ACCC makes recommendations for privacy law reform
Earlier this week, the Australian Competition and Consumer Commission (“ACCC”) released its final report for the Digital Platforms Inquiry. The report looks at the impact of digital platforms on consumers, businesses and the media in Australia and recommends reforms to competition and consumer laws, media regulation and privacy law. The recommended reforms to privacy law extend beyond digital platforms and include a number of significant changes which would impact how all Australian organisations handle personal information.
The ACCC’s key recommendations to reform the Privacy Act 1988 (Cth) include:
- updating the definition of “personal information” to include online identifiers such as IP addresses, device identifiers and location data;
- strengthening existing requirements to notify individuals how an organisation will collect, use and disclose their personal information at the time of collection;
- strengthening the requirements for obtaining valid consent from individuals, including requiring “opt-in” rather than “opt-out” consent;
- providing individuals with a right to require that their personal information be deleted (the so-called “right to be forgotten”);
- providing individuals with a right to take action (including a class action) to seek compensation from an organisation which has contravened the Act; and
- increasing penalties for contravention of the Act.
The ACCC’s recommendations are heavily influenced by the EU’s General Data Protection Regulation (“GDPR”), which already has strong notice requirements, requires opt-in consent, and provides individuals with a right to be forgotten and a right to take action for compensation.
The ACCC also recommended that the Government should also consider:
- removing the current exemptions under the Act for small businesses, employee records and registered political parties;
- strengthening the Australian Privacy Principles, for example by requiring all use and disclosure of personal information to be lawful and fair;
- providing standards for de-identification, anonymization and pseudonymisation of personal information, to address the risks of re-identification; and
- applying for an adequacy decision from the European Commission to facilitate the transfer of personal information from the European Economic Area to Australia.
The ACCC also recommends that the Government should introduce a statutory cause of action for serious invasions of privacy. The idea of a “tort of privacy” is a longstanding one, and was previously proposed by the Australian Law Reform Commission.
It remains to be seen to what extent the Government will adopt the ACCC’s recommendations. Prior to the last election, the Government proposed a number of privacy reforms in relation to social media platforms, including increasing the maximum penalties for serious and repeated breaches of the Act from their current level of $2.1 million to the greater of $10 million, three times the value of the benefit obtained from the breach or 10% of a corporation’s annual domestic turnover.
In a related development, the Government recently introduced the Treasury Laws Amendment (Consumer Data Right) Bill 2019, which will introduce a “consumer data right” in the banking, telecommunications and energy industries. If requested by a consumer, retail service providers in these industries will be required to make the consumer’s personal information available to other service providers in an open format. The intent is to make it easier for customers to compare and switch providers, and also to foster the development of consumer fintech services. The effect of the law should be somewhat similar to the “data portability” right in the GDPR. The ACCC noted in its report that it will consider whether this right should be extended to digital platforms.