Modern Australian
The Times

A new proposed privacy code promises tough rules and $10 million penalties for tech giants

  • Written by Katharine Kemp, Senior Lecturer, Faculty of Law & Justice, UNSW, UNSW
A new proposed privacy code promises tough rules and $10 million penalties for tech giants

This week the federal government announced proposed legislation to develop an online privacy code (or “OP Code”) setting tougher privacy standards for Facebook, Google, Amazon and many other online platforms.

These companies collect and use vast amounts of consumers’ personal data, much of it without their knowledge or real consent, and the code is intended to guard against privacy harms from these practices.

The higher standards would be backed by increased penalties for interference with privacy under the Privacy Act and greater enforcement powers for the federal privacy commissioner. Serious or repeated breaches of the code could carry penalties of up to A$10 million or 10% of turnover for companies.

However, relevant companies are likely to try to avoid obligations under the OP Code by drawing out the process for drafting and registering the code. They are also likely to try to exclude themselves from the code’s coverage, and argue about the definition of “personal information”.

The current definition of “personal information” under the Privacy Act does not clearly include technical data such as IP addresses and device identifiers. Updating this will be important to ensure the OP Code is effective.

Which organisations would be covered and why?

The code is intended to address some clear online privacy dangers, while we await broader changes from the current broader review of the Privacy Act that would apply across all sectors.

The OP Code would target online platforms that “collect a high volume of personal information or trade in personal information”, including:

  • social media networks such as Facebook; dating apps like Bumble; online blogging or forum sites like Reddit; gaming platforms; online messaging and videoconferencing services such as WhatsApp and Zoom

  • data brokers that trade in personal information, including Quantium, Acxiom, Experian and Nielsen Corporation

  • other large online platforms that collect personal information and have more than 2.5 million annual users in Australia, such as Amazon, Google and Apple.

The OP Code would impose higher standards for these companies than otherwise apply under the Privacy Act.

Read more: It's time for third-party data brokers to emerge from the shadows

Higher standards for consent - maybe

The OP Code would set out details about how these organisations must meet obligations under the Privacy Act. This would include higher standards for what constitutes users’ “consent” for how their data are used.

The government’s explanatory paper says the OP Code would require consent to be “voluntary, informed, unambiguous, specific and current”. (Unfortunately, the draft legislation itself doesn’t actually say that, and will require some amendment to achieve this.)

This description draws on the definition of consent in the European Union’s General Data Protection Regulation.

Under the proposed code, consumers would have to give ‘voluntary, informed, unambiguous, specific and current’ consent to what companies do with their data. Jeff Chiu / AP

In the EU, for example, “unambiguous” consent means a person must take clear, affirmative action – for instance by ticking a box or clicking a button – to consent to a use of their information.

Consent must also be “specific”, so companies cannot, for example, require consumers to consent to unrelated uses (such as market research) when their data is only needed to process a specific purchase.

Requests to stop using and disclosing personal information

The ACCC recommended we should have a right to erase our personal data as a means of reducing the power imbalance between consumers and large platforms. In the EU, the “right to be forgotten” by search engines and the like is part of this erasure right. The government has not adopted this recommendation.

However, the OP Code would include an obligation for organisations to comply with a consumer’s reasonable request to stop using and disclosing their personal data. Companies would be allowed to charge a “non-excessive” fee for fulfilling these requests. This is a very weak version of the EU right to be forgotten.

For example, Amazon currently states in its privacy policy that it uses customers’ personal data in its advertising business and discloses the data to its vast Amazon.com corporate group. The proposed OP Code would mean Amazon would have to stop this, at a customer’s request, unless it had reasonable grounds for refusing.

Ideally, the code should also allow consumers to ask a company to stop collecting their personal information from third parties, as they currently do, to build profiles on us.

Read more: How one simple rule change could curb online retailers' snooping on you

Increased protections for children and vulnerable groups

The draft bill also includes a vague provision for the OP Code to add protections for kids and other vulnerable people who are not capable of making their own privacy decisions.

A more controversial proposal would require new consents and verification for kids using social media services such as Facebook and WhatsApp. These services would be required to:

  • take reasonable steps to verify the age of social media users

  • obtain parental consent before collecting, using or disclosing personal information of a child under 16

  • ensure its data practices are “fair and reasonable in the circumstances”, with the best interests of the child as the primary consideration.

What is ‘personal information’?

A key tactic companies will likely use to avoid the new rules is to claim that the information they use is not truly “personal”, since the OP Code and the Privacy Act only apply to “personal information”, as defined in the Act.

The companies may claim the data they collect is only connected to our individual device or to an online identifier they’ve allocated to us, rather than our legal name. However, the effect is the same. The data is used to build a more detailed profile on an individual and to have effects on that individual.

Australia needs to update the definition of “personal information” to clarify it includes data such as IP addresses, device identifiers, location data, and any other online identifiers that may be used to identify an individual or to interact with them on an individual basis. Data should only be de-identified if no individual is identifiable from that data.

Increased penalties and upgraded enforcement

The government has pledged to give tougher powers to the privacy commissioner, and to hit companies with tougher penalties for breaching their obligations once the code comes into effect.

The maximum civil penalty for a serious and/or repeated interference with privacy will be increased up to the equivalent penalties in the Australian Consumer Law.

For individuals, the maximum penalty will increase to more than A$500,000. For corporations, the maximum will be the greater of A$10 million, or three times the value of the benefit received from the breach, or (if this value cannot be determined) 10% of the company’s annual turnover.

The privacy commissioner could also issue infringement notices for failing to provide relevant information to an investigation. The maximum penalty will be A$2,644 for individuals or A$13,320 for companies.

Such civil penalty provisions will make it unnecessary for the Commissioner to resort to prosecution of a criminal offence, or to civil litigation, in these cases.

Don’t hold your breath

Once legislation is passed, it will take around 12 months for the code to be developed and registered.

The tech giants will have plenty of opportunity to create delay in this process. Companies are likely to challenge the content of the code, and whether they should even be covered by it at all.

Authors: Katharine Kemp, Senior Lecturer, Faculty of Law & Justice, UNSW, UNSW

Read more https://theconversation.com/a-new-proposed-privacy-code-promises-tough-rules-and-10-million-penalties-for-tech-giants-170711

Plantation Shutters vs Curtains: Which Is Better for Your New Home?

Moving into a new home is an exciting opportunity to personalise your space and make it your own. While many homeowners focus on furniture, flooring...

Celebration of Life vs Traditional Funeral: What's the Difference?

When saying goodbye to someone you love, there is no single way to honour their life. Every family has different traditions, beliefs, and preference...

Building Approval for Roofing Projects: What Homeowners Need to Know

Roofing projects are an important part of maintaining and protecting your home. Whether you're repairing storm damage, replacing an ageing roof, or ...

Chatswood Tutoring And Its Role In Academic Achievement

Academic success often requires more than classroom attendance alone. Students face increasing expectations as they progress through school, particu...

Why Laser Hair Removal Treatments Continue Growing In Popularity

Managing unwanted hair can become time-consuming and frustrating for many people, especially when shaving, waxing, and other temporary methods requi...

Choosing the Right Devices for a Flexible Workplace

For IT leaders managing large fleets, the device layer is where workforce productivity and security policy meet. The shift towards flexible and hybrid...

How Business Advisory Services Help Companies Achieve Sustainable Growth

Every business owner aims to build a profitable and sustainable organisation. While dedication, innovation, and hard work are important, achieving l...

Why Body Contouring Has Become A Popular Cosmetic Treatment

Many people maintain healthy lifestyles through regular exercise and balanced eating habits but still struggle with stubborn areas of fat that are d...

How to Choose the Right POS Hardware for Your Business in Australia

A lot of Australian business owners spend weeks researching POS software but buy hardware almost as an afterthought. That's a mistake. The wrong har...

Why Material Handling Hose Is Critical for Industrial Efficiency

A high-performance material handling hose is an essential component in industries that transport abrasive, dry, or bulk materials on a daily basis...

How to Choose the Right Lawyer in Melbourne for Your Situation

Choosing legal support can feel difficult, especially when the stakes are personal or business-related. The right lawyer in Melbourne should underst...

Hoteliers Look to Clever Value Adds to Increase Revenue

The Australian hospitality industry is still in recovery mode after a notoriously rough patch in recent years. While there has been a post-COVID tra...

Moving to Queensland? Here’s How to Prep Your Car for the Big Move North

There’s no sign of the northern migration slowing down, with thousands of southerners fleeing from chaotic lifestyles and cooler climates for a brig...

Diesel Shortage to Impact Trades and Contractors

Strait of Hormuz blockage affecting all major parts of trades and construction Trades and construction across residential, commercial and industria...

Why Holiday Home Owners Turn to Rental Management Agents

The Allure — and the Reality — of Renting Out Your Property Owning a holiday home is a dream for many Australians. Whether it's a beachside sha...

Why Finding Reliable Doctors In Bundoora Is Important For Long-Term Health

Access to quality healthcare plays an important role in maintaining overall wellbeing and managing health concerns early. Trusted Doctors in Bundoor...

Understanding the Different Types of Car Services: Minor vs Major

When it comes to car maintenance, one of the most important things every vehicle owner should understand is the difference between a minor and a maj...

How Superannuation and TPD Insurance Work Together

Superannuation is an essential part of financial planning in Australia. It is designed to provide individuals with income during retirement, helping...