Better safe than sorry: a cautionary tale about Customer Data Sharing Agreements

Two companies enter into a franchising agreement.  Amongst other things, the franchisor agrees to provide the franchisee with customer data for marketing purposes “subject to relevant privacy legislation”.  Say that such customer data sharing would be in breach of privacy laws.  Will the franchisee still be able to enforce the franchisor’s obligation to provide customer data in these circumstances?

A first of its kind

This issue was recently considered by the South Australian Supreme Court in Shahin Enterprises Pty Limited v BP Australia Pty Limited [2019] SASC 12 – notable also as the first case in Australia to interpret a contractual term dealing with customer data sharing with respect to the Privacy Act 1988 (Cth) (Privacy Act).

In this case, the Court held that BP Australia Pty Limited (BP) was not in breach of its contractual obligation in refusing to provide Shahin Enterprises Pty Limited (Shahin) with customer data and, in doing so, imparted the following important lessons for the privacy-savvy practitioner:

  • Australian Privacy Principles (APPs) 6 and 7 are mutually exclusive, such that where the use or disclosure of personal information is for the purpose of direct marketing, it is governed solely by APP 7 – even where the direct marketing will be done by a secondary entity (i.e. an entity that is not making the disclosure). However, this means that some provisions of APP 7 will not be applicable in the latter scenario; and
  • Entities intending to engage in customer data sharing should clearly stipulate their respective obligations in a written contract, particularly as to complying with privacy legislation. Depending on customer consents and notices, a mere obligation expressed as “subject to relevant privacy legislation” (as was the case here) may not be sufficient to ensure customer data sharing between contracting parties.

These issues are detailed below.

Background facts

In September 2013, after purchasing 25 of BP’s service stations in South Australia, Shahin entered into an agreement with BP to provide for the supply of petroleum products by BP to Shahin and the grant of a licence to Shahin to use BP branding on certain service stations owned by Shahin (Agreement).

Clause SC21 of the Agreement stated:

“Subject to relevant privacy legislation, BP will regularly provide to the Dealer information reasonably requested about BP card customers who visit the Dealer sites so that the Dealer may market goods and services to these customers.”

In August 2016, Shahin wrote to BP requesting the name, contact details, industry, purchase volume and non-fuel product purchase information of BP cardholder customers who had made purchases from Shahin’s service stations in the previous 24 months.  Shahin said that its purpose in making this request was to market goods and services at its service stations directly to BP cardholder customers.

BP refused Shahin’s request in a meeting between the two parties in December 2016, stating that it would breach applicable privacy legislation.

Relevantly, the use of BP cards by BP cardholders was governed by terms and conditions (BP Cardholder Terms), to which BP cardholders agree upon their application for a BP card.  Although consent is provided by BP cardholders under the BP Cardholder Terms in relation to certain uses and disclosures of their personal information, the Court found that, as a matter of contractual construction, this did not encompass disclosure by BP to (or use by) BP’s dealers of personal information for the purpose of direct marketing by the dealers.

Does APP 6 or APP 7 apply in relation to direct marketing?

APP 6.7(a) makes it clear that APP 6 (use or disclosure of personal information) does not apply in relation to direct marketing.

Further to this, the Court here confirmed that APP 7 exclusively governs all uses and disclosures of personal information for the purpose of direct marketing – regardless of whether the direct marketing is done by the entity making the use or disclosure (“primary entity”) or by another entity (“secondary entity”).  In other words, APP 7, and not APP 6, will apply in the case of disclosure of personal information by a primary entity for the purpose of direct marketing by a secondary entity.

However, in doing so, the Court recognised that not all principles in APP 7 will be applicable in such a case.  Specifically, the Court held that:

  • APP 7.2 only authorises the use or disclosure of personal information for the purpose of direct marketing by the organisation which collected the information from the individual; and
  • sub-principles (c)–(e) of APP 7.3 (which set out the opt-out mechanism required for the availability of this exception) will be inapplicable to the question of disclosure by a primary entity for direct marketing by a secondary entity.

As a consequence of the above, only APP 7.3 was available to Shahin to permit the disclosure of personal information by BP (or the use by Shahin) for the purpose of direct marketing by Shahin.  However, as noted above, the Court found that the requisite consent in APP 7.3(b)(i) had not been obtained from the BP cardholders for this disclosure to Shahin – nor, pursuant to the alternative option in APP 7.3(b)(ii), was there any impracticability in obtaining such consent.

The meaning of “impracticable” is not given in the Privacy Act, so it is notable here that the Court considered that a mere lack of power by BP to amend the BP Cardholder Terms would not make obtaining consent “impracticable” for the purposes of APP 7.3.  As the Court stated:

“if BP lacks power to amend the Cardholder Terms to provide for the requisite consent (the premise of Shahin’s contention, which I do not decide), it would be truly ironic if the very lack of power obviated the need to obtain consent in the first place. Conversely, if BP has power to amend the Cardholder Terms to provide for the requisite consent, there is no impracticability in obtaining consent.”

Accordingly, the Court held that BP would breach the Privacy Act by disclosing the requested information to Shahin for direct marketing by Shahin and Shahin would breach the Privacy Act by using the requested information for direct marketing.

Was there an implied contractual obligation in relation to customer data sharing?

As an alternative to the above, Shahin contended that there was an implied obligation on BP to amend the BP Cardholder Terms to avoid BP’s disclosure, and Shahin’s use, of personal information from breaching the Privacy Act.  Shahin argued that this obligation arose from the implied duty by parties to cooperate and by each party to do all that is necessary to be done on his or her part for the carrying out of the agreed matter to ensure that the other party receives the intended contractual benefits.

Unfortunately, this issue was not decided by the Court because Shahin had not pleaded the case.

There are, however, key insights to be taken away from this decision.

Practical take-away points

  • If parties to a contract wish to share customer data in compliance with relevant privacy laws, the recommended and safe course of action is to include express contractual obligations on each party to take reasonable steps to give notices, obtain consents or perform any other action as appropriate so as to achieve the desired commercial outcome.
  • Practitioners should consult APP 7 (noting the adjustments discussed above) for all uses and disclosures of personal information for direct marketing purposes – even where the direct marketing will be performed by an entity other than the one making the disclosure.