For some time now in Australia we have witnessed a "cold war" between the consumer regulator, the Australian Competition and Consumer Commission (ACCC), and the privacy regulator, the Office of the Australian Information Commissioner (OAIC), over "consumer privacy" (which in the US has traditionally been within the purview of the Federal Trade Commission). Until now this has been a largely academic discussion. However, with the launch of the Consumer Data Right in the banking sector (with other sectors soon to follow) and the ACCC's recent successful action against HealthEngine Pty Ltd (HealthEngine), it has become a "real war", one that is already having, and is likely increasingly to have, a material impact on businesses for privacy-related infringements in the consumer privacy space.
We are already seeing a more aggressive enforcement stance from the OAIC (admittedly coming off a low base), in the form of its application to the Federal Court of Australia (Court) to impose massive fines on Facebook in relation to the Cambridge Analytica activities. In ACCC v HealthEngine Pty Ltd FCA 1208 (Case) we see the ACCC staking its claim in the consumer privacy space, using consumer law to prosecute what are, in effect, privacy breaches.
HealthEngine is an online appointment booking engine which also provides ratings and rankings of numerous health practitioners. The Court found that HealthEngine failed to publish many of the negative comments about its paying health practitioner members (the conduct accounting for most of the remainder of the A$2.9 million penalty). Separately, HealthEngine offered a service to discuss an individual's health insurance needs (and make recommendations) if the individual indicated 'yes' on the online form when booking an appointment with a health practitioner (the Referral Conduct).
As regards the Referral Conduct, HealthEngine did not itself provide this service (i.e. make the call to the individual). Rather, HealthEngine had a paid arrangement with nine health insurance brokers and, on receiving a 'yes' in the online form, would send that individual's personal information to one of the nine third party brokers so that the broker could call the individual to discuss their health insurance needs. It was not alleged that HealthEngine stated anywhere that it performed the Referral Conduct itself; rather, the Court found that it was not made clear to an individual answering 'yes' that their personal information would be disclosed to anyone else, or that the call to discuss their health insurance needs would be made not by HealthEngine but by a third party insurance broker.
Although HealthEngine made no definitive statement either that it would (a) not disclose any personal information or (b) itself respond to the 'yes' enquiry by calling the individual to discuss their health insurance needs, the Court held, as regards the Referral Conduct, that HealthEngine had not made it "adequately clear" on the online booking form (and, presumably, had not adequately brought to the consumer's attention any disclosure made in a privacy statement or policy) that, if an individual answered 'yes', their personal information would be sent to one of nine different third party health insurance brokers who would then contact them.
The Referral Conduct occurred over a four-year period (2014 to 2018). Although no individual was compelled to answer 'yes' in order to receive a call about their health insurance needs, the Court confirmed that HealthEngine was obliged to inform individuals clearly that (a) their personal information would be provided to a third party health insurance broker and (b) it would be that broker, not HealthEngine, that called them to discuss their health insurance needs. Failing to do so was conduct likely to lead people to believe both that HealthEngine itself provided the relevant service (i.e. the discussion of the patient's health insurance needs) and that their personal information was not being disclosed for that purpose, each of which was misleading.
As a result, the Court imposed a pecuniary penalty of A$1.4 million for the Referral Conduct (out of a total penalty of A$2.9 million). In addition to this significant pecuniary penalty, the Court also ordered HealthEngine to:
(i) undertake an independent annual review of its existing compliance program (which, in this case, would likely also cover its relevant privacy processes and policies) for a period of three years, implement all changes identified by the independent reviewer as necessary for compliance, and confirm in writing to the ACCC that those changes had been made; and
(ii) contact all persons whose personal information was provided to a health insurance broker during the period (2014 to 2018), informing them, in a prescribed form of letter, of certain specified matters, including that the Court had found the conduct contravened the Australian Consumer Law (ACL), and providing instructions on how the individual could request that his or her personal information be deleted.
While (i) above is onerous, we suspect that (ii) will be, for some companies, an extremely difficult and costly exercise. In this case, HealthEngine will need to determine, for each individual who used its services, whether and to which broker that individual's personal information was sent, in order to provide those details to the individual. Unless HealthEngine's IT systems and databases are set up appropriately and are capable of doing this, and the relevant information has not been deleted, this will be a Herculean (and extremely expensive) task.
What this means in practice
What to do now
Given these developments and our strong belief that enforcement in the consumer privacy space will continue to escalate, to avoid a significant fine we recommend that you urgently:
- add the review of your privacy (at least your consumer privacy) compliance to your internal audit program or, if you do not have an internal audit program, list it for review at least every two years.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.