The ACCC's Digital Platforms Inquiry Final Report (Report) confirms what is already clear – there is a proliferation of digital data and the broad range of ways that organisations (not only digital platforms) now use data has resulted in a complex inter-relationship between innovation, data commercialisation, privacy rights and consumer rights.
According to the ACCC, amendments to the Privacy Act are necessary to address an imbalance that have arisen in these relationships.
Although the ACCC’s review was aimed at digital platforms, its proposed reforms of the Privacy Act would have a broader economy-wide impact.
The ACCC specifically found that there is an 'information asymmetry' between digital platform organisations and consumers and that digital platforms have considerably more bargaining power than consumers. As a result, the ACCC has recommended the introduction of a specific Digital Platform Privacy Code.
The ACCC found that current Australian privacy laws do not adequately protect consumers or act as an effective deterrent. The ACCC has recommended changes that would bring Australia closer to a GDPR-style regime.
The ACCC's privacy and consumer-related findings
In the Report, the ACCC examined the role that data now has for digital platform companies (and others) and, unsurprisingly, found that data is likely to play an even more significant role in future. Against this backdrop, the ACCC found that, on the one hand, there is a lack of transparency on the part of digital platforms and, on the other, a lack of understanding and control on the part of consumers, when it comes to how digital platform companies collect and use personal information. As a result, the ACCC questioned whether the Privacy Act is still fit for purpose in the modern digital era, not only in regulating digital platform companies, but also more broadly across the economy.
The privacy recommendations
1. The need for greater transparency by organisations and consumer control and protection
The ACCC found that digital platform companies have overly long, complex and vague privacy policies and consumers have little meaningful choice about the way in which their data is collected and used. According to the ACCC, transparency over the collection and use of data is important so that users understand what data is being provided and how it is used. However, transparency alone is not enough. Consumers should have meaningful choice and control. The ACCC was particularly critical of ‘click-wrap’ agreements in the terms and conditions of digital platforms, with ‘take it or leave it’ terms and bundled consents, and the impact on some individuals as a result of consumer segmentation and profiling based on online profiles. To address these issues, the ACCC has recommended:
- strengthened Privacy Act notification requirements including concise, transparent, intelligible, easily accessible and clear notices, using a multi-layered approach;
- defining consent using a GDPR-style approach, which requires a clear affirmative act that is freely given, specific, unambiguous and informed;
- introducing a ‘right to be forgotten’ into the Privacy Act by giving consumers the right to request their personal information be deleted unless there is an overriding reason for it to be kept;
- introducing civil pecuniary penalties into the Competition and Consumer Act for the use of unfair contract terms to deter the ‘take it or leave it approach’; and
- a prohibition against unfair trading practices.
2. Broad-ranging amendments to the Privacy Act
The ACCC’s view is that strong privacy laws empower consumers and promote competition, innovation and the welfare of consumers, and that this applies beyond digital platforms alone. The ACCC expressed the view that incremental amendments to the Privacy Act since its introduction have not been sufficient to address the volume and significant of privacy and data protection issues in the current digital and broader economy. According to the ACCC, the Privacy Act now requires a broader review, including as to its objectives. The ACCC has recommended:
- amending the definition of personal information in the Privacy Act to include technical data such as IP addresses, device identifiers, location data and other online identifiers. This would bring the definition of personal information closer in line with the definition of personal data under the GDPR, which can include 'cookies'. The ACCC has also recommended giving consideration as to whether there should be greater protections for inferred, anonymised and de-identified information;
- removing the exemptions in the Privacy Act (employee records, small businesses, political parties), so that it could be considered ‘adequate’ by the European Commission for the purposes of facilitating the flow of information between the European Union and Australia more readily; and
- introducing a private right of action for individuals, as well as more substantial penalties, as a greater deterrent for organisations.
3. OAIC Privacy Code for Digital Platforms
To specifically deal with the issues raised in the Report about digital platforms’ privacy and personal information handling practices, the ACCC recommended the introduction of a Privacy Code for Digital Platforms, to be developed by the Office of the Australian Information Commissioner, in consultation with stakeholders. This would apply to all digital platforms supplying online search, social media and content aggregation services to Australian consumers.
4. Tort for serious invasions of privacy
To decrease the bargaining power imbalance between consumers and digital platforms, the ACCC has recommended (as the ALRC has done before it) the introduction of a tort for serious invasions of privacy. According to the ACCC, the tort would provide consumers with additional redress against companies for poor data practices and address gaps in the existing privacy framework. However, the ACCC did concede that the idea of the tort has previously been the subject of extensive review and controversy. In particular, the media has expressed concern about the impact such a tort would have on free speech.
Potential impact of the recommendations
Many of the recommendations would bring Australia closer in line with the European GDPR, but the ACCC stopped short of recommending that Australia adopt the GDPR wholesale. While the GDPR (and, in particular, its penalty regime) has spurred organisations in Europe and globally to pay more attention to their privacy practices, the extent of real, meaningful change remains to be seen. There has certainly been a proliferation of privacy notices and, as the ACCC referred to, ‘consent overload', however, the UK Information Commissioner has expressed concern that AdTech companies are still not meeting transparency and consent requirements under the GDPR. Further, consumers still bear some responsibility for reading notices and, as highlighted by the ACCC, many consumers feel they do not really have a choice about whether or not to use digital (especially social media) platforms. However, there would be benefits to Australian companies if Australia did receive a GDPR ‘adequacy’ decision from the European Commission.
Although the ACCC has recommended increased penalties (as referred to in the Interim Report), a call picked up by the Coalition government in March this year before the election, it is questionable how much meaningful impact this will have unless it is enforced. Indeed, a civil penalty has not been issued under the Privacy Act that has been in force since 2014. As well as the issue of enforcement, there is a question about how much of a deterrent a stricter penalty regime will have on the likes of Facebook and Google. It has been well reported recently that the Federal Trade Commission issued a $5b fine against Facebook for the Cambridge Analytica scandal. However, experts say that is just a blip on Facebook’s radar and it barely had an impact on its share price. Despite these potential issues, there is a need to modernise the Privacy Act for the digital era and the recommended amendments to the Privacy Act would likely result in Australian organisations re-examining the ways in which they collect and use personal information.
On 26 July 2019, the government announced a 12 week consultation period, calling for stakeholder comments on the Report, which will be followed by targeted meetings. The submissions will be considered by government in formulating its response to the Report, so we expect the response is some time away yet.
Given the potential breadth of the recommended privacy reforms, the group of interested stakeholders who may want to make submissions will be broader than digital platform companies.