Australian privacy law amendments to cover data collection and use by digital platforms

The fine print offered by the likes of Facebook will no longer be good enough to collect and use the data of Australians.

While the Cambridge Analytica scandal brought to the public eye the very real act of Facebook monetising and sharing user's data with third parties, the Australian Competition and Consumer Commission (ACCC) believes Australians are still in the dark when it comes to the extent of the collection and use of their data.

"Digital platforms provide a wide range of valuable services to Australian consumers, often for zero monetary cost. The ubiquity of digital platforms in the daily lives of consumers means that many are obliged to join or use these platforms and accept their non-negotiable terms of use in order to receive communications and remain involved in community life," the ACCC said in its Digital Platforms Inquiry: Final Report [PDF].

While the ACCC said transparency over the collection and use of data is important, it said transparency is not enough.

"Consumers, once they understand what is being collected and how it is used, must be able to exercise real choice and meaningful control," the ACCC wrote.

chrome-2019-07-26-14-41-05.png

How often users read privacy policies.

Source: ACCC consumer survey. Q12. Do you normally read all the privacy policy or terms and conditions for an internet site or app?

The ACCC considers that the most efficient way to make sufficient change is to amend the existing privacy law and extend protections under consumer law.

"The ACCC's proposals will provide sufficient information to enable consumers to make informed and genuine choices, to increase the accountability of entities handling user data, and to provide the ability for consumers to exercise some control over their user data," the watchdog continued.

The federal government in March announced plans to increase the penalties within the Privacy Act.

Under the proposed changes, the current maximum penalty for serious or repeat offenders would be raised from AU$2.1 million to the greater of AU$10 million; or three times the value of any benefit obtained through the misuse of information; or 10% of a company's annual Australian turnover.

It was also proposed that the Office of the Australian Information Commissioner (OAIC) would issue new infringement notices that carry penalties of up to AU$63,000 for corporate bodies, and AU$12,600 for individuals, as well as publish prominent notices about breaches and ensure breaches have third-party reviews.

Further, the proposed changes would allow Australians to request online platforms to stop the use or disclosure of their data, with stronger provisions if the person is a minor or deemed to be vulnerable.

See also: Australia's Consumer Data Right to finally make its way through Parliament

Building on these, the ACCC in its report has recommended updating the definition of personal information in line with "current and likely future technological developments to capture any technical data relating to an identifiable individual".

It wants a strengthening of notification requirements, which would mean the collection of consumers' personal information -- either by the company directly or a third party -- is accompanied by a notice of the collection.

The notice, the ACCC said, should be provided in a manner that is concise, intelligible, and easily accessible, as well as "written in clear and plain language, provided free of charge, and accompanied by appropriate measures to reduce the information burden on consumers".

See also: Australia wonders how to tax companies cashing in on user-generated content

Consent requirements are also to be strengthened, with the ACCC asking that consents are given freely and that they are specific, unambiguous, and informed.

Under this, any settings for additional data collection must be preselected to "off".

"Consents should be required whenever personal information is collected, used or disclosed by an entity subject to the Privacy Act, unless the personal information is necessary to perform a contract to which a consumer is a party, required under law, or otherwise necessary in the public interest," the ACCC expanded.

In similar vein to Europe's GDPR, privacy law amendments would require entities subject to the Privacy Act to erase the personal information of a consumer without undue delay on receiving a request for erasure from the consumer, except in certain circumstances.

Accompanying this would also be the introduction of direct rights for individuals to bring actions or class actions before the courts to seek compensation for an interference with their privacy under the Privacy Act.

"Organisations entrusted with our personal information need to be more transparent and accountable in their handling of our data and their dealings with the public," Australian Information Commissioner and Privacy Commissioner Angelene Falk said.

"We also need the right safeguards and settings so that Australians can manage their privacy choices and exercise control. The changes recommended by the inquiry will strengthen our ability to protect personal information under the Privacy Act.

"These initiatives will also help close the gap between community expectations and privacy practices that fall short of these standards."

According to the ACCC, digital platforms should be required to provide multi-layered notices about their data practices. This should range from a first layer containing concise statements targeted to areas of potential concern to a consumer, to a final layer which sets out all relevant details of how a consumer's data may be collected, used, disclosed, and shared by a business.

The ACCC recommends that this be achieved via an enforceable Privacy Code of Practice to be developed by the OAIC to apply to digital platforms. It should also be enforced by the OAIC and accompanied by the same penalties as are applicable to an interference with privacy under the Privacy Act.

"The nature of the services offered by Google and Facebook allow them to collect an unprecedented amount of personal data, which is then monetised by providing advertisers with highly targeted opportunities," Treasurer Josh Frydenberg said during a press conference on Friday.

"The world has never before seen so much commercially sensitive and personal data collected and aggregated in just two companies.

"Our legislative and regulatory framework could not, and did not, anticipate such a new paradigm, a paradigm which poses real challenges for authorities the world over.

"It is a time of rapid technological change and Australians need a regulatory framework that is fit for purpose and better protects and informs Australian consumers."

19.2 million Australians use Google every month; 17.6 million use YouTube, which is owned by Google; 17.3 million use Facebook; and 11.2 million use Instagram, which is owned by Facebook.

"What this report confirms is that regulation in a wide range of areas has not kept pace with the rise of digital platforms," the minister added.

Accompanying the privacy reforms is also a prohibition on certain unfair trading practices and a prohibition against unfair contract terms.

The report made a total of 23 recommendations spanning competition law, consumer protection, and media regulation, in addition to privacy law, that the ACCC said reflects the intersection of issues arising from the growth of digital platforms.

Other recommendations include a change to mergers law and advanced notice of acquisitions that potentially impact competition in Australia; changes to search engine and internet browser defaults; and a new specialist digital platforms branch of the ACCC to focus specifically on investigating, monitoring, and performing enforcement activities in markets where digital platforms operate.

It's asked for an inquiry into ad tech services and advertising agencies and for support of the implementation of a "harmonised" media regulatory framework.

Additionally, it's calling for the requirement of designated digital platforms to provide codes of conduct governing relationships between digital platforms and media businesses to the Australian Communications and Media Authority (ACMA); as well as a mandatory ACMA take-down code to assist copyright enforcement on digital platforms.

The ACMA will also be involved with ensuring digital platforms to comply with internal dispute resolution requirements, as well as through the establishment of an ombudsman scheme to resolve complaints and disputes with digital platform providers.

The report also asks that stable and adequate funding be provided to public broadcasters; journalists and publications be given grants to continue local and regional reporting capabilities; tax amendments to allow for more philanthropic support in journalism; improvements be made to digital media literacy in the community through a national endeavour with accompanying grants program; and that a review of the Australian Curriculum scheduled for 2020 include consideration of the approach to digital media literacy education in schools.

RELATED COVERAGE