Industry, consumer groups respond to Privacy Act Review

Submissions from the IAB, OAIC, IGEA and CPRC highlights concerns around consumer consent fatigue, legitimate reasons for data collection and finding the balance between privacy control and digital innovation

Consumer consent fatigue, protecting legitimate data collection processes, consistency with international laws and strong accountability measures are just some concerns consumer and industry bodies have highlighted as they respond to plans to update Australia’s Privacy Act review.  

The recommendations and comments follow the release of the Federal Government’s Privacy Act Review Discussion Paper in November 2021. The paper is about long-term amendments to Australia’s privacy laws and includes a wide-ranging set of matters for review. These extend from the definition of personal information and permitted situations and settings around the collection, to use and disclosure of such personal information, ensuring the Privacy Act goes far enough to protecting consumers’ rights, consent, data breach notifications and management, enforcement powers and compliance measures.    

Submissions from industry and individuals on the Discussion Paper were due into the Attorney-General in January. Here, we look at how several major industry and consumer bodies are viewing the proposed changes.  

IAB: Balancing consumer privacy with industry innovation  

This week, the Interactive Advertising Bureau (IAB) Australia shared its submission publicly, stating it’s critical to find a balance between protecting individuals’ privacy and ensuring online interactions can continue. While the Discussion Paper highlights the importance of this critical balancing exercise, the association expressed concern the “cumulative effect” of the proposals would restrict business activities, including but not limited to digital advertising that relies on data as a significant input.  

“Consumers benefit from both privacy and engagement in the digital economy. If we get the balance between the two wrong, consumers as well as businesses and Australian society more broadly, will be disadvantaged,” the IAB stated in the submission.    

A big concern for the IAB is consent fatigue. The association said it supported the Government’s objective to reduce the existing burden on consumers but raised concerns about how the Paper proposes to achieve this.  

“The burden of privacy management on individuals is too high and consent fatigue is a significant issue which undermines the goals of privacy law,” the IAB stated in its submission. “We therefore support the approach of introducing alternative lawful grounds to consent in place of onerous privacy self-management for consumers, consistent with developments in other jurisdictions such as the UK.  

“As the OAIC has previously stated, consent should be preserved for high privacy risk situations, rather than routine personal information handling. However, we would note it is also important not to ‘throw the baby out with the bathwater’ and introduce changes which have unintended consequences or simply make online business slower and less consumer friendly, for no benefit.”  

IAB CEO, Gai Le Roy, said privacy and consumer trust are fundamental to the functioning of the industry. “But we can’t keep throwing more frequent and more detailed notices at consumers,” she said.  

The IAB Australia submission also noted three overarching concerns with the Government’s proposals. The first is that privacy regulation does not prevent legitimate data practices supporting the digital economy. To counter this, the association specifically recommended ‘fair and reasonable’ use cases be replaced with a ‘legitimate interests’ basis for processing data.  

The IAB’s second concern is to ensure principles-based and ‘tech neutral’ legislation, which could more easily adapt to evolving data practices over time. Thirdly, the IAB said it was critical to ensure Australia’s regulatory framework is in line with international practices, such as those already in play in the UK and Europe. Failing to do so could again stifle innovation and leave Australian businesses unfairly disadvantaged against overseas counterparts.  

As previously highlighted in CMO’s explainer on the proposed privacy law changes, one of the most significant potential changes to the Privacy Act is the broader definition of what’s classified as ‘personal information’. At present, ‘personal information’ only applies to information where someone is identifiable.  

Under the proposed changes in the Discussion Paper, this would change to ‘relates to’. This would mean personal identification could also apply to when an individual can be distinguished from others, or has a profile associated with an online identifier or pseudonym, even if they’re not named.  

The problem here is inferred information and when it trespasses into personal information territory. In its submission, the IAB said a more targeted approach to defining information is still needed and disagreed changing ‘de-identification’ to ‘anonymisation’ delivered this clarity. The IAB also argued location information should not be considered sensitive information.  

“In our view, the proposal to explicitly include inferences in the scope of the legislative definition would not address this. Again, a more targeted approach to addressing any lack of clarity that exists should be adopted,” the IAB stated. “A better approach would be to ensure the relevant standard required is more clearly articulated and achievable.”  

Le Roy’s overarching call is for the regulatory framework to address harmful practices without slowing down the digital economy “or the advertising that funds it”.  

“If we want to be a leading digital economy and society, the law should not be restricting legitimate uses of data that are not harmful, are within consumers’ expectations and are necessary to support online business,” she said.  

OAIC: Strengthening accountability measures for organisations  

In its submission, the Office of the Australian Information Commissioner (OAIC) described the Discussion Paper as a well-considered proposal presenting a sound basis for advancing the case of privacy reform.  

A key theme in the OAIC’s submission is easing consumer responsibility and ensuring strengthened accountability measures for organisations handling personal information instead. These will help protect and empower consumers while promoting innovation and a thriving digital economy, the commissioner argued.

Australian Information Commissioner and Privacy Commissioner, Angelene Falk, said a strong digital economy needed to be paired with clear responsibility for how personal information is handled.

“By embedding strong accountability measures, businesses and other organisations can build a reputation for strong and effective privacy management, which is essential for meeting community expectations and realising the benefits of the personal information they hold,” Falk said. “It is unrealistic to expect individuals to consider and evaluate whether every collection of their personal information is reasonable, and to take steps to protect themselves from all privacy harms.  

“Strengthened accountability requirements will raise the standard of data handling so individuals can have greater confidence that their personal information will be handled fairly when they choose to engage with a product or service.”  

Alongside this, the OAIC’s recommendations concentrate on empowering consumers to take control of their personal information through new rights and enhanced transparency requirements. Like the IAB, the commissioner is also keen to see global interoperability and consistency.  

In addition, the OAIC is recommending measures to better support its efforts to pursue significant privacy risks and systemic non-compliance through regulatory action.  

“This can occur through a simplified civil penalty regime, supported by infringement notices as a quick and cost-effective way to deter non-compliant behaviour without the need for court proceedings,” Falk said. “These changes should be supported by the introduction of a direct right of action and statutory tort of privacy that would give individuals access to additional options to protect their privacy rights.”

CPRC: Modernise what it means to be identifiable

According to the Consumer Policy Research Centre (CPRC), the lack of agency and understanding consumers have over their privacy has rendered them “powerless with no real, meaningful way for consumers to express their preferences”.  

In its submission to the Attorney-General, the group called for a modernisation of what it means to be identifiable going far beyond the current definition of personal information. For example, the CPRC wants technical information, such as IP address and device type, to fall under the purview of ‘personal data’.  

In addition, the group is advocating a principles-based approach to the definition as a way to deal with today’s needs as well as help cater for future data points that may attribute to being identifiable.  

In terms of transparency, choice and control, the CPRC’s submission again calls for more accountability to be placed on organisations. As well as agreeing with the right to erase personal information and data held by companies where there is no legal reason for it to be retained, the CPRC is recommending standardised notices that support consumer comprehension, consumer experience (CX) research that measures consumer comprehension of rights and risks, and ensuring ‘fair and reasonable’ requirement is an overarching requirement in the Privacy Act.  

The CPRC also agrees with bringing in pro-privacy default settings, creating an ecosystem for privacy protections and complaints mechanisms by ensuring the regulator is adequately resourced, and a holistic approach to dispute resolution, such as via the establishment of a Digital Ombudsman.  

IGEA: Don’t take a one-size-fits-all approach  

The Interactive Games and Entertainment Association (IGEA), which represents the video games industry, has also weighed in with a submission. It noted many online and offline video games companies rely on player data in order to operate. While a lot of this is not for advertising or monetisation purposes, it’s prevalent across the ecosystem.  

In this vein, the overarching recommendation of IGEA’s submission is to avoid a one-size-fits-all approach to regulation and instead adopt a data collection approach that’s based on context and a flexible framework.  

“Personal information handled by video game companies is often a far lower risk of causing privacy harms to affected individuals than personal information handled by healthcare providers and mortgage brokers,” IGEA stated in its submission. “We consider that a revised Act should accommodate these differences. It should also encourage organisations to collect low-risk information, such as gamer tags, rather than more identifiable information such as names and email addresses. Treating all data as the same would be self-defeating in this regard and be contrary to the public interest.”  

Like the IAB, the IGEA is advocating a balance of privacy settings to ensure entities can operate efficiently and effectively, enabling personal information to be used where ‘reasonably necessary’ for one or more of an entity’s functions or activities.  

The IGEA also raised particular concerns around consumer consent, noting it as a vital mechanism that’s most effective when used in narrowly defined situations and where individuals most need to exert control over their personal data.  

“Our concern with giving consent a more prominent role under the Act, which may lead to consent fatigue, overwhelming consumers with consent requests, and burdening entities who would need to obtain consent in situations where an individual would reasonably expect that their data would be used,” the submission read.    

“Entities being given flexibility around how to obtain consent, as some businesses in our sector may ask players to swipe a notice with their finger, press a particular button on a controller, or perform some other interaction to show that they give consent.  

“If the specification of certain prohibited practices is proposed, they need to be carefully calibrated and appropriately targeted to avoid unintended blanket prohibitions that may actually prohibit some beneficial or legitimate practices.”    

The IGEA is also against changing the language of personal information from ‘about’ to ‘relates to’ and added its concern to expanding the definition of personal information.  

“This may put an onerous burden on organisations having to provide extensive amounts of technical information in response to access requests,” it added.  

Don’t miss out on the wealth of insight and content provided by CMO A/NZ and sign up to our weekly CMO Digest newsletters and information services here.  

You can also follow CMO on Twitter: @CMOAustralia, take part in the CMO conversation on LinkedIn: CMO ANZ, follow our regular updates via CMO Australia's Linkedin company page      


Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
Show Comments

Latest Videos

More Videos

Focus on your customer experience not your NPS score. Fix the fucking problems and the customer support requests will go away.I currently...

Chris B

Bringing community thinking to Optus' customer service team

Read more

Nice blog!Blog is really informative , valuable.keep updating us with such amazing blogs.influencer agency in Melbourne

Rajat Kumar

Why flipping Status Quo Bias is the key to B2B marketing success

Read more

good this information are very helpful for millions of peoples customer loyalty Consultant is an important part of every business.

Tom Devid

Report: 4 ways to generate customer loyalty

Read more

Great post, thanks for sharing such a informative content.

CodeWare Limited

APAC software company brings on first VP of growth

Read more

This article highlights Gartner’s latest digital experience platforms report and how they are influencing content operations ecosystems. ...

vikram Roy

Gartner 2022 Digital Experience Platforms reveals leading vendor players

Read more

Blog Posts

From unconscious to reflective: What level of data user are you?

Using data is a hot topic right now. Leaders are realising data can no longer just be the responsibility of dedicated analysts or staff with ‘data’ in their title or role description.

Dr Selena Fisk

Data expert, author

Whose responsibility is it to set the ground rules for agency collaboration?

It’s not that your agencies don’t have your best interests at heart – most of them do. But the only way to ensure they’re 100 per cent focused on your business and not growing theirs by scope creep is by setting the guard rails for healthy agency collaboration.

Andrew Pascoe

Head of planning, Hatched

AI Ethics Part 2: Mitigating bias in our algorithms

In first part of this article series, we explored the various forms of AI bias, ways to understand and identify them. This second part will cover various tangible measures that can be undertaken to control, mitigate or remove these biases.

Kshira Saagar

Chief data officer, Latitude Financial Services

Sign in