This week the federal government announced proposed legislation to develop an online privacy code (or “OP Code”) setting tougher privacy standards for Facebook, Google, Amazon and many other online platforms.
These companies collect and use vast amounts of consumers’ personal data, much of it without their knowledge or real consent, and the code is intended to guard against privacy harms from these practices.
The higher standards would be backed by increased penalties for interference with privacy under the Privacy Act and greater enforcement powers for the federal privacy commissioner. Serious or repeated breaches of the code could carry penalties of up to A$10 million or 10% of turnover for companies.
However, relevant companies are likely to try to avoid obligations under the OP Code by drawing out the process for drafting and registering the code. They are also likely to try to exclude themselves from the code’s coverage, and argue about the definition of “personal information”.
The current definition of “personal information” under the Privacy Act does not clearly include technical data such as IP addresses and device identifiers. Updating this will be important to ensure the OP Code is effective.
Which organisations would be covered and why?
The code is intended to address some clear online privacy dangers, while we await broader changes from the current broader review of the Privacy Act that would apply across all sectors.
The OP Code would target online platforms that “collect a high volume of personal information or trade in personal information”, including:
- social media networks such as Facebook; dating apps like Bumble; online blogging or forum sites like Reddit; gaming platforms; online messaging and videoconferencing services such as WhatsApp and Zoom
- data brokers that trade in personal information, including Quantium, Acxiom, Experian and Nielsen Corporation
- other large online platforms that collect personal information and have more than 2.5 million annual users in Australia, such as Amazon, Google and Apple.
The OP Code would impose higher standards for these companies than otherwise apply under the Privacy Act.
Higher standards for consent – maybe
The OP Code would set out details about how these organisations must meet obligations under the Privacy Act. This would include higher standards for what constitutes users’ “consent” for how their data are used.
The government’s explanatory paper says the OP Code would require consent to be “voluntary, informed, unambiguous, specific and current”. (Unfortunately, the draft legislation itself doesn’t actually say that, and will require some amendment to achieve this.)
This description draws on the definition of consent in the European Union’s General Data Protection Regulation.
In the EU, for example, “unambiguous” consent means a person must take clear, affirmative action – for instance by ticking a box or clicking a button – to consent to a use of their information.
Consent must also be “specific”, so companies cannot, for example, require consumers to consent to unrelated uses (such as market research) when their data is only needed to process a specific purchase.
Requests to stop using and disclosing personal information
The ACCC recommended we should have a right to erase our personal data as a means of reducing the power imbalance between consumers and large platforms. In the EU, the “right to be forgotten” by search engines and the like is part of this erasure right. The government has not adopted this recommendation.
However, the OP Code would include an obligation for organisations to comply with a consumer’s reasonable request to stop using and disclosing their personal data. Companies would be allowed to charge a “non-excessive” fee for fulfilling these requests. This is a very weak version of the EU right to be forgotten.
Ideally, the code should also allow consumers to ask a company to stop collecting their personal information from third parties, as they currently do, to build profiles on us.
Increased protections for children and vulnerable groups
The draft bill also includes a vague provision for the OP Code to add protections for kids and other vulnerable people who are not capable of making their own privacy decisions.
A more controversial proposal would require new consents and verification for kids using social media services such as Facebook and WhatsApp. These services would be required to:
- take reasonable steps to verify the age of social media users
- obtain parental consent before collecting, using or disclosing personal information of a child under 16
- ensure its data practices are “fair and reasonable in the circumstances”, with the best interests of the child as the primary consideration.
What is ‘personal information’?
A key tactic companies will likely use to avoid the new rules is to claim that the information they use is not truly “personal”, since the OP Code and the Privacy Act only apply to “personal information”, as defined in the Act.
The companies may claim the data they collect is only connected to our individual device or to an online identifier they’ve allocated to us, rather than our legal name. However, the effect is the same. The data is used to build a more detailed profile on an individual and to have effects on that individual.
Australia needs to update the definition of “personal information” to clarify it includes data such as IP addresses, device identifiers, location data, and any other online identifiers that may be used to identify an individual or to interact with them on an individual basis. Data should only be de-identified if no individual is identifiable from that data.
Increased penalties and upgraded enforcement
The government has pledged to give tougher powers to the privacy commissioner, and to hit companies with tougher penalties for breaching their obligations once the code comes into effect.
The maximum civil penalty for a serious and/or repeated interference with privacy will be increased up to the equivalent penalties in the Australian Consumer Law.
For individuals, the maximum penalty will increase to more than A$500,000. For corporations, the maximum will be the greater of A$10 million, or three times the value of the benefit received from the breach, or (if this value cannot be determined) 10% of the company’s annual turnover.
The privacy commissioner could also issue infringement notices for failing to provide relevant information to an investigation. The maximum penalty will be A$2,644 for individuals or A$13,320 for companies.
Such civil penalty provisions will make it unnecessary for the Commissioner to resort to prosecution of a criminal offence, or to civil litigation, in these cases.
Don’t hold your breath
Once legislation is passed, it will take around 12 months for the code to be developed and registered.
The tech giants will have plenty of opportunity to create delay in this process. Companies are likely to challenge the content of the code, and whether they should even be covered by it at all.