ACCC Chairman Sims gives speech on Digital Platforms Inquiry, raising privacy issues to be addressed
February 12, 2019
Yesterday, Rod Sims, in a speech to the IIC Australian Chapter, highlighted the issues that the ACCC raised in its Preliminary Report on the Digital Platforms Inquiry. Final submissions close on 15 February 2019.
As with the Preliminary Report, Sims highlights the privacy issues associated with the current regime of data collection, data matching and the lack of consent. These are matters that should be of primary concern to the Information Commissioner; however, that personage has been ineffective in enforcing the Australian Privacy Principles, which are supposed to deal with data collection and consent.
Nature abhors a vacuum, and the ACCC has stepped in to recommend beefed-up consent requirements and a statutory cause of action for breaches of privacy.
It is a very interesting speech, and the final report should put more pressure on whatever Government there is in the second half of this year to revamp and improve data collection regulation.
The speech provides:
Good morning and thank you for the invitation to speak with you today. I will use this time to explain some of the issues we are exploring in our Digital Platforms Inquiry, in particular the impact on news and journalism.
As you know, last year the Federal Government asked the ACCC to investigate the impact of digital platforms like Facebook and Google with particular regard to the media and advertising markets and the supply of journalism. In December we published our preliminary report which included 11 preliminary recommendations and identified eight areas for further analysis.
One of the key issues we identified is a problem with the commercial model for the funding of news and journalism. Information from media companies indicates the number of journalists employed in the traditional print sector fell by 20 per cent in the three years to 2017.
I recognise that the reduction in this sector, which now includes online media, is not solely due to the growth of the major digital platforms like Facebook and Google, but their commercially focussed and highly effective advertising businesses are clearly part of the issue. At the same time, Google and Facebook are very important sources of referral traffic for media websites.
Today I will focus on four key issues that I think are most relevant to the Australian media industry.
Firstly, the acknowledgement that news and journalism perform a critical role in society and therefore we cannot rely solely on market forces to deliver this important service.
Secondly, the impact of digital platforms on news and journalism. Clearly there is the financial impact and the concern that some media businesses are struggling to fund quality news and journalism.
This is, however, not just about taking advertising revenue; it is as much about digital platforms adversely impacting media business models in many ways. There are also other concerns such as the potential risk of filter bubbles and less reliable news.
But it is not all negative. The internet and digital platforms in particular have lowered the barriers to entry and delivered a wider range of news, particularly international news, to Australians.
Thirdly I will address how media concerns fit in with the other issues we are looking at. As we’ve gone through this inquiry we have realised just how interconnected a range of issues are: market power, advertising, news and journalism, consumer data and privacy protection.
Finally, I will highlight the proposals we have identified in the preliminary report which aim to address some of the media issues. I am particularly interested in your thoughts on these either here today or as soon as possible.
1. News and journalism as a public good
News and journalism are different to many other commercial activities in that they benefit both the individual and also society as a whole.
Individuals benefit through the consumption of news, information and opinions which increases their knowledge and understanding of issues and events which affect them. Society clearly benefits from having citizens who are able to make well-informed economic, social and political decisions. But news and journalism also contribute to the public interest more directly. Some examples include holding decision makers accountable through investigative journalism and exposing misconduct; acting as a journal of record for public forums such as courts, local government meetings and parliamentary sittings; and acting as a forum for debate through trained journalistic commentary and the exchange of ideas and opinions.
It is vital to note that it is not just in-depth public interest investigations that contribute to society and generate public benefits. Many forms of journalism from reporting on local council hearings to parliamentary sittings contribute to our society.
Given these benefits, we cannot simply leave the production of news and journalism entirely to market forces. Successive governments both here and overseas clearly recognise this with many countries including Australia having publicly funded national broadcasters.
But society also benefits from a diverse range of media sources. Plurality of editorial voices contributes to the public interest and we should not be in a position whereby we rely on one or even two news sources.
Given all this, it is also vital that media businesses are not disadvantaged through the exercise of market power or other mechanisms that make it difficult for them to compete on their merits.
2. The many impacts of digital platforms on news and journalism
Google and Facebook are stunningly successful commercial businesses that have rapidly gained significant market power.
The impact of the digital platforms on the traditional financial model employed by media businesses which was reliant on advertising to fund news and journalism has been the most significant. The advertising revenue of the traditional print sector has migrated online, but has largely not migrated to the online news sites of traditional newspaper businesses.
Most of the growth in online advertising expenditure has gone to Google and Facebook. Excluding classifieds, it is estimated that for a typical $100 spent online by Australian advertisers, $47 goes to Google and $21 goes to Facebook. In the past three years, Google and Facebook are estimated to have captured 80 per cent of the growth in digital advertising.
This shift in advertising revenue online, and to digital platforms, has reduced the ability of media businesses to fund news and journalism.
As I mentioned before, journalist numbers have fallen sharply in recent years. Census data shows this trend over time: from 2006-2016, the total number of people in journalism-related occupations fell by 9 per cent, but the number of journalists employed in what were traditional print businesses fell by 26 per cent.
We are still exploring the extent to which this reduction in journalism numbers has led to an ‘under-production’ in news and journalism.
There has of course been a number of new entrants with the growth of the so-called ‘digital natives’. The Guardian Australia, Crikey, Buzzfeed and The Daily Mail are all now actively reporting on Australian news. As set out in our preliminary report we recognise that the digital platforms have played an influential role in enabling the entry of these new providers and that has increased the diversity of news sources available to Australia.
However, these digital natives typically operate very small newsrooms and collectively, the number of journalists employed by digital natives appears to be much smaller than the number of editorial job losses among print publishers. The financial viability of these businesses is also not assured as demonstrated by Buzzfeed and Vice recently announcing redundancies in Australia, as well as worldwide.
A secondary impact comes from the practices of the digital platforms which make it hard for media businesses to, as I have mentioned and in the jargon of a competition regulator, “compete on their merits”.
As an example, one allegation is that the lack of clarity around the ad-tech supply chain disadvantages media businesses’ ability to monetise their content via advertising opportunities on their sites. In particular, it is argued, the opacity around the delivery of programmatic advertising; where, and to whom it is shown, and what cut the intermediaries owned by the digital platforms take, prevents advertisers making informed choices and hampers the ability of online publishers to take appropriate advantage of their quality offering.
Further, Google and Facebook are the key gateways to Australian consumers, making them critical business partners for media businesses (as well as advertisers) seeking to reach Australian consumers. It is because of this role that media businesses have concerns with certain practices of Google and Facebook. For example, in the course of our Inquiry, we have heard complaints about: digital platforms’ failure to act quickly to address copyright infringement complaints; a lack of transparency in the ranking of news content; ranking algorithms that do not appropriately recognise original news content or unfairly treat content which sits behind a paywall; restrictions on the types of advertising available in certain formats; as well as the impact of policies such as first click free and the potential impacts of so-called ‘snippets’ on traffic to media websites (the last one in particular is a tricky issue).
In addition, the atomisation of news delivered via digital platforms makes it difficult to maintain brand awareness and product differentiation for publishers. This also leads into the next issue.
The digital platforms have not replaced media businesses as creators or producers of news and journalism. If they had, we may simply treat this as an example of creative destruction: innovation and technological change creating a more effective or efficient product. While this view could be taken in relation to the advertising opportunities offered on the digital platforms, it cannot be taken in relation to news and journalism.
Google and Facebook are not creating news stories in Australia. Rather they select, curate, evaluate, rank and arrange news stories produced by third parties, disseminating other parties’ content.
This is a critical role with 50 per cent of traffic to Australian news media websites coming via Google and Facebook. These platforms, therefore, have a significant influence over what news and journalism Australians do and don’t see.
This is why there are concerns globally with the risk of filter bubbles and unreliable news on digital platforms and the impact this is having on citizens and society more broadly. While concerns with citizens living in a filter bubble or consuming unreliable news are not confined to journalism only accessed via digital platforms, these problems may be magnified in part due to the incentives for the production of emotive ‘click bait’ stories. This is an issue we are continuing to explore.
Holding such critical positions in both the media and advertising markets results in special responsibilities. All companies which obtain a substantial degree of market power are subject to the special responsibilities of dominant firms. What I mean by this is that conduct by a non-dominant firm that is benign may become problematic when a dominant firm engages in the same behaviour.
However, we consider that in each of Google and Facebook’s case, the special responsibility should go further, given the extent of their market power, the opacity of their operations and the critical roles they perform in what news and journalism is read/watched/listened to by citizens. Certain proposals contained in the preliminary recommendations and areas for further analysis aim to recognise this.
3. A number of interlinked issues
As our inquiry has progressed, it has become clearer how closely interlinked the issues are.
Media and advertising are two sides of the same coin – advertising has traditionally funded journalism. Commercial media – newspapers, commercial radio and television – are the classic example of a two-sided market.
Digital platforms are also multi-sided platforms: Google and Facebook are hugely successful at attracting consumer attention. The platforms attract consumers due to the value of the services they provide: primarily as a source of information in the case of Google (including news stories) and in the case of Facebook, as a social network. The more users they attract, the more valuable they are to the other side of the platform, the advertisers. Importantly, the amount of data collected from users also increases the attractiveness of the platform, as more relevant ads can be sold to advertisers.
Facebook and Google have market power; we’ve established this. Their market power in consumer facing markets translates into market power in advertising markets.
Google’s substantial market power in online search translates into substantial market power in online search advertising.
Facebook’s substantial market power in social media (and the significant amount of time users spend on this platform) leads to substantial market power in the online display advertising market.
Facebook and Google’s market power in advertising markets also relies increasingly on the extensive amount of data collected from consumers, enabling them to offer highly segmented or targeted advertising. More and more of what consumers do, say, or where they go is recorded by the digital platforms.
For consumers there are issues with a lack of transparency and meaningful options in terms of how, and how much, data is collected about them. This prevents consumers making an informed and genuine choice over the amount of data collected by the digital platforms, and how this data is used. Without transparency and well-informed consumers, markets can fail; and also there cannot be competition between digital platforms on this increasingly important element of competition.
Indeed, we see privacy, the limitations on how much data is collected and how it is used, as one variable of competition; no different to price or any other measure of service quality.
The close connection between market power and competition concerns, data collection, and consumer privacy is highlighted in the recent decision of the German competition authority. The German Federal Cartel Office found that Facebook’s extensive collection of its users’ data, not only from Facebook owned sites but also from third party websites and apps, amounted to an abuse of Facebook’s dominant position. The decision effectively prohibits Facebook from combining such data unless voluntary consent is obtained from the user.
In addition, other potential concerns associated with digital platforms, such as increased exposure to unreliable content and filter bubbles, are potentially a substantial issue because of the market power of the platforms: the algorithms of Google and Facebook would be much less of a concern if these platforms were not the dominant search engine and dominant social network and if they were not a significant route for many media businesses to reach their audience.
Digitalisation and the increase in online news sources also highlight inconsistencies in the current sector-specific approach to media regulation. Virtually no media regulation applies to digital platforms and this contributes to regulatory disparity between media sectors that would appear to provide the digital platforms with an unfair advantage in attracting advertising expenditure because they operate under fewer regulatory constraints and have lower regulatory compliance costs.
As mentioned above, concerns over the differences in measuring advertising performance and delivery also highlight the potential of unfair comparisons between advertising on traditional media and advertising on Google and Facebook.
Narrowing our focus to only some of these issues, and excluding others, such as consumer concerns about privacy and the use of their data, will lead to poor public policy outcomes. These issues simply cannot be addressed through a segmented approach.
4. Proposals to consider
Finally, I want to speak to the three key preliminary recommendations most relevant to the media sector and news and journalism.
First, we’ve proposed increased regulatory oversight of the ranking practices of digital platforms in relation to news and journalistic content, with the aim of identifying which criteria affect competition in media markets or incentives for production of news and journalistic content (PR 5).
This recommendation involves a regulatory authority (not necessarily a new one) having a particular investigation and reporting function in relation to digital platforms which meet certain objective requirements. The regulated digital platforms would be required to submit to the regulator information on the criteria that influence how news is ranked on a search engine results page or newsfeed. The regulator would also need the power to compel the provision of certain information and initiate investigations.
The aim is that the regulator would provide transparency about how media content is treated by the algorithms: for example, is advertiser funded content ranked higher than paid content? How is news content which substantially reproduces other original content ranked? The regulator could then report, at a high level, on the results.
Second, a separate independent review by government to design a regulatory framework to consistently regulate the conduct of all entities which perform comparable media functions – including the production and delivery of news and journalistic content, whether they are digital platforms, publishers, broadcasters or others (PR 6).
Why should the online world be treated so markedly differently to the offline world?
Third, a mandatory standard (to be determined by the ACMA) involving improved take down procedures by digital platforms in relation to copyright infringing content (PR 7).
Our inquiries indicated that media businesses faced difficulties in requesting digital platforms to take down copyright-infringing content in a timely manner. This is in part due to the uncertainties involved in establishing the digital platforms’ liability for authorising a copyright infringement. The mandatory standard is proposed in order to improve the enforceability of copyright protections online.
In addition to these three key preliminary recommendations, we have addressed more difficult issues in the ‘areas for further analysis’.
There are proposals aimed at providing people who consume news and journalistic content via digital platforms with greater transparency and certainty about the quality of the news produced. Effectively, a ‘badge’ or signal would appear in relation to news content produced by news media businesses which have signed up to certain standards for the production of journalistic content. The ACMA would have oversight of these codes.
There is a proposal suggesting a broad industry supported campaign (with the ACMA) to improve news literacy online.
There are also proposals aimed at improving the ability of news media businesses to fund the production of news and journalism; particularly those types of news and journalism which are at risk of being under-funded. We have identified three broad proposals on which we are looking for feedback:
- A review of the Regional and Small Publishers ‘Jobs and Innovation Package’ which had only a three-year funding profile
- Tax offsets for the production of certain types of news and journalism
- Making personal subscriptions to news media tax deductible. Only those media businesses which are party to an ACMA-registered code would benefit from this proposal.
Of course there can be concerns with introducing and implementing tax incentives and subsidies, but they should be considered where externalities exist. I welcome feedback on these proposals but I am also interested in other new ideas which will maintain the incentives on news media businesses to produce news and journalism, particularly those examples which may be at risk of under-production (e.g. local or regional reporting or court reporting).
Other proposals covered in our Preliminary Report are also relevant, for example some of the proposed changes to the Privacy Framework and the introduction of any prohibition against unfair practices. We also welcome feedback on these and other issues.
As many of you will know, submissions in response to the Preliminary Report are due this week, on 15 February. We hope to publish the submissions soon afterwards.
We believe our Inquiry is fundamentally important across many dimensions. We welcome any contribution you can make.
By comparison, the Information Commissioner’s last speech, on 1 November last year at the iappANZ conference, which I attended, was vague, anaemic, superficial and general: a good effort at appearing to say much while saying very little. The statistics that pepper the speech mean very little in terms of actual enforcement of the Act. There have been no civil penalty proceedings issued. The enforceable undertaking of the Department of Health regarding the Medicare and Pharmaceutical Benefits data set is incredibly weak compared to action taken in the United States and elsewhere, yet the Commissioner defends the practice. Why she does is a good question. The Commissioner advised that she has opened a formal investigation into Facebook arising from the Cambridge Analytica fiasco, but that is all that has been done. The ICO has already hit Facebook with a massive fine and action has been taken against it in Europe. This highlights the fact that the Commissioner is incredibly slow and tentative in using the powers she has.
The speech provides:
Good morning privacy professionals, Australia and New Zealand.
I would like to acknowledge the traditional custodians of the land upon which we meet today, and pay my respects to elders past, present and future.
It is a pleasure to be here to open my first iappANZ Summit as Australian Information Commissioner and Privacy Commissioner.
As many of you might already know, I was appointed to the position in August this year, and hasn’t it been a huge year for privacy in Australia and around the world?
This year’s Summit has as its theme “Privacy – Handling the Seismic Shift.” A shift is said to be “seismic” when it is sudden or dramatic, of enormous proportions or having significant consequences. I would be interested in your views as practitioners as to whether this year feels like such a shift. As the regulator, I can tell you that I think the description is apt!
Last week I attended the International Conference of Data Protection and Privacy Commissioners in Brussels. Giovanni Buttarelli, European Data Protection Supervisor said this:
“… we are now living through a new generational shift in the respect for privacy … driven by the digitisation of almost everything in our economy and services sector, our social relations, politics and government.”
Elizabeth Denham, the UK Information Commissioner, described these times as the “decade of data”.
And from my perspective, following the Facebook Cambridge Analytica incident, I saw Australians witnessing what I describe as the “dawning of digital data”, and all its implications.
2018 marks 30 years since the Australian Privacy Act was enacted, and it has indeed been a landmark year for privacy reform in Australia. The Notifiable Data Breaches scheme and the Australian Government Agencies Privacy Code both commenced earlier this year – two significant reforms providing greater transparency and accountability for personal information handling.
And of course in global developments we saw the commencement of the General Data Protection Regulation in Europe. In the US, California has moved on additional privacy reform, and we have seen increased focus and debate around a comprehensive federal US privacy law from politicians, civil society and industry. Only last week we heard Apple, Facebook and Google indicating support for such a law in front of hundreds of data protection authorities and thousands of privacy practitioners in Brussels.
And as our interconnectedness continues to grow as a result of global data flows across digital economies, the necessity of global regulatory cooperation is reinforced. That is why I am very pleased to have been elected to the Executive Committee of the International Conference of Data Protection and Privacy Commissioners last week and I would like to thank the New Zealand Privacy Commissioner John Edwards, who is here today, for his support in that regard.
My office is focused on promoting privacy protection, preventing privacy breaches, detecting areas of risk, and providing remedies. This morning I would like to take you through how the OAIC’s implementation of the NDBs scheme and the Australian Government Agencies Privacy Code achieves these objectives. I will also touch on other key privacy developments and cases. And I’ll share some regulatory priorities and thoughts on where to next.
Notifiable Data Breaches and international trends
First the Notifiable Data Breaches scheme.
At its core, the scheme’s purpose is to increase transparency and accountability. It ensures that individuals are made aware when their personal information is caught up in a data breach and serious harm is likely to result. And through the requirement to notify the OAIC, we help ensure entities contain breaches and put in place steps to prevent reoccurrence, and we become alert to systemic issues. The requirement to notify is also a strong motivator to improve security practice.
The scheme has now been in force since the end of February, and I released the latest quarterly statistics report earlier this week.
The purpose of these reports is to build a picture of the trends in personal information security risks.
This insight allows for more targeted and effective prevention. Our aim is to help elevate the security posture across the economy. This is a regulatory priority.
And we are already seeing some consistent trends.
245 data breach notifications were made to my Office between July and September this year. This is comparable to the previous quarter, from April to June, when we received 242 notifications.
Globally, there has been a significant increase in activity.
Prior to the introduction of the GDPR, the UK Information Commissioner’s Office received fewer than 400 notifications per month. In June, immediately after the GDPR commenced on 25 May, they received 1,700 notifications.
Canada’s public sector saw a 49 per cent increase in notifications last financial year.
And as of today, November 1, Canada’s private sector is also subject to mandatory privacy breach reporting requirements, so inevitably we expect their notifications to increase further.
There are other insights we can draw from the quarterly reports, beyond raw notification numbers.
Most data breaches reported to the OAIC involved the personal information of fewer than 100 individuals.
Consistent with international trends to date, the health care sector was the top sector reporting data breaches. This is a regulatory priority. We are working with peak bodies to elevate security awareness and practice in that sector.
It is worth noting that all private health care providers are required to notify eligible data breaches; the 3 million dollar annual turnover threshold that applies to other organisations does not apply to them.
This was followed by the financial services sector, the legal and accounting services sector and then the education sector.
In terms of the causes of eligible data breaches, we have seen a steady trend emerge since February.
57 per cent of data breach notifications we received last quarter were caused by malicious or criminal attacks compared to 59 per cent in the April to June quarter.
37 per cent of notifications were the result of human error, a slight increase from 36 per cent the previous quarter. And six per cent were the result of a system fault, up from five per cent.
The dominant theme is the human factor.
The majority of malicious or criminal breaches reported were cyber incidents that resulted from compromised credentials – that is, stolen usernames and passwords.
This usually involves someone being phished or otherwise tricked into handing over their login details.
The most common human error was sending emails containing personal information to the wrong recipient.
The human element is also evident in other jurisdictions.
In the UK, the majority of data breaches were the result of cyber incidents, again with people being tricked into handing over their credentials.
In the Netherlands, the most common cause was accidentally sending personal information to the wrong recipient.
This is the first key lesson we can take away from the NDB scheme – that an organisation may significantly reduce risks related to personal information handling by addressing the human factor.
Organisations need to promote staff awareness about secure information handling – and look for technological solutions that will assist staff.
This could include multi-factor authentication and system requirements that force users to choose a strong password that must be changed regularly.
The second lesson is the value of having an effective data breach strategy.
The faster a data breach can be identified and contained, the lower the costs to customers and the organisation.
My office has published a guide to the regulatory requirements and expectations for best practice data breach response.
It is titled ‘Data breach preparation and response — A guide to managing data breaches in accordance with the Privacy Act’ and is available on the OAIC’s website.
It provides a valuable resource for any staff member involved in compliance and risk management.
Recent notifications have also highlighted the importance of considering how organisations will work with third parties if a breach involves jointly-held personal information.
An example of this was the Page Up data breach, which affected dozens of organisations.
The NDB scheme contains a number of mechanisms to avoid duplicate obligations, so that compliance by one entity will also be taken as compliance by each of the entities that hold the information.
A major learning from our NDB reports is the need to establish clear procedures for compliance when multiple entities are involved.
This includes considering communication processes for suspected breaches, how an assessment will be conducted, and the responsibility for containment, remediation and notification. This can be achieved through contractual measures.
Complaints and investigations
As I mentioned, more and more countries around the world are formalising data breach assessment and notification obligations by making them a legal requirement.
This has elevated community expectations and awareness.
We see the heightened community awareness in the increased number of complaints being made to my Office.
In 2017-18, the OAIC received almost 3,000 privacy complaints [2,947], which is an 18 per cent increase on the previous financial year. We also closed more than 2,700 privacy complaints [2,766], up 11 per cent, in an average time of 3.7 months, down from 4.7 months through taking an early resolution approach.
And representative complaints can also be made to my office.
Earlier this year the previous Commissioner determined a representative complaint in the Cbus superannuation matter, which involved the use of secondary information without consent.
Cbus was ordered to issue an apology and change its processes.
Of note, compensation was not ordered in this matter, without evidence of harm being suffered as a result of the breach.
This is a key learning from the representative complaint – that there does need to be actual proof of loss or damage for compensation to be awarded.
We are currently handling another representative complaint involving the Department of Home Affairs. In 2014, there was a data incident that involved the details of nearly 10,000 people in immigration detention. We have had an extended period of time this year for individuals to provide their evidence of loss.
We have also received a representative complaint against Facebook.
The Privacy Act also enables me to initiate investigations into possible privacy breaches on my own initiative. In 2017-18, my Office conducted preliminary inquiries or commenced investigations in relation to 21 matters.
One remedy that is available is the power to accept an enforceable undertaking offered by a respondent.
In March, the OAIC accepted an enforceable undertaking from the Department of Health, after a Medicare and Pharmaceutical Benefits Schedule dataset was published online for third-party research purposes.
This enforceable undertaking requires an independent external review of the Department of Health’s policies and procedures for compliance with Australian Privacy Principles 1 (systems and processes) and 11 (security) for the release of data based on personal information. A follow up audit and report on the adequacy of the Department’s implementation and response to any recommendations made is also required.
There has been some criticism of regulators using enforceable undertakings following the Royal Commission into Misconduct in the Banking, Superannuation and Financial Services Industry.
It is a tool that has been effectively used by the OAIC and one that I will continue to use in appropriate circumstances.
An enforceable undertaking can require organisations to undertake a third party review of their processes, learn from them and change them.
This not only mitigates compliance risks, but also provides a vehicle for organisations to consider how to best meet community expectations.
I also have the power to seek civil penalties in the Federal Court of up to $2.1 million per breach.
This would be in circumstances of repeated or serious breaches of privacy.
This could include a history of repeated interferences with privacy or a one off serious privacy breach.
As Commissioner, my focus is on ensuring the OAIC regulates effectively through preventing, detecting and remedying interferences with privacy. Part of this is to ensure we are connected and informed by our international and domestic landscape.
In April, I opened a formal investigation into Facebook following confirmation that the information of over 300,000 Australian users was potentially misused.
I am conferring with international authorities about the case, particularly the UK Information Commissioner’s office.
Last week, the ICO confirmed a fine of 500,000 pounds against Facebook – the maximum possible penalty under the UK law at the time the activity occurred.
Under the GDPR, potential fines increase significantly to 20 million euros or four per cent of annual global turnover – whichever amount is greater.
The UK Commissioner commented that a company of Facebook’s size and expertise should have known better and it should have done better.
Whatever the outcome of my investigation under Australian law, I think it has certainly elevated the awareness and expectations of privacy across the digital world.
In particular, the community’s desire to understand how their personal information may be subsequently used and disclosed, and for what purposes.
That has ramifications, not only for me as a regulator, but for all of you in terms of the way in which you handle personal information and the expectations of your clients and the community.
Government Agencies Code
Our regulatory approach will continue to be evidence-based and proportionate.
We are also focused on engaging constructively with stakeholders, including organisations and agencies.
Over the past year we’ve provided more advice to government, business and the community than ever before.
Part of that is our work to implement and administer the NDB scheme, as I mentioned earlier.
It also relates to our work to support the implementation of the Australian Government Agencies Privacy Code which commenced in July this year.
The Code sets out specific requirements and key practical steps that agencies must take as part of complying with Australian Privacy Principle 1.2 (APP 1.2). It requires agencies to move towards a best practice approach to privacy governance to help build a consistent, high standard of personal information management across all Australian Government agencies.
The OAIC has developed a very useful resource to help agencies assess the current state of their privacy practices and set privacy goals and targets. It is called the ‘Interactive Privacy Management Plan’ and is available on our website.
While the Code currently only applies to Government agencies, I believe this is an excellent resource for all organisations. The requirements of the Code are a good indicator of my expectations for businesses, especially in regard to privacy by design.
The Code particularises the concept of building in privacy, which is reflected in Australian Privacy Principle 1. And you will note synergies with the GDPR.
What is also clear is the need for ongoing privacy consideration throughout the evolution of products and services.
We saw this recently when Facebook discovered a vulnerability in their code that impacted their ‘View As’ feature, allowing attackers to steal Facebook access tokens, which they could then use to take over people’s accounts.
Privacy by design should not just be undertaken at the start of a new project.
It requires continuous and ongoing consideration of the impact on personal information holdings.
Consumer Data Right and Digital Platforms Inquiry
As technology continues to change, building in privacy by design will increasingly require a multi-disciplined approach.
This is especially relevant in relation to the new Consumer Data Right.
My office is working closely with the ACCC to develop the Consumer Data Right framework. The Consumer Data Right will enable individuals to transfer their data to accredited recipients through a secure means and by consent.
We are also preparing to implement additional regulatory functions under that scheme.
There are of course synergies between consumer and privacy laws.
For instance, collection of information under the Privacy Act must be by fair and lawful means, while the Australian Consumer Law makes misleading or deceptive conduct unlawful.
There are also similar issues that surround the need for informed consent about how information is being collected and used, and whether a consumer contract is unconscionable or misleading.
This calls for greater cooperation between regulators as these two regimes start to converge globally.
We are seeing it in Europe and we may also see it in the United States, where as I said, there is talk of a new uniform national privacy law.
If that comes to fruition, it would sit alongside the well-established consumer protection regime in the US, and could provide for positive transparency, accountability and security obligations relating to personal information, as well as privacy rights and remedies for individuals.
Consumer protections on their own are not enough.
Privacy and consumer protection regimes both need to be used in conjunction to efficiently and effectively protect the public interest.
As privacy practitioners, we need to recognise this and anticipate how regulation might develop.
It is no longer enough to be an expert in the Privacy Act or the GDPR – practitioners need a broader understanding of consumer and other legislative regimes.
The common concept of fairness, whether it is in relation to the collection of data from a privacy perspective or consumer protections, illustrates that compliance with the law can also have reference to notions of ethics, and where we draw the line.
I believe this is one of the most important privacy issues of our time and it was clearly articulated by European Data Protection Supervisor in Brussels last week.
Giovanni Buttarelli described us as being at a “tipping point for our digital society”. He called for a sustainable code that will define our values into the future.
These ideas of right and wrong, fairness and unfairness – relate directly to Australian Privacy Principle 3, which governs the collection of personal information. And to what is meaningful consent. These are regulatory priorities.
I think we all need to consider – what does the fair collection of data look like in the new digital context of pervasive technologies and algorithmic non-transparency? And how can we support individuals including vulnerable groups like children, in the context of complex data flows? I will be focusing on these issues. I am interested in exploring the role certifications, trust marks or seals could play to support innovation, competition and better privacy practice. I’m also interested in whether we can develop a common language to assist individuals to understand and make informed decisions around the handling of their personal information.
The practical application of concepts of fairness and the role of consent will be central to the future of privacy in Australia. It is a key issue that unites my regulatory priorities and, accordingly, I also think it should be a key focus point for every organisation moving forward.