The ACCC's Digital Platforms Inquiry Final Report (Report) confirms what is already clear – there is a proliferation of digital data and the broad range of ways that organisations (not only digital platforms) now use data has resulted in a complex inter-relationship between innovation, data commercialisation, privacy rights and consumer rights.
According to the ACCC, amendments to the Privacy Act are necessary to address an imbalance that have arisen in these relationships.
In the Report, the ACCC examined the role that data now has for digital platform companies (and others) and, unsurprisingly, found that data is likely to play an even more significant role in future. Against this backdrop, the ACCC found that, on the one hand, there is a lack of transparency on the part of digital platforms and, on the other, a lack of understanding and control on the part of consumers, when it comes to how digital platform companies collect and use personal information. As a result, the ACCC questioned whether the Privacy Act is still fit for purpose in the modern digital era, not only in regulating digital platform companies, but also more broadly across the economy.
The ACCC found that digital platform companies have overly long, complex and vague privacy policies and consumers have little meaningful choice about the way in which their data is collected and used. According to the ACCC, transparency over the collection and use of data is important so that users understand what data is being provided and how it is used. However, transparency alone is not enough. Consumers should have meaningful choice and control. The ACCC was particularly critical of ‘click-wrap’ agreements in the terms and conditions of digital platforms, with ‘take it or leave it’ terms and bundled consents, and the impact on some individuals as a result of consumer segmentation and profiling based on online profiles. To address these issues, the ACCC has recommended:
The ACCC’s view is that strong privacy laws empower consumers and promote competition, innovation and the welfare of consumers, and that this applies beyond digital platforms alone. The ACCC expressed the view that incremental amendments to the Privacy Act since its introduction have not been sufficient to address the volume and significant of privacy and data protection issues in the current digital and broader economy. According to the ACCC, the Privacy Act now requires a broader review, including as to its objectives. The ACCC has recommended:
To specifically deal with the issues raised in the Report about digital platforms’ privacy and personal information handling practices, the ACCC recommended the introduction of a Privacy Code for Digital Platforms, to be developed by the Office of the Australian Information Commissioner, in consultation with stakeholders. This would apply to all digital platforms supplying online search, social media and content aggregation services to Australian consumers.
To decrease the bargaining power imbalance between consumers and digital platforms, the ACCC has recommended (as the ALRC has done before it) the introduction of a tort for serious invasions of privacy. According to the ACCC, the tort would provide consumers with additional redress against companies for poor data practices and address gaps in the existing privacy framework. However, the ACCC did concede that the idea of the tort has previously been the subject of extensive review and controversy. In particular, the media has expressed concern about the impact such a tort would have on free speech.
Many of the recommendations would bring Australia closer in line with the European GDPR, but the ACCC stopped short of recommending that Australia adopt the GDPR wholesale. While the GDPR (and, in particular, its penalty regime) has spurred organisations in Europe and globally to pay more attention to their privacy practices, the extent of real, meaningful change remains to be seen. There has certainly been a proliferation of privacy notices and, as the ACCC referred to, ‘consent overload', however, the UK Information Commissioner has expressed concern that AdTech companies are still not meeting transparency and consent requirements under the GDPR. Further, consumers still bear some responsibility for reading notices and, as highlighted by the ACCC, many consumers feel they do not really have a choice about whether or not to use digital (especially social media) platforms. However, there would be benefits to Australian companies if Australia did receive a GDPR ‘adequacy’ decision from the European Commission.
Although the ACCC has recommended increased penalties (as referred to in the Interim Report), a call picked up by the Coalition government in March this year before the election, it is questionable how much meaningful impact this will have unless it is enforced. Indeed, a civil penalty has not been issued under the Privacy Act that has been in force since 2014. As well as the issue of enforcement, there is a question about how much of a deterrent a stricter penalty regime will have on the likes of Facebook and Google. It has been well reported recently that the Federal Trade Commission issued a $5b fine against Facebook for the Cambridge Analytica scandal. However, experts say that is just a blip on Facebook’s radar and it barely had an impact on its share price.
Despite these potential issues, there is a need to modernise the Privacy Act for the digital era and the recommended amendments to the Privacy Act would likely result in Australian organisations re-examining the ways in which they collect and use personal information.
On 26 July 2019, the government announced a 12 week consultation period, calling for stakeholder comments on the Report, which will be followed by targeted meetings. The submissions will be considered by government in formulating its response to the Report, so we expect the response is some time away yet.
Given the potential breadth of the recommended privacy reforms, the group of interested stakeholders who may want to make submissions will be broader than digital platform companies. If you would like assistance with a submission or to discuss the potential implications of the Report, please contact our team.