This country-specific Q&A provides an overview to technology laws and regulations that may occur in the Australia.
It will cover communications networks and their operators, databases and software, data protection, AI, cybersecurity as well as the author’s view on planned future reforms of the merger control regime.
This Q&A is part of the global guide to Technology. For a full list of jurisdictional Q&As visit http://www.inhouselawyer.co.uk/index.php/practice-areas/technology
Are communications networks or services regulated? If so what activities are covered and what licences or authorisations are required?
There are two key pieces of legislation which regulate communications networks and associated matters in Australia, the Telecommunications Act 1997 (Cth) (Telecommunications Act) and the Radiocommunications Act 1992 (Cth) (Radiocommunications Act).
The Telecommunications Act regulates the provision of telecommunications services in Australia. The owner of a network unit used to supply carriage services to the public (a carrier) must hold a carrier licence and comply with the conditions attached to that licence (or alternatively ensure another licensed carrier takes on those carrier obligations pursuant to a Nominated Carrier Declaration). An organisation which uses but does not own a network unit (a carriage service provider) is not required to hold a licence. Instead, a carriage service provider is required to comply with a range of obligations set out in Schedule 2 of the Telecommunications Act.
A key objective of the Telecommunications Act is to encourage industry self-regulation. The Communications Alliance Ltd (CA) is an industry owned and operated company formed to implement and manage self-regulation. The CA drafts industry codes and equipment standards which are then registered and enforced by the Australian Communications and Media Authority (ACMA). The ACMA itself also makes technical standards for specified items of telecommunications customer equipment, together with Cabling Provider Rules.
The Radiocommunications Act regulates the radiofrequency spectrum in Australia. Access to the radiofrequency spectrum is facilitated through licensing. There are three forms of licences available:
(a) apparatus licences, which regulate the operation of large scale radiocommunications equipment. Apparatus licences generally apply to equipment used by stations operating in Outpost, Amateur, Broadcasting, Maritime, Aircraft and Land Mobile services. The operation of equipment under such licences involves the payment of licence fees;
(b) class licences, which are open, standing authorities allowing anyone to operate particular radiocommunications equipment within the conditions of the licence. No applications are necessary and no fees are payable. Class licences regulate low power devices such as individual radios, mobile phones, cordless phones and garage door remotes; and
(c) spectrum licences, which are a tradeable and technology neutral spectrum access right for a fixed, non-renewable term. These licences authorise the use of spectrum space, allowing a licensee to deploy any device from the spectrum space which is compatible with the licence conditions.
The Radiocommunications Act also extends the traditional concept of radiocommunications to include radio transmission and transmitters, astronomical and meteorological observations, and the operation of lighthouses, lightships, beacons and buoys.
Is there any specific regulator for the provisions of communications-related services? Are they independent of the government control?
The ACMA is an independent statutory authority that regulates non-competition aspects of the telecommunications industry, including:
(a) issuing carrier licenses under the Telecommunications Act;
(b) issuing apparatus, class and spectrum licences under the Radiocommunications Act;
(c) enforcing carrier licence conditions, service provider rules, industry codes and standards, and carriers' rights and immunities including the carrier-to-carrier access regime;
(d) drafting and enforcing technical standards for radiocommunications transmitters and receivers;
(e) enforcing the universal service obligation and customer service guarantee;
(f) technical regulation (for example, cabling rules); and
The ACMA may be subject to ministerial directions in relation to the performance of its functions and the exercise of its powers. However, such directions cannot be general in nature subject to limited exceptions.
The Australian Competition and Consumer Commission (ACCC) is an independent statutory authority that regulates competition aspects of the telecommunications industry, including:
(a) access and interconnection, including arbitration of access disputes between parties; and
(b) enforcement of general and telecommunications specific legislation aimed at preventing anti-competitive conduct.
Similarly to the ACMA, the ACCC may be subject to ministerial directions given in connection with the performance of its functions or the exercise of its powers. However, the Minister cannot give directions with respect to anti-competitive conduct and record keeping rules in the telecommunications industry or the telecommunications access regime.
Does an operator need to be domiciled in the country? Are there any restrictions on foreign ownership of telecoms operators?
There is no requirement that a carrier or carriage service provider be domiciled in Australia. However, the Telecommunications Act provides that a condition of a carrier licence may relate to the extent of foreign ownership or control of the carrier, whether direct or indirect.
There are also further restrictions in place for Australia's dominant public carrier, Telstra. Foreign shareholding and participation in the activities of Telstra are restricted in a number of ways, including:
(a) limits on individual foreign ownership and total foreign ownership;
(b) that a majority of directors and the chair must be Australian citizens; and
(c) that head office, base of operations and place of incorporation must remain in Australia.
Are there any regulations covering interconnection between operators? If so are these different for operators with market power?
Parts 3, 4 and 5 of Schedule 1 to the Telecommunications Act comprise the carrier-to-carrier access regime. This makes it mandatory for carriers to provide other carriers with access to the following in certain circumstances:
(b) certain information relating to the operation of telecommunications networks in Australia;
(c) telecommunications transmission towers and the sites of such towers; and
(d) underground facilities designed to hold lines.
This regime promotes the long-term interests of end-users of carriage services or of services supplied by means of carriage services, and enables the provision of competitive facilities and carriage services, or alternatively for carriers to establish their own facilities.
The Competition and Consumer Act 2010 (Cth) also contains a telecommunications access regime. This regime does not provide a general right of access. Rather, the ACCC must first declare a service following a public inquiry. Where a service is declared, the carrier must provide access to other providers subject to standard access obligations. Current declared services in Australia include:
(a) wholesale ADSL and line rental;
(b) local telephone services;
(c) certain access to the public switched telephone network; and
(d) certain access to the National Broadband Network.
What are the principal consumer protection regulations that apply specifically to telecoms services?
The Telecommunications Consumer Protections Code (TCP Code) is a code of conduct for the telecommunications industry and applies to all carriers and carriage service providers in Australia. The TCP Code sets out clear rules which carriers and carriage service providers must following when communicating and dealing with consumers, covering areas such as:
(e) advertising and point of sale;
(g) payment methods;
(h) complaints handling; and
(i) changing carriage service providers.
The obligations of a carrier and carriage service provider under the TCP Code are in addition to those contained in the Australian Consumer Law, which comprises Schedule 2 to the Competition and Consumer Act 2010 (Cth).
What legal protections are offered in relation to the creators of computer software?
In Australia computer-related IP can potentially be protected in three key ways, depending on the circumstances:
(a) by obtaining a standard or an innovation patent under the Patents Act 1990 (Cth), which will protect the way the software makes a computer work;
(b) through copyright under the Copyright Act 1968 (Cth), which will protect the source code of the computer software as a literary work; or
(c) through circuit layout rights under the Circuit Layouts Act 1989 (Cth), which will protect the design and layout of an electronic circuit.
Where obtainable, patents generally offer the strongest form of protection for computer software. However, protection is still difficult to obtain, and will not apply to software developed to make a computer work in the same way any other software does, even where the source code of the software itself is different.
Do you recognise specific intellectual property rights in respect of data/databases?
There are no specific intellectual property rights which apply to data and databases. However, the Copyright Act 1968 (Cth) recognises copyright subsistence in a collection of data, a dataset or a database provided it is original, expressed in material form and the other elements of copyright protection are established. Copyright protection is limited however, given copyright cannot subsist in the underlying data itself. Furthermore, the physical design and layout of an electronic circuit automatically attracts intellectual property rights under the Circuit Layouts Act 1989 (Cth).
What key protections exist for personal data?
The Privacy Act 1988 (Privacy Act) regulates the collection and handling of personal information. The Australian Privacy Principles (APPs), which comprise Schedule 1 to the Privacy Act, contain 13 key protections for personal information, and regulate the following activities with respect to personal and sensitive information (as those terms are defined in the Privacy Act):
(a) collection, use and disclosure;
(b) direct marketing (to the extent the provisions of the Spam Act 2003 (Cth) or the Do Not Call Register Act 2006 (Cth) do not apply);
(c) cross-border disclosure; and
Consent is not always needed for the collection of personal information, however it must be lawfully obtained in accordance with the requirements of the Privacy Act. Once collected, subject to limited exceptions, APP 6 provides that personal information may only be used or disclosed by an organisation where an individual has either expressly or impliedly consented to such activities or would reasonably expect their personal information to be used for such purposes. Breach of an APP is considered an interference with privacy, and such a breach is subject to the same penalties as any other contravention of the Privacy Act.
The APPs are binding on government agencies and organisations, with small businesses being exempt. However, it is considered good practice to comply with the APPs despite not being bound to do so.
Are there restrictions on the transfer of personal data overseas?
APP 8 regulates the disclosure of an individual's personal information overseas as opposed to the transfer of such information overseas. As a consequence, APP 8 applies to personal information held in Australia but accessed from overseas.
APP 8.1 provides that, subject to limited exceptions, an organisation must take reasonable steps to ensure the overseas recipient of personal information does not breach the APPs with respect to that information. If an organisation does disclose personal information to an overseas recipient and that recipient engages in conduct amounting to a breach of APP 8.1, section 16C of the Privacy Act 1988 (Cth) deems the disclosing organisation to have itself engaged in the conduct and breached the APPs. This leaves the disclosing organisation liable for an interference with privacy and subject to the penalties contained in the Privacy Act.
To avoid the APP 8.1 obligation and potential liability as a consequence of section 16C, an organisation must obtain informed consent to the disclosure of their personal information overseas from the affected individual(s).
What is the maximum fine that can be applied for breach of data protection laws?
Currently the maximum penalty that can be imposed by the Federal Court or Federal Circuit Court for serious or repeated interferences with privacy is $2.1 million. However, such a penalty can only be imposed where the Privacy Commissioner makes an application to the court. This is not a common occurrence, with the Privacy Commissioner more likely to follow a conciliatory approach and issue determinations and directions. Some of the typical remedies directed by the Privacy Commissioner include payment of compensation to individuals, issuing an apology to affected individuals, and undertaking a review of information handling procedures.
Are there any restrictions applicable to cloud-based services?
There are no specific cloud laws in Australia. The Privacy Act is principles-based, rather that pre or proscriptive with respect to specific technologies and how they relate to the collection and handling of personal information. Given the nature of cloud-based services, organisations should be particularly wary of the obligations they may have under APP 8 (discussed at question 9) and APP 11 (discussed at question 15).
Are there specific requirements for the validity of an electronic signature?
The Electronic Transactions Act 1999 (Cth) sets out the validity requirements for electronic signatures in Australia. Under the Commonwealth Act, an electronic signature has the same effect as a handwritten signature where the following criteria are satisfied:
(a) the recipient has consented to receiving information electronically;
(b) the method of signing identifies the person sending the information and indicates that the person approves of the content of the electronic document signed; and
(c) having regard to all the circumstances of the transaction, the method of signing is as reliable as appropriate for the purposes for which the electronic document was generated. Alternatively, the identity of the signor and their approval of the content must be self-evident within the document or be otherwise available in some manner.
Each State and Territory has also introduced legislation which set out the above validity requirements in the same or similar terms.
In the event of an outsourcing of IT services, would any employees, assets or third party contracts transfer automatically to the outsourcing supplier?
Unlike the operation of the Transfer of Undertakings (Protection of Employment) Regulations 1981 (UK) (in the case of employees), there is no automatic transfer of employees, third party contracts or assets by operation of law when outsourcing IT services. Generally the parties to an outsourcing agreement negotiate detailed contractual provisions to facilitate such transfers where required.
If a software program which purports to be an early form of A.I. malfunctions, who is liable?
In the consumer landscape, under the Australian Consumer Law, a supplier guarantees its product is fit for purpose. Where an AI product malfunctions in circumstances which enliven this regime, the supplier would bear liability for the defective product. However, this interpretation relies on a linear scenario where the supplier has held out its AI product can do A but it instead does B.
In the business scenario, generally contractual provisions related to defects or malfunction will be negotiated between the parties. Such provisions will allocate the risk and any consequential liability to the appropriate party.
What key laws exist in terms of obligations as to the maintenance of cyber security?
APP 11 outlines the obligations of an organisation to maintain cybersecurity with respect to an individual's personal and sensitive information. It requires an organisation to take reasonable steps to protect an individual's information from misuse, interference and loss, and from unauthorised access, modification or disclosure.
Furthermore, in February 2018 the Notifiable Data Breach Scheme (NDB Scheme) took effect. The NDB Scheme requires organisations to notify the Privacy Commissioner and affected individuals of 'eligible data breaches'. An eligible data breach includes any breach that a reasonable person would conclude would be likely to cause serious harm to the affected individuals.
What key laws exist in terms of the criminality of hacking/DDOS attacks?
Chapters 10.6 and 10.7 of the Criminal Code Act 1995 (Cth) govern the criminality of telecommunications services and cybercrime in Australia. The penalties range from 1 year to 10 years imprisonment based on the nature of the offence committed. The various offences created in these chapters include:
(a) computer intrusions;
(b) unauthorised modification of data, including data destruction;
(c) DDoS attacks using botnets;
(d) creation and distribution of malicious software; and
(e) interference with telecommunications services.
There are also a number of offences relating specifically to telecommunications services in the Telecommunications Act. These include the contravention of carrier licence conditions or cabling requirements, and each offence carries a specified number of penalty units with a maximum of 20,000. Under the Crimes Act 1914 (Cth), a penalty unit is presently valued at AUD210.
What technology development will create the most legal change in your jurisdiction?
The increased use of plant and equipment capable of operation with limited or no human intervention across industries raises many complex challenges to traditional legal concepts. It is unclear how established legal principles, including negligence, contract, privacy, cybersecurity, telecommunications and radiocommunications, will apply to the use of such technology. For example, information-sharing between automated products may increase the efficacy of such technology in the avoidance of hazards. However, such sharing may amount to an interference with privacy, leave the technology open to cybersecurity attacks, or raise questions with respect to intellectual property rights.
Use of automated technology also raises ethical questions with respect to liability allocation, particularly in instances where plant and equipment has been pre-programmed to interpret and respond to surrounding sensory information in specific ways. For example, it is unclear whether a manufacturer's duty of care should extend from the end user of an automated product to third parties impacted by its malfunction, particularly in the case of autonomous vehicles and road accidents. Negotiated contractual provisions may not adequately address this issue given the existence of established privity principles as against the likely presence of third party stakeholders.
Which current legal provision/regime creates the greatest impediment to economic development/commerce?
The information-privacy dichotomy has been consistently debated in recent years. The recent debate in Australia surrounding the introduction of My Health Record – an electronic record of each Australian citizen's health records to be accessible by medical practitioners, hospitals and various government agencies – is testament to the distrust a significant percentage of the community have in the use of their personal information by corporates and the government.
Since 2014 there has been increased regulation of information privacy, together with an increase in tension between the value of data and the value of privacy. Pro-privacy regulations have been (or will be) introduced as a response to this tension. In February 2018 the Notifiable Data Breach Scheme was introduced, which requires organisations to report 'eligible data breaches' to the Privacy Commissioner and affected individuals. Following the Review into Open Banking in 2017, the Government recently announced its intention to legislate a Consumer Data Right, which empowers individuals to specify the parties to whom they authorise disclosure of their data, and the purposes for which their data may be used. The first sector to be regulated is likely to be financial services, closely followed by the energy and telecommunications sectors.
Despite the increased regulation of privacy in Australia, government and regulators understand the value of data to the Australian economy. Looking through that prism, increased regulation can be seen as an opportunity to unlock the value of data as an asset in a more certain way. In that respect, regulatory responses have generally been conciliatory in enforcement approaches, and permissive in issuing guidance around the achievement of compliance where roadblocks to economic development have been perceived.
Do you believe your legal system specifically encourages or hinders digital services?
From a privacy perspective, Australia's legal system encourages the development of digital services. The Privacy Act 1988 (Cth) has been drafted on a principles basis, meaning the law facilitates advancement in digital services as it is not technologically specific. Furthermore, most potential liability under the APPs can be avoided by an organisation obtaining express consent from the individuals whose personal information it intends to collect, hold, use and disclose. Finally, the Privacy Commissioner is known to approach privacy breaches in a conciliatory manner, and has demonstrated a focus on changing attitudes toward privacy compliance.
From a business perspective, Australia is generally considered a hub for start-ups and scale-ups, with market conditions conducive to innovation and growth. This includes the availability of government grants and tax allowances for innovative projects. Digital services are also becoming increasingly used by government agencies, with the My.Gov platform in particular being pivotal toward this transition.
To what extent is your legal system ready to deal with the legal issues associated with artificial intelligence?
There is no exclusive artificial intelligence (AI) regulatory system or ethical standard in Australia. This means that, as the law stands, AI needs to fit within a pre-existing legal framework comprising privacy, competition and consumer law.
Australia's privacy laws are readily able to address the implementation of AI given an organisation's obligations under the APPs will continue to apply irrespective of the technology used to collect, use and disclose personal information. However, competition laws are only moderately prepared. Data itself is becoming an increasing source of market power, and this issue is yet to be addressed in a significant way. Furthermore, there is a risk that data-sharing through AI may constitute cartel conduct in certain circumstances without further legislative clarification.
In its present form, the Australian Consumer Law does not clearly allocate liability between the supplier and the consumer where an AI product malfunctions on its own accord. Finally, Australia's criminal law is generally slow to develop in contrast with technological advancement. The introduction and increasing use of AI in the community may call into question whether new offences that better address negative exploitation of AI by individuals and organisations are necessary.