Transfer of customer's credit card data to an associated company - the associated company debited the unsettled amount from the credit card account - remedial actions taken by returning the charged sum and undertaking not to use the credit card data in future - no prima facie case of DPP3 contravention - the Commissioner had a wide discretion whether to carry out or continue investigation pursuant to section 39(2)(d)
The Complaint
In 1999, the complainant registered with a telecommunication company (company A) for telephone service and dial-up internet services. She elected to pay for the use of those services by means of autopay through her credit card account, and for that purpose provided her credit card account number to the company. In 2000, company A spun off its business of dial-up internet services to an associated company (company B) which charged the complainant through her credit card for her continued use of the services for 5 months. In 2003, the complainant applied to company B for home telephone services and chose to pay for the services by cash. In 2004, company B charged the complainant a sum of $165 for the services and debited the amount from the complainant's credit card account after her failure in settling the same by cash. The complainant claimed that she had never given her credit card account details to company B and they had no authority to debit her account for the services that she had chosen to pay by cash. The complainant lodged with the Commissioner's Office a complaint against company B for the misuse of her personal data.
Findings of the Privacy Commissioner
After the commencement of the preliminary investigation, company B took voluntary remedial steps to return the charged amount and undertook not to use the credit card information for collecting payment in the future without express authorization. The Privacy Commissioner came to the view that there was no prima facie case of breaching DPP3 and that, in view of company B's remedial actions taken, investigation or further investigation could not bring a more satisfactory results. Therefore, the Commissioner decided not to carry out or continue investigation. The complainant was dissatisfied with the Commissioner's decision and appealed to the AAB.
The Appeal
The complainant reiterated that company B had appropriated her money by misusing her personal data given to company A. The AAB decided that under section 39, the Commissioner had a wide discretion whether to carry out or continue an investigation, in particular, pursuant to section 39(2)(d). In this case, it was reasonably open to the Commissioner to come to the view that any further investigation was unnecessary in view of the voluntary remedial action taken by company B.
The AAB's Decision
The AAB upheld the Privacy Commissioner's decision and dismissed the appeal.