Did you know that each month, approximately 19.2 million Australians use Google Search, 17.3 million access Facebook,17.6 million watch YouTube (which is owned by Google) and 11.2 million access Instagram (which is owned by Facebook)? The widespread and regular use of both Facebook and Google, amongst other digital platforms, means that these businesses sit in a unique position with the collection of user data critical to their offering.
What does the rise of digital platforms mean for consumers and businesses using them? What do they mean for data collection, use and privacy?
These questions have been considered and answered by the Australian Competition and Consumer Commission (ACCC
) in its Digital Platforms Inquiry Report. The final Report, published in June 2019, has been two years in the making and outlines 23 recommendations that respond to the substantial market power that has arisen through the growth of digital platforms. The ACCC’s view is the majority of consumers and most likely, business owners, would not fully understand what and how much data is collected, nor what they are signing up for when they do interact on these digital platforms.
Recommendations relating to Privacy
The ACCC is of the view that there is a substantial disconnect between how consumers think their data should be treated and how it is actually treated by digital platforms. To address these concerns, the Report has made a number of recommendations targeted at data privacy and amendments to the current privacy laws. These include:
- Updating the definition of “personal information” to include technical data and online identifiers such as IP addresses, device identifiers, location data, and any other online identifiers that may be used to identify an individual (similar to the EU General Data Protection Regulation (GDPR) definition).
- Requiring entities to erase the personal information of a consumer without undue delay upon request by the consumer.
- Introducing direct rights for individuals to bring actions or class actions before the courts to seek compensation for an interference with their privacy under the Privacy Act.
- Increasing the penalties for an interference with privacy under the Privacy Act 1988 (Cth) to mirror the increased penalties for breaches of the Australian Consumer Law (that is, increasing the penalties for serious or repeated breaches to whichever is the greater of: AU$10 million, three times the value of any benefit obtained through the misuse of information, or 10 per cent of a company’s annual domestic turnover.)
Specific to digital platforms, the ACCC has recommended the introduction of an enforceable Privacy Code of Practice, to be developed by the Office of the Australian Information Commissioner.
In its Report, the ACCC has also recommended introducing a statutory cause of action for serious invasions of privacy (as recommended by the Australian Law Reform Commission). This cause of action would provide protection for individuals against serious invasions of privacy that may not be captured within the scope of the Privacy Act.
How will this effect businesses advertising or collecting data digitally?
The ACCC is clearly following a global trend of strengthening privacy regulations – as we have seen in Europe (via the GDPR), certain states in the United States (including California) and Japan.
If enacted, the ACCC recommendations would apply to all businesses collecting data digitally, not just digital platforms (other than the specific digital platforms Privacy Code of Practice).
This means that all businesses will need to reassess and review what information they collect (to include technical data and online identifiers), how they notify their consumers of the collections, how their consumers consent to the collection and the procedures relating to data destruction. It is important for businesses to ensure they have the basics set up at the start, providing a solid foundation to then review the process for capturing data, how it is stored and secured, and how data breaches or grievances are managed.
If you are a business that collects data digitally, now is the time to audit your notification and consent procedures in respect of the collection, use and disclosure of personal information. Consider how often and at what points you deal with personal information, and at what points you would need to notify your consumers, or obtain their consent, in respect of the use of their personal information.