ADMA's Privacy Act Review Submission Summary

5 May 2023

The recent Privacy Act Review Report was a watershed moment for privacy in Australia and an important inflection point for data-driven marketing. ADMA as the peak body for data-driven marketers was heavily involved in the consultation with the regulatory bodies and provided a lengthy submission.

In summary the ADMA submission covered the following points and arguments from the marketing industry perspective. We once again thank our members and the broader community for their input as part of the submission process.

1. ADMA continues to support moves to enhance privacy safeguards for Australians.

2. ADMA supports many of the Proposals put forward in the Report, some as recommended and others with minor amendments.

3. While ADMA supports the intention behind the approach adopted in the Report, some of the Proposals as drafted will affect little protection from bad actors and instead be burdensome on good actors, confusing for affected individuals, and in some cases effect substantial societal detriment for limited benefits.

4. Direct Marketing, Targeting and Trading: One focus of ADMA’s submission relates to Direct Marketing, Targeting and Trading where we see the relevant Proposals in this area would increase uncertainty and add unnecessary complexity to the existing compliance framework in the digital marketing sector.

5. Definitions too broad: Proposed definitions of Direct Marketing, Targeting and Trading are too broad, and will cause ambiguity. Overly broad coverage (beyond reasonable scope) will adversely affect quality and range of services available to citizens and create unnecessary confusion and complexity for APP entities implementing changes to systems and processes and data handling practices as required to give effect to the proposed reforms.

6. Consent/ opt out fails to protect from most important privacy harms: Consent based/optout frameworks don't solve for inappropriate data collection and data abuse by bad actors. These frameworks also promote the unrealistic consumer expectation that they will never see an audience segmented ad. Explanations as to use of broad audience segments are often confused with much more granular personalisation through profiling. Attempts by organisations to explain uses of privacy enhancing technologies (PETs) for effective anonymisation may lead to consumer confusion resulting in the counter-productive effect of creating disincentives for organisational adoption of PETS and effective anonymisation. Opaque and harmful targeting should be addressed, not broad audience segmentation.

7. Application of Proposals highlight impracticality: Applying the Proposals to real-world use case scenarios reveals concerns with the approach adopted and the compliance burden that will be imposed on APP entities, the potential confusion data subjects will face and the failure to protect against the actions of bad actors.

8. Unintended/ secondary consequences don’t seem to have been considered: The amendments fail to preserve situations where certain types of data collection are necessary to protect users, young people, protect data security, comply with other requirements (i.e. not to market products to consumers where an APP entity ought reasonably anticipate would cause them financial hardship) or consumer expectations (i.e., not to be marketed for a product or service that they already have or that is inappropriate for their needs).

9. Litigation driven enforcement: The proposed direct right of action may lead to uncertain but potentially costly litigation exposures from plaintiff class action lawsuits, particularly if plaintiff lawyers may litigate as to whether a data handling practice is “fair”. In an increasingly digital society and economy, this may create significant economic and social uncertainty and discourage innovation and investment in the digital economy.

10. Not everything can be regulated through the Privacy Act: An underlying theme of the Report and Proposals is the need to address perceived consumer harm from "big data" and "big tech". The Proposals should focus upon addressing recognised categories of privacy harms to affected individuals. Other consumer harms, such as harms caused by misleading practices such as use of ‘dark patterns’, or arising from use of unfair contract terms (including inclusion of unfair provisions in a privacy policy or privacy notice), should be addressed by

Australian Consumer Law. Harms to competitive neutrality and the Australian economy should be addressed through competition law.

11. Regulate for the outcome: There is a need to clearly categorise the forms of behaviour that should be prohibited or subjected to guardrails or heightened controls, and then legislate to effect that outcome.

12. Need for further consultation in some areas: ADMA believes this Review will benefit from more in-depth, solution-specific consultation across industry verticals (federal, state and local) and certain use cases (for example loyalty and financial services), as well as a focus on how to protect sensitive data sets from abuse/misuses (i.e., for protection against hacking and other malicious activity and to ensure national security).