Summary: ADMA's submission in response to the Attorney-General Department's Privacy Act Review Discussion Paper.

In January, ADMA made a submission in response to the Attorney-General Department’s Privacy Act Review Discussion Paper. Read ADMA’s full submission.

Consumers benefit from both privacy protections and engagement in the digital economy.

The data-driven advertising and marketing industry is a dynamic sector that contributes significantly to the Australian economy. Ad-supported services facilitates low cost or free access to content and information and better prices for products and services across many sectors of the Australian economy. Data privacy law is a critical component of an economy enabled by data, data-driven marketing and data analytics. Having the right legislative and regulatory framework in place allows responsible marketers to understand the barriers within which they can operate to fulfill their function while also protecting the data privacy of consumers. Our members support a data privacy regulatory framework that protects personal information, while accommodating respectful and fair collection and use of consumer data.

ADMA sees this Privacy Review consultation as being a most important opportunity to bring the Act up to the standards expected and to ensure that it is fit for purpose for a thriving data-driven digital economy. ADMA’s submission expressed strong support for such a Review, but also advocated that data privacy reform is complex and must only address known concerns as to the acts and practice causing privacy harm, not hypotheticals.

First up in its submission, ADMA supported a clarification to the Objects of the Act making it clear upfront that Australia’s Privacy Act protects the interests of an individual in relation to handling of personal information. This is because the word ‘privacy’ covers a broad spectrum of rights, and the Privacy Act addresses only a subset of rights of privacy of individuals – their data privacy interests.

We submitted that we welcomed the modernisation of the threshold concept of the definition "personal information" so that it remains relevant in a digital economy and is interoperable with relevant domestic laws and comparable international data privacy jurisdictions. To that end, ADMA supports the expansion of the definition of personal information to include information that relates to an individual (rather than being about an individual as it currently stands). We believe that a change will provide more clarity for APP entities and reduce the gap that currently exists in the wording of the Act and the OAICs guidance. ADMA also strongly advocated for the importance of ensuring that any change in wording does NOT shift the requirement to make a contextual evaluation when determining if technical data should be considered to be personal information. This remains crucial as technical data in and of itself does not have the same weight in different data environments. The determination of whether particular types of technical information can be considered ‘personally identifiable” depends on other information a regulated entity holds or has access to.

At the other end of the spectrum of the threshold for coverage, ADMA did not support the expansion of the definition of personal information to the extent where that information must be anonymous before it is no longer protected by the Act. Many experts consider that complete and full anonymisation of data is not possible in practice for most consumer data because over time re-identification is always a possibility when other data sources become available, and this cannot always be reasonably anticipated by a regulated entity.

In relation to the notions of consent and notice, ADMA strongly supported the proposal that notices must be clear, current and understandable. This is an important element to data-driven marketing and is equally valuable for regulated entities as it is for the consumer. ADMA also cautioned against moving towards a privacy regime that expands the requirements of consent unnecessarily as this just increases the burden on consumers and increases ‘consent fatigue’ rather than empowering consumers as may be the intent.

In its submission ADMA noted that where consent is required and can be provided by ‘an unambiguous indication through clear action”, ADMA does NOT support an amendment that looks to make “clear action” require a specific affirmative action. There are a number of contexts in which the ability for entities to be able to rely on implied consent is valuable to both consumers and the regulated entity.

With regards to the proposal to introduce a ‘fair and reasonable’ threshold test, ADMA understands and supports the Government’s intention to apply a level of regulated standards that hold entities to account to help build a more trustworthy digital economy with less reliance on consent. However, ADMA does not believe that the test as outlined in the Discussion Paper would achieve the goals intended. ‘Reasonableness’ as an overarching positive legal requirement is highly subjective and having such a test could actually create greater uncertainty into data privacy governance, compliance and data risk assurances of regulated entities.

When it came to the Act and direct marketing, ADMA in its submission stated that it does not support the inclusion of any unqualified right to object to direct marketing usage of personal information. This is because the law through various other related legislation (SPAM Act, Do Not Call Register etc) already, in practice, covers what the proposal is trying to achieve. We believe that properly governed and data privacy assured targeted advertising does not lead to privacy harms and the introduction of the unqualified right to object is unnecessarily restrictive on regulated entities.

ADMA also addressed the opportunity that this Review brings to redefine the phrase ‘direct marketing’ and to consider whether it suitably clarifies the range of activities expected to be undertaken by an organisation in a modern economy.

Overall, ADMA suggested that in the case of responsible marketers, many of the deficiencies in data privacy management arises through a lack of regulated entities understanding of how the Act is to be applied rather than a deliberate malicious intent to disregard privacy laws and their responsibility of compliance. While the Act was drafted to be ‘technology neutral’, rapid advances in technologies has created concepts, processes, identifiers and platforms that the Act does not address clearly. Therefore, a key to this Privacy Review, from the perspective of the data-driven marketing and advertising industry is to consider reform only when such reform assists in providing more clarity in the protection of personal information against actual harms.

ADMA’s submission also addressed other important areas for review including the small business exemption and the need to support this important cohort, the introduction of controller and processor distinctions to improve organisational accountability and to help clarify application of the Australian Privacy Principles. We also addressed the proposed Right to Object as well as the importance of reducing frictions for Australian businesses expanding overseas and in cross-border transactions, understanding that this is a critical requirement for an economy that is becoming more global.

The next stage of this Review will likely be the release of policy recommendations made by the Attorney-General’s Department for drafting of a Privacy Act. While a Federal election may have an impact on the timing of the release of recommendations, this privacy law reform is likely to continue regardless of the outcome of the election. ADMA will remain actively involved in this important reform process as it will be critical to the foundations of data-driven marketing and advertising in Australia.