‘It will redefine our industry for the next decade’: Federal Gov accelerates privacy reform to August as Attorney General, Privacy Commissioner harden language on personal information; customer matching, clean rooms uncertain
Last week under a request from Prime Minister Anthony Albanese, the Federal Attorney General [AG] Mark Dreyfus dropped a privacy curveball – the new Privacy Act will be introduced into Parliament in August, well ahead of an end-of-year deadline many thought would spill into next year. More pressing for the broad church of marketing, media, CX, adtech, programmatic and ecom teams across every industry sector, it appears the rhetoric from the AG and even the new Privacy Commissioner on the definition, treatment and transparency of personal information is firming against many current and emerging industry practices – first-party customer data matching between different entities is just one. The use of website tracking pixels is also under investigation, led by a Privacy Commissioner probe into how TikTok deploys such code. “It would have significant implications for a huge number of things,” says Omnicom Media Group’s Chief Investment Officer Kristiaan Kroon on any restrictions in customer matching programs. “From an Omnicom perspective, we would say privacy reform is one of the top things that will redefine our industry in the coming decade.”
It is clear that personal information has immense value – not just to individuals, but to those engaged in marketing, research, product development and advertising. It's past time we stopped treating the most personal and private information of Australians as an asset that entities hold.
It started last week when the Prime Minister Anthony Albanese and four cabinet ministers issued a joint announcement wrapping a pilot testing “age assurance” technology to protect children from pornography, extreme misogyny and other age-restricted online services with domestic violence anti-doxxing initiatives, a national ID register for hacked personal information – and the fast tracking of new privacy legislation into Parliament in August.
Some argue by bundling broader civic protections with privacy reforms around personal information, the Albanese government has made it more difficult for industry to protest material shifts in how it currently collects, uses and trades personal data.
Whatever the intent, the Attorney General and Australia’s new Privacy Commissioner, Carly Kind appear to have ratcheted up their language in various forums in the past week.
Both gave keynotes at the Privacy By Design Awards last week – Canva took out the Large Enterprise gong, and perhaps ironically, Google had a “Highly Commended” in the same category.
But the language from Mark Dreyfus and Carly Kind was sharp.
"As everyone in this room is well aware, the personal privacy of citizens is under attack – both here in Australia and overseas," he said. "Just about all of us are online, nearly all of the time, but in return for this Australians are increasingly being asked to share their personal information in online transactions. And they expect that when they do, their information will be protected and that they will maintain control over it. It is clear that personal information has immense value – not just to individuals, but to those engaged in marketing, research, product development and advertising. It's past time we stopped treating the most personal and private information of Australians as an asset that entities hold."
The last two lines should be enough to snap any professional involved in marketing, customer data or media to high alert. And that’s before the Privacy Commissioner followed up the Attorney General with a sharp focus on shifting the balance of power in personal information back to the individual.
Because organisations won’t be able to ‘consent out’ of the fair and reasonable requirement to justify their activities, I’m hopeful that this new feature of the Australian framework will set us aside from other jurisdictions worldwide and position us as Australia’s privacy regulator to take on some of the more concerning industry practices we’re seeing…
Sharper intent
Lofty policy and societal debate is not the typical territory of marketing, media and tech professionals but it’s coming regardless. OMG’s Kristiaan Kroon told Mi3 in response to the accelerated privacy reform agenda: “It certainly seems the language is hardening. Again, it will come back to the exact wording but to be fair, I would suggest that there are parts of the industry that have not done anyone any favours in their behaviour and what increasingly is coming to light.”
Civic Data’s Chris Brinkworth, who attended a briefing yesterday with the Privacy Commissioner said while it was clear new privacy legislation was set for August, the Attorney General and the Privacy Commissioner have “not given any true insights yet” on specifics. “That’s whether small businesses will be exempt, whether [industry] consultations have finished 'in principle' and much, much more that will have an impact on not just the Australian privacy landscape, but on businesses and the overall economy,” Brinkworth said.
There are clues however. “We can expect the reforms to include the introduction of a "fair and reasonable" test for the collection, use, and disclosure of personal information, a statutory tort for serious invasions of privacy, and the right for Australians to sue for privacy invasions,” said Brinkworth. “The proposed changes also encompass new and enhanced individual rights, such as the right to erasure, also known as the right to be forgotten, and the right to de-index internet search results … Furthermore, the government is considering requirements for businesses regarding maximum and minimum retention periods for personal information. These amendments aim to empower individuals to exercise greater control over their personal information and align Australia's privacy framework more closely with international standards.”
It certainly seems the language is hardening. Again, it will come back to the exact wording but to be fair, I would suggest that there are parts of the industry that have not done anyone any favours in their behaviour and what increasingly is coming to light.
Consent buster
Except Carly Kind seems more ambitious than aligning Australia’s privacy laws to international standards. It's worth quoting Kind at length from her Tech Council-backed Privacy by Design Awards address last Thursday night – stick with it because it’s the basis on which any media, marketing or customer professional needs to plot what they do next in a future operational context.
“The concept of privacy by design speaks to a deeper and more universal truth. That technology should be deployed in the pursuit of societal objectives, and not the other way around. That even as we, as individuals and communities, are shaped by technology, we also have the power to shape technology
“The key word there is power. Notions of power cut in every direction in the digital ecosystem – the power wielded by tech monopolies and duopolies; the power concealed in political microtargeting and misinformation campaigns; the lack of power and agency consumers feel when they’re using digital technologies. To me, the right to privacy is all about power – the power to control who has what information about you, and the power to hold them to account in how they use it.
“In particular, as the Attorney-General outlined, the Government has agreed in principle to introduce a new positive obligation that personal information handling is fair and reasonable. This is a fundamental shift in approach, and provides confidence that, like a safety standard, privacy is built into products and services from start.
“The fair and reasonable standard would put the onus on organisations to consider, among other matters, whether consumers would reasonably expect their personal information to be used in particular ways, and to take into account the risk of unjustified adverse impact or harm, which could include physical, psychological or emotional harm or negative outcomes with respect to an individual’s eligibility for rights or benefits in employment, credit and insurance, housing, education, professional certification or provision of health care and related services.
“Because organisations won’t be able to ‘consent out’ of the fair and reasonable requirement to justify their activities, I’m hopeful that this new feature of the Australian framework will set us aside from other jurisdictions worldwide and position us as Australia’s privacy regulator to take on some of the more concerning industry practices we’re seeing, whether those be related to emerging technologies such as biometric recognition, or to persistent problematic practices such as microtargeting or dark patterns.
“Organisations can get in front of this now by thinking about how new products and offerings can embody fairness and reasonableness right from the start. One mechanism for facilitating this process is to get into the habit now of undertaking a privacy impact assessment at the commencement of any new technological deployment or novel use of personal data. This can help organisations identify and mitigate risks and think through the ‘should’ as well as the ‘could’.”
We can expect the reforms to include the introduction of a "fair and reasonable" test for the collection, use, and disclosure of personal information, a statutory tort for serious invasions of privacy, and the right for Australians to sue for privacy invasions.
Fair vs. foul
For OMG’s Kroon and most following privacy reform, the implications for a slate of current industry practices remain cloudy – the surge in first-party customer matching and clean rooms is a case in point. “A lot of consumers may well agree with their [AG and Privacy Commissioner] sentiment,” he says. "There's an awful lot within the Attorney General's paper that talks to what is fair and reasonable, and that is what is going to be challenging for any business that is working through the implications. If you're a supermarket or a retailer using it to serve the next best offer, that is reasonable. If you're a TV network and you've got lots of consumer data but then you're passing it to an advertising group who then might be on selling it to other customers, that would be a stretch for consumers or wouldn't pass the pub test.”
Equally in an anonymised first party customer swap, would it be “fair and reasonable” for an individual to know their data is moving between supply chain players to facilitate targeting and commerce – after it’s explained in language understood by a persons of “below average intelligence”?
“There's going to be a lot of subjective conversations in the short term,” says Kroon. “It looks like the government's finally getting to the point where they'll give more direction that allows people start making their choices. Between cookies and privacy, it’s going to put a lot of short term pressure on making significant change. We get a lot of very sophisticated questions from clients around data handling, its usage, cleanrooms and so-on. They want to be on top of it. The issue for them, I think in market is with all agencies and publishers, everyone says they are privacy ready. I do find that statement somewhat challenging.”