It is widely known and accepted that personal information in the form of data is being collected and used by digital platforms (most notably Google and Facebook) in advertising, media and communications. This data collection allows companies to streamline their audience by ensuring they are reaching their desired target market. While Google channels consumers via SEO, Facebook provides analytics of interaction and audience. Amongst other scandals, the 2018 Facebook Cambridge Analytica data privacy breach has highlighted how such use of data has a large-scale impact on the individual consumer and their privacy. Up until recently, when ‘that’ tick box appeared on screen, most consumers would blindly agree to their personal data being virtually shipped off around the world to be used in ways they were unlikely aware of. Cambridge Analytica has shone a light on the use of this data, and consumers are no longer sitting back quietly and allowing this to occur.
Closer to home, the compliance arm of Australia’s Competition and Consumer Commission (the ACCC) is already flexing its muscles in respect of misleading and deceptive conduct under the consumer law. The ACCC currently has proceedings on foot in the Federal Court against the medical appointment booking app HealthEngine, alleging that the platform has been collecting and disclosing user’s personal data to insurance brokers without consent. The app’s developers face millions of dollars in fines if they are found guilty of these alleged breaches. We expect Australian Competition and Consumer Commission v Healthengine Pty Ltd to stand as a test case in this area and eagerly await the outcome. When the judgement is handed down, it will no doubt shed light on the principles to be elaborated upon below. More information about the case can be found here.
With issues of data and privacy coming to the forefront of international attention, Australia instituted a Digital Platforms Inquiry which released its Final Report in July 2019. The Inquiry set out to investigate the impact of ‘online search engines, social media and digital content aggregators (digital platforms) on competition in the media and advertising services market’ and the effect of data collection on consumers’ privacy. This inquiry is forward looking, and the final report seeks to set out a list of recommendations that will assist the Australian marketplace to transition into a data driven space, where competition is protected, and individual’s privacy rights are upheld.
The rise of digital platforms, mainly Facebook and Google have brought about a world of untapped possibility when it comes to the potential of personal data and the effect it can have in assisting businesses to target their advertising successfully. Whilst such platforms can be largely positive in the effects they have on business success, their collection of user’s personal data is controversial to say the least.
For the advertisers and agencies who rely on Facebook and Google to deliver targeted marketing campaigns to the desired audience, not only does the lack of transparency on the part of Google and Facebook affect the capability of the agency or advertiser to fully understand how or even if their specified audience is being targeted, it is also unclear how the digital platforms charge for their data use in audience targeting. What we do know is that whilst these digital platforms have become a necessary tool, data mining, data brokerage and data analysis comes with its own problems and it is now recognised that the sector should be regulated and policed.
Consumers, perhaps even more so then advertisers and agencies, are affected by the data collection policies of the likes of Facebook and Google. There is a significant asymmetry of information and lack of bargaining power that exists between consumers and digital platforms and this often means that consumers are unable to make an ‘informed and genuine’ choice in respect of consent to their personal data being used. Consumers will often mindlessly tick a box or simply click a button to proceed, releasing their personal data with no appreciation of the consequences.
This high-level summary addresses the key issues raised by the report.
The ACCC’s inquiry puts forward a set of recommendations to increase privacy protection in relation to data collection. If, or rather when implemented, the recommendations will impact both the digital platforms collecting the data and the way agencies and advertisers use the data, as well as recommending safeguards for consumers to protect their data. These implications are set out below. We note that we have concentrated on the recommendations that we consider will affect agencies and advertisers directly. The full report can be accessed here.
The report sets out multiple ways that the Privacy Act could be amended to enhance protections for consumers and their personal data.
Firstly, amending the definition of ‘personal information’ in the Privacy Act to include technical data that includes all identifiers that could be used to distinguish individuals. This would bring breaches of data privacy into the jurisdiction of the Act and this means that consumers have the capability of benefitting from the protections available under the Privacy Act.
Secondly, the report recommends that the Privacy Act should require an enhanced collection disclosure notice upfront. This should be concise, clear, transparent and easily accessible, explaining how a user’s data will be collected, used and disclosed, including ‘layered’ notifications, and short terms and conditions written in plain and concise language.
A major issue bought forward for reform under the Privacy Act is the issue of consent to use of personal data. The most poignant of recommendations are in the form of consumer consents to collect, use and disclose personal data. Consents should represent ‘a clear affirmative act that is freely given, specific, unambiguous and informed’. This would mean that the collection and use of data would be an ‘opt-in’ system where consumer’s personal data will only be collected, used and disclosed when informed consent is given. For instance, the positive act of ticking a box that sits alongside the clear disclosure information as set out above. This will undoubtedly impact the amount of data that will be capable of collection, use and disclosure as consumers become more aware of their rights to data privacy.
Consumers should also have a right to have their personal data information erased, without undue delay, upon their request.
Finally, the report recommends that consumers should have a direct right of action against any company or individuals who breach the rules set out in the Privacy Act and such breaches should incur higher penalties.
A major change to look out for is the potential creation of a special branch of the ACCC that will be tasked with ‘proactive investigation, monitoring and enforcement’ in relation to all things data privacy and digital platform content. This will mean that digital platforms will be monitored by dedicated, trained officers who will be tasked with proactively calling out breaches of privacy law in relation to personal data protection. Essentially, there will be a police-like force ensuring that data privacy is adhered to.
The possible inclusion of a statutory tort for serious invasions of privacy will mean that digital platform handling individual’s personal data may be liable in tort should a serious enough breach occur. This will mean that many agencies and advertisers may be held accountable in this way and consumers using their platforms will have access to greater control over their personal information. Both agencies and advertisers should begin to rethink their entire consumer data collection and use strategies, in order to avoid facing serious legal liability under the invariable changes to privacy law.
The Office of the Australian Information Commissioner (OIAC) will also have a part to play in this web of protection of data should the recommendations be implemented. A regulatory data privacy code of practice is in development and this will be yet another supervisory mechanism that will make the OAIC another route for people to lodge complaints and request information about where their data is being used. Under the protocol recommended to apply to the OAIC, digital platforms may be required to disclose information about their use of personal data in ways that were not required previously. This will mean that such platforms will need to be extra diligent in ensuring that their practices are above board and that they comply with the new privacy amendments that are likely to imminently come into force.
In March 2019, in between the release of the preliminary report and the final report of the digital platforms inquiry, parliament announced a set of changes that were already in the works for implementation.
The OIAC is already set to receive an additional $25 million over 5 years to ensure that the office has the resources to realise their increased enforcement and control powers. This will go hand in hand with a significant increase in the amounts the OIAC can recover, in fines. There has also been an announcement of significant increases in the amount of money (now upwards of $10 million), that a successful claimant may recover should they prove a breach of data privacy laws.
Parliament has also deemed it necessary to include a right for individuals to ensure their personal data ceases to be used upon request. This is somewhat linked to the Consumer Data Right (CDR) or ‘data portability right’ introduced in November 2017. The CDR refers to the right a consumer has to safely access the personal information and data that a business holds about them, and the ability to instruct the business to transfer this data to a third party of the consumers choice upon request. The right will first apply to the banking sector from 1 February 2020, followed by the energy sector with telecommunications proposed to follow. Once again, CDR rights will allow consumers to regain control of their own data as their own property by having the right to instruct those who hold their information on what can be done with it and how it can be used.
Ultimately, businesses operating in this space must begin taking the issue of privacy in the digital realm more seriously, otherwise they could start to face some serious consequences in the near future. Consequences that could not only cost them huge amounts in terms of financial loss, but reputational loss resulting from their failure to comply with changes that we are likely to see in the near future.