The future global economy is digital, as central bank digital currencies (CBDCs) gain prominence and AI treads the precipice of a new world. Specifically, the rise of digital platforms at the turn of the twenty-first century heralded this new economic era – one that is founded upon data. The world is now squarely in the realm of platform economics, whereby the value of a particular platform increases in correlation with the growth of its users, interactions and data. It is, therefore, right to state that data is the currency of the digital economy, whilst trust is the enabler of data-driven value creation.
The Precursor to the Privacy Act Review Report
Against this backdrop, the Australian Competition & Consumer Commission (ACCC) released its Digital Platforms Inquiry – Final Report in 2019, which was the result of an investigation into the impacts of digital platforms upon market competition, consumer protection, copyright and privacy. Within the Digital Platforms Inquiry – Final Report, the ACCC proposed significant reforms to the Privacy Act 1988 (Cth) [Privacy Act] that extended beyond the mere regulation of digital platforms to economy-wide changes that implicate all businesses and commercial exchanges.
The ACCC’s proposed reforms to Australia’s privacy regime included:
Significant changes to the Privacy Act that encompass:
- Expanding the definition of personal information to include technical data;
- Increasing minimum notification and consent requirements, including requiring consent with respect to any secondary use and requiring data collection settings to be pre-set to ‘off’; and
- Requiring erasure of data upon request, with limited exceptions.
A new approach to privacy policies and collection notices:
- More rigorous obligations as to the content and form of privacy policies and collection statements, including:
- Mandating that all APP entities provide notice upon collection of personal information;
- Requiring notices to be more informative, including with respect to the purpose for which each type of data is collected and disclosed, and the types of third parties to whom it will be disclosed;
- Optimising the consent experience to reduce the ‘information burden’ upon consumers.
Categorising privacy policies as contracts:
- The categorisation of privacy policies as contracts may render many privacy policies subject to the unfair contracts regime under the Australian Consumer Law (ACL). As privacy policies tend to capitalise upon an inequality in bargaining power, organisations will need to rethink the form and substance of privacy policies to mitigate any risks that may arise. For example, one avenue to mitigating risk could be to ensure that a privacy policy counterbalances the protection of consumer rights and interests with a fair and reasonable purpose for data collection, use and disclosure.
New and more impactful punitive measures for privacy breaches:
- Increased penalties for breaches of the Privacy Act to mirror the increased penalties for breaches of the Australian Consumer Law (ACL);
- Granting a direct right of action for privacy breaches under the Privacy Act; and
- Introducing a statutory tort for serious invasions of privacy.
Pursuing an EU adequacy decision:
- Under Article 45 of the GDPR, the European Commission can make a determination of adequacy status with respect to a country that offers a comparable level of personal data protection to that of the European Union. In turn, the free flow of data can occur between the European Union and a country with adequacy status, enabling vast economic and trade benefits. The ACCC proposed that Australia’s principal privacy legislation be reformed to the extent that an adequacy decision could be supported.
The introduction of data portability into the Australian economic landscape:
- Data portability can improve market competition and consumer welfare, whilst enhancing the productivity of digital markets.
- Data portability was originally introduced into the Australian economic landscape via the Consumer Data Right (CDR); however, its economy-wide introduction via the Privacy Act will further rebalance market and bargaining power.
Prioritising the Privacy Imperative: 4 Corporate Risk Mitigation Measures
Amid heightened regulatory oversight, organisations can implement the following prudent measures to mitigate legal, financial and reputational risks:
- Implement effective cybersecurity controls to guard against the unauthorised access, use or loss of data. The implementation of cybersecurity controls should be complemented by a robust risk mitigation strategy. Tealium can play a vital role in a broader risk mitigation strategy by consolidating data, enforcing consent across all integrated systems and controlling data access.
- Ensure an effective risk management framework from the board level down to enable robust escalation and reporting policies that are understood and current.
- Update and implement a comprehensive privacy compliance strategy and policy that is enlivened by a fit-for-purpose data architecture.
- Develop a response system that will enable compliance with applicable Notifiable Data Breach requirements.
The Next Stage in Australian Privacy Reform
The release of the ACCC’s Digital Platforms Inquiry – Final Report instigated the Australian Government’s review of the efficacy of its federal privacy regime in a global digital economy. Importantly, this review was underpinned by the Australian Government’s increasing recognition of the role of personal information in shaping the contours of the digital economy.
In February 2023, the review process culminated in the release of the Attorney-General’s Privacy Act Review Report [the Report]. The Report comprises 116 proposals for the reform of the Privacy Act. The proposed reforms endeavour to modernise Australia’s privacy regime in line with a maturing digital economy by achieving the policy objective of fair and efficient markets for the benefit of consumers.
In part two of The Shifting Sands of Data Privacy series, the implications of the Privacy Act Review Report will be outlined, alongside key considerations relevant to building the privacy-enabled enterprise of the future. Part two in the series will be released on Monday, 6 March 2023.