Key recent developments in the area of Technology, Media and Telecommunications are summarised below.
JUDGMENTS
Ruling on how to calculate IT employee's commission
On 31 January 2019, the Supreme Court of New South Wales
upheld an appeal by a software sales and services company against
the method by which a magistrate had calculated an employee's
entitlement to commission: Dialog Pty Ltd v Sklar [2019]
NSWSC 15. The decision serves as a reminder that parties to an
employment contract should ensure there is no ambiguity as to the
manner in which sales commission is to be calculated. The dispute
centred on whether, when calculating the employee's entitlement
to commission on the "gross margin" of revenue which he
generated for the company, his base salary and the cost incurred by
the employer in providing technical services to clients should be
deducted. The employment agreement provided no elaboration on what
was intended by "gross margin". Fagan J determined the
meaning of the expression in the context of a business by reference
to the Oxford Dictionary, being the "difference between the
sales revenue of a business and the costs of sales". As the
employee's base salary and superannuation, along with the
service costs of the company's technical staff and software
engineers, were "specifically and directly a cost of
generating the revenue", they were therefore to be deducted
from the revenue generated by the employee's sales prior to the
calculation of commission.
Penalty imposed on Optus for misleading billing information
On 6 February 2019, the Federal Court ordered Optus
Mobile Pty Ltd to pay a $10 million penalty to the Commonwealth for
making false and misleading representations about an Optus billing
service: Australian Competition and Consumer Commission v Optus
Mobile Pty Ltd [2019] FCA 106. The Optus billing service
enabled Optus customers to purchase digital content from third
parties and the associated charges would be billed to them via
their Optus accounts. Over a long period of time, a significant
number of customers unintentionally purchased digital content
through the service and were billed by Optus without their consent.
This was due to a range of factors, including Optus failing to
implement adequate safeguards against unintentional purchases
(customers were not required to verify their identity and/or the
details of a purchase in all cases) and Optus failing to
adequately inform customers they had been automatically opted into
the relevant service. By applying the associated charges to
customer accounts, Optus admitted it made false and misleading
representations to customers that they had agreed to acquire the
service when that was not the case. Optus admitted it had
contravened prohibitions against false and misleading
representations in relation to a financial service under the
Australian Securities and Investments Commission Act 2001
(Cth). In deciding whether to make the orders sought by the
parties, the Court considered whether the amount of the penalty
Optus had agreed to pay was appropriate in light of the relevant
considerations, including the need for specific and general
deterrence and the public interest in parties resolving matters
with regulators. The Court considered that Optus was liable for a
substantial penalty and ultimately decided $10 million was an
appropriate amount. The Court took into account several matters,
including that a portion of Optus' revenue earned through the
billing service would have been earned from customers who had in
fact agreed to be charged for relevant content (ie, not all
customers charged were non-consenting), Optus had already paid
around $8 million in refunds and Optus had begun to implement a
customer refund program.
No privacy breach by government in its use of prisoner information
On 6 February 2019, the Victorian Civil and Administrative
Tribunal (VCAT) dismissed a complaint that a State
government department had misused sensitive information relating to
a prison inmate: SET v Department of Health and Human
Services [2019] VCAT 113. The complainant was concerned that
personal information relating to his criminal history, contained in
a report prepared by the Department for a conciliation conference
relating to the placement of his grandchildren, had been provided
to his son. He asserted that this contravened Information Privacy
Principle 2.1(a) which limits the disclosure of personal
information to the primary purpose of collection and, in the case
of sensitive information, secondary purposes directly related to
the primary purpose. The Tribunal concluded that the disclosure was
in fact confined to the primary purpose of collection, namely, the
welfare of the children. The Department's investigative role
included reporting any welfare concerns to the Children's
Court, and it was obliged to provide a copy of its report to the
father of the children in accordance with Guidelines issued by the
Court. The question of whether the disclosure amounted to use of
the information for a secondary purpose accordingly did not
arise.
Software copyright decision by Federal Circuit Court overturned
On 26 February 2019, the Federal Court of Australia remitted a
software copyright infringement decision for rehearing by the
Federal Circuit Court after finding that the primary judge's
rulings were unsupported by sufficient evidence: CPL Notting
Hill Pty Ltd v Microsoft Corporation (No 2) [2019]
FCA 223. The matter concerned the award of $2.5m in damages by the
primary judge who found that the appellants had, amongst other
things, reproduced certain unlicensed Microsoft software when
selling computers with pre-installed Microsoft programs.
O'Callaghan J determined that the primary judge had made
findings of fact which were not open to the court. It followed that
an award of damages by the primary judge under section 115(2) of
the Copyright Act for infringement of copyright was not an
available remedy, nor was the award of additional damages under
section 115(4). In the latter regard, his Honour observed that the
discretion of the court to award "additional" damages
meant damages which were "additional to damages assessed and
awarded under section 115(2)" and hence, if no damages could
be awarded under section 115(2), section 115(4) could not be
enlivened. Noting that the primary judgment had been delivered
ex tempore, his Honour commented that whilst there were
some occasions when the delivery of ex tempore reasons may
be necessary or desirable, "this was not one of
them".
NEW LEGISLATION AND GUIDELINES
Bill seeks to curb exemptions for unwanted direct marketing activity
On 13 February 2019, legislation was tabled in the Senate by
Senator Stirling Griff of the Centre Alliance Party which sought to
address mounting customer complaints about two existing exemptions
from direct marketing communications – unwanted calls from
politicians and charities. Under the Spam Act 2003,
unsolicited commercial electronic messages (that is, emails and
text messages) are prohibited unless categorised as a
"designated electronic message" under Schedule 1, and
this category includes communications from a "registered
political party". Under the Do Not Call Register Act
2006, an exemption applies to telemarketing calls made by
registered charities to numbers listed on the Do Not Call Register.
Under the Telecommunications Legislation Amendment (Unsolicited
Communications) Bill 2019, all electronic messages containing
electoral matter, as defined in section 4AA of the Electoral
Act 1918, would be required to contain a functional
unsubscribe facility, whilst consumers would be given the ability
to specifically "opt out" of telemarketing calls from
registered charities by specifying that their number is not a
"charity-contactable number".
Legislation tabled to introduce Consumer Data Right
On 13 February 2019, the Treasury Laws Amendment
(Consumer Data Right) Bill 2019 was tabled in the House of
Representatives.
As previously reported, the CDR will give both individual and
business consumers expanded rights of access to data held about
them by businesses. It will also give such consumers access to data
about products and enable them to share such data with accredited
third party recipients. The CDR is a mechanism for enabling
individual and business consumers to access information about
themselves and about their service providers' products, and to
direct their existing service provider to share that information
with other service providers. It is proposed that initially the CDR
will be confined to the banking sector, with telecommunications
providers and energy companies to follow. The CDR enables consumers
to access a broader range of information than is currently provided
for by Australian Privacy Principle (APP) 12 in
the Privacy Act 1988 (Cth). While APP 12 allows
individuals to access "personal information" about
themselves, the CDR applies to data that relates to businesses as
well as individuals and provides access to information about a
service provider's products as well. As the CDR embraces
competition and consumer matters, the new scheme would be regulated
jointly by the Australian Competition and Consumer Commission and
the Office of the Australian Information Commissioner. The Bill was
referred to the Economics Legislation Committee for report by 18
March 2019.
Queensland criminalises "revenge porn"
On 21 February 2019, the Criminal Code (Non-consensual Sharing
of Intimate Images) Amendment Act 2019 came into effect in
Queensland, amending the Criminal Code by introducing a
range of new offences relating to what is loosely described as
"revenge porn". A new section 223 establishes a
misdemeanour of "distributing intimate images" which
attracts a maximum penalty of 3 years' imprisonment, whilst
penalties are increased by sections 227A and 227B for the existing
offences relating to "observations or recordings in breach
of privacy", and the distribution of "prohibited visual
recordings". A new section 229A penalises threats to
distribute intimate images or prohibited visual recordings. The
term "intimate image" is defined in section 207A and
extends to photoshopped images, and section 223(2) expressly
provides that a person under the age of 16 years is incapable of
providing consent for the distribution of intimate images.
POLICIES, REPORTS AND ENQUIRIES
Treasury Issues Paper seeks feedback on "Initial Coin Offerings"
In January 2019, the Treasury released its Initial
Coin Offerings Issues Paper. The paper emphasised the
Australian government's aspiration of becoming a global leader
in financial innovation, including with respect to the regulatory
aspects of an Initial Coin Offering (ICO).
Although ICOs have some parallels with Initial Public Offerings,
venture capital and crowdfunding, the ways in which they are
structured can be quite distinct from existing forms of capital
raising. These distinctions are seen to be testing regulatory
frameworks around the world. The Issues Paper sought the views of
interested parties on the opportunities and risks posed by ICOs for
Australia; whether Australia's regulatory framework is well
placed to allow those opportunities to be harnessed whilst
appropriately managing the associated risks; and, whether there are
other actions that could be taken to best position Australia to
capitalise on new opportunities. Specifically, the Issues Paper
posed questions relating to the categorisation of ICO tokens, the
drivers of the ICO market (including distributed ledger technology,
investor speculation and the growth of digital token exchanges),
and the opportunities and risks for industry, consumers, investors,
and the economy at large. Responses to the Issues Paper were sought
by 28 February 2019.
Consultation paper on "Software as a Medical Device"
The Therapeutic Goods Administration
(TGA) recently issued a consultation paper
outlining proposed regulatory reforms to software used as a medical
device which is not associated with a physical device. Software of
this kind is known as "Software as a Medical Device" or
"SaMD". SaMD operates on general
computing platforms (including mobile devices) and is used for a
purpose which is consistent with the definition of a "medical
device" in the Therapeutic Goods Act 1989 (Cth). A
SaMD product may be used, for example, to analyse medical images
and provide information to assist a clinician to diagnose and treat a
patient. SaMD may be contrasted with medical device software which
is embedded into and/or which controls a physical medical device.
The proposed reforms seek to address several regulatory problems,
including the ability of individuals to currently acquire SaMD
products from overseas suppliers which are not included in the
Australian Register of Therapeutic Goods (ARTG)
and which do not therefore have a local sponsor with responsibility
for the product. The TGA proposes a new classification system for
SaMD products based on their associated risk of harming patients,
excluding SaMD products from the personal importation exemption
provisions (which would require all SaMD to be included on the ARTG
and have a local sponsor), and clarifying the relevant regulatory
requirements for demonstrating the safety and performance of SaMD
products. We have reported in more detail on the TGA's proposed
reforms
here. The consultation period is due to end on 31 March
2019.
Queensland Information Commissioner assesses the adequacy of privacy training for government employees
On 12 February 2019, the Office of the Information Commissioner in
Queensland issued a report under section 135 of the Information
Privacy Act 2009 (Qld) on the adequacy of privacy training by
three Queensland government agencies – the Department of
Communities, Disability Services and Seniors, TAFE Queensland and
the Public Trustee: Awareness of Privacy Obligations: How three
Queensland Government Agencies Educate and Train their Employees
about their Privacy Obligations. The Commissioner concluded
that the effectiveness of training varied amongst the agencies
concerned, reflecting different training content, different
requirements for completing the training and different processes
for ensuring that employees completed the training. The content of
training information was accurate in the case of each agency, but
did not necessarily include all relevant elements. Furthermore,
whilst the agencies ran various internal awareness campaigns, their
ultimate utility was questionable in the absence of mandatory,
periodic refresher training. The Commissioner's findings
contain a relevant message not only for Australian governments but
also for the private sector in relation to the need for appropriate
and effective privacy awareness training.
ACCC releases discussion paper on extension of Consumer Data Right to the energy sector
On 25 February 2019, the Australian Competition and Consumer
Commission (ACCC) issued a discussion paper as
part of the consultation process on how best to apply the new
Consumer Data Right (CDR) to the energy sector:
Consumer Data Right in Energy: Consultation paper – Data
Access Models for Data Energy. As we have
previously reported, and as mentioned also in this Update, the
CDR data portability scheme will be phased into the banking sector
over a period of two years from 1 July 2019, to be followed by a
CDR applicable to the energy and telecommunications sectors. The
ACCC is now seeking comments on three proposed models for consumers
to access their data in the energy market, noting that one
complication unique to the energy sector is that energy data
relating to an individual may be held by a number of organisations
and it may not be possible for a single entity to provide
sufficient data alone. "Model 1" proposed by the ACCC
contemplates a centralised model under which the Australian Energy
Market Operator (AEMO) would be the sole holder of
a centralised data set, to be shared by AEMO with accredited data
recipients via Application Programming Interfaces. Model 2
contemplates AEMO performing a gateway function, acting as a
pipeline for the provision of CDR data from data holders which may
include retailers and potentially also distributors, to accredited
data recipients. Model 3 is described as "the economy-wide CDR
model", involving existing data holders (e.g. retailers) being
responsible for providing CDR data directly to accredited data
recipients and/or consumers (this is in effect the model used for
the banking sector). Submissions on the options were due to close
on 22 March 2019.
Treasury releases Privacy Impact Assessment on proposed Consumer Data Right
On 1 March 2018, the Treasury released the second version of its
Privacy Impact Statement for the proposed CDR in accordance with
the Privacy (Australian Government Agencies – Governance)
APP Code 2017 and the Office of the Australian Information
Commissioner's Guide to Undertaking Privacy Impact
Assessments (PIA). In addition to our comments
above, we have commented previously on the
CDR and the Commonwealth agencies'
APP Code. Whilst acknowledging that the CDR offered individuals
a range of benefits relating to privacy, competition, convenience
and choice, the PIA also highlighted a number of potential threats
which "could lead to substantial financial, personal and
emotional loss" if not carefully monitored. The PIA contained
10 recommendations, emphasising the need for ongoing behavioural
research and consumer testing regarding the design of the CDR
system (Recommendation 1), the creation of rules which would ensure
that consent is genuine and protects vulnerable individuals
(Recommendation 3), the importance of rules and standards remaining
across sectors as the scheme progresses beyond the banking industry
(Recommendation 5) and the need to ensure that CDR data held by
data recipients is not inappropriately accessed by the data
recipient's employees (Recommendation 6).
Government releases data sharing guide
On 15 March 2019, the Department of the Prime Minister and Cabinet
released a Best Practice Guide to Applying Data Sharing
Principles. The guide is intended to assist government
agencies in determining how to share public sector data under their
control in a manner which maintains the requisite degree of privacy
and security. The Guide draws upon five Data Sharing Principles
developed by the Office of the National Data Commissioner and the
Australian Bureau of Statistics, an initiative which in turn drew
upon the internationally recognised Five Safes Framework. The five
Data Sharing Principles are:
- Projects: Data is shared for an appropriate purpose that delivers a public benefit;
- People: The user has the appropriate authority to access the data;
- Settings: The environment in which the data is shared minimises the risk of unauthorised use or disclosure;
- Data: Appropriate and proportionate protections are applied to the data; and
- Output: The output from the data sharing arrangement is appropriately safeguarded before any further sharing or release.