ACCC Report To Impact Privacy & Consumer Protection Laws
On 26 July 2019, the Australian Competition and Consumer Commission (ACCC) released its final Digital Platforms Inquiry report relating to the impact of online search engines, social media and digital content aggregators on competition in the media and advertising services markets, with a particular emphasis on the substantial market power of Google and Facebook.
The Commonwealth government has undertaken to respond to the recommendations in the report by the end of 2019, but already significant changes to Australia’s privacy and consumer protection regimes are being canvassed, particularly in the context of what the report describes as “the bargain between consumers and digital platforms and the ability of consumers to both be informed about their data and exercise meaningful control over it”.
This in turn may impede competition between digital platforms and the entry of rival services into the market.
Against this background, the ACCC made wide-ranging recommendations, not all of which were confined to privacy and consumer protection. Nevertheless, the projected changes to Australia’s privacy and consumer protection regimes are potentially significant and should not be underestimated. Some of these proposed changes are outlined below.
Definition of “Personal Information”
The report recommended that the definition of “personal information” in the Privacy Act be updated “in line with current and likely future technological developments”. Concerned by the constrained interpretation of the definition by the Full Court of the Federal Court in Privacy Commissioner v Telstra Corporation Limited  FCAFC 4, the ACCC recommended greater clarity around the circumstances in which device information may constitute “personal information” under the Act. It considered that advancements in data analytics technologies, and the volume of technical data relating to identifiable individuals, warranted a re-visiting of the definition. This would, apart from anything else, result in a greater alignment between the Australian terminology and international standards, particularly the EU General Data Protection Regulation (GDPR).
Notification of collection
The report advocated the strengthening of notification requirements under the Privacy Act to ensure that the collection of consumers’ personal information directly, or by a third party, is accompanied by a more meaningful collection notice than is currently mandated under the Act.
In this regard, the report acknowledged that Australian Privacy Principle (APP) 5 requires entities to “take such steps (if any) as are reasonable in the circumstances” to notify the individual of such matters regarding the data collection “as are reasonable in the circumstances”. It considered this requirement to be too imprecise, however, and it recommended a more specific obligation to ensure that collection notices are concise, transparent, intelligible and easily accessible, written in clear and plain language (particularly if addressed to a child), and provided free of charge.
The report emphasised the need for consents required under the Privacy Act to be freely given, specific, unambiguous and informed in the context of both collection and disclosure of personal information.
In relation to collection, the consent of an individual is only required under APP 3 where “sensitive information” is involved. The report recommended that this requirement be extended to any circumstances where personal information (sensitive or otherwise) is collected, subject to certain public interest exceptions.
In relation to disclosure, the report noted that consent is not required under APP 6 where the use of personal information is consistent with the “primary purpose of collection”. It expressed concern that “primary purpose” is not defined and could be broadly construed by the data collector, and accordingly “stronger consent requirements are critical to ensuring that consumers have adequate control over how and why their personal information is used and disclosed to third parties”.
Generally, the report recommended an express requirement that consent involve “a clear affirmative act that is freely given, specific, unambiguous and informed (including about the consequences of providing or withholding consent)”.
Right of Erasure
The report recommended the introduction of a requirement for entities to erase a consumer’s personal information without undue delay upon receiving a request for erasure, except in certain circumstances.
This is otherwise known as “the right to be forgotten”, an issue which attracted considerable attention in 2014 following the finding by the European Court of Justice in Google Spain v Gonzalez (2014) c-131/12 that such a right existed under the 1995 EU Data Protection Directive (the forerunner to the GDPR). The right is now enshrined in Article 17 of the GDPR. The introduction of such a right would, in the ACCC’s opinion, bring Australian law into closer alignment with the GDPR, a sentiment clearly evident across all its privacy recommendations.
In 2014, the Australian Law Reform Commission recommended the introduction of a new Australian Privacy Principle dealing with the right of individuals generally to request the destruction or de-identification of their personal information, a recommendation which was ultimately rejected. The ACCC has adopted a different approach. Noting that a broad mandatory deletion obligation could create a significant regulatory burden, the ACCC considered it more appropriate for this obligation to be confined only to digital platforms collecting, using and sharing a large volume of personal information, rather than to all entities. Accordingly, it recommended that the obligation should be set out in the proposed DP Privacy Code, discussed below.
The report expressed concern about the market dominance of the incumbent digital platforms, and the barriers confronting rivals seeking to enter the market. In this context, it considered whether a form of data portability should be introduced to facilitate the movement of consumers between platforms. The concept of data portability is contained in Article 20 of the GDPR.
The merits of data portability have been extensively debated in Australia in a broader context over the past 12 months. On 1 August 2019, the Treasury Laws Amendment (Consumer Data Right) Act 2019 was passed, enabling individual and business consumers to access information about themselves and about their service providers’ products, and to direct their existing service provider to share that information with other service providers. It is intended that this “Consumer Data Right” will have mandatory application to Australia’s Big 4 Banks from February 2020, and will be rolled out to other banks and other industries thereafter.
Despite the apparent benefits of data portability as between digital platforms, the ACCC was unconvinced that this would be an effective mechanism to address the market power and competition issues it had identified, for three reasons.
First, at this time there are no other competing platforms for consumers to upload their data onto and switch. The introduction of a data sharing regime would not overcome this issue.
Secondly, unlike banking services, online search and social media services are provided for free. Consequently, there is less of an incentive for consumers to seek a transfer of their personal data to a rival network.
Thirdly, even if data portability made it easier for a user of Facebook to switch to another social media platform, individuals were unlikely to do so if none of their friends or family were simultaneously moving away from Facebook.
The report nevertheless foreshadowed that the ACCC would revisit the issue in the future when exercising its regulatory role in relation to the Consumer Data Right.
Statutory privacy right
The report recommended the introduction of direct rights for individuals to bring actions or class actions before the courts to seek compensation for an interference with their privacy.
Similar recommendations have emerged in various forms over the years in Australia, at both federal and State level, most notably as a recommendation by the Australian Law Reform Commission in 2006.
The rationale underpinning the ACCC’s recommendation was the need to address the increased exposure to data breach risks, a reduction in trust which could result in consumers avoiding transactions, and the potential for particular risk to vulnerable consumers, including children.
The ACCC considered that allowing individuals to enforce their rights under the Privacy Act was critical to the effectiveness of those rights. Currently, individuals could only seek limited redress under the Act, in the form of an injunction for breach of the Act or the lodgement of a complaint with the Office of the Australian Information Commissioner (OAIC). While recognising the expense and time required to litigate matters in court, the ACCC considered it important for individuals to have the ability to directly enforce their rights under the Privacy Act.
Code of Practice
Part IIIB of the Privacy Act provides for the creation of privacy codes. Codes can be devised by industry sectors in conjunction with the OAIC and, once registered, are deemed under section 26B to be legislative instruments. This option is seen as an effective mechanism for addressing unique privacy issues confronting certain industries, but to date there have been a limited number of initiatives in this regard.
The ACCC noted that several aspects of digital platforms’ notification and consent processes raised unique or pronounced privacy concerns, particularly notification and consent requirements, opt-out control, the handling of children’s data, information security, retention of data and complaints handling.
The report recommended that these issues be addressed in part via an enforceable Privacy Code of Practice applicable to digital platforms (DP Privacy Code).
The DP Privacy Code would be developed through extensive consultation with relevant stakeholders, including consumer and privacy advocates. The ACCC would also be involved in developing the code in its role as the competition and consumer regulator.
The DP Privacy Code should, according to the report, contain provisions targeting particular issues arising from data practices of digital platforms, such as:
- Information: requirements to provide and maintain multi-layered notices regarding key areas of concern and interest for consumers;
- Consent: requirements to provide consumers with specific, opt-in controls for any data collection for a purpose other than the purpose of supplying the core consumer-facing service and, where consents relate to the collection of children’s personal information, additional requirements to verify that consent is given or authorised by the child’s guardian;
- Opt-out controls: requirements to give consumers the ability to select global opt-outs or opt-ins, such as collecting personal information for online profiling purposes or sharing of personal information with third parties for targeted advertising purposes;
- Children’s data: additional restrictions on the collection, use or disclosure of children’s personal information for targeted advertising or online profiling purposes and requirements to minimise the collection, use and disclosure of children’s personal information;
- Information security: requirements to maintain adequate information security management systems in accordance with accepted international standards; and
- Retention: requirements to establish a finite time period for the retention of any personal information collected or obtained that is not required for providing the core consumer-facing service.
In the course of its inquiry, the ACCC identified conduct which it considered detrimental to consumers and which was not effectively addressed or did not neatly fit under the existing Australian Consumer Law (ACL).
In particular, the report referred to terms observed in contracts which it considered demonstrated a significant imbalance in the rights of consumers and digital platforms but which, if held to be an unfair contract term, would not be subject to penalties. While individual terms that are “unfair” for the purposes of the ACL can be declared “void” by a court, the ACCC considered that this remedy is not of much benefit to a consumer and does not effectively deter businesses from using such terms.
Accordingly, the report urged the introduction or tightening of provisions in the ACL dealing with unfair contract terms and unfair business practices.
Unfair contract terms
Unfair business practices
The report observed a range of practices that the ACCC considered to be significantly detrimental for consumers but which did not neatly fit under existing consumer laws. These practices were driven in part by the significant increase in the amount of consumer data now collected and the increased sophistication in data analysis and consumer targeting.
These practices included:
- changing terms on which products and services are provided without reasonable notice or the ability to consider the new terms, including in relation to products with subscriptions or contracts that automatically renew;
- adopting business practices to dissuade a consumer from exercising their contractual or other legal rights, including requiring the provision of unnecessary information in order to access benefits; and
- inducing consent or agreement in very long contracts, or providing insufficient time to consider terms, or offering a service via all-or-nothing “click wrap” consents.
Accordingly, the ACCC recommended that the ACL be amended to include a prohibition on certain unfair trading practices, noting that such prohibitions have been used to address similar practices overseas.