Data Protection in the Pacific: Obligations for Telecommunications Businesses
By Andrew Kidu
In contrast to most parts of the world, the Pacific region lacks sophisticated and coordinated data protection and privacy legislation, leaving a significant gap in safeguarding personal information. However, this does not imply that companies operating in critical sectors like telecommunications in the Pacific have free rein to handle confidential customer information and data as they please. Quite the contrary! Despite the current gaps in legislation, ethical business practices and responsible data handling remain essential for these companies. Adherence to international best practices and self-regulation is vital to ensure the protection of customer privacy and data integrity in the absence of comprehensive legal frameworks.
Businesses that collect, store and use personal information of customers in Pacific jurisdictions are likely to be bound by:
(a) a common law duty of confidentiality; and
(b) obligations contained in local telecommunications legislation.
Generally, the obligations contained in local telecommunications legislation will mirror common law confidentiality obligations.
What is the common law duty of confidentiality?
The general position is if information is given in circumstances where it is expected that a duty of confidence applies, that information cannot be disclosed without the information provider’s consent: where required by law (e.g. via a search warrant); or if it is in the publicinterest to disclose such information. Each of the jurisdictions considered in this article is a common law jurisdiction, and businesses in those jurisdictions will be bound by their common law duty of confidentiality as well as any duty under local law.
General comment regarding legislation specific to telecommunications
Generally, local telecommunications legislation will impose a duty on operators in those sectors to:
protect confidential information;
disclose confidential customer information only in prescribed circumstances (that is, with customer consent or where required by law); and
use such confidential customer information for disclosed purposes/for the purposes of supplying telecommunications services to the customer only.
Legislation specific to telecommunications service providers/licensees in the Pacific
Jurisdiction | Legislation specific to telecommunications service providers/licensees in the Pacific |
---|---|
Fiji | Section 54(1)(e) of the Telecommunications Act 2008 provides that any service provider must keep information about consumers confidential, including billing information and call information, except to the extent necessary to publish any public telecommunications directory, enable billing of the consumer or to address fraud or bad debt. Section 73(2) of the Telecommunications Act 2008 provides that a licensee must, in connection with the operation of telecommunications networks or the supply of telecommunication services, give officers and authorities of the Government such help as is reasonably necessary for the following purposes:
The Telecommunications Authority of Fiji (TAF) has power to require disclosure of information and documents reasonably required by it from persons or licensees (section 31 of the Telecommunications Act 2008). |
Papua New Guinea | The National Information and Communications Technology Act 2009 (NICT Act) does not explicitly require telecommunications service providers to hold customer information confidentially. The NICT Act envisages that some information, including customer information, could be confidential in nature and so when disclosed to the National Information and Communications Authority (NICTA) a person may request that the information not be disclosed to the public due to its confidential nature. Under section 44 of the NICT Act, NICTA has the ability to exclude information from publication, where it is satisfied that it is necessary or desirable to do so.
Under the Consumer Protection Rule 2014, service providers are obligated to provide a Consumer Guide which deals with consumer relations, including their policies and processes to protect customer information. Under the SIM Card Registration Regulation 2016, which makes it mandatory to register customers, customer data is confidential and cannot be disclosed unless authorised, including disclosure to a security agency. Further, customer data shall not be transferred outside PNG except under a warrant issued pursuant to the Mutual Assistance in Criminal Matters Act 2005. |
Solomon Islands | Section 73(1) of the Telecommunications Act 2009 requires that service providers take all reasonable steps to ensure the confidentiality of consumer communications. Section 72(2) of the Telecommunications Act 2009 provides that service providers may collect, use, maintain or disclose user information only with the consent of that user (except in certain prescribed circumstances, for example, disclosure of certain information in a printed or electronic phone directory). Appropriate safeguards must be applied to prevent the collection, use, maintenance or disclosure of such information.
The Telecommunications Commission may order the production of specified documents and information or classes of documents and information by service providers and any other persons (section 28(1) of the Telecommunications Act 2009). |
Vanuatu | Section 73(1) of the Telecommunications Act 2009 requires that service providers take all reasonable steps to ensure the confidentiality of consumer communications. Section 72(2) of the Telecommunications Act 2009 provides that service providers may collect, use, maintain or disclose user information only with the consent of that user (except in certain prescribed circumstances, for example, disclosure of certain information in a printed or electronic phone directory). Appropriate safeguards must be applied to prevent the collection, use, maintenance or disclosure of such information. The Telecommunications Commission may order the production of specified documents and information or classes of documents and information by service providers and any other persons (section 28(1) of the Telecommunications Act 2009).
|
Samoa | Section 48 of the Telecommunications Act 2005 provides that a service provider must not disclose information concerning a customer without the customer’s written consent or unless disclosure is required by the Regulator or by law. Section 50 of the Telecommunications Act 2005 provides that a service provider is responsible for customer information and customer communications in the service provider or the service provider’s agent’s custody or control. To this end, a service provider must:
The Telecommunications Regulator has broad powers to make orders respecting any matter or thing within the jurisdiction of the Regulator (section 8(r) of the Telecommunications Act 2005). Although not explicitly stated, this power is far reaching and would likely include the ability to direct disclosure of information (including confidential information) and documents from licensees, where disclosure is necessary in performing its functions under the Act. |
What are the consequences of non-compliance for an operator?
An operator who fails to comply with its common law duty of confidentiality may find itself exposed to a breach of contract claim by the relevant customer, and that operator may be liable to pay damages.
Breach of an operator’s obligations under the relevant telecommunications legislation may result in:
penalties (which may be imposed on the operator/its officers);
remedies being imposed on the operator (in addition to/in lieu of a penalty); and/or civil liability (resulting in operator/its officers being required to pay damages),
by the telecommunications regulator and/or the relevant Court.
Ultimately, the telecommunications regulators in each of the jurisdictions discussed in this article have the power to amend the terms and conditions of licences or revoke a license altogether for material failure to comply with a licence term or condition, or the relevant telecommunications legislation.
How can we help?
The Pacific Legal Network can assist businesses by:
reviewing customer terms and conditions to ensure that they comply with local legislation and obligations with respect to confidentiality of customer information;
reviewing internal policies and procedures which deal with collection, use and storage of customer information;
advising in relation to requests for disclosure, including assessing the suitability of customer consent, or the validity of an external request for information; and
providing general advice in relation to the privacy of customer information and disclosure under the laws of the Pacific.
For the purposes of this article, we have considered the nature of such obligation in Fiji, PNG, the Solomon Islands, Vanuatu and Samoa.
Comments