Australia: ACCC Report To Impact Privacy & Consumer Protection Laws

Last Updated: 21 August 2019
Article by Gordon Hughes

On 26 July 2019, the Australian Competition and Consumer Commission (ACCC) released its final Digital Platforms Inquiry report relating to the impact of online search engines, social media and digital content aggregators on competition in the media and advertising services markets, with a particular emphasis on the substantial market power of Google and Facebook.

The Commonwealth government has undertaken to respond to the recommendations in the report by the end of 2019, but already significant changes to Australia's privacy and consumer protection regimes are being canvassed, particularly in the context of what the report describes as "the bargain between consumers and digital platforms and the ability of consumers to both be informed about their data and exercise meaningful control over it".

In this regard, the report emphasised that the ubiquity of digital platforms in the daily lives of consumers means that many are obliged to join or use these platforms and accept their non-negotiable terms of use in order to receive communications and remain involved in commonplace communications. Consumers, according to the ACCC, require a greater awareness of what personal information is being collected, together with an ability to "exercise real choice and meaningful control".

This in turn may impede competition between digital platforms and the entry of rival services into the market.

Against this background, the ACCC made wide-ranging recommendations, not all of which were confined to privacy and consumer protection. Nevertheless, the projected changes to Australia's privacy and consumer protection regimes are potentially significant and should not be underestimated. Some of these proposed changes are outlined below.

PRIVACY

Definition of "Personal Information"

The report recommended that the definition of "personal information" in the Privacy Act be updated "in line with current and likely future technological developments". Concerned by the constrained interpretation of the definition by the Full Court of the Federal Court in Privacy Commissioner v Telstra Corporation Limited [2017] FCAFC 4, the ACCC recommended greater clarity around the circumstances in which device information may constitute "personal information" under the Act. It considered that advancements in data analytics technologies, and the volume of technical data relating to identifiable individuals, warranted a re-visiting of the definition. This would, apart from anything else, result in a greater alignment between the Australian terminology and international standards, particularly the EU General Data Protection Regulation (GDPR).

Notification of collection

The report advocated the strengthening of notification requirements under the Privacy Act to ensure that the collection of consumers' personal information directly, or by a third party, is accompanied by a more meaningful collection notice than is currently mandated under the Act.

In this regard, the report acknowledged that Australian Privacy Principle (APP) 5 requires entities to "take such steps (if any) as are reasonable in the circumstances" to notify the individual of such matters regarding the data collection "as are reasonable in the circumstances". It considered this requirement to be too imprecise, however, and it recommended a more specific obligation to ensure that collection notices are concise, transparent, intelligible and easily accessible, written in clear and plain language (particularly if addressed to a child), and provided free of charge.

Consent

The report emphasised the need for consents required under the Privacy Act to be freely given, specific, unambiguous and informed in the context of both collection and disclosure of personal information.

In relation to collection, the consent of an individual is only required under APP 3 where "sensitive information" is involved. The report recommended that this requirement be extended to any circumstances where personal information (sensitive or otherwise) is collected, subject to certain public interest exceptions.

In relation disclosure, the report noted that consent is not required under APP 6 where the use of personal information is consistent with the "primary purpose of collection". It expressed concern that "primary purpose" is not defined and could be broadly construed by the data collector, and accordingly "stronger consent requirements are critical to ensuring that consumers have adequate control over how and why their personal information is used and disclosed to third parties".

Generally, the report recommended an express requirement that consent involve "a clear affirmative act that is freely given, specific, unambiguous and informed (including about the consequences of providing or withholding consent)".

Right of Erasure

The report recommended the introduction of a requirement for entities to erase a consumer's personal information without undue delay upon receiving a request for erasure, except in certain circumstances.

This is otherwise known as "the right to be forgotten", an issue which attracted considerable attention in 2014 following the finding by the European Court of Justice in Google Spain v Gonzalez (2014) c-131/12 that such a right existed under the 1995 EU Data Protection Directive (the forerunner to the GDPR). The right is now enshrined in Article 17 of the GDPR. The introduction of such a right would, in the ACCC's opinion, bring Australian law into closer alignment with the GDPR, a sentiment clearly evident across all its privacy recommendation.

In 2014, the Australian Law Reform Commission recommended the introduction of a new Australian Privacy Principle dealing with the right of individuals generally to request the destruction or de-identification of their personal information, a recommendation which was ultimately rejected. The ACCC has adopted a different approach. Noting that a broad mandatory deletion obligation could create a significant regulatory burden, the ACCC considered it more appropriate for this obligation to be confined only to digital platforms collecting, using and sharing a large volume of personal information, rather than to all entities. Accordingly, it recommended that the obligation should be set out in the proposed DP Privacy Code, discussed below.

Data portability

The report expressed concern about the market dominance of the incumbent digital platforms, and the barriers confronting rivals seeking to enter the market. In this context, it considered whether a form of data portability should be introduced to facilitate the movement of consumers between platforms. The concept of data portability is contained in Article 20 of the GDPR.

The merits of data portability have been extensively debated in Australia in a broader context over the past 12 months. On 1 August 2019, the Treasury Laws Amendment (Consumer Data Right) Act 2019 was passed, enabling individual and business consumers to access information about themselves and about their service providers' products, and to direct their existing service provider to share that information with other service providers. It is intended that this "Consumer Data Right" will have mandatory application to Australia's Big 4 Banks from February 2020, and rolled out to other banks and other industries thereafter.

Despite the apparent benefits of data portability as between digital platforms, the ACCC was unconvinced that this would be an effective mechanism to address the market power and competition issues it had identified, for three reasons.

First, at this time there are no other competing platforms for consumers to upload their data onto and switch. The introduction of a data sharing regime would not overcome this issue.

Secondly, unlike banking services, online search and social media services are provided for free. Consequently, there is less of an incentive for consumers to seek a transfer of their personal data to a rival network.

Thirdly, even if data portability made it easier for a user of Facebook to switch to another social media platform, individuals were unlikely to do so if none of their friends or family were simultaneously moving away from Facebook.

The report nevertheless foreshadowed that the ACCC would revisit the issue in the future when exercising its regulatory role in relation to the Consumer Data Right.

Statutory privacy right

The report recommended the introduction of direct rights for individuals to bring actions or class actions before the courts to seek compensation for an interference with their privacy.

Similar recommendations have emerged in various forms over the years in Australia, at both federal and State level, most notably as a recommendation by the Australian Law Reform Commission in 2006.

The rationale underpinning the ACCC's recommendation was the need to address the increased exposure to data breach risks, a reduction in trust which could result in consumers avoiding transactions, and the potential for particular risk to vulnerable consumers, including children.

The ACCC considered that allowing individuals to enforce their rights under the Privacy Act was critical to the effectiveness of those rights. Currently, individuals could only seek limited redress under the Act, in the form of an injunction for breach of the Act or the lodgement of a complaint with the Office of the Australian Information Commissioner (OAIC). While recognising the expense and time required to litigate matters in court, the ACCC considered it important for individuals to have the ability to directly enforce their rights under the Privacy Act.

Code of Practice

Part IIIB of the Privacy Act provides for the creation of privacy codes. Codes can be devised by industry sectors in conjunction with the OAIC and, once registered, are deemed under section 26B to be legislative instruments. This option is seen as an effective mechanism for addressing unique privacy issues confronting certain industries, but to date there have been a limited number of initiatives in this regard.

The ACCC noted that several aspects of digital platforms' notification and consent processes raised unique or pronounced privacy concerns, particularly notification and consent requirements, opt-out control, the handling of children's data, information security, retention of data and complaints handling.

The report recommended that these issues be addressed in part via an enforceable Privacy Code of Practice applicable to digital platforms (DP Privacy Code).

The PDP Privacy Code would be developed through extensive consultation with relevant

stakeholders, including consumer and privacy advocates. The ACCC would also be involved in developing the code in its role as the competition and consumer regulator.

The DP Privacy Code should, according to the report, contain provisions targeting particular issues arising from data practices of digital platforms, such as:

  1. Information: requirements to provide and maintain multi-layered notices regarding key areas of concern and interest for consumers;
  2. Consent: requirements to provide consumers with specific, opt-in controls for any data collection for a purpose other than the purpose of supplying the core consumer-facing service and, where consents relate to the collection of children's personal information, additional requirements to verify that consent is given or authorised by the child's guardian;
  3. Opt-out controls: requirements to give consumers the ability to select global opt-outs or opt-ins, such as collecting personal information for online profiling purposes or sharing of personal information with third parties for targeted advertising purposes;
  4. Children's data: additional restrictions on the collection, use or disclosure of children's personal information for targeted advertising or online profiling purposes and requirements to minimise the collection, use and disclosure of children's personal information;
  5. Information security: requirements to maintain adequate information security management systems in accordance with accepted international standards; and
  6. Retention: requirements to establish a finite time period for the retention of any personal information collected or obtained that is not required for providing the core consumer-facing service.

CONSUMER PROTECTION

In the course of its inquiry, the ACCC identified conduct which it considered detrimental to consumers and which was not effectively addressed or did not neatly fit under the existing Australian Consumer Law (ACL).

In particular, the report referred to terms observed in contracts which it considered demonstrated a significant imbalance in the rights of consumers and digital platforms but which, if held to be an unfair contract term, would not be subject to penalties. While individual terms that are "unfair" for the purposes of the ACL can be declared "void" by a court, the ACCC considered that this remedy is not of much benefit to a consumer and does not effectively deter businesses from using such terms.

Accordingly the report urged the introduction or tightening of provisions in the ACL dealing with unfair contract terms and unfair business practices.

Unfair contract terms

The report urged the introduction of civil pecuniary penalties for unfair contract terms in standard form consumer or small business contracts in order to more effectively deter businesses, including digital platforms, from leveraging their bargaining power to include unfair contract terms in their terms of use or privacy policies.

Unfair business practices

The report observed a range of practices that the ACCC considered to be significantly detrimental for consumers but which did not neatly fit under existing consumer laws. These practices were driven in part by the significant increase in the amount of consumer data now collected and the increased sophistication in data analysis and consumer targeting.

These practices included:

  1. changing terms on which products and services are provided without reasonable notice or the ability to consider the new terms, including in relation to products with subscriptions or contracts that automatically renew;
  2. adopting business practices to dissuade a consumer from exercising their contractual or other legal rights, including requiring the provision of unnecessary information in order to access benefits; and
  3. inducing consent or agreement in very long contracts, or providing insufficient time to consider terms, or offering a service via all-or-nothing "click wrap" consents.

Accordingly, the ACCC recommended that the ACL be amended to include a prohibition on certain unfair trading practices, noting that such prohibitions have been used to address similar practices overseas.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

To print this article, all you need is to be registered on Mondaq.com.

Click to Login as an existing user or Register so you can print this article.

Authors
Similar Articles
Relevancy Powered by MondaqAI
 
Some comments from our readers…
“The articles are extremely timely and highly applicable”
“I often find critical information not available elsewhere”
“As in-house counsel, Mondaq’s service is of great value”

Related Topics
 
Similar Articles
Relevancy Powered by MondaqAI
Related Articles
 
Up-coming Events Search
Tools
Print
Font Size:
Translation
Channels
Mondaq on Twitter
 
Mondaq Free Registration
Gain access to Mondaq global archive of over 375,000 articles covering 200 countries with a personalised News Alert and automatic login on this device.
Mondaq News Alert (some suggested topics and region)
Select Topics
Registration (please scroll down to set your data preferences)

Mondaq Ltd requires you to register and provide information that personally identifies you, including your content preferences, for three primary purposes (full details of Mondaq’s use of your personal data can be found in our Privacy and Cookies Notice):

  • To allow you to personalize the Mondaq websites you are visiting to show content ("Content") relevant to your interests.
  • To enable features such as password reminder, news alerts, email a colleague, and linking from Mondaq (and its affiliate sites) to your website.
  • To produce demographic feedback for our content providers ("Contributors") who contribute Content for free for your use.

Mondaq hopes that our registered users will support us in maintaining our free to view business model by consenting to our use of your personal data as described below.

Mondaq has a "free to view" business model. Our services are paid for by Contributors in exchange for Mondaq providing them with access to information about who accesses their content. Once personal data is transferred to our Contributors they become a data controller of this personal data. They use it to measure the response that their articles are receiving, as a form of market research. They may also use it to provide Mondaq users with information about their products and services.

Details of each Contributor to which your personal data will be transferred is clearly stated within the Content that you access. For full details of how this Contributor will use your personal data, you should review the Contributor’s own Privacy Notice.

Please indicate your preference below:

Yes, I am happy to support Mondaq in maintaining its free to view business model by agreeing to allow Mondaq to share my personal data with Contributors whose Content I access
No, I do not want Mondaq to share my personal data with Contributors

Also please let us know whether you are happy to receive communications promoting products and services offered by Mondaq:

Yes, I am happy to received promotional communications from Mondaq
No, please do not send me promotional communications from Mondaq
Terms & Conditions

Mondaq.com (the Website) is owned and managed by Mondaq Ltd (Mondaq). Mondaq grants you a non-exclusive, revocable licence to access the Website and associated services, such as the Mondaq News Alerts (Services), subject to and in consideration of your compliance with the following terms and conditions of use (Terms). Your use of the Website and/or Services constitutes your agreement to the Terms. Mondaq may terminate your use of the Website and Services if you are in breach of these Terms or if Mondaq decides to terminate the licence granted hereunder for any reason whatsoever.

Use of www.mondaq.com

To Use Mondaq.com you must be: eighteen (18) years old or over; legally capable of entering into binding contracts; and not in any way prohibited by the applicable law to enter into these Terms in the jurisdiction which you are currently located.

You may use the Website as an unregistered user, however, you are required to register as a user if you wish to read the full text of the Content or to receive the Services.

You may not modify, publish, transmit, transfer or sell, reproduce, create derivative works from, distribute, perform, link, display, or in any way exploit any of the Content, in whole or in part, except as expressly permitted in these Terms or with the prior written consent of Mondaq. You may not use electronic or other means to extract details or information from the Content. Nor shall you extract information about users or Contributors in order to offer them any services or products.

In your use of the Website and/or Services you shall: comply with all applicable laws, regulations, directives and legislations which apply to your Use of the Website and/or Services in whatever country you are physically located including without limitation any and all consumer law, export control laws and regulations; provide to us true, correct and accurate information and promptly inform us in the event that any information that you have provided to us changes or becomes inaccurate; notify Mondaq immediately of any circumstances where you have reason to believe that any Intellectual Property Rights or any other rights of any third party may have been infringed; co-operate with reasonable security or other checks or requests for information made by Mondaq from time to time; and at all times be fully liable for the breach of any of these Terms by a third party using your login details to access the Website and/or Services

however, you shall not: do anything likely to impair, interfere with or damage or cause harm or distress to any persons, or the network; do anything that will infringe any Intellectual Property Rights or other rights of Mondaq or any third party; or use the Website, Services and/or Content otherwise than in accordance with these Terms; use any trade marks or service marks of Mondaq or the Contributors, or do anything which may be seen to take unfair advantage of the reputation and goodwill of Mondaq or the Contributors, or the Website, Services and/or Content.

Mondaq reserves the right, in its sole discretion, to take any action that it deems necessary and appropriate in the event it considers that there is a breach or threatened breach of the Terms.

Mondaq’s Rights and Obligations

Unless otherwise expressly set out to the contrary, nothing in these Terms shall serve to transfer from Mondaq to you, any Intellectual Property Rights owned by and/or licensed to Mondaq and all rights, title and interest in and to such Intellectual Property Rights will remain exclusively with Mondaq and/or its licensors.

Mondaq shall use its reasonable endeavours to make the Website and Services available to you at all times, but we cannot guarantee an uninterrupted and fault free service.

Mondaq reserves the right to make changes to the services and/or the Website or part thereof, from time to time, and we may add, remove, modify and/or vary any elements of features and functionalities of the Website or the services.

Mondaq also reserves the right from time to time to monitor your Use of the Website and/or services.

Disclaimer

The Content is general information only. It is not intended to constitute legal advice or seek to be the complete and comprehensive statement of the law, nor is it intended to address your specific requirements or provide advice on which reliance should be placed. Mondaq and/or its Contributors and other suppliers make no representations about the suitability of the information contained in the Content for any purpose. All Content provided "as is" without warranty of any kind. Mondaq and/or its Contributors and other suppliers hereby exclude and disclaim all representations, warranties or guarantees with regard to the Content, including all implied warranties and conditions of merchantability, fitness for a particular purpose, title and non-infringement. To the maximum extent permitted by law, Mondaq expressly excludes all representations, warranties, obligations, and liabilities arising out of or in connection with all Content. In no event shall Mondaq and/or its respective suppliers be liable for any special, indirect or consequential damages or any damages whatsoever resulting from loss of use, data or profits, whether in an action of contract, negligence or other tortious action, arising out of or in connection with the use of the Content or performance of Mondaq’s Services.

General

Mondaq may alter or amend these Terms by amending them on the Website. By continuing to Use the Services and/or the Website after such amendment, you will be deemed to have accepted any amendment to these Terms.

These Terms shall be governed by and construed in accordance with the laws of England and Wales and you irrevocably submit to the exclusive jurisdiction of the courts of England and Wales to settle any dispute which may arise out of or in connection with these Terms. If you live outside the United Kingdom, English law shall apply only to the extent that English law shall not deprive you of any legal protection accorded in accordance with the law of the place where you are habitually resident ("Local Law"). In the event English law deprives you of any legal protection which is accorded to you under Local Law, then these terms shall be governed by Local Law and any dispute or claim arising out of or in connection with these Terms shall be subject to the non-exclusive jurisdiction of the courts where you are habitually resident.

You may print and keep a copy of these Terms, which form the entire agreement between you and Mondaq and supersede any other communications or advertising in respect of the Service and/or the Website.

No delay in exercising or non-exercise by you and/or Mondaq of any of its rights under or in connection with these Terms shall operate as a waiver or release of each of your or Mondaq’s right. Rather, any such waiver or release must be specifically granted in writing signed by the party granting it.

If any part of these Terms is held unenforceable, that part shall be enforced to the maximum extent permissible so as to give effect to the intent of the parties, and the Terms shall continue in full force and effect.

Mondaq shall not incur any liability to you on account of any loss or damage resulting from any delay or failure to perform all or any part of these Terms if such delay or failure is caused, in whole or in part, by events, occurrences, or causes beyond the control of Mondaq. Such events, occurrences or causes will include, without limitation, acts of God, strikes, lockouts, server and network failure, riots, acts of war, earthquakes, fire and explosions.

By clicking Register you state you have read and agree to our Terms and Conditions