Australian Competition and Consumer Commission succeeds in alleging Google misled consumers regarding its location history settings. Privacy law enforcement via the Consumer Law

April 16, 2021

In a very significant decision of Australian Competition and Consumer Commission v Google LLC (No 2) [2021] FCA 367 the Federal Court, per Thawley J, has found that Google breached sections 18, 29 and 34 of the Australian Consumer Law (the “ACL”).  At 341 paragraphs it is a significant and detailed judgment.

Privacy policies and settings remain problematical in terms of practical, as opposed to theoretical, compliance with the Privacy Act 1988 and in providing consumers with a clear understanding of what the settings actually mean for them.  It does not help that settings are changed regularly and often without notice, with Facebook being particularly notorious in this regard.

It appears that the ACCC is stepping into the regulatory void that would otherwise be occupied by the Australian Information Commissioner in enforcing privacy protections.  By relying on misleading and deceptive conduct provisions of the ACL the ACCC is following the long established approach taken by the US Federal Trade Commission in bringing proceedings for misleading conduct where companies claim to protect privacy or have proper data security when in fact they do not.  That has led scholars to suggest that the FTC has developed a new common law of privacy. It would be a welcome development if the ACCC used its experience and superior litigation skills to enforce privacy protections in Australia.  The Information Commissioner has thus far had a dismal record in the Federal Court regarding consideration of the Privacy Act 1988.

The proceedings commenced in October 2019. Final orders will not be made for at least 14 days as the parties are to provide orders to reflect the court’s conclusions.  Given the nature of the findings it is reasonable to expect Read the rest of this entry »

Australian Information Commissioner v Facebook Inc; Federal Court rejects application to set aside ruling granting the Commissioner leave to serve process on the US Based Facebook

September 14, 2020

The Federal Court today dismissed an application by Facebook against a previous ruling granting the Australian Information Commissioner leave to serve legal documents on Facebook USA.

The issue in the application was Facebook contending that it did not carry out business in Australia.

The terms of the application and the supporting affidavit are not publicly searchable, yet. The hearing took place on 6 May 2020.

The orders of Justice Thawley are:

  1. The interlocutory application dated 6 May 2020 be dismissed.
  2. The written reasons for judgment not be published beyond the parties until further order.
  3. The parties have until 12 pm on 16 September 2020 to advise the Court of any orders for redactions sought, together with a concise written explanation as to why those redactions ought be made.
  4. Unless any party applies within 7 days for a different order with respect to costs, the first respondent pay the applicant’s costs of the interlocutory application.

The Commissioner had a restrained Read the rest of this entry »

ASIC commences action against RI Advice Group Pty Ltd for failing to have adequate cyber security

August 22, 2020

Today the Australian Securities and Investments Commission (“ASIC”) commenced proceedings against RI Advice Group Pty Ltd (“RI”).   It has been filed in the Federal Court Victorian Registry.  

RI holds an Australian Financial services licence and at all relevant times was a wholly owned subsidiary of the Australia and New Zealand Banking Group Limited (the ANZ).

According to the Concise Statement :

  • on 3 January or 3 March 2017 RI became aware of a ransomware attack on the computer systems of one of RI’s authorised representatives in 2016 which made files inaccessible [5];
  • on 30 May 2017 RI became aware another authorised representative’s files were hacked which affected 226 client groups [6]. 

ASIC alleges that in relation to each of those incidents RI should have but failed to:

 (a) properly review the effectiveness of cybersecurity controls relevant to these incidents across its AR network, including account lockout policies for failed log-ins, password complexity, multi-factor authentication, port security, log monitoring of cybersecurity events, cyber training and awareness, email filtering, application whitelisting, privilege management and incident response controls; and (b) ensure that those controls were remediated across its AR network where necessary in a timely manner, in order to adequately manage risk with respect to cybersecurity and cyber resilience.

  • between 30 December 2017 and 15 April 2018 an unknown malicious agent obtained and retained remote access to an authorised representative’s remote access to its file server and spent 155 hours accessing sensitive client information.  That resulted in 27 clients reporting unauthorised use of their personal information with that there were 3 attempts to redirect mail and multiple bank accounts being opened upon without consent.  There was a notification to the Australian Information Commissioner.  An investigation revealed that 8,104 individuals were exposed to the breach.

ASIC alleges that the risk management systems and resourcing relating to cybersecurity and cyber resilience were inadequate Read the rest of this entry »

Australian Competition & Consumer Commission sues Google for misleading and deceptive conduct… but it really is a breach of data privacy case

July 27, 2020

Last Friday the Australian Competition & Consumer Commission (“ACCC”) announced that it has commenced proceedings against Google LLC alleging misleading and deceptive conduct in failing to inform consumers and obtain their informed consent  from 2016 that it was combining their personal information in Google accounts with information gleaned from their activities in non Google sites which use Google technology.  The ACCC also alleges that Google misled consumers about changes to its privacy policy.

The ACCC has not released the concise statement and the case has not appeared on the Federal Court website as yet.  It is interesting, and something of a relief, that the ACCC is stepping up and taking on privacy related cases instead of the Australian Information Commissioner.  Unfortunately the Commissioner has a lamentable track record in enforcing privacy breaches, particularly in the Federal Court.

The nature of the case as described by the ACCC seems to follow a tried and true approach used by the Federal Trade Commission in the United States, attacking privacy and data breaches through breaches of contractual terms or misleading and deceptive conduct.  It is also an approach that the Federal Court is more comfortable with.  To date the Federal Court has produced judgments that betray a bewildering befuddlement regarding privacy principles; namely Read the rest of this entry »

HQ Insurance Pty Limited v Stonehatch Risk Solutions Limited (No 2) [2020] FCA 1010 (16 July 2020): application for preliminary discovery, rule 7.23 Federal Court rules, claim for relief under s 1324(1) Corporations Act, reasonable enquiries

July 22, 2020

In HQ Insurance Pty Limited v Stonehatch Risk Solutions Limited (No 2) [2020] FCA 1010 the Federal Court per Thawley dismissed an application for preliminary discovery on the grounds that the applicant failed to establish that reasonable inquiries were made.

FACTS

The dramatis personae are:

  • HQ,  an Australian bloodstock and livestock insurance broker specialising in equine insurance. It holds an AFSL which authorises it to advise and deal in general insurance [17].
  • Stonehatch,  a United Kingdom (UK) based insurance broker specialising in bloodstock insurance. It does not hold an AFS [17]]
  • Ausure (Upper Hunter) Pty Ltd trading as Ausure Insurance Solutions (NSW),  an insurance broker which brokered equine thoroughbred insurance through Stonehatch as its wholesale broker in the UK where the equine risks were underwritten by various Lloyd’s syndicates [18].

On 25 September 2018, HQ completed its purchase of Ausure’s client book of insurance policies. HQ transferred the insurance files to their own wholesale broker, Integro Brokers Limited, in the UK, on 18 October 2018 [19].

Under the agreement between Read the rest of this entry »

Lewis (liquidator), in the matter of Concrete Supply Pty Ltd (in liq) [2020] FCA 841 (16 June 2020): s 477(2B) Corporations Act 2001 application, approval for liquidator to retain solicitor who act for creditor of the company in liquidation

July 16, 2020

In Lewis (liquidator), in the matter of Concrete Supply Pty Ltd (in liq) [2020] FCA 841 White considered the relevant principles in considering an application under section 477(2B) of the Corporations Act 2001.

FACTS

Between August 2009 and November 2017, ABCL had supplied concrete to Concrete Supply [5].

In October 2017, ABCL discovered that it had been underpaid about $12 million by Concrete Supply.  The underpayment was disguised by false entries made by one of its employees.  ABCL sought payment of the shortfall from Concrete Supply. On 14 November 2017, the directors of Concrete Supply resolved that it was, or was likely to become, insolvent and appointed Messrs Cooper and Cantone at Worrells as administrators. On 19 December 2017, the creditors of Concrete Supply resolved that it enter into a Deed of Company Arrangement (” DOCA”) [5].

ABCL opposed the Read the rest of this entry »

Yeo, in the matter of Ready Kit Cabinets Pty Ltd (in liq) v Deputy Commissioner of Taxation [2020] FCA 632 (15 May 2020); deed of company arrangement, Corporations Act sections 588FA and 588FE, voidable transactions

June 11, 2020

In Yeo, in the matter of Ready Kit Cabinets Pty Ltd (in liq) v Deputy Commissioner of Taxation [2020] FCA 632 Middleton J considered the operation of the sub sectin 588FE(2B) involving the voidable transactions and whether payments were made under the administrator of a deed of company arrangement.

FACTS

On 29 October 2013, Mr Yeo and Mr Rambaldi were appointed as joint and several administrators of Ready Kit Cabinets Pty Ltd (in liq) (” the Company”) [8].

The DCT  commenced proceedings seeking to wind up the Company before the appointment of  Yeo and Rambaldi as voluntary administrators [9].  The first meeting of the Company’s creditors was convened and held on 7 November 2013 [10].  On 14 November 2013,  Yeo and Rambaldi issued a circular to creditors in which they advised that the second meeting of the Company’s creditors would be held on 22 November 2013. Yeo and Rambaldi provided creditors with a copy of a s 439A report with the circular [11].  At the second meeting of creditors  a resolution was passed that the Company should execute a deed of company arrangement [12].

On or about 11 December 2013, the DOCA was executed by:

  • each of the Company (by its then administrators,  Yeo and Rambaldi),
  •  Yeo and Rambaldi as deed administrators, and
  • the Director [13].

His Honour identified key provisions of the DOCA as:

  • Recital H. [14], that:

This Deed binds all Creditors of [the Company] pursuant to Section 444D of the Corporations Act and [the Company], all officers and members of [the Company], and the Administrators pursuant to Section 444G of the Corporations Act.

  •  management and control of the Company’s day-to-day business affairs were returned to the Director;
  • a fund was established and controlled by the Deed Administrators which constituted the whole of the property available for distribution to participating creditors [15];
  • the Company and Director made certain covenants and undertakings, including in respect of the Company’s compliance with its taxation obligations [15]; and
  •  upon default of the DOCA by the Company or the Director, the Deed Administrators were to convene a meeting of creditors to determine whether to terminate the DOCA and wind up the Company [15].

Between 11 December 2013 and 5 July 2017, the Company was returned to the management and control of the Director and continued to trade [16]. During this time the Company incurred fresh liabilities Read the rest of this entry »

The Australian Information Commissioner commences civil penalty proceedings against Facebook under section 13G of the Privacy Act

March 10, 2020

Yesterday, 9 March 2020, the Australian Information Commissioner commenced proceedings against Facebook in the Federal Court.  The actual citation is Australian Information Commissioner v Facebook Inc & Facbook Ireland Limited (court number NSD 246/2020).

It has taken 2 years for the Information Commissioner to conclude her investigations regarding Facebook’s actions in permitting personal information to be misused through the This is Your Digital Life app which was disclosed to Cambridge Analytica. The UK Information Commissioner resolved its investigation and issued a monetary penalty notice of 500,000 pounds in October 2018.  The US Federal Trade Commission imposed $5 billion penalty for its breach of the previous order in July 2019.

This litigation will be significant as it is the first consideration of the operation of section 13G of the Privacy Act, a civil penalty proceeding for serious or repeated interference with privacy.  Unfortunately the Information Commissioner has not proven to be an adept litigator to date though Facebook’s egregious conduct in permitting its users personal information to be misused is well documented.  What is less clear is how the Commissioner will convince the Court that the statutory limit of $1.7million for an infraction is a limit on each breach.  That will be a significant Read the rest of this entry »

Federal Court Criminal Proceedings Rules in effect and Federal Court releases forms for lodgment

December 18, 2017

The Federal Court announced today that forms used in proceedings under the Federal Court criminal Proceedings Rules are now accessible and can be lodged by external users.  The Rules can be found Read the rest of this entry »

Federal Court issues practice notes on interest on judgments

September 20, 2017

Properly determining the interest component in an award is an important calculation.  And one that is done poorly more often than Read the rest of this entry »