Australian federal privacy reform update

Concern in Australia about the power of the major digital media platforms has acted as a catalyst for a full review of Australian privacy law. The 2019 Australian Competition and Consumer Commission's (ACCC) Digital Platforms Inquiry (Inquiry), while focussed on the effect of digital platforms and content aggregation services on competition in media and advertising industries in Australia, also reviewed and assessed related privacy practices. This has prompted the Federal Government to undertake a specific review of Australia's privacy laws, with a view to bringing them into the digital era, strengthening privacy protections for individuals and streamlining compliance for businesses working across international borders.

Privacy, search, social media and online advertising

It is no accident that privacy became an issue in the Digital Platforms Inquiry. Personal information is an essential part of the business models of Google and Facebook (and others). In order to provide "free" services to end users, such as search or social media platforms, they sell digital display advertising using sophisticated ad-serving technologies. Online advertising pairs user behaviours with user information, which can include "personal information" as defined under the Privacy Act 1988 (Cth), including a person's name, address, gender, age, political and religious affiliations, sexual orientation, types of meta data and more.

The most valuable online advertising is that which is targeted directly to individual users, based on their personal information. The success of a targeted advertising campaign is measured and priced based on trackable "engagement", "conversions" or "acquisitions", with the ultimate goal being customers completing a paid transaction once they have clicked on an advertisement. Access and control over personal information and related data analytics, used for monetisation, in a context where transparency and accountability may be lacking, underpinned the ACCC's recommendation for privacy reform.

Privacy review

The current review of the Privacy Act considers basic issues such as what constitutes "personal information" - one proposal being to broaden the definition to include technical information such as IP address, location data, device identifiers and other online identifiers. Other issues include whether "personal information" should expressly include "inferred information" - that being, information that can be inferred from other data held by an entity; and, higher standards for what constitutes de-identified, anonymised and pseudonymised information.

Other significant issues being considered by the review include:

• whether individuals should have direct rights of action to enforce privacy obligations under the Privacy Act, which they currently do not have,
• whether a statutory tort for serious invasions of privacy should be introduced into Australian law, which currently does not exist at common law,
• the impact and effectiveness of the current mandatory notifiable data breach scheme,
• the effectiveness of current enforcement powers and how they interact with other Commonwealth regulatory frameworks; and
• the utility of a self-certification scheme for organisations to monitor and demonstrate compliance.

Increased penalties

The Government has already committed to a strengthening of the protections and penalties for misuse of personal information, announcing it will introduce the following changes:

• Increase penalties for all entities covered by the Act, which includes social media and online platforms operating in Australia. This increases the current maximum penalty of $2.1 million for serious or repeated breaches to $10 million, three times the value of any benefit obtained through the misuse of information or 10 per cent of a company's annual domestic turnover – whichever is the greater.
• Provide the Office of the Australian Information Commissioner (OAIC) with new infringement notice powers backed by new penalties of up to $63,000 for bodies corporate and $12,600 for individuals for failure to cooperate with efforts to resolve minor breaches.
• Expand other options available to the OAIC to ensure breaches are addressed through third-party reviews, and/or publish prominent notices about specific breaches and ensure those directly affected are advised.
• Require social media and online platforms to stop using or disclosing an individual's personal information upon request.
• Introduce specific rules to protect the personal information of children and other vulnerable groups.

Given the inevitable strengthening of privacy laws and the penalties for non-compliance, it is more important than ever that Australian enterprises covered by the Privacy Act take steps to ensure they are operating in compliance with the law.