Introduction
1 The Office of the Australian Information Commissioner (OAIC) welcomes the opportunity to comment on the Australian Competition and Consumer Commission’s (ACCC) draft determination in respect of the application for authorisation lodged by BP, resellers of fuel under the BP brand (BP Resellers), Qantas Airways Limited and Qantas Frequent Flyer Limited (the Applicants) on 5 September 2019.
2 The ACCC proposes to grant authorisation for five years to the Applicants to collectively participate in the BP Rewards, Qantas Frequent Flyer and Qantas Business Rewards programs (BP Rewards Program).
3 The OAIC was consulted by the ACCC in September 2019 in relation to BP’s application for authorisation to establish a BP Rewards Program, and the OAIC considered BP’s application with respect to potential privacy risks. The OAIC provided a submission to the ACCC on 15 October 2019.[1]
4 The OAIC is of the view that innovative uses of personal information can result in public benefit where they have a strong foundation in privacy and data protection. However, privacy risks may constitute a public detriment if not appropriately mitigated.
5 The OAIC recommends that further consideration be given to the privacy risks that might constitute a public detriment, in particular:
- the uncertainty around whether or not BP Resellers will be collecting personal information, and any risk of re-identification of the information collected by BP Resellers
- the potential privacy risks that arise for individuals whose personal information is collected by BP Resellers that are not subject to the Privacy Act, including risks in relation to data breaches and data breach notification.
6 The recommendations in the current submission, and in the OAIC’s earlier submission, present an opportunity for BP (including BP Resellers) to increase consumer confidence and trust in how all members of the BP Rewards program are handling consumers’ personal information, in line with increasing consumer expectations in relation to privacy, which would result in public benefit.
Background: the draft determination proposing to grant authorisation for the BP Rewards Program
7 The Applicants have sought authorisation for the proposed conduct (the BP Rewards Program) that may otherwise constitute a cartel provision within the meaning of Division 1 of Part IV of the Competition and Consumer Act 2010 (Cth), and may substantially lessen competition within the meaning of section 45 of that Act.
8 Consistent with subsections 90(7) and 90(8) of the Competition and Consumer Act, the ACCC must not grant authorisation to an Applicant unless it is satisfied, in all the circumstances, that the conduct would result or be likely to result in a benefit to the public, and that the benefit would outweigh the likely public detriment.
9 As part of its assessment the ACCC has considered a range of potential public benefits as well as potential public detriments resulting from the collection and use of customer data. The ACCC considered potential concerns regarding the use of personal data by loyalty schemes generally, as well as in relation to BP and Qantas. The ACCC’s draft determination notes the OAIC’s concerns about uneven coverage of the Privacy Act for all participants in the BP Rewards Program.
10 The ACCC considers that the BP Rewards Program is unlikely to result in significant public detriment. In forming this view, the ACCC has taken into account the information in BP’s application, the four submissions received (including the OAIC’s submission) and the supplementary submission provided by BP on 30 October 2019.
Potential concerns regarding collection and use of customer data
11 The life cycle of personal information in the context of customer-facing rewards programs can be complicated. The complexity of this life cycle is compounded by the various methods of collecting consumers’ personal information, as well as increasingly sophisticated capabilities deployed by organisations to combine information and infer insights about customers participating in the scheme.
12 The ACCC’s draft determination acknowledges that there is likely to be some detriment to consumers as a result of their personal information being shared between Qantas and BP.[2] However, the OAIC considers the privacy risks relating to the collection, use and disclosure of personal information by BP Resellers would benefit from further analysis.
13 Given that privacy risks can result in public detriments to consumers, it is important to consider the personal information flows within the context of the scheme in order to properly identify, assess and mitigate any risks. The OAIC considers that further information is required in order to fully assess the information flows and the adequacy of privacy safeguards.
14 In its earlier submission to the ACCC, the OAIC emphasised the need to ensure that all participants in the BP Rewards Program, including the 1093 BP Resellers, are subject to the Privacy Act 1988 (Privacy Act). BP’s application indicates that BP Resellers are independent operators of service stations at which fuel is re-sold under the BP brand. Whilst BP and Qantas are both organisations subject to the Privacy Act, it remains unclear how many of the 1093 independently owned BP Resellers would fall within the jurisdiction of the Privacy Act.
15 The OAIC made two recommendations in relation to this issue:
- Any BP Resellers who are not subject to the Privacy Act should be required to opt-in to coverage under section 6EA of the Privacy Act.
- The ACCC should consider specifying conditions on BP’s application which would ensure that participants in the loyalty program, who are not subject to the Privacy Act, be required to opt-in to coverage under section 6EA of the Privacy Act.
16 We note that the ACCC has not specified any such conditions in its draft determination, and BP has indicated that it opposes the OAIC’s recommendation in this regard. BP’s response to the OAIC’s submissions about a potential gap in coverage for some BP Resellers under the Privacy Act is set out as follows[3]:
- BP claims that BP Resellers will not handle any personal information to which the Privacy Act applies.
- BP submits that even if BP Resellers were to handle personal information, many BP Resellers are already covered by the Privacy Act because they generate an annual turnover of more than $3 million per year (and are therefore a regulated entity under the Privacy Act).
- BP submits that, to the extent that BP Resellers are not covered by the Privacy Act, this reflects that they are small businesses and imposing obligations under the Privacy Act would be disproportionate given their size and relative inability to absorb additional compliance costs.
17 The OAIC provides information in response to each of these points below to assist the ACCC’s consideration.
BP Resellers will not handle any personal information to which the Privacy Act applies
Consideration of the nature of personal information
18 BP submits that BP Resellers will not handle any ‘personal information’ to which the Privacy Act applies. Rather, it states BP Resellers will be handling de-identified data only, such as the date, location and value of the transaction, number of points earned, and card number.
19 We suggest that further consideration be given to whether this information may constitute personal information under the Privacy Act, taking into account any further information regarding the context in which the information will be collected and used.
20 The Privacy Act defines ‘personal information’[4] as information or an opinion about an identified individual, or an individual who is reasonably identifiable. What constitutes personal information will vary, depending on whether an individual can be identified or is reasonably identifiable in the particular circumstances.
21 Information is ‘about’ an individual where there is a connection between the information and the individual. This is ultimately a question of fact and will depend on the context and circumstances of each particular case.
22 Generally speaking, an individual is ‘identified’ when, within a group of persons, he or she is ‘distinguished’ from all other members of a group. For the purposes of the Privacy Act, this will be achieved where a link can be established between the information and a particular person. This may not necessarily involve identifying the individual by name.
23 If information that is unique to a particular individual, such as a customer card number, can be referenced against other available information about that person, then it may be used to identify an individual.
24 It is unclear whether BP Resellers will only be dealing with de-identified information. For example, the wording in paragraph 5.4 of BP’s application for authorisation contemplates that BP Resellers may deal with ‘customer personal information’ in the context of the BP Rewards Program and refers to certain restrictions on the use of this information.
25 Further information would assist to clarify this issue, for example, information on how this unique card number might be utilised in practice to obtain access to reward points or the personal information stored on a customer’s account. The OAIC suggests that BP provide further information, with reference to its Privacy Impact Assessment.
26 Where there is uncertainty, the OAIC considers that entities should err on the side of caution, by treating the information as personal information, and handle it in accordance with the Australian Privacy Principles (APPs).[5]
The amount of information to be collected, used and disclosed by BP Resellers
27 The ACCC considers that BP Resellers not covered by the Privacy Act are small Resellers who are unlikely to be dealing with large amounts of customer data. This appears to be based on BP’s supplementary submission which states that only the date, location and value of the transaction, points earned and card numbers will be collected and handled by BP Resellers.
28 A unique card number, when linked to an individual customer’s account, has the potential to provide a rich picture of an individual, particularly in light of the insights that loyalty schemes can generate about their customer base.
29 Further information in relation to the collection of these unique customer card numbers (including any safeguards and measures that are in place to ensure customer verification, account security and the secure disclosure of customer information from BP Resellers to BP) could further assist the ACCC in assessing the scope of potential public detriments arising from the collection and use of any customer data.
Many BP Resellers are already covered by the Privacy Act
30 The Privacy Act regulates ‘APP entities’ which includes ‘organisations’ but does not include small businesses. Generally, a small business operator is one which has an annual turnover of $3,000,000 or less.
31 It remains unclear how many of the 1093 independently owned BP Resellers are small businesses and therefore not covered by the Privacy Act.
32 The fact that some BP Resellers are covered by the Privacy Act does not mitigate the privacy risks which may arise for individuals who, as part of the BP Rewards Program, engage with BP Resellers that are not covered by the Privacy Act.
BP Resellers, who are small businesses, are exempt from the Privacy Act
33 BP submits that those BP Resellers who are not covered by the Privacy Act are exempt due to their status as a small business and that it would be disproportionate to impose new obligations on these exempt BP Resellers under the Privacy Act, due to their size and relative inability to absorb additional compliance costs.
34 It is important to consider that individuals might reasonably assume that their personal information is protected under the Privacy Act in the same way, regardless of which BP station or BP Reseller they engage with. Individuals may not be aware that they are not afforded equal and consistent privacy protections when engaging with BP Resellers, which may be contrary to consumer expectations in relation to privacy.
35 This uneven coverage for individuals engaging in a loyalty program is problematic, particularly given the lack of clarity around which BP Resellers are covered by the Privacy Act. Accordingly, individuals are prevented from making informed choices about who to share their personal information with.
The ACCC’s assessment of public detriments and public benefits
36 Given the uncertainty around the number of small business BP Resellers who are exempt from the Privacy Act, and the privacy risks which might arise for individuals engaging with BP Resellers as part of the BP Rewards Program, we suggest that further consideration be given to the potential privacy risks, specifically concerning BP Resellers.
37 The potential costs and detriments to consumers who provide their personal information to loyalty schemes were canvassed in the ACCC’s final report on Customer Loyalty Schemes.[6] These include increased risk of data breach and cybercrime from increased online transmission, storage and disclosure. This in turn can lead to both financial detriments, such as those associated with identity fraud and scams, as well as non-financial detriments, such as harm to health and safety and reputational injury.
38 We suggest that these public detriments, which are particular to those BP Resellers to whom the Privacy Act does not apply, should be considered by the ACCC in determining the authorisation, and any conditions that might be imposed.
39 First, there may be an increased risk to consumers of a data breach due to the lack of privacy obligations on some BP Resellers. APP entities are required to collect, use and disclose personal information in accordance with the APPs, which includes obligations, rights and standards in relation to the integrity and security of personal information, as well as requirements for open and transparent management of personal information.
40 Secondly, if a data breach were to occur, some BP Resellers will have no obligation to notify affected individuals and the OAIC under the Privacy Act. This reduces the opportunities for these individuals to take steps to mitigate these risks and the resultant privacy impacts.
41 In its draft determination, the ACCC acknowledges that detrimental business practices of loyalty schemes would also likely reduce the consumer benefits that may arise from a BP Rewards program.
Potential public benefits that arise from opting-in to coverage of the Privacy Act
42 The OAIC is of the view that requiring BP Resellers to opt-in to coverage of the Privacy Act will have public benefits for both individuals as well as BP Resellers, and the BP Rewards program and BP brand more broadly.
43 The practice of opting-in to the Privacy Act under section 6EA demonstrates a public commitment to good privacy practice. By opting-in, small businesses can benefit from increased consumer confidence and trust that may be derived from knowledge that the business is operating under the Privacy Act. Recent research indicates that trust has become the primary driver of consumer decision-making, with 65 per cent of surveyed respondents to the 2019 Australian Privacy Index ranking trust as their first consideration when deciding whether to provide an organisation with access to their personal information.[7]
44 A proactive approach to protecting personal information represents an opportunity for differentiation and a means to enhance trust.
45 We therefore reiterate our previous recommendations:
- that BP Resellers opt-in to coverage under section 6EA of the Privacy Act.[8]
- that the ACCC specify a condition on granting authorisation to ensure that any BP Resellers who are not covered by the Privacy Act be required to opt-in.
46 This would ensure that Australian consumers receive equal and consistent privacy protections, in line with their expectations of large organisations such as BP and Qantas.
Registration for BP Rewards via BPme mobile app
47 The OAIC has previously expressed concerns about individuals being automatically enrolled in the BP Rewards Program when they download and register an account with the BPme mobile app.
48 BP submits that consumers will be offered two methods of joining the BP Rewards Program – either by filling out a registration form on the BP Rewards Program website, or by registering for a BPme account using the BPme mobile app.
49 We note that consumers may download the BPme app for reasons other than wanting to sign up to the BP Rewards Program, such as to find BP stations where they can pay for fuel through the BPme app.
50 BP also submits that ‘in all cases, consumers who sign up for the BP Rewards Program will be presented with and required to accept the BP Rewards and BPme T&Cs and BP’s Privacy Policy’. The OAIC notes that consumers who download the BPme app (irrespective of whether they know about, or intend to join, the BP Rewards Program) should be adequately informed about, and have an opportunity to specifically consent to, their personal information being used to join the BP Rewards Program.
51 The OAIC is available to provide further information as required.
Footnotes
[1] OAIC submission to the Australian Competition and Consumer Commission regarding BP Australia Pty Ltd’s application for authorisation [AA1000452], 15 October 2019
[2] ACCC, Draft Determination and interim authorisation, 22 November 2019, paragraph 5.71.
[3] BP, Supporting Submission to the ACCC, 30 October 2019
[4] Privacy Act 1988 (Cth) section 6.
[5] OAIC Guide “What is personal information?”
[6] ACCC’s Final Report, “Customer Loyalty Schemes” (December 2019) page 57.
[7] Deloitte Australia’s Privacy Index 2019 – ‘Trust: is there an app for that’, page 6.
[8] For more information, see the OAIC’s guidance on ‘Opting in to the Privacy Act’.