Submission in response to the Exposure draft of the Privacy Legislation Amendment (Enhancing Online Privacy and Other Measures) Bill 2021 and the Regulation Impact Statement (RIS)

The Association for Data-driven Marketing and Advertising (ADMA) welcomes the opportunity to make a submission to the Attorney-General’s Department  (AGD) in relation to the exposure draft of the Privacy Legislation Amendment (Enhancing Online Privacy and Other Measures) Bill 2021 (Online Privacy Bill), the associated Explanatory Paper (Explanatory Paper) and the Early Assessment – Regulatory Impact Statement (RIS)

INTRODUCTION

Proposals for revision of the Privacy Act 1988 have been eagerly awaited since the Government stated its commitment to strengthening privacy protections and requiring social media providers and entities trading in personal information to develop a code of practice. Even at the time of these announcements, which preceded the global pandemic and associated explosion of the digital economy, industry widely agreed that the Privacy Act required comprehensive review to address challenges of the digital economy.

One of the greatest catalysts of change in the digital economy has been growth and uptake of social media services. ADMA acknowledges that the speed with which large social media platforms are expanding, transforming and acquiring data-driven technologies that expand their existing influence.

ADMA also acknowledges the consumer concerns that arise from activities of organisations that “trade in personal information”. 

However, the OP Bill, if enacted in its current form, would also capture other organisations and activities well outside of social media services and data brokerage services and uses of consumer data derived from provision of those services.

ADMA notes that AGD’s parallel Privacy Act Review envisages substantial, revisions of the Privacy Act that will be applicable to the economy at large and will also address key concerns that the Government has identified in relation to uses of personal information derived from provision of social media services and data brokerage services.

ADMA submits that concerns as to activities of providers of social media services, data brokerage services and large digital platforms are not so pressing as to require a fast-track process to address these issues for limited sectors of the digital economy. 

KEY RECOMMENDATIONS

ADMA submits that requirements for an OP code should be informed by regulatory settings determined by Government through consideration of submissions on the Discussion Paper: that is, within the broader context of Privacy Act reform.

Once the new settings for the Privacy Act are sufficiently clear, the appropriate scope of coverage of an OP code will also be sufficiently clear, and relevant industry sectors might then be expected and required to build an OP code with clarity as to foundational concepts pivotal to creating a fit for purpose OP Code.

If (contrary to ADMA’s submission) the Government elects to now proceed with introduction of an OP Bill, ADMA submits that matters addressed below should be considered in further development of the OP Bill.

THE INTENTION AND PROPOSED PROCESS OF REFORM

ADMA acknowledges that the Exposure Draft is the Government’s initial step in fulfilling its promise to strengthen statutory protection of data privacy.

The Explanatory Paper states that “to address the particular privacy challenges posed by social media and online platforms in complying with the APPs in the online space, it is necessary to provide greater detail and adapt some of the APPs to this context”. However, the only reference to particular and pressing need is in relation to the Facebook/ Cambridge Analytica data harvesting incident in March 2018.   Other reports by regulators  have stated the need for the current economy wide privacy framework to be strengthened to protect consumers from online privacy harms, but have not singled out particular sectors as requiring particular, and more pressing, additional regulation.

The fast-track process required by the OP Bill would require some online sectors to pre-empt substantial areas of reform proposed for further consideration and development in the parallel Privacy Act Review.

Further, if an OP code is mandated for development in advance of the Privacy Act reforms, the code will likely have substantially different operation and effect once the Privacy Act reforms contemplated by the Discussion Paper are enacted. In advance of those changes, future, changed legislative provisions cannot be anticipated by OP organisations, and addressed in an OP Code.

The time, effort and financial burden upon covered organisations in first round development of an OP Code will be very substantial. That estimation did not include the further costs of re-development of an OP Code, which will inevitably be necessary once the full Privacy Act Review is completed. The time, effort and financial burden upon covered organisations in first round code development, with the time limited benefit of a short period of operation before the Government effects its proposed economy-wide Privacy Act reforms, will need to then be repeated to address new and changed requirements of the revised Privacy Act.

As to data brokerage services, it is not clear from the broad scope of this definition in the OP Bill whether the Government is seeking to apply stricter regulation to  many APP entities handling derived data relating to consumers (which the current definition potentially capture), or whether the government is focussed upon activities of entities that aggregate and deal with other entities using personal information about individuals. ADMA suggests that the OP Bill should adopt elements of GDPR and the CCPA in addressing entities that trade in personal information, in particular by utilising the distinction between data controllers and data processors but addressing dealings in personal information about (or relating to) individuals and not other (derived) data. Further, as the definitions are currently drafted, there is a fine and unclear line between “data brokerage services” and “large online platforms”: in particular, it is not clear whether a large online platform that controls data becomes a “data brokerage service” when the entity discloses personal information to another entity only for the purpose of service activation and provision by the first entity of a service as completed and requested by a consumer.

Recommendation:   ADMA does not believe that there is evidence of pressing need to implement an OP Code that outweighs the need to give industry participants clarity and certainty as to foundational elements required to build a comprehensive and workable code. 

A code should not be required in advance of the legislature enacting reforms as canvassed in the Discussion Paper.  Instead, consideration of the matters contemplated in Schedule 1 of the OP Bill should be contemplated (if required at all) after the other reform processes have sufficiently progressed and confirmed as being fit for purpose and (within reason) future proof.

SCOPE: DEFINITIONS

The scope of covered organisations is defined in Division 2A – Key definitions relating to online Privacy.

In section 6W of the Exposure Draft of the OP Bill the meaning of OP Organisation is broken into three categories:
1. Organisations that provide social media services; and
2. Organisations that provide data brokerage services; and
3. Large online platforms.

Recommendation  ADMA submits that the definitions should be rescoped to address (1) a more targeted class of covered organisations, and (2) how that more limited class of covered organisations may give effect to requirements of current APPs, applying current definitions in the Privacy Act.

DEFINITION OF ‘SOCIAL MEDIA SERVICE’

ADMA notes that the definition of ‘social media services’ in the OP Bill does not require that a social media service collect personal information, although this threshold is proposed for the other categories of OP Organisations.

The absence of this requirement here means that the OP Code will also regulate unintentional collection of personal information by a social media service that occurs incidentally through provision and operation of functionality of the platform itself and within other content that is hosted on a platform (such as within forum discussions

Further the draft definition of “social media services” includes the element “where the sole or primary purpose of the service is to enable social interaction between two or more end users’”.  This creates uncertainty as to whether these services that provide chat features (together with other features or functionality such as online inter-player gaming) will fall within either the social or the principal purpose test and therefore be regulated as a ‘social media service.’

Clarity on category within which an OP Organisation is classified, is important as that will determine, in the case of the category of  ‘social media services’ - the other compliance requirements it may also be subject to within the proposed OP Code (ie the parental consent for under 16 year olds).

The definition of social media services excludes ‘organisations which enable online communication, interactions and content sharing as an additional feature, for example, business interactions with customers such as online feedback facilities ’ This exemption is welcome however ADMA recommends that this be addressed as a matter of scope rather than an exception as otherwise there is a potential that organisations may adjust service functionalities in order to align with the exclusion criteria in order to avoid regulation.

Recommendation:   ADMA recommends that the definition of social media services includes a requirement that the social media service collects personal information. ADMA also recommends that the definition in section 6W (1) be amended to include clarifying language that reduces both the potential for confusion and attempts to avoid regulation.

DEFINITION OF ‘DATA BROKERAGE SERVICE’ / ‘LARGE ONLINE PLATFORMS’

The OP Bill’s definition of a ‘data brokerage service’ is broad and will potentially include data analytics services that use derived information which is in effectively anonymised form to derive substantially transformed data analytic outputs such as insights, dashboards, reports etc that may then be made available to third parties in a form which does not enable the recipient to reidentify an individual. While the Government may not have intended to capture such activities as ‘trading in personal information’, the potential scope of operation of the definition of section 6W (3) (a)” is so broad that the definition could encompass such activities.

Similarly, the very broad definition in section 6W (4) (b) would have the effect that the collection of personal information by a “large online platform” as reasonably necessary incident of dealing with an individual (ie capture of information to provide a service or product) brings a provider within coverage, regardless of whether there is any relevant other use or disclosure of that personal information beyond as a reasonable incident of dealing with an individual (supply or purchase of product or service) and regardless of whether any subsequent use or disclosure is only of effectively anonymised derivative information.

The Explanatory Paper states that an ‘end user’ is any individual who uses the [relevant] electronic service and provides the examples of Apple, Google, Amazon and Spotify in order to explain who is a ‘large online platform’. However, it is quite unclear what the common feature is that should bring within coverage other OP organisations that together constitute the class of (by the Government’s estimation) 265 organisations that are captured as large online platforms.

Further, many online services leverage Apple, Google, Facebook, etc. as part of their login or sign-in process. Inclusion of such organisations within coverage may lead to organizations ceasing to use these platforms over concern that their business operations will be caught under the proposed OP Bill, and/or building their own solutions that lack the right security, privacy, and other controls necessary to protect consumers.

Recommendation:   ADMA believes that the current definitions of ‘data brokerage services’ and’ large online platforms’ has an overlap which can be used to tighten the definition and reduce extending the scope unintentionally.

The key criteria for ‘data brokerage services’ should be tightened for coverage based on whether an ‘organisation is trading in personal information’.

ADMA believes that there shouldn’t then be a need for separate coverage of large online platforms in addition to the coverage of data brokerage services because such would fall within the scope of what might be an appropriate scope for data brokerage services.

ADMA recommends refining the definitions in section 6W (3) and 6W (4) to improve intended coverage:
Data brokerage service/ large online platforms: entities that disclose to other entities information about individuals (a) in a form in which any individual is reasonably identifiable by any direct or indirect recipient, or (b) in circumstances in which any individual is reasonably identifiable by any direct or indirect recipient, having regard to other information reasonably available to that recipient

DISPROPORTIONALITY OF RANGE OF ACTIVITIES OF OP ORGANISATIONS

The drafting of the OP Bill has been done in a way where each OP Organisation is covered and regulated for all of their activities not only provision of a service that may have led them to become within scope of the OP Code.

The only exception (outside exercise of Ministerial discretion) is in the event that section 26KC (9) is used by the code developer of the Commissioner to take out of coverage particular activities of a covered entity as specified by the code developer or the Commissioner respectively.

ADMA believes that this approach leads to a clear inequity as between specialist entities and diversified entities and makes it much less likely that potentially covered entities will be able to negotiate and agree a Code: the range of activities that will need to be taken considered in drafting of the code is huge. This is a disproportionate response to policy relevant concerns as articulated by the Government to date.

This also increases the likelihood that a Code will become more difficult to agree upon (because of the diversity of interests and concerns of potentially covered entities) and therefore the Commissioner will determine a Code.

Recommendation: ADMA recommends that the OP Code should cover acts and practices in collection and handling of personal information relating to personally identifiable individuals where that information is directly or indirectly derived from conduct of an activity which is (newly defined as) a “covered activity”.

ADMA suggests the coverage should be of large social media services where the sole or primary purpose of the service is to enable social interaction between 2 of more end users but for clarity not including services principally for online gaming where chat or other interaction between players or observers of player is a feature of the service; and data brokerage services and large online platforms that disclose to other entities information about individuals (a) in a form in which any individual is reasonably identifiable by any direct or indirect recipient, or (b) in circumstances in which any individual is reasonably identifiable by any direct or indirect recipient, having regard to other information reasonably available to that recipient.

INTERACTION WITH CURRENT AUSTRALIAN PRIVACY PRINCIPLES

The Discussion Paper released by the AGD at the same time as the Exposure Draft of the OP Bill, canvasses substantial revisions of existing APPs which address required coverage of privacy policies and privacy notices respectively.

The OP Bill requires these same existing APPs to be addressed and elaborated upon by the OP Code. The Code provisions will then need to be revisited and revised when the APPs are changed by the revised Privacy Act. Previously in this submission, ADMA stated its disagreement with OP Organisations bearing the burden, wastage and costs associated with going through this process prior to the conclusion of the wider Privacy Review.

The most relevant APP’s:
APP 1.4 (c) related to privacy policies:
the OP Code will require entities to ensure that privacy policies clearly and simply explain the purposes for which they collect, hold, use and disclose personal information;

APP 5.2 about privacy (collection) notices:
the OP code will require all notices to be clear and understandable, current and provided in a timely manner. The OP Code will also allow other notice requirements to be imposed in addition to those in APP 5 with a new requirement requiring an OP organisation to notify an individual, or to otherwise ensure that the individual is aware, of the purposes for which the organisation collects, uses and discloses personal information

The intended scope of operation of the proposed new requirement as to notification of purposes is not clear given that that existing APPs 1.4 (c) and 5.2 (d)  already directly address notification of purposes. Section 26KC(2)(c) of the OP Bill may be read as significantly broadening the range of circumstances in which notice must be given to individuals as to purposes of collection and handling, and as to other matters as addressed in APP 5.2.This is an inappropriate and substantial extension to currently legislated requirements as to privacy notices.

APP 3 and 6 currently address when and how consent must be sought for certain specified collections, uses and disclosures of personal information.
Section 26KC(2)(e) goes beyond requiring the code to set out how an OP organisation is to comply with these (existing) APPs, and states that the code must make provision addressing the providing of consent, including “the circumstances in which consent is taken to be provided voluntarily, and is informed, unambiguous and specific; and consent is taken to be current”.
The scope of operation of the proposed new requirement as to consent is clear and substantial, noting that existing law as to consent generally allows inferred consent and does not require consent for many acts and practices in collection and handling of non-sensitive personal information.
Recommendation: ADMA recommends that section 26 KC(2)(e) of the OP Bill should be deleted and the need for and scope of its proposed coverage revisited after completion of the Privacy Act Review.

NEW REQUIREMENTS: AGE VERIFICATION 

Section 26KC (6) (a) – (b) of Schedule 1 of the OP Bill includes a significant issue that is not also in the Discussion Paper as part of the broader Privacy Review. The age verification for the use of social media, along with the requirement for parental consent, to sign up social media users under the age of 16.

Age verification is complex and requires careful consideration weighing up the advantages, potential (and unintended) consequences of implementation.

To effect age verification for children and vulnerable persons, social media companies would require age verification of all users of all social media platforms, not just the targeted cohort of children and/or vulnerable persons.

ADMA believes that the approach suggested in the OP Bill will have no positive impact in achieving the intended goal.

Firstly, parents for the most part are already aware of their children’s presence on various platforms and making these parents/guardians consent before letting the child under 16 use social media will have no material change to the data collection models that underpin social media nor will it reduce the harms that flow from it.

Also, age verification goes against the principle of privacy frameworks that try to minimise the collection of personal information. The suggested model of age verification will have the opposite effect of providing the social media companies more information – some of which will be relational information that the social media company may not already have (not all children are friends with /follow /are followed by, their parents on social media).

Any approach that is considered will have some risk of incorrectly classifying a child as either an adult or an older child, possibly allowing them access to potentially harmful services or inappropriate material. Some methods can be circumvented. For example, a child or parent can provide false information in a self-declaration, or a child could log into their parent’s account to complete account confirmation. If the Government wants to move ahead with a proactive approach, it could consider whether parental controls is more suitable than age verification, although this will be a struggle to implement to the age of 16 for the very nature and temperament of children in their teens. The spill-over effect of this will be pushback from the social media platforms not wanting to lose a key audience demographic.

The often spoken about ‘harms of social media’ relate to the addictive, toxic serving of content that is underpinned by data from and about its users. The societal harms to children come from the ongoing manner in which data is manipulated in ways where harms can’t be seen. The regular serving of specific content that is generated from data collected with each interaction the child has with the platform can be more damaging to a child’s mental health and can go predominantly until the harm has been done. Implementation of age verification will do nothing to curtail the ongoing collection of data and will in other ways only feed the current toxicity. Furthermore, it will provide social media companies (and their algorithms) even more information and this will only perpetuate the digital harms and flow on effects.

Recommendation
ADMA believes that age verification is contrary to the aim of privacy protection, which essentially relies on data minimisation. Furthermore, the costs involved with implementing age verification would far outweigh the benefit gained.

ADMA recommends that the proposal for age verification be considered at greater length in the form raised in the wider Privacy Act Review taking place in parallel to this consultation on the Exposure Draft of the OP Bill, before considering how it should be implemented (if at all) in a future OP Code. There may also be merit in breaking up the definition of children to be handled differently (ie pre-teens cannot in today’s society be expected to be treated the same as teenagers). Given the Government has not stipulated any specific urgency for this, it is better that reforms in this space are the result of a broader and more considered approach rather than becoming, through immature implementation, yet another veil of “compliance” that a social media platform can point to, to exonerate what could be otherwise classed as ‘smoke and mirror’ behaviours.

ADMA believes there would be better results in working with social media platforms to first better identify and then manage how the data they already have (and handle) must be used more responsibly.

Conclusion
ADMA is supportive of Government and the legislature delegating to industry participants a leading role in the development of Best Practice guidance and codes as to how to implement legislative compliance frameworks as to data privacy.
The likely reforms to the Privacy Act, as envisaged by the AGDs Discussion Paper should first be considered as to how it applies to the economy as a whole before a draft Bill suggesting another layer of regulation is put forward. Any prospective OP Code will require more responsibility and accountability of covered entities and therefore the clarity and confidence that will come from the wider Privacy Review consultation cannot be underestimated.
ADMA looks forward to continued engagement with the Attorney-General’s Department, the Office of the Australian Information Commissioner and other stakeholders involved in this important review of the Privacy Act. While changes in the privacy regime will have economy-wide application, it will directly affect the data-driven marketing and advertising industry in how it delivers its core functionality. ADMA looks forward to submitting its response to the AGD’s consultation on the Discussion Paper.

ABOUT ADMA
ADMA represents the full 360 degrees of Australia’s media, marketing and advertising ecosystem. ADMA itself is the principal industry body for data-driven marketing and advertising in Australia, representing over 350 organisations from a broad spectrum of Australian industries. Together these organisations employ about 28,000 marketing professionals, many of whom are on the cutting edge of the data revolution. Members range in size from SMEs to multinational corporations. They include banks and telecommunication companies, global tech companies, advertising agencies, specialist suppliers of marketing services, statutory corporations, retailers, specialist industries such as travel, hospitality and automotive, charities (both large & small) and educational institutions. 

ADMA, as the principal industry body for data-driven marketing and advertising, is committed to upholding good standards in privacy. ADMA members are advocates of responsible marketing and as such recognise that a sustainable marketing and advertising sector requires fair and transparent business practices in the handling of consumer data (including personal information) and that such practices reflect a respect of consumers which in turn nurtures digital trust.
ADMA members take their privacy compliance responsibilities very seriously and support a regime that protects the personal information of the consumers understanding that responsible marketing practices stem from a compliance with data privacy law.
ADMA is keen to support all key stakeholders, however it can to ensure that the review of the Privacy Act and regulatory regime is considered both through reform of the instrument itself and its application to industry. This will help ensure that Australia’s privacy framework will be fit-for-purpose and the regime will be future proof to the extent that it can be while executing its objective and purpose effectively.
ADMA acknowledges that our members may have an interest in individual questions raised in the Issues Paper, however in this submission we focus on key issues as they pertain to the data-driven marketing and advertising industry.
Individual members of ADMA may provide separate submissions to the Attorney-General’s Department.