Optus stung by ACMA for breach of spam laws


Australia’s second largest telecommunications provider, Optus Mobile Pty Ltd, Optus Internet Pty Limited and Optus ADSL Pty Limited (Optus), has paid a $504,000 infringement notice after the Australian Communications and Media Authority (ACMA) found it had committed significant breaches of spam laws.

Background

The ACMA found that Optus sent marketing SMS and emails to approximately 750,000 consumers after they had already unsubscribed from receiving marketing texts and emails from Optus, and also sent billing notices which did not include an unsubscribe facility.

On 11 November 2019, the ACMA notified Optus that it had reasonable grounds to believe that, between 1 June and 4 December 2018 (inclusive), Optus sent or caused to be sent commercial electronic messages:

(a) without the consent of the relevant electronic account holder, in contravention of subsection 16(1) of the Spam Act; and/or

(b) that did not contain a functional unsubscribe facility, in contravention of subsection 18(1) of the Spam Act.

In addition to the $504,000 fine, the ACMA accepted a court-enforceable undertaking under which Optus will appoint an independent consultant to review its systems, policies and procedures. The undertaking was imposed to significantly reduce the risk of ongoing non-compliance. The ACMA will actively monitor Optus’ compliance with its commitments and will consider court action if they are not met.

Historically, the fines imposed for breaches of spam laws have been modest. Although the ACMA generally takes a consultative approach with businesses, this is the largest infringement notice ever paid for spam and indicates that the ACMA is becoming increasingly active and more willing to use its more forceful powers to compel compliance with spam laws. It follows a trend in recent years of Australian regulators taking a more proactive approach to enforcement.

Spam Laws

Australian spam laws were introduced in 2003 under the Spam Act 2003 (Cth) (Spam Act) and cover email, mobile phone messages (SMS, MMS) and instant messaging. The Spam Act is enforced by the ACMA. Under the Spam Act, it is illegal to send spam, which is defined as ‘unsolicited commercial electronic messaging’.

The Spam Act, the Do Not Call Register Act 2006 and the Privacy Act 1988 (Cth) contain specific provisions regarding direct marketing.

The Australian Communications and Media Authority (ACMA)

The ACMA is Australia’s regulator for broadcasting, radio, telecommunications and certain online content.

The ACMA has regulatory powers to investigate and take action against businesses and individuals in broadcasting (including radio and television) and telecommunications. These powers are granted primarily under the Australian Communications and Media Authority Act 2005 (Cth), the Broadcasting Services Act 1992 (Cth), the Telecommunications Act 1997 (Cth) and the Do Not Call Register Act 2009 (Cth).

Where the ACMA finds contraventions of the law, it can take action in the following ways:

  • issue a formal warning;

  • give an infringement notice;

  • accept court-enforceable undertakings; and

  • take the matter to the Federal Court, which can impose significant penalties.

What this means for your business

If you or someone else in your business sends out commercial emails or messages, you need to know about spam laws, what your responsibilities are and how to comply.

Before sending any commercial messages or emails, such as marketing messages or emails, you must first obtain permission (either express or inferred) from the person who will receive them. After obtaining permission, you must ensure that each message identifies you as the sender, contains your correct contact details and makes it easy to unsubscribe.

If you have any questions or wish to discuss this article further, don't hesitate to contact us.

Marissa Goff

Senior Lawyer

Mandatory notification of data breaches in Australia - what you need to know


Introduction to the New Mandatory Notification Scheme

The Privacy Amendment (Notifiable Data Breaches) Act will, upon its commencement on 22 February 2018, establish the Notifiable Data Breach Scheme (NDB Scheme). The amendments are designed to strengthen the protections afforded to the personal information of individuals and to improve transparency in the way that organisations respond to serious data breaches. This should give affected individuals the opportunity to take steps to minimise the damage that can result from the unauthorised use of their personal information.
 
The NDB Scheme will apply to businesses, Australian Government agencies and other organisations that are already required by the Privacy Act 1988 (Cth) (Privacy Act) to keep information secure. Australian Privacy Principle (APP) entities, credit reporting bodies and tax file number recipients holding information subject to the information security requirements under the Privacy Act will be subject to the new regime.
 
The new Act will require relevant entities to implement effective data breach assessment, response and notification processes, thereby reducing the risk of an “eligible data breach”.
 
When must you notify?
When there are reasonable grounds to suspect that a data breach has occurred that is likely to result in serious harm to any individual to whom the information relates.
 
All entities should prepare their data breach plan to ensure that they are able to respond quickly to suspected data breaches.
 
What must you notify?
Data breaches under the proposed scheme are likely to involve any of the following being compromised:

  • personal information, e.g. health information or credit card payment details;

  • credit reporting information;

  • credit eligibility information; and/or

  • tax file number information.

Two types of eligible data breach
An entity must notify the Commissioner when it becomes aware on reasonable grounds that there has been an eligible data breach. There are two types of eligible data breach:

  • there is unauthorised access to, or unauthorised disclosure of, information, and a reasonable person would conclude that this would be likely to result in serious harm to any of the individuals to whom the information relates; or

  • information is lost in circumstances where unauthorised access to, or unauthorised disclosure of, the information is likely and, if such access or disclosure were to happen, a reasonable person would conclude that it would be likely to result in serious harm to any of the individuals to whom the information relates.

Examples of an ‘eligible data breach’ include:

  • a cyber intrusion involving the online publication of individuals’ names and credit card numbers;

  • a database containing personal information being hacked;

  • personal information being mistakenly provided to the wrong person; and

  • personal information on a PC or similar device being lost or stolen.

Each of these examples is likely to involve unauthorised access or disclosure, with consequences likely to cause serious harm to the affected individuals.

Breach likely to result in serious harm
Serious harm to an individual may include serious physical, psychological or emotional harm as well as economic loss and reputational damage.
 
The determination as to what falls under “serious harm” relies on a “reasonable person test”: whether a reasonable person would conclude that access to or disclosure of the personal information would be likely to result in serious harm to any of the individuals to whom the information relates. The test is satisfied if the harm is caused to any individual whose relevant information has been breached.
 
When is a breach NOT a breach?
Section 26WF states that an eligible data breach does not occur nor is it taken to occur when:

  • there has been unauthorised access or disclosure, but the entity takes action before any consequent serious harm occurs;

  • there is a loss of information, but the entity takes action in relation to the loss before any unauthorised access or disclosure occurs; or

  • there is a loss of information, the entity takes action in relation to the loss after unauthorised access or disclosure has occurred, but a reasonable person would conclude that it would not be likely to result in serious harm to any individual.

Is serious harm likely, and what security measures were in place?

Section 26WG contains a non-exhaustive list of relevant matters for assessing whether access or disclosure would, or would not, be likely to result in serious harm. These matters include the kind and sensitivity of the information. Where the information is protected by one or more security measures, the section also considers the likelihood that those security measures could be overcome. If the security measure is encryption, the encryption key is an example of the information that would be required to circumvent that security technology.
 
What does the notification involve?
The entity must notify the Office of the Australian Information Commissioner (OAIC) and all individuals affected by the breach. If it is impractical to notify all affected individuals, the entity must publish a statement on its website setting out the details of the eligible data breach. The notification statement must set out:

  • the identity and contact details of the entity;

  • a description of the eligible data breach; and

  • recommendations about the steps that individuals should take in response to the eligible data breach.

How do you notify?
By form of course!
The OAIC provides a Notifiable Data Breach Form for this purpose.

Must you always notify?
Not always. There are some exceptions to the obligation to notify including:

  • where you have taken sufficient remedial action in response to the eligible data breach before it causes serious harm to any affected individual;

  • where the eligible data breach affects more than one entity, in which case only one of the affected entities needs to undertake notification; and

  • where the entity is already required to disclose the breach pursuant to the My Health Records Act 2012 (Cth).

When is it necessary to investigate data breaches?
The general rule is that a reasonable and expeditious assessment must be carried out within 30 days of the entity becoming aware of the reasonable grounds for suspicion. All reasonable steps should be taken to ensure that it is completed within this timeframe.
 
What happens if you fail to notify?
A failure to notify an eligible data breach (or to carry out an assessment of a suspected eligible data breach) is an ‘interference with the privacy of an individual’ under the Privacy Act and is subject to the standard penalty regime for such interferences under that Act. An interference with the privacy of an individual can lead to investigation by the Australian Information Commissioner, who has the power to issue determinations, accept enforceable undertakings, bring court proceedings to enforce such determinations or enforceable undertakings, or seek an injunction. Serious or repeated interferences with the privacy of an individual can also give rise to civil penalties of up to $1.8 million for companies and $360,000 for individuals.
 
Where the breach involves overseas entities
An entity that discloses personal information to an overseas entity, where that disclosure gives rise to an eligible data breach, is deemed to be accountable.
 
If a credit provider discloses credit eligibility information to entities that do not have an Australian link, the credit provider is deemed to hold that information and therefore remains accountable if the recipient suffers an eligible data breach.
 
What do you need to do?

  • Consider whether you are at risk of a data breach and how this might arise.

  • Check any internal privacy or compliance programs or policies.

  • Consider whether your policies or programs enable a possible data breach to be escalated and notified internally.

  • Check that your data management plans accommodate your company’s processes for identifying and notifying eligible data breaches.

David Conti
February 2018


If you have any questions or wish to discuss this article further, don't hesitate to contact us at the following:

hello@insideeagles.com.au