Katarina Klaric, Principal, Stephens Lawyers & Consultants
The digital economy, including digital platforms and on-line market-places, continues to be a compliance and enforcement priority for regulators in Australia[1], with court enforcement action resulting in significant penalties. This update provides a review of recent Australian technology cases and ensuing compliance and risk management issues.
The Australian Competition and Consumer Commission (ACCC) is actively involved in monitoring the digital economy and taking enforcement action to deal with unfair trade practices, misconduct, anti-competitive conduct and privacy and cybersecurity breaches.
The Australian Securities and Investments Commission (ASIC) is focussed on protecting consumers from harm caused by digital technologies and platforms in the financial markets and services sector including cyber and digitally enabled misconduct and on-line investment scams. ASIC is also monitoring the development and application of artificial intelligence in the financial market sector and financial products and the associated risks[2].
Online platforms, social media and high privacy impact technologies and the security of personal information remain a regulatory focus of the Office of the Australian Information Commissioner (OAIC), the regulator responsible for privacy law compliance. The OAIC is prioritising its regulatory activities to deal with “technologies and business practises that record, monitor, track and enable surveillance, and the use of algorithms to profile individuals” in ways which may not be understood or expected, with adverse consequences[3].
The review of recent Australian technology dispute cases provides useful insights for businesses operating in the digital economy and areas of potential risks. Businesses can minimise the risk of enforcement action or court proceedings by regulators or parties affected, with the implementation of appropriate governance and compliance programs. The cases highlight:
- that compliance with Australian laws cannot be avoided by having servers located outside Australia, where affected users of the digital platform are located in Australia;
- the importance of drafting or reviewing terms and conditions for on-line platforms, digital market places and technology agreements to ensure compliance with Australian laws;
- the importance of ensuring that the terms and conditions and Privacy Policies make accurate disclosure in respect of the data that is collected and its use, with sufficient clarity and prominence so that they are brought to the notice of the class of consumer at which they are aimed;
- the importance of monitoring and review of on-line platforms and digital market places for accuracy of information displayed;
- the importance of monitoring algorithms for accuracy;
- the importance of pre-market assessment of technology and advertising and marketing material for compliance with Australian laws;
- that Australia’s privacy laws will extend to technology companies which are not registered in Australia, do not have servers in Australia but are involved in collection and use of personal data of individuals in Australia;
- that the use of web-crawlers to collect sensitive information about individuals comprising biometric information, being images and associated metadata of individuals, without the consent of the individual, is a breach of Australia’s privacy laws;
- that before offering crypto-related products to consumers in Australia, entities should ensure that the proposed product complies with the Australian Corporations Act and regulations and other relevant laws. Crypto-related products may be financial products requiring entities to meet the design and distribution obligations so that they meet the needs of the consumer and are distributed in a targeted manner[4]; and
- the importance of compliance programs and training of company staff, contractors and representatives in respect of compliance with Australian Consumer Law.
Review of Australian Technology Cases: December 2022 to March 2024
The courts are imposing significant penalties on global technology companies for contravention of the Australian Consumer Law.
ACCC v Airbnb Ireland UC (Airbnb) [2023] FCA 1633 (20 December 2023)
The Federal Court ordered Airbnb Ireland UC, the operator of the Airbnb online peer-to-peer short-term rental accommodation service, to pay a penalty of $15 million and undertake a compliance program for contravention of Australian Consumer Law in making misrepresentations in respect of the pricing of accommodation to Australian consumers who accessed the service through the Airbnb website or App.
The ACCC alleged that during the period between 1 January 2018 and 30 August 2021, Airbnb displayed to some Australian consumers the total price for accommodation in Australia, without clearly disclosing that the price was in United States Dollars (USD) and misrepresented to those consumers that the total price was the displayed amount in Australian Dollars (AUD), when this was not the case. At the time, there was a material difference in the exchange rates between the two currencies. The ACCC received over 2000 complaints from consumers about being charged in US dollars. After court proceedings had commenced, Airbnb admitted that it had engaged in conduct that was misleading or deceptive or likely to mislead or deceive within the meaning of ss 18(1) and 29(1)(i) of the Australian Consumer Law. Airbnb and the ACCC submitted to the court for approval agreed orders for a penalty and compliance program.
Australian Competition and Consumer Commission v. Fitbit LLC [2023] FCA 15 (12 December 2023)
The Federal Court ordered Fitbit LLC, a US based manufacturer and supplier of electronic health and fitness devices, including wearable trackers, to pay a penalty of $11 million for contravention of Australian Consumer Law and to implement various compliance measures. After court proceedings had been commenced by the ACCC, Fitbit LLC admitted to making false and misleading representations regarding the consumer guarantee entitlements and remedies where devices were not compliant with the consumer guarantees provided under Australian Consumer Law, in contravention of sections 18 and 29(1)(m) of the Australian Consumer Law. The parties also agreed to the penalty amount which was approved by the court.
In Australia, Fitbit devices could be purchased on the Fitbit website or from third party retailers. Fitbit LLC used customer service representatives located in the Philippines to deal with Australian consumers having problems with Fitbit devices. Fitbit LLC’s customer service representatives misrepresented to Australian consumers that they did not have a right to a refund in respect of defective devices unless the devices were returned within 45 days of purchase, when in fact they did where there was a major failure of the device. Fitbit LLC’s customer service representatives also made misrepresentations to Australian consumers that they did not have a right to a replacement product because Fitbit’s 2 year warranty had expired, when in fact they did. Consumer rights and remedies for defective products are provided to Australian consumers under the consumer guarantee provisions of the Australian Consumer Law, which cannot be excluded, restricted or modified.
Australian Competition & Consumer Commission v. Meta Platforms Inc. & Ors [2023] FCA 842 (26 July 2023)
The Federal Court of Australia ordered two wholly owned subsidiaries of Meta Platforms Inc. – Facebook Israel Ltd and Onavo Inc. – to pay penalties of $10 million for contravention of Sections 18 and 33 of the Australian Consumer Law. The Court declared that Facebook Israel and Onavo had contravened the law when advertising and promoting Onavo Protect on the Google Play Store and Apple App Store listings, by failing to adequately disclose that the users’ data would be used for purposes other than providing the Onavo Protect services. Facebook Israel and Onavo had admitted to the contravention and the Court had to determine whether the penalty that the parties had agreed to was appropriate and should be imposed by the Court[5].
Onavo Protect, a downloadable software application for mobile devices which provided a virtual private network (VPN) once installed on the devices, was offered free by Onavo and Facebook Israel to Australian consumers on the Google Play Store and Apple App Store. Onavo Protect was promoted and advertised as a product which would keep the users’ data protected and safe, using statements that included language such as:
“With Protect, you can – Get alerts when apps are using lots of data – Use a free, fast and secure VPN to protect personal information … – Add an extra layer of security and data encryption”
“Onavo Protect helps keep you and your data safe when you browse and share information on the web.”
“It also helps secure your details when you login to websites or enter personal information such as bank accounts and credit card numbers.”
“To provide this layer of protection, Onavo establishes a secure connection used to direct all of your network communications through Onavo’s servers. As part of this process, Onavo receives and analyzes information about your mobile data and app use”.[6]
Facebook Israel and Onavo in providing users the Onavo Protect VPN service collected extensive data from users through the app which was provided to Meta Platforms. If the user also had a Facebook account, Meta Platforms using an algorithm was able to combine the user’s data collected from Facebook usage with data collected from the usage of Onavo Protect. The personal data collected and provided to Meta Platforms included:
- information about the user’s device including – operating system, mobile carrier or network, IP address and location information;
- information about the user’s mobile applications and data usage including names and details of applications installed on the user’s device, the user’s use of those applications and the websites visited;
- log information and other data from the user’s device;
- metadata about volume of traffic, user agent and domain when mobile data was transferred to Onavo Protect Servers;
- location related information when user accessed location-based services, or IP addresses[7].
Meta Platforms used the anonymised and aggregated data for a range of commercial purposes including advertising and marketing activities and improving its products and services. Meta Platforms’ and Facebook Israel’s internal documents described Onavo Protect as “a business intelligence tool” for Meta Platforms, which provided Meta Platforms with “a sample of users who we are able to know nearly everything they are doing on their mobile device”[8].
The Onavo Protect Terms of Service did not disclose that data from Australian users of Onavo Protect would be provided to Meta Platforms. The Terms of Service included a link to Onavo’s Privacy Policy which disclosed that the data would be used for purposes other than providing the Onavo Protect service. This disclosure was considered to be not sufficiently prominent or proximate to the product listing on the Apple App Store and Google Play Store. The Terms of Service and Privacy Policy were accessible via a link on the website promoting Onavo Protect[9].
The court, in imposing the $20 million civil penalty proposed by the parties, considered the contraventions of Australian Consumer Law to be serious. The listings on the Apple App Store and Google Play Store about Onavo Protect users’ data were misleading in that they conveyed to the users that data would be protected and would only be used for the purposes of providing the Onavo Protect VPN and data management services. These listings failed to mention that Onavo Protect also collected and supplied users’ data relating to online activities to Facebook Israel and Meta Platforms for other purposes. The failure to make such disclosure to hundreds of thousands of Australians who had installed and used the Onavo Protect app had deprived them of the opportunity to make an informed choice about the collection and use of their personal data[10].
Australian Competition and Consumer Commission v. Uber B.V. [2022] FCA 1466 (7 December 2022)
The Federal Court of Australia ordered Uber B.V. to pay penalties totalling $21 million for breaches of s 29(1)(i) of the Australian Consumer Law in respect of false or misleading representations made in trade or commerce:
- during the period from about 20 June 2018 to 31 August 2020, with respect to the price for an Uber taxi by displaying on the Uber app and Uber website an estimated price range for the ride at the time of the booking, when the actual price for the ride was not likely to be the price range displayed;
- during the period from approximately 8 December 2017 to 20 September 2021, with respect to the price that would apply when the “Cancel Trip” option had been selected for a ride booked for UberX, Uber Premier, Uber Comfort or UberPool using the Uber platform, by displaying on the Uber app and Uber website a message stating that consumers may be charged a small fee, when in fact such consumers would not be charged a fee if they cancelled their trip during the free cancellation period stated in the terms and conditions.
The court also granted an injunction restraining Uber B.V. – for a period of three years from the date of court orders (7 December 2022) – in trade or commerce in connection with the supply or possible supply or promotion of rideshare services, from making any representation to the effect that a consumer may be charged a cancellation fee in circumstances where the relevant terms and conditions or cancellation policies applicable in Australia to the rideshare services stipulate that the consumer would not be charged a cancellation fee. Uber was also ordered to make a contribution towards the ACCC’s costs.
The price range calculations of fares displayed on the Uber platform were dependent on the accuracy of pricing algorithms used by Uber. The court accepted that consumers do not have visibility over algorithm inputs and relied on Uber to provide fare estimates based on accurate pricing information. Consumers also relied on Uber to provide truthful information regarding when a fee might in fact be imposed for the cancellation of a trip. The court, in considering the appropriate penalty, took into account the fact that employees of the Uber group were aware that there were limitations as to the accuracy of the algorithm for calculating fare range estimates, but did not monitor the workings of the algorithm for accuracy of calculation of price ranges. Uber was required to provide the court with further evidence concerning the nature and extent of employees’ knowledge of the accuracy limitations of the algorithm[11].
In relation to cancellation representations, certain employees and senior management of the Uber group knew that the cancellation warnings were being incorrectly displayed during the free cancellation period and that Uber would be profiting from this. Senior management were aware that more accurate cancellation messaging would have a negative financial impact on Uber and drivers. The court took these factors into account in determining the appropriate penalty to impose[12].
Australia’s privacy laws will extend to technology companies which are not registered in Australia, do not have servers in Australia but are involved in collection and use of personal data of individuals in Australia.
Clearview AI Inc. and Australian Information Commissioner [2023] AATA 1069 (8 May 2023)
Clearview AI, a company incorporated in Delaware, United States of America, offers facial recognition software services to law enforcement agencies to assist with the identification and location of victims and suspects in criminal investigations. Clearview used a computer program known as a web-crawler to build a database of images of faces of Australians (including metadata) from servers located in Australia. Clearview promoted and offered the facial recognition services to Australian enforcement agencies on a free trial basis.
Following the publication in January 2020 of an article titled “The Secretive Company that Might End Privacy As We Know It” in the New York Times detailing the capabilities of the Clearview AI system, the Australian Privacy Commissioner commenced investigations into the company’s activities and whether it had breached the Privacy Act.
The Privacy Commissioner found that although Clearview was based in the US, did not have an office in Australia and had not generated any revenue in Australia, it had sufficient links to Australia for the Privacy Act to apply. The Privacy Commissioner found that Clearview breached a number of Australian Privacy Principles (APP) by:
(a) Failing to take reasonable steps to implement practices, procedures and systems relating to the entity’s functions or activities, that will ensure compliance with the APPs (APP 1.2).
(b) Interfering with the privacy of Australian individuals in:
- collecting sensitive information about an individual where consent for such collection had not been obtained and exceptions did not apply (APP 3.3 and APP 3.4);
- failing to collect personal information by lawful and fair means (APP 3.5);
- failing to take such steps as were reasonable in the circumstances to notify individuals of the collection of personal information (APP 5);
- failing to take such steps as were reasonable in the circumstances to ensure that the personal information used or disclosed was, having regard to the purpose of the use or disclosure, accurate, up-to-date, complete and relevant (APP 10.12)[13].
Clearview sought a review of the Privacy Commissioner’s decision in the Administrative Appeals Tribunal (Tribunal) claiming that it was not bound by the Australian Privacy Act because it does not have an ‘Australian link’ for the law to apply to a foreign company. In the alternative, Clearview claimed that if the Australian Privacy Act applied, it was a small business operator and was exempt from its operation or it had not breached the APPs. Clearview’s review application was unsuccessful.
The Tribunal found that Clearview carried on business in Australia and had Australian links for the purposes of the Privacy Act, having regard to the key elements of the business which involved:
- the collection of a large number of images and associated metadata from all over the world including servers located in Australia for its image library and associated meta database;
- the development and use of software with the capacity to enable searching of those images to produce usable results consisting of images which match a probe image and the associated metadata;
- the promotion and licensing of the Clearview system to law enforcement agencies including agencies located in Australia, for searching of images on the database by reference to the probe image uploaded.
Without the harvesting of images and associated metadata from servers there would be no system or business.
The Tribunal found that Clearview had collected from Australian servers sensitive information about individuals comprising biometric information[14], being images and associated metadata of individuals, without their consent in breach of APP 3.3. The individuals’ images and associated metadata were collected by Clearview for biometric identification of individuals[15]. By reason of the APP 3.3 breach, the Tribunal found that Clearview had breached APP 1.2 in failing to have taken reasonable steps to implement practices, procedures and systems relating to its activities and operations to ensure that it was compliant with Australian privacy laws[16].
The Tribunal noted that if Clearview wanted to operate its business beyond the operation of Australia’s privacy laws it had to cease the practice of collecting images and associated metadata from servers in Australia for biometric identification[17].
Regulation of Crypto-related products in Australia – Recent Enforcement Action
Australian Securities and Investments Commission v. Bit Trade Pty Ltd (Federal Court of Australia)[18] 20 September 2023
On 20 September 2023, the Australian Securities and Investments Commission (ASIC), the law enforcement agency responsible for regulating companies and the financial services market, commenced court proceedings seeking injunctive relief and pecuniary penalties against Bit Trade, the provider of the Kraken crypto exchange to Australian customers. Bit Trade’s customers can purchase and sell certain digital assets including crypto-assets and fiat currencies via the website www.kraken.com and a mobile application.
ASIC alleges that Bit Trade has contravened the design and distribution requirements relating to financial products for retail clients of the Corporations Act by offering a crypto-related product known as “Margin Extension” without first making a “target market determination” as required by the Act[19]. ASIC alleges that Bit Trade’s margin trade product is a credit facility as it offers customers credit for use in the sale and purchase of certain crypto assets on the Kraken crypto exchange. ASIC alleges that Bit Trade, by offering the margin trade product without a “target market determination” since 9 January 2020, has exposed retail clients to the product, and the risk of loss that use of the product carries through both the leverage inherent in the product and the volatile investments available on the Kraken crypto exchange. ASIC alleges that during the period 9 January 2020 to 11 August 2023, 1,160 retail clients used the margin trade product and 968 of those suffered losses on their trading accounts, totalling over $12 million.
In June 2022, ASIC had notified Bit Trade of its concerns regarding the margin trade product and Bit Trade’s failure to comply with the design and distribution obligations; however, Bit Trade continued to offer the product without a target market determination.
Disclaimer: This update is not intended to replace obtaining legal advice
© 23 October 2023 and 30 March 2024 — Stephens Lawyers & Consultants
[1] ACCC, Compliance and Enforcement Priorities 2024-25, 7 March 2024.
[2] ASIC Corporate Plan 2023-27, pp. 7 and 9.
[3] https://www.oaic.gov.au/about-us/our-regulatory-approach/oaic-priorities-for-regulatory-action-2022-23
[4] ASIC Information Sheet 225: Crypto Assets. The information Sheet provides guidance as to when crypto related products may be financial products.
[5] [2023] FCA 842, [3]
[6] Ibid, [7]
[7] Ibid, [8] and [36]
[8] Ibid, [9]
[9] Ibid, [10]
[10] Ibid [32] and [34]. The number of users that had viewed the listings was not known. At the time of the contravention there were 271,220 users that had installed the Onavo Protect app.
[11] ACCC v. Uber B.V. [2022] FCA 1466, [100]-[103]
[12] Ibid, [104]-[109]
[13] [2023] AATA 1069, [4]
[14] Privacy Act (Cth) 1988, s6 –“Sensitive information” is defined in the Privacy Act to include biometric information that is to be used for the purpose of automated biometric verification or biometric identification and biometric templates. The inclusion of “biometric information” in the definition of “sensitive information” arose out of concerns raised by the Australian Law Reform Commission that biometric technologies, such as facial recognition technologies may be used to identify individuals without their consent or knowledge.
[15] [2023] AATA 1069, [126]-[131]
[16] Ibid, [199]
[17] Ibid, [200]
[18] Federal Court of Australia – Concise Statement
[19] Corporations Act (Cth), Part 7.8A ss994B(1) and (2)