Commercial Transactions Module 7 Electronic Commerce Summer 2016 17

Commercial Transactions Module 7 Electronic Commerce Summer 2016/17 ©MNoonan 2009

This presentation and Copyright therein is the property of Maureen Noonan and is prepared for the benefit of students enrolled in the Commercial Transactions course conducted by the Law Extension Committee and is available for their individual study. Any other use or reproduction, including reproduction by those students for sale without consent is prohibited. ©MNoonan 2009

In this module, we will look at e-commerce and related legal fields: -Communications in negotiations and contract formation -Relevance and application in legal practice and proceedings -Aspects of Contract in relation to Sale of goods and services -Data management and security, including privacy -Electronic commerce in action-electronic banking and payment methods-including their avenue of ADR. In assignment or examination questions, facts may occur in a physical or virtual environment, or both. This reflects real life and issues students will deal after completing their course. ©MNoonan 2009

What is e-commerce? An exchange of goods, services, information or other assets between suppliers and buyers facilitated by electronic means Telephone, fax, videoconferencing Sound, vibration, email Barcodes, tracking and stocktaking recognition Webpage display and advertisements Online sales Data storage Electronic data exchange Intranets and extranets Billing systems Accounting data transfer Smartcards Management Information Systems Electronic orders, comparative searching Automatic document production ©MNoonan 2009

Electronic Commerce We can see Electronic Commerce at work in many ways - a communications perspective - a business process perspective - a service perspective - an online perspective - a transaction perspective - a legal perspective - a business-to-business and business-to-consumer perspective. ©MNoonan 2009

Communications What is communicated? To whom? How? Why? ©MNoonan 2009

Communications Perspective From a communications perspective, electronic commerce is the delivery of information, products / services, or payments via telephone lines, computer networks, websites or any other electronic or wireless means. When looking at the arrangements in place, we normally look to contract law. For example, offer and acceptance may occur electronically via the telephone, or an exchange of emails or faxes. It can also be a service and ACL ss. 6063/(old s. 74 TPA) can be relevant. If misleading or deceptive s. 18 ACL can be very relevant. ©MNoonan 2009

Take Care-Visscher v. Maritime Union of Australia (No 6) [2014] NSWSC 350 In ecommerce communications can include hyperlinked material. Upheld Mr. Visscher’s claim for defamation and confirmed Australian approach to liability for defamation via hyperlinked material. Feb 2011 during Cyclone Dianne, Mr. V, commanding an ocean tugboat made the decision to anchor at Shark Bay as the cyclone hit. MUA published an article expressing concern about this decision and included a hyperlink to an article in the Cootamundra Herald which expanded the concerns. The Herald article was found to contain defamatory imputations. Held that the MUA, by way of the hyperlink had accepted responsibility for the linked publication and at the very lest had adopted or promoted it. Note that hyperlinked content can be updated by third parties at any time, affecting your liability. ©MNoonan 2009

Communications As well as communication between individual parties, we should recognise the expanding role of electronic means in the dissemination of information or communication between multiple persons and networks. FOCUS---- social networks They pose problems for law enforcement-beyond national boundaries---e. g. a suspect name was suppressed by a court, but was already widely known via Facebook (murder of family at Kapunda). They also provide new opportunities-e. g. expanding investigative processes, gathering ideas or evidence, finding information and those with information, sorting information, serving legal process, targeted marketing, IP harvesting, new businesses using capabilities. ©MNoonan 2009

Liability and Social Media If a business uses social media as part of its marketing strategy, it needs to manage the risk of liability for misleading deceptive or defamatory words by ocarefully monitoring platforms (using people with the appropriate skills) and odealing with any dangerous material. o. Take care that use of social media is not in conflict with occupation or role. ©MNoonan 2009

Lawyers and social media o In the UK, a juror contacted a defendant through o o Facebook during proceedings, used internet to conduct research, updated her page with inappropriate material…contempt. UK Magistrate tweeted details of criminal cases he had dealt with. Live streaming of court proceedings Court may order communication via social media Lawyers should resist using updates on Facebook to provide details of current cases to avoid prejudice to case or construct such updates carefully. E. g. class actions ©MNoonan 2009

ACCC v. Allergy Pathway In 2009, ACCC took court action against a company for misleading and deceptive statements. A number of orders were made including undertakings by the company and its Director not to repeat the statements. In ACCC v. Allergy Pathway Pty Ltd (No 2)(2011) FCA 74, the ACCC again took action for contempt of court for material published on their website and publication on Twitter by means of links (admitted) and for testimonials posted by clients on the “wall” and “fan” page Allergy had set up on Facebook (denied). Federal court found Allergy had published the testimonials because it knew of the testimonials and although Allergy and the Director Kerr could have removed them, they did not. Fined $7, 500 each and ordered to pay ACCC’s costs and extensive orders for corrective advertising, including on Facebook and Twitter. ©MNoonan 2009

Social Media Policy Do businesses need a Policy? Many believe they do and have implemented them. E. g. Telstra “In brief, the 3 Rs ask that when engaging in social media you be clear about who you are representing, you take responsibility for ensuring that any references to Telstra are factually correct and accurate and do not breach confidentiality requirements and that you show respect for the individual and communities with which you interact” What if employees give away information, discuss business, staff, management on social media? See Data Management also. What if employees put an enterprise at risk of legal action? What if they are active on Linkedin during their employment and take those connections with them to the next employer? ©MNoonan 2009

Activities on social media incompatible with work obligations In Bradford Pedley v. IPMS Pty Ltd T/A peckvonhartel [2013] FWC 4832 the Fair Work Commission upheld a complaint that an architect was using Linked. In to solicit business from clients of his employer in order to increase his private client basis for his own practice. He was dismissed and complained to FWC that his dismissal was unfair. Clearly incompatible with his employment contract So, private activity outside work hours not always “private”. ©MNoonan 2009

Social media issues o Beware that tweets, posts, comment etc may be defamatory or in contempt of court o There are risks that confidential information may be disclosed in such communications accidentally, or, on purpose. o Unintended client relationships may be created by communications with clients or colleagues. o Are Linked In profiles and contacts created by your employees your trade secrets or theirs? ©MNoonan 2009

Employment contracts o What clauses /policies would you include regarding social media and its use? o Only use Linked. In for private use o Use specific branded profile set up by employer for benefit of employer only and not mix with private profile? o Delete employer related connections? Is this practical? o Request social media provider to preserve data? ©MNoonan 2009

Workplace surveillance Common issues: Can a business implement electronic surveillance of employees? -to prevent theft, to monitor access, safety, to enable remote monitoring Can a business access private emails sent using workplace facilities-to use for disciplinary purposes or to collect evidence? ©MNoonan 2009

Surveillance In NSW, Workplace Surveillance Act 2005 [NSW] 14 days notice required which indicates: Kind of surveillance (e. g. camera) How it will be carried out When it will start Whether it will be continuous or intermittent Whether it will be for a specified time or always ©MNoonan 2009

Email and Internet Policy o The usual policies state that the email and computer systems belong to the employer and employer reserves the right to monitor them. o The right to access private information in such systems and use the information is separate and must be gained by contract ©MNoonan 2009

Venting on social media Seafolly P/L v. Madden Ms M thought she had original swimwear designs. She noticed a Seafolly catalogue with designs similar to hers and took to Facebook posting…”the most sincere form of flattery”…plus photos of her designs next to the Seafolly designs and comments…”seriously, almost an entire line-line ripoff of my Shipwrecked collection”…and emailed media. Ms M liable for misleading and deceptive conduct. She could have done some simple fact checking before venting…did not care whether statements were true or false. After seeing her Facebook posts, Seafolly had issued press releases describing her claims as “completely false and without foundation” and “made maliciously to injury Seafolly”. Ms M sued S for defamation. S also succeeded on defamation claim as Court found press releases justified as true in substance and fact. Moral of the story…. check your facts before taking to Facebook or Twitter. ©MNoonan 2009

Legal practice and procedure Increasing use of ecommerce in all aspects-filing, serving, dispute resolution, noticeboards, analysis of discovery documents, communications. Development of interaction and delivery platforms. Lawyers will need more than basic knowledge in future as technology platforms become more important in delivery of legal services. Scope for lawyers with creativity, programming and application skills and training to specialise. ©MNoonan 2009

Legal Perspective/Issues arising v Applications to court and other dispute resolution processes e. g. Electronic service, electronic discovery, gathering information, publicising/linking participants in class action proceedings, remote proceedings, evidence by videolink and decisions. v Evidence Act provisions about best evidence. Other evidentiary Matters including elements of contract formation, effect of service of notices by electronic means, attribution of electronic conduct and Intellectual property issues. v When does an electronic signature suffice? v Consumer protection in relation to business-to-consumer transactions or business-to-business (small business) transactions carried out electronically, rather than physically. Consider the role of the End User Licence Agreement for these transactions. o Potential liability e. g. platforms-auctions, Google ©MNoonan 2009

Service of legal documents o Generally, in NSW personal service is required for originating process, such as a statement of claim. (See Uniform Civil Procedure Rules 2005 NSW). o Sometimes this is not possible because the party to be served cannot be located or is a celebrity surrounded by security cordons. o Substituted service is possible by order of the court-methods? -post to last address-post on electronic Facebook page? ©MNoonan 2009

Service on Facebook There are cases where courts have permitted or refused substituted service via social network sites. If the court is satisfied that personal service is impracticable and the site is that of the person, they are likely to grant service. However, if they are not satisfied that a party created a particular page, because identity can be mimicked, they are likely to decline. ©MNoonan 2009

Service via Facebook In September 2010 Victorian police were asked to assist in service of an intervention order where an individual was being bullied via Facebook…cyberbullying. All papers etc were typed out into private messages and sent to his account. In addition, a video of Senior Constable Walton reading the order was also sent. ©MNoonan 2009

Service on Facebook approved MKM Capital P/L v. Cobo & Poyser, unreported judgement of ACT Supreme Court. Substituted service permitted by lender on two defaulting mortgagees. Lenders lawyers able to match personal ID by way of their Facebook profiles…e. g. birth dates, email addresses. In May 2012, NSW DC permitted promoter of an Australian music festival to serve a statement of claim on Flo Rida, an American rapper, via Facebook. He did not appear despite being paid a $55, 000 performance fee. ©MNoonan 2009

Service on Facebook denied o Citigroup P/L v. Weerakoon [2008] QDC 174. QLD D C refused to permit substituted service via Facebook, but permitted it via post to last known address. Judge was not satisfied that some of the information on the Facebook page “does not show me with any real force that the person who created the Facebook page might indeed be the defendant, even though practically speaking it may well indeed be the person who is the defendant”. ©MNoonan 2009

Taken from the news-1 Aug 14 Texan woman suing Facebook for $123 m claiming it failed to remove a “revenge porn” profile created in her name by a former friend…which contained photoshopped pictures of her head on naked bodies…”clearly offensive, disparaging and defamatory”…accused the social media site of serious privacy violation for failing to deactivate the profile……identity of poster revealed when Houston police subpoenaed Facebook to reveal the creator of the profile…damages of $123 m calculated by charging 10 c for every one of Facebook’s 1. 23 billion users. NOTE that US privacy laws different to ours. This example clearly shows how people can create a false profile pretending to be someone else. ©MNoonan 2009

Electronic contracts and changes in conveyancing practice Colin Biggers & Paisley has reported dramatic slashing of costs and improving efficiency (up to 90%) of high volume contract production, transmission, signing, receipt storage, archiving. Docu. Sign digital transaction platform eliminates the need to manually check each page and improves security. Purchasers can read and sign on any digital device, anywhere in the world and soft copies are immediately available for download to all parties. ©MNoonan 2009

Aspects of contract Sales and supplies of goods and services. ©MNoonan 2009

Business Process Perspective From a business process perspective, electronic commerce is the application of technology to the automation of business transactions and work flows…e. g. ordering processes, payments, machine software. In order to analyse the process/transactions for legal purposes, we need to understand what is being achieved, the steps and the relationships. If a new way of doing something, it may be IP, protected by Copyright and/or be entitled to a Patent. E. g. Amazon. com ordering system, subjects of Apple/Samsung patent disputes. ©MNoonan 2009

Service Perspective From a service perspective, electronic commerce is a tool that addresses the desire of firms, consumers and management to cut service costs while improving the quality of goods and increasing the speed of service or delivery. ©MNoonan 2009

Online Perspective From an online perspective, electronic commerce provides the capability of buying and selling products, services and information on the internet. This can save businesses from having the costs and inconvenience associated with physical premises and permit them to have a much wider reach. By use of logistical services…. transport and storage…that need not be theirs…. they can have large operations and cover wide areas more easily than formerly. They can also sometimes do things which were not possible /very difficult before-e. g. online auctions, avoid GST. There can also be new dangers for business e. g. Hacktivism, loss of information/data. ©MNoonan 2009

New businesses and new legal challenges Consider Qui. Bids business model. o It is different to normal auction houses in that it charges 60 c to customers each time they bid. o The amount collected enables them to sell products for less than retail. A marketing gimmick? o It combines a game with an auction…working out what to bid and how many times is the game. Each time someone bids, no more than 20 c added to auction clock. Last person to bid claims the right to purchase the item at the discounted price. Those who lose have the option to purchase at the retail price (less the amount they spent on bidding). ©MNoonan 2009

Reflection on new businesses and legal complications which can arise. UBER A recent article discussed the link between a Microsoft Windows 10 app and Uber…voice related…easier to tell the app by voice that I need an Uber ride than manipulate fingers. Increasing link between software and other functions-e. g. assisted parking, cruise control, driverless cars, remote control of household appliances and services, implanted health devices. ©MNoonan 2009

UBER again Is UBER a taxi company or a platform that enables customers to find drivers? Raises issues regarding regulation and competition with other business models providing the same or similar services. Court of Justice of the European Union to decide question for Europe in approx. April 17. Is AIRbnb a hotel chain or a platform? ©MNoonan 2009

E-Commerce - Contract Formation · · · · Ways of forming contracts Exchange of written correspondence by post, fax Oral in person or by telephone Written formal agreement or Exchange of emails Acceptance of an offer by conduct Types of Contracts Sale/supply of physical goods Licences (e. g. software, music, film) Supply of services…banking, shares, advice. Combination contracts ©MNoonan 2009

Contract formation - exchange of emails Evolving area Caution is required with communications during negotiations lest a court finds a contract has been formed prior to the formal contract being signed, even where specified in an email as “subject to contract”. See the following non NSW cases. Stellard Pty Ltd & Anor v. North Queensland Fuel Pty Ltd [2015] QSC 119 Vantage Systems Pty Ltd v. Priolo Corporation Pty Ltd [2015] WASC 21 ©MNoonan 2009

Stellard Pty Ltd v. North Queensland Fuel Pty Ltd [2015]QSC 119 Negotiations to buy service station (ss) +freehold land. 30/10 -V emailed draft contract (C) -willing to sell at price, deposit amt, stock at cost, fuel tank, line testing, environmental investigations, settlement place and date. 31/10 -telephone conversations-use one C for ss & land, and C in form supplied. V asked for offer in writing. P sent email with offer “subject to contract”. 45 minutes later, V sent email confirming acceptance but subject to execution of C with agreed amendments. 3/11 -P emailed amended contract identifying purchaser, removing a guarantee and adding special conditions re due diligence and environmental investigations. 7/11 V emailed that it was not accepted as it contained changes that were not agreed and sold it to someone else. P argued that 30 and 31/10 emails and conversations were binding C. V said not. Court found YES for P after looking at all surrounding emails, conduct and previous conversations. ©MNoonan 2009

How do we protect a V in a similar situation? Be very clear at the beginning of negotiations that V will not be bound in any way until final contract agreed, signed and exchanged. Note the issues that can arise with this…. saying things that one does not think can be binding…. but might be vulnerable to s. 18 ACL claims. ©MNoonan 2009

Vantage Systems Pty Ltd v. Priolo Corporation Pty Ltd [2015] WASC 21 Landlord and Tenant negotiating renewal by email. Found to be a binding agreement, despite subsequent negotiations, dealings and communications. Intention to create contractual relations-objective, not subjective test…. previous conversations, email exchanges and surrounding circumstances. ©MNoonan 2009

Formation of contract-From the news 9/8/2013 Daily Telegraph London Dmitry Argarkov was sent a letter offering him a credit card in the usual way. Instead of binning it, he scanned it into his computer, altered the terms and sent it back to Tinkoff Credit Systems duly signed. His version contained a 0% interest rate, no fees and no credit limit. Every time the bank failed to comply with the rules, he would fine them 3 m roubles AUD 100, 000 and if Tinkoff tried to cancel the contract it would have to pay him 6 million roubles. Tinkoff failed to read the amended contract and sent DA a credit card. The Russian court found the contract binding on Tinkhoff. They had signed the contract and were legally bound to it. They said what borrowers usually said…. We have not read it…. . but, this did not help them. ©MNoonan 2009

Reflection point Consider e. Bay auctions/transactions. Does e. Bay provide a platform or participate as an auctioneer? Who is the contract between? Some differences with physical auctions-e. g. no physical presence to check bona fides or conducted ethically, sometimes over a considerable period, proxy/maximum bids enable online system to place bids, anonymity of sellers/buyers etc. A problem can arise with enforcement of a contract ©MNoonan 2009

Peter Smythe v. Thomas (2007) NSWSC 844 PS bid $150, 000 for a 1946 Wirraway plane, one of only 5 in the world still flying. T refused to deliver as he had changed his mind and sold to another buyer for $250, 000. He argued there was no contract to enforce between PS and him because the only contracts were between each of them and e. Bay. Court ordered T to complete the sale-granted specific performancebecause it found a contract between them based on the e. Bay rules. . Court examined e. Bay Rules…”if you receive at least one bid at or above your stated minimum price (or in the case of reserve auctions, at or above the reserve price), you are obligated to complete the transaction to the highest bidder upon the item’s completion”. Offer accepted when PS made highest bid, even though payment terms had not yet been concluded. Auction and therefore a sale of goods. Court also intimated that e. Bay was agent of Vendor and therefore under an obligation to monitor and superintend the conduct of vendors. ©MNoonan 2009

Decisions outside Australia Note that there had been various inconsistent overseas decisions re obligations of e. Bay concerning the sale of counterfeit items US-Tiffany (NJ) In. v. e. Bay Inc -Lars Gentry v. e. Bay Inc - fake sports memorabilia Germany-Rolex SA v. e. Bay Gmb. H 2004 France- e. Bay v. Dior LV 2008 ©MNoonan 2009

Effect of Peter Smythe decision re consumer protection Because online “auctions” were auctions, they were excluded from TPA protections. See now ACL –e. g. s. 54…guarantee as to acceptable quality…. sale by auction excluded…definition of “sale by auction” in s. 2…in relation to the supply of goods by a person means a sale by auction that is conducted by an agent of the person (whether the agent acts in person or by electronic means) See s. 60 SOGA. ©MNoonan 2009

e. Bay NOTE that e. Bay terms and conditions vary from time to time and are not the same now as they were in the Peter Smythe decision. See current T&C-e. g. 7 -”…You acknowledge that we are not an auctioneer. Instead, our sites are venues to allow anyone to offer, sell and buy…. We are not involved in the actual transaction…We have no control over and do not guarantee the quality, safety or legality of items…When you enter into a transaction you create a legally binding contract with another user, unless the item is listed …under the Nonbinding Bid Policy…. ” ©MNoonan 2009

Ecommerce. Subject to the same laws as physical transactions Some need for special legislation Electronic Transaction Acts from about 2000. In 2010 a model Electronic Transactions Act was agreed to by all State and Territory Attorneys General and the Commonwealth Attorney General and relevant amendments passed to existing Acts. The laws post 2010 reflect the most recent UN convention on the use of electronic communications in business, are meant to ensure rules are consistent to support growth of ecommerce Electronic Transactions Act 1999 –Commonwealth Electronic Transactions Act 2000 -NSW ©MNoonan 2009

Electronic Transaction Acts These Acts generally (but, subject to some exceptions) provide equivalence to electronic and physical requirements of Federal and State law. However, drafting of individual contract provisions remains very important so as to enable parties to determine the rights between themselves and cover particular circumstances. ©MNoonan 2009

Electronic Transactions Act 1999 Cth Electronic Transactions Act 2000 NSW The following requirements imposed under NSW law can generally be met in electronic form--A requirement to give information in writing, to provide a signature, to produce a document, to record information, to retain a document. Provision is made for determining time and place of dispatch and receipt of electronic communication. ---NSW s. 13, 13 A, 13 B Cth s. 14, 14 A, 14 B. Originator only bound if sent by, or with authority of, purported originator. NSW s. 14 Cth. s. 15 ©MNoonan 2009

Electronic Transactions Acts Contain provisions which clarify: An unaddressed proposal to form a contract is to be regarded as an invitation to make offers rather than as an offer that if accepted would result in a contract A contract formed automatically is not invalid, void or unenforceable because there has been no human review or intervention ©MNoonan 2009

Electronic Transactions Act 2000 NSW Time of dispatch s. 13 (1) For the purposes of a law of this jurisdiction, unless otherwise agreed between the originator and the addressee of an electronic communication, the time of dispatch of the electronic communication is: (a) the time when the electronic communication leaves an information system under the control of the originator or of the party who sent it on behalf of the originator, or (b) if the electronic communication has not left an information system under the control of the originator or of the party who sent it on behalf of the originator-the time when the electronic communication is received by the addressee. (where parties use same system) (2) Subsection (1) applies even though the place where the information system supporting an electronic address is located may be different from the place where the electronic communication is taken to have been dispatched under section 13 B. ©MNoonan 2009

Electronic Transactions Act 2000 NSW Time of receipt s. 13 A (1) o o (2) (3) For the purposes of a law of this jurisdiction, unless otherwise agreed between the originator and the addressee of an electronic communication: (a) The time of receipt of the electronic communication is the time when the electronic communication becomes capable of being retrieved by the addressee at an electronic address designated by the addressee, or (b) the time of receipt of the electronic communication at another electronic address of the addressee is the time when both: (i) the electronic communication has become capable of being retrieved by the addressee at that address, and (ii) the addressee has become aware that the electronic communication has been sent to that address. For the purposes of subsection (1), unless otherwise agreed between the originator and the addressee of the electronic communication, it is to be assumed that the electronic communication is capable of being retrieved by the addressee when it reaches the addressee’s electronic address. Subsection (1) applies even though the place where the information system supporting an electronic address is located may be different from the place where the electronic communication is taken to have been received under section 13 B ©MNoonan 2009

Electronic Transactions Acts Issues What is an electronic communication? What is an information system? Who is the originator? Who is the addressee? ©MNoonan 2009

What is an information system? Contrast Smith FM in American Express Ausralia Limited v. Michaels [2010] FMCA 103, paras 26, 27, 28 with Associate Justice Macready in Reed v. Eire [2009]NSWSC 678 paras 29 -35 incl. ©MNoonan 2009

NOTE that there are exceptions to the general rule that electronic communications are equivalent to physical by virtue of the Electronic Transactions Acts e. g. Insurance Contracts Act The Insurance Contracts Act specifies that some communications must be in writing. Most provisions impose obligations on the insurer to advise the insured of something in writing (ss. 22, 35, 37, 39, 40, 44, 49, 58, 62, 68 and 74). s, 69 permits oral information, provided later given in writing. The ETA 1999 (Cth) provides that in general where a commonwealth law requires a notice in writing, it may be given by electronic means provided that the recipient consents. However, the ET regulations exclude the ICA from the scope of these provisions! Because of the seriousness of some of these notices e. g. cancellation, in a Treasury review of the ICA in 2004, a recommendation was made that E communications be possible with consent and provided a record could be printed. See later insurance module for more details. Increasing scope in all aspects of legal practice. E. g. Land conveyancing practice See Regulations to the Acts ©MNoonan 2009

Discussion point Is it wise to use email to communicate formal notices under contracts? In Reed Constructions Pty Limited v. Eire Contractors Pty Limited [2009] NSWSC 678 time of receipt of an email attaching a payment claim was crucial to the validity of an adjudicator’s determination under the Building and Construction Industry Security of Payment Act 1999. Recipient wanted court to conclude it was received 6 Nov. Evidence indicated that the email was sent 6 November and read on 7 th. Recipient did not produce evidence that email was received by its email server on 6 th, so NSWSC refused to overturn adjudicator’s determination against recipient. ©MNoonan 2009

Using email to send notices Bauen Constructions Pty Ltd v. Sky General Services P/L [2012]NSWSC 1123 What was time of receipt of an email of an adjudication response under Security of Payment Act? Sent by email 21 June 2012 to Adjudicate Today, but they were unaware of it until it was discovered on 12 September in their spam filter. Court decided that “lodged” in s. 20 BCISPA meant “presented” and relied on the rues in the Electronic Transactions Act to establish receipt was when the email was capable of being retrieved…. 21 June. ©MNoonan 2009

What is the solution? o Prohibit use of email for contractual communications when drafting contracts? o Draft detailed clause setting out when receipt deemed, methods of proving time of receipt, permissible formats for attachments? ©MNoonan 2009

Evidence Meta data-data about data-e. g. when prepared or changed Becoming common in litigation to ask for it as part of discovery to check claims concerning documents. Student in former semester gave example of a case where a plaintiff made certain claims but did not produce meta data for the relevant documents. Negative inference possible. ©MNoonan 2009

E-commerce Is there a valid Contract? Valid offer? o Wording and display? . Limits? Systems? Interactive or active site? o Automated interactive sites? Vending machines…offer made when proprietor holds it out as being ready to receive money. Contract formed when consumer places money into the slot and selects item. Acceptance? o Effective at the time communicated to offeror. When is it communicated? Email? Instantaneous? Press Send, goes to ISP, goes via a number of servers and received when recipient logs on and downloads. May go around the world to get to the next building. Is it similar to the postal system? Difficulties with certainty in time of communication. EDI is instantaneous. Fax? What if noone there to receive it? Intention to create legal relations? Capacity? Consideration? Terms are certain? ©MNoonan 2009

Discussion point Can e. Bay change the terms and conditions of its contract by posting a notice on its Website? See e. Bay terms of use ©MNoonan 2009

Electronic Dispute Resolution Various procedures can be carried out electronically Some dispute resolution tribunals etc choose electronic proceedings e. g. Domain Name disputes. Some Arbitrations reliant on documents can be carried out remotely and thereby lower costs. Our courts regularly use various electronic methods-for service (e. g. on parties via their Lawyer, or if personal service not feasible on respondent’s Facebook page), discovery, videoconferencing for overseas witnesses or parties. ©MNoonan 2009

Electronic Signatures Electronic Signature A signature used on an electronic document or transaction. Digital Signature ©MNoonan 2009

Electronic signatures When dealing with a company one is normally entitled to rely on s. 127 of the Corporations Act 2001 and assume that the document has been duly executed and is binding. A company may sign a document by having any 2 directors, a director and company secretary or a sole director who is also the sole company secretary, sign the document. ETA does not apply to the Corporations Act but s 127 does not prohibit electronic signatures. Directors upload their signatures electronically for convenience. Only liable if use of that electronic signature authorised. Onus therefore back on you to check whether the signatories have agreed to / authorised the electronic affixing of their signature. ©MNoonan 2009

Shrinkwrap, Clickwrap and Browsewrap licences Usually encountered when purchasing (shrinkwrap) or downloading and using software applications and electronic information distributed online (clickwrap and browsewrap) Shrinkwrap…on the clear plastic wrapper Clickwrap…I agree button Browsewrap…appears on site somewhere…by using this site…. you agree etc… ©MNoonan 2009

Shrinkwrap Quite often order is made by phone and company promises to send the item. Contract usually formed when order made, accepted, payment etc, and cannot add terms later. However, may be situation where “on consider and agree/or return” basis…sophisticated user with knowledge usual terms…licence terms shown each time program loaded with offer of refund if not acceptable…. If terms desired, need to be made known and agreed to by contracting party at time of contract…conditional on acceptance…return possible? ©MNoonan 2009

Good rap for browsewrap in USA: Register. com Inc v Verio Inc Authors: Leaellyn Rich and Irene Zeitler of Freehills Agreement to terms and conditions? Decision affirming the enforceability of browsewrap licences, the U S Court of Appeal for the Second Circuit has upheld a preliminary injunction issued against Verio Inc. (Verio), a website developer and hosting firm, for breaching the browsewrap-style terms of use for the services of the plaintiff, Register. com (Register): Register. com Inc v Verio Inc. 356 F. 3 d 393 (2 d Cir. N. Y. 2004), 2004 U. S. App. LEXIS 1074. ©MNoonan 2009

Facts in Verio Register, a provider of domain name registration services, had agreement with Internet Corporation for Assigned Names and Numbers (ICANN). Register was required to maintain and update a publicly available 'WHOIS' database of registrants' contact information, was not to impose restrictions on use of data, except re electronic spamming. Register established WHOIS database, updated on a daily basis, and provided free public inquiry service for the information it contained. Register's responses to WHOIS queries were captioned by a 'legend' stating that by submitting a query, the user agreed to refrain from using the data to conduct mass solicitations of business by email, direct mail or telephone (a more stringent restriction that envisaged under the ICANN Agreement, which was only in relation to the restriction of mass solicitation by email). Verio developed an automated software program or 'robot' (Robot) to access WHOIS database and compile massive lists of new registrants, who Verio then subjected to a barrage of unsolicited marketing by email, direct mail and telephone. Register demanded Verio stop, but Verio only partially complied, ceasing email solicitations, but continuing direct mail and telephone. Register sued for breach terms. Verio argued not contractually bound because it never received legally enforceable notice of Register's conditions because the restrictive legend did not appear until after Verio had submitted the query and received the WHOIS data. ©MNoonan 2009

Decision in Verio Court upheld the preliminary injunction, concluding that online contracts do not always require formal acceptance by the offeree. In the circumstances, Register's browsewrap-type terms of use, combined with Verio's actions in repeatedly accessing the WHOIS database constituted a valid offer and acceptance, thereby resulting in a legally enforceable contract. Court distinguished case Specht. Court also disagreed with the Ticketmaster, expressly rejecting that terms were unenforceable because user had not clicked an 'I agree' icon: n'[w]e recognize that contract offers on the Internet often require the offeree to click on an "I agree" icon … no doubt in many circumstances, such a statement is essential to the formation of a contract. But not in all circumstances. . . It is standard contract doctrine that when a benefit is offered subject to stated conditions, and the offeree makes a decision to take the benefit with knowledge of the terms of the offer, the taking constitutes an acceptance of the terms, which accordingly become binding on the offeree. ' Particular significance was attached to the fact that Verio was a commercial entity that was making numerous, successive inquiries of Register's database, as a result of which it had become well aware of the terms exacted by Register. ©MNoonan 2009

Implications of VERIO US decision As electronic commerce has developed, courts have been confronted with the task of applying age-old principles of contract law to various online permutations of the classic idea of agreement between parties. While, in recent years, courts have become comfortable with enforcing agreements supported by 'clickwrap' procedures, Verio is an authority in relation to the enforceability of 'browsewrap' or 'Web wrap' agreements. This case helps to elucidate contract principles as they apply to browsewrap agreements and, in particular, clarifies the circumstances in which the provisions of browsewrap agreements will be held to be enforceable. Although Australian courts are not bound by American case law, the decision in Verio provides a useful guide as to how an Australian court might deal with the issue. ©MNoonan 2009

Specht v Netscape Communications Corp. , 306 F. 3 d 17 (2 d Cir. 2002), The Court declined to enforce terms specified by Netscape against a user of Netscape's software due to insufficient evidence that the user had seen the terms when downloading the software. The terms of Netscape's offer of software were posted on the website from which the user downloaded the software. However, the user would not have seen them without scrolling down their computer screen, and there was no reason for them to do this. ©MNoonan 2009

Ticketmaster Corp. v Tickets. com Inc. , No. CV 99 -7654, 2000 U. S. Dist. LEXIS 12987, 2000 WL 1887522 The Court, noting that the taker of the information was not provided with an 'I agree' icon to click (although fully aware of the terms on which information was offered on Ticketmaster's site), concluded that there was insufficient proof of agreement to support a preliminary injunction. The Court Verio commented that '[u]nder the circumstances of Ticketmaster, we see no reason why the enforceability of the offeror's terms should depend on whether the taker states (or clicks), "I agree". ' June, 2004 ©MNoonan 2009

Unconscionability, Unfairness and Standard terms used in ecommerce contracts. Consider the application to: o Choice of law clauses o Arbitration clauses o Forum clauses o Payment/fees clauses o Term of contract/renewal clauses o Resulting damage ©MNoonan 2009

ACL s. 18/S. 52 TPA and e-commerce misleading or deceptive conduct Consider also ancillary liability ( aids, induces, conspires, knowingly concerned) e. g. executives or salespeople, manufacturers, retailers associated with a particular transaction. See expansion in ACL. . . As long as some conduct taken place in Australia, can involve T&C between Australia and overseas. Where were the representations made? . . relevant conduct… not the state of mind. No need for an active representation. Can be silence e. g. incomplete information, changes noted or where reasonable expectation of information. Examples of possible problem areas: o. Advertising o. Website design, logos, product description, Domain names o. Metatags and cyberstuffing-keywords to attract search engines o. Linking and framing o. Distributing software without permission o. Contract terms ©MNoonan 2009

Jurisprudence of TPA still relevant to ACL because provisions almost* the same Misleading and deceptive conduct Taco Bell Inc. v. Taco Bell P/L (1982) 42 ALR 177 4 step approach to whether conduct is misleading and deceptive in all the circumstances (1) Identify relevant section of public who may be mislead/deceived. (2) What is effect of conduct on all those within that section…would a reasonable member of that section be mislead? (3) Evidence that consumers are in fact suffering from a misconception may be persuasive but is not essential (4) It must be established that the misconception has arisen as a result of conduct complained of and not some other factor NOTE that intent of defendant not relevant and not enough to cause mere confusion. Conduct must actually mislead or deceive or be likely to…different to passing off action where confusion enough. *extended to person and not just corporation, T&C expansion. ©MNoonan 2009

Google See Google Inc. v. Australian Competition and Consumer Commission [2013]HCA 1 Re “organic search results” (links to web pages ranked in order of relevance to search items entered) and “sponsored links” (advertisements). ACCC claimed sponsored links conveyed misleading and deceptive representations contrary to s. 52 TPA (now s. 18 ACL). Primary judge found representations misleading and deceptive but not made by Google, as ordinary reasonable members of the relevant class of consumers affected would have understood them to be advertisements. Full Federal Court unanimously found that Google had itself engaged in misleading or deceptive conduct by publishing and displaying the sponsored links. High Court allowed appeal and found ordinary and reasonable users of the Google search engine would have understood that they were advertisements. ©MNoonan 2009

Sales of goods over the internetterms and conditions Results of a survey of on line retail sites by ACCC 2004 Terms and conditions compulsory viewing Require positive consent before completion Written contract easy to find Clause attempting to disclaim warranties in breach TPA Clause attempting to limit liability Clause attempting to limit responsibility for inaccuracy Clause stating that use of site is agreement to T&C Both clauses attempting disclaimer warranties and limits to liability 14. 7% 32. 80% 17. 4% 50. 9% 66. 00% 54. 3% 48. 7% 43. 8% 70% of online sites surveyed raised concerns for ACCC ©MNoonan 2009

Foreign web scheme banned Peter James and Andrew North of Allens Arthur Robinson Example also of ACCC and FTC co-operation ACCC case against US based Sky. Biz. com Inc, illustrating that web-based activities can be subject to laws where information accessed, not just the law of home country operations. . ACCC alleged in Federal Court that Sky. Biz. com Inc contravened TPA 61 through its operation of a pyramid selling scheme and had engaged in misleading and deceptive conduct and referral selling, prohibited by ss. 52, 59 and 57. Sky. Biz. consented to orders that: The Skybiz scheme was a pyramid selling scheme. Skybiz represented the scheme could be used to engage in ecommerce when it could not; Sky. Biz attempted to induce people to take part by representing that those who joined would later receive money if they introduced new consumers, contingent on those new consumers recruiting further consumers, thereby engaging in referral selling. Sky. Biz represented the scheme would be a profitable business for all persons who took part and could be carried on at/ from, their home, when in fact this was not the case, thereby making false or misleading representations and Sky. Biz attempted to induce persons to take part by representing that those who joined would later receive payments. ©MNoonan 2009

Sales of goods over the Internet Same as physical sales plus some Goods to correspond with description Do the goods delivered correspond with description, picture? Important to check pictures and descriptions to make sure they match those delivered. Any tendency to vary should be clearly noted on site so as to be clear to the customer prior to the decision to purchase being made. ©MNoonan 2009

Sale of Goods Act Fitness for Purpose Has the customer made known, expressly or impliedly, the purpose to the Vendor? Expressly Ordered by description? Surrounding negotiations? What is the usual purpose? Impliedly One purpose only? Advertised as being appropriate for particular purpose? ©MNoonan 2009

Sale of Goods Act Merchantable Quality As people do not see goods before they buy when bought over the Internet, it will be particularly important to point out any defects. Note Grays auction site. When they sell factory seconds, they list some or all of the faults, a note that they have not been properly assessed, no warranty etc. ©MNoonan 2009

Sales over the Internet Australian Consumer Law Note the difference in approach in the Australian Consumer Law, such as: Guarantees, rather than implied terms. Acceptable, rather than merchantable quality. Unfair terms in standard form contracts. ©MNoonan 2009

Sale of Goods over the Internet Capacity Normally there is a presumption at common law, that a person who enters a contract has full capacity to do so. Some exceptions for those under a disability-might include minors (under 18), mentally disable, drunkards, bankrupts. It is impossible to be sure of identity of Internet Customer. Consider the situation with Minors: A contract made by a minor is “voidable”, at the minor’s option. One exception involves “Necessities”-food, clothing, education or goods/services fit to maintain them in station of life in which they move. Even so, unenforceable if contains harsh, unreasonable terms or price is unreasonable. Burden of proof with supplier. What is the situation with “Luxury items”? CDs, computer games? ©MNoonan 2009

Sale of Goods over the Internet Purchase by a minor The minor uses their own debit card The account would be debited before goods received. Therefore, once, goods received, minor would have to litigate to recover the money. However, if they changed their mind prior to delivery and informed supplier they wished to withdraw, the supplier would not be able to rely on contract terms and conditions. Minor would be entitled to a full refund. The minor uses adult debit/credit card without permission Should be treated same as if card stolen. When adult becomes aware, might choose to ratify; in which case contract would be with adult and fully enforceable. If they denied validity, child could be prosecuted for theft. Credit company would most likely seek to recover the money and the supplier would lose out. The minor might be obliged to pay after receipt of goods Seller could not enforce contract to recover money. Unless fraud, they could not recover the goods either. ©MNoonan 2009

Sale of Goods over the Internet Sale by a minor In NSW law has altered CL position and is different to that in the other States. See the Minors (Property and Contracts Act) 1970. o If for their benefit, it is presumptively binding o The Supreme Court can make an order granting them capacity o A minor cannot enforce a contract that is not presumptively binding o On reaching 18, minor can affirm an act they participated in during minority o On repudiation, courts have wide discretion to produce a fair result. o Where a disposition of property occurs and minor receives at least part of consideration, it is presumptively binding. ©MNoonan 2009

Protection of IP in electronic commerce Issues to consider: Ease of copying Ease of manipulation once copied. Can have positive outcome-use of that information to spur creativity. Hacking and hacktivism Loyalty of staff, customers and Leaking Note copyright and royalty issues highlighted by music publishers, electronic books…. Development of new technology and new businesses…e. g. tablets with apps, text books recorded so students can listen on their ipod instead of reading, cloud storage, comparison shopping, analysis. ©MNoonan 2009

DATA MANAGEMENT An increasingly relevant field for lawyers: -their own files and data -client ownership/control of data as property -storage and retrieval rights -ramifications for discovery / litigation -responsibilities of clients and client Directors Limited reference materials. See Office of the Australian Information Commissioner for draft guide on big data. ©MNoonan 2009

Data Management Emerging issues for new businesses & their legal advisers and potential legal liability arising from o o o o o Unauthorised access to systems/data by third parties Use of that data causing damage Accidental data leakage Unauthorised access and use of data and systems by internal users. Loss of availability of physical assets e. g. theft of laptops, malicious code attacks Loss of availability of data Loss of availability of services Loss of data integrity Disclosure of sensitive information ©MNoonan 2009

i. Phone v. Black. Berry taken from an article by Dylan Welch smh Oct 20, 2010 Global obsession with the i. Phone is not only becoming a threat to security; an entire criminal industry has sprung up around it, says the head of the Australian Crime Commission (John Lawler). Rapidly replacing the Black. Berry, but unlike it and other smartphones, the i. Phone does not allow a company’s IT staff to install and upgrade its own security software, leaving business networks at risk of penetration. Criminals are finding more and more opportunities to use it to intrude, steal and defraud. Even the desire for the phone is creating a burgeoning black market. ©MNoonan 2009

Data Management Potential legal liability Misleading and deceptive conduct example: Theft or leakage of credit (or debit) card information resulting in online fraud. Was there an implied representation that X had taken the security measures required by industry practice to safeguard personal and financial information? US example of TJX Consider also the Vodafone situation in January 2011 and other examples (e. g. Telstra) in Australia of lax security and controls leading to loss of personal data. ©MNoonan 2009

Vodafone “Sitting in a western Sydney business with a laptop and someone who knew a login for Vodafone’s customer database, I handed over my mobile number to be punched …in seconds, we could see all my personal details…my full name, address, driver’s licence number, date of birth, the pin number to access and change details…my entire call list…was visible…” Natalie O’Brien Sun Herald January 9, 2011 ©MNoonan 2009

From the news…. SMH 20 January, 2011 The detailed records of thousands of Uo. S students past and present are being stored online where they can be easily downloaded and read via an internet connection…reported that Uo. S was told about this security problem in February 2007, but did not move to rectify it. The website was sabotaged weekend of 15/16 January. NSW acting privacy commissioner John Mc. Alteer said it indicated a breach of s. 12 © of the NSW Privacy and Personal Information Protection Act 1998. ©MNoonan 2009

From the news……. Espionage fears at CSIRO 4/12/2013 smh “Australian intelligence and security agencies are investigating a suspected industrial espionage case at the CSIRO…. the man, a post-doctoral student, is being investigated for allegedly accessing sensitive CSIRO data. A focus of the intelligence probe is determining whether the man sent CSIRO information to a foreign power. The CSIRO’s nanotechnology area works closely with Australia’s Defence Science and Technology Organisation. ©MNoonan 2009

TJX example-facts TJX was a retail chain with 3, 500 stores. In Dec 2006, it disclosed that hackers had gained unauthorised access to its computer and customer credit and debit card records had been compromised. Hackers first accessed July 2005 and intrusions undetected for 18 months, during which time 45 million records stolen-credit card details, drivers licence numbers, social security numbers of 451, 000 TJX customers. Hackers exploited one initial weakness and then built from there…weak wireless protocol used to transfer data between hand held price checking devices, cash registers and main computer. Hackers sat in a car park close to a store and used basic equipment. Also weak firewall and failure to implement further security equipment available. Data sold on the internet and used by online fraudsters from Sweden, Ukraine, Turkey, Australia, HK and Mexico. 2 class actions-by consumers and by issuing banks ©MNoonan 2009

Data Management Potential legal liability A credit card transaction: Merchant Acquiring Bank Consumer Credit Card Co Issuing Bank *Diagram from Gifford, Information Security Managing the Legal Risks, CCH ©MNoonan 2009

A credit card transaction 1. Consumer uses a credit card to pay for a purchase with 2. 3. 4. 5. 6. merchant. The card has been issued to consumer by a financial institution (“issuing bank”) e. g. ANZ Merchant sends consumer account info to bank that handles all merchant’s transactions (“acquiring bank”) for validation Acquiring bank sends info to issuing bank for payment authorisation via networks operated by Visa or Mastercard. Issuing bank authorises transaction and remits funds to acquiring bank. Acquiring bank remits funds to merchant Issuing bank bills consumer and consumer pays issuing bank ©MNoonan 2009

A credit card transaction Contractual relationships? Acquiring bank with Mastercard and Visa Acquiring bank with Merchant Consumer and Issuing Bank No contractual relationship between consumer and Mastercard, or Issuing Bank and Mastercard/Visa ©MNoonan 2009

TJX example-legal actions By Issuing Bank Issuing banks had no idea transactions were fraudulent and so paid out, but unable to recover from customers because they had not made purchases. As well as losses from fraudulent transactions, issuing banks incurred millions of admin costs in replacing compromised cards and providing enhanced monitoring of compromised customer accounts No realistic prospect of targeting fraudsters Original hackers never found No legal basis for recovery against Mastercard or Visa Action taken against TJX and Acquiring Bank-breach of contract, negligence (dismissed), misrepresentation and violation of Massachusetts General Laws Chap 93 A. Settlement reached USD 65 M ©MNoonan 2009

TJX example-legal actions By Consumers Class action against TJX for “distress” at prospect and risk of identity theft. Loss had been absorbed by their issuing bank. TJX agreed to provide consumers with vouchers, cash, credit monitoring services, identity theft insurance and reimbursement of proven out of pocket expenses (e. g. replacing licences). Total cost (USD 10 -20 m) ©MNoonan 2009

Sony $15 m settlement of class action due to 2011 Sony Play. Station data breach. More recently, Sony Pictures. On 15/12/2014, current and former Sony employees filed a class action alleging Sony failed to protect their personal information. Were leaked personal information of employees stored in excel files, not encrypted or password protected? . Were passwords for computer and social media accounts stored in folder labelled “Password”. If so, these data storage practices would not meet APP 11 of Privacy Principles ©MNoonan 2009

Industry practice Is there a relevant standard? Was there an implied representation that X had taken the security measures required by industry practice to safeguard personal and financial information? In this situation there is the Payment Card Industry Data Security Standard (PCI DSS), a security standard developed and administered collectively by the leading credit card companies (Amex, Visa, Mcard, Diners, JCB) Is it reasonable to infer organisations impliedly rely on other organisations accepting credit card payments taking appropriate security measures? What about other industries? E. g. Health, Legal services, Retail. ©MNoonan 2009

Confidential information Theft or leakage of confidential information Was there a contract to safeguard info? If so, may be action for breach of contract. If not, may be negligence or express or implied representation that security measures in place. Should one check that they are, or make it a term of a relevant contract, …. . as an aspect of risk management when negotiating a contract? ©MNoonan 2009

Other potential liability Directors and Officers Corporations Act-duty of care and diligence…discharge their duties with the degree of care and diligence that a reasonable person would exercise if there were a director in the corporations circumstances. Company operating online-Duty? ASIC v. Macdonald (No 11) NSWSC 287 -James Hardie-a Director/Officer with specialist skills will be judged differently to one without. Note business judgement rule-good faith, proper purpose, no personal interest, informed judgement and believed rationally it was in best interests of company. Duty owed to company, not world at large. Note increase in actions by Shareholders. ©MNoonan 2009

Directors and Officers liability Shareholder have sued directors of Target in the US (filed Jan 2014) following a major data breach…. alleging: Ø they have failed to ensure company had adequate data security Ø they made false and misleading statements and Ø they failed to protect company after breach. Target was victim of cyber attack in 2013…stole credentials from a contractor who had access to online invoicing system. They were able to map the network and instal malware on point of sale terminals in stores across USA. This malware captured credit card information and customer personal data, encrypted it and transmitted it to the hackers…. 40 m credit cards and up to 70 million customer records. ©MNoonan 2009

ASIC Report on Cyber resilience and cyber guidance…see ASIC site. 1. 2. 3. 4. 5. 6. 7. 8. Are cyber risks an integral part of risk management framework? How often is cyber resilience reviewed by Board? What risk is posed by cyber threats to business? Does Board need more expertise to manage? Monitoring required? Triggers? People strategy around cybersecurity? What is in place to protect critical information? What needs to happen in the event of a breach? ©MNoonan 2009

Other potential liability CRIMINAL Consider Wikileaks situation and calls for criminal prosecution Australian Cybercrime Act 2001 VICARIOUS LIABILITY Employer for employee actions e. g. sexual harassment or discrimination by offensive emails, text messages, pictures ©MNoonan 2009

Issue-Data as property o Ownership or control? o What if I am unhappy with an existing service, can I insist on my customer record being made available to a rival supplier? No if records are property of supplier at the moment, but yes, if mine. See open access regime re banking via application programming interfaces proposed. o One person using data (personal property? ) does not necessarily prevent another person using it, so exclusivity different to physical property. ©MNoonan 2009

Privacy “Privacy is dead-get over it…” said CEO Sun Microsystems in 2000 Concept relates to individuals and not organisations Limited protection given in Australia under Cth Privacy Act. (Also NSW Privacy and Personal Information Protection Act 1998. ) Focus is conciliation between aggrieved individual and organization, rather than compensation If conciliation not possible, Privacy Commissioner able to make a “determination” which can include compensation-but rare and modest. No incentive to improve. ©MNoonan 2009

Privacy Principle 4 of NPP Data Security 4. 1 An organisation must take reasonable steps to protect the personal information it holds from misuse and loss and from unauthorised access, modification or disclosure 4. 2 An organisation must take reasonable steps to destroy or permanently de-identify personal information if it is no longer needed for any purpose for which the information may be used or disclosed. ©MNoonan 2009

Privacy Act Compensation Rare and miniscule Rummery v. Federal Privacy Commissioner (2004) AATA 1221 Whistleblower at ACT Dept of Justice. DOJ sought to discredit Rummery by relating information of a personal nature to Ombudsman. Flagrant attempt by senior public servant to discredit a whistleblower. AAT found conduct a “serious breach” of Privacy Act but awarded only $8, 000. ©MNoonan 2009

New statutory tort? Emerging Common law remedy? ALRC and NSW Law Reform Commission have both recommended introduction of new statutory cause of action for “tort of serious invasion of privacy”. May emerge incrementally in the common law due to indications in various HC cases ©MNoonan 2009

Privacy Amendment (Enhancing Privacy Protection) Act 2012 Cth Became law Dec 2012, in force 12 March 2014. Australian Privacy Principles (APPs) combine and replace National Privacy Principles and information Privacy Principles in Privacy Act 1998. APPs apply to all direct selling organisations with min annual turnover of $3 m Greater enforcement powers given to the Australian Privacy Commissioner Changes to credit reporting ©MNoonan 2009

The relevant Privacy law See website of Office of Australian Information Commissioner for useful information on this topic. http: //www. oaic. gov. au ©MNoonan 2009

The 13 APPs 1. 2. 3. 4. 5. 6. 7. 8. 9. 10. 11. 12. 13. Open and transparent management of personal information Anonymity and pseudonymity Collection of solicited personal information Dealing with unsolicited personal information Notification of collection of personal information Use or disclosure of personal information Direct Marketing Cross border disclosure of personal information Adoption, use disclosure of government related identifiers Quality of personal information Security of personal information Access to personal information Correction of personal information ©MNoonan 2009

Who does it apply to? o Direct selling organisations with annual turnover of $3 m or more o Direct selling organisations with annual turnover less than $3 m if they trade in personal information, are related to a larger company o Those organisations who wish to voluntarily reassure customers that they treat personal information appropriately and securely. ©MNoonan 2009

Privacy Policy must state: o Details of kind of PI collected o How it is collected and held o The purposes of collection o How individuals can seek access to it or correct it o How a complaint may be made o Whether the personal information will be disclosed to overseas recipients and if so, the countries ©MNoonan 2009

“Mobile Security Outrage-private phone details of millions accessible over the Internet”-Vodafone Sun Herald 9 January, 2011 Customer information accessed through a secure web portal accessible to authorised employees and dealers via a secure login and password. Unauthorised use of password and then sharing of information? Because customer database is not an intranet and instead is on internet users with a password can log in from anywhere and access any customer information -name, address, driver licence number, D. O. B. , pin number to access and change details on account, call list. Up to 4 m customers affected. Potential exposure for customers? -criminal activity, identity theft, spouses checking up on each other. Already a 12, 500 customer class action against Vodafone over service issues. Best legal remedies for customers? ©MNoonan 2009

Privacy and “big data” o Office of Australian Information Commissioner (OAIC) has adopted the Gartner definition of “big data” “…high-volume, high velocity and/or high variety information assets that demand cost-effective, innovative forms of information processing for enhancing insight, decision making and process optimisation…” o Increasing use of data-e. g. no sooner do we search for something on Google than we get pop up advertisements related to what we were searching…. so targeting me for what I am interested in…data is mined…for trends, preferences, patterns, associations in human behaviour of market behaviour. Where personal information is involved, Privacy Act applies…. e. g. consent to use required if identifiable. o Increasing abuse of big data ©MNoonan 2009

Cloud computing Discussion points: 1. Who owns / has possession/control of files stored in a cloud storage system? 2. Can Dropbox and email be used to serve documents? 3. What issues arise in litigation and investigations if relevant information is stored in the cloud? ©MNoonan 2009

Who owns/possesses/controls data? o The creator? o The intermediary o The remote facility For example- to whom should orders be addressed in litigation, an investigation? ©MNoonan 2009

Dropbox and service Conveyor & General Engineering P/L v. Basetec Services P/L [2014] QSC 30 Basetec sent an email to CGE and their solicitors attaching an adjudication application form and including a Dropbox link to Basetec’s submissions. Sent 23 August, but not accessed until 2 September. CGE out of time for response Found not to be duly served. Requirements of s. 11 of Qld ETA not met…. ”the material within the Dropbox was not part of an electronic communication as defined. None of the data, text or images within the documents in the Dropbox was itself electronically communicated, or in other words communicated “by guided or unguided electromagnetic energy”. Rathere was an electronic communication of the means by which other information in electronic form could be found, read and downloaded at and from the Dropbox website”. ©MNoonan 2009

Issues arising Access-stored in remote infrastructure shared by multiple organisations, contract provisions re access and retrieval Risk of data (including metadata) modification or loss Data sovereignty-what privacy and other laws govern the data, access, storage etc ©MNoonan 2009

Electronic Banking Specific study of one type of ecommerce we all use and which is vital in commerce Our focus is: o. Consumer liability. When will we be liable for problems/loss in electronic banking (Chapter C e. Payments Code)? o. Dispute Resolution mechanisms-Internal and (Chapter F e. Payments Code) and external (Ombudsman). o. See ASIC site for e. Payments Code ©MNoonan 2009

Credit Cards & Electronic Banking Contract between Banker and Customer Students are expected to have a good working knowledge of the terms and conditions of a bank customer contract for electronic banking, credit cards, internet banking, the application of Chapters C and F of the e. Payments Code to them, and be able to work through and resolve a problem with such services. The e. Payments Code is available on the ASIC website. Useful summaries and copies of policy guidelines for the Financial Services Ombudsman are available on their website. ©MNoonan 2009

CARDS and ELECTRONIC BANKING Contract between Banker and Customer Contract may consist of more than one set of terms and conditions and terms may be implied by other instruments or by Statute. See: Electronic Banking Conditions of Use / Terms and Conditions Note that there are frequent variations from time to time for both Code of Banking Practice (disclosure mostly) e. Payments Code See also: misleading and deceptive conduct Contract Review-harsh/unconscionable/unfair Tort Negligence Misrepresentation Dispute Resolution Methods Internal-See Terms&Conditions of Contract and Codes of Conduct External-See Financial Services Ombudsman Court Other ©MNoonan 2009

e. Payments Code What happens if there is an unauthorised transaction on your account? o There is an obligation to check your statements. o Contact your account institution as soon as possible. o There will be some instances where you will be liable for them, and others where you will not be, and some in between; where you will be liable to a limited extent. o See e. Payments Code Chapter C ©MNoonan 2009

e. Payments Code When will you get your money back for unauthorised transactions? Refer Clause 10 e. PC When: - there is fraudulent or negligent conduct by employees or agents of the account institution, third networking party, or merchant; - a forged, faulty, expired card, PIN or password was used; - the transaction took place before your received your card, PIN, password; - a merchant incorrectly debited your account more than once; - the transaction took place after you told your account institution your card had been stolen or lost, or someone else may know your PIN or password; - no PIN or password was required to conduct the transaction; - it is clear you have not contributed to the loss; - the account institution expressly authorises the conduct. ©MNoonan 2009

EFT Code cont. When will you not get your money back? Ref: Clauses 11, 12, 13 e. PC Where the account institution can prove on the balance of probability that: - you contributed to the loss by acting fraudulently, or not keeping your PIN or password secret; - you unreasonably delayed before telling your account institution that your card had been misused, lost or stolen or that someone else might know your PIN or password. ©MNoonan 2009

e. Payments Code sample issues What is the extent of my liability? When will liability be split between the account institution and the customer? ©MNoonan 2009

Pass code security requirements Ref: Clause 12 e. PC User must not: o Voluntarily disclose it to anyone-including family o Record the code on an access device o Record it on anything carried with the device or liable to loss or theft simultaneously with the device o Where no device required, record it in the same place without making a reasonable attempt to protect security of code…. extreme carelessness includes recording it in a diary, Black. Berry or computer that is not password protected under “internet banking codes”. o Choose a code that represents birth date, recognisable as part of name, one they were specifically instructed not to use or warned against. ©MNoonan 2009

COMPLAINT INVESTIGATION / DISPUTE RESOLUTION INTERNAL SCHEME Chapter F e. Payments Code Internal Complaint handling procedures to comply with AS ISO 10002 -2006 consistent with ASIC Regulatory Guide 165 o Limitation period 6 years o Financial Institution (FI) to obtain information set out in clause 38. 2 o Investigation within 21 days unless advice given that more time is required o Investigation to be concluded within 45 days of receipt of complaint unless exceptional circumstances (e. g. foreign merchant causing delays). o FI to respond to requests for info from another FI within 15 days o Outcome must be explained o If complaint settled within 5 business days to satisfaction of user, no advice in writing required. o If complaint not settled within 5 days, advice in writing must be given ©MNoonan 2009

INTERNAL COMPLAINT PROCEDURE Clause 38. 2 e. PC INFORMATION TO BE OBTAINED in case of unauthorised transaction Type of facility, an identifier, type of device and code used Name and address Name of any other users Whether device used Whether device lost stolen or misused or security of code breached and if so, details. 6. Where pass codes required to perform transactions, details of how it was recorded 7. Whether pass code disclosed to anyone 8. Where and how loss, theft, misuse, or breach pass code security occurred 9. Details of transaction to be investigated 10. Details of surrounding circumstances 11. Any steps taken by user to ensure security of device or pass code 12. Details of the last authorised transaction 1. 2. 3. 4. 5. ©MNoonan 2009

External Dispute Resolution – via the Financial Ombudsman service -merger of 3 financial industry schemes See www. fos. org. au TERMS OF REFERENCE o Considers disputes between an individual, partnership, corporate trustee of a SMSF, small business, club, strata title owners corporation of residential or small business premises. o Can consider a privacy dispute if it relates to credit, debt collection, credit reporting or banker-customer relationship or is part of a broader dispute. o Limit of $500, 000, but caps on individual claims. $280, 000 for things we would consider. Consequential loss, legal fees capped at $3, 000. o Will consider a dispute if lodged within 6 years claimant first became aware or 2 years of a response from an internal dispute resolution mechanism ©MNoonan 2009

Types of disputes that FOS can consider o Arising from contract o Arising from or relates to the provision of a Financial o o Service by the Financial Services Provider to the Applicant The provision by the Applicant of a guarantee or security An entitlement or benefit under a General Insurance Policy Various other Life Insurance and Investment situations not covered in our syllabus See clause 5 of Chapter F for exclusions from jurisdiction ©MNoonan 2009

Ombudsman Procedure when handling a complaint Ombudsman examines letter Decides whether in a position to consider it Allocates a case number And perhaps an investigator (who liaises with the bank) Sends details to FSP and permits opportunity to resolve by internal dispute resolution mechanism. May use negotiation, conciliation or mediation or make decision with process set out in clause 8. Not bound by rules of evidence Decides what is fair in all the circumstances, having regard to legal principles, industry codes, good practice, previous relevant decisions (although not bound by precedent). May consult and seek specialist input Must ensure parties are provided with access to documentation and information on which it will base a decision ©MNoonan 2009

Process o FOS makes Recommendation. If both parties accept within 30 days, dispute resolved o If within 30 days, FSP does not accept the Recommendation, either party requests a Determination, or FOS thinks it appropriate, FOS proceeds to a Determination by either Ombudsman or FOS Panel. o If Applicant accepts Determination within 30 days, it is binding on FSP. ©MNoonan 2009

Recommendation/Determination o Must be in writing o May either reach a conclusion or say it would not be appropriate o Set out reasons for any conclusion on the merits o Specify any remedy determined that FOS considers fair and appropriate o Provided to all parties ©MNoonan 2009

Remedies See clause 9 e. PC o Payment of money o Forgiveness or variation of a debt o Release of a security o Repayment, waiver or variation of a fee or other amount, o o including interest on a loan Reinstatement or rectification of a contract Variation of the terms of a Credit contract in cases of financial hardship That a claim under an insurance policy be met That the FSP should not repeat conduct with interferes with privacy or should correct information ©MNoonan 2009

Simultaneous legal proceedings o FSP cannot commence proceedings after application unless limitation period expiring soon o FSP must not continue proceedings relating to debt recovery other than as necessary to preserve legal rights o FSP must not take action to recover a debt the subject of a Dispute o FSP must abandon proceedings inconsistent with a Determination and cannot commence defamation actions with respect to allegations ©MNoonan 2009

Ombudsman Policies - Bank Cheques When considering a complaint about the stopping or dishonouring of bank cheques, O has regard to the guidelines of ABA and Law Society of NSW. Banks will only dishonour bank cheques in limited circumstances: n Forged or counterfeit instruments n Materially altered bank cheques n Bank cheques reported lost or stolen n A court order restraining payment n Failure of consideration for issue of a bank cheque NOTE a complaint by payee/holder falls outside terms of reference because drawing bank did not provide a banking service to payee. ©MNoonan 2009

Ombudsman Policies - Cheques Payment and collection of cheques The Drawer receives a “banking service” from the paying bank The Payee receives a “banking service” from the collecting bank If the Drawer wishes to complain about the collecting bank, they would not be able to do so to O even though the collecting bank has certain statutory obligations under the Cheques Act, because collecting bank not providing “banking service” to Drawer. ©MNoonan 2009

Ombudsman Policies - Third Party Cheques A third party cheque is a cheque deposited for payment into an account operated by someone other than the Payee. In these circumstances, the collecting bank is providing a “banking service” to the person who presents the cheque for payment. The O does not, however, have power to investigate a complaint by the Payee or a person otherwise claiming to be the true owner because the collecting bank did not provide a “banking service” them. ©MNoonan 2009

Ombudsman Policies - Late Dishonours Sometimes, banks advise a customer that a cheque has been dishonoured outside 3 day clearing period but still within clearance rules within banks. Customers may not have been provided with clear information about steps involved in cheque clearance. May not be aware of notation on account permitting release of uncleared funds or a commercial decision has been made to permit them access to uncleared funds. In these situations, O may consider whether bank actions are misleading, deceptive. ©MNoonan 2009

Ombudsman Policies Mistake and change of position in good faith O takes the view that where uncleared funds have been released to customer because of human or system error, bank is entitled to recover the money paid under mistake except where customer, in reliance on the payment, changed their position in good faith. Bank must establish it made a mistake of fact or law, it acted on the mistake in releasing the funds and the recipient has been unjustly enriched. Customer must establish they acted in good faith (actual belief in the security of the receipt), they relied on the mistake and they changed their position. A person can still be foolish, but honest. Customer must act to their detriment on faith of receipt. Mere expenditure not sufficient-must appear they would have acted differently had they not mistakenly believed they were richer than they were. e. g. not enough to simply spend the money on ordinary living expenses. Must be a genuine change of condition. E. g. making a bad investment that would not otherwise have been made, lending money to a third party that is irrecoverable, taking overseas trip that would not otherwise have been taken. ©MNoonan 2009

SAMPLE A BIO 2002 A Hasty Return Mr and Mrs S went to Europe for their honeymoon. They intended to stay for 1 month, but after 2 days, their credit card stopped working. They cut short their holiday and returned to Australia. They lodged a dispute with ABIO, claiming that the bank should compensate them for their loss of enjoyment of their holiday. When ABIO referred the dispute to the bank for its consideration, it offered an ex-gratia payment of $3, 000. Mr and Mrs S did not accept this offer, and it was subsequently withdrawn by the bank. Investigation The information provided by the bank did not establish why the credit card had stopped working. However, it was the case manager's view that as the bank represents to customers that the particular type of card can be used in most countries, the bank would be potentially liable for losses resulting from the failure of the card to work. ©MNoonan 2009

A Hasty Return Cont. The case manager then investigated whether, according to the Ombudsman's guidelines for assessing non-financial loss, Mr and Mrs S were entitled to any compensation from the bank. The case manager noted that: · Mr and Mrs S did not contact the bank to try to rectify the problem with the credit card; and · Whilst the credit card did not work, they could still have accessed alternative funds by using Mr S's Keycard. This would have allowed them to make EFTPOS purchases and ATM withdrawals of up to $A 800 per day, which appeared to be more than adequate for their travelling needs. Resolution The case manager concluded that Mr and Mrs S acted with extreme haste. As they had not given the bank an opportunity to resolve the matter, and did not take any reasonable steps to minimise the inconvenience they were suffering, the case manager found that it was not reasonable for Mr and Mrs S to expect to be compensated by the bank. ©MNoonan 2009

SAMPLE A BIO 2002 Disputed ATM Withdrawals Mr B and Ms C disputed a large number of ATM withdrawals, totalling $27, 000, made from their line-of-credit account over a three-year period with their debit cards. They acknowledged receiving monthly statements, but said they were only concerned with the closing balance. They only made a detailed check when they noticed that the home loan was not reducing as quickly as expected. They provided a detailed list of disputed transactions, but conceded that some of the withdrawals would have been their own. They claimed that access to their account could have been gained internally by the bank, or via a hacker on the internet. The bank declined to make any refund. It said it was not clear why some transactions were disputed and others were not. It also noted that Mr B and Ms C had not disputed any transactions on their credit card account, yet on some days, valid credit card purchases occurred in the same suburb as disputed debit card withdrawals. ©MNoonan 2009

Disputed ATM Withdrawals cont. Facts that came up during the investigation included that: both debit cards were used, but most of the disputed withdrawals were made with Mr B's card; both cards had bank-generated PINs; on two occasions it seemed that disputed ATM withdrawals had been used to make payments to the credit card account; on one occasion a disputed withdrawal was followed by a valid withdrawal only one minute later; and on at least one occasion there was a disputed cash withdrawal using a debit card on the same day that one of the disputants used a credit card to purchase goods in the same shopping centre. The case manager found nothing to support the contention that access was gained internally by the bank or via an internet hacker. There was also no information to support a possibility that an unauthorised third party had gained access to the cards and PINs. On the weight of information, the case manager concluded that the most probable explanation for the disputed transactions was that they had been made by the disputants ©MNoonan 2009 themselves. The bank was not asked to compensate the disputants.

Merchant EFTPOS Facility Disputant partnership selling giftware. 1 partner in business sinception. 1 bought share from partner who retired. All documentation signed by retired partner. A customer frequently telephoned over 5 weeks to order gift hampers. To process, disputants keyed customer card number into EFTPOS terminal. Did not swipe card or obtain signature, nor did customer ever come into shop. By keying “off Line”, disputants by-passed electronic system which prevented transactions over $100 limit if cardholder’s account did not have sufficient funds. Bank attempted to levy chargebacks because transactions not authorised. Case manager reviewed merchant agreement. Bank entitled to charge back transactions if not valid or not processed in accordance with relevant procedures. Found that disputants had contravened procedures by processing “off line” at a time when electronic system functioning, failing to seek authorisation and failing to take reasonable care to detect unauthorised use of the card…given the size, frequency and nature of transactions. Disputants argued they were not bound because neither had signed. However, after review of partnership agreements and partnership legislation, found original partner bound continuing partner and new partner had assumed equal liability. Finding was that bank could rely on merchant agreement and charge back all of the transactions. ©MNoonan 2009

Unauthorised Withdrawals Finding 6 on 2 August 2005 X had line of credit facility, with card access. Had never used the card in 10 years. Stored it with PIN in a drawer. Stolen 24 November, 2004. Unauthorised withdrawals on 24/11$2, 800 and 25/11 -$3, 000. Bank debited him for the lot. Reasons: he failed to protect PIN, failed to notify immediately, daily limit correct. He complained to O. Investigator found he failed to protect PIN with reasonable methods to prevent unauthorised access, AAPT records showed he rang bank 24/11 and spoke for 8 minutes-did notify bank, limit correct-See EFT Code 5. Liable for $2, 800 (amount taken before notification) but not $3, 000 (after notification). ©MNoonan 2009

Limits where compensation sought Ombudsman does not award punitive damages or compensation for time spent on the complaint An illustration of this was where Y sold investment property with settlement planned for 22 Nov. On 11 Nov, his bank informed him that they had lost the deeds. There followed several anxious days of calls and complaints, an application for a new CT, before the old one was found and settlement effected on 22 Nov as planned. Y claimed his expenses and $15, 000 punitive damages for all the stress. The bank offered $300 in compensation. The O policy was that a person must be moderately robust in the way they deal with unexpected problems. O does not award punitive damages and does not award compensation for time spent pursuing a complaint. ©MNoonan 2009

Exam Questions March 2008 QB 3 o David is a postman who steals a few envelopes containing cheque books during the year. He signs and cashes one or two cheques, then discards the books. Who bears the loss of this fraud? o Describe 3 ways in which electronic commerce can create new legal dilemmas. ©MNoonan 2009

Exam Questions-March 2007 o Is it , or is it not, a reasonable attempt at “disguise” for the purposes of the EFT Code of Conduct to put your PIN giving access to your bank account in your electronic organiser protected by a code? Explain why or why not. ©MNoonan 2009

Exam Questions-indirect As well as by direct questions, knowledge of this module can be examined indirectly. Questions dealing with other topics can involve use of electronic commerce…e. g. for transactions, banking, payment, formation of contract emails, advertisements or conduct leading to formation of agreements or action by one party. ©MNoonan 2009