The boundary between consumer protection and privacy regulation is being scrutinised and challenged by the Australian Competition and Consumer Commission (ACCC), as the collection and use of customer information play an increasingly important role in customer service and profitability.
This week, the ACCC commenced proceedings against the online health booking platform HealthEngine Pty Ltd (HealthEngine) for misleading and deceptive conduct relating to the sharing of patients' personal information with different third-party insurance brokers, as well as other allegations concerning the publishing of patient reviews and ratings.
The ACCC alleges that HealthEngine provided the personal information of over 135,000 patients across a four-year period to private health insurance brokers in return for a fee, without adequately disclosing this to the relevant patients beforehand. The personal information disclosed included patients' names, email addresses, phone numbers, and dates of birth.
The ACCC alleges that patients were not adequately informed that their personal information would be disclosed to third parties in return for a fee, and alleges that those patients whose personal information was disclosed to the third-party insurance brokers were ultimately misled into believing that their personal information would remain secure and only held by HealthEngine.
Following on from the ACCC's heavy involvement in the Consumer Data Right law and its recent Digital Platforms Inquiry Final Report, it is clear that one of the ACCC's top priorities moving forward is ensuring that consumers are able to make fully informed choices concerning the handling of their personal information by different businesses in Australia.
The ACCC has clearly expressed its desire to reform Australia's data protection laws in its Digital Platforms Inquiry Final Report to ensure that consumers have more informed choice over the handling and disclosure of their personal information by businesses:
"The ACCC notes that, since the Privacy Act was passed 30 years ago, the Internet and digitalisation have radically altered the ways in which businesses and consumers interact and exchange personal information. Numerous amendments have been made to the Privacy Act, but these incremental changes may not be sufficient to address the volume and significance of privacy and data protection issues proliferating in the digital economy. The data practices of digital platforms considered in this chapter demonstrate some significant gaps in Australian privacy laws." (page 437)
For the ACCC, the handling and disclosure of personal information is not limited to the Privacy Act 1988 (Cth) (Privacy Act). The ACCC considers that there are wider consumer welfare issues arising from the increased collection and use of consumers' personal information. As a result, in addition to the recommendations to strengthen consent and notification requirements under the Privacy Act, the recommendations in the Digital Platforms Inquiry Final Report also include proposed amendments to the Australian Consumer Law.
The ACCC's position on the collection and use of personal information is consistent with the views of the Federal Communications Commission in the USA, which has for decades taken action to enforce representations made in relation to the collection and use of customer information as a component of consumer protection regulation.
In addition to the obligations under the Privacy Act concerning the appropriate collection, use, storage and disclosure of personal information, the case against HealthEngine and the Digital Platforms Inquiry Final Report demonstrate that businesses must be conscious of the fact that the ACCC considers that businesses operating in Australia will fall foul of the Australian Consumer Law if they are not transparent as to how they collect and use consumers' personal data.
To ensure that consumers are adequately informed of the handling and use of their personal information, businesses should ensure that they have adequate privacy policies in place which are not overly complex, long, vague or difficult to navigate.