As you’re probably aware, Australia’s most important privacy framework, The Privacy Act 1988 (Cth) (The Act), is currently under review. The evaluation was announced in December 2019 and commenced in October 2020 (speedy hey?), in response to the Australian Competition and Consumer Commission’s (ACCC) Digital Platforms Inquiry.
Earlier this year, I described the Australian Government’s speed with regard to privacy legislation reform as “moving at a glacial pace.” And here we are nearing the end of 2021 only inches further along than we were one year ago – need I say more?
I was provided with some ‘direct feedback’ that my sentiment on this topic was a little harsh. Granted, there is a metronomic process of issues papers, discussion papers and bill drafts that need to be followed but I stand by my commentary simply because privacy is one of the most important factors affecting the legal landscape and we are lagging. It’s not good (or fast) enough for the marketing industry.
Privacy protections have been a contentious topic for a number of years, exacerbated by digitisation and the Internet of Things. It is disappointing that having been a first mover in launching a well-rounded data privacy regime in 2012, we now trail most of our global peers. Over the past few years, there have been various schemes, reports and inquiries which have started to shape the future of privacy legislation. Here’s a timeline to prompt the memory bank.
Figure 1: A timeline of key privacy outcomes in Australia
Privacy Act snapshot
Let’s quickly recap on The Act. It is a Commonwealth legislation which was passed in 1988 (yes, the same year as the infamous World Expo 88 themed Leisure in the Age of Technology – clearly, ahead of its time – and when floppy disks were a thing). The Office of the Australian Information Commissioner (OAIC) claims The Act was introduced to “promote and protect the privacy of individuals and to regulate how organisations handle personal information.” The Act only applies to certain information about you, namely personal or sensitive information. It contains a number of exemptions, including but not limited to small business under $3M turnover, politics, and journalism. The Act has undergone over 90 amendments in its time and numerous reform recommendations have been made by the ACCC and the Australian Law Reform Commission (ALRC). With an ever-changing data economy, it’s no surprise it is deemed no longer fit for purpose. And now, it is being reviewed under the counsel of the Attorney-General’s Department. The review aims to “make recommendations to better empower consumers, protect their data and support the digital economy.”
The Privacy Act Discussion Paper
Late last month, a Discussion Paper regarding The Act’s review was published (yes, the same day the Online Privacy Bill Exposure Draft was released – for clarity, they are different. Possible follow up column incoming – hit me up if you want to know more about that). The Discussion Paper follows on from the Issues Paper released last year; it was designed to elicit feedback on the merits of ideas and proposals outlined in the Issues Paper, resulting in over 200 submissions from various stakeholders including our side of the fence, via brands, media and agencies. While the reform agenda is still under development, the Discussion Paper paves the way for what will be the most significant privacy law developments on record. And no doubt, it will have important implications for businesses that deal with personal (and sensitive) information.
The 200+ page dossier is presented in three main parts; (1) Scope and Application of the Privacy Act, (2) Protections, and (3) Regulation and enforcement, offering 67 proposals. The most noteworthy themes and suggestions are;
Scope/definition of personal information
- Amend how personal information is defined
- In the definition of personal information i.e. where data can be personal information if it is about an identified individual, change the word ‘about’ to ‘relates to’
- Clarify the differences between personal information (e.g. name, gender, date of birth) and technical information (e.g. device type, browser, IP address)
- Include a non-exhaustive list of information types
Personal information collection/consent
- Amend the definition of ‘collection’ to include inferred or generated information
- Uphold pro-privacy default settings
- Develop a Code that standardises data collection/consent, including common templates, layouts, language, iconography, and/or consent taxonomies
- Use of a ‘fair and reasonable’ test with regard to data collection, use and disclosure i.e. taking ‘reasonable steps’ to identify and mitigate risks and consider individual expectations and information sensitivity
- Definitions for ‘primary’ and ‘secondary’ purposes of information collection
- Third party entities and indirect practices to be held to higher account
- Information to be ‘anonymised’ rather than ‘de-identified’ before it is not bound by the Privacy Act – this is due to de-identification science being able to re-identify data after it has been de-identified
Additional protections, rights and controls for individuals
- The right for an individual to object (or withdraw consent) to their personal information being handled
- The right for an individual to the erasure of their personal information – circumstance dependant and subject to exceptions
- Creation of a direct right of action for privacy intrusions, including changes to enforcement and remedies
- Introduce a statutory tort of privacy
Direct marketing, targeted advertising and profiling
- The right for individuals to object to the collection, use or disclosure of their personal information for direct marketing purposes
- For certain acts/practices, businesses to be required to take ‘reasonable steps’ to identify and mitigate privacy risks
- More transparency regarding when personal information is used to influence behaviour
Overseas data flows
- Remove the informed consent exception in Australian Privacy Principle (APP) 8.2(b)
- Definition of ‘disclosure’
- Develop Standard Contractual Clauses to transfer personal information overseas and enhance transparency requirements
- Introduce a voluntary domestic privacy certification scheme to work in concert with the Cross Border Privacy Rules
Regulation and enforcement
- Create tiers of civil penalty provisions
- Increased penalties for privacy non-compliance
- Define a ‘serious’ or ‘repeated’ offence regarding privacy interference
- Increase enforcement options and powers of the Information Commissioner
- Improved collaboration between regulators including OAIC, Australian Securities and Investments Commission (ASIC), Australian Prudential Regulation Authority (APRA), the Australian Communications and Media Authority (ACMA) and the ACCC
- Establish new regulatory models such as a Federal Privacy Ombudsman or a Deputy Information Commissioner
Other topics
- Enhanced transparency on whether personal information will be used in automated decision-making
- Flexibility of the APPs
- Interoperability with global legislation – align Australia to the rest of the world with a consistent privacy regime, allowing it to act as an expansion of foreign privacy laws
- The concept of controllers and processors of personal information, as per the European Union’s General Data Protection Regulation
- Removal/part removal of exemptions for employee records, small business, political – there was strong support for the journalism exemption to be maintained
- Further proposals to protect children and vulnerable individuals.
What it means for marketers
On its own, the Discussion Paper means nothing – there is no obligation, it is a collation of conversations and list of reform suggestions. It is, however, indicative of what comes next. So, instead of sitting idle, consider looking ahead and think about what it could mean for your organisation. As I gaze into my crystal ball (no, I don’t really have one), several aspects are summons to the forefront of my mind.
The increased liability and legal risk will not discriminate – there is a clear burden shift from consumer to business. It is highly likely smaller organisations will start to be held to (at least some) account regarding personal information, and it is also likely that the obligations of larger organisations will increase. Either way, it doesn’t matter where you work; DTC, B2B or otherwise, increased privacy protections will take pole position on your agenda and possibly change the way you operate. Stay ahead of the game by being proactive early and avoid getting caught out.
If you collect, store and/or use personal information (pretty much every marketer), reconsider your data handling process – more than likely, you inherited it. So, if you were to build it from scratch with best practice in mind, what should it look like? What consent model are you using? Is the language used clear? Is it obtained by fair and lawful means? How do you store it? How would you deal with information collection objections? You get the drift.
Privacy reform seems to go hand in hand with a cookie-less future and when partnered with the Digital Platforms and Digital Advertising Services Inquiry final reports, many of the recommendations support more vigilance and security in this area. Reader poll: Since Google’s announcement of its cookie removal delay to late 2023 (it was supposed to be next year, remember?), who has packed their ‘life after cookies’ project in ‘file 13’ to deal with later? I’m guessing most readers just face palmed and are saying “guilty as charged.” I strongly recommend you avoid waiting for Google and resurrect that project stat – it is more probable that you will need it actioned as part of the Privacy Act amendments, not just for a life sans cookies.
And finally, familiarise yourself with all 13 of the APPs – they’re bound to be amended and will very likely start to be more vehemently enforced. Don’t be that marketer who ends up in the General Counsel’s office saying, “What is an APP?”
What’s next?
Not dissimilar to the Digital Platforms and Digital Advertising Services Inquiries, received submissions for the Privacy Act Discussion Paper will be considered, along with further consultation, to produce a Final Report for the Government. From there, it is the Government who will decide which reforms and recommendations it wants to uptake, it will draft/approve the legislation, by which time we will probably see an election and more time will pass – the Metaverse might have landed by then, but we’ll see.
For the legal nerds and privacy champions who have nothing better to do over the festive break, you can (and should) contribute; more feedback is required to determine reform requirements across various areas including small business exemptions, consent, international standards, the prospect of a tort of privacy, and much more. Submissions for the Discussion Paper close on 10 January 2022 so feel free to get involved.
I’m not going to do the math on the average time it takes the Government to implement recommendations because I don’t want my sunny disposition dampened but I have sizeable expectations from this review and genuinely hope it elevates Australia’s privacy regime to global standards, and the 21st century.
Diana Di Cecco is the CMO of Bill Identity. CMOpinion is a regular Mumbrella column.