High Court revokes Facebook’s special leave application on the day of hearing. Information Commissioner’s civil penalty proceeding will now proceed beyond the service stage…almost 3 years after the originating application was filed

March 7, 2023

The High Court today revoked Facebook’s special leave application. The transcript is not available yet and reasons have not been published but the key argument for this volte face was a change to the Federal Court Rules on overseas service.

The Information Commissioner released a media release providing:

The Office of the Australian Information Commissioner (OAIC) today welcomed the Full Court of the High Court of Australia’s decision to revoke Facebook Inc’s special leave to appeal to the High Court.

The High Court granted the Commissioner’s application to revoke special leave due to a change in the Federal Court Rules in relation to overseas service.

This clears the way for proceedings to return to the Federal Court. The substantive proceeding seeking civil penalties against Facebook Ireland and Facebook Inc over the Cambridge Analytica matter will now progress.

“Today’s decision is an important step in ensuring that global digital platforms can be held to account when handling the personal information of Australians,” Australian Information Commissioner and Privacy Commissioner Angelene Falk said.

“Entities operating in Australia are accountable for breaches of Australian privacy law, and must ensure that their operations in Australia comply with that law,” Commissioner Falk said.

Background

On 9 March 2020, the Commissioner lodged proceedings against US-based Facebook Inc and Facebook Ireland (collectively, Facebook) in the Federal Court, alleging the social media platform had committed serious and/or repeated interferences with privacy in contravention of Australian privacy law.

The Commissioner alleges that from 12 March 2014 to 1 May 2015:

Federal Trade Commission commences enforcement action against GoodRx for extraordinary privacy breaches involving sharing consumer sensitive health information for advertising purposes

February 8, 2023

The Federal Trade Commission (the “FTC”) has announced enforcement action against GoodRx for a range of significant breaches involving customers’ information. This is the first time it is using its powers under the Health Breach Notification Rule.

This case highlights the temptations of monetising personal information to generate sales even if that meant disclosing personal health related information. It also demonstrates that large operations can and often do ignore privacy and data security obligations when using data for financial gain. When the regulator takes action the flaws become very apparent and often make a bad situation much worse.

While the law differs in Australia, it is very useful to consider these actions because of the methodology the FTC deploys in framing its cases. The technology is the same in Australia and the United States. The issues are the same.

According to the FTC:

  • since 2011, GoodRx Holdings, Inc has been a “consumer-focused digital healthcare platform” based in Santa Monica, California.
  • GoodRx advertises, distributes, and sells:
    • health-related products and services directly to consumers, including purported prescription medication discount products branded as “GoodRx” and “GoodRx Gold.”
    • telehealth services, branded as “GoodRx Care,” and previously as “HeyDoctor by GoodRx,” and “HeyDoctor,” through its subsidiary HeyDoctor, LLC (“HeyDoctor”) [2].
  • since at least 2017, GoodRx promised its users that it would share their personal information, including their personal health information, with limited third parties and only for limited purposes; that it would restrict third parties’ use of such information; and that it would never share personal health information with advertisers or other third parties [3]
  • GoodRx offers a platform, available through its website (www.GoodRx.com) or mobile application (“Mobile App”), to search for and compare prescription medication pricing at nearby pharmacies, and to obtain prescription discount cards (the “GoodRx Coupon”). Since January 2017, 55.4 million consumers have visited or used GoodRx’s website or Mobile App [16]
  • GoodRx collects:
    • users’ personal and health information, and prompts users to provide their email address or phone number, to access electronic coupons and refill reminders [19].
    • personal and health information when users register for an account, which is required for GoodRx Gold, the product charging a monthly subscription fee. [20]
    • personal and health information from PBMs. When users purchase medication using GoodRx Coupons, the PBM processes the transaction and sends a claims record to GoodRx (“Medication Purchase Data”), containing name, date of birth, and information about the prescription filled [21]

On February 25, 2020, Consumer Reports published

Re Straightline Construction Co Pty Ltd [2022] VSC 708 (18 November 2022); Application to set aside a statutory demand pursuant to s 459G of the Corporations Act 2001 (Cth) on grounds of genuine dispute, dispute as to the identity of the contracting parties

December 4, 2022

In Re Straightline Construction Co Pty Ltd [2022] VSC 708 the Supreme Court, per Gardiner AsJ, considered an application to set aside a statutory demand on the grounds that the applicant was not a party to the agreement giving rise to a liability which formed the basis of a statutory demand. This is quite a common issue where parties are involved in the building and construction industry. It is not uncommon for builders to work through multiple entities, many of whose names are quite similar. As this case demonstrates, it is simply not enough for the applicant to allege that the wrong party was served with a demand because another entity was a party to the contract. Such a contention can be successfully challenged if the respondent has contemporaneous documentation and concessions by representatives of the applicant.

FACTS

On 9 December 2021, Hansen Yuncken Pty Ltd (‘Hansen Yuncken’), as head contractor, engaged Straightline Civil Pty Ltd (‘Straightline Civil’), as subcontractor, (‘the Hansen Yuncken Contract’) to carry out retention and foundation piling works as part of a large residential construction project at Bills Street, Hawthorn (‘the Project’) [6].

Straightline Construction’s evidence was that:

  • it defined the issue as

[Straightline Construction] disputes that the debt claimed in the Statutory Demand is due and payable, by reason of there being a genuine dispute that the debt is owing as the Company is not the entity which contracted with [Browns] to perform the services detailed in the Invoices, and the debts have not been sufficiently particularised.

  • Straightline Construction was incorporated in March 2020
  • Straightline Construction performs civil construction works in metropolitan Melbourne, particularly in Brighton and Clayton
  • there are various ‘Straightline’ entities with different controllers, each having its own role in different projects & that Straightline Construction is not involved in the Hansen Yuncken contract at all [38]
  • where it is said that Browns had dealings with ‘Straightline’ for several years, it was in fact engaged by four separate Straightline entities depending on the project and the entity involved in the Project was Straightline Civil, not Straightline Construction [40].
  • a direction should have been issued to make it clear that invoices were to be issued to Straightline Civil and not Straightline Construction [41]; invoices addressed to Straightline Construction should have been requested to be reissued to Straightline Civil.
  • on 20 September 2022, Peter Greenstreet, an Operations Manager of Browns, sent an email enquiring as to whom the invoices for the remaining works on the Project should be issued to & Oltan Yemez, representing Straightline Civil, responded, stating that all invoices should be issued to Straightline Civil [42].
  • an ASIC search of Straightline Civil records Tarkan Gulenc as the sole director & the correspondence referred to between Mr Gulenc and representatives of Browns confirms that Straightline Civil admits it owes the debt [43]
  • in regard to correspondence relied on by Browns to support their proposition that Straightline Construction owes the debt, the reference to intentions to pay does not refer to Straightline Construction being liable to pay the debt [46].
  • the communications containing promises to pay in the text message exchanges on 8 July 2022 were in the context of a statutory demand having been served by Browns approximately one month before and no reference to the identity of the contracting party as Straightline Civil [47]
  • an agreement has been reached (which he refers to as the ‘Tri-Partite Deed’) between representatives of Hansen Yuncken, Straightline Civil, and Browns in relation to the payment of outstanding amounts, whereby Hansen Yuncken agrees to pay progress payments due to Straightline Civil in respect of the Project directly to Browns, in satisfaction of outstanding invoices rendered by Browns in relation to the Project (including those the subject of the Demand) and that a total of $193,775.56 has been paid to date, being the payment of $105,739.93 (including GST) in relation to the July Payment Schedule and $88,035.63 (including GST) in relation to the August Payment Schedule [51] – [52].
  • Straightline Construction has never been contracted to perform subcontract work on any sites in Hawthorn [12]

The respondent’s evidence

Re J Build Developments Pty Ltd [2022] VSC 434 (4 August 2022): s 459G Corporations Act, whether genuine dispute is also a payment claim under Building and Construction Industry Security of Payment Act

November 20, 2022

In Re J Build Developments Pty Ltd [2022] VSC 434 Hetyey AsJ set aside a statutory demand on the basis that there was a genuine dispute in the context of a notice being issued under the Building and Construction Industry Security of Payment Act 2002.

FACTS

The facts in applications to set aside statutory demand relating to construction contracts and building works invariably have complicated and involved factual issues.  This case is no exception.

On 26 June 2020, J Build entered into a $2.9 million building contract with Abboud Corporates Pty Ltd to construct three double-storey residential dwellings at 10 Glyndon Road, Camberwell, Victoria (‘the head contract’ and ‘the property’, respectively) [2].

AES is a mechanical and electrical services provider specialising in heating, ventilation, air conditioning and associated electrical work [2].

On or about 24 February 2020, Jamiel Daou (“Daou”), a director of J Build, texted Wright, the sole director of AES, asking for a quotation for the supply and installation of ducted heating and cooling air-conditioning systems in each of the units at the property (‘the sub-contracting works’). There was a subsequent telephone conversation between the two, the contents of which are in contention.

On 5 March 2020, AES provided J Build with a quotation of $88,002.64 inclusive of GST.

Prior to 22 October 2020, J Build requested that revisions be made to the quotation. On 22 October 2020, AES issued a second quotation for $101,507.09 (inclusive of GST) [6].

On or around 27 October 2020, the parties discussed a further variation which would provide a cost saving to the plaintiff of between $5,000 and $6,000 and reduce the contract price contained in the second quotation [7]. On 28 October 2020, Wright emailed Daou requesting confirmation of the revised second quotation, with Daou responding via email with the word ‘[a]pproved’ [8].

On 31 October 2021, AES issued an invoice for $16,874.55 (inclusive of GST) regarding work performed between 28 October 2020 and 31 October 2020,  payable by 14 November 2020 but paid on 7 December 2020 [10].

Wright and Daou  had a site meeting at the property on or around 5 February 2021 where they discussed the need for further variations to AES’ scope of work [11]. AES issued J Build with a further revised quotation on 14 May 2021, documenting additional proposed revisions to the scope of work and increasing the contract price to $109,047.31 (inclusive of GST) (‘the third quotation’). A signed acceptance of the third quotation was returned to AES via email later that day [12].  AES rendered an invoice in the sum of $81,504.61 (inclusive of GST) (‘the second invoice’)  to J Build by email on 14 On 31 May 2021. AES required payment by 30 June 2021. J Build didn’t pay by this date and in or around July 2021, AES stopped work [13]. J Build paid AES $41,504.61 on 22 July 2021 and $5,000 on 20 September 2021 [15], leaving $35,000 owing in respect of the second invoice.

On 4 October 2021, AES served a notice under s 18(2) of the Building and Construction Industry Security of Payment Act 2002 (Vic) (‘the SOP Act’) on J Build. J Build responded the next day by sending AES a payment schedule informing AES that it proposed paying nil in respect of the second invoice on the basis that works had not been completed. No adjudication application was ultimately pursued by AES [16].

On 14 October 2021 AES instructed its solicitors to issue and serve the statutory demand claiming the $35,000 as ‘monies due and owing pursuant to [AES’] tax invoice no 6394 dated 31 May 2021,’ which refers to the second invoice. The statutory demand did not annex a copy of the second invoice [17].

J Build commenced this application on 3 November 2021 [18].

The defendant contended that:

  • the second invoice referred to in the statutory demand constitutes a ‘payment claim’ within the meaning of s 14 of the SOP Act which was not effectively challenged by way of a ‘payment schedule’ served within time and is therefore due and payable by force of statute and beyond challenge.
  • J Build was precluded from contending the existence of any genuine dispute about the subject of the statutory demand in this proceeding.

DECISION

The court, at [21], defined the issues for determination as:

(a) is there a genuine dispute under s 459H(1)(a) of the Act that the defendant’s invoice the subject of the demand (ie the second invoice) is a ‘payment claim’ which satisfies the requirements of s 14 of the SOP Act? In particular, is there a genuine dispute whether:

Canadian Privacy Commissioner raises concerns about new technologies including spyware by the Royal Canadian Mounted Police

August 27, 2022

The Standing Committee on Access to Information, Privacy and Ethics has been examining investigation tools used by the Royal Canadian Mounted Police (“RCMP”), including spyware. Not surprisingly the Commissioner is playing catch up as the RCMP have not consulted/liaised with the Commissioner notwithstanding the clear privacy issues and potential for misuse. It is a classic and typical case of police and other agencies grabbing a new tool and then having to deal with the real policy issues of when and how to use it, usually after some publicity about its use. Such an investigation is long overdue in Australia at the Federal and State level as the police forces embrace privacy intrusive technology and engage in ways inconsistent with respecting privacy.

The history of the enquiry is well described in

The Royal Commission into the Robodebt Scheme is up and running

Given the tight time frame to report it was not a surprise that the Royal Commission would set up a homepage promptly.  Of course the commissioner was approached long before the announcement and has no doubt organised her team and had started preliminary work.  Nevertheless the alacrity in setting up the homepage is impressive. It is found here.

At this stage the published material from the Commission is limited to the Letters Patent.  That will no doubt change in the very near future.

The Letters Patent provides

Federal Government announces Robodebt Royal Commission

August 25, 2022

The Robodebt program, for want of a better word, animated those who have an interest in privacy.  Data matching, through the use of algorithms, was a key function of the program.  The Australian Privacy Foundation as well as other civil society groups raised concerns from an early date.

The Federal Government today announced the Robodebt Royal Commission.  The media release provides:

The Governor-General His Excellency General the Honourable David Hurley AC DSC (Retd) has issued Letters Patent establishing a Royal Commission into the former debt assessment and recovery scheme commonly known as Robodebt.

The inquiry will examine, among other things:

Health advisor in the UK fined for unlawfully accessing patient records. And in NSW such conduct resulted in a nurse having her registration cancelled.

August 18, 2022

The UK Information Commissioner has highlighted the case of Christopher O’Brien who was prosecuted for unlawfully accessing patient records of 14 patients of the South Warwickshire NHS Foundation Trust, all of whom were known to him.  The media release provides:

A former Health Advisor has been prosecuted for obtaining the personal data of service users, namely patients of South Warwickshire NHS Foundation Trust.

Mr O’Brien unlawfully accessed patient’s medical records in the course of his employment without any business need to do so. Mr O’Brien had viewed the records of 14 patients, who were known personally to him, between June and December 2019 without the consent of his employer.

Christopher O’Brien appeared before Coventry Magistrates’ Court and pleaded guilty to 6 counts of unlawfully obtaining personal data, in breach of s170 of the Data Protection Act 2018. He was ordered to pay £250 compensation to each data subject, totalling £3,000.

and

A former health adviser has been found guilty of accessing medical records of patients without a valid legal reason.

Christopher O’Brien, 36, was working at the South Warwickshire NHS Foundation Trust when he unlawfully accessed the records of 14 patients, who were known personally to him, between June and December 2019. He did so without a valid business reason and without the knowledge of the Trust.

One of the victims said the breach left them worried and anxious about Mr O’Brien having access to their health records, with another victim saying the breach put them off from going to their doctor.

Mr O’Brien pleaded guilty to unlawfully obtaining personal data in breach of section 170 of the Data Protection Act 2018 when he appeared at Coventry Magistrates’ Court on 3 August 2022. He was ordered to pay £250 compensation to 12 patients, totalling £3,000.

Stephen Eckersley, ICO Director of Investigations, said:

“This case is a reminder to people that just because your job may give you access to other people’s personal information, especially sensitive data such as health records, that doesn’t mean you have the legal right to look at it.

“Such behaviour can be extremely distressing for the victims. Not only is it an invasion of their privacy, it potentially jeopardises the important relationship of trust and confidence between patients and the NHS.

“I would urge organisations to remind their staff about their data protection and information governance responsibilities, including how to handle people’s sensitive data responsibly.”

This sort of misbehaviour is not confined to the United Kingdom. National Public Radio in 2015 did a piece on hospital workers snooping on celebrities’ medical records, including George Clooney, Kim Kardashian and Michael Jackson, to name a few. It is a chronic problem in Australia within the health sector. Last year the Health Care Complaints Commission prosecuted a complaint against registered nurse Ms Cody Rae Payne at the NSW Civil and Administrative Tribunal (‘the Tribunal’). Between January and August 2019 Payne accessed her own medical records as well as those of 34 other persons, including family members involved in family court legal proceedings, without lawful authority. She provided information to her husband that she acquired as a result of that unauthorised access.

The hearing before the NSWCAT occurred after Payne had been criminally prosecuted for

Bank of Queensland fined $133,200 for breach of Consumer Data Rights Rules

July 13, 2022

The Australian Competition and Consumer Commission (ACCC) issued the Bank of Queensland with a penalty of $133,200 for breaching the Consumer Data Right Rules in failing to have available a service to enable consumers to share their data. The breach was that the BOQ failed to meet its implementation deadline. The ACCC is a practiced litigant and active in enforcing legislation for which it is responsible. So while the breach is actual it relates to a technical breach rather than a breach resulting in material prejudice to any one consumer. The fine plus the publicity acts as a deterrent against others breaching the Rules.

The statement from the ACCC relevantly

Lloyd’s releases report about the risk of cyber attacks titled “Shifting powers: physical cyber risk in a changing geopolitical landscape.”

July 11, 2022

As part of its Shifting Powers series Lloyd’s has released a timely and very thorough report on cyber security, Shifting powers: Physical cyber risk in a changing geopolitical landscape. The Report sets out scenarios and likely responses which are very helpful and practical (and which are too involved to summarise or analyse in this post).

The press release provides:

In a highly digitised economy, cybersecurity sits at the top of the agenda for businesses, boards, risk managers and governments alike.

In recent years, malware and ransomware attacks have been causing severe disruption for global businesses and their supply chains. In addition to the rise in malware and ransomware attacks, the threat of state-sponsored cyber-attacks has become a significant focus for businesses and governments.

Whilst most cyber-attacks are digital, some result in tangible disruption or damage to the physical environment – these types of attacks are becoming increasingly commonplace. This is, in large part, due to the increasingly interconnected nature of systems and services which expose businesses to perils from physical cyber-attacks such as fires, explosions, flooding or bodily injury.

At Lloyd’s we understand the complex and potentially systemic risks in the cyber class and are committed to supporting a resilient cyber market. Cyber physical represents a key opportunity for insurers to develop a sustainable cyber offering that can help protect customers from a risk that has reached the highest level of priority in boardrooms around the world.

At 38 pages it is a significant, and long, report which defies easy summary; however, some highly pertinent points it makes include:

  • the potential impacts on businesses are:
    1. Asymmetric Attack Exchange: A rudimentary cyber power sponsors non-state ransomware attacks by cybercriminals targeting another nation’s critical infrastructure
    2. Offensive Cyber Retaliation: Regional tensions over nuclear development programmes spill over into cyber-physical sabotage of critical infrastructure
    3. Symmetric Attack Exchange: Two sophisticated cyber powers engage in an escalation of destructive cyber attacks on critical infrastructure

Physical cyber risk
