04 Aug 2021

  • Digital Marketing
  • Privacy and Compliance

Privacy on notice with changes ahead

Marketers should formulate opinions and make submissions on the review of Australia’s Privacy Act, with a new exposure draft and discussion paper expected soon.

Social media, smartphones, ridiculously long terms and conditions forms and misunderstanding of how data is used have elevated concerns around privacy for citizens, with the government promising to evolve the Privacy Act to meet the needs of a rapidly changing industry landscape. 

The Digital Platforms Inquiry Report flagged this hot potato issue back in 2019, and we summarised the issue in this article.

With privacy underpinning the way digital marketers perform their work - particularly collecting the information for targeting or communications - it’s vital for ADMA members to keep their eyes peeled for the new Exposure Draft and Discussion Paper expected from the Attorney-General’s department around privacy laws.

These new drafts and reports will aim to balance data collection (especially personal information that creates ‘profiles’) against the risk of harm, particularly from foreign-owned digital platforms and social media companies.

Another potential red flag for the new legislation is it may insert “some kind of notion of fairness and reasonableness” for companies to collect, use and disclose personal information, even when citizens have given consent.

What do ADMA believe is likely to be changed in the review of the Privacy Act (1988)?

Privacy regulation is only going to get tighter, with a likely increase in fines and penalties for data breaches. Key privacy first raised by Europe’s implementation of GDPR legislation and California’s strict 2020 privacy laws continue to echo in Australia.

The Australian government is trying to balance legislation, platforms and changing consumer expectations to regulate towards a ‘privacy-first’ mindset that gives consumers more control of personal data, while increasing transparency and demanding more accountability from the companies and platforms that profit from data. 

What could be raised in the new Privacy Exposure Draft and Discussion Paper?

We suspect changes to the definition of personal information to better reflect data that can identify or reasonably identify someone. We also suspect that the issues of consent and notice will bend and be re-evaluated.

The Privacy Act and Australian Privacy Principles were introduced when technology had different capabilities and consumers weren’t so wedded to using smartphones for everything from banking to COVID check-ins.

The current consent and notice framework – which relies on consumers opting into meaninglessly long terms and conditions contracts – is no longer enough to achieve the objective of the Privacy laws. We believe the government wants to examine the issue of ‘consent fatigue’ and what is considered notice of using personal information.

We believe the very notion of privacy legislation could be redefined in this review, and are hopeful the changes will be realistic for consumers and businesses.

We also hope that any possible consideration to remove the small business exemption won’t cripple businesses with arduous overheads (In our submission in response to the Issues Paper, we reference the Corporations Act as an example).

How can marketers and advertisers be prepared for privacy changes?

We shouldn't assume that Australia will just cut and paste the GDPR or repeat the privacy laws of California. What we should take away from international Privacy models is the fact that the laws are tightening not relaxing. Australia has already been on the journey of understanding the importance of implementing Privacy by Design approaches into their governance frameworks

Businesses must assess their own privacy and personal information practices, processes, systems and documentation.  Where in the business is data collected, what is the purpose of the collection now and in the future, what kind of data is being collected and do you collect, store or use personal or sensitive information? 

Every business needs proper privacy consent, architecture and levels of access to guarantee security. Businesses should assess the documentation - things like notices, contract terms, consent wording -  they currently have in place.

A precautionary note is that businesses shouldn’t change privacy consent and notices until the internal cleanse has been done. Marketers and other divisions of the business must work together to make sure privacy-first frameworks are successfully implemented.

We recommend businesses assess why data is being collected, how they intend to use it and whether this matches consumer understanding of how their data will be used.

Marketers need to think ahead and prepare a privacy-by-design framework to collect, manage, use, access, and disclose data. Then it's time to look at reviewing the documentation. This shouldn’t just be seen as needing to “write a new Privacy Policy”. 
The global platforms have reacted to the current environment and made privacy a key message. Everyone is taking it seriously.  Marketers need to do the same.

How might digital platforms evolve with changing privacy regulation?

Politicians have been ramping up pressure on digital platforms, with a senate estimates committee meeting last Friday demonstrating harsh language about social media companies' use of Australian citizens’ data collected through smartphones.

“Given we also know that foreign entities use and weaponise these data profiles to influence the hearts and minds of the public, will the current review of the Privacy Act impose new limitations on the collection and use of Australian personal information,” one senator asked in a Senate Committee meeting about foreign interference through social media.

The bureaucrats did reveal that new Exposure Draft legislation that specifically target “social media companies and certain other online platforms” particularly around:
-    How personal information is used by these companies, particularly given the vast volumes collected.
-    How consent is obtained.
-    How privacy for young people should be protected.

“The correct balance between protecting individuals’ personal information and still ensuring that we can operate in a very digital economy” is how the bureaucrat described the ambition of the latest Privacy Act review, which had an issues paper released last year.

The review has been delayed - apparently by COVID-19 and the need to go through more than 200 submissions - but the Exposure Draft is said to be coming “in a couple of weeks”, with a Discussion Paper to follow.

Need more info?