After coming off some serious questioning in Senate Estimates about poor enforcement practices the Commissioner announced on 3 November 2023 that the Office of the Information Commissioner has launched proceedings against Australian Clinical Labs on 2 November 2023 (file number NSD1287/2023). The Commissioner has filed a Concise Statement and Originating Application and Australian Clinical Labs Limited has filed a Notice of Address for service. The Commissioner is represented by DLA Piper, out of its Brisbane Office.  Previously the Commissioner has been represented by HWL Ebsworth.  Gilbert & Tobin, out of its Sydney Office, is representing Australian Clinical Labs.  GIlbert & Tobin represented RI Advice in the Federal Court case of  Australian Securities and Investments Commission v RI Advice Group Pty Ltd [2022] FCA 496. That case has been heralded as a positive development in enforcing data security as an obligation of Financial Service Licensees under the Corporations Act 2001, being 912A.  While R I Advice was the subject of compliance orders and penalties it is fair to say that Gilbert & Tobin did a good job in keeping the stringency of the orders and penalty to a moderate level.  Compared to overseas penalties by the European regulators, the UK Information Commissioner’s Office and Read the rest of this entry »

Senate Estimates are an invaluable way of scrutinising government departments and asking questions on issues that do not find their way into Government reports. So it was with the Senate Legal and Constitutional Affairs Legislation Committee asked some long overdue questions of the Information Commissioner on 23 October 2023.  With the Information Commissioner top of the list of questions is the delay in investigating complaints and the lack of vigorous enforcement by the Commissioner.  Compared to other privacy regulators the Australian Information Commissioner’s Office is tardy and timid.

Senator Shoebridge asked questions relating to those very issues.  The answers were not particularly inspiring.  The good Senator hightlighted what privacy practitioners have long suspected, that the Commissioner doesn’t do enforcement.  This extract is revealing:

Sen ator SHOEBRIDGE: How could it be that 1,748 data breaches are referred to your office with not a single penalty over two years? What has gone wrong?

Ms Falk : It’s not a matter of something going wrong. It’s about regulatory strategy. It’s about ensuring that we’re using the right tool in the right circumstances.

Senator SHOEBRIDGE: It’s about never using the stick, isn’t it—never.

Ms Falk : That’s not the case. You’ll be aware that I do have proceedings before the Federal Court in relation to Facebook and also aware of the time that it takes for these matters to progress.

The regulatory strategy is not to take enforcement action.  In the US or the UK the enforcement would very much to the fore.  Here is is not the “right tool.”  Little wonder that there is a very poor privacy culture.  If enforcement is off the table there is Read the rest of this entry »

Justice Keogh in Turner v Bayer Australia Ltd (No 6) [2023] VSC 244 considered the application of the Victorian law and the European Privacy law, the General Data Protection Regulation (GDPR). The issue was whether releasing and reporting on personal information of individuals in documents generated in the EU attract protections that the Court should consider in the context of media reporting of a Victorian proceeding.

FACTS

The  proceeding is a product liability action concerning implanted permanent contraceptive medical devices identified collectively as the Essure device [1].

The trial commenced on 11 April 2023 and is estimated to run for 12 weeks [2].

Media organisations sought access to transcript and some of the documents relied on by the parties at trial.

The second defendant, Bayer Aktiengesellschaft,  is a corporation registered in Germany [4].

Some of the defendant’s discovery was of documents that originated from Germany (‘EU documents’), which some of which contained  personal data of natural persons residing in the European Union (‘EU’), including:

• names,
• job titles,
• signatures,
• business email addresses,
• street addresses and phone numbers, and
• personal email addresses,
• street addresses and phone numbers (‘EU data’) [4].

The defendants opposed the media having general access to transcript and EU documents used at trial because, they argue, the release of EU data would be a breach of the GDPR [4].

The defendants sought orders requiring that media apply to the Court for release of transcript and any EU documents tendered at trial and give details of the context and purpose underpinning their request when applying for access, provide the parties with time to object to media access, and provide the parties further time  to redact personal information from documents to be released [5].

The defendants relied on a report of Professor Dr Gregor Thüsing, a jurist and professor at the University of Bonn in Germany who has has expertise in the European law of data protection and data security [12].

The court summarised Read the rest of this entry »

The Victorian Supreme Court in Re Lifestyle Residences Hobsons Bay Pty Ltd (recs & mgrs apptd) [2023] VSC 179 considered a range of issues; whether a director can bring an application when receivers appointed, the operation of section 109X(1)(a) of the Act and the calculation of service. it makes it clear that there is an immutability of filing an application out of time making the application is a nullity.

FACTS

The facts relating to service were:

• on 22 November 2022, Ms Celia Luki, the solicitor with carriage of the matter for the defendant, ascertained the registered office address of the Company from an Australian Securities and Investments Commission (‘ASIC’) company search [35].
• Luki requested the Office Services Clerk in her firm in Redfern, New South Wales, to organise for the documents to be couriered to Melbourne for delivery to the registered office address.
• a Client Services Assistant at McCullough Robertson received Luki’s instructions on the service of the statutory demand in the sum of $213,166.89 in an email forwarded to her by the Office Services Clerk, who also provided the statutory demand and accompanying affidavit.
• the assistant logged into the Toll Priority (Aus) system and inputted those details, recording Luki’s email address as the contact person to receive email updates on the progress of the delivery of the demand. She printed a label from the Toll system, which included all of the recipient’s details which she affixed the label onto a Toll Express Services priority satchel and obtained a tracking number and manifest document.
• in the afternoon of 22 November 2022, a courier from Toll attended the McCullough Robertson office and collected the sealed envelope and two copies of the manifest document [35]
• on 16 December 2022 the tracking log records the documents were delivered to the company at the registered office address on 23 November 2022 at 9:46am. The proof of delivery document clearly records the registered office at which delivery occurred and the signature of Paula accepting delivery of the envelope [36]. Paula was a receptionist an accounting firm engaged by the company, whose business address is the registered office address of the company.
• Paula was unsure who to forward the demand to and sought confirmation from her principal, Mr Sam Cimino. However, because Cimino was extremely busy that day, she was only able to email him and unable to speak to him in person [37].
• on 24 November 2022, Paula had a discussion with Cimino, who instructed her to immediately send the statutory demand to Mr Burgess, Mr Dale Harrison and Mr Peter Van De Steeg, who are nominated contact people at the company. 
• Paula emailed the nominated people at the company, attaching an electronic copy of the statutory demand but erroneously stated the demand had arrived by courier at the registered office address on 24 November 2022 when, in fact, it was delivered by courier the day prior [38]. 

Read the rest of this entry »

Tonight ABC’s Media watch broadcast a segment on the Attorney General’s Report on a Review of the Privacy Act, titled “Media and privacy”, with a focus on a proposed statutory tort of privacy. The coverage followed the traditional line adopted by media commentators in Australia, yes there are breaches but a tort of privacy would suppress free speech and so reform is a bad idea. Being Media Watch it was a reasonably comprehensive story, within the time alloted. But still quite predictable and overall not particularly sophisticated. The usual suspects came out against, such as Justin Quill with the usual lines about how such a reform will help the rich and kill investigative journalism. The supporters were also predictably supportive, being Michael Douglas and Barbara McDonald, but a good deal less shrill. Between now and the release of a draft bill expect strident stories from the participants in the Right to Know Coalition. In the past Chris Merritt (Privacy tort a blow to free speech 18 March 2009), Ainslie Van Onsolen (Push for a tort is misguided and wrong 21 September 2012), The Australian) and Micheal Stutchbury (Lawsuits no way to defend privacy or free speech 26 July 2011), among many others, have dipped their thumbs into the ink barrel when a privacy tort is mentioned and penned jeremiads about the end of journalism, the end of freedom of speech and no more public interest exposes if there such a privacy tort is enacted. There is a sameness about the columns; pictures of a grim future with judges wielding their gavels with abandon crushing story after story and villainous reprobates being protected. The offerings tended to be long on emotion and short on analysis. That does not mean it has not had an effect. Governments of both persuasions have steered clear of adequate privacy law reform for decades.

It is entirely understandable that the media would have an interest in privacy reform.  The problem is that it does not accept that the defence of public interest and freedom of expression in any tort will be given any weight.  That is fear based on emotion not logic.  On a more practical level given the gaping lacuna in the law regarding privacy, and the practical inability of the aggrieved to take any legal action for invasions of their privacy, it is in the media’s interests to keep  the status quo. 

The Media Watch report is quite a reasonable analysis, albeit limited by the fact that as the title suggests it focuses on media and privacy. Which is not the whole issue.  What is lost in this story is that there are many circumstances where the media is not involved, the interference with privacy is one person intruding on the seclusion of another.  Or interfering government officials.  Or organisations and businesses surveilling customers or just ordinary individuals.  With new and increasingly intrusive technology not having legal recourse is a failure of public policy.  None of this will convince the media and the fact that Australia is an outlier in this area of law causes it no concern at all.

The transcript of the story Read the rest of this entry »

The date for submissions to the Attorney General’s Review of the Privacy Act Report closed on 31 March 2023.

I will be undertaking a detailed review of the Report, by related chapters, between now and when the draft Bill is released by the Government, probably before or after the Winter Recess.

This analysis relates to Chapters 3 and 4. The proposals contained in both chapters are not controversial and address weaknesses in the Privacy Act drafting that were identified for some time.  The recommendations regarding de identified and anonymised information attempt to address what remains a very difficult issue. The extent to which de identification is possible in a practical sense is matter of significant debate.  Those issues may come into sharp relief if a data breach involved theft of de identified information which was subsequently re identified.

CHAPTER 3 OBJECTS OF THE ACT

The Report notes that Privacy is not defined in the Act. It is a concept that can be broadly construed and may be understood as comprising a number of related concepts including informational privacy, bodily privacy, privacy of communications, and territorial privacy.

The Report proposes:

The rationale for the amendment is that as the focus of the Act is to provide a framework for the handling and protection of personal information, the objects should more clearly reflect this.

The Report then states that the Act implements Australia’s international obligations in relation to privacy in part by providing a framework for regulating the collection, use, storage, disclosure and destruction of personal information but does not cover all aspects of privacy as the term is commonly understood.

The Report recommends:

The Report notes that:

• protection of privacy sits alongside other important interests: this is recognised in Article 17 of the International Covenant on Civil and Political Rights (ICCPR) and reflected in paragraph 2A(b) of the objects which are are sometimes, but not always, in tension.
• paragraph 2A(b) of the objects should continue to recognise that the protection of the privacy of individuals is balanced with the interests of entities in carrying out their functions or activities.
• the recognition of a public interest, as well as individual interest, in privacy will inform the balancing exercise, retaining sufficient flexibility for ‘countervailing interests to be given the weight they deserve’
• the protection of privacy and the interests of entities in carrying out their functions and activities, including private commercial activities, are not necessarily in conflict. It is not a zero-sum game.
• businesses that use data in a fair and responsible manner may serve the public interest indirectly, and deliver benefits to individuals and the broader economy, as well as their own commercial interests.

4.   Personal information, de-identification and sensitive information

The Report identifies a problem with principles-based definition of a lack of understanding  how to apply it to information in practice.

The Report notes that the definition has to be seen in context in the Act and as such the Act:

• does not prohibit the collection, use and disclosure of personal information.
• requires that the principles around personal information handling set out in the APPs must be followed, including only collecting reasonably necessary information and only using or disclosing it for the purposes for which it was collected unless the individual consents or another exception applies.

The definition of personal information is intentionally broad which ensures that APP entities keep privacy and risk-based personal information handling at the forefront of their minds when conducting their functions or activities,

Section 6 of the Privacy Act defines personal information as follows:

personal information means information or an opinion about an identified individual, or an individual who is reasonably identifiable:

(a) whether the information or opinion is true or not; and

(b) whether the information or opinion is recorded in a material form or not.

Individual is defined as a ‘natural person’.

The current definition of personal information has two limbs:

• the information is about an individual, and
• the individual is identified or reasonably identifiable.

The Report identifies two categories of uncertainty about the definition:

1. it is unclear which types of information can be personal information. For example, there is confusion about whether technical information that records service details about a device is the personal information of the owner of the device. Further, there is uncertainty about whether inferred information about an individual, for example in an online profile, will be personal information.
2. there should be more clarity about how to ‘reasonably identify’ an individual and correspondingly how to know when an identifiable individual becomes ‘de-identified’.

The Report proposes to clarify the two categories of uncertainty through proposals that address the two limbs of the test for Read the rest of this entry »

The High Court today revoked Facebook’s special leave application. The transcript is not available yet and reasons have not been published but the key argument for this volte face was a change to the Federal Court Rules on overseas service.

The Information Commissioner released a media release providing:

The Office of the Australian Information Commissioner (OAIC) today welcomed the Full Court of the High Court of Australia’s decision to revoke Facebook Inc’s special leave to appeal to the High Court.

The High Court granted the Commissioner’s application to revoke special leave due to a change in the Federal Court Rules in relation to overseas service.

This clears the way for proceedings to return to the Federal Court. The substantive proceeding seeking civil penalties against Facebook Ireland and Facebook Inc over the Cambridge Analytica matter will now progress.

“Today’s decision is an important step in ensuring that global digital platforms can be held to account when handling the personal information of Australians,” Australian Information Commissioner and Privacy Commissioner Angelene Falk said.

“Entities operating in Australia are accountable for breaches of Australian privacy law, and must ensure that their operations in Australia comply with that law,” Commissioner Falk said.

Background

On 9 March 2020, the Commissioner lodged proceedings against US-based Facebook Inc and Facebook Ireland (collectively, Facebook) in the Federal Court, alleging the social media platform had committed serious and/or repeated interferences with privacy in contravention of Australian privacy law.

The Commissioner alleges that from 12 March 2014 to 1 May 2015: Read the rest of this entry »

The Federal Trade Commission (the “FTC”) has announced enforcement action against GoodRX for a range of signficant breaches of customer’s information.  This the first time it is using its powers under the Health Breach Notification Rule.

This case highlights the temptations of monetising personal information to generate sales even if that meant disclosing personal health related information.  It also demonstrates that large operations can and often do ignore privacy and data security obligations when using data for financial gain. When the regulator takes action the flaws become very apparent and often make a bad situation much worse.
While the law differs in Australia it is very useful considering these actions because of the methodology the FTC deploys in framing their cases.  The technology is the same in Australia and the United States.  The issues are the same.

According to the FTC:

• since  2011, GoodRx Holdings, Inc is a “consumer-focused digital healthcare platform” based in Santa Monica, California.
• GoodRx advertises, distributes, and sells:
  • health-related products and services directly to consumers, including purported prescription medication discount products branded as “GoodRx” and “GoodRx Gold.”
  • telehealth services, branded as “GoodRx Care,” and previously as “HeyDoctor by GoodRx,” and “HeyDoctor,” through its subsidiary HeyDoctor, LLC (“HeyDoctor”) [2].
• since at least 2017, GoodRx  promised its users that it would share their personal information, including their personal health information, with limited third parties and only for limited purposes; that it would restrict third parties’ use of such information; and that it would never share personal health information with advertisers or other third parties [3]
• GoodRx offers a platform, available through its website (www.GoodRx.com) or mobile application (“Mobile App”), to search for and compare prescription medication pricing at nearby pharmacies, and to obtain prescription discount cards (the “GoodRx Coupon”). Since January 2017, 55.4 million consumers have visited or used GoodRx’s website or Mobile App [16]
• GoodRx  collects:
  • users’ personal and health information, and prompts users to provide their email address or phone number, to access electronic coupons and refill reminders [19].
  • personal and health information when users register for an account, which is required for GoodRx Gold, the product charging a monthly subscription fee. [20]
  • personal and health information from PBMs. When users purchase medication using GoodRx Coupons, the PBM processes the transaction and sends a claims record to GoodRx (“Medication Purchase Data”), containing name, date of birth, and information about the prescription filled [21]

On February 25, 2020, Consumer Reports published Read the rest of this entry »

In Re Straightline Construction Co Pty Ltd [2022] VSC 708 the Supreme Court, per Gardiner AsJ, considered an application to set aside a statutory demand on the grounds that the applicant was not a party to the agreement giving rise to a liability which formed the basis of a statutory demand.  This is quite a common issue where parties are involved in the building and construction industry.  It is not uncommon for builders to work through multiple entities, many of whose names are quite similar.   As this case demonstrates, it is not simply enough for the Applicant to allege that the wrong party was served with a demand as another entity was a party to the contract. As this case shows such a contention can be successfully challenged if the respondent has contemporaneous documentation and concessions by representatives of the applicant .

FACTS

 On 9 December 2021, Hansen Yuncken Pty Ltd (‘Hansen Yuncken’), as head contractor, engaged Straightline Civil Pty Ltd (‘Straightline Civil’), as subcontractor, (‘the Hansen Yuncken Contract’) to carry out retention and foundation piling works as part of a large residential construction project at Bills Street, Hawthorn (‘the Project’) [6]

Straightline Construction’s evidence was that:

• it defined the issue as

[Straightline Construction] disputes that the debt claimed in the Statutory Demand is due and payable, by reason of there being a genuine dispute that the debt is owing as the Company is not the entity which contracted with [Browns] to perform the services detailed in the Invoices, and the debts have not been sufficiently particularised.

•  Straightline Construction was incorporated in March 2020
• Straightline Construction performs civil construction works in metropolitan Melbourne, partiuclarly in  Brighton and Clayton
• there are various ‘Straightline’ entities with different controllers, each having its own role in different projects & that Straightline Construction is not involved in the Hansen Yuncken contract at all [38]
• where it is said that Browns had dealings with ‘Straightline’ for several years, it was in fact engaged by four separate Straightline entities depending on the project and the entity involved in the Project was Straightline Civil, not Straightline Construction [40].
• a direction should have been issued to make it clear that invoices were to be issued to Straightline Civil and not Straightline Construction [41] invoices addressed to Straightline Construction should have been requested to be reissued to Straightline Civil.
• on 20 September 2022, Peter Greenstreet, an Operations Manager of Browns, sent an email enquiring as to whom the invoices for the remaining works on the Project should be issued to & Oltan Yemez, representing Straightline Civil, responded, stating that all invoices should be issued to Straightline Civil [42].
• an ASIC search of Straightline Civil  records Tarkan Gulenc as the sole director & the correspondence referred to between Mr Gulenc and representatives of Browns confirms that Straightline Civil admits it owes the debt [43]
• in regard to correspondence relied on by Browns to support their proposition that Straightline Construction owes the debt, the reference to intentions to pay  does not refer to Straightline Construction being liable to pay the debt [46].
• the communications containing promises to pay in the text message exchanges on 8 July 2022 were in the context of a statutory demand having been served by Browns approximately one month before and no reference to the identity of the contracting party as Straightline Civil [47]
• an agreement has been reached (which he refers to as the ‘Tri-Partite Deed’) between representatives of Hansen Yuncken, Straightline Civil, and Browns in relation to the payment of outstanding amounts, whereby Hansen Yuncken agrees to pay progress payments due to Straightline Civil in respect of the Project directly to Browns, in satisfaction of outstanding invoices rendered by Browns in relation to the Project (including those the subject of the Demand) and that a total of $193,775.56 has been paid to date, being the payment of $105,739.93 (including GST) in relation to the July Payment Schedule and $88,035.63 (including GST) in relation to the August Payment Schedule [51] – [52].
• Staightline Construcion has never been contracted to perform subcontract work on any sites in Hawthorn [12]

The respondent’s evidence Read the rest of this entry »

In Re J Build Developments Pty Ltd [2022] VSC 434 Hetyey AsJ set aside a statutory demand on the basis that there was a genuine dispute in the context of a notice being issued under the Building and Construction Industry Security of Payment Act 2002.

FACTS

The facts in applications to set aside statutory demand relating to construction contracts and building works invariably have complicated and involved factual issues.  This case is no exception.

On 26 June 2020, J Build entered into a $2.9 million building contract with Abboud Corporates Pty Ltd to construct three double-storey residential dwellings at 10 Glyndon Road, Camberwell, Victoria (‘the head contract’ and ‘the property’, respectively) [2].

AES is a mechanical and electrical services provider specialising in heating, ventilation, air conditioning and associated electrical work [2].

On or about 24 February 2020, Jamiel Daou (“Daou”),  a director of J Build, texted Wright, the sole director of AES, asking for  a quotation  for the supply and installation of ducted heating and cooling air-conditioning systems in each of the units at the property (‘the sub-contracting works’).  There was a subsquent telephone conversation between the two the contents of which are in contention.

On 5 March 2020, AES provided JB Build with a quotatio of $88,002.64 inclusive of GST.

Prior to 22 October 2020, JB Build requested that revisions be made to the quotation. On 22 October 2020, AES issued a second quotation for $101,507.09 (inclusive of GST) [6].

On or around 27 October 2020, the parties discussed a further variation which would provide a cost saving to the plaintiff of between $5,000 and $6,000 and reduce the contract price contained in the second quotation [7]. On 28 October 2020, Wright emailed Daou requested confirmation of the revised second quotation with Daou responding via email  with the word ‘[a]pproved’ [8].

On 31 October 2021, AES issued an invoice for $16,874.55 (inclusive of GST) regarding work performed between 28 October 2020 and 31 October 2020,  payable by 14 November 2020 but paid on 7 December 2020 [10].

Wright and Daou  had a site meeting at the property on or around 5 February 2021 where they discussed the need for further variations to AES’ scope of work [11]. AES issued J Build with a further revised quotation on 14 May 2021, documenting additional proposed revisions to the scope of work and increasing the contract price to $109,047.31 (inclusive of GST) (‘the third quotation’). A signed acceptance of the third quotation was returned to AES via email later that day [12].  AES rendered an invoice in the sum of $81,504.61 (inclusive of GST) (‘the second invoice’)  to J Build by email on 14 On 31 May 2021. AES required payment by 30 June 2021. J Build didn’t pay by this date and in or around July 2021, AES stopped work [13]. J Build paid AES $41,504.61 on 22 July 2021 and $5,000 on 20 September 2021 [15], leaving $35,000 owing in respect of the second invoice.

On 4 October 2021, AES served a notice under s 18(2) of the Building and Construction Industry Security of Payment Act 2002 (Vic) (‘the SOP Act’) on J Build,   J Build responded the next day by sending AES a payment schedule informing AES that it proposed paying nil in respect of the second invoice on the basis that works had not been completed. No adjudication application was ultimately pursued by AES [16].

On 14 October 2021 AES instructed its solicitors to issue and serve the statutory demand claiming the  $35,000 as ‘monies due and owing pursuant to [AES’] tax invoice no 6394 dated 31 May 2021,’ which refers to the second invoice. The statutory demand did not annex a copy of the second invoice [17].

J Build commenced this application  on 3 November 2021 [18].

The defendant contended that:

• the second invoice referred to in the statutory demand constitutes a ‘payment claim’ within the meaning of s 14 of the SOP Act which was not effectively challenged by way of a ‘payment schedule’ served within time and is therefore due and payable by force of statute and beyond challenge.
• J Build was precluded from contending the existence of any genuine dispute about the subject of the statutory demand in this proceeding.

DECISION

The court, at [21],defined the issues for determination as:

(a) is there a genuine dispute under s 459H(1)(a) of the Act that the defendant’s invoice the subject of the demand (ie the second invoice) is a ‘payment claim’ which satisfies the requirements of s 14 of the SOP Act? In particular, is there a genuine dispute whether: Read the rest of this entry »