‘Informed choice’: significant data privacy reforms on the horizon for Australia

Following its recent detailed examination of the functioning of Australia’s digital economy, the Australian Competition and Consumer Commission (ACCC) has released its Digital Platforms Inquiry (DPI) Final Report.

The ACCC’s recommendations are wide ranging, and include a series of proposals relating to data privacy which, if implemented, would have broad impacts across the entire economy and significant implications for global businesses that deal with Australian consumers. 

 We also see the potential for some unintended adverse outcomes for consumers.

The case for reform

The primary focus of the DPI was digital platforms and the media. Digital platforms typically operate under a distinct business model providing services to consumers for zero monetary cost in exchange for their attention and use of their data. The platforms then 'monetise' that data by selling targeted advertising, from which they earn the majority of their revenue. 

This business model poses some specific challenges in terms of data privacy, but the ACCC makes a case for ‘economy-wide’ reforms, citing a number of other sectors with data practices it considers to be similar, including financial institutions, telecommunications service providers, retailers offering rewards schemes, airlines and media businesses.

Concerns regarding current practices

It is fair to say that Australian data privacy regulation has not kept pace with the multiple ways in which businesses collect, use, share and deal in data as part of the digital economy. For the ACCC, however, this is not only about privacy, but also consumer protection.

In its analysis of consumer welfare, the ACCC places significant weight on consumer survey data which indicates a strong consumer preference for having control over the data collected about them (especially location data and internet browsing data) and how it is used and disclosed. While these results are hardly surprising, what the surveys do not appear to address is whether consumers value this control more than some of the benefits that access to data drives (e.g. improvements to the quality of services or the ability to offer services for free).

The ACCC is highly focused on the importance of consumers being able to make ‘informed choices’ about the handling of their data. Some of its key findings in this context include: 

• Bargaining power imbalances and information asymmetries between digital platforms and consumers create inherent difficulties for consumers in accurately assessing the current and future consequences of providing their user data.
  
  
• Consumer consents using click-wrap agreements with take-it-or-leave-it terms that 'bundle' a wide range of consents mean that consent is not truly informed or voluntary.
  
  
• Many privacy policies are long, complex, vague and difficult to navigate. 

Key recommendations

Most of the ACCC’s recommendations would bring Australian privacy law into closer alignment with the European Union General Data Protection Regulation (GDPR). However, the ACCC’s recommendations regarding consumer consent appear to be stricter than the GDPR in some respects. The ACCC’s key recommendations are: 

• Strengthened protections in the Privacy Act (in line with the GDPR). A range of amendments are intended to broaden the definition of ‘personal information’ to encompass technical data (such as location data and IP addresses) and impose more prescriptive notification requirements at the time of collection.
  
  
• Strengthened consent requirements in the Privacy Act. These would require consumer consent for any collection, use or disclosure that is not necessary for the performance of a contract to which the consumer is a party (with some limited exceptions). Significantly, the ACCC does not recommend adoption of the GDPR exception for use or disclosure for the ‘legitimate interests’ of the collector. Separately, it has recommended that valid consent must be clear, affirmative (i.e. default settings should not allow collection and processing), specific (i.e. consents should not be bundled), unambiguous and informed.
  
  
• A prohibition against unfair contract terms. The ACCC has recommended that unfair contract terms be prohibited and not just voidable, meaning that civil pecuniary penalties would apply to their use. This could add significantly to the compliance burden for businesses contracting with Australian consumers and small businesses.
  
  
• A direct individual right of action for an interference with privacy and increased penalties.
  
  
• A new Privacy Code specifically for digital platforms. 
  
  
• A statutory tort for serious invasions of privacy.
  
  
• A prohibition against certain unfair trading practices (beyond unfair contracting). 

What’s ahead?

Global convergence towards GDPR standards means that the ACCC recommendations that align with the European privacy regime are unlikely to impose significant additional regulatory burdens on the majority of businesses operating in Australia. However, the recommendations relating to consent, which are stricter than the GDPR protection standard, are likely to present a greater compliance challenge. In particular, when coupled with unbundling consents, more stringent consent requirements could present real IT system challenges, with systems needing to be able to record and implement diverse consent patterns on an individual consumer level based on the particular services acquired. 

Further, both the consent recommendations and the proposed digital platforms privacy code arguably raise some fundamental issues in relation to the way digital platforms operate. The ACCC has acknowledged that data collection drives the ability to offer valuable services without charge and to improve those services over time. In an individual case, much of the data collected may not be necessary for the provision of the particular digital service a consumer is receiving. However, the potential cumulative impact of successive decisions by consumers to refuse consent for such data collection (or a simple failure to adjust mandated default settings which would prevent the collection) has not been addressed by the ACCC, either in terms of quality of service or the ability to offer services at no charge.

Perhaps the key takeaway from the data privacy sections of the DPI Final Report is that the ACCC does not view data privacy as an issue solely for privacy regulation – instead, it is thinking about it as a consumer issue that may equally be addressed under the Australian Consumer Law. 

Australian privacy law reform is perhaps inevitable. In line with other jurisdictions, such as the US and Germany, we also expect to see the ACCC pursue enforcement action under competition or consumer protection legislation to address data privacy issues.