Add Australia to the list of countries cracking down on tech giants in light of rising concerns over data privacy. The Australian Competition and Consumer Commission (ACCC) has released its Digital Platforms Inquiry, a 619-page report on the ACCC’s 18-month study of the problems associated with the dominance of Facebook and Google as the preeminent “gateways for businesses seeking to reach Australian consumers.” The ACCC report contains 23 recommendations for Australian businesses, consumers, and regulators on how to protect the interest of Australians when sharing sensitive information to access services like Facebook and Google.
Since the report’s initial release, all eyes have been on Australia, with many suspecting that we’ll soon see a “GDPR with sharper teeth.” In other words, we’ll see the same privacy-protecting regulation that came out of Europe’s GDPR, but with heavier fines and penalties for non-compliance. The first of this set of regulations, a “right to delete” modeled after GDPR’s “right to be forgotten,” is currently in the Senate waiting for a vote.
In March 2019, the federal government announced plans to increase the penalties associated with the Privacy Act. Australia’s Privacy Act was introduced in 1988 to regulate the way public and private organizations collect and use personal information. The proposed changes build on the work of the Online Safety Charter and Online Safety Research program and the Consumer Data Right (CDR). Proposed changes to the Privacy Act include:
- Updating the definition of “personal information” to include all of the technical and web data that relates to people and requiring explicit notification and consent for the collection of personal data.
- Enabling Australians to request that online platforms stop the use or disclosure of their data.
- Raising the maximum penalty for repeat or serious offenders from AU$2.1 million to the largest of the following sums:
  - AU$10 million
  - Three times the value of any benefit obtained through the misuse of information
  - 10% of a company’s annual Australian turnover (revenue)
- Tasking the Office of the Australian Information Commissioner (OAIC) with issuing new penalties of up to AU$63,000 for corporate bodies and AU$12,600 for individuals, publishing public notice of breaches, and ensuring that breaches receive third-party reviews.
- Developing a Privacy Code of Practice to provide guidance on how companies should disclose their data practices.
A poll of Australian voters conducted by The Guardian earlier this month found broad support for greater oversight of large tech platforms. 80% express concerns about how Facebook and Google collect personal information, and 75% believe social networks need additional regulation.
Other recommendations in the report include greater transparency in online advertising markets, better policing of anti-competitive conduct, and making efforts to improve digital literacy in schools and the greater community. If adopted, the changes proposed by ACCC could be viewed as Australia’s version of the GDPR requirements enacted in Europe. GDPR governs data privacy and is famous for introducing “the right to be forgotten” as a cornerstone of effective regulations on data.
What this all means
The government will need time to assess the ACCC’s recommendations but has signaled its support for the creation of a special branch of the ACCC to oversee the use of algorithms designed to match users with advertisements. As explained by Attorney-General Christian Porter,
“This penalty and enforcement regime will be backed by legislative amendments which will result in a code for social media and online platforms which trade in personal information. The code will require these companies to be more transparent about any data sharing and requiring more specific consent of users when they collect, use and disclose personal information.”
Companies have started to recognize privacy and consent as the new normal—asking forgiveness instead of permission when data breaches reveal the misuse of customers’ personal information will no longer fly. Fortunately, Australian businesses and regulators will be able to use the adoption of GDPR in Europe as a model for implementation. Much has been written about the difficulty in bringing legacy systems for data management into compliance with GDPR by the prescribed deadlines.
In reflecting on the implementation of GDPR, an article from the legal blog of Hunton Andrews Kurth offers guidance to both businesses and regulators. Companies faced difficulty understanding their obligations with regard to emerging technologies, like artificial intelligence and machine learning, and how to deal with different customers in different jurisdictions covered by GDPR. Raising awareness around privacy and incorporating it into company culture has also been an important concern. Security procedures don’t mean much if employees commonly ignore them in favor of simple conveniences.
Consideration also needs to be given to ensuring that businesses with large numbers of employees and/or customers get the time and flexibility needed to bring their systems into compliance. Regulators should prepare for a flood of complaints as consumers take advantage of their newfound power to hold companies accountable for misused data. Between the recommendations from the ACCC and reflections on the implementation of GDPR, Australian regulators should be able to develop a plan that suits the unique needs of Australians.