'I'll just tweet this product recommendation': ASIC's thoughts on advertising financial products and advice services using social media (or, OMG!! DBEYR - ASIC's nu RG!!)

Posted by Anthony Oxley & Tony Dhar

The Australian Securities & Investments Commission (ASIC) recently released regulatory guidance in relation to advertising financial products and advice services.

ASIC's guidance was issued to assist promoters of such products and services comply with their legal obligations, including to not make false or misleading statements, engage in misleading or deceptive conduct and to not make representations about future matters without reasonable grounds. 

What kind of ads?

The guidance applies to any communication intended to advertise financial products or financial advice services. So, the form of media is not important to ASIC. Advertisements are treated the same whether they appear in:

• traditional media (newspapers, magazines, radio, TV)
• the internet (websites, banner ads, streamed videos)
• social media and internet discussion sites
• other media, including direct mail, telemarketing and seminars.

 

Will this compromise my innovative social media strategy? We worked so hard to reduce our advertisement to 140 characters!

ASIC's guidance does not require advertisements to be self contained (this did form part of ASIC's original proposal in this area).

Having said that, the guidance requires disclaimers or warnings to be comprehensible, and, where the chosen advertising medium has inherent content limitations (such as the 140 character limitation on Twitter), promoters must consider whether that medium is appropriate if it limits providing balanced information to consumers.

So – promoters may still devise engaging and interesting campaigns, subject to their overarching legal requirements, including against campaigns or catchy taglines (or tweets...) that might confuse.

In the social media context, this would for example require consideration of the overall impression given by:

• short/sharp banner ads;
• succinct tweets with over-reaching promises;
• words that have a particular meaning in the minds of consumers (such as free, secure, or guaranteed); and
• disclaimers on websites that flash up, and then immediately off.

Thinking about Twitter specifically, in light of ASIC's guidance relating to the requirement to provide balanced information, promoters should also be careful about disclaimers and warnings in tweets, including having regard to ASIC's view that 'consumers should not need to go to another website (or other page of the website) or document to correct a misleading impression'.

Example tweet	OK?
Fee free accounts at [YourBank]! [+ link to website, or t's & c's which say fee free accounts only available to new customers]	shouldn't need to go to another website to correct a misleading impression.
No annual fees on [YourBank] transaction accounts! [+ link to t's & c's which say there are monthly fees, the cumulative effect of which is an annual fee]	as above, shouldn't need to go to another website to correct a misleading impression.
Low introductory APR and free balance transfers! [YourBank credit card] [+ link to t's & c's which state that low APR and free balance transfer offers not available concurrently]	as above, shouldn't need to go to another website to correct a misleading impression.
[YourBank]. No fees - eligibility conditions apply. [link to t's & c's]	Maybe - depends on conditions, eg. does customer need a fee paying connected account, or a loan over a certain balance? If so, probably not ok as 'no fees' is not balanced.
Get a great deal on a home loan! [link to product website]

As the examples above show, in the context of Twitter, we think it would be difficult in practice to comply with ASIC's guidance within 140 characters. From a marketing perspective, it might be more likely that Twitter is used as a 'sign post' to refer people to a website for the product. So, tweets need to be more 'sales pitch neutral' so as to not create an impression that is then later qualified or disclaimed somewhere else.

 

Other examples of what you may need to be careful about!

Specific examples given in ASIC's guidance include:

• calculation of returns using foreign currencies (and not Australian dollars)
• overstating the security of a financial product
• insurers not making potential customers aware of conditions (such as the absence of at-fault claims, or age restrictions)
• comparisons that are not like for like, or that ignore other features
• implying that past performance will continue
• celebrity endorsements where the endorser actually knows very little about the product they are endorsing
• images that might imply the company is at a more advanced stage of development that is in fact the case (eg showing a working mine where the business is still at an exploratory stage)
• conflicted remuneration structures for financial advisers.

Recently, two financial institutions have been required to withdraw or modify marketing material relating to credit card limit invitations placed in various forms of media – including on a website, on physical credit card statements and email. Further, one financial institution agreed with ASIC to cease using 'stress free' in its marketing of certain geared investment strategies. At the time, ASIC's commissioner encouraged the financial services industry:

to strive to do more than simply meet the minimum requirement of not being misleading or deceptive. Rather, [ASIC encourages] industry to actually take a role in ensuring that advertising helps investors and consumers to make decisions that are appropriate for them.

 

I'm only a publisher, so should I worry?

While defences from prosecution for publishers are available if the publisher received the advertisement for publication in the ordinary course of their publishing business and did not know, and had no reason to believe, that its publication would amount to an offence, there are still residual legal and reputational risks for publishers, including aggregator and comparison sites.

Such publishers should closely monitor 'advertorial' type content and/or the disclosure of commissions and referral fees.

 

And finally, ASIC has embraced social media itself...

Finally, just a note in passing that the use of social media to engage directly with an audience hasn't escaped ASIC itself – see ASIC's moneysmart website, launched in March 2011, together with its Twitter feed (500+ tweets), Facebook page (800+ 'likes'), mobile apps for investment calculations and YouTube videos on home loans.  This use of social media is consistent with ASIC's aims to provide independent information to educate potential investors, and more broadly is part of the government's National Financial Literacy Strategy.

Mismanaging IT projects to failure

Partner: Ron Pila

This is the last in a series of articles (Just what is causing IT project failures? and Setting-up IT projects for failure) in relation to the issues identified in the report prepared by the Victorian Ombudsman in conjunction with the Victorian Auditor-General (Own motion investigation into ICT-enabled projects released November 2011) (Ombudsman's Report) which looked into the factors that contributed to the failure of public sector ICT projects.

We had earlier commented that the factors identified by the Ombudsman's Report can be divided into:

• things done at the outset that result in the project being set up for failure (see Setting-up IT projects for failure); and
• 'mistakes' made during the course of the project.

In this post, we consider the factors and mistakes made during the course of projects that lead to those projects failing.

Accountability

The Ombudsman's Report noted that in many of the projects reviewed there were no clear lines of accountability for the progress and success of those projects. It is essential that there are senior personnel who clearly 'own' the project and are accountable for key decisions made in the course of the project. While there can be a tendency to assume that the project 'owner' should reside within the organisation's IT department, it is often more appropriate for the project 'owner' to be a senior executive within the part of the business that will be the ultimate user of the system or services.

Lack of leadership

A related issue identified by the Ombudsman's Report is a lack of leadership on these major projects. Sometimes these projects require strong leaders to step up and make hard decisions. An absence of such leadership can result in a project drifting without clear direction.

Poor governance

Good governance arrangements are essential in the conduct of major projects. However, often this governance is lacking.

Large complex projects require well functioning committees made up of people with relevant experience and appropriate skill sets. These committees must be capable, and encouraged, to ask hard questions, to look behind project management decisions and to take action to bring the project back on track.

Risk management

'Risk management' has been a catch phrase in the ICT industry for many years now. Unfortunately, it is not uncommon for those undertaking major projects to only pay lip service to risk management.

While it is good practice to list indentified risks at steering committee meetings and to have and maintain a risk register, these alone are not enough. Active steps need to be taken to manage the risks that have been identified.

Probity/conflict of interest

The Ombudsman's Report identified instances where issues of probity were not sufficiently attended to. This led to the potential for a perception of lack of fairness or conflicts of interest. Without proper attention to these issues, it is very easy to fall into difficulty and extremely hard to extricate oneself from it.

A common example of a potential probity issue is the engagement of a vendor in a pilot or requirements development stage of a project and then allowing that vendor to be a tenderer for the project. While there is no hard and fast rule that prevents this, it does create a potential probity issue that needs to be very carefully managed.

Project management

The Ombudsman's Report identified issues with project management as being a key contributor to project failure. Of particular note was a lack of strong project management skills within many agencies and departments.

Vendor management

Vendor relationships can be challenging and do need to be carefully managed. It is up to management on both sides to ensure that all parties are pulling in the same direction. Like project management, vendor management is an undertaking that requires skill, expertise and experience.

Change management

Implementing new ICT systems and services will often require significant changes within an organisation and how it conducts its operations. Managing these changes is critical but, unfortunately, often does not receive the focus required. The change process should be treated as a project in itself, subject to appropriate project management, leadership and governance.

It is clear from the Ombudsman's Report that the management of major ICT projects could be significantly improved. While most of the recommendations and observations made in the Ombudsman's Report are not new, they are a timely reminder that ICT projects are failing as a result of the same mistakes being made over and over again.

Full Federal Court finds Optus TV Now service infringes copyright

Posted by John Fairbairn and Charles Alexander

On 27 April 2012, the Full Court of the Federal Court allowed an appeal concerning the legality of the Optus TV Now service, which enables users to remotely record television broadcasts and watch them on their computer or handheld device. The Full Court held that Optus made the copies of the programs and consequently infringed copyright in the broadcasts. The decision overturns that of Rares J at first instance and has implications for providers of cloud storage services.

The service

In order to use the TV Now service an Optus customer entered into a contractual relationship with Optus and downloaded an App to a device such as a personal computer, mobile phone or iPad. By hitting a 'record button' within the App, the user would cause, via an automated process, a recording of the program to be made on servers controlled by Optus. When the user later decided to play back the recording, it would be streamed from those servers in a format appropriate to the user's device.

Trial Judge's decision

The AFL and NRL alleged that Optus infringed the copyright in broadcasts of their games by operating the TV Now service. In particular, they alleged Optus had infringed their copyright by making copies of the free-to-air television broadcasts of matches and communicating those copies to TV Now subscribers. Optus commenced proceedings against the AFL and NRL alleging wrongful threats of infringement asserting that there was no copyright infringement by reason of section 111 of the Copyright Act, which provided that, amongst other things:

(1) This section applies if a person makes a cinematograph film or sound recording of a broadcast solely for private and domestic use by watching or listening to the material broadcast at a time more convenient than the time when the broadcast is made.

The trial judge, Rares J, analogised the Optus TV Now service to a VCR or DVR. His Honour determined that it was not Optus that had made the infringing copy, but rather the user the TV Now service, and that his or her conduct fell within section 111. Read our TMTBlog post 'Federal Court finds Optus' TV Now service does not infringe copyright' summarising this decision.

Appeal

The Full Court focused on the question of whether it was Optus or the user that made the copy of the program.

In a joint judgment, the Full Court held that Optus was either the maker, or alternatively, that Optus and the subscriber were jointly the makers of the copies.

The court rejected arguments that Optus acting as an agent for the subscriber or that the subscriber was the principal making the copy using a facility provided by Optus. In particular:

• The court considered that the concept of 'making' a cinematograph film of a broadcast (ie. to make a copy of it) requires a physical embodiment of the broadcast in an article or thing. Although the TV Now service only operated when a user hit the recording button, it did not necessarily follow that the subscriber was the, or the only maker of the copy;
• In this case, the physical embodiments were stored on Optus' facilities. The court emphasised that Optus had designed the service, gave it its functionality, owned the IP in it and marketed the service to its customers. Further, as the Court stated:

'[52]Optus at all times retained possession, ownership and control of the physical copies made on the hard disc of its NAS computer ...'

[60] ... [W]e consider that the system itself has been designed in a way that makes Optus the 'main performer of the act of [copying]' (to adopt the language used in a recent Japanese decision involving a service relevantly similar to the present, which has been supplied to the Court in translation): see Rokuraku II, First Petty Bench of the Supreme Court, Japan, 20 January 2011 ...

• The court held that:

[67] ... Optus’ role in the making of a copy – ie in capturing the broadcast and then in embodying its images and sounds in the hard disk – is so pervasive that, even though entirely automated, it cannot be disregarded when the 'person' who does the act of copying is to be identified. The system performs the very functions for which it was created by Optus.

Optus' conduct in capturing, copying, storing and making available for reward, programs for later viewing by its customers meant that it exercised the exclusive rights of the copyright owner to make a copy of a broadcast.

Although it was unnecessary for the court to decide whether Optus was the sole maker of the copy or whether it was made jointly with the user, it indicated its preference for the latter view.

Implications

The judgment contains a number of sweeping statements, including at [64]:

'[64] It equally is not apparent to us why a person who designs and operates a wholly automated copying system ought as of course not be treated as a 'maker' of an infringing copy where the system itself is configured designedly so as to respond to a third party command to make that copy: see generally the criticism of Cartoon Network in Ginsburg, at 15-18.'

that will be of concern for providers of storage services, such as cloud computing. Under this decision, the provider of an automated service that allows a customer to store content on servers or other devices owned and controlled by the service provider, may be directly liable for copyright infringement. Much will depend on the nature of the service and the fact that the TV Now service had the sole purpose of recording free-to-air television broadcasts may distinguish it from other general purpose remote storage services.

Nonetheless, the decision could have a chilling effect on the development of innovative online services.

Next steps

While the Full Court's decision overturns that of the primary judge, their Honours state at [9]:

'We have found the questions raised in the appeals to be of some difficulty and considerable uncertainty'

These comments would indicate that the issues in dispute are ripe for consideration by the High Court.

Managing privacy risks in call centres

Posted by Veronica Scott ● Partner: Charles Alexander

The work of call centres involves collect, processing and disclosing a large range of personal information, including sensitive and financial information. Staff working at the centres have direct access to this information. Organisations that run or use call centres need to identify and manage risks to minimise privacy breaches.

Weaknesses range from high staff turnover and lack of privacy training to human error and lax security processes. Threats include for example third party middlemen who use staff to gain access to data which they then sell to create new false identities. They may for example engage staff in a social setting, find out what they do and who they work for and then offer cash for receiving details about customers' identities.

Robust and regular privacy training and risk management processes, together with good record keeping, are crucial to managing these issues and for enabling potential issues to be identified early and escalated. It is important to conduct regular audits and spot checks to identify and track unusual activity and for early detection of privacy breaches. Conducting regular Privacy Impact Assessments will support these processes.

Obama's move to protect online privacy: a new Consumer Privacy Bill of Rights

Posted by Yan-Li Ho ● Partner: Charles Alexander

The White House has released a paper setting out a framework for the protection of online consumer privacy adapting existing privacy principles

The paper is designed as a guide for the US Administration to work with Congress to eventually introduce legislation. It will not be mandatory. However, private sector companies that are not subject to existing data privacy laws will be encouraged to participate through codes of conduct that, once publicly and affirmatively adopted by companies subject to the jurisdiction of the US Federal Trade Commission (FTC), will be legally enforceable by the FTC.

The Bill of Rights will apply to commercial uses of personal information. This could potentially include any data, including aggregations of data, which is linkable to an individual. It could also potentially include data linked to a specific computer or other device. It gives seven key rights to users:

Individual control: a right to exercise control over what personal data companies collect from them and how they use it;

Transparency: a right to easily understandable and accessible information about privacy and security practices;

Respect for context: a right to expect that companies will collect, use, and disclose personal data in ways that are consistent with the context in which consumers provide the data;

Security: a right to secure and responsible handling of personal data;

Access and accuracy: a right to access and correct personal data in usable formats, in a manner that is appropriate to the sensitivity of the data and the risk of adverse consequences to consumers if the data is inaccurate;

Focused collection: a right to reasonable limits on the personal data that companies collect and retain; and

Accountability: a right to have personal data handled by companies with appropriate measures in place to assure they adhere to the Bill of Rights.

While being a welcome step forward, enforcement by the FTC and a clear complaints process for consumers will be critical to ensuring that companies can be held accountable for adhering to their privacy codes of conduct. We understand the Obama Administration is encouraging the US Congress to provide the FTC with specific authority to enforce the Bill of Rights. In this area, striking the right balance involves sufficiently protecting consumers' privacy expectations while providing companies with the certainty they need to continue to grow online.

It is worth noting that the Bill of Rights does not cover any rights with regards to trans-border data flows. Currently, the US relies primarily on the FTC's case-by-case enforcement of general prohibitions on unfair or deceptive acts and practices. However, the increasing expansion of online businesses across borders arguably makes this approach unsustainable in the long-term. To this end, the White House's paper focuses on principles of enforcement cooperation between countries. It has been suggested the US Administration could jointly develop codes of conduct that support mutual recognition of legal regimes or perhaps adopt a voluntary system of cross border privacy rules, based on the existing APEC Privacy Framework.

In the coming months, we understand the US Administration will consult with various stakeholders, including other countries, to develop enforceable privacy codes of conduct that build on the draft Privacy Bill of Rights. A copy of the White House paper is available here.

Six month jail sentence for posting nude photos on Facebook

Posted by Charles Alexander and Althea Hartley

A 20 year old Sydney man, Rashan Usmanov, was recently sentenced to six months imprisonment by the NSW Local Court for posting nude images of an ex-girlfriend on his Facebook page. The images displayed the ex-girlfriend in certain positions that clearly showed her breasts and genitalia. Usmanov had refused to take down the images at the request of the ex-girlfriend and had reposted them after taking them down at the request of the police.

Usmanov was charged under section 578C of the Crimes Act 1990 (NSW), which makes it an offence to publish indecent articles. The maximum penalty for an individual found guilty of this offence is a $11,000 fine or 12 months imprisonment (or both).

In her judgment, Deputy Chief Magistrate, Jane Mottley, remarked on the importance of deterring both the defender and the community generally from committing similar crimes:

'This is a particularly relevant consideration in a matter such as this where new age technology through Facebook gives instant access to the world. Facebook as a social networking site has limited boundaries. Incalculable damage can be done to a person's reputation by the irresponsible posting of information through that medium. With its popularity and potential for real harm, there is a genuine need to ensure the use of this medium to commit offences of this type is deterred.'

This case illustrates an alternative method for redressing a breach of privacy which was not dependent upon separate privacy legislation. Although, it did not provide a means of obtaining financial compensation for any harm the ex-girlfriend may have suffered.

The full judgment can be viewed here.

iiNet wins High Court copyright battle

Posted by Paul Kallenbach and Nick Liau

 

In a 5-0 decision of the High Court, iiNet has finally won its long running legal battle with copyright holders. The Court held that iiNet was not liable for its users' downloading of copyright material.