Marketing industry left in limbo on consent, fair and reasonable tests and targeting as privacy reform’s first act tackles criminals, big tech, child protection
The first tranche of Privacy Act reform finally hits parliament today with serious breaches of personal information, child protection and automated decisioning transparency top of the list. But the marketing and advertising industry remains severely short on how to move forward as key areas of reform, including the ‘fair and reasonable’ test for how to use personal information, targeted advertising, consent models and SMB exemptions get kicked down the road.
Heftier legal consequences for the malicious release of personal data online, more protection for children online, direct right to action and automated decisioning have made it into the first tranche of a now multi-part overhauling of Australia’s Privacy Laws being tabled in Parliament today.
But the marketing and advertising industry is left in limbo on the big-ticket items including targeting, a ‘fair and reasonable’ test on handling personal information, consent models and SMB exemptions as all get kicked into the next tranche of privacy reform not expected until mid-2025.
The first tranche of long-awaited reforms of Australia’s Privacy Act is set to hit the House of Representatives Thursday. At a top-line level, four elements are now expected to be in the first bill: Doxxing, or the intentional exposing of personal information online; a new statutory tort (a legal framework that governs civil wrongs) for pursuing serious invasions of privacy; more child protection online; and new transparency rules for Automated Decision Making (ADM).
Attorney-General Mark Dreyfus this morning confirmed it will now be a criminal offence for the malicious release of personal data online, known as doxing, with a new maximum penalty term of seven years’ jail to be legislated. According to an ABC report, this includes a six-year term for publishing private details such as names, addresses and numbers with the intent of causing harm, but increases to seven years when a person or group is targeted using their race, religion, sex, sexual orientation, gender identity, intersex status, disability, nationality or ethnic origin.
The focus on doxxing is a response to the growing need – and consumer agitation – to see something done about misinformation online. For industry commentators speaking to Mi3 on background, it’s also a mainstream headline win that’s certain to gain bipartisan support in the months leading up to the next Federal election.
In addition, a statutory tort for serious invasions of privacy, something that’s already had vocal support from the Office of the Australian Information Commissioner (OAIC), will now be introduced to Australia’s privacy framework. That will allow Australians the right to sue for damages if they have been victims of serious invasions of privacy.
Both of these align well with the Government’s plans to also introduce a new misinformation bill to Parliament today. This will give the Australian Communications and Media Authority (ACMA) greater powers to crack down on tech companies for misinformation and disinformation distributed on their platforms. If the platforms do not comply, they could be slapped with a range of penalties, including a maximum fine of 5 per cent of their global revenue.
But with a new right to access and explanation for both customers and regulators, it could place heavier burdens on customer service teams as those consumers who read every item in the terms and conditions, start asking questions.
More child protection through a fresh Children’s Online Privacy Code will see the OAIC reportedly get an extra $3 million over three years for the work. The connective thread this has into online safety is again seen as signalling a strong message to the platforms that the Government is looking after children. It also comes on the heels of Prime Minister Anthony Albanese announcing plans to introduce legislation to Parliament bringing in age limit restrictions on social media by the end of this year. The national crackdown, in turn, takes inspiration from South Australian Premier Peter Malinauskas' push to ban kids under 14 from setting up social media accounts, though it's not yet clear what ages would be captured under the federal legislation. As part of its efforts, the SA Government commissioned a 276-page report from High Court chief justice Robert French to figure out how it could deliver a legislative vehicle to enact such a ban for 14-year-olds and enforce social media companies to establish parental consent before allowing teenagers aged 14 and 15.
Automated Decision Making and what it signals
The first tranche of Privacy Act changes will further cover new transparency requirements for Automated Decision Making (ADM). The need for users of these systems – banks, insurers and the like – to articulate what personal information is used in substantial automated decisions upfront presents the most significant possible change to how data is collected and consented for the marketing and advertising industry.
It’s also another hit at the big tech platforms and how they collect personal information for algorithms. These practices came firmly back into the spotlight yesterday after Facebook revealed during a Senate Inquiry that it scrapes the public photos, posts and other data of Australian adult users to train its AI models and provides no opt-out option. This is despite the fact people in the European Union can refuse content.
Commenting on what is now expected in this first tranche landing today, Civic Data managing partner, Chris Brinkworth, told Mi3 that the statutory tort and ADM alone could significantly reform unethical and risky privacy practices in the digital economy – including how basic tags and pixels are used.
“The proposed privacy tort could make some practices legally risky, potentially reshaping how companies collect and use personal data, inclusive of uploading email lists to Meta, Google, Snapchat etc., and/or using targeting solutions using identities derived from multiple data sources that the consumer was not aware of,” he said.
“Automated Decision Making (ADM) regulations, while not to the level of GDPR's article 22, will force companies to explain their algorithms, potentially ending the era of ‘black box’ personalisation and pricing.
“Many platforms depend on agencies, publishers, and advertisers to adhere to data protection laws. However, if entities do not fully understand or follow these legal requirements, it can lead to misuse of data, such as targeting without proper consent or mishandling sensitive information.”
For ADMA director of regulatory and policy, Sarla Fernando, ADM being included is the Government signalling its intention to change the way we approach data usage and collection.
"Aiming for transparency on ADM, and giving consumers the ability to know what personal data has been collected and used for ADM to make decisions upfront, is a sit up and [take] notice on the way we are thinking about data as an industry right now," she said.
"It tells us we need to be thinking differently about what data we are holding and the journey and lifecycle of the data we collect and use, as well as minimising the data we collect," she told Mi3. "And it’s a signal in line with how we prepare as an industry overall for the complete reform of Australia’s Privacy laws."
While the expected first tranche will be good steps forward – and certainly focusing on vulnerable people and children is something ADMA understands and approves of – Fernando and the rest of the marketing industry seeks further dialogue with Government on what's coming next. (Consultation so far has been "average", per AANA chief Joshua Faulks.)
"We are keen to work with the Government to understand the definitions so marketers can begin to do what’s required for the next stage of the transition period," added Fernando.
Having heard the first reading, IAB Australia CEO Gai Le Roy expressed similar sentiments.
"IAB Australia today welcomed the Government’s announcement that further consultation will be undertaken on some of the more complex privacy law reforms that will impact the industry, while also acknowledging the importance of the reforms that were introduced into the Parliament today," she stated. "IAB will go through the Bill and explanatory memorandum to carefully assess their impact on our industry. However, we are pleased to see that the Government looks to be moving forward on these important reforms in a considered way.
"Privacy laws are fundamental to the functioning of our digital economy. IAB will continue to work constructively with Government to ensure that our laws are fit for purpose and so that industry can continue to meet consumer expectations to deliver freely available online content and services."
What’s not included in the Privacy Act first tranche
What’s not in this first tranche of the Privacy Act is arguably of most interest to the marketing and advertising industry.
Notably, the definition of ‘fair and reasonable’ test, a world-first which would make Australia’s Privacy Laws distinct compared with other laws internationally including GDPR, is expected to be left in limbo.
Updated tests on the definition of ‘personal information’ also remain unclear. Since September 2023, the Government has been using amended language to state personal information is that which can be “can be acted upon” – including targeted, contacted or located – regardless of whether an organisation knows the individual’s legal identity or not.
New definitions for direct marketing, targeting and trading, while advanced at least in industry consultation up until this point, are now not expected until post-election in the second more ambitious tranche of reform.
In February this year, targeting was looking like it would be adjusted with a new definition that states “information designed to promote the message of an entity or individual presented to an individual where targeting has been used”. Online targeting was also deliberately added in to the information earlier this year. De-identified information is another doozy for the industry, but remains uncertain without further definition. The promise of direct right to action has also been left for stage two.
Attorney-General Mark Dreyfus will tell parliament his morning: “Australians have got the right to have their privacy respected and when they're asked to hand over their personal data they have a right to expect it will be respected.
"The Government is committed to ensuring the Privacy Act works for all Australians and is fit for purpose in the digital age. This legislation is just the first stage of the Government’s commitment to provide individuals with greater control over their personal information," he will state. "We will continue targeted consultations with industry, small business, the media, consumer groups and other key stakeholders on draft provisions to ensure we strike the right balance between protecting people’s personal information, and allowing it to be used and shared in ways that benefit individuals, society and the economy.
"The Australian people expect greater protections, transparency and control over their personal information and this legislation begins the process of delivering on those expectations."
Yet despite initially accelerating the Privacy Act reforms into parliament in September, the Government's efforts to deliver more substantial reform to privacy laws remains an ongoing job.
For now, the marketing and advertising industry is going to have to wait to know their role in delivering this new age of privacy – and how they will have to operate within it.