OAIC vs ACCC: Who’s leading the fight for data protection?

What can we learn from the HealthEngine case? Is the ACCC taking over from the OAIC as the enforcer of protection of consumer privacy?

In two recent posts, we put a spotlight on the approach of the OAIC (Office of the Australian Information Commissioner) to awarding damages for privacy breaches, the lack of jurisprudence to support privacy regulation, and the barriers to justice for those who have suffered emotional or economic distress as a result of a data breach.

This raised several questions, namely whether the OAIC is asserting its authority in advancing the protection of the privacy of Australians and, in the absence of means of redress for privacy breaches within its scope, whether there is someone who can do this better.

The recent ACCC (Australian Competition and Consumer Commission) Digital Platforms Inquiry highlighted the intersection of privacy, competition, and consumer protection considerations. Specifically, it emphasised that the lack of deterrence under current laws is compounded by individual consumers’ inability to bring direct actions under the Privacy Act or for serious invasions of their privacy that cause financial or emotional harm.[1]

Shortly after publishing their Digital Platforms Inquiry Report in 2019, flagging increased interest in privacy issues, the ACCC commenced proceedings in the Federal Court against online health booking platform HealthEngine Pty Ltd (HealthEngine), for misleading and deceptive conduct relating to the sharing of patient data with insurance brokers and for the manipulation of patient reviews and ratings published on their platform.

Background

The ACCC claimed that from 31 March 2015 to 1 March 2018, HealthEngine engaged in a practice of not publishing negative patient feedback, editing patient feedback before it was published as a review, and misrepresenting the reasons why it did not publish a rating for some health practices.

Additionally, the ACCC claimed that from 30 April 2014 to 30 June 2018, HealthEngine provided personal information supplied to it by patients to third-party private health insurance brokers (in return for a referral fee), without adequately disclosing that this would occur.[2]

The claim was settled in October 2020. The terms of HealthEngine’s settlement with the ACCC included HealthEngine making admissions that it had engaged in false or misleading conduct in contravention of sections 18, 29 and 34 of the Australian Consumer Law (ACL). HealthEngine was found to have breached sections 18, 29(1)(b) and 29(1)(e) of the ACL by implementing a practice of manipulating patient reviews and failing to disclose this conduct to consumers.

HealthEngine’s Misleading or Deceptive Conduct

HealthEngine also admitted engaging in misleading or deceptive conduct in relation to patient referrals in the period between April 2014 and June 2018. During that period, HealthEngine had arrangements with nine different private health insurance brokers and was paid fees when referring patients to them. As part of its online booking process, HealthEngine asked patients whether they had private health insurance, and whether they wished to receive a call about health insurance comparison services or to assess their private health insurance needs. It was not necessary to answer these questions; however, if a patient answered “yes” to receiving a call and subsequently made a booking, HealthEngine provided the patient’s non-clinical personal information (including their name, phone number, date of birth and private health insurance details) to one of the insurance brokers.

In relation to this conduct, the Court held that HealthEngine “used language which did not make it adequately clear that a third party (rather than HealthEngine) would provide the relevant services to Patients. Further, HealthEngine did not make it adequately clear that, if the Patient answered ‘yes’, the Patient’s non-clinical personal information would be sent to one of the Insurance Brokers.” Consequently, the Court found that HealthEngine had engaged in misleading conduct about the services being provided, in contravention of s 18 and s 34 of the ACL.[3]

Outcome

In total, HealthEngine was ordered to pay $2.9 million in penalties plus $50,000 toward the legal costs of the ACCC. $1.4 million of the total penalty sum related to the disclosure of patient information to external insurance brokers. HealthEngine was also subject to non-financial penalties, such as annual external compliance reviews and an order to contact every patient who was referred to an external insurance broker, informing them that their information had been provided to an external insurance broker and how to request that their information be deleted.

More than 135,000 Australians were affected by this breach of privacy. There was no evidence of significant emotional or financial distress to individuals arising out of HealthEngine’s conduct, yet the penalty HealthEngine was ordered to pay dwarfed some of those most recently handed down by the OAIC under the Privacy Act 1988 (Cth), even in instances where privacy breaches had demonstrably negative ramifications for individuals.

Other action

And the ACCC has now aimed higher.

The Federal Court decision in the HealthEngine case was handed down less than one month after the ACCC commenced proceedings against one of the world’s online giants, Google LLC. This ACCC case alleges that Google misled Australian consumers to obtain their consent to expand the scope of personal information that Google could collect and combine about consumers’ internet activity, for use by Google, including for targeted advertising. In particular, the ACCC alleges that Google misled consumers about a change to its privacy policy concerning the way consumer personal data is collected and used.[4]

We watch with interest.

Setting an example for the OAIC

With the ACCC increasing its commitment to the protection of consumers engaging with digital platforms as part of its 2020 enforcement and compliance priorities[5], the question arises of who is doing a better job of protecting the privacy of Australians: the ACCC or the OAIC?

The recent success of the ACCC may well serve as an incentive for the OAIC to step up and increase the accessibility of redress mechanisms for privacy breaches under the Privacy Act 1988 and, in turn, to do a better job of protecting the privacy of Australians.

Alternatively, the protection of personal data may become a consumer protection matter, policed more rigorously by the ACCC, but perhaps changing forever the lens through which Australians look at privacy protections.

Other relevant posts:

OAIC Determinations 2020: What can we learn?

Footnotes

[1] Australian Competition and Consumer Commission, Digital Platforms Inquiry Final Report (ACCC, 2019), p. 23.

[2] https://www.accc.gov.au/system/files/ACCC%20v%20HealthEngine%20Pty%20Ltd%20_Concise%20Statement.pdf

[3] Australian Competition and Consumer Commission v HealthEngine Pty Ltd [2020] FCA 1203

[4] https://www.accc.gov.au/media-release/correction-accc-alleges-google-misled-consumers-about-expanded-use-of-personal-data-0

[5] https://www.accc.gov.au/about-us/australian-competition-consumer-commission/compliance-enforcement-policy-priorities#2020-priorities