July Regulatory Round-Up

Digital Platforms Inquiry Final Report Expected Shortly

The final report of ACCC’s Digital Platforms Inquiry is expected soon and there is plenty of speculation around what regulatory changes it may foreshadow.

The preliminary report identified a number of issues related to news media and advertisers including the market influence of the major digital platforms and the potential for significant changes to competition, consumer protection and privacy laws, including an enforceable code of practice under Part IIIB of the Privacy Act to provide Australians with greater transparency and control over how their personal information is collected, used and disclosed by digital platforms.

The Government’s response to the final report will determine whether Australia embarks on a new era of regulatory reform. In ADMA’s submission to the DPI, we challenged the need for new regulatory provisions, arguing that Australia’s existing principles based approach to privacy and consumer protection are sufficient to meet current and future challenges.

ACMA bids to be the ‘Content Regulator’ for Digital Platforms

The Australian Communications and Media Authority has put its case forward to become the “content regulator” under whatever new regime emerges from the DPI. In its submission, ACMA said:

“We propose that a new regulatory framework should be developed that is: principles-based, outcome focused and based on a communications stack model and that allows for different regulatory approaches. We also consider that a single regulatory framework for content delivered across any platform should have oversight by a single content regulator, in consultation with local and international regulators. With responsibility for a wide range of regulation of traditional media and increasingly of online platforms, the ACMA is best placed to take on the role of single content regulator.”

ADMA has argued that the existing regulatory framework, which is media and platform neutral, is adequate to respond to future challenges.

The Consumer Data Right – Lapsed Bill likely to be re-introduced to Parliament shortly

A Bill giving consumers a right of access to data relating to them (Consumer Data Right) which lapsed after the recent federal election was called, is expected to be re-introduced to the Federal Parliament in July.

The new regime is being rolled out in the banking sector first, followed by the energy and telecommunications sectors. The intent is to enable consumers to more readily switch providers of these services. Consumers will be able to direct their current supplier to provide their data to other suppliers or comparison services, boosting competition across these sectors. Eventually, the government intends to extend these same rights of access to all sectors of the economy.

The Consumer Data Right will generally only permit data relating to identifiable consumers to be transferred to accredited data recipients. The competition regulator, the ACCC, will be responsible for data recipient accreditation. Accreditation will aim to ensure that the data recipient is a person who can be trusted to receive, hold and use data. The accreditation criteria will be set out in the Rules and are expected to include information security, privacy and identity verification requirements. Some examples of the types of firms who may apply for accreditation (and therefore be bound by it in relation to data received through the CDR) are:

• Price comparison websites that compare products taking into account how the customer actually uses the product (e.g. how they use their credit card)

• Budgeting apps that need access to raw banking transaction data

• Accounting software packages that need access to raw transaction data

The ACCC has proposed that the first version of the Rules will prohibit an accredited data recipient from on-selling CDR data, aggregating it to build profiles of third parties without their express consent, or from using CDR data for the direct marketing of products or services unrelated to the product or service to which the data relates.

The Australian Government has recently published Consumer Data Right Privacy Protections to explain the additional privacy rules that apply to CDR data.

First Anniversary of GDPR Passes Quietly but Ominously

When Europe’s General Data Protection Regulation took effect a year ago, many in Australia shrugged their shoulders and said, “Nice for them, but not my problem.” But that might not be quite the case.

In California a ‘lite’ version of GDPR called the California Consumer Privacy Act has already passed into law. Can changes to Australia’s privacy laws be far behind? In a recent article for Brink, Matthew McCabe, Senior Vice President and Assistant General Counsel on Cyber Policy at Marsh , points out that “Regulators intended for the reach of the GDPR to extend far beyond the EU’s borders, with the rights granted under it following wherever an individual’s data may sprawl. However, the GDPR has also prompted many nations to introduce comprehensive data privacy rules of their own. Brazil, India, Japan, Thailand, the U.S and others have adopted laws with protections similar to those in the GDPR.”

As the first anniversary slips by, it is becoming increasingly clear that the globalisation of consumer data regulation is a new reality that will change business practices here in Australia, as elsewhere in the world.

The ‘Human Element’ in Data Breaches

At the opening event of Privacy Awareness Week, Information and Privacy Commissioner Angelene Falk released the first report since the onset of compulsory breach reporting. “Perhaps the most important insight from this report is that most data breaches, including cyber incidents, involve or exploit a human element. Whether it’s sending information to the wrong person or clicking on a phishing link, employees were centrally involved in most of the data breaches reported to the OAIC.”

She challenged businesses to move beyond a purely compliance approach. “We believe entities are now well equipped to meet their obligations and take proactive steps to prevent breaches of personal information... This means fostering a workplace culture where privacy and security are organisational priorities. We expect you to support consumers effectively, take responsibility for the impacts of a data breach, and help people mitigate the harm that may result.”

ADMA’s web based privacy training can help ensure your staff are privacy aware, reducing your risk of a privacy breach.

New Minister for Communications has ‘Cyber Safety’ added to his Portfolio

Under the new Morrison Government, the Hon Paul Fletcher MP becomes Minister for Communications, Cyber Safety and the Arts. In making the announcement, Prime Minister Scott Morrison emphasised the new cyber safety aspect of the role: “As the National Broadband Network nears full roll out and social media becomes an even more prominent front in the fight to keep Australians safe, Paul Fletcher, as Minister for Communications, Cyber Safety and the Arts brings extensive experience and insight to the task.”

Mr. Fletcher has worked extensively in the communications sector since the mid-90’s as a policy adviser, as a senior executive at Optus for eight years, as a consultant serving the sector, and more recently as Parliamentary Secretary to the Minister for Communications from 2013 to 2015.