Privacy law reform is now full steam ahead – Australian Privacy Act Review
On 30 October 2020, the Attorney-General’s Department released an issues paper and terms of reference for an internal review by the Department of the federal Privacy Act 1988 (Cth). Interested Australians were given four weeks to review and decide whether and how to respond to 68 questions posed by the 90-page issues paper.
The issues paper picks up many of the criticisms made by the ACCC in its Digital Platforms Inquiry Final Report. The Department asks questions related to the ACCC’s recommendations for ramping up notice and consent requirements under the Privacy Act. The outcome of the review will be recommendations made to the Attorney-General as to privacy law reform to address drafting and prominence of privacy policies and notices, when consent must be obtained, preconditions for valid consent (and opt-out versus opt-in), and so on.
The issues paper also asks other questions which go far beyond those oft debated issues. The review can be expected to make recommendations which affect the fundamentals of the digital advertising business. Areas to be addressed include processes and practices for handling of consumer data and associated technical architecture and data governance, use and sharing of online tracking codes (including ‘cookie matching’), third party behavioural advertising, and targeted and one-to-one direct marketing enabled through joining and analysis of offline data and online identifiers.
Questions asked include:
Does the Act strike the right balance between the use of personal information in relation to direct marketing?
What approaches should be considered to ensure the Act protects an appropriate range of technical information?
Should the definition of personal information be updated to expressly include inferred personal information?
Should there be additional protections in relation to de-identified, anonymised and pseudonymised information? If so, what should these be?
This review involves Department officers evaluating answers suggested by stakeholders to each of these questions, and 63 others. The Department will then formulate its own recommendations. The Department’s recommendations will inform drafting by the federal Government of proposed new law and regulation.
Finding the right answers in relation to regulation of digital advertising requires policymakers to understand the adtech business and technical processes. In particular, policymakers need to understand what good data governance in digital advertising should look like, and the appropriate scope for regulation and industry codes in ensuring responsible handling and use of online tracking code. With current interest of consumer organisations and academics in developing new restrictions as to profiling of consumers, we can expect close attention to the role of regulation to promote fair and transparent use of audience segments, including lookalikes, inclusion and exclusion audiences, to promote benefits for consumers and guard against anticompetitive practices and overly intrusive or otherwise adverse or unanticipated outcomes for consumers.
The digital advertising sector needs to actively participate in this review, to ensure that the Department is properly informed as to how the advertising services sector and digital marketing work. Unless a broad cross-section of the sector expresses their respective views, recommendations of the review might be expected to be skewed towards the views of the ACCC and the few large players that can afford to devote significant time and effort into influencing the Department’s thinking.
The issues paper says that the Department will review submissions and that its next deliverable will be a discussion paper to be released in early 2021. This further paper will “seek more specific feedback on preliminary outcomes, including any possible options for reform”. Accordingly, decisions to be made by the Department as to the narrowing of issues that will be addressed, and as to preliminary outcomes to address that narrowed list of issues, will be made on the basis of this current round of consultation. To put it another way, this round of consultation will set the priorities and frame used to determine preliminary outcomes.
The review is wide-ranging and will likely result in a significant overhaul to Australia’s current privacy regime. It builds upon reforms announced by the Government in March 2019 to increase maximum civil penalties for serious or repeated privacy breaches from $2.1 million to the greater of: 10 per cent of a company’s annual domestic turnover; $10 million; or three times the value of any benefit obtained through the misuse of information. That announcement was over eighteen months ago – this review, and the release of this issues paper, has been a long time coming.
However, the Department now appears to be in a hurry. If the Department doesn’t slow down, many stakeholders in the digital advertising sector are going to struggle to keep up and be heard sufficiently early in the process to influence the answers that this important inquiry will propose.
Many people in the Australian digital advertising sector follow the never-ending policy debate in Europe as to online identifiers, the proposed ePrivacy Regulation and ongoing implementation of GDPR. Many of those people express the view that they expect that data privacy reforms will move regulation in Australia of digital advertising closer to the GDPR. That view may well be wrong. The ACCC was clearly impressed by the GDPR focus upon consent to cookies and enhanced requirements for consent. However, the Department may be less impressed by the GDPR approach.
Many interested parties in Australia don’t think that the GDPR approach is the best way to go. There are good reasons to argue that the GDPR encourages data custodians to ‘paper their way to compliance’, through ever more fulsome notices and numerous requests for consent. This places a further burden on consumers, of notices and ‘I agrees’. Of course, the thrust of GDPR regulation has been taken up in some other jurisdictions. Most notably, the California Consumer Privacy Act (CCPA) adopts much of the enhanced notice and consent architecture of the EU GDPR, and puts ‘consent’ (if that is what clicking “I agree” really is) by the consumer at the heart of regulatory compliance.
However, GDPR and CCPA are not unchallenged contenders as the new ‘gold standard’. Some of the influential proposals for a federal US privacy law adopt a fundamentally different approach, requiring organisational accountability of data custodians through demonstrably reliable and responsible handling of consumer data, regardless of what consumers might have ‘agreed to’ through clickthrough of ‘I agree’. Similarly, the brand new Canadian Bill C-11 for a Consumer Privacy Protection Act, unveiled just last week, emphasises the substance of accountable, fair and responsible practices by data custodians, over form of notice and consent by consumers.
The Canadian Bill states: “An organization may collect, use or disclose personal information only for purposes that a reasonable person would consider appropriate in the circumstances”.
That ‘appropriate purposes’ assessment is to be made having regard to factors listed in the proposed statute. These are: the sensitivity of the personal information; whether the purposes represent legitimate business needs of the organization; the effectiveness of the process in meeting the organization’s legitimate business needs; whether there are less intrusive means of achieving those purposes at a comparable cost and with comparable benefits; and whether the individual’s loss of privacy is proportionate to the benefits in light of any measures, technical or otherwise, implemented by the organization to mitigate the impacts of the loss of privacy on the individual.
The ‘appropriate purposes’ assessment is not easy. However, the factors that must be taken into account are stated in plain English, and as plain French as that language can get. Compare a dip in these transparent and bracing Canadian regulatory waters, to a swim in the murky pond of EU GDPR: there are valid reasons for the advertising services sector, and for consumers, to rethink whether GDPR really is the gold standard that it is often touted to be.
Australia now has diverse recent regulatory models to pick and choose from. There is this new Canadian example, the recently revised Singapore example, the quite original Data Protection Bill of India as now before the Lok Sabha, the now evolving federal US model, EU GDPR and CCPA. Or Australia might bravely strike out on its own course. It should be borne in mind that Australia’s recent enactment and implementation of the Consumer Data Right has no close equivalent in any other country. Similarly, the draft federal Data Availability and Transparency Bill is also unique in its policy conception and proposed implementation. The federal Government has shown a willingness to strike its own path on regulation about uses and sharing of data by both the public sector and private sector.
You may not like what this review may propose. You may not like the now accelerated timetable that has left little opportunity for considered input by the digital advertising sector. However, the Department and the federal Government may plough ahead and come up with novel regulatory proposals that reshape the digital advertising sector. Those proposals might well be different to proposals promoted by the ACCC. It is time to start taking notice, expressing views and informing people in Canberra who are now immersing themselves in how consumer data is being collected, shared and used across the Australian economy and in the digital advertising sector.
What do Australian businesses need to do now?
Consider whether your organisation’s handling of personal information about identifiable individuals is reliably only for purposes that a reasonable person would consider appropriate in the circumstances.
Consider whether your handling of online tracking code and use of technologies to deliver targeted advertising is appropriately separated from your handling of personal information about identifiable individuals.
Review arrangements with other participants in advertising data ecosystems in which you participate and whether those arrangements are appropriate for you to be able to provide reliable and verifiable assurance to consumers that those other participants are handling consumer data consistently with the standards that you apply to your own organisation.
Peter Leonard, Principal, Data Synergies and Professor of Practice, UNSW Business School
27 November 2020