Data breaches are a common occurrence in the tech world. In the past, if you wanted to steal information, you would have had to buy a crowbar, break a window and jimmy open a filing cabinet. These days, however, stealing data is as easy as guessing a password. Whether your breach is due to a phishing scam, a patchy security system, or Janet in accounting, most modern companies have to deal with the issue of digital security. ...
From 22 February 2018, the Privacy Act 1988 (Cth) will include a mandatory data breach notification scheme. Under the scheme, entities governed by the Privacy Act, often referred to as APP entities, will be required to notify the Office of the Australian Information Commissioner (OAIC) and any affected individuals of ‘eligible data breaches’. ...
Each year, the Office of the Australian Information Commissioner (OAIC) holds a week of events to promote privacy and encourage best practices by companies and organisations on how they can keep your personal information safe. Each year has a different theme: This year, the focus of the week is “trust and transparency”. ...
In February 2017, the much anticipated Mundine/Green fight took place. This long-awaited match was expected to be an intense fight between two rivals; however, Australians received more than just one fight when a dispute over copyright emerged between Foxtel, the official broadcaster, and two Facebook users.
It is alleged that approximately 300,000 people viewed the fight via Facebook’s live-streaming service when the two men streamed the fight through their Facebook accounts. Foxtel, being the official broadcaster, alleges that the streaming of the fight violates their copyright as they held the exclusive rights to air the fight. Foxtel threatened legal action against the Facebook users.
The unofficial follow-up fight, however, did not last long as the two Facebook users issued public apologies the following week.
So why did the streaming of the fight cause such a disagreement?
Copyright law in Australia
Copyright law has a long history in Australia. Within the area of intellectual property law, copyright is one of the few rights bestowed automatically. This means that unlike trade marks or patents, the person or company seeking the legal protection afforded by copyright law does not need to apply or be approved; it simply exists over the published work.
As the rightful owner or creator of the work, you get to decide how your work may be re-published and by whom. In the case of Foxtel, the organiser chose Foxtel to exclusively broadcast the fight. This means that Foxtel was the only entity that had permission to air the fight. Foxtel argues that streaming the fight is the same as broadcasting and therefore when the two men streamed the fight, they were violating Foxtel’s exclusive rights.
Whether you view Foxtel’s actions as extreme or not, the potential legal issues relating to live-streaming will make headlines again as the service becomes more popular.
While this situation ...
Digital security is a hot topic in the news right now. From celebrities to nation states, everybody has data they’d like to keep private. For software providers, that means having up-to-date security measures.
In Australia, software providers need to adhere to the Australian Consumer Law (ACL), which applies to all suppliers of goods and services to customers in Australia.
Australian law requires businesses to secure the personal information of their clients and customers. Businesses must also protect this information from being lost, misused, or given away.
If your business collects clients’ personal information, you are required to take reasonable steps to secure it. Unfortunately, Australian privacy law is rather broad when defining ‘reasonable steps’. Nevertheless, here’s a list of things you should consider:
• whether you collect very, very personal information – known as ‘sensitive information’;
• whether there could be negative consequences if the information is breached;
• the size and quantity of the information;
• the time and cost involved in implementing security measures; and
• whether a security measure itself is invasive.
Australian Consumer Law
The ACL requires that software:
• achieves the desired results of the client;
• is ‘fit for purpose’ and consistent with the client’s desires; and
• is delivered with appropriate care and adequate skill.
Remember that some requirements of the ACL are binding no matter what. These requirements are known as ‘guarantees’. You can read more about them here.
Fit for Purpose?
As with “reasonableness”, the ACL is quite broad in the definition of ‘fit for purpose’.
For example, if a client fails ...
Earlier this month, the government released a draft of the Privacy Amendment (Notification of Serious Data Breaches) Bill 2015 (the Bill) for public comment. If the Bill is passed without major changes, it will have a significant impact on businesses in Australia.
Effect of the Bill if Passed
The Bill will apply to any businesses or agencies already subject to the Privacy Act 1998 (Cth).
If the Bill is passed through parliament, it will become legally mandatory for businesses or agencies to ‘notify individuals when a serious breach of security leads to the disclosure of personal information’ – but only for data breaches that cause a ‘real risk of serious harm.’
Examples of “serious harm” include financial loss or identity theft, and more broadly, physical, psychological and emotional harm.
Breaches are not just limited to theft or ‘hacking’ – the concept includes internal errors that cause accidental loss of an individual’s personal information.
If there is reasonable belief that a serious data breach has occurred, businesses would be required to notify both the Commissioner and each affected individual - using whatever customer communication tools they normally use.
If it is not practical to contact every individual, the business must take reasonable steps to publicise the notification – including on social media, on the business’ website or through print media.
Failure to Notify Penalties
If a business fails to notify the affected individuals of a serious data breach – the business will be subject to the penalties outlined in the Privacy Act.
The Commissioner can investigate the issue and direct the business to notify the affected individuals. The current drafting allows businesses to seek a review of the Commissioner’s directions in the Administrative Appeals Tribunal.
For businesses that ...
The Federal Government has announced its plan to spend almost $1.1 billion over the next four years as part of a new "innovation package". The package aims to promote a significant increase in business-based development and growth Australia-wide.
Industry Minister Christopher Pyne has stated that the bulk of the innovation package will come into effect from July 2016. The most relevant initiatives for existing businesses, investors and start-ups are identified below.
Bankruptcy and Insolvency
- The period of bankruptcy will be reduced from three years to one year.
- Insolvency laws will be wound back in recognition of the fact that most entrepreneurs fail several times before they succeed.
- Companies in difficulty will be able to call a business adviser to help restructure their business, without being subject to insolvency laws.
- Existing contracts will remain in place when a company goes into voluntary administration.
- Company directors will not be personally liable for insolvent trading if they appoint a restructuring adviser.
Early stage investors in new start-up businesses will get:
- a non-refundable tax offset equivalent to 20% of the value of invested capital (capped at $200,000 a year); and
- zero capital gains tax if the investment is held for more than three years.
For example, if an investor invests $200,000 and claims the offset, they will reduce their taxable income by $40,000. If the investor sells his or her shares three years later, the initial $200,000 will be exempt from capital gains tax.
The government will also provide funding to help Australian entrepreneurs travel to booming technology hubs like Silicon Valley and Tel Aviv.
The ‘innovation package’ is likely to have a significantly positive impact on business development and growth in Australia.
However, there ...
This article was first published in the Internet Law Bulletin 2013 17(7) at 174.
- When reviewing advertising for legal compliance consider:
- Does the advertising have a dominant message?
- Are there any conditions that impact the dominant message and if so are they sufficiently clear and prominent?
- For internet advertising, it is not sufficient that a consumer can “click” on the advertisement to learn about any conditions that vary the dominant message.
By now many of you will have heard about the High Court’s decision in the long running misleading advertising dispute between the Australian Competition and Consumer Commission (ACCC) and TPG Internet Pty Ltd (TPG). In its decision handed down on 12 December 2013,1 the High Court reinstated a $2 million pecuniary penalty imposed on TPG for a misleading advertising campaign about TPG’s unlimited broadband bundle.
The 4–1 majority judgment sent a clear message to advertisers to be careful in ensuring that the dominant message of their advertising and marketing is not misleading and deceptive. Advertisers cannot always rely on the fine print of an advertisement to avoid liability under the Australian Consumer Law (ACL), where the dominant message of an advertisement may be considered misleading or deceptive.
TPG’s multimillion dollar advertising campaign consisted of advertising in various forms of media, including online. So, what does this decision mean for businesses advertising on the internet?
In late September 2010, TPG launched a substantial and extensive advertising campaign in relation to its broadband Internet product with unlimited downloads known as “Unlimited ADSL2+”. The campaign was run in various different mediums including television, radio, print, billboard and internet advertising, at a total cost of ...
It’s easy for businesses, particularly technology businesses, to underestimate the risks they’re taking on when they provide services. It's a little known fact that there's real potential for businesses to use consumer law to aggressively pursue consequential loss claims where they would always otherwise be excluded, since in many circumstances, you can't contract to exclude liability for consequential loss under the Australian Consumer Law (ACL).
Suppliers of software and data management services are usually unaware that, under the Australian Consumer Law, even large corporations can be ‘consumers’ in certain circumstances.
When are Your Customers ‘Consumers’?
Even if you are involved in arms-length commercial dealings with large players, your customer may still be able to use consumer rights against you.
If a customer purchases a good or service of a value of $40,000 or less, for use within the business, for the purposes of the ACL the customer is a ‘consumer’ who will be able to rely on the guarantees and protections provided under the ACL. The guarantees include a guarantee that the product must be safe, durable, free from defects, fit for purpose, acceptable in appearance, matches its description and matches sample/demonstration models of the good.
Even where the goods or services are of a value that is greater than $40,000, under the ACL a customer may still be a ‘consumer’ for the purposes of the ACL if the goods or services are ordinarily used for personal, domestic or household purposes.
Imagine you are a small startup providing customer relationship management services. You have several contracts worth $1,000 or $2,000. Business goes well, and you attract a very large corporate customer, who pays you $39,000 to take over their CRM. That customer is likely a ‘consumer’ for the purposes of the ACL.
Potential Liabilities for Supplying Goods or Services
Two factors combine to allow consumers to make potentially ...
A New Right for Individuals to Control their Online Information
On 14 May 2014, the Grand Chamber of the European Court of Justice (Court) delivered a judgment that could widely affect how search engines (such as Google) process, record, store and present information relating to individuals. The judgment addressed and confirmed the right of an individual to request that information relating to that individual be removed from search engines.
In Google Inc v Agencia Espanola de Proteccion de Datos, the Court held that search engines are involved in processing personal data; and that operators of search engines are data controllers for the purposes of the Data Protection Directive (DPD).
The Court held that search engines have a duty to ensure that published search results are compatible with the rights of individuals. The Court recognised that there is also a public interest and right to access information that needs to be protected, but on balance, the Court found that the rights of individuals, about whom data is collected, override the public interest (with a few recognised exceptions such as public figures).
The Court went on to find that the DPD includes a right for individuals to be forgotten - which extends to include a right for individuals to demand that search engines remove information that an individual does not want to be published about them. Interestingly, the Court held that the right existed irrespective of the individual’s ability to show any prejudice. The Court found support for its position in Articles 7 and 8 of the European Union Charter of Fundamental Rights.1
The Effects of the Judgment
While the judgment does not directly apply to Australia or jurisdictions outside the European Union, it does represent a significant step in allowing individuals greater control over information that is published about them on the Internet.