ACCC Recommends Wide-Ranging Changes To Australian Privacy Laws

This article was written by Michael Swinson.

On 26 July 2019, the Federal Government released the ACCC's much-anticipated final report on the Digital Platforms Inquiry (the product of over 18 months of effort).  Originally framed as an inquiry into the impact of digital platforms (including search engines, social media platforms, and digital content aggregators) on the state of competition in the media and advertising services markets, the recommendations in the final report are much wider in scope and will directly affect many other sectors of the economy.  Most notably, while reserving some specific recommendations for digital platform operators, the final report recommends broad-ranging changes to Australian privacy laws. 

Economy-wide impacts

In justifying the broad reach of its recommendations, the ACCC asserts that the Australian privacy regime must "require a clear and consistent standard of data protection across different industries the data-driven digital economy to consistently protect consumers and to achieve the economy-wide potential benefits of data." Certainly, if the ACCC's recommendations on privacy reform are implemented, they will have a significant economy-wide impact. This will no doubt attract attention from a wide range of consumer-facing businesses that are heavy users of consumer data but may only have been keeping one eye on the Digital Platforms Inquiry, on the assumption that they would not be directly affected by its outcome.

Government's reaction still uncertain

While accepting the ACCC's overriding conclusion that some degree of reform is required, the Government has not yet committed to implementing all of the ACCC's recommendations. The Government's formal response will be informed by a public consultation process led by Treasury and involving the Department of Communications and the Arts as well as the Attorney-General's Department. The consultation process will run for 12 weeks and will enable interested stakeholders to provide feedback on the final report and its implementation. Following this consultation, the Government will finalise its response by the end of 2019. Given the reach of the ACCC's recommendations, we expect a far broader level of engagement in this consultation process compared to the Digital Platforms Inquiry itself, with submissions from many other concerned industries.

Key operational impacts

Key aspects of the ACCC's privacy-related recommendations that may have a material operational impact on any business that relies upon the collection and use of consumer data include:

  • Mandatory consent requirements – the ACCC recommends that consent be required whenever a consumer's personal information is collected, used or disclosed except where necessary for the performance of a contract to which the consumer is a party (or as otherwise required under law or for an overriding public interest). Valid consents would have to be given by some clear affirmative act, with any data collection settings being defaulted to "off". If implemented, this recommendation will likely result in many organisations having to significantly increase their reliance upon consumer consent. In particular, consents may be required for any processing of personal information that goes beyond what is required to provide an organisation's core consumer-facing service. For example, this could extend to targeted advertising, which is a focus of the ACCC's report. But it could also potentially extend to other ancillary activities such as: security and fraud monitoring, performance measurement and assessment, quality control and training, and market and product research. While to some degree the ACCC's recommendations in this area align to the European GDPR (widely seen as the "high watermark" for privacy protection around the world), the ACCC has deliberately chosen to exclude the provision in the GDPR that permits processing of data by an organisation for "legitimate interests" (which the GDPR explicitly acknowledges may extend to things such as use of data to prevent fraud or for direct marketing) on the basis that this concept is too uncertain. This could lead to a stricter and more rigid regime in Australia, with the focus on consent potentially resulting in a more cumbersome, confusing and unsatisfactory user experience for consumers.

  • Enhanced notice requirements – the ACCC recommends that existing obligations for organisations to notify consumers about the collection, use and disclosure of their personal information be strengthened. Notices should be designed to be concise, transparent, intelligible and easily accessible using clear and plain language. The ACCC is also critical of privacy policies that are long, complex, difficult to navigate, and potentially ambiguous or unclear in their use of language. The ACCC recommends that privacy policies be redesigned to adopt a multi-layered format, with essential information on key points covered in a concise initial layer, with consumers then able to access more detail in subsequent layers (potentially right down to very specific details, such as the name and contact information for every third party with whom personal information may be shared). This may require many businesses to revisit their current notification practices, and to update their privacy policies to align with the ACCC's design recommendations. It may also present some significant challenges, as there is an inherent tension between the objectives of (i) developing clear, concise and easily intelligible documents and (ii) providing comprehensive information about often complex data management practices. The ACCC suggests that some of these challenges may be overcome using standardised language or icons with pre-defined meanings. However, the extent to which it would be practical to do this across a wide range of different businesses, all of which may have unique data management practices, remains to be seen.

Other wide-ranging recommendations

Other important recommendations by the ACCC in this area include: expanding the scope of "personal information" to specifically capture technical data (e.g. IP addresses, device identifiers and location data) that may be used to identify an individual; introducing a new right for consumers to be able to require the deletion of their personal information (equivalent to the "right to be forgotten" under the GDPR); introducing a new direct right for individual consumers to bring actions for breaches of the Privacy Act (where currently they must generally rely upon the Information Commissioner to take action on their behalf); increasing the civil penalties available under the Privacy Act to align with those available for breaches of the Australian Consumer Law (consistent with changes that the Government signalled back in March 2019 that it would be proposing); and introducing a new statutory tort for serious invasions of privacy (aligning with recommendations made by the ALRC and others over a series of previous privacy-related reviews in recent years).

The ACCC's final report also includes some more targeted recommendations that apply only to digital platform operators – including that a new enforceable privacy code of practice be developed for digital platforms – and that will not directly impact other businesses.

Recommendations for further reform

Besides the specific recommendations mentioned above, the ACCC's final report also recommends a broader review of Australian privacy law be undertaken to consider whether other changes may be necessary or appropriate to further protect consumer interests. While the report does not provide much detail on what further reforms may be required, it does recommend that any broader review should consider whether:

  • the scope of the Privacy Act should be expanded to cover some entities that are currently exempt (e.g. small businesses, employers in relation to employee records, and registered political parties);

  • additional regulation is required for inferred information (i.e. information that is based on assumptions drawn from some other underlying data, rather than on more specific inputs); and

  • additional protections or standards should be implemented for de-identification, anonymisation or pseudonymisation of personal information.  

The ACCC also recommends that any broader review should consider updating the Privacy Act to more closely align with the GDPR (as things stand Australia is not recognised by the European Commission as a jurisdiction that provides an "adequate level" of data protection, in large part because of exemptions that currently apply under the Privacy Act that do not apply under the GDPR) so as to facilitate freer flow of information between Europe and Australia.

Concluding thoughts

If implemented, the ACCC's recommendations would require substantial changes to an area of law that was reviewed in-depth only a short time ago (with the last major revision of the Privacy Act coming into effect in 2014). This in some part reflects the challenges faced by the legislature to keep pace with quickly-changing data collection and processing technologies.  It also reflects recent significant developments in this area of law in other important economies, including through the implementation of the GDPR in Europe. The growing influence of global businesses that are potentially exposed to a range of different local regulatory regimes means that any push to seek a degree of harmony on key points has a strong appeal. 

If you would like to know more about any of the recommendations made by the ACCC in the Digital Platforms Inquiry final report, including the potential implications for your business, we would be happy to assist.