Industry, consumer groups respond to Privacy Act Review

Submissions from the IAB, OAIC, IGEA and CPRC highlights concerns around consumer consent fatigue, legitimate reasons for data collection and finding the balance between privacy control and digital innovation

Consumer consent fatigue, protecting legitimate data collection processes, consistency with international laws and strong accountability measures are just some concerns consumer and industry bodies have highlighted as they respond to plans to update Australia’s Privacy Act review.  

The recommendations and comments follow the release of the Federal Government’s Privacy Act Review Discussion Paper in November 2021. The paper is about long-term amendments to Australia’s privacy laws and includes a wide-ranging set of matters for review. These extend from the definition of personal information and permitted situations and settings around the collection, to use and disclosure of such personal information, ensuring the Privacy Act goes far enough to protecting consumers’ rights, consent, data breach notifications and management, enforcement powers and compliance measures.    

Submissions from industry and individuals on the Discussion Paper were due into the Attorney-General in January. Here, we look at how several major industry and consumer bodies are viewing the proposed changes.  

IAB: Balancing consumer privacy with industry innovation  

This week, the Interactive Advertising Bureau (IAB) Australia shared its submission publicly, stating it’s critical to find a balance between protecting individuals’ privacy and ensuring online interactions can continue. While the Discussion Paper highlights the importance of this critical balancing exercise, the association expressed concern the “cumulative effect” of the proposals would restrict business activities, including but not limited to digital advertising that relies on data as a significant input.  

“Consumers benefit from both privacy and engagement in the digital economy. If we get the balance between the two wrong, consumers as well as businesses and Australian society more broadly, will be disadvantaged,” the IAB stated in the submission.    

A big concern for the IAB is consent fatigue. The association said it supported the Government’s objective to reduce the existing burden on consumers but raised concerns about how the Paper proposes to achieve this.  

“The burden of privacy management on individuals is too high and consent fatigue is a significant issue which undermines the goals of privacy law,” the IAB stated in its submission. “We therefore support the approach of introducing alternative lawful grounds to consent in place of onerous privacy self-management for consumers, consistent with developments in other jurisdictions such as the UK.  

“As the OAIC has previously stated, consent should be preserved for high privacy risk situations, rather than routine personal information handling. However, we would note it is also important not to ‘throw the baby out with the bathwater’ and introduce changes which have unintended consequences or simply make online business slower and less consumer friendly, for no benefit.”  

IAB CEO, Gai Le Roy, said privacy and consumer trust are fundamental to the functioning of the industry. “But we can’t keep throwing more frequent and more detailed notices at consumers,” she said.  

The IAB Australia submission also noted three overarching concerns with the Government’s proposals. The first is that privacy regulation does not prevent legitimate data practices supporting the digital economy. To counter this, the association specifically recommended ‘fair and reasonable’ use cases be replaced with a ‘legitimate interests’ basis for processing data.  

The IAB’s second concern is to ensure principles-based and ‘tech neutral’ legislation, which could more easily adapt to evolving data practices over time. Thirdly, the IAB said it was critical to ensure Australia’s regulatory framework is in line with international practices, such as those already in play in the UK and Europe. Failing to do so could again stifle innovation and leave Australian businesses unfairly disadvantaged against overseas counterparts.  

As previously highlighted in CMO’s explainer on the proposed privacy law changes, one of the most significant potential changes to the Privacy Act is the broader definition of what’s classified as ‘personal information’. At present, ‘personal information’ only applies to information where someone is identifiable.  

Under the proposed changes in the Discussion Paper, this would change to ‘relates to’. This would mean personal identification could also apply to when an individual can be distinguished from others, or has a profile associated with an online identifier or pseudonym, even if they’re not named.  

The problem here is inferred information and when it trespasses into personal information territory. In its submission, the IAB said a more targeted approach to defining information is still needed and disagreed changing ‘de-identification’ to ‘anonymisation’ delivered this clarity. The IAB also argued location information should not be considered sensitive information.  

“In our view, the proposal to explicitly include inferences in the scope of the legislative definition would not address this. Again, a more targeted approach to addressing any lack of clarity that exists should be adopted,” the IAB stated. “A better approach would be to ensure the relevant standard required is more clearly articulated and achievable.”  

Le Roy’s overarching call is for the regulatory framework to address harmful practices without slowing down the digital economy “or the advertising that funds it”.  

“If we want to be a leading digital economy and society, the law should not be restricting legitimate uses of data that are not harmful, are within consumers’ expectations and are necessary to support online business,” she said.  

OAIC: Strengthening accountability measures for organisations  

In its submission, the Office of the Australian Information Commissioner (OAIC) described the Discussion Paper as a well-considered proposal presenting a sound basis for advancing the case of privacy reform.  

A key theme in the OAIC’s submission is easing consumer responsibility and ensuring strengthened accountability measures for organisations handling personal information instead. These will help protect and empower consumers while promoting innovation and a thriving digital economy, the commissioner argued.

Australian Information Commissioner and Privacy Commissioner, Angelene Falk, said a strong digital economy needed to be paired with clear responsibility for how personal information is handled.

“By embedding strong accountability measures, businesses and other organisations can build a reputation for strong and effective privacy management, which is essential for meeting community expectations and realising the benefits of the personal information they hold,” Falk said. “It is unrealistic to expect individuals to consider and evaluate whether every collection of their personal information is reasonable, and to take steps to protect themselves from all privacy harms.  

“Strengthened accountability requirements will raise the standard of data handling so individuals can have greater confidence that their personal information will be handled fairly when they choose to engage with a product or service.”  

Alongside this, the OAIC’s recommendations concentrate on empowering consumers to take control of their personal information through new rights and enhanced transparency requirements. Like the IAB, the commissioner is also keen to see global interoperability and consistency.  

In addition, the OAIC is recommending measures to better support its efforts to pursue significant privacy risks and systemic non-compliance through regulatory action.  

“This can occur through a simplified civil penalty regime, supported by infringement notices as a quick and cost-effective way to deter non-compliant behaviour without the need for court proceedings,” Falk said. “These changes should be supported by the introduction of a direct right of action and statutory tort of privacy that would give individuals access to additional options to protect their privacy rights.”

CPRC: Modernise what it means to be identifiable

According to the Consumer Policy Research Centre (CPRC), the lack of agency and understanding consumers have over their privacy has rendered them “powerless with no real, meaningful way for consumers to express their preferences”.  

In its submission to the Attorney-General, the group called for a modernisation of what it means to be identifiable going far beyond the current definition of personal information. For example, the CPRC wants technical information, such as IP address and device type, to fall under the purview of ‘personal data’.  

In addition, the group is advocating a principles-based approach to the definition as a way to deal with today’s needs as well as help cater for future data points that may attribute to being identifiable.  

In terms of transparency, choice and control, the CPRC’s submission again calls for more accountability to be placed on organisations. As well as agreeing with the right to erase personal information and data held by companies where there is no legal reason for it to be retained, the CPRC is recommending standardised notices that support consumer comprehension, consumer experience (CX) research that measures consumer comprehension of rights and risks, and ensuring ‘fair and reasonable’ requirement is an overarching requirement in the Privacy Act.  

The CPRC also agrees with bringing in pro-privacy default settings, creating an ecosystem for privacy protections and complaints mechanisms by ensuring the regulator is adequately resourced, and a holistic approach to dispute resolution, such as via the establishment of a Digital Ombudsman.  

IGEA: Don’t take a one-size-fits-all approach  

The Interactive Games and Entertainment Association (IGEA), which represents the video games industry, has also weighed in with a submission. It noted many online and offline video games companies rely on player data in order to operate. While a lot of this is not for advertising or monetisation purposes, it’s prevalent across the ecosystem.  

In this vein, the overarching recommendation of IGEA’s submission is to avoid a one-size-fits-all approach to regulation and instead adopt a data collection approach that’s based on context and a flexible framework.  

“Personal information handled by video game companies is often a far lower risk of causing privacy harms to affected individuals than personal information handled by healthcare providers and mortgage brokers,” IGEA stated in its submission. “We consider that a revised Act should accommodate these differences. It should also encourage organisations to collect low-risk information, such as gamer tags, rather than more identifiable information such as names and email addresses. Treating all data as the same would be self-defeating in this regard and be contrary to the public interest.”  

Like the IAB, the IGEA is advocating a balance of privacy settings to ensure entities can operate efficiently and effectively, enabling personal information to be used where ‘reasonably necessary’ for one or more of an entity’s functions or activities.  

The IGEA also raised particular concerns around consumer consent, noting it as a vital mechanism that’s most effective when used in narrowly defined situations and where individuals most need to exert control over their personal data.  

“Our concern with giving consent a more prominent role under the Act, which may lead to consent fatigue, overwhelming consumers with consent requests, and burdening entities who would need to obtain consent in situations where an individual would reasonably expect that their data would be used,” the submission read.    

“Entities being given flexibility around how to obtain consent, as some businesses in our sector may ask players to swipe a notice with their finger, press a particular button on a controller, or perform some other interaction to show that they give consent.  

“If the specification of certain prohibited practices is proposed, they need to be carefully calibrated and appropriately targeted to avoid unintended blanket prohibitions that may actually prohibit some beneficial or legitimate practices.”    

The IGEA is also against changing the language of personal information from ‘about’ to ‘relates to’ and added its concern to expanding the definition of personal information.  

“This may put an onerous burden on organisations having to provide extensive amounts of technical information in response to access requests,” it added.  

Don’t miss out on the wealth of insight and content provided by CMO A/NZ and sign up to our weekly CMO Digest newsletters and information services here.  

You can also follow CMO on Twitter: @CMOAustralia, take part in the CMO conversation on LinkedIn: CMO ANZ, follow our regular updates via CMO Australia's Linkedin company page      


Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
Show Comments

Latest Videos

More Videos

More Brand Posts



CMO's top 10 martech stories for the week - 9 June

Read more

Great e-commerce article!

Vadim Frost

CMO’s State of CX Leadership 2022 report finds the CX striving to align to business outcomes

Read more

Are you searching something related to Lottery and Lottery App then Agnito Technologies can be a help for you Agnito comes out as a true ...


The Lottery Office CEO details journey into next-gen cross-channel campaign orchestration

Read more

Thorough testing and quality assurance are required for a bug-free Lottery Platform. I'm looking forward to dependability.

Ella Hall

The Lottery Office CEO details journey into next-gen cross-channel campaign orchestration

Read more

Great Sharing thoughts.It is really helps to define marketing strategies. After all good digital marketing plan leads to brand awareness...

Paul F

Driving digital marketing effectiveness

Read more

Blog Posts

Marketing prowess versus the enigma of the metaverse

Flash back to the classic film, Willy Wonka and the Chocolate Factory. Television-obsessed Mike insists on becoming the first person to be ‘sent by Wonkavision’, dematerialising on one end, pixel by pixel, and materialising in another space. His cinematic dreams are realised thanks to rash decisions as he is shrunken down to fit the digital universe, followed by a trip to the taffy puller to return to normal size.

Liz Miller

VP, Constellation Research

Why Excellent Leadership Begins with Vertical Growth

Why is it there is no shortage of leadership development materials, yet outstanding leadership is so rare? Despite having access to so many leadership principles, tools, systems and processes, why is it so hard to develop and improve as a leader?

Michael Bunting

Author, leadership expert

More than money talks in sports sponsorship

As a nation united by sport, brands are beginning to learn money alone won’t talk without aligned values and action. If recent events with major leagues and their players have shown us anything, it’s the next generation of athletes are standing by what they believe in – and they won’t let their values be superseded by money.

Simone Waugh

Managing Director, Publicis Queensland

Sign in