influence updates

Highlights of 2017 and areas to watch in 2018

Here is a round-up of some key developments in 2017:

  • The Competition and Consumer Amendment (Misuse of Market Power) Act 2017 came into effect, implementing Harper reforms in the area of misuse of market power, adding an effects test as well as the purpose test.
  • The Telecommunications Sector Security Reforms were enacted and are now in a 12 month implementation period. These reforms impose obligations on carriers and carriage service providers to take steps to ensure the security of networks and notify breaches, and provide powers to the Attorney-General to issue directions relating to security risks.
  • Business gained useful guidance on the issue of unfair contract terms in small business contracts with a case in the waste management area which provided a detailed review of some common, and some less common, standard terms.
  • Consultations closed in December on a draft bill to implement aspects of the Government’s response to the Productivity Commission’s review of Australia’s IP arrangements.
  • A controversy in relation to the Olive Cotton Award highlighted issues around copyright, commissions and collaboration.
  • The Full Federal Court dismissed Vodafone’s application for judicial review in relation to the ACCC’s decision not to declare a domestic mobile roaming service. If a domestic mobile roaming service had been declared, this would have allowed carriers to access Telstra’s regional networks in areas not covered by their own networks.

Areas to watch this year:

  • With mandatory data breach notification coming into force later this month, and the EU General Data Protection Regulation taking effect in May, 2018 is the year of privacy compliance for Australian businesses.  Check out more details here and ensure that your privacy compliance systems are up to date.
  • Also in Europe, the Trade Secrets Directive, which harmonises trade secrets protection, will be implemented by member states by the middle of the year.
  • In the FOI area, submissions to the OAIC on the Freedom of information regulatory action policy close this Friday.
  • The ACCC has foreshadowed its 2018 priorities, including criminal cartel enforcement and deterrence. In an interview in the AFR, Chairman Rod Sims suggested that there would be 3 to 4 cartel actions in 2018, including the possibility of penalties for executives. This follows the ACCC’s successful actions in financial services and in the shipping industry, with a further shipping case to be heard in July.
  • Other ACCC priorities mentioned in the interview include bank interest rate decisions, and media sector mergers.
  • On the IP front, submissions on the Copyright Amendment (Service Providers) Bill, which would extend safe harbour provisions to educational and cultural institutions, libraries, archives and organisations assisting people with disabilities, close on 30 January.

Mandatory data breach notification toolkit

All businesses that are currently subject to the Privacy Act will have new mandatory data breach notification obligations from 22 February 2018.

With new obligations under the European Union General Data Protection Regulation (EU GDPR) also applying to many Australian businesses, now is the time to finalise your updated privacy procedures.

Step 1 – understand your obligations. You will need to have an understanding of the new mandatory data breach notification requirements and, if you handle EU customer information, of the GDPR requirements.

Step 2 – audit your existing systems. Do you have clear, simple plans for changing passwords, limiting access, editing or removing online information and notifying the right people internally? Assess the likely security risks in your organisation and consider possible weak points.

Step 3 – audit your suppliers. You will need to review vendor contracts, specifically for IT vendors, to check whether you have appropriate privacy requirements in place for your suppliers.  Have you identified suppliers you can call on to help you identify, cap and respond to breaches?

Step 4 – update your plan.  Many organisations will already have data breach response plans in place. Check whether these are up to date – current people, contact details and systems need to be added. Plans will need to be updated to reflect Australian mandatory reporting obligations and GDPR requirements.  In particular, for GDPR requirements, you need to note the 72 hour timeframe for notification. Ensure that your privacy policy is up to date – we see a lot of privacy policies that were drafted before the changes of the last few years and haven’t been updated.

Step 5 – test your plan. Run through possible scenarios to ensure that you have the right procedures and systems in place.

You should ensure that your procedures are ready during the next month.

We can help you with a privacy toolkit including details of the new requirements, updated policies, procedures and reviews to ensure that you are ready for February. If you would like to discuss our privacy toolkit, contact us.

When is a contract term unfair?

Since the new unfair contracts rules protecting small businesses came into effect almost a year ago, businesses have been working to adjust their contract terms.

We now have new guidance on unfair contract terms from a recent consent decision in the waste management industry.

The ACCC took action against a large waste management company, JJ Richards, and obtained consent orders in the Federal Court. This action was part of a broader ACCC initiative to review small business contracts.

The Federal Court declared that as many as 8 terms in the company’s standard form contracts for small business were unfair. The problem areas were:

  • an auto-renewal clause, meaning that small business customers would have their contracts rolled over unless they cancelled within 30 days before the end of the term;
  • exclusivity;
  • unilateral price increases;
  • a term excluding the company’s liability where its performance was prevented or hindered in any way;
  • the company could charge for services that were not provided even when this was outside the customer’s control;
  • the company could suspend for non-payment, but continue to charge the customer;
  • an unlimited indemnity;
  • customers could not terminate if they had outstanding payments and the company could continue charging equipment rental after termination.

You can see from this list that some of these terms are obviously excessive, while others, like the auto-renewal clause, are very common in business customer contracts, so it’s important to get the specifics right.

The Court noted that each of the terms was unfair but they also interacted in a way that increased the overall imbalance between the parties.

So, in reviewing your contract terms, it’s important to look at the overall effect as well as taking the details of each clause separately, to judge whether the terms are compliant with the unfair contract rules.

We can expect further guidance from another upcoming ACCC action in the office services area.

If you would like assistance to review your standard contracts, contact us.

Here is our earlier article specifically for franchisors on updating contracts for the new rules.

The GDPR is coming – does it affect you?

Australian businesses of any size need to be aware of the new European Union General Data Protection Regulation, which will be implemented on 25 May 2018.

Small Australian businesses, with a turnover below $3 million, are used to being exempt from the Australian Privacy Act (unless they fall into specific categories). Many do not have privacy policies or procedures in place.

The GDPR does not exempt small businesses.

Which Australian businesses will be affected?

The GDPR will apply to all Australian businesses which:

  • have an establishment in the EU,
  • offer goods and services in the EU, or
  • monitor the behaviour of individuals in the EU.

The OAIC has provided some guidance, with examples of these criteria:

  • an Australian business with an office in the EU,
  • an Australian business with a website that targets EU customers,
  • an Australian business whose website mentions customers or users in the EU, or
  • an Australian business that tracks individuals in the EU online, and uses data processing techniques to profile them.

Examples of targeting EU customers include enabling the ordering of goods or services in a European language, or enabling payment in euros.

The European language factor appears broad, but the GDPR makes it clear that where a website uses a language that is generally used in the business’ home country, this will not necessarily mean that the GDPR will apply. Australian businesses offering services in community languages should be conscious of this issue, and, if necessary, make it clear that their presence is only local.

The issue of “mentioning” customers or users in the EU arises from Recital 23 of the GDPR, which states that where a website mentions customers or users who are in the EU, this may make it apparent that a business envisages offering goods or services to EU data subjects.

What are the requirements?

Key new aspects of the GDPR are stricter accountability measures, including audits, privacy impact assessments, activity records, policy reviews, and the appointment of a data protection officer for large-scale data handling operations.

The GDPR and the Australian Privacy Act share many requirements, including the need:

  • to implement a “privacy by design” approach to compliance
  • to be able to demonstrate compliance with privacy obligations, and
  • to adopt transparent information handling practices.

There are also some significant differences.  These include data portability and a right of erasure which go considerably further than Privacy Act requirements.

What should Australian businesses do?

According to an ISACA survey of executives, as at 9 months before implementation, fewer than a third of those surveyed were satisfied with their organisation’s progress to prepare for GDPR; more disconcertingly, 35% were not aware of their organisation’s progress.

To put your business in better shape to meet this new regulatory framework, you should be acting now in the following areas.

If your business is currently below the Privacy Act threshold, but will be directly affected by the GDPR, you will need to kick start your compliance program.

To adapt a current privacy program to the GDPR, you will need to focus on the following areas:

  • compliance: classify personal data; conduct risk assessments; implement privacy protection practices for all business areas; identify an employee with responsibility for data protection, and, if your organisation handles significant amounts of data, appoint a data protection officer; implement compliance audits; and document all processes.
  • data handling: be aware that individuals under 16 cannot consent to the collection of their data; implement systems to delete data if it is no longer used for its initial purpose; delete data if the individual revokes consent.
  • transparency: put in place processes to provide individuals with full and clear information about the treatment of their personal data; review end user licence terms and customer terms; be prepared to notify regulators (within 72 hours) and affected individuals if a data breach occurs.

Even if your business is not directly affected, the ability of your EU business partners, distributors and corporate group members to provide you with information from their own operations will be affected, so you may need to adjust existing business practices to address this issue.

You should also consider whether your business relies on business data that is sourced from affected organisations.  Industry sources expect the GDPR, once implemented, will significantly affect the flow of business data which is currently processed and used for analysis by Australian businesses.

If you need help to develop privacy policies and processes, or to adapt your existing procedures to meet GDPR requirements, contact us.

Dance dance defamation

We were happy to be able to support the Arts Law Centre recently with advice to an artist, through the Arts Law volunteer panel, on copyright and defamation. We gave advice on a dance track by Moses Mcabe called “Trumpocalypse”, which presented a bit of a twist on satire and parody.

Here is a link to the Arts Law case study.

Copyright, commissions, collaboration and the Olive Cotton Award controversy

The recent controversy about the winning entry for the 2017 Olive Cotton Award is interesting in terms of the requirements of this photography portraiture prize, but also a helpful illustration of how copyright ownership can become complicated in the areas of commissions and collaboration.

Justine Varga entered a fascinating work, “Maternal Line”, which had been inspired by the sight of her grandmother seated at the kitchen table testing pens by scribbling.

She asked her grandmother to scribble directly onto a piece of film, and then handprinted the result in the darkroom. The result is a moving artwork described by the judges as “a very complex photographic portrait”.

There has been plenty of discussion about whether the result of Varga’s process was a portrait or a photograph.

However it also prompts discussion of some frequently misunderstood areas of copyright, as this article, quoting North Sullivan, former president of the Australian Commercial and Media Photographers association, and Professor Kimberlee Weatherall of the University of Sydney law school, highlights. Sullivan and Weatherall have both queried whether the copyright in the artwork is owned by Varga or her grandmother.

Collaboration

The general rule in relation to collaboration, where parties jointly create a copyright work, is that the authors own the copyright jointly.

In order to qualify as a joint author, a person must have contributed more than ideas or suggestions, because copyright applies to the expression in material form, not to the idea.

Dictation, though, is different from suggestion. The scribe who takes down dictation is not the copyright owner. This has the corollary that where one person has seen a copyright work and dictates it, copyright can be infringed even though the scribe has never seen the copyright work.

The question raised in this situation is whether Varga’s process involved a collaboration with her grandmother, or whether her grandmother was the sole author.

Importantly, joint authors cannot deal with their copyright without the consent of the other authors. Where two parties to a commercial transaction are jointly contributing to a copyright work, it’s worthwhile considering whether to agree that each party can commercialise the work without the other party’s permission, or whether they want to act jointly throughout the life of the copyright.

Commissions

The laws relating to copyright in commissions differ between jurisdictions, and it’s important to understand the Australian rules for local situations.

When you commission a copyright work – as, in this situation, Varga may have done by asking her grandmother to scribble on the film – you do not automatically own the copyright.

There are some exceptions.

Photos commissioned for private or domestic purposes, such as wedding photos or a family portrait, under a paid arrangement, are an exception to this general rule. However, it’s open to the photographer to retain copyright by agreement, so the person commissioning the photograph needs to check the photographer’s terms and conditions.

The situation is also different for copyright works commissioned by the Crown, or created in the course of employment.

In other situations – whether it’s marketing material, website content, a logo, or photographs for your business – you need a written assignment agreement from the author if you want to own the copyright. You should also consider appropriate treatment of moral rights.

There are also compromise options. If your key requirement is to be able to use the commissioned work freely, a broad licence from the author may be adequate for your situation.

If you would like us to review your terms and conditions in relation to copyright ownership and licensing, contact us.

Know your customers’ rights

In a previous post we looked at the issue of written terms and conditions so dense that it was practically impossible for consumers to understand them.

This issue was highlighted last month when Purple WiFi revealed that it had hidden community service requirements for free WiFi users inside its clickwrap terms.  Only one person claimed the prize that was also concealed in the terms, while 22,000 agreed to clean toilets, hug stray animals and paint snail shells “to brighten up their existence”.


Screenshot – Lululemon website

What about when terms and conditions don’t actually match your customers’ rights at law?

The recent Lululemon issue provides a great example. Lululemon has agreed to pay $32,400 in penalties after the ACCC issued infringement notices relating to misleading representations about consumer rights.

The Australian Consumer Law provides guarantees for faulty consumer goods and services.

Lululemon listed sale items on its website under the heading “We Made Too Much” with the statement “We made a little extra – don’t be shy, help yourself. It’s yours for keeps so no returns and no exchanges”.

Lululemon’s return policy also said “Final sale items like underwear, water bottles + We Made Too Much gear are yours for keeps”.

In addition, staff were alleged to have stated that there was no refund right for faulty products.

The ACCC alleged that these statements were representations that customers were not entitled to a refund or replacement for faulty goods, which is not the case under the Australian Consumer Law.  The consumer guarantee rights provide for refunds in the case of a major failure of goods or services.  This applies equally to full price and sale price products.

Importantly, these guarantees cannot be excluded in consumer transactions, and it’s a contravention of consumer law to attempt to exclude them in your terms and conditions.  However, they can be limited.  Check your terms and conditions to see if they include an up to date statement of your customers’ rights under the Australian Consumer Law as well as any permissible limitations.

If you would like us to review your terms and conditions, contact us.

What does the Universal v TPG decision mean?

At the end of last month, the Federal Court made orders in the Universal v TPG litigation. The results were not unexpected and the key areas of dispute related to costs of complying with the orders and costs of the litigation.

From wikiHow “How to download torrents (with pictures)”

Background

Universal and other copyright owners took action under section 115A of the Copyright Act against 20 ISPs, including TPG, to block access to a torrenting website, and associated clones, mirrors and proxy sites. The website was found to have the main purpose of allowing wide-scale downloading of copyright works, including music, movies and books.

Section 115A was added to the Copyright Act in 2015 and allows copyright owners to apply for an injunction requiring a carriage service provider to take reasonable steps to disable access to an online location – in Australia or overseas – which has the primary purpose of infringing, or facilitating the infringement of, copyright. There doesn’t need to be any fault on the part of the ISP for orders to be made.

Section 115A had already been used in the Roadshow v Telstra, Foxtel v TPG decision last year, with similar results.

The offending website in this case, KickassTorrents (KAT), had previously been blocked in Britain, Ireland, Denmark, Italy, Finland and Belgium and had then been shut down in July 2016 following the arrest of the alleged owner, but the case went ahead.

The ISPs had indicated even before that date that they were prepared to block access to the offending sites, but the key question remained as to who should bear the cost of implementing and maintaining the site blocking.

The copyright owners argued that the ISPs should bear the costs because they are subject to the regulatory framework. The ISPs argued that they are innocent parties in the infringement, that section 115A creates a no-fault regime, and that the orders under section 115A benefit the rights holders.

Orders

The Court ordered that the ISPs must:

  • disable access by users of their service to the infringing website, by DNS blocking or equivalent;
  • redirect users to a page with a prominent message that the Court has determined the site infringes copyright, or facilitates infringement; and
  • block additional domain names if the copyright owners apply to extend the injunction. These orders may be made without further hearing if the ISPs do not object.

The copyright owners will be required to pay the ISPs’ compliance costs, set at $50 per domain name. The Court, noting that the submissions on costs were similar to the submissions made in the Roadshow v Telstra, Foxtel v TPG case last year, supported a uniform approach to compliance costs. If costs exceed this amount, the ISPs will have to bear the additional amount.

The ISPs had also sought orders for costs of the litigation. The Court determined that the copyright owners should pay the ISPs’ costs for the limited area of evidence and submissions on compliance costs, but not the ISPs’ other costs.

Further developments

In February, Village Roadshow commenced a new action to block access to 41 websites including WatchSeries, Putlocker and MegaShare.

There have been reports that Village Roadshow and Foxtel will apply to block additional websites shortly.

There have also been reports that KAT has been revived in a new form by original staff members, with new domain names and a streamlined database, and a revised DMCA takedown procedure. The orders allow copyright owners to apply to block new domain names but this can only be reactive. With torrenting websites potentially able to use a huge number of domain names and structures, it will be interesting to see how much practical protection section 115A will provide to rights holders as cases develop over the coming months – especially when Gizmodo reports that “It’s laughably easy to circumvent Australia’s torrent site blocking”.

“Terms and conditions apply”

Photo: CHOICE

CHOICE has made a compelling case for readability of contract terms and conditions, having hired Sydney actor Laurence Rosier Staines to read the 73,198 words of the Amazon Kindle terms and conditions – aloud.

Laurence starts out with enthusiastic professionalism …


Eight hours and 59 minutes later, he’s lost the will to live.

CHOICE head of media, Tom Godfrey, said, “Right now, the law protects us from unfair legal terms. But we think the practice of expecting a customer to spend hours of their lives reading a contract for a simple product is unfair. Companies need to do better and they should be explaining any conditions in a way that’s simple and easy to read.”

It’s not just a question of overly lengthy terms being unattractive for consumers to read. Unreadably long terms and conditions:

  • are often based on an approach of throwing in everything the drafter can think of, without working through what’s applicable for your individual business and tailoring accordingly.
  • can be less effective than clear, readable terms – for example, if disclaimers are not reasonably prominent, courts may decide that your terms are misleading or deceptive.
  • can be inconsistent with the Australian Consumer Law if they purport to limit consumers’ rights in a way that is not permitted, for example if you exclude refund rights for faulty goods.
  • can actually create more potential for complaints and disputes, if consumers find them so difficult to read that they don’t end up understanding your product or service offering – and those disputes waste your time and money to resolve.

If you would like a review of your terms and conditions to check whether they work for your business and Australian law, contact us.

Taking a long-term view of compliance

At Executive Coach Exchange last week, we were discussing how short-termism affects performance.

This discussion was prompted by the recent McKinsey Global Institute and FCLT Global report showing that surveyed US companies with a long-term view consistently outperformed their short-term peers across most financial measures from 2001 to 2014.

The long-term companies had the following results by 2014:

  • average revenue growth – 47% higher;
  • average earnings growth – 36% higher; and
  • average market capitalisation – 58% higher.

The research focussed on companies that were large enough to be under short-term pressure from investors, boards and others, with market capitalisation of over US$5 billion in at least one year during the survey period. They were evaluated against industry peers in an attempt to remove other factors that would affect performance.

The survey was based on five key assumptions about the behaviour of companies with a long-term view. These assumptions included that long-termists would:

  • make more, and more consistent, investments in their business;
  • prioritise cash flow, absolute earnings and sustainable margin growth; and
  • be less likely to make an all-out effort to hit quarterly earnings targets by small amounts, where doing so would divert resources from more important priorities.

Indicators of short-termism included:

  • cutting discretionary spending, and delaying new value-adding projects, to avoid earnings misses;
  • higher levels of stock buybacks; and
  • lower capital investment.

This ties in with our earlier discussion about how good compliance can mean good business.

An organisation with a short-term view is likely to treat compliance as a cost centre, and implement a narrow, regulatory-based compliance system.

These organisations will treat compliance as a silo, which distracts from the organisation’s key mission.

There can also be too much attention paid to the possible financial penalties, including personal penalties – the short-term negative consequences of non-compliance – rather than what non-compliance says about the management of the organisation as a whole.

Seen from a long-term perspective, meeting regulatory requirements can be more than a cost centre. Compliance programs can align with and support the achievement of business goals.

Governance, risk and compliance programs, like solid accounting practices, can promote:

  • effective oversight through clearer governance structures
  • alignment of organisational strategy across business units or departments
  • reduced costs through reduced risk exposure
  • higher quality information flow to management
  • integrated management of brand strategy and organisational reputation.

In this way, a solid governance, risk and compliance system can promote your business’ goals and brand value, and help to position you in that long-term group.

If you’d like to discuss compliance programs for your business, contact us.