In today’s digital age, personal information has become a valuable commodity for businesses. This data can be used for a variety of purposes, such as providing services, targeted advertising, risk assessment, and fraud detection. However, the collection and use of personal information is not without controversy, as it raises concerns about privacy, security, and consent. In this article, we will explore the role of consent in collecting and using personal information in Australia and Europe and the possible impact of Australia’s proposed regulatory reforms arising from the Australian Government’s February 2023 Privacy Act Review Report.
Privacy and consent
Consent is a crucial aspect of privacy law, as it allows individuals to have control over their personal information. In both Australia and Europe, privacy laws require organisations in certain circumstances to obtain consent from individuals before collecting, using, or disclosing their personal information. Generally, individuals must be informed of the purpose for which their personal information is being collected, who will have access to it, and how it will be used. They must also be given the option to opt-out or withdraw their consent at any time.
In Europe, the General Data Protection Regulation (GDPR) came into effect in May 2018, replacing the Data Protection Directive. The GDPR applies to all European Union member states and regulates the processing of personal data by organisations. The GDPR also applies to organisations outside of Europe that collect personal information from individuals in Europe. Absent some other lawful basis, the GDPR requires organisations to obtain explicit consent from individuals before collecting their personal information, and to provide them with information about the purpose of the processing, the categories of personal data being processed, and the recipients or categories of recipients of the personal data.
The GDPR also gives individuals the right to access, correct, and delete their personal information held by organisations. Additionally, the GDPR requires organisations to report any data breaches to the relevant supervisory authority within 72 hours.
Consent in Australia
APP 5 requires organisations to take reasonable steps, before or at the time they collect personal information, to notify an individual of the fact and circumstances of the collection. If the notification requirements are met, for example through a recorded statement at the beginning of a call, on a form that an individual completes, or through a collection notice displayed for the individual at the time of collection, then in this way the individual offers implicit consent to the collection even where express and affirmative consent is not required from the individual for the collection.
In Australia, consent is required under the Privacy Act for a limited range of collections of personal information. Unless an exception applies, express verbal or written consent that is current and specific is needed to collect sensitive information. Consent can also allow an organisation to use or disclose personal information for a secondary purpose. An organisation does not need express consent to collect, use or disclose personal information (including for a secondary purpose) where that is non-sensitive personal information, but it needs to reasonably believe that it has implied consent (through its use of the required notification of the collection).
Consent may be relied on to authorise the use or disclosure of personal or sensitive information for the purposes of direct marketing in certain circumstances, or as a basis for cross-border disclosures of personal information. Consent may be withdrawn at any time.
Consent under the GDPR
In Europe, the GDPR requires organisations to process personal data only where expressly allowed by law, or the data subject has consented to the processing. While being one of the more well-known legal bases for processing personal data, consent is only one of six bases mentioned in the GDPR. The others include contract, legal obligations, vital interests of the data subject, public interest and legitimate interest.
A significant distinction from the approach in Australia is that under the GDPR consent cannot be implied and must always be given expressly through an opt-in, a declaration or an active motion, so that there is no misunderstanding that the data subject has consented to the particular processing.
Article 4(11) of the GDPR stipulates “‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”. Article 7(4) GDPR seeks to ensure that the purpose of personal data processing is not disguised nor bundled with the provision of a contract of a service for which these personal data are not necessary. This indicates that “bundling” consent with acceptance of terms or conditions, or “tying” the provision of a contract or a service to a request for consent to process personal data that are not necessary for the performance of that contract or service, is considered highly undesirable. If consent is given in this situation, it is presumed to be not freely given.
A data subject has the right to withdraw his or her consent at any time.
Consent and Direct Marketing
One of the most common uses of personal data is for marketing purposes, such as targeted advertising or direct marketing. Direct marketing involves the use and/or disclosure of personal information to communicate directly with an individual to promote goods and services. In Australia, the Privacy Act allows organisations to use personal information for direct marketing if the personal information has been collected directly from an individual, and the individual would reasonably expect their personal information to be used for the purpose of direct marketing (APP 7). Individuals must have an “opt out” option for direct marketing. Factors that may be important to determining whether an individual would reasonably expect their personal information to be used for the purpose of direct marketing include where the individual has consented to the use or disclosure of their personal information for that purpose, the organisation has notified the individual that one of the purposes for which it collects the personal information is for the purpose of direct marketing and the organisation made the individual aware that they could request not to receive direct marketing communications from the organisation, and the individual does not make such a request. An organisation is not able to simply assume an individual would reasonably expect their personal information to be used or disclosed for the purpose of direct marketing just because the organisation believes the individual would welcome the direct marketing.
Under the GDPR, the use of personal data for marketing purposes is strictly regulated. Organisations must obtain explicit consent from individuals before using their personal data for marketing purposes, including targeted advertising or direct marketing. This means that individuals must be informed about the purpose of the processing, the categories of personal data being processed, and the recipients or categories of recipients of the personal data.
The alternative legal bases for targeted advertisements under the GDPR, namely relying on a “legitimate interest” or on the data processing being “necessary for the performance of a contract”, lack the legal clarity that comes from express consent and were found not to assist Meta in its recent privacy litigation under the GDPR. For example, in January 2023, Ireland’s Data Protection Commission (DPC) fined Meta €390 million. In its decision, the DPC found that Meta’s basis for seeking user permission to collect data for personalised advertising was invalid and gave Meta three months to bring data processing operations into compliance with the GDPR. Meta’s terms of service included agreement by customers to data processing for “personalised services and behavioural advertising” as a condition of access to its platforms. The DPC considered this “forced consent” that did not justify the data processing. Meta also failed in an argument that its data processing was ‘necessary for the performance of a contract’ (another ground that could permit the targeted advertising). Some commentators are of the view that “legitimate interest” is not an available tool to support businesses that rely on targeted advertisements, as “legitimate interest” was never intended for this use and the examples given in law are for the likes of fraud prevention or threats to public security. The only currently clear path for targeted advertising under the GDPR is the specific informed consent of the user.
The GDPR also requires organisations to provide individuals with clear and concise information about their marketing activities, including the identity of the organisation responsible for the processing, the purposes of the processing, and the individual’s right to object or withdraw consent.
Potential regulatory reform in Australia to consent
Informed consent and the choice to disclose personal information have not, as currently practiced in today’s online world, offered an effective way to protect privacy. This ineffectiveness of the current notice and consent regime has led regulators to look for new mechanisms to govern collection and use of personal information.
The Australian Attorney-General’s Department released its Privacy Act Review Report in February 2023, a significant step in the reform of Australia’s privacy law. In comments made to the Attorney-General’s Department on 6 December 2020 as a part of the review process, Facebook (Meta) stated:
“We recommend against policy proposals that would force businesses to provide long, complex or only upfront notices or seek separate consents for each use of personal information at a granular level. Under this approach, consumers switch off and do not meaningfully engage with relevant privacy notices and controls. If regulation (however well-intentioned) is more prescriptive about the form of notices or consents, it may inadvertently undermine the very policy objective it is trying to achieve. In particular, some of the previous proposals by the ACCC around consent would place a material burden on consumers, limit the benefits of innovation to Australian small businesses and consumers, and would not improve people’s understanding of privacy, or lead to better privacy protections.”
Similar concerns were shared by the Office of the Australian Information Commissioner, which in its submission in the review process, according to the Privacy Act Review Report, “thought that requiring consent for reasonably expected personal information handling may reduce it to a tick-box exercise which “will detract the value of consent in higher-risk situations where it will actually be valuable””.
The Privacy Act Review Report confirmed that there will be no changes to increase the circumstances in which consent is required under the Privacy Act. Instead, the proposed reforms would require organisations to handle personal information fairly and reasonably, conduct privacy impact assessments before engaging in high privacy risk activities, and not engage in certain personal information handling practices that pose significant risk of harm. In addition, the Privacy Act Review Report proposes additional privacy rights to give individuals more control over their personal information after collection. There are, however, proposals put forward which look to improve the quality of consent obtained from individuals. One is to update the definition of consent to provide that it must be voluntary, informed, current, specific, and unambiguous. Another is to look at standardising or providing further guidance on the design of consent requests.
Fair and reasonable test
As discussed above, one aspect of the proposed privacy reform recommended in the Privacy Act Review Report is the “fair and reasonable test”. This is a proposed new legal standard for the collection, use, and disclosure of personal information in Australia.
Under the fair and reasonable test, organisations would be required to assess whether their collection, use, or disclosure of personal information is fair and reasonable in the circumstances. In determining whether a collection, use or disclosure is fair and reasonable in the circumstances, the following matters would be taken into account:
- whether an individual would reasonably expect the personal information to be collected, used or disclosed in the circumstances;
- the kind, sensitivity and amount of personal information being collected, used or disclosed;
- whether the collection, use or disclosure is reasonably necessary or directly related to the functions and activities of the organisation;
- the risk of unjustified adverse impact or harm;
- whether the impact on privacy is proportionate to the benefit;
- if the personal information relates to a child, whether the collection, use or disclosure of the personal information is in the best interests of the child; and
- the objects of the Privacy Act.
The final wording of the test is to be developed further through the legislative drafting process.
The proposal is that the requirement that collection, use and disclosure of personal information must be fair and reasonable in the circumstances should apply irrespective of whether consent has been obtained.
Benefits and challenges of the fair and reasonable test
One of the key benefits of the fair and reasonable test is that it places a greater emphasis on individual privacy rights. By requiring organisations to consider the impact on privacy, the test ensures that personal information is only collected, used, and disclosed in ways that are necessary and proportionate. This has not been seen as a precondition to collection under the current notice and consent regime. The proposal does not go as far as the requirement of specific, timely and express consent of users to the use of their information for targeted advertising required under the GDPR, but it does force a consideration of the reasons for collection and the nature of the impact on individuals to whom the personal information relates.
The test would also provide greater clarity and consistency in the application of privacy laws in Australia. By providing a clear legal standard, organisations would better understand the nature of their obligations and ideally this would aid in ensuring that they are complying with the law. The existing approach under the APPs is not currently abstracted in a single principle such as is proposed and so it may be more difficult for organisations to apply consistently in ways that align to the purpose of the privacy protection laws.
In addition, the fair and reasonable test can help to promote trust and confidence in the handling of personal information. By demonstrating that they are taking privacy seriously, organisations can build stronger relationships with their customers and stakeholders.
Despite its potential benefits, the fair and reasonable test may also pose some challenges for organisations. One of the main challenges is determining what is fair and reasonable in the circumstances. This will require organisations to have a deep understanding of the context in which they are collecting, using, or disclosing personal information. Also, the introduction of the fair and reasonable test may require organisations to make significant changes to their privacy policies and practices. This may involve investing in new technologies or processes, training employees, and engaging with stakeholders to ensure that they understand the changes, which may be a costly process.
Time frame for reform
The Privacy Act Review, including the fair and reasonable test, will play an important role in shaping the future of privacy law in Australia. It is difficult at this time to predict when the regulatory reform will be introduced into law. The government sought feedback on the Privacy Act Review Report by 31 March 2023. We are still awaiting an update following this public consultation process.