This country-specific Q&A provides an overview of technology, media and telecom laws and regulations that apply in Australia.
This Q&A is part of the global guide to TMT. For a full list of jurisdictional Q&As visit http://www.inhouselawyer.co.uk/practice-areas/tmt-3rd-edition/
Are communications networks or services regulated?
There are two key pieces of legislation which regulate communications networks and associated matters in Australia, the Telecommunications Act 1997 (Cth) (Telecommunications Act) and the Radiocommunications Act 1992 (Cth) (Radiocommunications Act).
The Telecommunications Act regulates the provision of telecommunications services in Australia. The owner of a network unit used to supply carriage services to the public (a carrier) must hold a carrier licence and comply with the conditions attached to that licence (or alternatively ensure another licensed carrier takes on those carrier obligations pursuant to a Nominated Carrier Declaration). An organisation which uses but does not own a network unit (a carriage service provider) is not required to hold a licence. Instead, a carriage service provider is required to comply with a range of obligations set out in Schedule 2 of the Telecommunications Act.
A key objective of the Telecommunications Act is to encourage industry self-regulation. The Communications Alliance Ltd (CA) is an industry owned and operated company formed to implement and manage self-regulation. The CA drafts industry codes and equipment standards which are then registered and enforced by the Australian Communications and Media Authority (ACMA). The ACMA itself also makes technical standards for specified items of telecommunications customer equipment, together with Cabling Provider Rules.
The Radiocommunications Act regulates the radiofrequency spectrum in Australia. Access to the radiofrequency spectrum is facilitated through licensing. There are three forms of licences available:
(a) apparatus licences, which regulate the operation of large scale radiocommunications equipment. Apparatus licences generally apply to equipment used by stations operating in Outpost, Amateur, Broadcasting, Maritime, Aircraft and Land Mobile services. The operation of equipment under such licences involves the payment of licence fees;
(b) class licences, which are open, standing authorities allowing anyone to operate particular radiocommunications equipment within the conditions of the licence. No applications are necessary and no fees are payable. Class licences regulate low power devices such as individual radios, mobile phones, cordless phones and garage door remotes; and
(c) spectrum licences, which are a tradeable and technology neutral spectrum access right for a fixed, non-renewable term. These licences authorise the use of spectrum space, allowing a licensee to deploy any device from the spectrum space which is compatible with the licence conditions.
The Radiocommunications Act also extends the traditional concept of radiocommunications to include radio transmission and transmitters, astronomical and meteorological observations, and the operation of lighthouses, lightships, beacons and buoys.
If so, what activities are covered and what licences or authorisations are required?
See the answer to the question above.
Is there any specific regulator for the provisions of communications-related services?
The ACMA is an independent statutory authority that regulates non-competition aspects of the telecommunications industry, including:
(a) issuing carrier licences under the Telecommunications Act;
(b) issuing apparatus, class and spectrum licences under the Radiocommunications Act;
(c) enforcing carrier licence conditions, service provider rules, industry codes and standards, and carriers' rights and immunities including the carrier-to-carrier access regime;
(d) drafting and enforcing technical standards for radiocommunications transmitters and receivers;
(e) enforcing the universal service obligation and customer service guarantee;
(f) technical regulation (for example, cabling rules); and
The ACMA may be subject to ministerial directions in relation to the performance of its functions and the exercise of its powers. However, such directions cannot be general in nature subject to limited exceptions.
The Australian Competition and Consumer Commission (ACCC) is an independent statutory authority that regulates competition aspects of the telecommunications industry, including:
(a) access and interconnection, including arbitration of access disputes between parties; and
(b) enforcement of general and telecommunications specific legislation aimed at preventing anti-competitive conduct.
Similarly to the ACMA, the ACCC may be subject to ministerial directions given in connection with the performance of its functions or the exercise of its powers. However, the Minister cannot give directions with respect to anti-competitive conduct and record keeping rules in the telecommunications industry or the telecommunications access regime.
Are they independent of the government control?
See the answer to the question above.
Does a telecoms operator need to be domiciled in the country?
There is no requirement that a carrier or carriage service provider be domiciled in Australia. However, the Telecommunications Act provides that a condition of a carrier licence may relate to the extent of foreign ownership or control of the carrier, whether direct or indirect.
There are also further restrictions in place for Australia's dominant public carrier, Telstra. Foreign shareholding and participation in the activities of Telstra are restricted in a number of ways, including:
(a) limits on individual foreign ownership and total foreign ownership;
(b) that a majority of directors and the chair must be Australian citizens; and
(c) that head office, base of operations and place of incorporation must remain in Australia.
Are there any restrictions on foreign ownership of telecoms operators?
See the answer to the question above.
Are there any regulations covering interconnection between operators?
Parts 3, 4 and 5 of Schedule 1 to the Telecommunications Act comprise the carrier-to-carrier access regime. This makes it mandatory for carriers to provide other carriers with access to the following in certain circumstances:
(b) certain information relating to the operation of telecommunications networks in Australia;
(c) telecommunications transmission towers and the sites of such towers; and
(d) underground facilities designed to hold lines.
This regime promotes the long-term interests of end-users of carriage services or of services supplied by means of carriage services, and enables the provision of competitive facilities and carriage services, or alternatively for carriers to establish their own facilities.
The Competition and Consumer Act 2010 (Cth) also contains a telecommunications access regime. This regime does not provide a general right of access. Rather, the ACCC must first declare a service following a public inquiry. Where a service is declared, the carrier must provide access to other providers subject to standard access obligations. Current declared services in Australia include:
(a) wholesale ADSL and line rental;
(b) local telephone services;
(c) certain access to the public switched telephone network; and
(d) certain access to the National Broadband Network.
If so are these different for operators with market power?
See the answer to the question above.
What are the principal consumer protection regulations that apply specifically to telecoms services?
The Telecommunications Consumer Protections Code (TCP Code) is a code of conduct for the telecommunications industry and applies to all carriers and carriage service providers in Australia. The TCP Code sets out clear rules which carriers and carriage service providers must follow when communicating and dealing with consumers, covering areas such as:
(e) advertising and point of sale;
(g) payment methods;
(h) complaints handling; and
(i) changing carriage service providers.
A revised TCP Code came into effect on 1 August 2019, which amongst other things, provides increased protections for telecommunications consumers. The revised TCP Code was developed with input from consumers, government and industry and includes requirements for carriers and carriage service providers to promote and sell their products in a fair and reasonable manner and clearly explain terms and conditions relating to the provision of such products.
The obligations of a carrier and carriage service provider under the TCP Code are in addition to those contained in the Australian Consumer Law, which comprises Schedule 2 to the Competition and Consumer Act 2010 (Cth).
What legal protections are offered in relation to the creators of computer software?
In Australia computer-related IP can potentially be protected in three key ways, depending on the circumstances:
(a) by obtaining a standard or an innovation patent under the Patents Act 1990 (Cth), which will protect the way the software makes a computer work;
(b) through copyright under the Copyright Act 1968 (Cth), which will protect the source code of the computer software as a literary work; or
(c) through circuit layout rights under the Circuit Layouts Act 1989 (Cth), which will protect the design and layout of an electronic circuit.
Where obtainable, patents generally offer the strongest form of protection for computer software. Whilst it is accepted that computer-implemented inventions may form the basis of patentable subject matter in Australia, providing that the contribution of the invention is not abstract, protection can still be difficult to obtain. It is not enough to simply put a computer based method into a patent claim; the invention must lie in the computerisation and technical result. Accordingly, any drafting of patent specifications for computer software should suitably outline, discuss and claim the technical features that solve the technical problem.
Do you recognise specific intellectual property rights in respect of data/databases?
There are no specific intellectual property rights which apply to data and databases. However, the Copyright Act 1968 (Cth) recognises copyright subsistence in a collection of data, a dataset or a database provided it is original, expressed in material form and the other elements of copyright protection are established. Copyright protection is limited however, given copyright cannot subsist in the underlying data itself. Furthermore, the physical design and layout of an electronic circuit automatically attracts intellectual property rights under the Circuit Layouts Act 1989 (Cth). However, as recently outlined in Lumen Australia Pty Ltd v Frontline Australasia Pty Ltd  FCA 1807 ('Lumen'), one key consideration under the Circuit Layouts Act 1989 (Cth) is whether the circuit constitutes an 'integrated circuit'. In Lumen, the relevant PCBA was not considered an integrated circuit as the active and passive elements were not 'integrally formed in or on a piece of material' as required by the statutory definition of 'integrated circuit'.
What key protections exist for personal data?
The Privacy Act 1988 (Privacy Act) regulates the collection and handling of personal information. The Australian Privacy Principles (APPs), which comprise Schedule 1 to the Privacy Act, contain 13 key protections for personal information, and regulate the following activities with respect to personal and sensitive information (as those terms are defined in the Privacy Act):
(a) collection, use and disclosure;
(b) direct marketing (to the extent the provisions of the Spam Act 2003 (Cth) or the Do Not Call Register Act 2006 (Cth) do not apply);
(c) cross-border disclosure; and
Consent is not always needed for the collection of personal information; however, it must be lawfully obtained in accordance with the requirements of the Privacy Act. Once collected, subject to limited exceptions, APP 6 provides that personal information may only be used or disclosed by an organisation where an individual has either expressly or impliedly consented to such activities or would reasonably expect their personal information to be used for such purposes. Breach of an APP is considered an interference with privacy, and such a breach is subject to the same penalties as any other contravention of the Privacy Act.
The APPs are binding on government agencies and organisations, with small businesses being exempt. However, it is considered good practice to comply with the APPs despite not being bound to do so.
Are there restrictions on the transfer of personal data overseas?
APP 8 regulates the disclosure of an individual's personal information overseas as opposed to the transfer of such information overseas. As a consequence, APP 8 applies to personal information held in Australia but accessed from overseas.
APP 8.1 provides that, subject to limited exceptions, an organisation must take reasonable steps to ensure the overseas recipient of personal information does not breach the APPs with respect to that information. If an organisation does disclose personal information to an overseas recipient and that recipient engages in conduct amounting to a breach of APP 8.1, section 16C of the Privacy Act 1988 (Cth) deems the disclosing organisation to have itself engaged in the conduct and breached the APPs. This leaves the disclosing organisation liable for an interference with privacy and subject to the penalties contained in the Privacy Act.
To avoid the APP 8.1 obligation and potential liability as a consequence of section 16C, an organisation must obtain informed consent to the disclosure of their personal information overseas from the affected individual(s).
What is the maximum fine that can be applied for breach of data protection laws?
Currently the maximum penalty that can be imposed by the Federal Court or Federal Circuit Court for serious or repeated interferences with privacy is $2.1 million. However, such a penalty can only be imposed where the Privacy Commissioner makes an application to the court. This is not a common occurrence, with the Privacy Commissioner more likely to follow a conciliatory approach and issue determinations and directions. Some of the typical remedies directed by the Privacy Commissioner include payment of compensation to individuals, issuing an apology to affected individuals, and undertaking a review of information handling procedures.
This situation could change if the Federal Government implements its proposed amendments to the Privacy Act. The proposal includes increasing the penalty for serious or repeated interferences with privacy to the greater of $10 million, three times the value of any benefit gained by the entity through misusing personal information, or 10% of the entity's annual domestic turnover. In addition, the Privacy Commissioner could be given new powers to issue infringement notices of up to $63,0000 where entities fail to cooperate with efforts to resolve minor breaches. This would not require a court application. The government is yet to introduce legislation to this effect.
Are there any regulatory guidelines or legal restrictions applicable to cloud-based services?
There are no specific cloud laws in Australia. The Privacy Act is principles-based, rather than prescriptive or proscriptive with respect to specific technologies and how they relate to the collection and handling of personal information. Given the nature of cloud-based services, organisations should be particularly wary of the obligations they may have under APP 8 (discussed at question 9) and APP 11 (discussed at question 15).
Are there specific requirements for the validity of an electronic signature?
The Electronic Transactions Act 1999 (Cth) sets out the validity requirements for electronic signatures in Australia. Under the Commonwealth Act, an electronic signature has the same effect as a handwritten signature where the following criteria are satisfied:
(a) the recipient has consented to receiving information electronically;
(b) the method of signing identifies the person sending the information and indicates that the person approves of the content of the electronic document signed; and
(c) having regard to all the circumstances of the transaction, the method of signing is as reliable as appropriate for the purposes for which the electronic document was generated. Alternatively, the identity of the signor and their approval of the content must be self-evident within the document or be otherwise available in some manner.
Each State and Territory has also introduced legislation which sets out the above validity requirements in the same or similar terms.
In the event of an outsourcing of IT services, would any employees, assets or third party contracts transfer automatically to the outsourcing supplier?
Unlike the operation of the Transfer of Undertakings (Protection of Employment) Regulations 1981 (UK) (in the case of employees), there is no automatic transfer of employees, third party contracts or assets by operation of law when outsourcing IT services. Generally the parties to an outsourcing agreement negotiate detailed contractual provisions to facilitate such transfers where required.
If a software program which purports to be a form of A.I. malfunctions, who is liable?
In the consumer landscape, under the Australian Consumer Law, a supplier guarantees its product is fit for purpose. Where an AI product malfunctions in circumstances which enliven this regime, the supplier would bear liability for the defective product. However, this interpretation relies on a linear scenario where the supplier has held out that its AI product can do A but it instead does B.
In addition to the above, a supplier may also be potentially liable in tort relating to malfunctions of an AI software program. Potential liability would involve an assessment of whether a duty of care has arisen and the impact of any potential disclaimer in relation to the AI software program.
In the business scenario, generally contractual provisions related to defects or malfunction will be negotiated between the parties. Such provisions will allocate the risk and any consequential liability to the appropriate party.
What key laws exist in terms of: (a) obligations as to the maintenance of cybersecurity; and (b) the criminality of hacking/DDoS attacks?
a) What key laws exist in terms of obligations as to the maintenance of cybersecurity?
APP 11 outlines the obligations of an organisation to maintain cybersecurity with respect to an individual's personal and sensitive information. It requires an organisation to take reasonable steps to protect an individual's information from misuse, interference and loss, and from unauthorised access, modification or disclosure.
The Notifiable Data Breach Scheme (NDB Scheme) in the Privacy Act requires organisations to notify the Privacy Commissioner and affected individuals of 'eligible data breaches'. An eligible data breach includes any breach that a reasonable person would conclude would be likely to cause serious harm to the affected individuals.
In addition to the above, there is also industry specific legislation. APRA's Prudential Standard CPS 234 came into effect on 1 July 2019 and applies to all APRA regulated entities (e.g. authorised deposit taking institutions, insurers and superannuation licensees). CPS 234 requires those APRA regulated entities to regularly review and invest in effective data security practices, and notify APRA within 72 hours of becoming aware of data security incidents.
b) What key laws exist in terms of the criminality of hacking/DDoS attacks?
Chapters 10.6 and 10.7 of the Criminal Code Act 1995 (Cth) govern the criminality of telecommunications services and cybercrime in Australia. The penalties range from 1 year to 10 years imprisonment based on the nature of the offence committed. The various offences created in these chapters include:
(a) computer intrusions;
(b) unauthorised modification of data, including data destruction;
(c) DDoS attacks using botnets;
(d) creation and distribution of malicious software; and
(e) interference with telecommunications services.
There are also a number of offences relating specifically to telecommunications services in the Telecommunications Act. These include the contravention of carrier licence conditions or cabling requirements, and each offence carries a specified number of penalty units with a maximum of 20,000. Under the Crimes Act 1914 (Cth), a penalty unit is presently valued at AUD210.
What technology development will create the most legal change in your jurisdiction?
The increased use of plant and equipment capable of operation with limited or no human intervention across industries raises many complex challenges to traditional legal concepts. It is unclear how established legal principles, including negligence, contract, privacy, cybersecurity, telecommunications and radio communications, will apply to the use of such technology. For example, information-sharing between automated products may increase the efficacy of such technology in the avoidance of hazards. However, such sharing may amount to an interference with privacy, leave the technology open to cybersecurity attacks, or raise questions with respect to intellectual property rights.
Use of automated technology also raises ethical questions with respect to liability allocation, particularly in instances where plant and equipment has been pre-programmed to interpret and respond to surrounding sensory information in specific ways. For example, it is unclear whether a manufacturer's duty of care should extend from the end user of an automated product to third parties impacted by its malfunction, particularly in the case of autonomous vehicles and road accidents. Negotiated contractual provisions may not adequately address this issue given the existence of established privity principles as against the likely presence of third party stakeholders.
Which current legal provision/regime creates the greatest impediment to economic development/commerce?
The information-privacy dichotomy has been consistently debated in recent years. Recent findings from the ACCC Digital Platforms Inquiry Final Report (DPI Report) highlight consumer concerns around current data practices, especially in relation to the collection of location data, online tracking and the sharing of data with third parties. The DPI Report suggests that there is a broken consumer bargain – the bargaining power imbalance between large organisations and consumers means that such organisations are provided with too much information at the expense of the privacy of individuals.
Since 2014 there has been increased regulation of information privacy, together with an increase in tension between the value of data and the value of privacy. Pro-privacy regulations have been (or will be) introduced as a response to this tension. In February 2018 the Notifiable Data Breach Scheme was introduced, which requires organisations to report 'eligible data breaches' to the Privacy Commissioner and affected individuals. Further, the privacy recommendations in the DPI Report are sweeping. If the recommendations are passed into law, regulation in this area is set to tighten further. For example, the definition of personal information could be expanded and entities could be required to comply with stricter consent and notification requirements when handling personal information.
Another example is open banking. Following the Review into Open Banking in 2017, the Government recently legislated a Consumer Data Right, which empowers individuals to specify the parties to whom they authorise disclosure of their data, and the purposes for which their data may be used. The banking sector will be the first sector to be regulated, likely to be closely followed by the energy and telecommunications sectors.
Despite the increased regulation of privacy in Australia, government and regulators understand the value of data to the Australian economy. Looking through that prism, increased regulation can be seen as an opportunity to unlock the value of data as an asset in a more certain way. Current regulatory responses have generally been conciliatory in enforcement approaches, and permissive in issuing guidance around the achievement of compliance where roadblocks to economic development have been perceived. However, organisations will need to closely monitor the Federal Government's proposal to strengthen the Privacy Commissioner's enforcement powers in the Privacy Act, as well as its response to the Digital Platforms Inquiry, to assess whether this approach will continue.
Do you believe your legal system specifically encourages or hinders digital services?
From a privacy perspective, Australia's legal system encourages the development of digital services. The Privacy Act 1988 (Cth) has been drafted on a principles basis, meaning the law facilitates advancement in digital services as it is not technologically specific. Furthermore, most potential liability under the APPs can be avoided by an organisation obtaining express consent from the individuals whose personal information it intends to collect, hold, use and disclose. Finally, the Privacy Commissioner is known to approach privacy breaches in a conciliatory manner, and has demonstrated a focus on changing attitudes toward privacy compliance.
From a business perspective, Australia is generally considered a hub for start-ups and scale-ups, with market conditions conducive to innovation and growth. This includes the availability of government grants and tax allowances for innovative projects. Digital services are also becoming increasingly used by government agencies, with the My.Gov platform in particular being pivotal toward this transition. There is, however, some industry concern regarding the Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018 (Assistance and Access Act) which was enacted in December 2018. The Assistance and Access Act provides a framework for national security and law enforcement agencies to compel a wide array of technology providers (such as carriers, carriage service providers, providers of electronic services with more than one end user in Australia, certain software providers and equipment manufacturers) to provide access to encrypted communications and devices. Although the Assistance and Access Act was enacted to address the difficulties that encrypted communications and devices pose for law enforcement and national security agencies seeking to combat terrorism, organised crime and other national security threats, some industry groups are lobbying for changes, claiming that the broad provisions of the Act are discouraging technology investment in Australia.
To what extent is your legal system ready to deal with the legal issues associated with artificial intelligence?
There is no exclusive artificial intelligence (AI) regulatory system or ethical standard in Australia. This means that, as the law stands, AI needs to fit within a pre-existing legal framework comprising privacy, competition and consumer law.
Australia's privacy laws are readily able to address the implementation of AI given an organisation's obligations under the APPs will continue to apply irrespective of the technology used to collect, use and disclose personal information.
Competition laws are only moderately prepared to deal with the legal issues associated with AI. Data itself is becoming an increasing source of market power, and this issue is yet to be addressed in a significant way.
The Australian Competition and Consumer Act 2010 (Cth) prohibits a number of anti-competitive practices, including cartel conduct, anti-competitive agreements and the misuse of market power. There is a risk that certain algorithms may engage in anti-competitive behaviour, particularly when they are involved with making decisions in relation to the pricing of products or services. The ACCC has highlighted such concerns as a particular area of focus and the Competition and Consumer Act has previously been amended in an attempt to negate such practices.
In its present form, the Australian Consumer Law does not clearly allocate liability between the supplier and the consumer where an AI product malfunctions of its own accord. Finally, Australia's criminal law is generally slow to develop in contrast with technological advancement. The introduction and increasing use of AI in the community may call into question whether new offences that better address negative exploitation of AI by individuals and organisations are necessary.