ACCC calls for significant reforms in Digital Platforms Inquiry Final Report (Part II): A platform for sweeping privacy reform

In brief 20 min read

This is the second of a two-part series in which we consider the ACCC's findings and recommendations in the final report of the Digital Platforms Inquiry. In this article, we unpack the ACCC's sweeping recommendations to strengthen privacy protections for individuals and to improve transparency and accountability in data handling practices for both digital platforms and other organisations regulated by the Privacy Act 1998 (Cth) (Privacy Act).

How does this affect you?

The Inquiry's recommendations for reform of privacy regulation in Australia are not limited to digital platforms – they are largely economy-wide and are likely to have implications across all businesses and commercial relationships.

• Significant changes to the Privacy Act. The ACCC proposed significant changes to the Privacy Act, which, if implemented, will require businesses to reconsider how they define personal information and revisit the operation of their consents and notification mechanisms for collecting, using and disclosing it. These recommendations include:
  • Expanding the definition of personal information to include technical data (such as IP addresses, location data, device identifiers and any other online identifiers);
  • Increasing minimum notification and consent requirements, including requiring consent to any secondary use and requiring data collection settings to be pre-set to 'off'; and
  • Requiring erasure of data on request, subject to limited exceptions.  
• A new approach to privacy policies and collection notices. In light of its findings that digital platforms' privacy policies were often 'long, complex, vague, and difficult to navigate', the ACCC proposed more rigorous obligations both as to the content and form of privacy policies and collection statements. These recommendations include:
  • Mandating that all APP entities provide notice on collection of personal information (whether collected directly or 'indirectly as a third party'), subject to limited exceptions;
  • Requiring these notices to be more informative, including the purpose for which each type of data is collected and disclosed, and the types of third parties to whom it will be disclosed;
  • Format measures to limit the 'information burden' on consumers, including the adoption of a multi-layered formats and standardised wording for categories of third parties; and
  • Categorising privacy policies as contracts, based on the ACCC's suggestion in its findings that privacy policies may be subject to the unfair contracts regime. Given privacy policies have arguably never previously been considered contracts, this interpretation would represent a new and potentially significant expansion of the application of that regime. 

• Specific regulation for digital platforms with the proposal to introduce an enforceable OAIC Privacy Code for digital platforms to cover multi-layered notice requirements, specific opt-in controls, adequate information security management and requirements to establish a time period for the retention of personal information not required for providing the core consumer-facing service.
• New and larger sticks to punish and deter privacy breaches. The ACCC recommended:
  • increasing the penalties for breaches of the Privacy Act to mirror the increased penalties for breaches of the Australian Consumer Law (ACL) (which the Government is already planning on implementing based on its April 2019 announcements - see Government proposes major changes to privacy law).
  • giving individual consumers a direct right to bring actions for breaches of their privacy under the Privacy Act; and
  • introducing a statutory tort for serious invasions of privacy.
• More change to privacy regulation on the horizon. The ACCC also recommended broader reforms of privacy laws to ensure effective protection of consumers' personal information, including in relation to the scope of the Privacy Act and the current small business, employee records and registered political party exemptions, protections for inferred information and de-identified data, and pursuing an adequacy determination for EU data information flows.
• Data portability could deliver long-term benefits in digital markets. The ACCC indicated it has further work to do to consider how data portability mechanisms – including through the application of the Consumer Data Right (CDR) – could help improve competition in relevant markets by enabling competitive entry and consumer switching, but declined to make any short-term recommendations in this respect. It also noted its proposed uplifts to the Privacy Act are not intended to, and would not, conflict with the privacy and information security protections outlined under the CDR framework.

Who else in your organisation needs to know about this?

• Legal, risk and compliance. The recommended changes to the Privacy Act would, if implemented, require significant changes to the ways in which legal teams advise on what types of information fall within the regulatory net and what constitutes satisfactory notification and consent for collection, use and disclosure of personal information. They would also require these teams to carefully communicate to the business the change in enforcement approach and its flow-on impact on risk and privacy impact assessments undertaken within the organisation.  
• Board and senior management. In Australia, we are seeing a broad trend in regulation that enhances board responsibility and accountability (see our latest updates on these trends here and here). It will be crucial for boards and senior management, across all industry sectors, to ensure they are well informed of the recommendations made by the ACCC and that they keep a close eye on the Government's response to these recommendations so they can address the changes in their business models for data handling and ensuring appropriate messaging is flowed down to the rest of the organisation.

The current system is broken

A key finding of the ACCC's Inquiry – and the key premise on which their associated recommendations are based – is that consumers are currently unable to make informed choices that align with their privacy and data collection preferences. According to the ACCC, this is due to three market and regulatory failures:

• the information asymmetry between digital platforms and consumers – customers are not generally aware of the extent to which their data is collected, used, shared and disclosed by digital platforms, which inhibits consumers' ability to ascertain which products align with their product preferences;
• bargaining power imbalances between digital platforms and consumers – digital platforms hold significant bargaining power compared with their users, which is reflected in their deployment of bundled consents and click-wrap agreements with take-it-or-leave-it terms that prevent consumers from providing well-informed and freely given consent to the way their data is collected, used and disclosed; and
• lack of effective deterrence – the lack of effective deterrence for exploitative data practices offered by existing Australian data protection laws has undermined consumers' ability to select a product that aligns with their individual privacy preferences.  

These findings led the Inquiry to conclude that:

Australian consumers are better off when they are both sufficiently informed about the collection and use of their data and have sufficient control over their data, so that they can make informed choices that align with their privacy and data collection processes.¹

Significant changes to the Privacy Act

The ACCC recommended the following uplifts to the Privacy Act to address these findings.

Expand the definition of personal information

Recommendation

The definition of personal information should be amended to clarify that it captures all technical data such as 'IP addresses, device identifiers, location data, and any other online identifiers that may be used [to] identify an individual'.

Rationale

The ACCC considers that there is significant legal uncertainty as to whether the definition of 'personal information' in the Privacy Act includes metadata such as IP addresses and other technical data (for a summary of the findings in Privacy Commissioner v Telstra Corporation Ltd, which discussed this issue, see our article here). The proposed update would also align with the definition of 'personal data' in the GDPR.

Impact

• The proposed change would, on its face, significantly expand the types of information that fall within the scope of the Privacy Act, and would require substantial changes to the way certain types of data is handled in Australia (particularly cookies and metadata).
• It will also likely leave organisations to resolve the issue of when a profile linked to a particular IP address or other online identifier 'may be used to identify an individual', in combination with technical data collected by trackers, such as cookies. However, while the formulation is superficially similar to the GDPR definition of personal information, the final wording of any change to the definition will be critical, as it currently also appears to assume these named categories of data (such as IP addresses) do in fact 'identify an individual'.

Enable the erasure of personal information

Recommendation

The ACCC recommended the introduction of an obligation for APP entities to erase the personal information of individuals without undue delay upon request by the individual, unless the retention of personal information is necessary for the performance of a contract with the individual, required by law or is otherwise necessary for an overriding public interest reason.

Rationale

The ACCC considers that this would give consumers greater control over their personal information and help mitigate the bargaining power imbalance between consumers and organisations. This is in line with the principles outlined in Article 17 of the GDPR which enshrines a 'right to be forgotten' where it is no longer necessary, or the data subject has withdrawn consent, with certain limited exceptions.

Impact

Compliance with this requirement would involve a major compliance burden for APP entities, who would need to implement administrative and operational processes to ensure they can respond to consumers' requests to erase their data (eg by keeping track of the various locations and instances where data is stored and having technical mechanisms for secure deletion across those locations).

Strengthen notification requirements – a new approach to privacy policies and collection notices

Recommendation

• (When notice is required) The ACCC proposed that all APP entities should be required to provide notice of collection of personal information (whether the collection of information is directly from the consumer, or 'indirectly as a third party'), unless the individual already has the information which would be contained in the notice or an overriding legal or public interest reason applies. This would uplift the current requirements under APP 5 of the Privacy Act that APP entities 'take such steps (if any) as are reasonable in the circumstances' to notify the individual.
• (Content and form of notice) The ACCC also made recommendations designed to make these notices more informative, including requirements to outline the purpose for which each type of data is collected and, where the data will be disclosed to any third parties, the types of third parties and the purposes of disclosure. Finally, the ACCC has proposed changes to the manner in which these notices and consents are delivered (including to relieve the 'information burden' on consumers), suggesting the adoption of a multi-layered format, standardised icons and phrases and standardised wording for categories of third parties.

Rationale

As part of the Inquiry, the ACCC undertook a comprehensive review of various digital platforms' collection notices and privacy policies, and noted the tendency for such notices (and accompanying privacy policies) to be vague, general and broadly worded. It concluded that a clear, transparent and accessible notice would 'significantly decrease the information asymmetry between consumers and businesses who collect, use and disclose personal information'.2

Impact

• In practice, it is likely that most organisations collecting personal information directly from an individual are already providing some form of collection statement (on the basis that there are very few circumstances where it would be 'unreasonable' to do so). However, the proposed uplifts are likely to pose various operational difficulties for organisations, both in adding sufficient detail to, and amending the form of, their current notices, and ensuring that the same notification requirements are being strictly observed by 'first party' organisations that collect personal information from individuals on their behalf.
• Practically, it will be interesting to see:
  • how organisations manage to effectively balance greater and more specific disclosure (and consent) obligations with requirements to be clear and concise; and
  • whether the suggestions to develop standard approaches to disclosure will be borne by regulators or expected to be developed by the market. 

Strengthen consent requirements

Recommendation

• (Conditions for valid consent) The ACCC recommended the definition of 'consent' in the Privacy Act be updated to reflect the standard imposed by the EU GDPR (and currently set out in the non-binding APP Guidelines). That is, consent should be:
  • by clear affirmative act: an affirmative act such as ticking a box is required and any settings that enable data collection must be pre-selected to 'off';
  • freely given: the provision of a service must not be conditional on consent to processing personal information that is not necessary for the provision of the service;
  • specific and unambiguous: consents must be separately obtained and unbundled from other consents; and
  • informed.
• (Consent required for secondary use) The Final Report also recommends that all collection, use and disclosure of personal information should require consent from consumers unless the personal information is necessary for the performance of a contract to which the individual is a party, required by law or is otherwise necessary for an overriding public interest reason. This is a much stricter requirement than the current rules under APP 3 and APP 6, respectively, which allow collection of information that is reasonably necessary for an entity’s functions or activities; and use or disclosure in accordance with the primary purpose for collection as well as for secondary purposes that an individual would 'reasonably expect'.

Rationale

The ACCC considers that the current framework for collection, use and disclosure of personal information under the Privacy Act is broad enough to permit an entity to describe, in general terms, the functions or activities for which it collects personal information – and each of these functions or activities could be a 'primary purpose'. This would then mean the entity could use (or disclose to a third party) personal information for any of those functions or activities (even where they are not strictly necessary for the provision of the relevant service) without being required to seek consent from the consumer. This state of play, according to the ACCC, significantly undermines consumer control.

Impact

• This change would impact a wide variety of businesses that process personal information on the basis of their consumers' 'reasonable expectation'. Organisations have often sought to establish a reasonable expectation through disclosures in an organisation's privacy documentation (which, as noted above, has been criticised for often being overly vague and general and enshrining broad discretions for use of personal information in ways that are not essential to the provision of the service).
• Moreover, the ACCC does not propose an exception to the requirement to obtain consent equivalent to the GDPR's 'legitimate interests' ground, which allows processing of personal data in the legitimate interests of the organisation. Pointing to the 'considerable uncertainty' which surrounds that test, the upshot of the ACCC's (largely unfettered) recommendation is that the consent requirements under the Privacy Act could, in fact, be more rigorous than those imposed under the GDPR.
• This is bolstered by the fact that the boundaries of what is 'necessary for the performance of a contract' are likely to be limited to use of data which is integral to delivering the contractual service or taking the requested action (and much narrower than any current 'secondary purpose'). Notably, the reforms would require organisations to obtain separate consent to collect, use or disclose personal information for targeted advertising purposes, which could not be made a requirement (ie a 'take it or leave it') of providing the service.

Privacy policies as contracts? The proposed application of unfair contract terms to privacy policies

In the Final Report, the ACCC expresses the view that:

digital platforms consumer-facing terms of use and privacy policies would likely be considered standard form contracts, which would mean they must comply with the unfair contract term provisions in the ACL.³

This is more than empty words, with the ACCC disclosing it is currently investigating whether terms of use and privacy policies used by Facebook contain unfair contract terms; and recommending that unfair contract terms be prohibited (rather than just voidable) (For more detail, see our findings in Part 1).

This view presents a significant development, given that privacy policies have arguably never previously been described as contracts, with the OAIC consistently referring to them as 'a key tool for meeting APP 1’s objective of ensuring that APP entities manage personal information in an open and transparent way'.⁴ It may indicate the ACCC will follow the path of regulators overseas in using consumer law to prosecute opaque, unfair or misleading data handling practices. This is particularly significant given the Final Report's recommended reforms to the ACL, some of which (eg the introduction of a prohibition on certain unfair trading practices) are likely to add additional regulatory layers to certain data handling practices. It will certainly be an area to watch.

Specific Privacy Code for digital platforms

In addition to the proposed industry-agnostic reforms, the ACCC also recommended the introduction of a specific Code of Practice for digital platforms, to be managed by the OAIC, which would be enforceable under the Privacy Act. This would include multi-layered notice requirements, specific opt-in controls, adequate information security management and requirements to establish a time period for the retention of personal information not required for providing the core consumer-facing service.  

New and larger sticks: greater enforcement powers and capabilities

The Final Report identified a lack of effective deterrence in the way digital platforms handle (and potentially misuse) the data of their consumers. Citing the need to align penalties for serious or repeated interference with privacy with international standards and proportionality to risk of harm, the ACCC made several recommendations to increase the bite of the Privacy Act (which, again, would apply across all industry sectors):

• Increase the penalties for breach. In line with what was proposed by the Government prior to the election (see more here), the ACCC recommended bringing the penalties for serious or repeated interferences with privacy in line with the new civil pecuniary penalties available under the ACL. That is, penalties would be up to the higher of:
  • $10,000,000;
  • three times the value of the benefit received; or
  • 10% of the organisation's annual turnover in the last 12 months, if a court cannot determine the benefit obtained from the offence.

This represents a significant increase to the existing penalties available under the Privacy Act for serious interferences with privacy, which are currently capped at $2.1 million for corporate entities.

• Introduce direct rights of action for individuals under the Privacy Act.
  • The ACCC also proposed the introduction of a statutory right for an individual to make a civil claim for breach of their privacy under the Privacy Act. This, again, would be a fundamental shift from the current operation of civil penalties under the Privacy Act (which may only be sought by the OAIC in response to an individual's complaint or an investigation into an entity's data handling practices, but not by individuals themselves).
  • Data breach class actions have been on the rise in the US – having already been brought against targets like Target, Yahoo, Ashley Madison and Home Depot following high-profile data breach scandals – and may now be on the horizon in Australia if these individual rights of redress are passed. (For more on data breach class actions, see A global snapshot of data breach class actions and Where are all the data breach class actions in Australia?)
• Introduce a tort for serious invasions of privacy.
  • In addition to recommending individual rights of redress under the Privacy Act, the Final Report adds to a growing number of comprehensive reports released by Australian law reform bodies recommending the introduction of a statutory cause of action for invasions of privacy.⁵
• The tort would provide a mechanism to pursue breaches of privacy in situations that are not regulated under the Privacy Act, and would also align Australia with several foreign jurisdictions.⁶ However, given the historical responses to previous iterations of this proposal by various federal and state governments in Australia, it may not receive significant traction.

More (significant) change to privacy regulation on the horizon

The ACCC also recommended the Government consider broader reform of Australian privacy legislation, including the following issues which will have potentially significant and wide-ranging impact:

• Scope of Privacy Act. The ACCC has drawn attention to whether the current exemptions for small businesses, employee records and registered political parties should be removed.
• Protections and standards relating to inferred information and to de-identified information. The ACCC's recommendation to consider whether the Privacy Act should offer protections for inferred information (ie the use of data analytics based on personal information to infer additional information about an individual) and de-identified information could challenge the current business model of many organisations that avoid privacy legislation through the use of de-identified data or data that is not sufficiently linked to an identifiable individual.
• Pursuing an adequacy determination for EU data information flows. If pursued, this recommendation will facilitate ease of data flows between Australia and the EU as cross-border transfers from the EU to Australia will be permitted.
• Introducing a third-party certifications scheme. This recommendation would see certain businesses undergoing external audits to monitor, and publicly demonstrate compliance with, applicable privacy laws through the use of a data protection seal or mark.

Data portability as a long-term goal

The ACCC indicated that although portability of data held by digital platforms may offer significant benefits to current and potential future markets in the long term, it has further work to do on this front, noting that:

• data portability would be unlikely to have any significant short-term impacts; and
• digital platforms are distinguishable from other industry sectors such as banking because they are provided for free and offer less incentive to switch – especially while they continue to hold substantial market power (eg a Facebook user is unlikely to move to a rival platform if all their contacts remain on Facebook, but the same is not necessarily true in other markets like banking).

As a consequence, the ACCC declined to make any concrete recommendations in the Final Report in relation to data portability for digital platforms. Rather, the ACCC suggested that the potential application of the Consumer Data Right regime to digital platforms will be considered by the ACCC in the ordinary course as it weighs new sectors to which this framework should apply in the future.

The ACCC also acknowledged some stakeholder concerns that the recommended uplifts to the Privacy Act may contain differences to the privacy and information security protections outlined as part of the CDR framework, and could therefore result in conflicting levels of privacy protection for consumers. In response, the ACCC noted the Inquiry's recommendations are 'forward-looking proposals' to strengthen Australia's overarching privacy regulation; while the CDR operates within the existing legislative framework to deal with certain types of data and means of accessing that data in specific industry sectors. On that basis, the CDR privacy protections should be viewed as extra protections applicable only to CDR data (as that term is defined under the CDR framework). For more on the intersection of the Privacy Act and the CDR's privacy safeguards, see our analysis here.

Next steps

For now, the Federal Government has indicated it is considering the ACCC's recommendations, with a view to releasing a detailed response before the end of the year. The Treasurer has indicated this will include a 12-week consultation to obtain feedback on the Final Report.

We will be watching closely to see if and how the Government reconciles the ACCC's recommendations in light of its own proposed changes to the Privacy Act announced earlier this year.