Australia’s privacy law reforms will challenge regional & global businesses

The proposals continue the general trend of Australian governments of finding a distinctly Australian way in data regulation, picking up elements from various recent data protection statutes of other countries, and adding Australian innovations. If implemented as currently proposed, these reforms would require fundamental changes in processes and practices of collection, use and disclosure of personal information across all business sectors.

Even before these reforms have been fully developed and implemented, the Office of the Australian Information Commissioner (which includes the Privacy Commissioner) has been given extensive new enforcement powers and funding for investigations and enforcement actions. Penalties for breaches of the Privacy Act were substantially increased in late 2022. The coverage of the Privacy Act has been more clearly stated to cover acts and practices by entities operating outside Australia but collecting and using personal information about individuals within Australia. Regulated entities should expect to see this better-resourced Privacy Commissioner becoming more active in the enforcement of the Privacy Act in its current form, as well as ready to enforce the Act when expanded as currently proposed.

Targeting targeted advertising

The most far-reaching and distinctive proposals relate to the proposed regulation of consumer targeting and profiling. These proposals would require all businesses engaged in online and offline audience segmentation-based marketing - and not only businesses conducting online targeted (fully personalized) advertising – to provide consumers with a high level of transparency and readily understandable explanation of the business’s audience segmentation practices, and to offer consumers an easy way to opt-out from such marketing. Many organizations would need to extensively reengineer their customer management systems and databases, and redesign their marketing practices, to comply with these new requirements.

The proposed requirements for transparency and explanation of the business’s segmented marketing and personalization practices will create particular challenges in the Australian regulatory environment. The Australian Competition and Consumer Commission (ACCC) already vigorously enforces its consumer protection powers in relation to any gap between an organization’s statements as to its business practices and the organization’s practices in-market. The ACCC has used Australian Consumer Law as a tool to court-imposed substantial penalties for misleading algorithmic practices – ie ACCC v Trivago, where some accommodation providers were paying to be promoted in rank order of presentation of available rooms) and incomplete privacy disclosures – ie ACCC v Google (No.2), where Google was found to have (apparently inadvertently) made inadequate disclosures as to continuing uses of geolocation data after users had opted out from permissions for uses of geolocation data. If the Privacy Act is amended to require much more detailed transparency and explanation of the use of personal information in segmented marketing practices, there will be a substantially increased risk of contravention of Australian Consumer Law by organizations found to have inadequate or incomplete privacy disclosures. Organizations should start to think now about how they should reformulate consumer data and privacy-related disclosures, and take active steps to maintain congruence between these disclosures and their marketing practices as changing over time.

Fair and reasonable use of personal data

The proposed reforms generally avoid imposing additional responsibilities upon data subjects to understand privacy settings affecting them and guard their own privacy. Although the proposals include measures to improve practices around seeking and obtaining privacy consents, including disincentivizing use by service providers of ‘dark patterns’ and other gaming of consumer choice architecture, it is not currently proposed to substantially expand the range of acts and practices in relation to which prior consent of affected individuals (data subjects) must be obtained. The proposals also include a new, overarching (unable to be contracted out of) obligation for APP entities to be fair and reasonable in their practices of collection, handling and disclosure of personal information. In this regard, the Australian proposals are a significant pivot away from EU GDPR focus upon prior ‘unambiguous express consent’ of data subjects, and towards imposing concrete legal requirements of responsibility and accountability of APP entities.

Other proposals include restrictions and requirements around handling of deidentified information which potentially could be used to assist reidentification of relevant individuals. This leads to difficult questions of evaluation of reidentification risk and safeguards and controls to mitigate those risks, and how Australian regulation should be designed to provide appropriate incentives for regulated entities to adopt emerging (and rapidly evolving) international best practice in use of privacy-enhancing technologies such as effective anonymization environments (safeguarded and controlled clean rooms) and attribute-based marketing without individuals becoming reasonably identifiable. Regulation in these areas needs to be carefully designed to ensure that regulated entities have appropriate incentives to deidentify information and use only deidentified information wherever practicable.

Protecting children and the vulnerable

The proposals also include further restrictions as to collection and use of information relating to children and vulnerable persons, such as users likely to suffer financial hardship of they were to take up a particular offer. These restrictions will create particular challenges for many regulated entities conducting business online, as they would effectively require entities to take active steps to verify attributes of users in order to exclude out users that are likely to be children or vulnerable persons. These proposals reflect Australia’s continuing focus on the protection of vulnerable consumers and online safety, as already demonstrated by the imposition of many e-safety mandatory codes of practice by the active Office of the eSafety Commissioner.

The proposals include new powers for the Privacy Commissioner to determine mandatory codes of practice. This proposal reflects the trend of Australian federal statutes to confer broad discretions on regulators to determine codes of practice that are legally binding and that substantially extend the legal obligations of regulated entities beyond those imposed by the statute itself. This trend would be less problematic if the regulator’s powers were qualified and structured as to procedural requirements for consultations to better reflect international best practice in conferral of such powerful discretions upon regulators. Unreasonable expectations of Australian policymakers, both as to the scope of coverage and time for the industry to find consensus and develop industry codes, are a real problem for Australian businesses in many sectors.

Not a GDPR mini-me

In summary, the key Australian data privacy statute, and its regulatory enforcement, are likely to look fundamentally different within the next 12 to 24 months. The shape of many of the proposed changes is becoming reasonably clear. Many entities that are not regulated today by the Australian Privacy Act, including entities operating offshore but knowingly collecting personal information about individuals within Australia, will come within coverage.

Australia will not become a mini-me GDPR jurisdiction: the revised Australian Privacy Act is likely to have quite distinct features. This creates challenges for businesses conducting business across the Asia Pacific region, or globally, as data privacy affecting processes and practices will need to accommodate distinct features of the revised Australian law. Given lead times in changing data architectures and data-driven business processes, many businesses should now start to consider how they will adapt their processes and practices to be ready for these changes.

Peter Leonard is principal of Data Synergies and a professor of practice at UNSW Business School. He chairs the Australian Data and Insights Association’s Privacy Compliance Committee. To read more from The Drum’s latest Deep Dive, where we’ll be demystifying data & privacy for marketers in 2023, head over to our special hub.