Skip to main content
  • On this page

23 September 2019

Introduction

1 The Office of the Australian Information Commissioner (OAIC) welcomes the opportunity to comment on the Australian Competition and Consumer Commission’s (ACCC) Digital Platforms Inquiry Final Report (final report). We commend the ACCC for its final report and significant contribution to a greater understanding of the markets in which digital platforms operate and the privacy issues which arise in this context.

2 The OAIC broadly supports the recommendations contained in the final report which, if adopted together with the OAIC’s suggestions, will strengthen the privacy protection framework in Australia and help ensure consumer trust and confidence in the way that digital platforms handle consumers’ valuable personal data in the digital economy. The recommendations will result in a combination of new obligations, enhanced protections for individuals and a greater level of specificity within the existing regulatory framework, including by codifying existing protections.

3 The final report considers the evolving online landscape in which individuals increasingly find their personal information being collected, used and disclosed by digital platforms. Digital platforms have provided many opportunities to Australians, however they have also significantly shifted the environment in which we all interact. As the ACCC points out, ‘15 years ago it would have been difficult to envisage the changes that digital platforms have made to our society.’[1]

4 As digital platforms have become integrated into our daily lives, the information and power asymmetries between consumers and digital platforms present significant challenges for consumers in making informed decisions about how their personal information is handled online. These challenges are amplified for vulnerable consumers such as children.

5 The Digital Platforms Inquiry (DPI) final report seeks to redress this imbalance through recommendations designed to increase transparency, choice and control over the handling of personal information and ensure that Australia’s regulatory frameworks remain fit for purpose in the digital age.

6 In addition to strengthening the ability of individuals to self-manage their privacy, we also support the introduction of organisational accountability measures that will redress the imbalance in knowledge and power between individuals and digital platforms.

About the OAIC

7 The OAIC is an independent statutory agency within the Commonwealth Attorney-General’s portfolio with regulatory responsibility for:

  • privacy functions (regulating the handling of personal information under the Privacy Act 1988 (Privacy Act) and other Acts)
  • freedom of information functions, including access to information held by the Australian Government in accordance with the Freedom of Information Act 1982 (Cth)
  • information management functions.

8 As the national privacy regulator, the OAIC draws upon its knowledge, experience and international networks to regulate data privacy in Australia and provide privacy guidance to government agencies, organisations and individuals to raise public awareness about data privacy and good privacy practice.

Cross-border privacy

9 Given the global nature of data flows the OAIC is actively engaged in a range of international privacy and data protection forums[2], ensuring that we are well placed to share expertise and cooperate on cross-border privacy matters. For example, the OAIC is a member of the International Conference of Data Protection and Privacy Commissioners (ICDPPC) and the Australian Information Commissioner currently sits on the Executive Committee of the ICDPPC.

10 One of our key objectives in forging these and other international partnerships is to enhance the interoperability of Australia’s privacy framework with the various data protection frameworks around the world.[3] Interoperability does not mean uniformity, but rather recognises the differences in our regulatory frameworks and provides a bridge to ensure that personal information is protected no matter where it flows. Increasing community privacy concerns have been observed globally, and the recommendations in the final report reflect the growing trend towards increased privacy protections for individuals worldwide.

11 The DPI final report provides a strong evidence base for reform and presents a timely opportunity to strengthen and clarify the application of the Privacy Act to digital platforms through greater specificity and enhanced privacy protections. It also provides the opportunity to enact economy-wide privacy reforms and to ensure the Privacy Act is generally fit for purpose, given domestic and international developments.

Reform of Australia’s privacy regulatory framework

12 Many of the recommendations in the ACCC’s final report reflect the growing intersection between data protection and consumer protection that is occurring globally, as personal information becomes a core part of the digital economy. The OAIC is co-chair of the Digital Citizen and Consumer Working Group[4] and champions greater convergence and cooperation between data protection and consumer protection authorities to ensure optimal regulatory outcomes in the public interest.

13 The OAIC is broadly supportive of the final report’s recommendations for reform of Australia’s privacy framework, subject to the comments in this submission. Our comments are aimed at ensuring the interoperability of Australia’s data protection laws globally, as well as striking the right balance between an individual’s ability to self-manage their privacy, and the accountability of those entrusted with the personal information of Australians. While it is important to enhance individual consent requirements, the challenges and complexities created by digital technologies in the online environment call for additional measures to safeguard personal information.

14 Many of the privacy recommendations could be implemented immediately and take into account our suggested refinements – for example, the proposed reforms set out in recommendations 16 (strengthen protections in the Privacy Act), 18 (OAIC privacy code of conduct for digital platforms) and 19 (statutory tort for serious invasions of privacy) – and would quickly deliver significant privacy benefits for Australians and increase the accountability of entities processing Australians’ personal information.

15 The OAIC also considers that a broader review of privacy law should take place to ensure it remains effective in the digital economy (recommendation 17). Given recent privacy reforms that have enhanced privacy protections domestically such as the Consumer Data Right (CDR), together with international developments such as the General Data Protection Regulation (GDPR) and the US California Consumer Privacy Act, it is timely to consider additional reforms to support innovation in the digital economy through strengthened data protection. We recommend that such a review be commenced and would be pleased to contribute our regulatory expertise and experience through the review process.

Part 1: Privacy Recommendations

16 The ACCC makes four recommendations which are specific to the Privacy Act and the privacy regulatory framework. We address these four recommendations in further detail below.

Recommendation 16: Strengthen protections in the Privacy Act

17 The OAIC broadly supports the proposed measures to strengthen privacy protections contained in recommendation 16.

Recommendation 16(a): update ‘personal information’ definition

18 We support a revision of the definition of ‘personal information’ in the Privacy Act to capture technical data such as IP addresses, device identifiers, location data, and other online identifiers that may be used to identify an individual.

Recommendation 16(b): strengthening notification requirements

19 We support the strengthening of existing notice requirements under Australian Privacy Principle (APP) 5, subject to appropriate legal and public interest exceptions. Requirements for notices to be concise, transparent, intelligible, written in clear and plain language and provided free of charge provide important privacy protections that assist individuals to exercise choice and control over how their personal information is collected, used and disclosed.

20 We acknowledge that a balance must be struck between appropriate, strengthened notice requirements and the practical consequences of increased provision of notices to consumers, which could include increased notification fatigue. An important part of this balance may require consideration of the need to constrain certain data or business practices which are contrary to consumers’ expectations in relation to privacy, in addition to strengthened notification requirements. The Office of the Privacy Commissioner of Canada has described this as developing ‘no-go zones’, examples of which include profiling or categorisation that leads to unfair, unethical or discriminatory treatment contrary to human rights law, and collection, use or disclosure for purposes that are known or likely to cause significant harm to the individual.[5] Consent could not be obtained for the use of personal information for such purposes. This concept would require further consideration, and the OAIC would welcome the opportunity to engage with Treasury on this further.

21 The ACCC has noted that standardised icons or phrases may assist consumers to better understand notice and consent requirements and the OAIC is supportive of measures to create a common language to assist individuals make informed decisions about their personal information. The ACCC’s recommendation 18, that the OAIC develop a Code for online platforms, provides an opportunity to implement these measures in the online context.

22 However in order to implement these measures more broadly, consideration should be given to developing economy-wide enforceable rules, standards, binding guidance, or a code to operationalise a common language, including the use of standardised icons or phrases. Legislative amendment to the Privacy Act could be considered to enable the Australian Information Commissioner to make such rules, standards or an economy-wide code over time. This would assist in consumer understanding and reduce regulatory fragmentation.

23 There is an opportunity to consider how the work being undertaken by Data61 in the CDR context could be applied more broadly. The consumer experience guidelines being developed by Data 61 are intended to provide data recipients and data holders with standards and guidance for seeking and receiving consent from consumers.[6]

Recommendation 16(c): strengthening consent requirements and pro-consumer defaults

24 The OAIC welcomes the recommendation that consent should require a clear affirmative act that is freely given, specific, unambiguous and informed. This reform would align the definition of consent more closely with the GDPR.[7]

25 In line with the approach taken in relation to the CDR and the comments above in relation to notice, consideration should be given to other mechanisms to enhance the specificity of consent, such as:

  • the use of graduated consent – where an individual can give consent to different uses of their data throughout their relationship with a service provider[8]
  • the use of tiered consent – where an individual may consent to disclosing increasing amounts of personal information in exchange for different products or levels of services.

26 Greater certainty on consent requirements could be achieved through economy-wide enforceable rules, standards, binding guidance or code, as referred to above.

Consent – balancing privacy self-management with organisational accountability

27 The ACCC has proposed that consent be required whenever an individual’s personal information is collected, used or disclosed by a regulated entity (an APP entity), except where personal information is necessary for the performance of a contract to which the consumer is a party, is required under law or is otherwise necessary for an overriding public interest reason.

28 While consent is an important part of Australia’s privacy framework, it is not the only basis for permitting the handling of personal information under the Privacy Act.[9] Seeking freely given, specific, unambiguous and informed consent may, in some circumstances, be impractical or overly burdensome. Seeking consent for routine purposes may also undermine the quality of consents obtained and result in consent fatigue for consumers.

29 Overreliance on consent shifts the burden to individuals to critically analyse and decide whether they should disclose their personal information in return for a service or benefit. In the digital age, where data flows and technologies used to process personal information are increasingly complex and difficult to understand,[10] individuals are not always well placed to assess the risks and benefits of providing their personal information.[11]

30 The limitations of consent have been recognised by the UK Information Commissioner and the European Data Protection Board, which have both stated that consent is only appropriate where individuals can be offered real choice and control over how their personal information is used.[12]

31 Accordingly, in addition to appropriately strengthened consents, we also support the introduction of organisational accountability measures that will redress the imbalance in knowledge and power between individuals and organisations, including digital platforms.

32 There are several models that the Australian Government may wish to consider in striking the right balance between consent and organisational accountability:

  1. The Canadian Government observed that a balanced approach for individuals and businesses is to enhance consent requirements where the impact on privacy is greatest and not require consent for uses of personal information for ‘standard business purposes’ that most individuals would consider reasonable.[13]
  2. The EU GDPR contains six lawful bases for processing personal information, including where a processor has a ‘legitimate interest’. This requires entities to apply a three-part test and consider whether there is a legitimate interest behind the processing, whether the processing is necessary for that purpose, and whether the legitimate interest is overridden by the individual’s interests, rights or freedoms.[14]
Default consent settings

33 The ACCC recommends that default settings which enable processing by APP entities for purposes other than performance of a contract – for example, to conduct targeted advertising – should be pre-selected to ‘off’.

34 The OAIC is generally supportive of this recommendation.

Recommendation 16(d): enable the erasure of personal information

35 The OAIC supports the recommendation to enable individuals to request the erasure of their personal information subject to various exceptions. Under this recommendation, APP entities will be required to comply with the request to erase personal information without undue delay, unless there is an overriding reason for the information to be retained.

36 In addition, the OAIC recommends that consumers be notified of their ability to request the erasure of their personal information. This could be modelled on similar requirements in Article 13 of the GDPR.

37 Further, we recommend that the right to erasure be complemented by a right for individuals to object to the handling of their personal information for specific purposes. Under a right to object, an individual may prevent certain types of data processing without requiring the erasure of their personal information, which is important where individuals wish to continue using a service. A right to object could be modelled on a similar protection contained in Article 21 of the GDPR.

38 The OAIC has previously suggested that consideration be given to an obligation on all APP entities, not just digital platforms, to delete all user data on request. A comparative provision is found in subsection 17(3) of the My Health Records Act 2012 (Cth), which requires the destruction of records containing health information in a My Health Record upon request by the individual. This provision was implemented in response to the Australian community’s calls for stronger privacy and security protections within the My Health Record system, and reflects consumer expectations about continuing access to data. A similar ability to request (and require) deletion of data is built into the legislative framework of the Consumer Data Right and supported by data standards.

Recommendation 16(e): introduce direct right of action for individuals

39 The OAIC supports the introduction of a direct right of action for individuals to seek compensation under the Privacy Act for an interference with their privacy. This recommendation, if implemented, would bring the Australian privacy framework into line with other countries including the United Kingdom, New Zealand and those in the European Union.

40 We recommend that the Government consider whether this direct right of action should be supplemented by legislative options for the OAIC to exercise[15]:

  • a right to intervene in proceedings (or alternatively to seek the leave of the court to intervene)
  • a right to seek the leave of the court to act in the role of amicus curiae in the proceedings.

41 Finally, the OAIC notes that a direct right of action for individuals to seek compensation should not be limited to ‘serious and repeated interferences’ with privacy, as this will limit the effectiveness of the recommendation in practice.

Recommendation 16(f): higher penalties for a breach of the Privacy Act

42 The OAIC supports the recommendation to increase the penalties for breach of the Privacy Act. We reiterate the position taken in our submission to the DPI Preliminary Report – that penalties be increased to at least mirror the increased penalties for breaches of the Australian Consumer Law (ACL) or penalties under the GDPR, whichever are highest.

Recommendation 17: Broader Reform of Privacy Law

17.1 Objectives

43 The OAIC supports a review of the objectives of the Privacy Act and looks forward to contributing its privacy expertise and insights to strengthen privacy protections for Australians and to ensure an appropriate balance between privacy and the broader public interest in the free flow of information.

17.2 Scope

44 The OAIC supports a review of the current exemptions for certain entities in the Privacy Act, including the exemptions in relation to small businesses, employers and employee records, and political parties. These exempt entities may collect, use and disclose personal information, including sensitive information, and there is currently no protection under the Privacy Act for the personal information they hold.

45 Importantly, these exempt entities are not required to notify individuals or the OAIC about eligible data breaches under the Notifiable Data Breaches scheme (NDB scheme). The NDB scheme provides individuals with the opportunity to take steps to reduce the likelihood that they will experience serious harm and reinforces organisations’ accountability for personal information security.

46 Personal and sensitive information held by small businesses, employers and political parties is not immune to the substantial risks that exist in the digital environment. The OAIC agrees that it is appropriate to consider more comprehensive privacy protections for Australians, including through the NDB scheme.

17.3 Higher standard of privacy protections

47 The OAIC supports the ACCC’s recommendation to enhance privacy protections to address some of the information asymmetries identified in the final report. We recommend the introduction of a requirement for APP entities to use and disclose personal information ‘fairly and lawfully’ (rather than by ‘fair and lawful means’). This is consistent with our previous recommendation to codify the fair collection, use and disclosure of personal information.[16]

48 In our submission to the DPI Preliminary Report, the OAIC noted that Canada has reviewed its data protection legislation and introduced further guidance around ‘no-go zones’. These ‘no-go zones’ specify certain information-handling practices by organisations that would generally be considered ‘inappropriate’ by a reasonable person, including [17]:

  1. collection, use or disclosure that is otherwise unlawful
  2. profiling or categorisation that leads to unfair, unethical or discriminatory treatment contrary to human rights law
  3. collection, use or disclosure for purposes that are known or likely to cause significant harm to the individual
  4. requiring passwords to social media accounts for the purpose of employee screening
  5. surveillance by an organisation through audio or video functionality of the individual’s own device.

49 The OAIC suggests that consideration be given to introducing a similar provision in the Privacy Act.

50 Additionally, we recommend that the privacy review consider whether the following measures should be introduced in Australia:

  1. protections for individuals in relation to profiling and automated decision-making[18]
  2. compulsory privacy impact assessments (PIAs) for the collection, use or disclosure of personal information involving high risks
  3. express requirements to implement privacy by default and design.

17.4 Inferred information

51 Inferred information relates to the use of data analytics based on personal information to infer additional information about an individual, which may include sensitive information. Although it is likely that ‘inferred information’ is captured by the current definition of ‘personal information’ in the Privacy Act, the OAIC suggests that a privacy review should consider whether a more explicit reference in the Act would be beneficial.

17.5 Protections for de-identified or anonymised information

52 The OAIC recognises that the viability of de-identification as a method of protecting personal information is seriously challenged in the digital environment – particularly in light of artificial intelligence and data analytics capabilities.

53 We therefore recommend that the review consider whether new protections are needed in the case of de-identified information, including whether PIAs should be mandated to determine the risks of re-identification.

17.6 Overseas data flow

54 The ACCC recommends that consideration be given to the benefits of Australia seeking a decision by the European Commission that Australian privacy law offers ‘an adequate level of data protection’. An adequacy decision by the European Commission has the potential to increase confidence in Australia’s ability to safely and securely transfer data across international borders.

55 The OAIC’s active engagement in a range of international privacy and data protection forums makes us well-placed to advise on matters of cross-border privacy. The OAIC would welcome the opportunity to contribute to further consideration of this matter.

17.7 Third-party certification

56 The OAIC supports the introduction of a third-party certification scheme, which would provide assurance to consumers that regulated entities are meeting their obligations under the Privacy Act. It would also provide consumers with evidence-based information about the privacy credentials of entities with which they may engage.[19]

57 The OAIC should be identified as the certification scheme’s regulator for privacy breaches and the ACCC for breaches of competition and consumer law.

Recommendation 18: OAIC Privacy Code for Digital Platforms

58 The OAIC supports the introduction of an enforceable code to enable proactive and targeted regulation of digital platforms’ data practices. This recommendation aligns with the Government’s announcement in March 2019 regarding enhanced measures to keep Australians safe online and supports the objective of providing Australians with greater transparency and control over how their personal information is used, collected and disclosed by digital platforms.[20]

59 The OAIC supports additional privacy safeguards for the handling of personal information of children (and other vulnerable groups) so that collection, use and disclosure is minimised, particularly for targeted advertising and online profiling. The OAIC will draw on its international experience and leverage insights from data protection authorities such as the Information Commissioner’s Office (ICO) in the United Kingdom, which is currently developing an age appropriate design code of practice for online services.[21]

60 The OAIC will consult broadly with industry and stakeholders during the development of the code.

Recommendation 19: Statutory Tort for Serious Invasions of Privacy

61 The OAIC supports recommendations to enhance Australia’s privacy framework to include additional remedies for invasions of privacy. The introduction of a statutory cause of action for serious invasions of privacy complements recommendation 16(e) in the final report and is consistent with international privacy regulatory developments in New Zealand, the United Kingdom, the United States and Canada.

62 A statutory tort for serious invasions of privacy would be an important addition to the suite of regulatory measures needed to address online harms, including the serious risks that can be posed to individuals’ privacy by private individuals and entities who publish, disseminate and duplicate information, including through the use of live streaming technologies.[22]

63 Importantly, a statutory tort as recommended by the ACCC would provide fuller coverage and protection to individuals in line with Article 17 of the International Covenant on Civil and Political Rights (ICCPR). Article 17 provides that:

  • No one shall be subjected to arbitrary or unlawful interference with his privacy, family, home or correspondence, nor to unlawful attacks on his honour and reputation.
  • Everyone has the right to the protection of the law against such interference or attacks.

64 We also recommend that this statutory tort be supplemented by legislative powers for the OAIC to be notified of, to exercise a right to intervene in proceedings, and to seek the leave of the court to act in the role of amicus curiae in the proceedings, where the proceedings involve a misuse of personal information.[23] This will be important where proceedings have the potential to impact the evolution of the Privacy Act and privacy jurisprudence and policy.

Part 2: Recommendations requiring a co-regulatory approach and information sharing

65 The OAIC has closely conferred with the ACCC on areas of mutual concern and is conscious of the increasing importance of alignment and cooperation between privacy and consumer regulators globally. This convergence is reflected in a 2017 resolution by the International Conference of Data Protection and Privacy Commissioners[24] to find ways to improve collaboration between data protection and consumer protection authorities in order to provide better protection for citizens and consumers. We support increased alignment and cooperation between privacy and consumer regulators, and the Australian Information Commissioner co-chairs the Digital Citizens and Consumer Working Group which leverages the intersection of these two jurisdictions.

66 In the context of the increasing intersection between privacy and competition regulation, the OAIC provides the following comment on some of the recommendations in the ACCC’s report that suggest the need for an ongoing cooperative approach between the ACCC and the OAIC in certain areas, and between the OAIC and the Australian Communications and Media Authority (ACMA). Such an approach would be facilitated by additional information sharing provisions.

Recommendation 1. Changes to merger law

67 The ACCC recognises the importance of data in fast moving markets and markets involving emerging technologies, including the competitive advantage that data confers on large digital platforms. It recommends changes to the Competition and Consumer Act (CCA) to make it clear that the ‘nature and significance of assets, including data and technology, being acquired directly or through the body corporate’[25] should be taken into account in assessing whether a merger or acquisition has the likely effect of substantially lessening competition. The OAIC is well placed to advise on the ‘nature and significance’ of data assets containing personal information and should be consulted on these matters where they arise in the context of mergers in order to ensure the best privacy outcome for Australians.

68 Accordingly, we recommend that consideration be given to facilitating greater collaboration between the ACCC and OAIC through an information-sharing power to allow for the exchange of information when assessing relevant mergers or acquisitions. This would avoid the time and costs to all parties in duplicating the collection of data from regulated entities.

69 Information sharing could be facilitated through legislative amendment to the CCA to provide for the Australian Information Commissioner to be consulted in relation to privacy matters. A comparable provision is set out in section 134 of the Telecommunications Act 1997, which requires the Australian Information Commissioner to be consulted before an industry standard which deals with privacy matters is determined or varied. Similarly, section 53(4) of the Office of National Intelligence Act 2018 requires the Prime Minister to consult with the Director‑General, the Inspector‑General of Intelligence and Security, the Privacy Commissioner and the Attorney‑General, in relation to privacy rules.

70 A concurrent amendment to section 29 of the Australian Information Commissioner Act 2010 to facilitate greater information sharing is also necessary to support efficient cooperation.

Recommendation 4. Proactive investigation, monitoring and enforcement of issues in markets in which digital platforms operate

71 The OAIC supports the ACCC’s recommendation for the establishment of a specialist digital platforms branch within the ACCC to proactively monitor and mitigate any conduct by digital platforms that results in harm to consumers. Importantly, such harms may include the infringement of consumers’ privacy rights and, accordingly, the OAIC seeks to work cooperatively with the ACCC’s digital platforms branch in this area in future. As per our comments on recommendation 1 (above), this would be facilitated by an information-sharing power between the ACCC and the OAIC.

Recommendation 7. Designated digital platforms to provide codes of conduct governing relationships between digital platforms and media businesses to the ACMA

72 One of the features of the codes of conduct recommended by the ACCC to address the imbalance in the bargaining relationship between leading digital platforms and news media businesses is a commitment by the digital platforms to the sharing of data with news media businesses. The ACCC notes that it is ‘likely to be contrary to consumer expectations that media businesses should be entitled to any or all data gathered by a digital platform on that consumer’[26]. Rather, the data to be shared would be about users’ consumption of the media businesses’ news content on the digital platform’s service. The ACCC states that the commitment to data sharing should be ‘within the limits of data protection and privacy laws’ [27] , recognising the close connection that this aspect of the code has with the privacy rights of consumers.

73 Accordingly, if this recommendation is adopted, we recommend that the OAIC be consulted by ACMA to ensure that commitments to data sharing agreements between designated digital platforms and media businesses adhere to Australia’s privacy laws, including the new privacy code for designated digital platforms.

The value in jurisdictional and regulatory boundaries

Recommendation 20 – Prohibition against unfair contract terms

74 The ACCC recommends amending the CCA so that unfair contract terms are prohibited. The Privacy Act should be similarly amended to prohibit the unfair collection, use or disclosure of personal information, as suggested in recommendation 17(3).

75 However, we also note that in formulating this recommendation, the ACCC expresses the view that the privacy policies of digital platforms constitute a standard form contract (for which there is zero monetary price). Under the Privacy Act, the requirement to have a privacy policy is not intended to constitute a contract (as it may do in the United States); rather, privacy policies are intended to operate as transparency tools for individuals, which set out in general terms how an organisation handles personal information. A privacy policy should not be ‘agreed’ to by an individual, rather, any requirements for consent should be obtained by separate means. The OAIC considers this is an area requiring further consideration to ensure a clear understanding of the role and nature of privacy policies in Australia.

76 We suggest that this is another area where the ACCC and OAIC would benefit from a legislative mechanism (as discussed above) allowing the two organisations to share information gathered using their respective powers, where an act may constitute both an interference in privacy and a consumer law infringement.

Recommendation 21 – Prohibition on certain unfair trading practices

77 The ACCC identifies examples of conduct that it considers to be significantly detrimental to consumers – but which are not prohibited by the CCA – and recommends amending the CCA to include a prohibition on unfair trading practices.

78 Many of the examples of detrimental conduct identified by the ACCC fall within the remit of the OAIC and the privacy framework. For example, APP 11 requires organisations to maintain the security of personal information, which addresses the ACCC’s example of businesses failing to comply with reasonable data security standards.

79 We agree with the ACCC that there is a need to prohibit some of these practices and suggest that this be achieved by further strengthening the Privacy Act, to minimise the risk of regulatory complexity or duplication.

80 If the ACL is amended, then this is another area where the ACCC and OAIC would benefit from close collaboration and information sharing.

Education and dispute resolution measures

Recommendation 12 and 13 – improving digital media literacy in the community and in schools

81 The ACCC recommends the introduction of digital media literacy training in both the community and as part of the Australian Curriculum in schools. The OAIC agrees that consumers must be adequately equipped and empowered with the ability to access, interpret and critically assess what they see and do online. We are supportive of measures to increase digital media literacy and suggest that privacy awareness be incorporated as a complementary component of the recommended training and education.

82 Privacy awareness, like digital media literacy, is an important protective factor for individuals navigating online platforms and services. The 2017 Australian Community Attitudes to Privacy Survey revealed that although the majority of Australians are concerned about their online privacy, few people take simple steps to protect privacy, such as reading privacy policies, adjusting privacy settings, clearing browser and search histories, and asking organisations why they need personal information.[28] The OAIC would welcome the opportunity to share its expertise and insights in relation to privacy to inform the development of resources and training.

Recommendation 23 – establishment of an ombudsman scheme to resolve complaints and disputes with digital platform providers

83 The OAIC is supportive of this recommendation and notes that consumers may make complaints regarding privacy to the ombudsman. We suggest that a referral mechanism be implemented to allow privacy complaints received by the ombudsman to be referred to the OAIC where appropriate.

Part 3: Other comments

Measures to address consumer harms – including privacy concerns - arising from the use of personal information

84 The ACCC has identified a wide range of potential consumer harms, many of which arise directly from the collection, use and disclosure of personal information, or indirectly within the context of digital platforms’ substantial market power and business models based on the monetisation of consumer data. These harms include, but are not limited to:

  • increased risk of data breaches and cybercrime
  • non-financial detriment such as harm to health and safety and reputational injury
  • disinformation and misinformation
  • increased instances of unsolicited targeted advertising
  • third parties leveraging information against the consumer’s interest – e.g. price discrimination and psychological profiling which results in manipulation and loss of autonomy
  • discrimination or exclusionary harm as a result of targeting techniques
  • targeted scams
  • risks to vulnerable people (including children) of being targeted with inappropriate products or scams, discriminated against or inappropriately excluded from markets

85 The ACCC has proposed recommendations to address these harms by regulating the systems, processes and mechanisms by which personal information is collected, used and disclosed by digital platforms. The OAIC is broadly supportive of these recommendations, to the extent that they address the power imbalances and information asymmetries which result in consumer harms including infringements on the right to privacy.

86 The OAIC is supportive of recommendation 3 – to provide Australian users of Android devices with the ability to choose their own default search engine and default internet browser from a number of options. Providing consumers with greater choice and control over browsers and search engines may also provide consumers with better access to privacy-protective features inherent in different browsers and engines.

87 The use of personal information in the adtech and advertising services industry is of interest to the OAIC, and we note that the UK ICO is considering the adtech sector as a priority.[29] The OAIC supports an inquiry into adtech services (recommendation 5) and suggests that such a review may explicate the use and disclosure of personal information for targeted advertising. Similarly, the OAIC supports an increase in transparency in relation to the quality and quantity of information presented to digital platform users (recommendation 6).

88 The OAIC acknowledges the concerns about the personalisation of news content to digital platform users and is supportive of regulatory oversight to improve transparency of digital platforms’ featuring of news content on their services (recommendation 14). Concerns around disinformation and content presented to online users of digital platforms are also expressed in the final report, and the proposed code of conduct to govern the handling of complaints about disinformation seeks to address this issue (recommendation 15).

89 Measures to examine and address these issues may result in more positive outcomes for consumers, including more transparent businesses practices and greater organisational accountability.

Data portability and interoperability

The ACCC will revisit the applicability of the CDR to digital platforms in the future. While considering that data portability is unlikely to have a significant impact on the market power of digital platforms in the short term, the ACCC has flagged that it will monitor this initiative and may make recommendations in future. Aside from the issue of market power, the ACCC recognises that portability of data held by digital platforms may deliver significant benefits to current and potential future markets, including through innovation and development of new services. Accordingly, this may have implications for the OAIC in its joint role with the ACCC regarding the CDR.

Conclusion

90 The OAIC commends the ACCC for undertaking the Digital Platforms Inquiry and looks forward to working with the Government to implement the recommendations.

91 The OAIC is available to provide further information as required.

Footnotes

[1] ACCC, Digital Platforms Inquiry, Final Report, 26 July 2019, p. 1.

[2] The OAIC is also a part of the following networks: the Asia Pacific Privacy Authorities (APPA) Forum, which brings together privacy and data protection authorities in our region; the Global Privacy Enforcement Network (GPEN), which facilitates cooperation between privacy and data protection authorities globally on cross-border privacy matters; the International Conference of Data Protection and Privacy Commissioners, which seeks to provide leadership at an international level in data protection and privacy by connecting the efforts of privacy and data protection authorities from across the globe; the Asia-Pacific Economic Cooperation (APEC) Cross-border Privacy Enforcement Arrangement,[2] which creates a framework for regional cooperation in the enforcement of privacy laws and information sharing among privacy enforcement authorities in APEC economies.

[3] The OAIC is also actively engaged with the Attorney-General’s Department to facilitate Australia’s participation in the APEC Cross Border Privacy Rules system, which was developed by the participating APEC economies with the aim of building consumer, business and regulator trust in cross border flows of personal information. APEC member Economies and EU officials have been collaborating to promote interoperability between the APEC and EU regional transfer mechanisms.

[4] The Digital Citizen and Consumer Working Group was established by resolution of the ICDPPC and is tasked with identifying, leveraging and building upon existing initiatives and networks that consider the intersection between consumer, data and privacy protection. For more information, see for example the ICDPPC Digital Citizen and Consumer Working Group report to the 40th conference on the collaboration between Data Protection, Consumer Protection and other Authorities for Better Protection of Citizens and Consumers in the Digital Economy.

[5] Office of the Privacy Commissioner of Canada, Guidance on inappropriate data practices: Interpretation and application of subsection 5(3), May 2018.

[6] Consumer Data Standards Consumer Experience workstream, The ACCC Rules on Consent.

[7] Article 4(11) of the GDPR defines ‘consent’ of the data subject as any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

[8] See discussion in the UK Information Commissioner’s Office (UK ICO) report: Big Data, AI, Machine Learning and Data Protection, 2017, page 30.

[9] See, for example: APP 3, APP 6, APP 7 and APP 8.

[10] See discussion around the challenges of seeking consent in relation to the use of artificial intelligence technologies in the OAIC submission to Standards Australia, Developing Standards for Artificial Intelligence: Hearing Australia’s Voice – Submission to Standards Australia, 26 August 2019<https://www.oaic.gov.au/engage-with-us/submissions/developing-standards-for-artificial-intelligence-hearing-australias-voice-submission-to-standards-australia/>

[11] See the discussion of human behaviour in Office of the Privacy Commissioner of Canada’s Discussion Paper - Consent and privacy: A discussion paper exploring potential enhancements to consent under the Personal Information Protection and Electronic Documents Act (2016). Page 9 refers to numerous studies that have shown that individuals will say they care about privacy yet at the same time disclose significant quantities of personal information online. This may be because individuals have limited time and energy to fully engage in privacy policies and find it difficult to quantify privacy risks compared to concrete rewards for disclosing personal information online.

[12] UK ICO, Guide to the General Data Protection Regulation – Consent & Article 29 Data Protection Working Party 2018, Guidelines on Consent under Regulation 2016/679 (adopted by the European Data Protection Board on 25 May 2018).

[13] Innovation, Science and Economic Development Canada, Strengthening Privacy for the Digital Age, 2019

[14] Article 6, EU GDPR.

[15] There are several examples of agencies having the power to exercise either an intervenor and amicus curiae role where appropriate (e.g. the Australian Securities and Investments Commission (ASIC) has a right to intervene in court proceedings that relate to matters including under the Corporations Act 2001 (Cth) (Corporations Act) and the National Consumer Credit Protection Act 2009 (National Credit Act), and can also appear as an amicus curiae in certain circumstances).

[16] OAIC, Digital Platforms Inquiry Preliminary Report – submission to the Australian Competition and Consumer Commission, 15 May 2019 < https://www.oaic.gov.au/engage-with-us/submissions/digital-platforms-inquiry-preliminary-report-submission-to-the-australian-competition-and-consumer-commission/> recommendation 2.2.

[17] Office of the Privacy Commissioner of Canada, Guidance on inappropriate data practices: Interpretation and application of subsection 5(3), May 2018

[18] See, for example, EU GDPR Articles 13(2)(f), 14(2)(g), 15(1)(h), 22.

[19] Australia is currently in the process of implementing the Cross-Border Privacy Rules (CBPR), which will provide a mechanism for governments and businesses to safeguard the free flow of data while protecting the privacy rights of individuals. The CBPR requires participating businesses to demonstrate compliance with a commonly understood set of privacy standards, establishing a level of certainty and assurance for the individuals providing their data.

[20] Attorney-General’s Department and Department of Communications and the Arts, Joint Media Release, 24 March 2019

[21] UK ICO, Blog: protecting children online: Update on the progress of ICO code, 7 August 2019.

[22] See for example, Criminal Code Amendment (Sharing of Abhorrent Violent Material) Act 2019 (No. 38, 2019).

[23] See discussion in Part 2 of this submission in relation to recommendation 16(e).

[24] ICDPPC, Adopted Resolutions

[25] ACCC, Digital Platforms Inquiry, Final Report, 26 July 2019, recommendation 1.

[26] Ibid, p. 248.

[27] ACCC, Digital Platforms Inquiry, Final Report, 26 July 2019, p. 256.

[28] OAIC Australian Community Attitudes to Privacy Survey 2017 <https://www.oaic.gov.au/updates/videos/australian-community-attitudes-to-privacy-survey-2017/>

[29] UK Information Commissioner’s Office, Update report into adtech and real time bidding (20 June 2019)