Enforcement mode: Privacy Commissioner Carly Kind takes aim at widespread pixel data spillage, loyalty, data enrichment, broking and geotargeting under existing laws
Privacy Commissioner Carly Kind was “surprised” – read underwhelmed – by the first tranche of Privacy Act legislation laid before parliament last month. But she says the hard stuff is still coming after the election, which means businesses now diverting budgets away from compliance to other activities may regret it, especially as the regulator has sharper teeth. Kind says firms are failing under the current Privacy Act – and they are in the regulator’s crosshairs. Tracking pixels are under serious scrutiny across the piste, as are companies using data beyond what it was collected for and potentially passing it to third parties. In that vein, Kind has “existing concerns” about loyalty programs, customer data enrichment businesses and data broking: “It's something I'd like to look at again under the current framework,” she says, suggesting those operators “make sure that they're watertight”. Likewise firms targeting via geolocation: “We’re looking at a case at the moment … We have some real concerns about how it's being used.”
What you need to know:
- Privacy Commissioner Carly Kind wanted government to go harder on its first tranche of privacy reforms, but accepts there are tradeoffs ahead of an election and amid a sustained economic crunch.
- As well as avoiding a ‘fair and reasonable’ use of data requirement that would have trumped consent, use of lookalikes, customer audiences, hashed emails and data clean rooms are in the clear. But under the next wave of reforms “the changing definition of personal information could certainly have an impact [on those approaches]” she says, though for now it’s not clear-cut.
- In the meantime, Kind says the regulator is looking hard at pixels and how brands and publishers are passing data to big platforms and other third parties.
- Loyalty, data enrichment and geotargeting are also in the frame for further probes under the current regime.
- To avoid breaching the existing Privacy Act and Australian Privacy Principles, Kind says there are four areas for businesses to laser in on – with the regulator now firmly in enforcement mode.
- First, “know what data you hold and who you’re giving it to.”
- Second, “make sure you've got a retention and destruction regime in place – anything that’s old, you don’t need to hold it any more.”
- Next, get into the weeds on contracts with third party service providers; and be sure to have a data breach response plan in place. “It's an area of vulnerability we're seeing a lot at the moment,” says Kind.
- In short: “Don't take your foot off the gas, because we're looking to take a more enforcement-based approach to regulation in the interim.”
- There’s more nuance and detail in the podcast. Get the full download here.
BAU buster
Carly Kind became Australia’s Privacy Commissioner in February after nearly two decades working with the likes of the UN, the International Council on Human Rights Policy, Unicef, Amnesty, the data and AI-focused Ada Lovelace Institute and Privacy International, where almost a decade ago she took on the British intelligence services over information sharing with the US National Security Agency – and ultimately won.
After dispatching MI5 and MI6, Kind is now appealing to Mi3, specifically readers who may think the (underwhelming) first tranche of Privacy Act reforms means it’s business as usual for at least another 12 months.
“It’s really important for me to get the message to your audience that, notwithstanding the privacy reforms … our office is taking a slightly different approach than we have historically,” says Kind.
“Part of that is about putting more [information] out for entities, but also being more enforcement-focused than we have been historically.”
Forewarned is forearmed. Kind underlines that the regulator has plenty to get its teeth into under the current Privacy Act – because a lot of companies are likely already in breach. They just might not realise it… yet.
“If I can get one message out it’s don't take your foot off the gas, because we're going to be looking to take a more enforcement-based approach to regulation in the interim, even notwithstanding those reforms.”
Pixel leakage, loyalty, data enrichment, data broking and geolocation are all in Kind’s crosshairs.
When vs. if
The warning comes amid rumblings that corporate budgets previously set aside for privacy reform compliance are being diverted to other perceived urgent commercial agendas. That follows the first tranche of Privacy Act reforms landing in parliament last month – leaving many either frustrated that full-blown regime change has been left until after the election, or breathing a sigh of relief, or just plain confused about how to best prepare for what might come next.
Kind, who has talked about setting a world leading privacy regime, falls into the former camp.
“It's fair to say we would like to see all 100 or so reforms identified in the Privacy Act review actioned as government has indicated that it intends to do. So yes, I would prefer to see all of that wholesale change as soon as possible.”
But she accepts the government has to walk a fine line ahead of an election, amid crunched consumer spending and a weak economy.
“I suspect it’s a combination of those two things … There are those that argue, with some accuracy, that the cost of compliance around legislative reform is not insignificant and will have to be borne by businesses who are navigating the cost of living crisis as well. So I think the timing against the fiscal outlook is a relevant factor,” says Kind.
“I was surprised that we weren't seeing more of [the reforms included in the first legislative package], because that had been the impression that I had – that we were moving full steam ahead,” she admits.
“I don't think it's so much been an active change of tack so much as a ‘let's get a bit through at a time when we can’. So this has been an opportunistic decision.”
But Kind says policymakers remain committed.
“Certainly we see the intention of government to proceed with tranche two. That's the noises that they're making at this stage.”
Her “hunch” is that government will start consulting on phase two “as soon as the first tranche is through”. Election timing impacts are hard to call, but “all signs are moving ahead. I think there's kind of cross-party support for the program generally. So I would like to see tranche two in 2025.”
If that timetable holds, it gives businesses a narrow window to prepare for a regime where the definition of what constitutes personal information is much broader, and in which firms can’t consent their way to compliance because regardless of consent, they will have to prove they are using data in a ‘fair and reasonable’ way. That will require a wholesale rewrite of some business models, and at the very least a deep data review, supply chain sweep and policy overhaul for pretty much everyone else, including millions of small firms.
Which is why Kind urges firms not to take their foot off the gas – because many may not be compliant with current Privacy Act obligations, let alone what comes next.
Basic fails
Reluctant to state categorically that companies across the board are “breaching” the current Privacy Act, Kind says “we’re seeing a lot of pretty basic privacy infringements” landing in the OAIC in-tray. The Office of the Australian Information Commissioner is where Kind resides, ultimately under the portfolio of Attorney General Mark Dreyfus.
“Retention of data is a really big issue that comes across our desk time and time again. Having entities take a good look at that would really put people in good stead. Cyber security and reasonable steps to secure information is another – it's the main complaint we get coming through our doors.”
A lot of the time, companies involved in those infringements “don't even know what data they have, or they've had a data breach, and they've got so much data that's exposed to the data breach that they just shouldn't have anymore. They should have an appropriate destruction and retention regime in place”, says Kind.
“A second one is about looking at what data you hold, the purpose for which you collected it in the first place, and really understanding the interplay of the APP [Australian Privacy Principles] three and six, which relate to collection, use and disclosure of data, which say, just because you collect data for one reason doesn't mean you can use it for any other reason as well,” she adds.
“You really need to make sure that you've got your ducks lined up on [whether] you can potentially use it for secondary purposes.”
Taking that approach will better prepare businesses thinking about using that data to train AI and large language models, which Kind says is next up for the OAIC.
“We’re publishing guidance in the next few weeks on the use of personal information in the context of commercial off-the-shelf AI products, as well as the use of personal information to train AI models.”
Pixels targeted
“At the moment, we're really interested in looking at the use and disclosure provisions of the APP. So how companies are using data they already have for other purposes or potentially providing it to other entities – passing it on to third parties – and to what extent is that done in a lawful, legitimate and defensible way?
“You'll have seen some attention recently on the use of tracking pixels, for example, so that disclosure onto social media companies by website providers of browsing data,” says Kind, “so really looking at those.”
Kind’s op-ed in The Australian a few months back referenced TikTok’s data harvesting via pixels, with some telling lines:
- “Legally it is website providers who are primarily responsible for the collection and disclosure of this personal information in the first place.”
- “Most people wouldn’t reasonably expect household brand websites, medical providers or news sites to be disclosing to X, Facebook, Snapchat or TikTok where you go on their site, how long you stay for, and what you read.”
- “Australia’s privacy laws do not outlaw such online tracking.”
- “Privacy law reform could not only lift the standards for consent, bring into scope a larger subset of the Australian economy, and expand the powers of the OAIC to enforce privacy law, but also introduce a ‘fair and reasonable’ test that could end these kinds of practices. The fair and reasonable test would prevent organisations from using consent as a shield for bad privacy practices.”
That catch-all fair and reasonable test may have been kicked into the second tranche of reforms, but Kind says the regulator is still looking at pixel use: “Are website providers properly configuring the way in which they pass on data to third parties, including social media companies.
“That's a good example of where we can use our existing powers and our existing law, but with a slightly different approach – a more tech-centric approach ... Can we follow the tech to look at how potentially privacy violations are occurring?”
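The configuration question Kind raises – what a site’s pixels actually pass to third parties – is something a site owner can check before the regulator does. The following is an added example, not code from the OAIC or from Mi3: it scans a page’s HTML for third-party image and script beacons and decodes what each one discloses. The sample page, the hostnames and the query-parameter names (`dl`, `rl`, `page`, `ev`, `id`, `sdkid`) are constructed to resemble common pixel beacons and are assumptions, not a specification for any vendor.

```python
"""Audit which third parties a page's tracking pixels disclose browsing data to.

Added example (not the OAIC's or Mi3's code). The HTML and beacon URLs below are
constructed for illustration; hostnames and query-parameter names are assumptions
chosen to resemble common pixel beacons, not a spec for any vendor.
"""
import re
from urllib.parse import urlparse, parse_qs

# Constructed sample: a health-provider page embedding two third-party pixels.
SAMPLE_HTML = """
<html><body>
<h1>Booking confirmed: sexual-health clinic</h1>
<img height="1" width="1" style="display:none"
 src="https://pixel.example-social.com/tr?id=123&ev=PageView&dl=https%3A%2F%2Fclinic.example.au%2Fbooking%2Fsexual-health&rl=https%3A%2F%2Fwww.google.com%2F"/>
<script src="https://analytics.example-video.com/i18n/pixel/events.js?sdkid=ABC&page=%2Fbooking%2Fsexual-health"></script>
<img src="/static/logo.png"/>
</body></html>
"""

FIRST_PARTY = "clinic.example.au"
# Path terms a reviewer would treat as sensitive (assumption for the demo).
SENSITIVE_PATH_TERMS = ("health", "clinic", "medical", "booking")

# Matches the src attribute of <img> and <script> tags, including multi-line tags.
SRC_RE = re.compile(r'<(?:img|script)\b[^>]*\bsrc\s*=\s*["\']([^"\']+)["\']', re.I)


def find_third_party_beacons(html, first_party):
    """Return (host, url) for every img/script src that leaves the first-party domain."""
    out = []
    for src in SRC_RE.findall(html):
        host = urlparse(src).hostname
        if host and host != first_party and not host.endswith("." + first_party):
            out.append((host, src))
    return out


def disclosed_fields(url):
    """Decode the beacon's query string into the name/value pairs the page passes along.
    In the sample, dl/page carry the visited URL and rl the referrer (assumed names)."""
    qs = parse_qs(urlparse(url).query)
    return {k: v[0] for k, v in qs.items()}


def audit(html, first_party):
    """Per third party: which fields are sent, which URL is leaked, and whether that
    URL's path looks sensitive (the 'medical provider' case Kind describes)."""
    report = []
    for host, url in find_third_party_beacons(html, first_party):
        fields = disclosed_fields(url)
        leaked_url = fields.get("dl") or fields.get("page") or ""
        sensitive = any(t in leaked_url.lower() for t in SENSITIVE_PATH_TERMS)
        report.append({
            "host": host,
            "fields": sorted(fields),
            "leaked_url": leaked_url,
            "sensitive": sensitive,
        })
    return report


if __name__ == "__main__":
    for r in audit(SAMPLE_HTML, FIRST_PARTY):
        flag = "SENSITIVE" if r["sensitive"] else "ok"
        print(f"{r['host']}: fields={r['fields']} leaks={r['leaked_url']!r} [{flag}]")
```

Run against the constructed page, both beacons are reported as sending the full path of a sexual-health booking page (and one also the referrer) to hosts outside the first-party domain. A static scan like this only sees pixels present in the served HTML; tags injected at runtime by a tag manager or consent platform are missed, so the fuller check is a browser network capture of every request the page makes after load.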
Loyalty test
Kind also hints at potential probes for loyalty programs, data enrichment and data broking businesses, as well as use of location data.
“I have existing concerns about some of these, and we've done some work previously on loyalty programs. It's something I'd like to look at again under the current framework. The ACCC recently did the Data Broker Inquiry, I think there are some concerning practices in that broad space, without speaking to specifics. So [that is] something I'd like to look at under the current regime and would suggest entities really look at processes that are there to make sure that they're watertight.”
On geotargeting, “we're looking at a case at the moment on this under the existing framework”, says Kind. “We have some real concerns about how it's being used, and particularly the robustness of collection practices around geolocation. So I would say again, [it is] in scope for scrutiny under the existing framework. I think the expectation is certainly under the tranche two changes [location data will be more tightly regulated].”
The use of de-identified transaction data by the likes of Commbank IQ and Westpac Datax is “an interesting one”, per Kind. “Because de-identified and anonymised uses of data that also then deliver value back to customers and to communities I think is a really exciting prospect in many respects. I certainly don't want to take a position which says we shouldn't be using data at all, particularly where it can deliver public good or consumer good. So I think well done, with the proper de-identification processes in place, there is a real prospect for that to be consistent [with Australian Privacy Principles].”
What about lookalike and custom audiences, hashed emails and data clean rooms – in the clear?
“I'd say no change to the current situation under tranche one. Tranche two, the changing definition of personal information could certainly have an impact. But it’s a bit difficult to say at this stage.”
Platform pressure
Asked whether the impact of privacy reforms will be evenly distributed, i.e. will big tech walled gardens benefit from a protective buffer that local companies cannot match, Kind says the answer is twofold.
“From where I stand, one is, with great power comes great responsibility … I think, and I believe, that those entities have additional responsibilities, [that] regulators should take additional scrutiny towards them,” says Kind.
“Where I think they have an advantage is that they have a lot of very good lawyers in house, and compliance is really often a process of working out how to go right up to the line and not going over it.”
She says the regulator is acutely aware of that approach, and will match it with a prescriptive regime that spells out: “What does good look like when it comes to compliance with the Privacy Act so that entities can go right up to the line and not over it. That will be the job that we're going to take on our shoulders to make sure there is a competitive and equal playing field when it comes to compliance with new laws.”
Does that mean big tech will get more scrutiny?
“We're certainly committed to taking a close eye to those entities that have the ability to really control markets, and where our intervention may change market practices – and that’s often going to be those big players.”
Fair warning
If Kind’s hunch is right and the next tranche of legislation lands next year, it will require some major changes, especially around the ‘fair and reasonable’ use of data stipulation. It will mean brands, publishers and everyone else will have to be able to simply articulate what they are doing with data – and that what they are doing is fair and reasonable in the eyes of the layman, even if they have obtained consent.
“It’s a higher bar [than GDPR] and it circumvents the consent challenges,” says Kind.
“Importantly, the onus is on the entity using the data. It is a responsibility that will sit on their shoulders. They will have to not only handle data in a fair and reasonable way, but they'll have to show that they're doing it in a fair and reasonable way – and explain it and make that clear to users.”
The fair and reasonable requirement – and the penalties and potential for class actions that will come with it – has been one of the biggest concerns for digital marketers, platforms, publishers and their advisors. (Potentially “a catastrophe” as one expert put it.)
Kind provides a working example.
“You’re a car company. You sell someone a car, and when they sit in the car for the first time, they're looking at the screen, and the screen says ‘We're going to collect a bunch of data on you and we're also going to share that data with our trusted third parties, do you consent to this collection?’ You say ‘Yes, I consent to that’, because you're sitting in your brand new car, and you're happy to do that. And then they pass that data on to an insurance company, and you later get a higher insurance premium because you put your foot on the brake too hard on occasion – which is probably what car companies are doing at this stage,” says Kind. (Update: She's right.)
“Within a framework that relies on consent, that is all lawful, because the individual has consented to that. But in a framework that relies on fair and reasonable, even if the individual consents, it may still not be fair and reasonable.
“So that is where the obligation is on the entity to say, ‘is it fair for us to ask this of an individual, and even if they consent, is it fair and reasonable for us to still pass that information on to the insurer?’ That is where those factors will come into play,” she adds.
“So it's not an insignificant responsibility on the shoulders of entities who are going to be processing data. They won't be able to cover their back with a consent-based approach.”
Hence many are breathing a sigh of relief that fair and reasonable use of the data that underpins the digital marketing industry didn’t make the first round of legislation. Because it might well prove hard to argue.