Consent and disclosure: Federal Privacy Act draft changes due in days; additional laws for social media, young people proposed, marketers on the hook
An overhaul of Australia's federal privacy laws is imminent, with the Attorney General's Department last week advising a Senate Committee hearing on Foreign Interference Through Social Media that draft privacy changes will likely be released by next week. Tougher rules for collecting personal data and gaining consent, and a raft of additional proposed restrictions specifically targeting social media platforms and the data collected from young people will also land. A more combative information and privacy regulator, and changes to the definition of 'personal information' are on the cards. It could mean that even when people consent to data being collected, brands are ultimately not allowed to use it – and lawyers expect compliance will be quickly enforced.
What you need to know:
- Privacy laws that determine key advertising, marketing and data collection decisions are set for a major overhaul. Within days, the government will release draft changes to the Privacy Act, and will share a crucial discussion paper shortly after.
- Penalties for breaches of the Act are set to skyrocket from $2.1 million to $10m or 10 per cent of annual Australian turnover, and there will be legislation to create a code of conduct requiring transparent data use from social media giants.
- The discussion paper will outline issues of identity, consent, and notice, informed by 150 submissions from the likes of Google, Facebook, the major banks, government departments, and the major publishers.
- The current legislation relies "heavily on a notice and consent model" that could benefit from a notion of fairness or reasonableness, one senior official said.
Changing data architecture and data management is always painful. I think organisations now can reasonably anticipate the general way in which legislation will change.
The changes to the 13 Australian Privacy Principles that form the foundation of the Privacy Act will profoundly impact marketers and the broader advertising industry, an IAB forum heard this week.
Proposed changes to the Act, which underpins privacy, data usage and consent requirements in Australia, are expected imminently, with beefed up penalties for breaches, plus legislation enforcing data transparency from social media platforms expected.
An exposure draft with some of the proposed amendments, along with a discussion paper canvassing more than 150 submissions into how the bill can be updated, are due “shortly”, understood to mean within the next fortnight.
“We’re at a really interesting time, for marketers and for ad tech,” said Sophie Dawson, a Technology Media and Telecommunications partner at law firm Bird & Bird.
“There's a global jigsaw puzzle of privacy and other laws regulating online advertising. And each piece of that jigsaw puzzle is changing.”
When yes means no
Exchanges between officials from the Attorney General’s Department and Senate Estimates hearings on March 23 and July 30 this year gave a hint about what can be expected.
One official said the government wants to ensure the laws aren’t “overly burdensome” and will update the Act in stages, starting with increased penalties for breaches as it explores the more contentious elements in industry submissions.
Last Friday, Julia Galluccio from the Attorney General's Department told a Select Committee hearing the current Privacy Act "relies quite heavily on a notice and consent model".
"Some of the submissions that have come through have highlighted perhaps some limitations with that model in terms of the increasing volume of personal information being collected and the range of uses for personal information," she said.
"Some submissions have suggested that perhaps there should be some situations where, even if the individual does consent to the use of the information, that information still shouldn't be collected, used or disclosed, and there should be some kind of notion of fairness and reasonableness in the circumstances to be able to collect, use and disclose that information."
It’s also expected the exposure draft will outline legislation targeting social media platforms and their use of personal data.
It will ensure "there's greater transparency about how personal information is being used, and how consent is obtained, particularly for young people", Galluccio said.
"We're in the process of finalising that legislation at the moment, and that will also be released for public discussion as well."
How marketers can prepare
There is enough detail known about incoming changes for marketers to start preparing and future-proofing their data. The definition of ‘personal information’ is very likely to change, for example, which will have a major impact on digital advertising.
“Changing data architecture and data management is always painful. I think organisations now can reasonably anticipate the general way in which legislation will change and be starting to minimise the extent to which they handle and use personal information that is identifying information about individuals,” said privacy expert and data lawyer Peter Leonard.
“Almost certainly the regulation of cookies and other online identifiers where an individual can be re-associated with that identifier, that regulation will change and will significantly restrict the extent to which intermediaries in the ad tech system can exchange data based on device identifiers or browser identifiers.”
The key things people need to understand is what their key datasets are, where they’re getting it, what they’re telling people at the moment, and whether they’ve got consent attached to that data.
Sarla Fernando, ADMA’s regulatory lead, urged marketers to get on the front foot.
“Now is the time to assess your own practices, processes, systems and documentation,” she said.
“Do you have the proper consent, architecture and levels of access in place to guarantee the respective level of security required? … This shouldn’t just be seen as needing to ‘write a new Privacy Policy’... Everyone is taking it seriously. Marketers need to do the same.”
Bird & Bird's Dawson said while it’s unlikely Australia will take exactly the same approach as Europe’s General Data Protection Regulations (GDPR), it provides a “good guide” for how organisations can prepare for local legislative reform.
“The key things people need to understand is what their key datasets are, where they’re getting it, what they’re telling people at the moment, and whether they’ve got consent attached to that data,” she said.
“I think the change the ‘personal information’ definition, combined with the increased enforcement risk and penalties, are the most important changes from an ad tech perspective.”
Time is money
Changes will be much more expensive to make for organisations that leave it until the last minute, said Peter Leonard. He doesn’t think the government will give much time for a transition.
Some players in market are taking cues from privacy laws overseas. Consultancies with expertise in “clean rooms” – where aggregated data from walled gardens can be securely shared with partners – are emerging, and cross-platform data and privacy expertise is increasingly prized.
The review of the Privacy Act is one of seven separate regulatory and legislative changes that need to work together, Leonard said. “There a few stars that the Federal Government needs to align,” said Leonard, including:
- The National Identity-Matching Services bill.
- The Data Availability and Transparency bill.
- The Home Affairs consultation about data security.
- The Department of Industry musings about AI policy.
- The ACCC’s final report of its digital advertising services inquiry (due 31 August).
- Reforms of Australian Consumer Law to address unfair contract terms.
Per Leonard: “It ain’t easy.”