Explainer: What's next for privacy laws?
28 May, 2020 09:02
IAB Australia recently hosted a data governance and consumer privacy webinar. As part of this, Anna Johnston, principal of Salinger Privacy, one of Australia's most respected experts in privacy law and practice, shared her thoughts on the future of privacy for the Australian and global media and marketing industry.
For Johnston, privacy laws are not a barrier to innovation, but actually an enabler. To begin with, it’s important to recognise privacy law is not only about what might be described as private data. The Privacy Act regulates all personal information, whether the information is publicly found or privately held.
“It doesn't matter if it's considered private in the sense of things secret or something embarrassing, what the law protects is actually very broad,” Johnston explained.
But it’s not about companies, which don't have privacy; it's an individual human right. “That individual must be identified, or reasonably identifiable. If you can put two and two together to maybe figure out who the person is, it will make the definition of personal information and the Privacy Act will apply and privacy principles which define your legal obligations will kick in,” she said.
Privacy regulations apply across the collection, storage, use and eventual destruction of personal information - that is, its lifecycle. The regulatory environment, both locally and globally, is also covered by numerous privacy laws, creating new challenges for organisations to ensure they comply across all jurisdictions. It’s an environment which is increasingly complex as privacy requirements are changing, Johnston said.
The local context
The Office of the Australian Information Commissioner (OAIC), which includes the Privacy Commissioner, is the regulator in this space. Following the Australian Competition and Consumer Commission (ACCC) Digital Platforms Inquiry, the OAIC is expected to put out a legally binding code on digital platforms in regard to privacy requirements.
Following the inquiry, the Federal Government made an in-principle agreement to review and reform the federal Privacy Act along the lines of most of the ACCC's recommendations. Johnston expected there to be a focus on improving and bolstering the definitions of consent.
There's also the potential to recast the definition of personal information in line with the recommendation from the ACCC that it explicitly include online identifiers, including cookies, beacons and other kinds of tracking technologies, even if you can't necessarily link the identifier to a named or nameable person. This, in turn, could lead to potentially tougher rules around the secondary use or disclosure of personal information, Johnston said.
The co-regulatory model is another potential development that would involve cooperation between the OAIC and ACCC as the consumer protection and trade practices regulator. It's for this reason Johnston saw the two regulatory bodies increasingly joining forces to tackle industries such as digital platforms.
Loyalty schemes and adtech could also be subject to collection principles on invasive or unfair practices. “The OAIC more recently has started to call out things like whether or not the means of collection of personal information is fair. And if it's not fair, does that not even meet the law? It’s not just an ethical test, it’s also a legal test,” Johnston continued.
“The OAIC is potentially looking at an overriding fairness test and maybe targeted marketing and profiling for adtech will be opt-in only.”
Australian privacy law may also be bolstered with further data subject rights, in addition to the current right of access and correction, such as erasure or deletion, algorithmic fairness and transparency, similar to the GDPR in Europe.
“We could see an increased focus on accountability through methodologies like privacy impact assessments on new projects, possibly making the idea of privacy by design mandatory,” Johnston said. “This is the idea that when building new products, services and technology systems, it must start from a position of privacy by design, possibly privacy by default.
“We could also possibly see direct right of action, meaning consumers could sue companies directly for breaches of the privacy principles, rather than have to go through the privacy regulator.”
The global context
We have witnessed the backlash against big tech, nicknamed the ‘techlash’, particularly after the Facebook Cambridge Analytica scandal. But it also pushes back against big tech platforms like Google and Amazon, and the sense they have gone too far in infringing on people’s privacy.
Johnston suggested we could see consumer protection and privacy regulators joining forces and noted the ACCC globally is being watched very carefully by the privacy community. “The ACCC is very much the first ones to come out and do a big inquiry into the digital platforms,” she pointed out.
“That focus on big tech is also coming from the privacy regulators. It's not just privacy advocates or consumer advocates, it's the regulators themselves.”
Johnston gave the example of New Zealand Privacy Commissioner, John Edwards, who in a recent speech called on regulators to join forces to deal with the power asymmetry of the big tech companies. She noted that after the Christchurch massacre, New Zealand has taken a particular interest in regulating digital platforms.
“He [Edwards] is talking about not just the consumer and competition regulators and privacy regulators, but also online safety regulators and, to a lesser extent, those covering intellectual property and publishing issues like copyright and defamation,” she explained.
In Europe, the Court of Justice of the European Union said third-party and tracking cookies need the consent of the website's user; that is, the consumer's consent must be opt-in and proactive. The French privacy regulator issued a 50 million euro fine to Google on the grounds that the law in Europe requires consent to deliver personalised ads, and the way Google had gone about trying to gain that consent was not considered valid under European privacy law, Johnston said.
“Coming out of Europe, eventually we should see a new ePrivacy regulation, specifically regulating cookies and email marketing and related topics to provide better uniformity across the EU,” she predicted.
In closing, Johnston said the breadth of what is covered by the definition of personal information can surprise people. “It's not just about protecting private data. And privacy is not just about protecting secrets. It's about how organisations handle all the data they have that is not secret,” she concluded.
“Privacy is not just about data security, it's not just about preventing disclosure. It is also about how personal information can and can't be collected and used in a way that does no harm to individuals. And above all else, privacy law is about fairness, accuracy and transparency.”
“The key trends, both locally and globally, include applying a consumer protection lens on top of privacy law and asking how the law might need to expand to cover all forms of privacy.”