We have seen a recent overseas trend by EU and US based competition regulators to address privacy related matters within a broader competition context. This is not something we have seen occurring in Australia to any great extent although the recent introduction of the Consumer Data Right has seen both the Office of the Australian Information Commission (OAIC) and the Australian Competition and Consumer Commission (ACCC) working hand in glove to regulate consumer data rights.
A recent 2020 decision now confirms the ACCC’s move into the privacy realm as part of its competition remit. In Australian Competition and Consumer Commission v HealthEngine Pty Ltd  FCA 1203, the ACCC succeeded in its proceedings against HealthEngine Pty Ltd (HealthEngine), resulting in orders requiring HealthEngine to pay a penalty of $2.9 million.
HealthEngine provides an online platform through which patients can access a booking system for an online healthcare directory of over 70,000 health practices and practitioners in Australia.
In the orders agreed between the ACCC and HealthEngine, HealthEngine admitted that it engaged in misleading conduct in relation to the publication of misleading patient reviews and ratings, and the sharing of patients’ personal information to private health insurance brokers, during a period between 2015 and 2018 in contravention of sections 18, 29 and 34 of the Australian Consumer Law in Schedule 2 of the Competition and Consumer Act 2010 (Cth) (ACL).
The ACCC alleged that HealthEngine engaged in misleading and deceptive conduct by manipulating patient reviews and ratings published on its online platform.
In the agreed orders, HealthEngine admitted that it did not publish 17,000 negative reviews and edited a further 3,253 to make them more favourable to the health practice before publishing them on its online platform.
Examples of the unpublished negative reviews and edited reviews may be found in the Concise Statement (Public Version) filed by the ACCC.
Due to this conduct, HealthEngine admitted that it had falsely represented that:
In addition to the above conduct, HealthEngine also admitted that it only published ratings for health practices that have received more than 80% positive responses to the poll question ‘Would you recommend others to this practice.’ For those health practices that received a lower rating, HealthEngine chose not to publish a rating and made representations that there was insufficient data to calculate the rate or that the health practice did not have a customer satisfaction score.
Due to this conduct, HealthEngine admitted that it falsely represented the reasons it did not publish a rating for some health practices.
The ACCC alleged that HealthEngine engaged in misleading or deceptive conduct by failing to adequately disclose that consumers’ personal information would be sent to private health insurance brokers.
In the agreed orders, HealthEngine admitted that it disclosed the non-clinical personal information of 135,000 consumers over the course of a four (4)-year period to private health insurance brokers. The personal information disclosed included the consumers’ names, dates of birth, phone numbers, email addresses, whether the consumers had private health insurance, the health practices with whom consumers booked through HealthEngine, and the type of appointment booked through HealthEngine.
As part of the booking process, consumers were asked as to whether they ‘would like to receive a free call from our private health insurance experts’ but were not told that their personal information would be disclosed to a third party, and that it was a third party that would contact them.
Due to this conduct, HealthEngine admitted that this conduct would likely cause consumers to believe that HealthEngine would provide the private health insurance comparison or assistance service.
In addition to the pecuniary penalty of $2.9 million, the Federal Court also ordered HealthEngine to:
The HealthEngine decision is a timely reminder for businesses to consider the broader compliance challenges posed by consumer focussed technologies. The need to properly consider privacy related obligations and competition requirements is not something new. What is new is the approach by the ACCC to include privacy compliance elements as a major part of its enforcement strategy. It will be interesting to see whether this overlap continues to develop and to what extent the OAIC will adopt a harder enforcement line itself to support its fellow regulator.
Dudley Kneller, Partner
Raisa Blanco, Associate