Australian Competition & Consumer Commission releases the Digital Platforms Inquiry – calls for more privacy protections amongst many other recommendations
July 30, 2019 |
Last Friday, 26 July 2019, the Australian Competition & Consumer Commission released its long anticipated and comprehensive final report. At 623 pages it is something of a tome, not surprisingly given the broad and comprehensive recommendations it makes. The executive summary is found here.
The scope of the recommendations cover issues of competition and protecting diversity in the media, issues of critical importance but beyond the usual coverage of this publication.
Relevantly, for this site, is the recommendations for more privacy protections. That includes statements such as:
The ACCC considers that the Privacy Act needs reform in order to ensure consumers are adequately informed, empowered and protected, as to how their data is being used and collected. This will increase trust in the digital economy and spur competition between businesses on the basis of privacy.
..a holistic approach that takes into account the close links between competition, consumer, and privacy issues is needed; a siloed approach will fail to address the core interrelated issues associated with the ubiquity of digital platforms.
The most relevant chapter regarding privacy protections is Chapter 7 which the Executive Summary describes as follows:
Consumers’ bargain with digital platforms
Digital platforms provide a wide range of valuable services to Australian consumers, often for zero monetary cost. The ubiquity of digital platforms in the daily lives of consumers means that many are obliged to join or use these platforms and accept their non-negotiable terms of use in order to receive communications and remain involved in community life. The ACCC considers that Australian consumers are better off when they are both sufficiently informed about the collection and use of their data and have sufficient control over their data. Transparency over the collection and use of data is important so that consumers have the opportunity to understand what data they are providing to others and how it is being used. However, this transparency is not enough. Consumers, once they understand what is being collected and how it is used, must be able to exercise real choice and meaningful control.The future of the digital economy relies on trust, by both consumers and business users. As the Productivity Commission has noted9:Businesses, as much as governments, rely on the willingness of the public – the source of so much of the data – to continue to trust data handling and use. Against the background of an ocean of personal data that is already public, there is now, and will be in the future, a need for continued community acceptance and trust in the handling of personal data by both governments and business.Social licence will develop if people:?have a sound basis for believing in the integrity and accountability of entities (public and private)handling data feel they have some control over how their own data is used and by whom, and an inalienable ability to choose to experience some of the benefits of these uses themselves?better understand the potential community-wide benefits of data use. The ACCC’s proposals will provide sufficient information to enable consumers to make informed and genuine choices, to increase the accountability of entities handling user data, and to provide the ability for consumers to exercise some control over their user data. The ACCC considers that the most efficient way to make these changes is to amend the existing privacy law and extend protections under consumer law.
A lack of informed and genuine choice
Many digital platforms increasingly collect a large amount and variety of user data. The data collected often extends far beyond the data users actively provide when using the digital platform’s services. Digital platforms may passively collect data from users, including from online browsing behaviour across the internet, IP addresses, device specifications and location and movement data. Once collected, digital platforms often have broad discretions regarding how user data is used and also disclosed to third parties.The user data collected can enable digital platforms to create more detailed segmented user profiles that are then available for use by advertisers wishing to target advertisements. Consumers have informed the ACCC that they have concerns about the extent and range of information collected by digital platforms. The ACCC is of the view that consumers’ ability to make informed choices is affected by:??
-
- The information asymmetry between digital platforms and consumers. The ACCC found that consumers are generally not aware of the extent of data that is collected nor how it is collected, used and shared by digital platforms. This is influenced by the length, complexity and ambiguity of online terms of service and privacy policies. Digital platforms also tend to understate to consumers the extent of their data collection practices while overstating the level of consumer control over their personal user data.
- ??The bargaining power held by digital platforms compared to consumers. The ACCC also found considerable imbalance in bargaining power between digital platforms and consumers. Many digital platforms use standard-form click-wrap agreements with take-it-or-leave-it terms and bundled consents, which limit the ability of consumers to provide well-informed and freely given consent to digital platforms’ collection, use and disclosure of their valuable data.
Without adequate information on how digital platforms collect and use users’ data, or the ability to choose between digital platforms on the basis of their data practices, consumers are unable to make informed decisions. This is likely to impede potential competition between digital platforms on the privacy and data protection offered. This may also impede the new entry of rival services that use alternative business models.
Lack of consumer protection and effective deterrence under existing laws
The lack of both consumer protection and effective deterrence under laws governing data collection have enabled problematic data practices and a lack of transparency and control which undermine consumers’ ability to select a product that best meets their privacy preferences. The lack of deterrence under current laws is compounded by individual consumers’ inability to bring direct actions for breaches of their privacy under the Privacy Act or for serious invasions of their privacy that cause financial or emotional harm.
The need for strengthened protections in the Privacy Act
The ACCC notes the announcement from the Australian Government on 24 March 2019 of tougher penalties and other measures to protect Australians’ online privacy. The announced changes include:??
-
- increased penalties for serious or repeated breaches to whichever is the greater of: AU$10 million, three times the value of any benefit obtained through the misuse of information, or 10 per cent of a company’s annual domestic turnover
- new infringement notice powers for the Office of the Australian Information Commissioner (OAIC) and other expanded options available to the OAIC to address breaches??
- a requirement for social media and online platforms to stop using or disclosing an individual’s personal information upon request??
- specific rules to protect vulnerable groups such as children.
The ACCC welcomes these changes, a number of which also form part of this Report’s recommendations. The ACCC also recommends the Government consider further legislative changes to strengthen privacy regulations in Australia, in particular:
1. Updating the definition of personal information in line with current and likely future technological developments to capture any technical data relating to an identifiable individual.
2. Strengthening notification requirements to ensure that the collection of consumers’ personal information directly, or by a third party is accompanied by a notice of the collection that is concise, intelligible and easily accessible, written in clear and plain language, provided free of charge, and accompanied by appropriate measures to reduce the information burden on consumers.
3. Strengthening consent requirements to require that consents are freely given, specific, unambiguous and informed and that any settings for additional data collection must be preselected to ‘off’. Consents should be required whenever personal information is collected, used or disclosed by an entity subject to the Privacy Act, unless the personal information is necessary to perform a contract to which a consumer is a party, required under law, or otherwise necessary in the public interest.
4. Requiring entities subject to the Privacy Act to erase the personal information of a consumer without undue delay on receiving a request for erasure from the consumer, except in certain circumstances.
5. Introducing direct rights for individuals to bring actions or class actions before the courts to seek compensation for an interference with their privacy under the Privacy Act.
The ACCC also notes that privacy law reform responding to the increasing collection and use of personal information is not unique to Australia. In recent years, a number of jurisdictions have introduced strengthened privacy regulations including in Europe (via the General Data Protection Regulation), certain states in the United States (including California), and Japan.
Future concerns – review of privacy regulation
Innovation and rapid technological change has transformed the ability and incentive of entities to collect, use, and disclose the personal information of Australian consumers in the digital economy. These changes are accompanied by the growing awareness and concern of Australian consumers regarding privacy and data protection.As observed by the ALRC in their report on Australian privacy law and practice more than a decade ago, ‘rapid advances in information, communication and surveillance technologies have created a range of previously unforeseen privacy issues’. 10 The Productivity Commission has also echoed these comments in noting that the Privacy Act may have a limited application in a highly data-driven future.11The ACCC therefore considers that, in addition to its recommendations for targeted amendments to the Privacy Act, broader reform of the Australian privacy regime may be necessary to maintain effective protection of consumers’ personal information in the longer term, including a consideration of the current objectives and scope of the Privacy Act (recommendation 17).
Some privacy law changes should apply economy-wide
The ACCC’s inquiries indicate that potentially problematic data practices, and the associated potential for consumer harm, extend beyond digital platforms to other markets. For example, many businesses seek consent to data practices using click-wrap agreements, bundled consents, and take-it-or-leave-it terms where consumers are not provided with sufficient information or choice regarding the use of their personal information.This results in an increased exposure to data breach risks, a reduction in trust which could result in consumers avoiding transactions, and the potential for particular risk to vulnerable consumers, including children.Therefore, changes to laws which give consumers greater control over their personal information and increase the accountability of businesses for data practices and the deterrence effect of Australian privacy laws are needed.The ACCC considers that the proposed amendments to Australian privacy law and the introduction of a statutory tort for serious invasions of privacy (recommendations 16, 17 and 19) should apply across the economy. The ACCC does not consider that only implementing specific changes applicable to digital platforms would be sufficient to protect the long-term interest of consumers or to maintain their trust to facilitate the free flow of information necessary for data-driven markets in the digital economy.
Digital platforms – OAIC Privacy Code of Practice
The Inquiry has identified that, in addition to the large volume of Australian consumer personal information collected by digital platforms, several aspects of digital platforms’ notification and consent processes raise particular concerns. As such, it is necessary to supplement the economy-wide amendments to the Privacy Act outlined above with additional obligations specific to digital platforms’ data practices, including in relation to notification and consent requirements, opt-out control, the handling of children’s data, information security, retention of data and complaints handling.For example, to address the acute information asymmetry between digital platforms and consumers without increasing the information burden on consumers, digital platforms should be required to provide multi-layered notices about their data practices. This should range from a first layer containing concise statements targeted to areas of potential concern to a consumer to a final layer which can set out all relevant details of how a consumer’s data may be collected, used, disclosed and shared by a business (including with third parties).The ACCC recommends that this be achieved via an enforceable Privacy Code of Practice to be developed by the OAIC to apply to digital platforms. It should also be enforced by the OAIC and accompanied by the same penalties as are applicable to an interference with privacy under the Privacy Act.The Privacy Code of Practice should be developed through extensive consultation with relevant stakeholders, including consumer and privacy advocates. The ACCC should also be involved in developing the code in its role as the competition and consumer regulator.As above, the ACCC notes that, in March 2019, the Government announced the creation of a legislated code to apply to social media and online platforms which trade in personal information. The ACCC views that this recommendation could align with and be taken into account in the Government’s consideration of the substance and reach of that code.
Consumers require additional protection under consumer law
In the course of this Inquiry the ACCC has identified a number of examples of conduct which are detrimental to consumers that may not be effectively addressed or neatly fit under the existing Australian Consumer Law (ACL). The ACCC has observed terms in contracts that can involve a significant imbalance in the rights of consumers and digital platforms but which, if held to be an unfair contract term, would not be subject to penalties. While individual terms that are unfair could be declared ‘void’ by a court, this remedy may not be of much benefit to a consumer and does not effectively deter businesses from using such terms.
Therefore, the ACCC considers that the introduction of civil pecuniary penalties for unfair contract terms in standard form consumer or small business contracts would more effectively deter businesses, including digital platforms, from leveraging their bargaining power to include unfair contract terms in their terms of use or privacy policies. The ACCC has also observed a range of practices that are significantly detrimental for consumers but which may not neatly fit under existing consumer laws. These practices are driven in part by the significant increase in the amount of consumer data now collected and the increased sophistication in data analysis and consumer targeting, which also creates the potential for significant consumer harm. These practices include:
1. Changing terms on which products or services are provided without reasonable notice or the ability to consider the new terms, including in relation to products with subscriptions or contracts that automatically renew.
2. Adopting business practices to dissuade a consumer from exercising their contractual or other legal rights, including requiring the provision of unnecessary information in order to access benefits.
3. Inducing consent or agreement by very long contracts or providing insufficient time to consider them or all or nothing ‘click wrap’ consents. Accordingly, the ACCC recommends that the Australian Consumer Law be amended to include a prohibition on certain unfair trading practices, noting that such prohibitions have been used to address similar practices overseas. The ACCC recognises that the scope of such a prohibition should be carefully developed such that it is sufficiently defined and targeted, with appropriate legal safeguards and guidance. It also notes the current work on this issue being undertaken as part of the Consumer Affairs Australia and New Zealand (CAANZ) process, and will progress its support for the recommendation through that forum.The ACCC, as the Commonwealth consumer protection agency, will actively enforce the Australian Consumer Law to ensure consumers are protected from any conduct of digital platforms that may raise consumer protection concerns. The digital platforms branch proposed under Recommendation 4, in addition to monitoring and investigating instances of potentially anti-competitive conduct, will have an important role in monitoring the impact of digital platforms on Australian consumers and digital platforms’ compliance with the Australian Consumer Law.The ACCC is also currently investigating conduct identified during the Inquiry that raise concerns under the Australian Consumer Law (see page 38).
Recommendations in Chapter 7
Recommendation 16: Strengthen protections in the Privacy Act Recommendation 17: Broader reform of Australian privacy law Recommendation 18: OAIC privacy code for digital platforms Recommendation 19: Statutory tort for serious invasions of privacy Recommendation 20: Prohibition against unfair contract terms Recommendation 21: Prohibition against certain unfair trading practices
All of the above recommendations would constitute a very significant improvement in privacy protection and fill a large gap in the law at the moment. It is especially important to implement Recommendation 19, a statutory tort for serious invasions of privacy. Unfortunately that is the least likely to be accepted by the Government based on past comments when faced with similar proposals. There are other caveats to the effectiveness of the recommendations:
- it is all well and good to strengthen the protections in the Privacy Act 1988 however if the regulator is timid and ineffective then they will not be properly used. And the regulator is timid and ineffective. Upping the penalties means little if the current attitude of doing little with the powers currently available continues. Boosting the Commissioner’s budget won’t help much either. The current Information Commissioner is just as languid, tentative and conflict averse as her predecessor. Given the propensity of the Commissioner to talk to rather than act against and an almost obsessive desire to”engage” with malefactors to make them see the light there is a real possibility that there has been state capture of the Commissioner and the operations of the office given the exceptionally poor work rate and weak enforcement. There needs to be an overhaul in the Commissioner’s office. It is currently a backwater with a focus on making as few waves as possible. Not bad for those who want to have a comfortable long term public service career. But it is a disaster for regulation. The Commissioner should come from outside the public service and, preferably, have an expertise in, or at least a knowledge of, litigating. The Commissioner’s bland, state the obvious and don’t say anything in a lot of words, response to the ACCC report highlights the lack of intestinal fortitude in that office.
- codes of practice in Australia, and within the privacy sphere especially, are a remarkably poor means of regulation and difficult to enforce. They are drafted in the broad and vague and provide significant cover for marginal behaviour by organisations and agencies.
- creating yet another ombudsman, this time a digital platforms ombudsman will do little when dealing with serious and egregious interferences with privacy by social media sites and Google. It is a comfortable venue for those organisations to deal with complaints piecemeal and with little cost. Real regulatory action by the ACCC and the Information Commissioner with real penalties and reputational cost associated with such action is the only viable means of effecting change and getting some measure of justice for those harmed.
- the Privacy Act 1988 should be amended and the 60 other pieces of legislation which in one way or another affect privacy and data security should be reviewed and rationalised. The amendments to the Privacy Act should include, at minimum:
- removing many of the exemptions in the Act, including the employment records exemption and the political exemption (which will be unlikely to happen). The rationale for those exemptions was always quite weak.
- removing the small business exemption. An arbitrary figure of a $3 million turnover as determining whether an entity is covered by the Act (with the exception of a number of defined industries) or not is illogical and contrary to public policy. Poor data handling practices by businesses with a turnover of less than $3 million can cause as much harm as large organisations. The test should relate to the information collected by a business not what the financial returns prepared by its accountants.
- removing the scope for external legislation limiting the operation of the Australian Privacy Principles;
- either giving guidelines some form of regulatory force or enacting regulations to provide substance to the Australian Privacy Principles. Currently the guidelines are of little use to a Court or Tribunal. If the status quo is maintained then the approach taken to drafting guidelines should change. They are drafted in such vague and ambiguous terms that they are too often vaguer than the Australian Privacy Principles. That assists no one but those seeking to use them to justify poor behaviour.
- permitting individuals to take action under the Privacy Act 1988 and thereby limiting the Information Commissioner’s gatekeeper role of using the provisions against businesses and organisations. The Commissioner’s approach to dealing with complaints in the most opaque manner and so slowly has robbed the Privacy Act of much of its effectiveness.
- consider whether it is in the interests of justice and proper administration of the Act for the Administrative Appeals Tribunal to continue to have a role in any appeal from the Commissioner’s determination. The AAT’s track record has been quite poor and sometimes worse. It’s approach has been overly affected by the minutae of administrative law rather that considering the operation of the privacy principles and what they are designed to protect. This area of law should be governed more by tortious than administrative law principles. Better that the Federal Magistrates Court be the venue to hear an appeal as a hearing de novo, which is more suited to and cognisant of rights based litigation, and have any appeal to the Federal Court or Full Bench of the Federal Court. Another factor in changing the jurisdiction is the recent concerns raised by the former High Court justice Ian Callinan regarding the AAT.
- with over 30 years of regulatory inaction of the Privacy Act 1988 there is a very poor privacy culture in the business community and, to a much lesser extent, in government. To turn that around will require a very significant effort by the Information Commissioner, the ACCC and ASIC (in ensuring directors properly attend to their fiduciary duties in keeping data secure). That means the regulators bringing cases to court and getting wins against transgressors which can be publicised. The Information Commissioner has proven to be a poor litigator so a complete review of its legal team and an overhaul of its strategy is warranted.
The media coverage has been comprehensive, with a focus on the huge fines proposed, more protection promised and big changes to Google and Facebook.
The media release provides:
The dominance of the leading digital platforms and their impact across Australia’s economy, media and society must be addressed with significant, holistic reform, according to the final report of the ACCC’s Digital Platforms Inquiry released today.
The report contains 23 recommendations, spanning competition law, consumer protection, media regulation and privacy law, reflecting the intersection of issues arising from the growth of digital platforms.
“Our recommendations are comprehensive and forward looking and deal with the many competition, consumer, privacy and news media issues we have identified throughout the course of this Inquiry,” ACCC Chair Rod Sims said.
“Importantly, our recommendations are dynamic in that they will provide the framework and the information that governments and communities will need to address further issues as they arise. Our goal is to assist the community in staying up to date with these issues and futureproofing our enforcement, regulatory and legal frameworks.”
During the course of its Inquiry, the ACCC identified many adverse effects associated with digital platforms, many of which flow from the dominance of Google and Facebook.
These include:
-
- The market power of Google and Facebook has distorted the ability of businesses to compete on their merits in advertising, media and a range of other markets
- The digital advertising markets are opaque with highly uncertain money flows, particularly for automated and programmatic advertising
- Consumers are not adequately informed about how their data is collected and used and have little control over the huge range of data collected
- News content creators are reliant on the dominant digital platforms, yet face difficulties in monetising their content
- Australian society, like others around the world, has been impacted by disinformation and a rising mistrust of news.
“The dominant digital platforms’ response to the issues we have raised might best be described as ‘trust us’,” Mr Sims said.
“There is nothing wrong with being highly focused on revenue growth and providing increasing value to shareholders; indeed it can be admired. But we believe the issues we have uncovered during this Inquiry are too important to be left to the companies themselves.”
“Action on consumer law and privacy issues, as well as on competition law and policy, will all be vital in dealing with the problems associated with digital platforms’ market power and the accumulation of consumers’ data,” Mr Sims said.
Australian media businesses and news consumers
The ACCC has made a series of recommendations to address the digital platforms’ impact on Australian media businesses and how Australians access news.
These include:
-
- Requiring designated digital platforms to each provide the Australian Communications and Media Authority (ACMA) with codes to address the imbalance in the bargaining relationship between these platforms and news media businesses and recognise the need for value sharing and monetisation of content
- Addressing the regulatory imbalance that exists between news media businesses and digital platforms, by harmonizing the media regulatory framework
- Targeted grants to support local journalism of about AU$50 million a year
- Introducing measures to encourage philanthropic funding of public interest journalism in Australia
- ACMA monitoring the digital platforms’ efforts to identify reliable and trustworthy news
- Requiring the digital platforms to draft and implement an industry code for handling complaints about deliberately misleading and harmful news stories
- Introducing a mandatory take-down ACMA code to assist copyright enforcement on digital platforms.
Promoting competition
The Inquiry notes the acquisition of startups by large digital platforms has the potential to remove future competitive threats. Acquisitions may also increase the platforms’ access to data. Both situations may further entrench a platform’s market power.
The ACCC recommends changes to Australia’s merger laws to expressly require consideration of the effect of potential competition and to recognise the importance of data. The ACCC also recommends that large digital platforms agree to a notification protocol that would alert the ACCC to proposed acquisitions that may impact competition in Australia.
The report also calls on Google to allow Australian users of Android devices (new and existing) to choose their search engine and internet browser from a number of options, as proposed in Europe, rather than being provided with defaults.
Empowering consumers
Effective consumer protections are critical to addressing issues associated with dominant digital platforms. Throughout this Inquiry, the ACCC has identified some problematic data practices with the potential to cause consumer harm.
The ACCC is well advanced with investigations into some of these data practices to determine whether there has been a contravention of the Australian Consumer Law.
To deal with further data practices that do not fit neatly within the existing consumer law, the ACCC also recommends introducing a general prohibition on unfair commercial practices.
“Introducing this broad, flexible prohibition will increase consumer protections in fast-moving digital markets to safeguard consumers’ ability to make informed and genuine choices,” Mr Sims said.
The ACCC has also again recommended unfair contract terms should be prohibited and should attract civil pecuniary penalties, and not just be voidable as they are now.
The ACCC further recommends a mandatory standard to bolster a digital platforms’ internal dispute resolution processes and that an ombudsman scheme be established, to assist with resolving disputes and complaints between consumers and digital platform providers.
Protecting privacy
In light of the overlapping nature of privacy, competition and consumer protection issues in digital markets, the ACCC has made a range of privacy-related recommendations, including:
-
- Strengthening protections in the Privacy Act
- Broader reform of the Australian privacy law framework
- The introduction of a privacy code of practice specifically for digital platforms
- The introduction of a statutory tort for serious invasions of privacy.
The Inquiry found that digital platforms’ privacy policies are long, complex, vague and difficult to navigate and that many digital platforms do not provide consumers with meaningful control over the collection, use and disclosure of user data.
Problematic data practices include the use of click-wrap agreements and take it or leave it terms.
“We’re very concerned that current privacy policies offer consumers the illusion of control but instead are almost legal waivers that give digital platforms’ broad discretion about how they can use consumers’ data,” Mr Sims said.
“Due to growing concerns in this area, we believe some of the privacy reforms we have recommended should apply economy wide.”
The recommended amendments to the Privacy Act should be supplemented by an enforceable privacy code of practice, developed by the Office of the Australian Information Commissioner (OAIC), and address data practices specific to digital platforms.
Continued scrutiny of digital platforms
The ACCC recommends the Government establish a specialist digital platforms branch within the ACCC, with standing information-gathering powers, to proactively monitor and investigate potentially anti-competitive conduct by digital platforms and conduct that may breach our consumer laws, and to undertake rolling market studies.
“We believe continuing scrutiny is necessary given the critical position that digital platforms occupy in the digital economy, their continued expansion and the opacity and complexity of the markets in which they operate,” Mr Sims said.
One of the first tasks of the new branch should be to conduct an inquiry into the supply of ad-tech services and the supply of online advertising services by advertising and media agencies.
The inquiry would identify whether any competition or efficiency concerns exist and help achieve greater transparency in the supply of these services.
“The ACCC branch will also provide regular reports to Government on issues as they arise, work closely with other arms of government to help co-ordinate work in this vital area, and be the crucial link with our overseas counterparts to share learnings and responses,” Mr Sims said.
Expert regulators and agencies to play complementary roles
The ACCC recommends future law enforcement and regulation of digital platforms be dealt with by the current regulators including the ACMA, the OAIC and the ACCC.
“The ACCC, the ACMA and the OAIC are already working together closely and have now built up expertise in the areas covered by this Inquiry,” Mr Sims said.
“There has been global interest in this timely Australian inquiry and the many significant international reports and external developments in the past 18 months. These reports demonstrate the shared concerns and momentum for reform.”
“The world has now recognised the impact of the digital platforms’ market power and the impact this has on consumers, news, businesses and society more broadly. Continuing national and world action will now follow,” Mr Sims said.
As time passes the impact of this report will fade, fast. It will end up being of interest to activists and academics. The real test of its effectiveness is when the the Government provides its response and declares its hand on what it will accept and what it discards. If that response comes in a Friday release in late December the signs will not be good.