The federal Attorney-General’s department in October 2021 released two privacy reviews which set out a range of reforms intended to strengthen privacy protection for consumers in the evolving online environment. As we summarised previously, these reviews are:
- Privacy Act Review – which sets out a range of reforms that have the potential to overhaul privacy regulation in Australia to bring it more in line with other jurisdictions such as the GDPR.
- Draft Exposure Legislation – which proposed more immediate reforms, in particular an Online Privacy Code.
With industry consultation now well underway, we thought it would be timely to ask experts in the industry for their insights on the complexity of some of the issues raised by the proposed reforms and the implications for industry.
The questions and answers below look at:
- The key considerations for businesses
- Analysis of the implications of some of the key reform proposals, including the definition of ‘personal information’, the overarching ‘fair and reasonable’ requirement and the proposals regarding ‘direct marketing’
- Analysis of reforms missing from the Government’s Discussion Paper that Australia should potentially consider, including whether we should have a ‘legitimate interests’ exception; and
- The potential overall impact of the reforms combined, for digital advertising and profiling.
Many thanks to our esteemed panel of industry experts: Ross Phillipson, Brett Farrell, Anna Johnston and Peter Leonard.
________
We have recently seen the Government announce two major reviews into Australian Privacy Law. What are the key considerations for marketers from a business perspective?
Ross Phillipson, Senior Advisor - Risk Advisory, Norton Rose Fulbright Australia
The review of the privacy legislation has been a long time coming and indeed still looks like a further long time in the making. The process is not going to be rapid, and the concern for advertisers and marketers right now is that there are significant investments needing to be made in technology choices and innovation, especially in light of continuing pressure in Europe to modify the online advertising technology stack and process. The uncertainty that the legislative reform process in Australia will create is unlikely to be welcome from that perspective.
That said, this is also the ideal time to be reforming the privacy laws in Australia. While we know that the pace of digital change will only accelerate, we have had three years of GDPR (and even longer in the preparation) and a real opportunity to see how the policy choices made there worked out.
If Australia is to be a leading digital economy by 2030 then this is an ideal opportunity for business in Australia to engage with the reforms, adopt what works for Australia and Australian business and avoid what doesn’t.
The substantial broadening out of the definition of ‘personal information’ is one of the key reforms proposed. Does the definition of Personal Information need to be broadened in Australia? Will this negatively impact on the digital economy?
Anna Johnston, Principal, Salinger Privacy
The definition of ‘personal information’ certainly needs to be clarified in Australia. There has been a history of complicated and confusing case law in Australia, including the Grubb v Telstra line of cases, which has muddied the waters around whether or not metadata is included, and whether or not online identifiers are included. As a result, the definition in the Privacy Act no longer aligns with the definition for the purposes of the consumer data right, let alone with the definition in other jurisdictions including Europe and California. This is a problem that was called out by the ACCC in its Digital Platforms Inquiry in 2019.
The Discussion Paper proposes a re-drafting of the threshold definition of ‘personal information’, so that it explicitly recognises and includes online identifiers and technical data. By moving closer to the GDPR’s definition of ‘personal data’ which includes online identifiers, indirect identification and the notion of ‘singling out’, this proposal alone will help strengthen and modernise Australia’s privacy laws.
How it will impact the digital economy of course depends on where you sit in that economy. Organisations which wish to exploit people’s personal information without being subject to legal safeguards won’t like the proposal. However, we know that community expectations are that people’s privacy should be protected, regardless of quibbles over things like online identifiers or metadata.
Also, by strengthening Australia's privacy laws and bringing them closer into line with the GDPR, we should see a significant benefit, if the European Commission then recognises Australia's privacy laws as equivalent to its own. If the European Commission formally recognises Australia's privacy laws as ‘adequate’, that changes the legal framework for data transfers between Europe and Australia, and indeed from Australia to anywhere else in the world. Such a development would open up great opportunities for Australian organisations, by lifting a current compliance burden and regulatory headache.
The other major overarching reform is the proposed new ‘fair and reasonable’ requirement. This will require all collections, uses and disclosures of [the broadened definition of] ‘personal information’ to be both ‘fair’ and ‘reasonable’. What are the risks of this new requirement to businesses?
Ross Phillipson, Senior Advisor - Risk Advisory, Norton Rose Fulbright Australia
The concept of a “fair and reasonable” assessment for the collection and use of personal information is very attractive as it sounds just that, fair and reasonable.
Unfortunately, experience has demonstrated that individuals differ greatly in their perception of what is both fair and reasonable based upon a multitude of factors, including experience, background and cultural context. Consequently, individuals do not fit neatly into one box – their approaches are a continuum bounded at two extremes.
As a result, businesses, when faced with trying to determine whether a given activity is fair and reasonable, typically would start the assessment at the end – what could go wrong, who could complain and why, and how would we explain that this was fair and reasonable in a post-hoc manner? This is not an easy question to answer and therefore such a solution to a difficult problem may not result in the outcomes the legislators intended.
Without wishing to adopt mistakes made in the GDPR, the approach contained there, providing multiple avenues for data collection and processing that do not require consent (such as contractual necessity, compliance with law or legitimate interests), offers useful concepts that could be considered to help provide businesses with the necessary certainty they need.
Will the ‘fair and reasonable’ requirement impose a major compliance challenge?
Brett Farrell, Principal, Westbright Law
The 2021 Discussion Paper reforms are asking a lot. At one level, we could say that the reforms are bringing Australia into line with what’s happening in other jurisdictions. On another level – and for most organisations – this will be a significant compliance event. There is one change that comes to mind that I believe will challenge most organisations operationally.
The proposed fair and reasonable test enhances the disclosure and notification regime in place in Australia. Implementing this test and putting controls in place to ensure compliance will be a significant challenge and impost on organisations. Yet, if done right, it could make using personal information much simpler if the right framework is in place.
What is “fair and reasonable” is not simply a reframing of the “pub test”. The reforms set out some indicators for what is “fair and reasonable” that would become legislation. For example, an individual’s expectations about the collection, the sensitivity and amount of information, if the collection and use is necessary to achieve the organisation’s aims and whether an individual’s loss of privacy is in proportion to the benefits.
Organisations will be required to take reasonable steps to identify and mitigate risks with collecting certain types of information like biometric data, some purposes like profiling, and data use that could result in high privacy risk or harm to a person.
I expect that “fair and reasonable” would focus the regulator’s attention to produce detailed guidance and possibly test drive new enforcement powers to find the boundaries of “fair and reasonable”.
Incidentally, if the small business exemption is ultimately narrowed, more organisations will need to address this, but from a standing start. These organisations will need to start from scratch building a compliance regime.
I hope that regulatory guidance and enforcement stances take a constructive approach to help organisations come to terms with what is required beyond an intuitive understanding of “consent + unsubscribe + privacy policy on website”. Being clear on that as a sector and with the regulators will help balance innovation with consumer protections.
Will the new “fair and reasonable” requirement reduce the burden on consumers to understand and deal with numerous and complex consent requests? Could the proposals be improved in this regard?
Anna Johnston, Principal, Salinger Privacy
Not surprisingly given the European Parliament moving on AdTech, Google phasing out third party cookies, and concerns expressed about some of Facebook’s activities, the Discussion Paper has much to say about digital harms, targeted advertising, personalised content, and the role of consumer ‘consent’.
The Discussion Paper proposes a ‘fair and reasonable’ test, which should be applied to collection, use and disclosure, on top of (or, if you like, before you even get to) existing rules around collection necessity and purpose limitation, or consent.
The objective of introducing this ‘fair and reasonable’ test is to reduce reliance on the ‘notice and consent’ self-management model of privacy regulation, in favour of stricter limits on collection, use and disclosure. If a proposed collection, use or disclosure can’t pass the ‘pub test’ – because it is unfair or unreasonable – then the Act will effectively say you can’t do it. You won’t be able to try and get consumers to ‘consent’ away their rights, if the practice is unfair or unreasonable. But equally – if you can pass the ‘pub test’, more routine activities should not require companies to ask for consent in the first place. That should reduce the burden on consumers.
However while moving away from requiring consent for routine activities, it looks like consent will remain as an option for authorising some types of information handling practices (after you have passed the ‘fair and reasonable’ test). The Discussion Paper also proposes to tighten the legal tests for what constitutes a valid consent, by building into the legislation what has to date been guidance from the Office of the Australian Information Commissioner: that consent must be voluntary, informed, specific and current, and requires an “unambiguous indication through clear action”.
The Discussion Paper also includes a proposal to require ‘pro-privacy defaults’ when choices are to be offered to users.
So, taking those three proposals together – the ‘fair and reasonable’ test, a consolidation of what you need in order to gain a valid consent, and the implementation of pro-privacy defaults – if enacted, these proposals should spell the end of companies using dark patterns to trick people into sharing their personal information, and then claiming ‘consent’ as their lawful basis for collection, use or disclosure.
The reforms have also proposed specific changes to ‘direct marketing’ (including abolition of APP 7), what will be the key impacts to industry of proposed reforms to direct marketing?
Brett Farrell, Principal, Westbright Law
Superficially, the proposal to abolish APP 7 (Marketing) would be welcomed by most in the industry. However, in return, organisations will have higher transparency obligations and must administer a customer’s unqualified right to object to direct marketing.
One possible outworking of the reforms could leave Australia in an interesting position where direct marketing would be permissible so long as organisations made relevant disclosures, were ‘fair and reasonable’ in their use of the personal information for marketing and complied with the transparency and risk mitigation obligations. This is all independent of whether direct marketing or associated practices like profiling will require consent (noting one suggestion to treat the data associated with those practices as ‘sensitive’ requiring consent).
Under the proposed Online Privacy Bill, an even higher standard would apply to social media providers, platforms with 2.5m+ customers and data companies. This could confuse what is required in the market at one level, yet put a hefty compliance and technological cost onto organisations.
Most organisations are working through consent management enhancements to address multi-vertical environments now, so adding in the ‘right to object’ is a further operational challenge to unpack. In addition to all the above, the reforms propose two options to address pro-privacy defaults. One option is that all settings must default to privacy by default; the other option is obvious and clear preferences for a user to self-manage.
Should there be a “legitimate interests” style exception in Australia instead of a primary consent only approach?
Brett Farrell, Principal, Westbright Law
Conceptually, I like the GDPR-style approach where ‘consent’ is but one of many lawful processing options available to an organisation that uses personal information. However, the reforms propose a fair and reasonable test in Australia which backs away from earlier suggestions that consent would be the principal basis for using personal information. And instead of a GDPR-style list of options, we’re left with other mechanisms to address compliance (see question above).
I wonder whether we should be dialling back consent as a mechanism even further rather than trying to clarify in legislation what it is. Being clear that consent must be “voluntary, informed, current, specific and an unambiguous indication through clear action” is easy to say, but difficult to implement to that standard in a digital age.
We need to accept that the digital experience has outpaced – and continues to outpace – regulation, and retrofitting compliance to where the market has ended up (globally) to this standard is ambitious. Anecdotally, I’m even seeing GDPR-regulated businesses struggle with this when trying to comply in good faith.
The idea in the proposal to standardise consent using iconography has some merit to help organisations and consumers understand what is behind the consent. Yet, rather than enhancing consent icons, I wonder what outcomes could be achieved if we focused on explaining the value exchange proposition clearly between organisation and customer?
That said, abolishing APP 7 and being able to use personal information for marketing subject to the other reforms (e.g. the fair and reasonable test above) is a net positive for the industry at this time. Consolidating the positions under the Spam Act and Do Not Call Register Act will further support alignment and understanding.
These reforms in combination will fundamentally change the approach taken under existing laws. What will the implications be for digital advertising and profiling, when taken as a whole?
Peter Leonard, Principal, Data Synergies Pty Limited
There is growing consensus that the Australian Privacy Act, in common with similar statutes in other jurisdictions, needs a major overhaul.
One impetus for overhaul is increasing concern about use of personal information about individuals for differentiated treatment of individuals: not just for targeting of digital advertising, but also use of inferences about an individual’s personality, behaviour, interests and habits for making predictions or decisions relating to that individual. Or to use the emotionally charged terms adopted by many consumer advocates, addressing ‘pervasive online surveillance’ or ‘hidden profiling of citizens’.
Advances in transactor and transaction analytics, shift to online transactions, take-up of non-conventional internet enabled devices such as personal wellness devices and smart speakers, and deployment of and rearchitecting of data platforms, have fuelled ever more sophisticated profiling of individuals. If a supplier has reasons to single out a person - to deal, or not deal, or for a more or less favourable offer – this differentiated treatment is often possible without needing to know the identity of the person that is singled out. If a supplier takes care not to know, and not to be able to work out, who it is that is being singled out, current Australian data privacy law generally doesn’t regulate that singling out, or the reasons for singling out.
Of course, other laws may limit the reasons that a supplier may single someone out. An increasing variety of topic and sector specific statutory provisions regulate particular reasons for differential treatment, including laws about discrimination, consumer protection, targeting of children, tracking and surveillance, disinformation and misinformation.
One key issue for reform of the data privacy statute is scoping the role for a Privacy Act in regulating profiling. What should be addressed by data privacy law, and what is better addressed by Australian Consumer Law and topic-specific and sector-specific laws? Even for particular applications of profiling where it is agreed that the Privacy Act is the right regulatory tool to address and control unacceptable practices, it is difficult to structure the right package of new rules.
A small change in one area of data privacy law, such as by broadening the definition of personal information, may have substantial knock-on effects in other areas, such as increasing the complexity of technical information that needs to be disclosed, placing further stress upon consumer understanding of privacy policies and notices. Tweaking settings within the Privacy Act requires reconsideration of the effect upon the package, including the balancing of interests of regulated entities in conducting business and reasonable concern of affected individuals, that is privacy regulation.
Contemplate the various elements of the Privacy Act that might need to be tweaked to address profiling. The question is not only whether uses of technical information relating to individuals should be brought within the scope of rules currently applying to use of identifiers associated with information about individuals. If use of non-identifying transaction or transactor codes for profiling is brought within scope, the statute must embed the right combination of no-go zones (i.e., targeting of unhealthy food or activities to young children), generic requirements of reasonableness or fairness, broadened transparency requirements, restrictions on use of dark patterns, exceptions from any requirements for transparency or opt-outs for reasonable business uses, sector- or application-specific needs, and so on.
Reform of the Privacy Act may look straightforward. The balancing of interests and incentives underlying good data privacy practice, and the complex interaction of elements of privacy regulation, makes it deceptively difficult to get reform right. And the most difficult area of all is adjusting the settings around profiling.