevent unintended bias and reflect the principles of the Treaty of Waitangi. Charter signatories agree to assess algorithm decisions, using a colour-coded risk matrix, by specifically considering risks associated with the categories “transparency”, “partnership”, “people”, “data”, “privacy, ethics and human rights” and “human oversight”. The Charter will be reviewed after 12 months to assess whether it is achieving its intended purpose.
Businesses need to take care when collecting COVID-19 data from visitors to their premises
It has become commonplace during the COVID-19 restrictions for businesses to require contact tracing information from visitors to their premises. Information sought by businesses from visitors may involve just a name and contact details, or it might extend to temperature checks or particulars of symptoms which have become synonymous with the coronavirus. Our website article provides a 14-point checklist for businesses of issues of potential relevance to the collection and retention of such contact tracing information.
Businesses need to take care when collecting health information from their employees
Many business owners are uncertain about their rights and responsibilities in relation to collecting and handling health information about employees and workplace visitors in the context of the coronavirus pandemic. Common questions include: (1) am I permitted to collect this information; (2) how much can I reveal to others about the information collected; and (3) in the case of employees, does the employee record exemption in the Privacy Act in some way alleviate my responsibilities as an employer. Our website article summarises the key issues.