Australia proposes ‘GDPR with sharper teeth’

Add Australia to the list of countries cracking down on tech giants in light of rising concerns over data privacy. The Australian Competition and Consumer Commission (ACCC) has released its Digital Platforms Inquiry, a 619-page report on the ACCC’s 18-month study of the problems associated with the dominance of Facebook and Google as the preeminent “gateways for businesses seeking to reach Australian consumers.” The ACCC report contains 23 recommendations for Australian businesses, consumers, and regulators on how to protect the interest of Australians when sharing sensitive information to access services like Facebook and Google.

Since the report’s initial release, all eyes have been on Australia, with many suspecting that we’ll soon see a “GDPR with sharper teeth.” In other words, we’ll see the same privacy-protecting regulation that came out of Europe’s GDPR, but with heavier fines and penalties for non-compliance. The first of these regulations, a “right to delete” modeled after GDPR’s “right to be forgotten,” is currently in the Senate awaiting a vote.

Proposed Changes

In March 2019, the federal government announced plans to increase the penalties associated with the Privacy Act. Australia’s Privacy Act was introduced in 1988 to regulate the way public and private organizations collect and use personal information. The proposed changes build on the work of the Online Safety Charter and Online Safety Research program and the Consumer Data Right (CDR). Proposed changes to the Privacy Act include:

  • Updating the definition of “personal information” to include all of the technical and web data that relates to people and requiring explicit notification and consent for the collection of personal data.
  • Enabling Australians to request that online platforms stop the use or disclosure of their data.
  • Raising the maximum penalty for repeat or serious offenders from AU$2.1 million to the largest of the following sums:
    • AU$10 million
    • Three times the value of any benefit obtained through the misuse of information
    • 10% of a company’s annual Australian turnover (revenue)
  • Tasking the Office of the Australian Information Commissioner (OAIC) with issuing new penalties of up to AU$63,000 for corporate bodies and AU$12,600 for individuals, publishing public notice of breaches, and ensuring that breaches receive third-party reviews.
  • Developing a Privacy Code of Practice to provide guidance on how companies should disclose their data practices.

80% of Australian voters express concerns over how sites like Facebook and Google collect and use personal information

-The Guardian Essential Poll (Aug 2019)

A poll of Australian voters conducted by The Guardian earlier this month found broad support for greater oversight of large tech platforms. 80% express concerns about how Facebook and Google collect personal information, and 75% believe social networks need additional regulation.

Other recommendations in the report include greater transparency in online advertising markets, better policing of anti-competitive conduct, and making efforts to improve digital literacy in schools and the greater community. If adopted, the changes proposed by ACCC could be viewed as Australia’s version of the GDPR requirements enacted in Europe. GDPR governs data privacy and is famous for introducing “the right to be forgotten” as a cornerstone of effective regulations on data.

What this all means

The government will need time to assess the ACCC’s recommendations but has signaled its support for the creation of a special branch of the ACCC to oversee the use of algorithms designed to match users with advertisements. As explained by Attorney-General Christian Porter,

“This penalty and enforcement regime will be backed by legislative amendments which will result in a code for social media and online platforms which trade in personal information. The code will require these companies to be more transparent about any data sharing and requiring more specific consent of users when they collect, use and disclose personal information.”

Companies have started to recognize privacy and consent as the new normal—asking forgiveness instead of permission when data breaches reveal the misuse of customers’ personal information will no longer fly. Fortunately, Australian businesses and regulators will be able to use the adoption of GDPR in Europe as a model for implementation. Much has been written about the difficulty in bringing legacy systems for data management into compliance with GDPR by the prescribed deadlines.

75% of Australians support having a specialist body oversee the operations of Facebook and Google

-The Guardian’s Essential Poll (Aug 2019)

In reflecting on the implementation of GDPR, an article from the legal blog of Hunton Andrews Kurth offers guidance to both businesses and regulators. Companies faced difficulty understanding their obligations with regard to emerging technologies, like artificial intelligence and machine learning, and how to deal with different customers in different jurisdictions covered by GDPR. Raising awareness around privacy and incorporating it into company culture has also been an important concern. Security procedures don’t mean much if employees commonly ignore them in favor of simple conveniences.

Care must also be taken to ensure that businesses with large numbers of employees and/or customers get the time and flexibility needed to bring their systems into compliance. Regulators should prepare for a flood of complaints as consumers take advantage of their newfound power to hold companies accountable for misused data. Between the recommendations from the ACCC and reflections on the implementation of GDPR, Australian regulators should be able to develop a plan that suits the unique needs of Australians.

According to the ACCC report, 19.2 million Australians (78% of the population) use Google and 17.3 million (70%) use Facebook on a monthly basis. As the report points out, “The ubiquity of digital platforms in the daily lives of consumers means that many are obliged to join or use these platforms and accept their non-negotiable terms of use in order to receive communications and remain involved in community life.” The obvious need to engage with platforms like Facebook and Google, combined with ongoing revelations about the lack of data privacy and the consequences of fake news associated with such sites, will inevitably lead to big changes in the way we think about the use of personal information on the internet.