Artboard 1Icon/UI/CalendarIcons/Ionic/Social/social-pinterest

HealthEngine: The intersection of privacy and consumer protection

19 August 2019

#Competition & Consumer Law, #Data & Privacy

Published by:

HealthEngine: The intersection of privacy and consumer protection

The Australian Competition & Consumer Commission (ACCC) announced on 8 August 2019 that it had commenced legal proceedings in the Federal Court against the online platform, HealthEngine Pty Ltd (HealthEngine) alleging that a number of its practices constitute misleading and deceptive conduct in breach of the Australian Consumer Law.

HealthEngine is an online platform that enables Australians to book healthcare providers online. Until this practice ceased in June 2018, patient reviews of member health care providers were also published on HealthEngine’s site.

Reviews and ratings

The first aspect of the ACCC’s claim is that HealthEngine did not publish negative patient reviews, manipulated the patient reviews that it did publish (creating a misleading impression) and also that it misrepresented why ratings were not published for some health practices. In that respect, the case is unremarkable and is similar to other cases that the ACCC has instituted in the past, including in relation to Meriton serviced apartments. In that case, Meriton was ordered by the Federal Court to pay penalties of $3 million for manipulating client feedback to stop negative reviews of its properties being published on TripAdvisor. 

Disclosure of personal information

However, the second element of the ACCC’s claims is interesting as it demonstrates the intersection of consumer protection and privacy regulation. The ACCC has alleged that for a period of just over two years HealthEngine provided personal information of users of its site to third party private health insurance brokers without adequately disclosing to those users that this would occur. The personal information disclosed to the insurance brokers included names, phone numbers, email addresses, type of health care practice the patient had made a booking with and the private health insurance status of the user. The ACCC has alleged HealthEngine engaged in misleading and deceptive conduct as its conduct indicated to users that it provided private health insurance advisory services itself (which it did not) and did not indicate that HealthEngine would provide users’ personal information to third parties.

If these allegations of the ACCC are correct, HealthEngine’s conduct would also potentially found a case for breach of the Australian Privacy Principles (APPs) as contained in the Australian Privacy Act. For example, these actions may be a breach of APP 6. Under APP 6, if a regulated entity such as HealthEngine collects personal information for a particular purpose, it cannot use it for a secondary purpose unless, as relevant here, consent is obtained or it would reasonably be expected by the individual that the information would be used for that purpose (and that purpose is related to the primary purpose). 

Digital Platforms Inquiry

The close relationship between consumer protection and privacy regulation is also made clear by the ACCC’s recently completed Digital Platforms Inquiry. In its Final Report from that Inquiry, the ACCC commented on the intersection of privacy, competition and consumer protection considerations including for example because transparent and accurate, comprehensible information regarding data practices is required to be provided to Australians for both privacy and consumer protection reasons. 

The ACCC made numerous recommendations in the Final Report for the strengthening of protections in the Privacy Act. A number of investigations that the ACCC has referred to in the Final Report further demonstrate the overlap between privacy and consumer protection. For example, the ACCC is investigating whether it should take action in relation to Facebook’s privacy policy under the unfair contract terms provisions of the Australian Consumer Law. To take another example, the ACCC is also investigating whether representations by Google about its privacy policy, and the level of disclosure about subsequent privacy policy changes that enabled Google to combine or match different sets of user data, raise issues under the Australian Consumer Law. 

A closer relationship between the ACCC and the Office of the Australian Information Commissioner (OAIC)

The OAIC worked with the ACCC in relation to the Digital Platforms Inquiry and welcomed the recommendations of the ACCC’s Final Report in relation to the strengthening of privacy protections for Australians. The OAIC is also working closely with the ACCC in relation to the implementation of Australia’s new consumer data rights regime, as the two regulators both have roles in the implementation and enforcement of that regime. 

Given the intersection of consumer protection and privacy issues, particularly in the online world, it is likely that we will continue to see close cooperation between the ACCC and the OAIC.

Author: Angela Flannery

The information in this publication is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavour to provide accurate and timely information, we do not guarantee that the information in this publication is accurate at the date it is received or that it will continue to be accurate in the future. We are not responsible for the information of any source to which a link is provided or reference is made and exclude all liability in connection with use of these sources.

Published by:

Share this