Dianne Beer and Eva Lu

The ACCC Takes a Bite of the Privacy Pie (Part 1)

Dianne Beer and Eva Lu

17 May 2019

Confidentiality and Privacy

Eva Lu, Associate at Thomson Geer, provides a summary of the privacy and data related recommendations from the ACCC’s Digital Platform Inquiry Preliminary Report.

The Australian Competition and Consumer Commission (ACCC) Preliminary Report on the Digital Platforms Inquiry (Report) contains 11 preliminary recommendations and nine areas for further analysis. Four of those recommendations seek to better inform consumers when dealing with digital platforms and to improve their bargaining power by making amendments to existing laws around privacy. If the proposed recommendations made in the Report are implemented, it is likely to have significant implications not only on the digital platforms or the media and advertising industry, but for businesses across all sectors.

One of the key findings in relation to privacy for digital platform consumers, in the ACCC’s own words, is that “(t)he existing Australian regulatory framework over the collection, use and disclosure of user data and personal information does not effectively deter certain data practices that exploit the information asymmetries and bargaining power imbalances between digital platforms and consumers.”1 To combat this, the ACCC proposes to recommend enacting several amendments to the Privacy Act 1988 (Cth) (Privacy Act), increasing penalties for breaches of the Privacy Act, increasing resources for the Office of the Australian Information Commissioner (OAIC), adopting the Australian Law Reform Commission’s recommendation to introduce a statutory cause of action for serious invasions of privacy and making unfair contract terms illegal under the Australian Consumer Law (ACL) in Schedule 2 of the Competition and Consumer Act 2010 (Cth).

Ahead of the release of the ACCC’s final report on 3 June, Part 1 of this two-part series will focus on the privacy and data related preliminary recommendations in the Report. Part 2, to be published next week, will focus on the privacy and data related areas for further analysis outlined in the Report as well as the next steps in the Digital Platforms Inquiry.

Preliminary Recommendations

Preliminary Recommendation 8 – use and collection of personal information

The ACCC proposes to recommend a range of amendments to the Privacy Act to better enable consumers to make informed decisions in relation to, and have greater control over, privacy and the collection of personal information. Recommendation 8 is intended to apply broadly and to mitigate concerns regarding data practices by all business within the remit of the Privacy Act. The proposed recommendation are:

  1. Introduce an express requirement that the collection of consumers’ personal information directly or by a third party is accompanied by a notification of this collection that is concise, transparent, intelligible and easily accessible, written in clear and plain language (particularly if addressed to a child), and provided free of charge;
  2. Require certain businesses, which meet identified objective thresholds regarding the collection of Australian consumers’ personal information, to undergo external audits to monitor and publicly demonstrate compliance with these privacy regulations, through the use of a privacy seal or mark. The parties carrying out such audits would first be certified by the OAIC.
  3. Amend the definition of consent to require express, opt-in consent and incorporate requirements into the Australian Privacy Principles (APPs) that consent must be adequately informed (including about the consequences of providing consent), voluntarily given, current and specific. The consent must also be given by an individual or an individual’s guardian who has the capacity to understand and communicate their consent.
  4. Enable consumers to require erasure of their personal information where they have withdrawn their consent and the personal information is no longer necessary to provide the consumer with a service.
  5. Increase the maximum penalty for serious or repeated interference with privacy to at least mirror the increased penalties for breaches of the ACL, that is, the higher of $10 million, three times the value of the benefit received or, if a court is not able to determine the benefit obtained from an offence, 10% of the entity’s annual turnover in the last 12 months.
  6. Give individual consumers a direct right to bring actions for breach of their privacy under the Privacy Act without having to rely on representation by the OAIC.
  7. Provide increased resources to equip the OAIC to deal with increasing volume, significance, and complexity of privacy-related complaints.

 

Although some of the ACCC’s proposed amendments are already good privacy practices recommended in the OAIC’s Australian Privacy Principles Guidelines,2 the ACCC’s proposed amendments to the Privacy Act, such as external audits and certification process, are likely to increase the regulatory burden and costs for all businesses within the remit of the Privacy Act that collect the personal information of Australian consumers.

Preliminary Recommendation 9 – OAIC Code of Practice for digital platforms

The ACCC proposes to recommend that the OAIC engage with key digital platforms operating in Australia to develop an enforceable code of practice to provide Australians with greater transparency and control over how their personal information is collected, used and disclosed by digital platforms. Part IIIB of the Privacy Act empowers the OAIC to approve and register enforceable codes of practice. The code of practice would likely contain specific obligations on how digital platforms must inform consumers and how to obtain consumers’ informed consent, as well as appropriate consumer controls over digital platforms’ data practices.

Preliminary Recommendation 10 – serious invasions of privacy

The ACCC has renewed calls and proposes to recommend that the Government adopt the Australian Law Reform Commission’s recommendation to introduce a statutory cause of action for serious invasions of privacy (by intrusion into seclusion or misuse of private information) to increase the accountability of businesses for their data practices and give consumers greater control over their personal information. Such a statutory cause of action would also have the potential to enable individuals to take action where unauthorised surveillance and serious privacy concerns need to be addressed.

Preliminary Recommendation 11 – unfair contract terms

The ACCC proposes to recommend that unfair contract terms should be illegal under the ACL, and that civil pecuniary penalties should apply to their use, to more effectively deter digital platforms, as well as other businesses, from leveraging their bargaining power over consumers by using unfair contract terms in their terms of use or privacy policies. Currently, if a contract term in a standard form consumer or small contract is declared unfair, the term is void and unenforceable. The term is not a contravention of the ACL and the ACCC cannot seek pecuniary penalties for breach. However, the effectiveness of the proposed recommendation on privacy and data practices in unclear as privacy policies are generally not considered to be contracts. If the proposed recommendation is implemented, it is likely to trigger a more conservative approach to unfair contract terms for businesses across all sectors.

The ACCC notes that one of the consumer protections under the ACL, along with unfair contract terms, is the prohibition of businesses from engaging in misleading or deceptive conduct and false or misleading representations.3 The ACCC does not comment on whether it considers it can use the prohibition against misleading or deceptive conduct and false or misleading representations in circumstances where it is concerned that digital platforms are misleading or confusing consumers in their privacy policies and the lack of transparency in their data practices.

Part 2, to be published next week, will focus on the privacy and data related areas for further analysis outlined in the Report as well as the next steps in the Digital Platforms Inquiry.


——–

 Resources

1 Australian Competition and Consumer Commission, Digital Platforms Inquiry, Preliminary Report (2018) 164.

2 Office of the Australian Information Commissioner, Australian Privacy Principles Guidelines – Combined set out APP guidelines (as at 2 March 2018) https://www.oaic.gov.au/resources/agencies-and-organisations/app-guidelines/APP_guidelines_complete_version_2_March_2018.pdf.

3 Australian Competition and Consumer Commission, Digital Platforms Inquiry, Preliminary Report (2018) 216.