HealthEngine decision: understanding the overlap between privacy and consumer laws

We have seen a recent overseas trend by EU and US based competition regulators to address privacy related matters within a broader competition context. This is not something we have seen occurring in Australia to any great extent although the recent introduction of the Consumer Data Right has seen both the Office of the Australian Information Commission (OAIC) and the Australian Competition and Consumer Commission (ACCC) working hand in glove to regulate consumer data rights.

A recent 2020 decision now confirms the ACCC’s move into the privacy realm as part of its competition remit. In Australian Competition and Consumer Commission v HealthEngine Pty Ltd [2020] FCA 1203, the ACCC succeeded in its proceedings against HealthEngine Pty Ltd (HealthEngine), resulting in orders requiring HealthEngine to pay a penalty of $2.9 million.

HealthEngine provides an online platform through which patients can access a booking system for an online healthcare directory of over 70,000 health practices and practitioners in Australia.

In the orders agreed between the ACCC and HealthEngine, HealthEngine admitted that it engaged in misleading conduct in relation to the publication of misleading patient reviews and ratings, and the sharing of patients’ personal information to private health insurance brokers, during a period between 2015 and 2018 in contravention of sections 18, 29 and 34 of the Australian Consumer Law in Schedule 2 of the Competition and Consumer Act 2010 (Cth) (ACL).

Key takeaways

1. Businesses should be careful of making alterations to reviews. Changes that go beyond removing information that could allow consumers to be identified, or to correct typographical or grammatical errors, could increase the risk of contravening the ACL.
2. Businesses should provide adequate disclosures as to their intended use of personal information collected from consumers, particularly in cases where the personal information is to be shared or disclosed to third parties. Other than a potential contravention of the Privacy Act 1988 (Cth), this conduct could also result in a contravention of the ACL. Businesses should also review their existing privacy compliance practices and procedures in the context of the ACL, including as to whether:
   1. there are clear, unambiguous, and easily understood privacy collection statements or notices provided to consumers at appropriate times about the collection and use of their personal information;
   2. their privacy policies have been updated to reflect any disclosure of personal information to third parties, and that such changes have been communicated and explained to consumers in a clear, timely manner; and
   3. there are sufficient administrative measures in place to prompt changes to privacy collection statements or notices and privacy policies as required.
3. Other than pecuniary penalties, businesses should be aware of the significant reputational impact of enforcement action, whether by the ACCC or the OAIC. In response to reporting around the decision resulting in a misconception that it sold user databases to third parties, HealthEngine opted to release a corrective statement.

Patient reviews and ratings

The ACCC alleged that HealthEngine engaged in misleading and deceptive conduct by manipulating patient reviews and ratings published on its online platform.

In the agreed orders, HealthEngine admitted that it did not publish 17,000 negative reviews and edited a further 3,253 to make them more favourable to the health practice before publishing them on its online platform.

Examples of the unpublished negative reviews and edited reviews may be found in the Concise Statement (Public Version) filed by the ACCC.

Due to this conduct, HealthEngine admitted that it had falsely represented that:

1. the reviews published on the online platform were an accurate reflection of all reviews received from consumers about the health practices; and
2. the edited reviews were consumers’ testimonials relating to the services provided by the health practices.

In addition to the above conduct, HealthEngine also admitted that it only published ratings for health practices that have received more than 80% positive responses to the poll question ‘Would you recommend others to this practice.’ For those health practices that received a lower rating, HealthEngine chose not to publish a rating and made representations that there was insufficient data to calculate the rate or that the health practice did not have a customer satisfaction score.

Due to this conduct, HealthEngine admitted that it falsely represented the reasons it did not publish a rating for some health practices.

Sharing patients’ personal information to third parties

The ACCC alleged that HealthEngine engaged in misleading or deceptive conduct by failing to adequately disclose that consumers’ personal information would be sent to private health insurance brokers.

In the agreed orders, HealthEngine admitted that it disclosed the non-clinical personal information of 135,000 consumers over the course of a four (4)-year period to private health insurance brokers. The personal information disclosed included the consumers’ names, dates of birth, phone numbers, email addresses, whether the consumers had private health insurance, the health practices with whom consumers booked through HealthEngine, and the type of appointment booked through HealthEngine.

As part of the booking process, consumers were asked as to whether they ‘would like to receive a free call from our private health insurance experts’ but were not told that their personal information would be disclosed to a third party, and that it was a third party that would contact them.

Due to this conduct, HealthEngine admitted that this conduct would likely cause consumers to believe that HealthEngine would provide the private health insurance comparison or assistance service.

Decision

In addition to the pecuniary penalty of $2.9 million, the Federal Court also ordered HealthEngine to:

1. undertake an independent review of its Australian Consumer Law compliance program on an annual basis for a period of three (3) years;
2. implement changes identified as necessary by the independent reviewer within one (1) month of the date of each review; and
3. contact all patients whose personal information was provided to private health insurance brokers informing them that:
   1. their personal information had been disclosed to private health insurance brokers;
   2. the identity of each private health insurance broker to whom that patient’s personal information was provided;
   3. the nature of the referral arrangement between HealthEngine and the private health insurance brokers; and
   4. instructions as to how the patient can request the deletion of their personal information.

The HealthEngine decision is a timely reminder for businesses to consider the broader compliance challenges posed by consumer focussed technologies. The need to properly consider privacy related obligations and competition requirements is not something new. What is new is the approach by the ACCC to include privacy compliance elements as a major part of its enforcement strategy. It will be interesting to see whether this overlap continues to develop and to what extent the OAIC will adopt a harder enforcement line itself to support its fellow regulator.

Get in touch with Gadens’ specialist teams should you have any questions regarding privacy or competition and consumer law.

Authored by:

Dudley Kneller, Partner
Raisa Blanco, Associate