01 August 2019
As we reported on 29 July 2019, the Australian Competition and Consumer Commission (ACCC) has released its Digital Platforms Inquiry (DPI) Final Report. This is the second article in our series considering what the Final Report’s recommendations may mean for local and foreign businesses that deal with Australian consumers.
‘Digital platforms’ is a catch-all term for a wide variety of online businesses offering diverse services. Under the DPI terms of reference, the ACCC was directed to focus on search engines, social media and content aggregation platforms.
Many digital platforms operate under a distinct business model providing services to consumers for zero monetary cost in exchange for consumers’ attention and use of their data. The platforms then 'monetise' that data by selling targeted advertising, from which they typically earn the majority of their revenue.
Despite the focus of the terms of reference on specific types of digital platforms, five of the six recommendations in the Final Report relating to data privacy are intended to apply ‘economy-wide’, and only one is targeted solely at digital platforms.
If all of these recommendations are implemented, the aspects that extend beyond what might be seen as current global best practice could add significantly to the compliance burden for foreign firms doing business in Australia.
We also see the potential for some unintended adverse outcomes for consumers.
The Final Report states that the detriment suffered by consumers in their dealings with digital platforms:
“…may extend to the myriad of industries across the Australian economy that collect, use or disclose the user data of Australians. This is because information asymmetries, bargaining power imbalances, and behavioural biases identified in this chapter also characterise the data practices of many other businesses beyond digital platforms.” (page 449)
Coupled with the results of certain, relatively simplistic, consumer surveys, this ‘may extend’ way of thinking forms the basis for the recommended economy-wide reforms.
The ACCC has flagged financial institutions, telcos, retailers offering rewards schemes, airlines and media businesses as potentially having data practices with many of the same features as those of digital platforms.
The ACCC sets the scene for reform in the Final Report as follows:
“The ACCC notes that, since the Privacy Act was passed 30 years ago, the Internet and digitalisation have radically altered the ways in which businesses and consumers interact and exchange personal information. Numerous amendments have been made to the Privacy Act, but these incremental changes may not be sufficient to address the volume and significance of privacy and data protection issues proliferating in the digital economy. The data practices of digital platforms considered in this chapter demonstrate some significant gaps in Australian privacy laws.” (page 437)
There is little doubt that the data privacy regulatory regime has not kept pace with the multiple ways in which many businesses collect, use, share and deal in data.
For the ACCC, however, this is not only about privacy – its consideration of broader consumer welfare issues has led it to extend its recommendations to changes to the Australian Consumer Law.
In its analysis of consumer welfare, the ACCC places significant weight on consumer survey data which indicates a strong consumer preference for having control over the data collected about them (especially location data and internet browsing data) and how it is used and disclosed. These results are hardly surprising, but the issue the surveys do not appear to address is whether consumers value this control more than some of the benefits that access to data drives (e.g. improvements to the quality of services or the ability to offer services for free).
The ACCC is highly focused on the importance of consumers being able to make ‘informed choices’ about the handling of their data. Some of its key findings in this context include:
The ACCC did not propose wholesale adoption of the European Union General Data Protection Regulation (GDPR), but was influenced by the GDPR in making certain recommendations for reform, observing generally that:
“closer alignment of Australian privacy regulations with the GDPR’s higher standards of protection could significantly increase the effectiveness of Australian privacy law and increase the accountability of entities processing the personal information of Australian consumers”. (page 439)
While one could argue with the ACCC's justification for pursuing ‘economy-wide’ privacy reform, some sectors of the Australian economy (e.g. e-commerce) are taking steps towards GDPR compliance in any event. An impetus for this is global businesses wishing to avoid multiple data handling regimes across different jurisdictions and simply adopting the GDPR as the global ‘high water mark’.
Significantly, however, the ACCC’s recommendations around consumer consent appear to be stricter than the GDPR. In summary, the ACCC’s key recommendations are:
Australian privacy law reform is perhaps inevitable. Global convergence towards the standards of the GDPR means that recommendations that align with the European privacy regime are unlikely to impose significant additional regulatory burdens on the majority of businesses operating in Australia.
Rather, it is the recommendations relating to consent, which are stricter than the GDPR protection standard, that are likely to present a greater compliance challenge. In particular, more stringent consent requirements coupled with unbundling consents potentially present real IT system challenges, with systems needing to be able to record and implement diverse consent patterns on an individual consumer level based on the particular services acquired.
In addition, the consent recommendations and the proposed digital platforms privacy code arguably raise some fundamental issues in relation to the way digital platforms operate. The ACCC has acknowledged that data collection drives the ability to offer valuable services without charge and to improve those services over time. In an individual case, much of the data collected may not be necessary for the provision of the particular digital service a consumer is receiving. However, the potential cumulative impact of successive decisions by consumers to refuse consent for such data collection (or a simple failure to adjust mandated default settings which would prevent the collection) has not been addressed by the ACCC, either in terms of quality of service or the ability to offer services at no charge.
Given the potential for unintended adverse outcomes in terms of consumer welfare, there is arguably substantial further work required to come to grips with these issues before the ACCC’s recommendations are adopted.
Perhaps the key takeaway from the data privacy sections of the Final Report is that the ACCC does not view data privacy as an issue solely for OAIC regulation. The ACCC is now thinking about data privacy as a consumer issue that may equally be addressed under the Australian Consumer Law as misleading or deceptive conduct, unfair contract terms or unconscionable conduct. In line with other jurisdictions, such as the US and Germany, we can expect to see the ACCC being prepared to pursue enforcement action to address data privacy issues under competition or consumer protection legislation.
The ACCC has also expressed a clear preference for consumers to be able to bring actions directly if they choose to, whether under the Privacy Act or Australian Consumer Law.
This article is the second in a series examining the implications of the ACCC Digital Platforms Inquiry Final Report from a range of perspectives, including data privacy, competition, merger regulation, harmonisation of media regulation, adtech, fairness issues and enforcement.