Google says consent over every aspect of data processing would be burdensome

Tells the review into Australia's Privacy Act that expanding the 'toggles of control' to individuals could affect the ability of a business to earn revenue and create 'consent fatigue' for the consumer.

Google believes individuals should not be penalised for exercising their privacy rights, but said some choices offered to individuals may affect the ability of a business to earn revenue.

The comments were made in a submission [PDF] to the Attorney-General's review of Australia's Privacy Act 1988.

"[We] urge the government to think clearly through the issue of under what conditions businesses and organisations may make services contingent on a user's acceptance of some processing of their personal information," it wrote.

"Individuals should not be penalised for exercising their privacy rights, but some choices offered to individuals may affect the ability of a business to earn revenue, and even the financial viability of products and services that are of tremendous benefit to users and to society."

See also: Google sued by ACCC for allegedly linking data for ads without consent

Google considers a one-size-fits-all approach to mandating how personal information can be handled to be not overly applicable, as people have different preferences about how they want their information to be used.

How the Act currently requires businesses and organisations to provide appropriate mechanisms for individual control does not require a specific consent or toggle for every use of data. Google said inserting such a requirement could overburden the experience.

"In many cases, the processing of personal information is necessary to simply operate the service the user requested," it wrote. "Requiring individuals to control every aspect of data processing can create a burdensome and complex experience that diverts attention from the most important controls without corresponding benefits.

"Individual control over data processing should apply wherever it can be reasonably offered, not just certain categories."

Google wants more "narrow and specific consent requirements", saying they would avoid "consent fatigue"; that it would promote innovation; and allow regulators to focus on "priority issues".

On the issue of default settings, Google said strict rules requiring "extensive" opt-in actions limit its ability to provide "meaningful options that support ideal product functionality while also being comprehensible to Google users".

"Much like consent-fatigue, requiring a lot of 'opt-in' settings can overwhelm users and diminish the significance of the most important settings," it wrote.

The search giant also welcomes the introduction of an explicit age threshold which parents or guardians could exercise on behalf of their children, making the suggestion that this be set to 13 years of age.

Google is supportive of a right to delete data that is provided to an organisation and the ability for a user to request data be ported to another service.

In contrast to Google's view, the Cyber Security Cooperative Research Centre (CSCRC), which is based out of Edith Cowan University in Western Australia, said in its submission [PDF] that it is "appropriate and necessary" that under the Act, entities must take "reasonable steps to notify individuals of the collection of their personal information".

"While amendments should be made to better define 'reasonable steps' in a bid to ensure the wording is fit-for-purpose, a key advantage of the proliferation of communication technologies ultimately means that notification of collection is easier to achieve than ever before," it wrote.

The CSCRC supports the idea that a regulated entity be required to provide a notice for all collections of personal information, with limited exceptions. It said this would build consumer confidence and awareness of when information is being collected.

It said an individual should always be provided with notice when their personal information is being collected, and cited the ACCC's action against Google for its third-party data collection activities.

The CSCRC also called for the definition of personal information to be amended to align with the EU's General Data Protection Regulation (GDPR).

Under this definition, personal data is: "Any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification, number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental economic, cultural or social identity of that natural person".

"Adopting such a definition would effectively expand the constitution of 'personal information' and help allay concerns related to privacy risks arising from new forms of 'personal information' like IP addresses and social media profiles," CSCRC CEO Rachael Falk said.

ANZ Bank, meanwhile, is questioning whether defining personal information in line with the GDPR would provide legal certainty in Australia and cautions against imposing obligations which overly restrict the use and disclosure of de-identified information.

"We believe the current scope of regulating personal information in the Privacy Act is appropriate and that the constraints in the law are sufficient to protect the privacy of individuals," it said in its submission [PDF].

HERE'S MORE