Australian Privacy Law Update
Earlier this year during Privacy Awareness Week 2020, Angelene Falk (our Australian Information and Privacy Commissioner) stated that while online privacy has been a focus for the regulator, COVID-19 and the shift to remote working arrangements and increase in other online activities (such as learning, socialising and shopping) has really underscored its importance.
Concurrently, the Australian Competition & Consumer Commission (ACCC) has highlighted the intersection between questions of substantial market power and competitive harm, consumer protection and privacy. In its Digital Platforms Inquiry issued in July 2019 (ACCC Inquiry), recommendations were made for changes to Australia’s privacy laws with a focus on data privacy laws. However, it was suggested that any amendments to the Privacy Act 1988 (Cth) (Privacy Act) will require a clear and consistent standard of data protection across different industries to consistently protect the privacy of consumers.
In December 2019, the Australian Government responded to the ACCC Inquiry affirming that it would need to consider how the scope of the Privacy Act applies in the digital age and indicated that given the new ways in which people and businesses connect via digital platforms, new and fairer approaches to regulation were called for and broader reforms will be introduced to enhance consumer protection, promote competition and improve market transparency.
While digital platforms have become a focal point for regulatory reform, the anticipated changes could also have implications for smaller businesses currently not covered by the Privacy Act. Consultation and a comprehensive review of the Privacy Act are expected to be completed in 2021.
Given the numerous reforms in stall, in the coming months businesses of all sizes need to pay particular attention to their privacy and data protection practices from both a privacy law perspective and also a consumer law perspective, with particular focus on privacy policies being clear, coherent and not misleading as to how collected personal information may be used.
Recent cases - HealthEngine, Google and Facebook
In the ACCC Inquiry report, the ACCC recommends that the definition of ‘personal information’ be amended to capture technical information such as IP addresses, device identifiers, location data and any other online identifiers that relate to an identified individual. The ACCC was also of the view that a statutory tort for serious invasions of privacy should be applied across the economy. With the ACCC recently paying such acute attention to privacy matters in the context of consumer protection, it is likely the ACCC will step up its enforcement agenda in the privacy space applying consumer laws to address privacy and data protection issues more frequently where the Office of the Australian Information Commissioner (OAIC) may not yet have power to do so under the Privacy Act.
An example of the ACCC’s outreach into privacy matters can be found in ACCC v HealthEngine Pty Ltd [2020] FCA 1208 (the HealthEngine case) where HealthEngine Pty Ltd’s conduct in relation to the collection and use of personal information was found to be misleading in that it did not make clear to individuals that their personal information would be disclosed to third party health insurance brokers and that those third party health insurance brokers would contact the individuals. The Federal Court of Australia imposed a pecuniary penalty of A$1.4 million as well as other extremely onerous orders to notify all persons whose personal information had been disclosed to such brokers over a period of 4 years and to undertake an independent annual review of its existing compliance program for 3 years.
On 27 July 2020, the ACCC announced that it had launched proceedings in the Federal Court against Google over its alleged misleading of consumers when collecting their personal information for the use in targeting advertising. It claimed that Google failed to obtain explicit and informed consent from its consumers about the use of their data and acted contrary to representations made in its privacy policy. It failed to convey to consumers how much of their personal data it was collecting or what it planned to do with large amounts of it.
The OAIC has also this year lodged proceedings against Facebook in the Federal Court, alleging the social media platform has committed serious and/or repeated interferences with privacy in contravention of Australian privacy law and that the personal information of Australian Facebook users was disclosed to a third party app for a purpose other than the purpose for which the information was collected in breach of the Privacy Act. The OAIC argued that the design of the Facebook platform meant users were unable to exercise reasonable choice and control about how their personal information was disclosed and that Facebook’s default settings facilitated the disclosure of personal information, including sensitive information at the expense of privacy.
The ACCC and OAIC have both inferred that potentially problematic data practices, and the associated potential for consumer harm, extend beyond digital platforms to other markets and that consumers in general are currently not adequately informed of how their information is being used nor provided any choice regarding the use of their personal information.
Australian Community Attitudes to Privacy Survey 2020
In September 2020, the OAIC published the Australian Community Attitudes to Privacy Survey (ACAPS) which looks at Australian attitudes towards privacy.
Some of the ACAPS findings include the following statistics:
- 83% of Australians would like the government to do more to protect their data;
- 71% of those surveyed believe small businesses should be covered by the Privacy Act;
- 73% of those surveyed believe businesses collecting work related information about employees should be covered by the Privacy Act;
- Over half of Australians are more concerned about the protection of their personal information following the COVID-19 outbreak;
- Only 24% of Australians believe their personal information is well protected; and
- Australians hold very little trust in companies in general and that lack of trust has increased during COVID-19.
These attitudes seem to correlate with the direction in which the OAIC and ACCC are heading in terms of their assessment of the need for a revised privacy law framework (which will, amongst other things, strengthen consent and notification requirements). They also set alarm bells to businesses that consumers are increasingly aware of their rights under consumer and privacy laws and are likely to avoid businesses who fail to provide certain comforts with respect to their data practices.
Penalties under the Australian Consumer Law versus the Privacy Act
With the ACAPS and above mentioned ACCC cases in mind, if it is brought to the ACCC’s attention that your business misused personal information or misrepresented the intended use of personal information or you do not have a clear and transparent privacy policy, your business may be running the risk of attracting a much higher ACCC penalty than under the Privacy Act.
However, this may not be the case for too much longer, as higher penalties for breach of the Privacy Act were also announced in March 2019 to give the OAIC:
• the ability to seek increased penalties for serious or repeated breaches of the Privacy Act to the greater of (i) $10 million AUD, (ii) three times the value of the benefit obtained through the misuse of information or (iii) 10% of the company’s annual turnover; and
• the ability to issue infringement notices of up to $63,000 for corporations and $12,000 for individuals for failure to cooperate with efforts to resolve minor breaches.
These amendments to the Privacy Act, once enacted, will align maximum civil penalties under the Privacy Act with those under the Australian Consumer Law.
Key Take Aways
While the traditional focus for businesses was to ensure its data protection and privacy practices were compliant with ever changing privacy laws, it is now clear that businesses also need to take into account consumer law factors when approaching their privacy practices generally.
The ACCC Inquiry, the Government’s response and the ACAPS together tell us that businesses should:
- stay informed with the privacy law reform process;
- if you are an APP entity, and do not have a privacy policy, put one in place or if you have one (whether an APP entity or not) make sure it is up to date and complies with the Privacy Act and aligns with the ACCC Inquiry recommendations;
- ensure their privacy policy is bespoke, accurate and contextual taking into account any industry specific considerations;
- ensure their use of personal information is related to the purposes for collection;
- ensure appropriate consents are obtained where required;
- ensure their customers have more control and choice over the collection and use of personal information;
- strengthen measures to prevent data breaches by training their staff and ensuring appropriate systems are in place to protect data;
- ensure that you have a data breach response plan in place and that employees understand the steps to be taken in the event of a data breach; and
- regularly conduct a general privacy health-check.
With the end of the year fast approaching, it is time to plan for 2021 and reconsider privacy and consumer laws within the context of your business and industry.