On 4 December 2017, the Australian government directed the Australian Competition and Consumer Commission (ACCC) to conduct an inquiry into digital platforms. The inquiry, says the ACCC, ‘is looking at the effect that digital search engines, social media platforms and other digital content aggregation platforms have on competition in media and advertising services markets. In particular, the inquiry is looking at the impact of digital platforms on the supply of news and journalistic content and the implications of this for media content creators, advertisers and consumers’. On 10 December 2018 the ACCC released its preliminary report for the inquiry, and called for submissions. The final report by the ACCC is due by 3 June 2019.
This submission by the Australian Privacy Foundation (APF) has been prepared by the above-listed authors with expertise in privacy-related issues, and focuses on the ACCC recommendations that are particularly relevant to privacy issues. The APF gives general support to all of the draft Recommendations made by the ACCC, but makes the following eighteen specific submissions as to how those recommendations should be strengthened:
(i) We submit that it is essential that the ACCC give full weight to all of the companies that Google and Facebook have acquired, and also to all the streams of personal information to which they have access because of those acquisitions and because of other business arrangements.
(ii) The issues at stake also go beyond questions of correcting market imperfections. We submit that the ACCC should explicitly recognise that they constitute a new and dangerous economic formation, where flows of data have been used to create what is now widely described as ‘surveillance capitalism’, or ‘the surveillance economy’.
(iii) We support strongly Recommendations 1 (additional relevant factors in merger laws, to include the amount and nature of data acquired in a merger), Recommendation 2 (prior notice of acquisitions), and Recommendation 3 (required choices rather than defaults when operating system providers supply browsers, and when browser providers supply search engines).
(iv) We submit that Recommendation 2 is not strong enough, because the history of the platforms shows that any voluntary measures will be evaded and defeated, and that the only realistic approach when dealing with these companies is legal compulsion coupled with penalties severe enough to be deterrents. The ACCC should state that platforms will be legally compelled to give the required notice.
(v) We support Recommendation 8(a), but submit that it should be more specific and should specify (as ACCC suggests) ‘the identity and contact details of the entity collecting data; the types of data collected and the purposes for which each type of data is collected, and whether the data will be disclosed to any third parties and, if so, which third parties and for what purposes’.
(vi) We submit that Recommendation 8(a) will not be sufficient to achieve its aims unless the definition of ‘personal information’ in the Privacy Act is amended to clarify that it does include an IP address, a URL, or other information which can be used to identify an individual.
(vii) We further submit that the definition of ‘personal information’ in the Privacy Act ought be amended to clarify that it encompasses data drawn from the profiling or tracking of behaviours or movements such that an individual can be singled out and thus can be subjected to targeting or intervention, even if the individual cannot be identified per se from the data.
(viii) We submit that the certification schemes proposed in Recommendation 8(b) must be developed with considerable care to avoid problems identified in the submission, but do not oppose appropriate certification being used as a means of implementing ‘demonstrable accountability’.
(ix) We support Recommendation 8(c) concerning consent, but submit that it should specifically state that the onus of proof of compliance with all consent conditions lies with the collector of the information; that such separate consents should be required for each separate purpose; and that information for which consent is required should be unbundled from any information for which consent is not required.
(x) We further submit that the ACCC should require companies to rely on ‘consent’ as the legal basis for collecting, using or disclosing any personal information that is not strictly necessary to fulfil the original transaction.
(xi) We support Recommendation 8(d) to enable the erasure of personal information, but submit that it is far too limited in its scope, being restricted to information provided by the data subject on the grounds of ‘consent’ in the first place. We submit that it should be expanded to encompass an Australian equivalent of the EU’s ‘right to be forgotten’.
(xii) In relation to Recommendation 8(e) concerning increase in the penalties for breach, we submit that if Australian privacy law is to have a deterrent effect on companies of the scale of Google and Facebook, the maximum fines that can be issued should be proportional to the global turnover of the company concerned, and the proportion should be in the range 2-4%.
(xiii) We further submit that ACCC should in addition recommend a statutory damages provision whereby a specified amount of statutory damages may be awarded to all persons whose personal data was disclosed as a result of a data breach due to negligent security (or other reasons in breach of the law), without need for proof of actual damage by the data subject whose personal data was disclosed.
(xiv) We give strong support to Recommendation 8(f) to introduce direct rights of action for individuals to take actions for breach of the Privacy Act before the Courts, without need to first complain to the OAIC.
(xv) While not opposing Recommendation 8(g) to expand resourcing for the OAIC, we submit this is not the most significant cause of the lack of interpretation of the Privacy Act by courts or tribunals. We submit that the ACCC should recommend the removal of the s41(1)(a) and s41(2)(a) Privacy Act impediment to s52 determinations, by amendment to the sub-section to provide that, if a complainant objects to the Commissioner’s dismissal of a complaint under these sub-sections, the Commissioner will then make a formal determination under s52. This will give complainants (and respondents) the opportunity to appeal to the AAT.
(xvi) We support Recommendation 9, and in particular the involvement of the ACCC in the development of such a Code of Practice.
(xvii) We endorse strongly Recommendation 10 that there should be a statutory cause of action for serious invasions of privacy. The ALRC’s examination of this issue was very thorough and its recommendations well-balanced, but we further submit that the ACCC may also wish to examine both the APF submission to the ALRC and the NSW Parliamentary Committee report on this topic, and to consider strengthening its recommendation accordingly.
(xviii) The ACCC preliminary report identifies 9 areas which require further analysis and assessment, and we submit that two of those areas are particularly relevant to privacy protection and do require such further consideration: deletion of user data and opt-in targeted advertising.
The national Attorney-General and the Minister for Communications and the Arts have meanwhile announced a 'new penalty regime under the Privacy Act and other measures to ensure Australians were protected online and that major social media companies took action to protect the personal information they collect about Australians, particularly children'. Nothing like an election on the horizon, with the new-found commitment to privacy being somewhat at odds with the Government's indifference over the past four years.
"Existing protections and penalties for misuse of Australians' personal information under the Privacy Act fall short of community expectations, particularly as a result of the explosion in major social media and online platforms that trade in personal information over the past decade," the Attorney-General said.
"What the Morrison Government is doing today is outlining a new regime of protections for Australians and penalties for those who misuse Australians' personal information. This regime will update our privacy laws without impeding the continued innovation and development of companies working in the online space."
Minister for Communications and the Arts, Mitch Fifield, said it was clear the Australian community enjoyed using social media and technology platforms, but was increasingly concerned about how personal data is captured, analysed and shared. This was particularly the case for children and members of other vulnerable community segments, he said.
"The tech industry needs to do much more to protect Australians' data and privacy," Minister Fifield said. "Today we are sending a clear message that this Government will act to ensure consumers have their privacy respected and we will punish those firms and platforms who defy our norms and our laws."
The amendments to the Privacy Act will:
- Increase penalties for all entities covered by the Act, which includes social media and online platforms operating in Australia, from the current maximum penalty of $2.1 million for serious or repeated breaches to $10 million or three times the value of any benefit obtained through the misuse of information or 10 per cent of a company's annual domestic turnover – whichever is the greater
- Provide the Office of the Australian Information Commissioner (OAIC) with new infringement notice powers backed by new penalties of up to $63,000 for bodies corporate and $12,600 for individuals for failure to cooperate with efforts to resolve minor breaches
- Expand other options available to the OAIC to ensure breaches are addressed through third-party reviews, and/or publish prominent notices about specific breaches and ensure those directly affected are advised
- Require social media and online platforms to stop using or disclosing an individual's personal information upon request
- Introduce specific rules to protect the personal information of children and other vulnerable groups.
"This penalty and enforcement regime will be backed by legislative amendments which will result in a code for social media and online platforms which trade in personal information. The code will require these companies to be more transparent about any data sharing and requiring more specific consent of users when they collect, use and disclose personal information," the Attorney-General said.
"We will also be requiring platforms to implement a mechanism to ensure they can take all reasonable action to stop using an individual's personal information if a user requests them to do so and have even stronger regimes to address these issues when the user is a child or other vulnerable person."
The OAIC will be provided with an additional $25 million over three years to give it the resources it needs to investigate and respond to breaches of individuals' privacy and oversee the online privacy rules.
Legislation will be drafted for consultation in the second half of 2019 [which is of course after an election likely to be lost by the Government].
"This new regime builds on other Government initiatives to improve online safety and provide Australians with greater control over their personal data, including the Online Safety Charter and Online Safety Research program, and the Consumer Data Right," the Attorney-General said.
"The draft legislation will also incorporate any relevant findings of the current Digital Platforms inquiry by the Australian Competition and Consumer Commission which is due to issue its final report in June 2019. Whilst focused on the impact of large digital media platforms on competition in news media, it is also touching on privacy-related issues and, in its interim report late last year, recommended the tougher penalty regime being outlined today by the Morrison Government."