As we reported on 29 July 2019, the Australian Competition and Consumer Commission (ACCC) has released its Digital Platforms Inquiry (DPI) Final Report. This is the second article in our series considering what the Final Report’s recommendations may mean for local and foreign businesses that deal with Australian consumers.
‘Digital platforms’ is a catch-all term for a wide variety of online businesses offering diverse services. Under the DPI terms of reference, the ACCC was directed to focus on search engines, social media and content aggregation platforms.
Many digital platforms operate under a distinct business model providing services to consumers for zero monetary cost in exchange for consumers’ attention and use of their data. The platforms then 'monetise' that data by selling targeted advertising, from which they typically earn the majority of their revenue.
Despite the focus of the terms of reference on specific types of digital platforms, five of the six recommendations in the Final Report relating to data privacy are intended to apply ‘economy-wide’, and only one is targeted solely at digital platforms.
If all of these recommendations are implemented, the aspects that extend beyond what might be seen as current global best practice could add significantly to the compliance burden for foreign firms doing business in Australia.
We also see the potential for some unintended adverse outcomes for consumers.
The ACCC’s case for economy-wide reform
The Final Report states that the detriment suffered by consumers in their dealings with digital platforms:
“…may extend to the myriad of industries across the Australian economy that collect, use or disclose the user data of Australians. This is because information asymmetries, bargaining power imbalances, and behavioural biases identified in this chapter also characterise the data practices of many other businesses beyond digital platforms.” (page 449)
Coupled with the results of certain, relatively simplistic, consumer surveys, this ‘may extend’ way of thinking forms the basis for the recommended economy-wide reforms.
The ACCC has flagged financial institutions, telcos, retailers offering rewards schemes, airlines and media businesses as potentially having data practices with many of the same features as those of digital platforms.
ACCC concerns regarding current practices
The ACCC sets the scene for reform in the Final Report as follows:
“The ACCC notes that, since the Privacy Act was passed 30 years ago, the Internet and digitalisation have radically altered the ways in which businesses and consumers interact and exchange personal information. Numerous amendments have been made to the Privacy Act, but these incremental changes may not be sufficient to address the volume and significance of privacy and data protection issues proliferating in the digital economy. The data practices of digital platforms considered in this chapter demonstrate some significant gaps in Australian privacy laws.” (page 437)
There is little doubt that the data privacy regulatory regime has not kept pace with the multiple ways in which many businesses collect, use, share and deal in data.
For the ACCC, however, this is not only about privacy – its consideration of broader consumer welfare issues has led it to extend its recommendations to changes to the Australian Consumer Law.
In its analysis of consumer welfare, the ACCC places significant weight on consumer survey data which indicates a strong consumer preference for having control over the data collected about them (especially location data and internet browsing data) and how it is used and disclosed. These results are hardly surprising, but the issue the surveys do not appear to address is whether consumers value this control more than some of the benefits that access to data drives (e.g. improvements to the quality of services or the ability to offer services for free).
The ACCC is highly focused on the importance of consumers being able to make ‘informed choices’ about the handling of their data. Some of its key findings in this context include:
- Several features of consumers’ current relationship with digital platforms prevent them from making informed choices. These features include bargaining power imbalances, information asymmetries between digital platforms and consumers, and inherent difficulties for consumers in accurately assessing the current and future consequences of providing their user data.
- Many digital platforms seek consumer consents to their data practices using clickwrap agreements with take-it-or-leave-it terms that 'bundle' a wide range of consents. These features are said to leverage bargaining power and deepen information asymmetries, preventing consumers from providing meaningful consents to collection, use and disclosure of their user data.
- Many privacy policies are long, complex, vague and difficult to navigate. Despite consumers being particularly concerned by location tracking, online tracking for targeted advertising purposes and third-party data-sharing, these data practices are generally permitted.
- Representations about consumer control and choice often overstate the ability of consumers to meaningfully control the collection, use and disclosure of their data.
The ACCC’s key recommendations
The ACCC did not propose wholesale adoption of the European Union General Data Protection Regulation (GDPR), but was influenced by the GDPR in making certain recommendations for reform, observing generally that:
“closer alignment of Australian privacy regulations with the GDPR’s higher standards of protection could significantly increase the effectiveness of Australian privacy law and increase the accountability of entities processing the personal information of Australian consumers”. (page 439)
While one could argue with the ACCC's justification for pursuing ‘economy-wide’ privacy reform, some sectors of the Australian economy (e.g. e-commerce) are taking steps towards GDPR compliance in any event. An impetus for this is global businesses wishing to avoid multiple data handling regimes across different jurisdictions and simply adopting the GDPR as the global ‘high water mark’.
Significantly, however, the ACCC’s recommendations around consumer consent appear to be stricter than the GDPR. In summary, the ACCC’s key recommendations are:
- Strengthen protections in the Privacy Act in line with the GDPR. A range of amendments are intended to broaden the definition of ‘personal information’ to encompass technical data (such as location data and IP addresses) and impose more prescriptive notification requirements at the time of collection.
- Strengthen consent requirements in the Privacy Act. Currently, consumer consent is not required where personal information is used or disclosed for a primary purpose for which it was collected (as disclosed at the time of collection). The ACCC is proposing that consumer consent be required for any collection, use or disclosure that is not necessary for the performance of a contract to which the consumer is a party (with some limited exceptions). Significantly, the ACCC does not recommend adoption of the GDPR exception for use or disclosure for the ‘legitimate interests’ of the collector. Separately, it has recommended that valid consent must be clear, affirmative (i.e. default settings should not allow collection and processing), specific (i.e. consents should not be bundled), unambiguous and informed.
- Individual rights of action and increased penalties. The ACCC has recommended that individuals be given a direct right to bring actions and class actions to seek compensation for an interference with their privacy under the Privacy Act. It has also recommended increased penalties to mirror those for breaches of the Australian Consumer Law (the greater of A$10 million, three times the value of the benefit received, or 10 per cent of annual turnover in the preceding 12 months).
- OAIC Privacy Code for Digital Platforms (the only digital platform-specific recommendation). An enforceable code of practice is to be developed by the OAIC in consultation with industry to enable proactive and targeted regulation of digital platforms’ data practices. This code would include a specified time frame for the retention of any data not required to provide core consumer-facing services as well as more prescriptive obligations regarding the form of privacy policies and consumer consents and specific protections for children.
- Statutory tort for serious invasions of privacy. This statutory cause of action would not be confined to organisations subject to the Australian Privacy Act. This will be covered in more detail in a separate article.
- Prohibition against Unfair Contract Terms. The ACCC has recommended that unfair contract terms should be prohibited and not just voidable, meaning that civil pecuniary penalties would apply to the use of unfair contract terms in any standard form consumer or small business contract. This would add significantly to the compliance burden for businesses contracting on standard terms and conditions, including requiring platforms and other global firms to adopt specific terms for Australian consumers and small businesses.
- Prohibition against certain unfair trading practices. A prohibition on certain unfair trading practices (beyond unfair contracting) has also been recommended.
Australian privacy law reform is perhaps inevitable. Global convergence towards the standards of the GDPR means that recommendations that align with the European privacy regime are unlikely to impose significant additional regulatory burdens on the majority of businesses operating in Australia.
Rather, it is the recommendations relating to consent, which are stricter than the GDPR protection standard, that are likely to present a greater compliance challenge. In particular, more stringent consent requirements coupled with unbundling consents potentially present real IT system challenges, with systems needing to be able to record and implement diverse consent patterns on an individual consumer level based on the particular services acquired.
In addition, the consent recommendations and the proposed digital platforms privacy code arguably raise some fundamental issues in relation to the way digital platforms operate. The ACCC has acknowledged that data collection drives the ability to offer valuable services without charge and to improve those services over time. In an individual case, much of the data collected may not be necessary for the provision of the particular digital service a consumer is receiving. However, the potential cumulative impact of successive decisions by consumers to refuse consent for such data collection (or a simple failure to adjust mandated default settings which would prevent the collection) has not been addressed by the ACCC, either in terms of quality of service or the ability to offer services at no charge.
Given the potential for unintended adverse outcomes in terms of consumer welfare, there is arguably substantial further work required to come to grips with these issues before the ACCC’s recommendations are adopted.
Perhaps the key takeaway from the data privacy sections of the Final Report is that the ACCC does not view data privacy as an issue solely for OAIC regulation. The ACCC is now thinking about data privacy as a consumer issue that may equally be addressed under the Australian Consumer Law as misleading or deceptive conduct, unfair contract terms or unconscionable conduct. In line with other jurisdictions, such as the US and Germany, we can expect to see the ACCC being prepared to pursue enforcement action to address data privacy issues under competition or consumer protection legislation.
The ACCC has also expressed a clear preference for consumers to be able to bring actions directly if they choose to, whether under the Privacy Act or Australian Consumer Law.