ADMA’s view on privacy: open the door for trust & digital economic participation

Regulating privacy in Australia is under review: here’s what marketers should know.

Privacy and freedom have a lot in common. Both concepts are best understood only when they have been invaded, gone wrong or crumbled.

Australia doesn’t have a ‘bill of rights’ to legally enshrine freedom, but we do have a Privacy Act.

And how we legislate and enshrine privacy in law is under review right now in the Attorney-General’s department in Canberra, with a formal re-examination of Australia’s 1988 Privacy Act.

The Privacy Act was first put on notice in 2019, when the federal government released its Digital Platforms Inquiry Final Report and said Australian privacy laws needed to be reviewed as part of its clampdown on Google and Facebook (check recommendation 16, for those who want the details).

It looks we will get a glimpse of Australia’s new privacy legislation in April or May 2021, when a new ‘exposure draft’ of the proposed changes - along with a new Discussion Paper - will be made public.

ADMA has made its own submission to the privacy review - which you can read in full here - and is encouraging the industry to have its say when the next Discussion Paper is made public.

So what’s happening with the Privacy Act in Australia?

Privacy has been challenged by technological change since it was enshrined in common law back in 1847 when Queen Victoria took legal action to prevent a newspaper publishing her etchings of her children.

Back then, the royal family wanted to prevent a newspaper publishing the Queen’s drawings, which had been reproduced thanks to printing technology advances that could turn one drawing into multiple etchings.  (The fear was that these etchings would make the Queen seem like a common mother rather than regal royalty.)

Today, technology change has upended more than the printing press ever did. We can create selfies of our common everyday lives faster than you can say ‘etching’. What’s more, all of us create a vast exhaust trail of meta data and personal information even if we don’t take selfies.

A 2020 survey by the OAIC found 59% of Australians do not like the way their personal information is being handled and 70% were concerned about our privacy.

So how should governments protect our privacy in an age where we willingly give up personal information for the conveniences of social media, web browsing, online banking and navigating the streets with online maps? We’re about to find out …

What was wrong with the existing Privacy laws?

Most legal experts believe Australia’s privacy laws are good. Our 1988 Privacy Act was last updated in 2014 to:

• Introduce penalties of up to $1.7m for companies and $340,000 for individuals who breach the act.

• Give more power to the Office of the Australian Information Commissioner, particularly to set up a notifiable data breaches scheme.

• Prescribe better ways to manage personal information used in connection with consumer credit.

• Create 13 Australian Privacy Principles (also called APPs) which replaced the Information Privacy Principles and National Privacy Principles. The APPs generally apply to government agencies and to private sector organizations with an annual turnover of $3 million or more (‘APP entities’).

Since those 2014 legal changes, the Australian federal government has started its far-reaching Digital Platforms Inquiry and signaled it wants to:

1. Increase the financial penalties for breaching the Privacy Act

2. Regulate social media platforms and others who “trade in personal information” through the Privacy Act

ADMA’s view on what needs to happen with privacy regulation

Australian privacy laws must clearly define the legal concepts it is trying to protect if the legislation is to remain future-fit and technology proof.

It’s ADMA’s view that businesses - particularly small businesses who don’t have the same resources as global technology giants - must be supported to create a privacy-compliant future.

Our legal frameworks must give all Australians access to a trusted digital economy that is diverse and global.

We would like any new privacy laws to offer clear legal definitions of what personal information is and how consumers should opt in for it to be collected.

ADMA also believes it’s vital that smaller businesses can operate without having to invest in expensive or cumbersome systems to manage the flow of personal information through the ecosystem.

Privacy laws should also clearly distinguish between malicious actors who use tools like ‘zombie cookies’ and compliant and ethical businesses who process personal information.

Hundreds of companies and not-for-profits have already made submissions to the Privacy Act Review - including ADMA - and we advise all our members to be prepared to follow the issue closely and be prepared to have their say.

Privacy cannot be viewed in isolation with so much disruption in play

ADMA believes changes to this country’s privacy laws - and all the other regulatory reforms underway - cannot be viewed in isolation. All new regulation must factor in broader issues like:

• The demise of third party cookies
  This technology change will be completed by 2022 when Google Chrome stops supporting cookies, yet there is no one clear plan as to what technology will replace the cookie and whether this may further entrench the global companies’ data power. This change will impact all digital platforms, especially advertisers, marketers and publishers (including the ‘expanded’ definition of news businesses, which the the News Media bargaining  Code says now includes sporting companies like the NRL and other groups).

• The changes underway as part of the ACCC’s Australian Advertising & Marketing Services inquiry
  The ad tech industry is also under review by the ACCC - not to be confused with the broader Digital Platforms Inquiry -  which will continue to change how personalised marketing and advertising is served to consumers.

• The reforms happening as part of the ACCC’s Digital Platforms Inquiry
  This inquiry is far-reaching and includes the News Media Bargaining Code, mobile app marketplaces, Google and Facebook’s market power, the review of privacy laws along with plans for a new ombudsman to regulate technology platforms. This review will be ongoing until 2025, with interim reports released every six months to update the industry.

• The changes to Consumer Data Right legislation
  As the new Consumer Data Right rolls out across telecommunications and other industries, any privacy legislation changes need to be done in tandem with laws that regulate how consumers access the data and information held about them by businesses.

• Business and citizens increasing reliance on digital technology for day-to-day tasks
  The COVID-19 pandemic saw dramatic increases in people using virtual meeting software like Zoom or Microsoft Teams, the need for QR codes to trace people’s activity and a rise in working from home rather than the office. The acceleration to digital - which relies on processing and creating ever more data about citizens - is now intrinsic to our economic, social and productivity growth.

• The antitrust investigations and increasing global regulation of large technology platforms
  American or European legislation could impact the way Australians use technology services if we don’t ensure our own legislation is watertight. This is why ADMA believes the privacy regulations around overseas data flow must ensure Australia remains a competitive digital economy player and that our citizens’ personal information is not compromised if it flows into other legal domains.

• Security issues in the digital space and ‘bad actors’
  Although officially outside of the scope of the Digital Platforms Inquiry, the rise of scams and digital security problems already unfairly burden smaller businesses who don’t have the same resources or access to technical skills of larger companies. Even large enterprises - like Nine Entertainment Company - have been subjected to damaging security breaches.

Our view on the future of privacy in Australia

As ADMA wrote in its submission for the Privacy Act Review: “Privacy law is a critical component of an economy driven by data.”
ADMA is of the view that Privacy Act reforms should:

• Improve efficiencies and benefits to citizens.

• Maintain digital trust.

• Give regulators appropriate authority.

• Relieve businesses from unnecessary burdens and expense if they handle data in a fair, transparent and responsible manner.

We believe the data-driven advertising and marketing industry should contribute and have a say about new privacy regulations as more details are released.