Data Protection in the Pacific: Obligations for Telecommunications and Banking Businesses

By John Ridgway, Dirk Heinz and Brad Phillips

In comparison with most of the world, coordinated data protection and privacy legislation in the Pacific is relatively unsophisticated – in fact, it is pretty much non-existent. With this in mind as a starting point, can companies operating in key sectors such as telecommunications and banking in the Pacific do what they want with confidential customer information and data? Of course not!

Businesses who collect, store and use personal information of consumers in Pacific jurisdictions are likely to be bound by:

(a) a common law duty of confidentiality; and

(b) obligations contained in local telecommunications/banking legislation.

Generally, the obligations contained in local telecommunications/banking legislation will mirror common law confidentiality obligations.

What is the common law duty of confidentiality?

The general position is that if information is given in circumstances where it is expected that a duty of confidence applies, that information cannot normally be disclosed without the information provider’s consent: where required by law; or if it is in the public interest to disclose such information. Each of the jurisdictions considered in this article is a common law jurisdiction, and businesses in those jurisdictions will be bound by their common law duty of confidentiality.

General comment regarding legislation specific to telecommunications and banking

Generally, local telecommunications and banking legislation will impose a duty on operators in those sectors (where such operators are bound by that legislation) to:

protect confidential information;

disclose confidential customer information only in prescribed circumstances (that is, with customer consent or where required by law or by the telecommunications or banking regulator); and
use such confidential customer information for disclosed purposes/for the purposes of supplying telecommunications or banking services to the customer only.

Legislation specific to telecommunications service providers/licensees in the Pacific

Jurisdiction	Legislation specific to telecommunications providers / operators
Fiji	Section 54(1)(e) of the Telecommunications Act 2008 provides that any service provider must keep information about consumers confidential, including billing information and call information, except to the extent necessary to publish any public telecommunications directory, enable billing of the consumer or to address fraud or bad debt. Section 73(2) of the Telecommunications Act 2008 provides that a licensee must, in connection with the operation of telecommunications networks or the supply of telecommunication services, give officers and authorities of the Government such help as is reasonably necessary for the following purposes: enforcing the criminal law and laws imposing pecuniary penalties; protecting the public revenue; and safeguarding national security. The Telecommunications Authority of Fiji (TAF) has power to require disclosure of information and documents reasonably required by it from persons or licensees (section 31 of the Telecommunications Act 2008).
PNG	The National Information and Communications Technology Act 2009 (NICT Act) does not explicitly require telecommunications service providers to hold customer information confidentially. The NICT Act envisages that some information, including customer information, could be confidential in nature and so when disclosed to the National Information and Communications Authority (NICTA) a person may request that the information not be disclosed to the public due to its confidential nature. Under section 44 of the NICT Act, NICTA has the ability to exclude information from publication, where it is satisfied that it is necessary or desirable to do so. However, NICTA has the power to do all things necessary or convenient to be done for or in connection with, the performance of its functions (section 10 of the NICT Act). Although not explicitly stated this power is far reaching and would likely include the ability to require disclosure of information (including confidential information) and documents from licensees, where disclosure is necessary to perform its functions under the NICT Act. Relevantly, service providers should also be aware that pursuant to section 5(2) of the SIM Card Registration Regulation 2016, subscriber data shall not be transferred outside PNG except under a warrant issued pursuant to the Mutual Assistance in Criminal Matters Act 2005.
Solomon Islands	Section 73(1) of the Telecommunications Act 2009 requires that service providers take all reasonable steps to ensure the confidentiality of consumer communications. Section 72(2) of the Telecommunications Act 2009 provides that service providers may collect, use, maintain or disclose user information only with the consent of that user (except in certain prescribed circumstances, for example, disclosure of certain information in a printed or electronic phone directory). Appropriate safeguards must be applied to prevent the collection, use, maintenance or disclosure of such information. The Telecommunications Commission may order the production of specified documents and information or classes of documents and information by service providers and any other persons (section 28(1) of the Telecommunications Act 2009).
Vanuatu	Section 73(1) of the Telecommunications Act 2009 requires that service providers take all reasonable steps to ensure the confidentiality of consumer communications. Section 72(2) of the Telecommunications Act 2009 provides that service providers may collect, use, maintain or disclose user information only with the consent of that user (except in certain prescribed circumstances, for example, disclosure of certain information in a printed or electronic phone directory). Appropriate safeguards must be applied to prevent the collection, use, maintenance or disclosure of such information. The Telecommunications Commission may order the production of specified documents and information or classes of documents and information by service providers and any other persons (section 28(1) of the Telecommunications Act 2009).
Samoa	Section 48 of the Telecommunications Act 2005 provides that a service provider must not disclose information concerning a customer without the customer’s written consent or unless disclosure is required by the Regulator or by law. Section 50 of the Telecommunications Act 2005 provides that a service provider is responsible for customer information and customer communications in the service provider or the service provider’s agent’s custody or control. To this end, a service provider must: operate its telecommunications network with due regard for its customers’ privacy; and not collect, use, maintain or disclose customer information or customer communication for undisclosed purposes except as permitted or required by law. The Telecommunications Regulator has broad powers to make orders respecting any matter or thing within the jurisdiction of the Regulator (section 8(r) of the Telecommunications Act 2005). Although not explicitly stated, this power is far reaching and would likely include the ability to direct disclosure of information (including confidential information) and documents from licensees, where disclosure is necessary in performing its functions under the Act.

Legislation specific to banking businesses in the Pacific

Jurisdiction	Legislation specific to banking businesses in the Pacific
Fiji	The Banking Act 1995 is silent regarding the handling of confidential customer information by licensed financial institutions; therefore the common law duty of confidentiality applies (as articulated above). Section 26(1)(c) of the Banking Act 1995 provides that a licensed financial institution must submit to the Reserve Bank of Fiji any information as may be required by the Reserve Bank of Fiji in the proper implementation of banking and related laws, rules and regulations.
PNG	Section 52 of the Banks and Financial Institutions Act 2000 provides that a person must not, except for the purposes of the Act, directly or indirectly disclose to any person, any protected information or protected document acquired by the first-mentioned person. “protected document” means a document given or produced under, or for the purposes of the Act, and containing information relating to the affairs of any person other than a document that has already been lawfully made available to the public. “protected information” means information, data or forecasts disclosed or obtained under, or for the purposes of the Act, and relating to the affairs of any person other than information that has already been lawfully made available to the public. A person may disclose a protected document or protected information: where the person to whose affairs the information or document relates or, where different, the person from whom the information or document was received, agrees in writing to the disclosure or production of the document; where disclosure is required to assist the Central Bank of Samoa to perform its functions or exercise its powers; where required by law; or where the information, or the information contained in the document is in the form of a statistical summary or collection of information that is prepared so that information relating to any particular person cannot be found out from it.
Solomon Islands	The Financial Institutions Act 1998 is silent regarding the handling of confidential customer information by licensed financial institutions; therefore the common law duty of confidentiality applies (as articulated above). Section 8(2) of the Financial Institutions Act 1998 provides that the Central Bank of the Solomon Islands may require a licensed financial institution to submit information as it considers necessary for the purposes of the Act. As an additional point, the Central Bank of the Solomon Islands has the power to issue directions to licensed financial institutions where the Central bank is of the opinion that the licensed financial institution is following unsound or unsafe practices in the conduct of its business that are likely to jeopardise its obligations to its depositors or other creditors (section 16 of the Financial Institutions Act 1998). It is likely that the failure of a licensed financial institution to abide by their common law duty of confidentiality would be an unsound practice.
Vanuatu	The Financial Institutions Act 2006 is silent regarding the handling of confidential customer information by licensed financial institutions; therefore the common law duty of confidentiality applies (as articulated above). Section 58 of the Financial Institutions Act 2006 provides that the Reserve Bank of Vanuatu may request a licensee to submit such information as the Reserve Bank of Vanuatu determines necessary for the purposes of the Act. As an additional point, section 56 of the Financial Institutions Act 2006 provides that the director, manager or another officer of a licensee does not incur any liability as a result of making a disclosure of information if: he or she makes the disclosure in good faith to the Reserve Bank of Vanuatu, an appropriate person or a police officer; and the disclosure is of information regarding any customer or transaction which he or she believes to be connected to illegal activity.
Samoa	The Financial institutions Act 1996 is silent regarding the handling of confidential customer information by licensed financial institutions; therefore the common law duty of confidentiality applies (as articulated above). Section 9 of the Financial Institutions Act 1996 provides that the Central Bank of Samoa may require a licensed financial institution to submit information as it finds necessary for the purposes of the Act.

As an additional point, the Central/Reserve Bank in all of the aforementioned jurisdictions have broad powers to make prudential guidelines/standards that may also impact upon a banking business’ obligations and duties regarding customers’ personal information.

What are the consequences of non-compliance for an operator?

An operator who fails to comply with its common law duty of confidentiality may find itself exposed to a breach of contract claim by the relevant customer, and that operator may be liable to pay damages.

Breach of an operator’s obligations under the relevant telecommunications or banking legislation may result in:

penalties (which may be imposed on the operator/its officers);
remedies being imposed on the operator (in addition to/in lieu of a penalty); and/or
civil liability (resulting in operator/its officers being required to pay damages),

by the telecommunications or banking regulator and/or the relevant Court.

Ultimately, the telecommunications or banking regulators in each of the jurisdictions discussed in this article have the power to amend the terms and conditions of licences or revoke a license altogether for material failure to comply with a licence term or condition, or the relevant telecommunications or banking legislation.

How can we help?

The Pacific Legal Network can assist businesses by:

reviewing customer terms and conditions to ensure that they comply with local legislation and obligations with respect to confidentiality of customer information;
reviewing internal policies and procedures which deal with collection, use and storage of customer information;
advising in relation to requests for disclosure, including assessing the suitability of customer consent, or the validity of an external request for information; and
providing general advice in relation to the privacy of customer information and disclosure under the laws of the Pacific.