Australia's Data Protection Overhaul - What You Need to Know

Introduction

Our digital footprint expands daily and understanding privacy and data protection laws in Australia is more crucial than ever. Personal data rights have been in the spotlight lately and Australia is due to see a much-needed update of privacy and data protection laws, influenced by findings from the Australian Competition & Consumer Commission’s (ACCC) investigations into how digital platforms and ads work. Most of our clients (and any Australian organisation managing personal information) will be affected in one way or another, so we reviewed the findings from the inquiries so far and have put some words together to summarise how the law might change and what it means for organisations working with digital products, platforms and services.

Current Inquiries, Investigations, and Their Impact on Privacy and Data

The Digital Platforms Inquiry Report:

The Digital Platforms Inquiry Report was unveiled on 26 July 2019. This extensive investigation revealed a stark truth: the rapid pace of technological advancement has outpaced our existing legal framework. A few of the findings and recommendations include:

The report recognised the need for comprehensive reforms to mitigate the extensive influence of major digital platforms, particularly Google and Facebook, on Australia’s economy, media, and society.
New products like voice assistants are collecting more consumer data, raising concerns about unintended information disclosure and reduced privacy.
Proposals include updating competition laws, establishing a dedicated ACCC branch for digital platforms, scrutinising digital advertising markets, and reforming media regulations for a more balanced digital environment.
The report also advocates for a code of conduct to govern relationships between digital platforms and news media, alongside initiatives to support journalism and combat disinformation.

Significant amendments to privacy laws were recommended (the last major update to the Privacy Act was in 2014), alongside enhancements in consumer protections and the introduction of more effective dispute resolution mechanisms for digital platform users. One of the recommendations was to undertake a separate inquiry into the competition in ad tech and online advertising services.

Privacy Act Review by the Office of the Australian Information Commissioner (OAIC)

Alongside the inquiries, the OAIC has been reviewing the Privacy Act to make sure it gives more power to consumers to protect their data. They came up with 116 suggestions, but no new Privacy Law proposal has been put before Parliament yet. Parts of a new Online Privacy Bill did become law in 2022, with more to come. These updates include:

Maximum civil penalties for serious privacy breaches increased to the greater of AU$50 million, three times the benefit obtained from the breach, or 30% of the entity’s adjusted turnover.

Greater enforcement and information sharing powers for the Australian Information Commissioner
Enhanced information sharing powers for the Australian Communications and Media Authority
The threshold for foreign organisations to be covered by the Privacy Act was lowered
Aligning Australian privacy law more closely with international standards, like the EU’s General Data Protection Regulation (GDPR).

Quick note about the Privacy Act 1988

When collecting personal data, it is important to be aware of the requirements of the Privacy Act 1988 (Cth) and the 13 Australian Privacy Principles or APPs. These rules apply to businesses making more than $3 million a year or those dealing with personal info. You need to have a clear Privacy Policy, only collect data you really need, and tell people upfront with a Collection Statement about how you’ll use and share their info.

The Digital Advertising Services Inquiry (Ad Tech Inquiry)

Initiated in March 2020, this inquiry delved into ad tech and ad agency services. By September 2021, it crystallised into a report. The key findings were:

Google was found to have significant market power in the ad tech supply chain, involved in over 90% of ad impressions traded.
Google was reported to favour its own services, limiting competition by, for instance, blocking rival ad tech services from accessing ad opportunities on YouTube.
The lack of competition was estimated to lead to high ad tech fees, with ad tech providers retaining at least 27% of advertiser spend in Australia in 2020. This could potentially increase costs for advertisers and publishers and affect the quality or quantity of online content.
The current competition laws were deemed insufficient to address the issues identified, with a call for the development of specific rules to manage conflicts of interest, prevent anti-competitive self-preferencing, and allow competition on merit.

The findings all point towards a need for regulatory reform to promote fair competition and transparency in the digital advertising market.

The Digital Platforms Services Inquiry 2020-2025

The ACCC’s Digital Platforms Services Inquiry is an extensive examination of the digital platform services sector in Australia. It’s still ongoing with the final report slated for release in 2025. Some points from the interim reports include:

Big platforms like Facebook are ahead because they have lots of users, which brings even more users.
There’s a lot of concern about how companies share our data with others and track what we do online. The ACCC wants clearer terms of service and better explanations about things like cookies and tracking.
Google and Facebook are still the top dogs in social media and search engines, but people are starting to look for options that care more about privacy.
Tracking and scams on the rise – With more people using online services, there’s more tracking and scamming going on. People don’t always get how their information is used after they give permission, which is sparking calls for changes to give people more choice and knowledge.

These findings point to significant concerns about market concentration, consumer data privacy, and the adequacy of current regulatory frameworks.

Implications from the inquiries so far

It’s clear that these ACCC inquiries are set to considerably transform Australia’s digital marketplace. They advocate for the creation of new regulatory frameworks that ensure fair competition and robust protection of user privacy. These developments are likely to push most businesses to recalibrate their data practices, fostering a shift towards a “privacy-first approach” and transparent data usage. For direct marketing, this means a potential overhaul of strategies to align with these privacy-first imperatives. Marketers will need to place greater emphasis on obtaining explicit consent, providing clear opt-out mechanisms, and ensuring the use of personal information is transparent and responsible. The shift indicated by these developments will likely empower consumers with more control and understanding of how and where their data is used, and will hopefully pave the way for a marketplace that values ethical data practices and respects consumer privacy as a priority.

Suggestions for compliance and best practices

We suggest embracing a forward-thinking approach to data governance. Privacy by Design is a key strategy in this respect—it means considering privacy at the outset of any new project or business initiative and integrating it into the design of new products and services from the ground up. This approach ensures that privacy is not an afterthought but a foundational principle, providing a clear signal to consumers that their data protection is a core value of your business.

Keeping privacy policies transparent and reflective of the latest legislative developments is also vital in maintaining consumer trust. Staying informed about potential changes, like those expected from the Privacy Act review, will allow your organisation to adapt quickly and remain compliant. Systematic data audits and a company culture that prizes data ethics will not only align with regulatory expectations but distinguish your brand as a trusted leader in privacy and data protection.

"Data security has transformed from being a specialised IT concern to a central, shared responsibility across an organisation. Data breaches aren't merely technical issues; they impact the whole business, from brand reputation to customer trust. This shift underlines the importance of integrating ethical data practices into every aspect of operations and decision-making processes." Simon Krambousanos Director of Design

A bit of historical context – OAIC vs Facebook (March 2020)

A large part of the reason these inquiries have taken place and the need for privacy laws to be reviewed is the case between the Office of the Australian Information Commissioner (OAIC) and Facebook in March 2020. It was a landmark moment in data privacy enforcement. The OAIC accused Facebook of compromising the personal data of approximately 311,127 Australians by sharing it with Cambridge Analytica via a third-party app, without users’ informed consent. This incident not only raised concerns about the privacy of online data but also about the potential for such data to be used in influencing democratic processes, considering the political consulting work of Cambridge Analytica.

The lawsuit underscored the necessity for stronger data protection laws and brought much needed attention to the responsibilities of digital platforms in safeguarding user information. It served as a catalyst for ongoing legislative reviews, pushing for more rigorous protections of personal information in the digital ecosystem.

Lessons from the ACCC & OAIC

The Australian Competition & Consumer Commission (ACCC) and the Office of the Australian Information Commissioner (OAIC) have taken a firmer stance on privacy and data management, focusing on the accuracy and clarity of the information that businesses provide to consumers. They’ve highlighted how deceptive narratives or misleading statements within privacy policies not only breach trust but can also lead to legal consequences. The expectation is that privacy disclosures should be made in plain language, readily accessible, and should not require consumers to navigate through convoluted jargon to understand how their data is used.

For the advertising industry and related agencies, the message is clear – transparency is non-negotiable. The way data is handled, from collection to potential sharing with third parties, must be communicated in a way that is easily understandable to the end-user. If advertising agencies are complicit in opaque data practices or fail to uphold these principles, they could also be held accountable. As businesses adapt, prioritising clear and ethical data practices is essential to ensure future compliance and to reinforce trust.

The Price of Personalisation

The concept of personalisation has emerged as a bit of a double-edged sword. While it promises to enhance user experiences, it also raises concerns about privacy and the ethical boundaries in data usage. Striking a balance is crucial. Different sectors will need to approach data usage with a nuanced understanding of their unique roles. For government entities, personalisation might mean integrating data across various departments to streamline access to public services, enhancing citizen engagement and efficiency. For e-commerce platforms, it involves leveraging browsing and purchasing data to curate product recommendations and simplify the path to purchase.

Regardless of the sector, the overarching principle remains the same: personalisation shouldn’t come at the cost of user trust or privacy. Organisations must plan for ethical data use, ensuring that personalisation strategies are transparent and respect user autonomy. The evolving data protection laws in Australia emphasise the need for organisations to be accountable and responsible in their data practices. The challenge moving forward will be harnessing the power of data-driven personalisation in a manner that is both respectful and beneficial to the end user. This careful balancing act will be the cornerstone of building long-term trust.

Little asterisk

It’s worth mentioning that our thoughts here come from our own experiences helping our clients navigate complex data and privacy challenges. It isn’t formal advice, just a summary of findings and our take on things.