August 9, 2013

Case note: contract terms declared unfair

Under Part 2.3 of the Australian Consumer Law (ACL) unfair contract terms in standard form consumer contracts are void. The contract will continue to bind the parties, however, if it can still operate without the unfair term.

In Australian Competition and Consumer Commission v Bytecard Pty. Limited (judgment not yet available online) the Federal Court declared that a number of clauses in ByteCard's standard form consumer contracts for internet access services were unfair and therefore void.

The Federal Court declared, by consent, that 4 clauses of ByteCard’s standard terms and conditions are unfair contract terms. The unfair contract terms:

  • enabled ByteCard to unilaterally vary the price under an existing contract without providing the customer with a right to terminate the contract;
  • required the consumer to indemnify ByteCard in any circumstance, even where the contract has not been breached and the liability, loss or damage may have been caused by ByteCard’s breach of the contract; and
  • enabled ByteCard to unilaterally terminate the contract at any time with or without cause or reason.

The terms were considered unfair as they:

  • created a significant imbalance in the parties’ rights and obligations;
  • were not reasonably necessary to protect ByteCard’s legitimate interests; and
  • if applied or relied upon by ByteCard, would cause detriment to a customer.

The decision indicates the types of clauses the ACCC is taking an interest in and gives guidance for determining whether similar terms in your own standard form contracts could be unfair.

“Standard form” is not defined in the legislation, but it usually means that the same terms are offered to all without negotiation.

In May 2013 the ACCC published a report on the outcome of its industry review of unfair contract terms.

The ACCC reviewed standard form consumer contracts in the airline, telecommunications, fitness and vehicle rental industries, as well as some contracts commonly used by online traders. A select number of standard form contracts used by prominent travel agents were also examined.

The law does not apply to insurance contracts, because the Insurance Contracts Act 1984 (Cth) provides that an insurance contract cannot be the subject of relief under any Commonwealth Act on grounds of unfairness. However, the Commonwealth Government introduced the Insurance Contracts Amendment (Unfair Terms) Bill 2013 into Parliament, which would have made general insurance contracts subject to the unfair contract terms regime as well. The Bill lapsed with the calling of the election.


Posted 9th August 2013 by David Jacobson in Consumer Law, Insurance, Web/Tech

Queensland Health Payroll System Commission of Inquiry Report: contract management lessons

The Queensland Health Payroll System Commission of Inquiry Report by Richard Chesterman QC is a rare analysis of government decision making and an insight into project management and the lessons to be learned from a failed project.

The Commission was established to consider the adequacy and integrity of the procurement, contract management, project management, governance and implementation process for the Queensland Health Payroll System.

The 264-page report concludes that:

"This Project serves as an example of serious failure, both because of the sharp increase in the price paid and the waste of public sector resources dedicated to achieving the system Go Live, some two and a half years later than contracted for. That cost continued afterwards, and continues in the need for its stabilisation and maintenance.

Added to this was the distress and inconvenience caused to QH staff, many of whom could not afford the financial consequences of a dysfunctional payroll system.

I have identified two principal causes of the inadequacies which led to the increase in contract price, the serious shortcomings in contract and project management, and in the State’s decision to settle with IBM.

Those causes were: unwarranted urgency and a lack of diligence on the part of State officials. That lack of diligence manifested itself in the poor decisions which those officials made in scoping the Interim Solution; in their governance of the Project; and in failing to hold IBM to account to deliver a functional payroll system."

The report contains interesting insights into contract negotiation, probity assessments and dispute resolution.


Posted 9th August 2013 by David Jacobson in Risk Management, Web/Tech

August 5, 2013

South Australia Verification of Identity Policy for Mortgagees

South Australia has introduced a Verification of Identity Policy as part of its preparations for electronic conveyancing.

The policy has been introduced for documents executed on or after 1 July 2013, with a 6 month transitional period. Full compliance is required by 1 January 2014.

The SA Registrar-General's Notice to Lodging Parties and the Verification of Identity Policy requires mortgagees to take reasonable steps to verify the identity of each mortgagor at or before the mortgagor executes the mortgage unless the mortgagee has a face-to-face in-person interview with the mortgagor AND has verified the identity of that mortgagor in accordance with the policy in the previous 24 months.

Mortgagees will need to consider what changes are necessary to their systems, template documents, and procedures to prepare over the 6 month transitional period and be able to fully comply by 1 January 2014. Mortgagees without branch networks or that deal with customers in rural or remote areas will need to ensure appropriate arrangements are made with appropriate agents (such as Australia Post).

Our experience working with clients on the recent implementation of similar verification of identity procedures in Western Australia has shown that the earlier mortgagees prepare for and implement the required changes, the smoother the process is.

Langes+ can assist you with your preparations for the Verification of Identity policy. Contact Shannon Adams on (08) 8168 9601 or Joshua Annese on (08) 8168 9604.


Posted 5th August 2013 by David Jacobson in Financial Services, Property, Web/Tech

July 29, 2013

Protecting email communication

In the Privacy Act amendments that commence on 12 March 2014, Australian Privacy Principle 11 will require an entity to take reasonable steps to protect personal information from ‘interference’ (eg hacking), as well as from misuse, loss, unauthorised access, modification or disclosure.

As email becomes more commonplace and more convenient than post for businesses and their customers, the question arises as to what are reasonable safeguards for the protection of personal information (whether financial, health or otherwise) contained in emails.

Many statutory notices and account statements can now be sent electronically but there is no prescription as to how this can be done securely.

If the email carries an attachment, whether a Word document or the like or a PDF, the attachment can be password protected, with the password given to the recipient through a separate channel (for example by SMS or phone, never in the same email). This only helps if the document is actually encrypted under that password, which current Word and PDF password protection does, and if the password is strong enough that it cannot simply be guessed.

Alternatively, the email can contain a link to a secure web portal, protected by a password or login, from which the recipient can download the relevant information or document.

But what about the email itself?

The Office of the Australian Information Commissioner (OAIC)'s Guide to Information Security: ‘Reasonable steps’ to protect personal information refers to encryption.

While most businesses use an encrypted (HTTPS) web page for individuals who carry out transactions on the business's website, such as making payments that involve providing banking details, there is less consideration of whether they should encrypt email communications.

If an attacker gains access to your systems, are your stored mail folders encrypted?

Most email systems (including Outlook) offer encryption options, but they differ in what they protect. Transport encryption (TLS) between mail servers protects a message only while it is in transit, and only on the hops that support it. End-to-end encryption such as S/MIME or PGP protects the message body and attachments both in transit and in the recipient's mailbox, but requires the sender and recipient to have exchanged certificates or keys beforehand.

Do you know how secure your emails are?

More about encryption from How Stuff Works: Encryption.


Posted 29th July 2013 by David Jacobson in Business Planning, Compliance, Financial Services, Privacy, Web/Tech

July 12, 2013

HP misleading advertising penalty

Australian Competition and Consumer Commission v Hewlett-Packard Australia Pty Ltd [2013] FCA 653 confirms the approach of the Federal Court in Apple and Optus in assessing and imposing consumer law penalties proposed by consent of the parties.

The Federal Court declared that Hewlett-Packard Australia Pty Ltd made false, misleading or deceptive representations in breach of the Australian Consumer Law to consumers and retail suppliers of its products.

The ACCC and HPA agreed on a $3 million penalty and a $200,000 costs order against HPA, which the court approved.

The parties also reached agreement on the terms of an injunction and corrective advertising (including on HP's website).

HPA admitted to six contraventions of sections 18 (Misleading or deceptive conduct) and 29(1)(m) (False or misleading representations about goods or services) of the ACL.

HPA admitted that when consumers contacted helpdesks operated by HPA (HPA Helpdesks) in relation to HPA Computer Products not of merchantable or acceptable quality, staff employed at the HPA Helpdesks made representations, in accordance with the internal policies, guidelines and scripts developed and implemented by HPA (HPA Guidelines), to the effect that:

  • the remedies available to consumers for those HPA Computer Products were limited to remedies available from HPA at its discretion (Remedy Limitation Representation);
  • consumers must have HPA Computer Products not of merchantable or acceptable quality repaired by HPA multiple times before consumers were entitled to receive a replacement HPA Computer Product (Repair Condition Representation);
  • the warranty period for those HPA Computer Products was limited to a specified express warranty period (Limited Warranty Period Representation); and
  • after the expiry of a specified express warranty period, HPA would repair HPA Computer Products not of merchantable or acceptable quality on condition that consumers paid for such repairs (Payment Condition Representation).

HPA also admitted that when retail suppliers contacted HPA, from time to time staff employed at HPA made representations to the effect that HPA was not liable to indemnify the retail suppliers if, without HPA’s prior authorisation, retail suppliers provided consumers with a refund or replacement (Retail Supplier Representation).

Further, HPA represented on a webpage of the HPA Online Store that consumers could not return or exchange HPA Computer Products purchased through the HPA Online Store not of acceptable quality unless otherwise agreed by HPA, at its sole discretion (Online Remedy Discretion Representation).

Justice Buchanan stated:

"It is accepted by the respondent not only that the contraventions identified by the statement of agreed facts and by the outline of joint submissions were serious ones but that declarations, injunctions and other coercive orders should be made as a result....

I see no reason to doubt that the pecuniary penalty agreed by the parties is an appropriate one. The maximum penalty available for the totality of the six contraventions admitted by the respondent is $6.6 million. The parties have agreed that the admitted contraventions should be the subject of a pecuniary penalty of $3 million. A penalty of that order of magnitude is the equivalent of $500,000 for each admitted contravention, if the matter was to be assessed in that fashion. In my view, that reflects an acknowledgement of the seriousness of the respondent’s conduct, both with respect to the individual contraventions and with respect to the total penalty to be imposed, which penalty I am satisfied does not contravene the totality principle. I am also satisfied that the penalty is sufficient to mark the Court’s disapproval of the respondent’s conduct and to satisfy the requirements of general and specific deterrence....

The parties have agreed that the respondent should pay the applicant’s costs in the amount of $200,000. There is no reason to think that an order for costs in this amount is inappropriate."


Posted 12th July 2013 by David Jacobson in Consumer Law, Marketing, Trade Practices, Web/Tech

July 9, 2013

Refer-a-friend marketing: legal issues

Referrals (where one person recommends a business to another person) are recognised as an effective form of marketing.

But what about when a person gives a friend's contact details to a business?

The business needs to consider whether it can use personal information about the friend without their consent.

If the person is on the Do Not Call Register it cannot call them.

It also needs to ensure that it does not contact the friend electronically (such as by email or SMS) without the friend's consent, as that would constitute spam.

ACMA says that one of the most common types of complaint it deals with comes from people who've received a marketing message to their personal email address from a business they've never heard of.

An unsolicited commercial electronic message sent by a business is spam.

A business must not send a commercial electronic message to a person unless it has that person's consent; the message must also identify the sender and contain a functional unsubscribe facility.

What if you want the friend to make a referral from your website direct to their friend by using a plugin like ShareThis?

In 2012 ACMA issued a warning to McDonald's over a "refer a friend" campaign in which the recipients had not consented to receiving the messages, and the emails did not contain an unsubscribe facility.

McDonald's had a "Send to Friend" facility on its Happy Meal website which encouraged visitors to email links to promotional games on the website to their friends.

ACMA decided that McDonald’s had caused those messages to be sent by providing the facility, in circumstances where ACMA was not satisfied that the recipients of those messages had consented to receiving the messages.

In ACMA's opinion

  • Including your customer's email address as the sending address for your message doesn't absolve you of responsibility.
  • Telling your customer that they should only send a message to someone they think would want it doesn't prove that the recipient consented.
  • The fact that two people know one another or have each other's email address does not mean the recipient would reasonably expect to receive marketing emails about your business.

If you run refer-a-friend campaigns then you need to review them for Spam Act, Privacy Act and Do Not Call Register Act compliance.


Posted 9th July 2013 by admin in Do Not Call Register, Marketing, Privacy, Web/Tech

June 19, 2013

Electronic offers of securities

ASIC has released Consultation Paper 211, Facilitating electronic offers of securities: Update to RG 107 (CP 211), which includes a proposed update to Regulatory Guide 107 Electronic Prospectuses (RG 107) to ensure that ASIC's guidance reflects current market practices and technological advancements.

ASIC's proposed guidance will cover:
(a) how to make electronic disclosure documents easy for investors to access, read, retrieve and save; and
(b) how to minimise exposure to the risks associated with electronic distribution, such as unauthorised tampering and security risks.

ASIC thinks it is good practice for offerors and distributors to continue to make free paper copies of disclosure documents and application forms available to investors on request.

ASIC also proposes that:
(a) to comply with the requirements of Chapter 6D, electronic disclosure documents must contain the same information in the same sequence and with the same prominence as the paper disclosure document lodged with ASIC; and
(b) it is good practice for electronic disclosure documents to only contain hypertext links within the disclosure document itself or to documents lodged with ASIC and incorporated by reference under section 712.


Posted 19th June 2013 by David Jacobson in Corporations Act, Web/Tech

Regulation reviews to help tech start-ups

The Government has announced two reviews designed to assist tech start-ups.

The Government will undertake consultation on Australian crowd-sourced equity funding (CSEF), which will consider whether Australia’s corporations law properly regulates and facilitates CSEF.

This follows ASIC's guidance published last year to promoters of crowd fundraising.

Treasury has separately announced a review into employee share schemes to help address the barriers faced by start-up companies in attracting and retaining staff.


Posted 19th June 2013 by David Jacobson in Corporations Act, Funds, Web/Tech, Workplace

June 11, 2013

Privacy Data Breach Bill update

The Privacy Amendment (Privacy Alerts) Bill 2013 has been passed by the House of Representatives and will now be considered by the Senate.

UPDATE 20 June 2013: The Bill has been referred to the Senate Legal and Constitutional Affairs Legislation Committee which is due to report on 24 June 2013.

UPDATE 24 June 2013: The committee recommends that the Senate pass the Bill.

To comply with your obligations in the Privacy Act to keep customers' personal information secure and to avoid being put in the situation of notifying your customers of a hacking of your system you should consider the Commonwealth Department of Defence's Strategies to Mitigate Targeted Cyber Intrusions.

It lists 35 mitigation strategies ranked in order of overall effectiveness, each rated for user resistance, upfront cost and maintenance cost. Its Top 4 strategies are the place to start.

The Top 4 mitigations are: application whitelisting; patching applications; patching operating system vulnerabilities (and using the latest versions); and minimising the number of users with administrative privileges.

"While no single strategy can prevent malicious activity, the effectiveness of implementing the Top 4 strategies remains very high. At least 85% of the intrusions that DSD responded to in 2011 involved adversaries using unsophisticated techniques that would have been mitigated by implementing the Top 4 mitigation strategies as a package. ...

The combination of all four strategies, correctly implemented, will help protect an organisation from low to moderately sophisticated intrusion attempts. Put simply, they will make it significantly more difficult for an adversary to get malicious code to run on your ICT system, or continue to run undetected. This is because the Top 4 strategies enable multiple lines of defence against cyber intrusions."


Posted 11th June 2013 by David Jacobson in Compliance, Privacy, Web/Tech

May 30, 2013

Mandatory data breach notification provisions introduced

The Government has introduced the Privacy Amendment (Privacy Alerts) Bill 2013 into the House of Representatives.

If passed the Bill will introduce mandatory data breach notification provisions for agencies and organisations that are regulated by the Privacy Act.

The Bill will commence immediately after the amendments to the Privacy Act contained in the Privacy Amendment (Enhancing Privacy Protection) Act 2012 commence on 12 March 2014.

Notification would be provided to those whose privacy had been infringed when data breaches relating to their personal information causing ‘a real risk of serious harm’ occurred. Notification would be compulsory unless it would impact upon a law enforcement investigation or was determined by the regulator to be contrary to the public interest.

There are specific provisions relating to serious data breaches by credit providers and credit reporting bodies of credit eligibility information and credit reporting information. There is also a requirement relating to tax file number information.

A data breach arises where there has been unauthorised access to, or disclosure of, personal information, or where personal information is lost in circumstances that could give rise to unauthorised loss or disclosure.

Data breaches can be the result of hacking, poor security and sometimes carelessness.

Serious harm, in this context, includes physical and psychological harm, as well as injury to feelings, humiliation, harm to reputation and financial or economic harm. The risk of harm must be real, that is, not remote, for it to give rise to a serious data breach.

It is not intended that every data breach be subject to a notification requirement. It would not be appropriate for minor breaches to be notified because of the administrative burden that may place on entities, the risk of notification fatigue on the part of individuals, and the lack of utility where notification does not facilitate mitigation.

In the event of a serious data breach, the regulated entity is required to provide notification to the Commissioner and affected individuals as soon as practicable after the entity believes on reasonable grounds that there has been a serious data breach.

The notice must include:

  • the identity and contact details of the entity
  • a description of the serious data breach
  • the kinds of information concerned
  • recommendations about the steps that individuals should take in response to the serious data breach, and
  • any other information specified in the regulations.

The Privacy Commissioner will be able to seek civil penalties if there is serious or repeated non-compliance with the notification requirements.



Posted 30th May 2013 by David Jacobson in Compliance, Financial Services, Privacy, Web/Tech