Widespread changes to privacy laws set to follow ACCC Digital Platforms Inquiry final report

04 March 2020

In response to a wide-reaching report on the operation of digital platforms in Australia (including a review and numerous recommendations for changes to Australia’s privacy laws) by the Australian Competition and Consumer Commission (ACCC) last year, the Australian Government has accepted the need for reform.

It has announced that it will consider a number of significant changes to Australia’s privacy laws, subject to further consultation and review. This article provides a high level summary of the key proposed changes and timelines that are being considered by the Australian Government.

Background

On 12 December 2019, the Australian Government released its response to the ACCC’s final report for the Digital Platforms Inquiry (DPI Final Report).

The DPI was a broad-reaching inquiry into the impact of digital platforms – including search engines, social media and digital content aggregation platforms such as Google and Facebook – on competition in media and advertising services markets, undertaken by the ACCC in 2018-19.

The DPI Final Report made a number of recommendations across a breadth of policy areas, with some of the most significant aspects relating to changes to Australia’s privacy laws and strengthening consumer protection. These recommendations were largely economy-wide (with only one recommendation limited to digital platforms).

The Australian Government’s response

The Australian Government has accepted the need for reform and largely supports the ACCC’s recommendations, including in relation to reforms of Australia’s privacy and data regulations. However, it is considering which recommendations it will actually implement, by when and to what extent.

Relevantly, in relation to privacy law reform, it is clear from the Government’s response that Australia’s privacy landscape is set to significantly change over the coming years, subject to further consideration and consultation.

Specifically, the Australian Government has stated that it will look to strengthen consumer protection under Australia’s Privacy Act 1988 (Cth) (Privacy Act) by:

Increasing penalties. Increasing the penalties for breaches of the Privacy Act to the greater of (i) $10 million AUD, (ii) three times the value of the benefit obtained through the misuse of information or (iii) 10% of the company’s annual turnover.
Definition of personal information. Amending the definition of personal information to capture technical data and other online identifiers (e.g. IP addresses, device identifiers, location data and any other online identifiers).
Strengthening existing notice and consent requirements. For example, by requiring collection notices to be concise, transparent, intelligible and easily accessible, written in clear and plain language, and provided free of charge.
Introducing direct right of action. Providing individuals with a direct right to bring actions to seek compensation for interferences with their privacy.
Binding code. Developing a binding privacy code applicable to social media and other online platforms trading in personal information.

The Government has indicated that consultation and the subsequent introduction of draft legislation to Parliament to address the above reforms will occur in 2020.

The Government has also stated that it will undertake a comprehensive review of the Privacy Act in 2020, to be completed by 2021, which the Government has flagged will include consideration of the introduction of the right of erasure of personal information and a statutory tort for serious invasions of privacy.

Summary of key changes

Increased penalties for breaches of the Privacy Act

Currently, the maximum penalty for serious or repeated breaches of the Australian Privacy Act is A$2.1 million. In March 2019, the Australian Government noted that this existing penalty ‘fall[s] short of community expectations, particularly as a result of the explosion in major social media and online platforms that trade in personal information’.[1]

Therefore, the Government has proposed to develop draft legislation to increase the maximum penalties for serious or repeated breached of the Privacy Act to the greater of:

$10 million AUD;
three times the value of the benefit obtained through the misuse of information; or
10% of the company’s annual turnover.[2]

The Government expects that the draft legislation will be released for public consultation and introduced to Parliament in 2020.

Definition of personal information

The Australian Government has committed to amending the definition of ‘personal information’ in the Privacy Act to capture technical data and other online identifiers.

The Privacy Act currently defines personal information as ‘information or an opinion, whether true or not, and whether recorded in a material form or not, about an identified individual, or an individual who is reasonably identifiable’.[3]

In its DPI Final Report, the ACCC noted that in Australia there is significant legal uncertainty as to whether ‘personal information’ includes metadata such as IP addresses or other technical data. In light of ‘the volume of technical data relating to identifiable individuals that is collected, used and shared in digital markets’, the ACCC recommended that the definition of ‘personal information’ be amended to capture technical information such as IP addresses, device identifiers, location data and any other online identifiers that relate to an identified individual.[4] This amendment would reflect the wording used in the GDPR and would further align Australia with international standards.

Notice and consent requirements

The Australian Privacy Act currently requires entities to take ‘reasonable steps’ to notify individuals in relation to the collection of personal information.

The Australian Government has committed to further consultation in relation to strengthening existing notice and consent requirements under the Privacy Act to ensure entities meet best practice standards,[5] including by requiring entities to:

provide ‘a notice of the information collected that is concise, transparent, intelligible and easily accessible, written in clear and plain language, and provided free of charge’ that is ‘written at a level that can be readily understood by the minimum age of the child whose personal information is to be collected’;[6] and
obtain consent whenever a ‘consumer’s personal information is collected, used or disclosed’ (unless certain exceptions apply, for example where the personal information is necessary for the performance of a contract to which the consumer is a party, or is required by law).[7]

Direct right of action

The Australian Government has also indicated that it will engage in further consultation in relation to introducing a direct right of action for individuals to bring actions in court to seek compensation for interferences with their privacy under the Privacy Act.[8]

Limited avenues of redress are currently available to individuals for interferences with their privacy. In particular, individuals may only seek an injunction for breach of the Privacy Act or lodge a complaint with Australia’s privacy regulator, the Office of the Information Commissioner (OAIC). Therefore, the ACCC recommended giving ‘individuals a direct right to bring actions and class actions against APP entities to seek compensation for an interference with their privacy’. This would further align Australian privacy law with international standards, including the UK, New Zealand, and the EU.[9]

Binding privacy code

Finally, the Australian Government (as previously stated in March 2019) will also amend the Privacy Act to require the OAIC to develop an enforceable Privacy Code of Practice that applies to digital platforms.

The code will provide specific rules protecting the personal information of children and vulnerable groups, and require entities to, among other things, be more transparent about data sharing, meet best practice consent requirements when collecting, using and disclosing personal information, and stop using or disclosing personal information upon request.

The Government expects that the legislation will be introduced and the code developed in 2020.[10]

Comprehensive Privacy Act review

More generally, the Australian Government has stated it will undertake a comprehensive review of the Privacy Act, including considering whether to introduce a right of erasure for consumers, throughout 2020-21.

In summary, the Government’s response indicates that Australia’s privacy landscape is set to significantly change over the coming years. However, it appears that there will be significant opportunity for stakeholders to engage with the Government and regulators on the substance and form of these changes.

^[1]^{Joint Media Release, Senator Mitch Fifield and Christian Porter, ‘Tougher Penalties to Keep Australians Safe Online’ (25 March 2019).}
^{[2] Ibid.}
^{[3] Privacy Act 1988 (Cth) s 6 (definition of ‘personal information’); Australian Competition and Consumer Commission, ‘Digital Platforms Inquiry Final Report’ (July 2019), page 458, see}^here^.
^{[4] Australian Competition and Consumer Commission, above n 4, pages 458 – 459.}
^{[5] Commonwealth of Australia, above n 3.}
^{[6] Australian Competition and Consumer Commission, above n 4, page 461.}
^{[7] Australian Competition and Consumer Commission, above n 4, page 464.}
^{[8] Commonwealth of Australia, above n 3.}
^{[9] Australian Competition and Consumer Commission, above n 4, pages 473 - 474.}
^{[10] Commonwealth of Australia, above n 3.}