Who could imagine weathering this COVID-19 pandemic without the innovations and connectivity brought by digital platforms. The benefits of digital platforms to society have been immense and have also enabled efficient and effective advertising, and facilitated connections with consumers.
However, with this innovation came the ‘dark side’ of this technology where consumer interests have become obfuscated. Following high profile data breaches, the Australian Competition and Consumer Commission (ACCC) launched its Digital Platforms Inquiry in July 2019. The consequences of this inquiry and the changes to the regulatory landscape will, in our view, be almost be like a COVID-19 for digital.
This article will provide an overview of the Digital Platforms Inquiry (DPI) and follow-ons, highlight the focus on the protection of consumers and their privacy/personal data, touch on current Regulator Court actions relating to consumer privacy and data, and what the future may hold. This article is part of a series that we will be releasing where we navigate these issues in more depth and provide updates and insights as the law and regulation evolve.
The ACCC is the independent Commonwealth statutory authority whose role is to enforce the Competition and Consumer Act 2010 (Australian Consumer Law) a piece of federal legislation which focusses on the protection of consumers.
In December 2017 the ACCC, directed by the Federal Government, was asked to consider the impact of search, social and content on all stakeholders and consequently conducted their DPI.
Released on 26 July 2019, the DPI Report spans 600+ pages and confirms law and regulation have not kept pace with technology and commercial practice. The DPI Report places a particular focus on the protection of consumers’ privacy and data, standards of consent, and transparency of data handling.
In this report, a Digital Platforms Branch was recommended and is now established to conduct investigation and prosecution.
The DPI Report has deliberately targeted the ad tech supply chain and interaction of digital platforms, online advertising and ad tech services. The recommendations have ramifications for businesses in programmatic advertising including advertisers, media agencies, ad tech platforms and publishers.
On 12 December 2019, the Federal Government responded to the DPI Report with a detailed roadmap for policy and law reform. This is now the beginning of intense investigations, court cases, and law reform that will likely occur over the next decade.
In March 2020, the ACCC released an issues paper for inquiry into the tech stack. Many agencies and advertisers responded, including the MFA. The ACCC seems to be zeroing in on the complexity and opacity of ad tech and ad agency services –stating that “… online display advertising practices certainly warrant some digging”.
The ACCC must provide its final report to the for Federal Government by 31 August 2021, and then there will be new law enacted most likely with a transparency focus.
On 23 October 2020, the first interim report was released by ACCC. This report focused on consumer protection issues of messenger services including Facebook Messenger, WhatsApp, iMessage & FaceTime.
The ACCC places significant importance on consumer’s being able to make ‘informed choices’ about the handling of their data. They are of the view that the current practice of platforms means that consumers are unable to assess the current and future consequences of providing their data.
In the ACCC’s view the practice of using clickwrap agreements, take it or leave it consents, and bundling numerous consents is very problematic and results in legally questionable consumer consent.
They also consider that Privacy Policies that are too long, complex, vague and difficult to navigate are problematic and furthermore it is an issue that consumers may not be made aware about targeted advertising and third-party data sharing within these Privacy Policies.
Businesses with Privacy Policies that ostensibly protect consumers, but where the policies are not followed in practice, are in the ACCC’s view also problematic.
Generally, it is the ACCC’s position that Australian privacy regulation should be more closely aligned with the GDPR’s higher standards of protection.
The Office of the Australian Information Commissioner (OAIC) is the national privacy regulator and has supported many of the ACCC’s recommendations in the DPI, and has suggested additional protections for consumers.
The OAIC believes that the threshold for consumers providing their consent should be aligned with the GDPR’s standards and enable graduated consent (consent to different uses over time) and tiered consent (consent to giving more PI in exchange for different products or levels of services).
The OAIC is of the view that there should be a right to object by individuals for specific data collection purposes, and that there should be compensation under the Privacy Act 1988 (Cth) (Privacy Act) for interference with privacy.
They also challenged anonymous and de-identified data as a PI protection method due to AI and data analytics technologies and think that the law should treat all data as PI (see below our Big Bets).
Below are some examples of current regulator court actions. There is a pervading theme throughout these cases where the issue is one of the consumer being given the opportunity to make an informed choice, provide informed express consent, and retain control. In such cases we see that the ACCC and the OAIC are increasingly willing to bring actions against companies.
Stealing a march on the OAIC and not waiting for new law to fall out of the DPI process, the ACCC is using misleading and deceptive conduct provisions under the ACL to bring businesses with data as their center of gravity to heel.
On 20 August 2020, Health Engine was found liable for collecting and disclosing users’ personal data and patient information to insurance brokers without consent and for publishing misleading patient reviews and ratings and was issued a $2.9 million fine.
On 29 October 2019 in proceedings against Google the ACCC claimed that Google breached Australian Consumer Law through misleading conduct and false representations made via phone screens about the sensitive and valuable personal location data it collects, keeps and uses (for numerous purposes). This was largely (in part) due to the fact that the consumers were unable to make an informed choice on sharing this data with Google.
On 27 July 2020, further proceedings were brought against Google with the ACCC alleging misleading conduct by Google in obtaining consumer consent to expand the scope of PI that Google could collect and combine about internet activity for various purposes including targeted advertising. The ACCC alleges Google misled consumers when it failed to properly inform consumers and due to the fact that there was a failure to obtain explicit informed consent.
If Google is found liable, the fine is likely to be many millions and the precedent will have a profound impact on data and PI collection, use and disclosure by businesses.
Sensing a move into its territory and not to be outdone, the OAIC has now launched its own action against a tech giant.
On 9 March 2020 the OAIC issued proceedings against Facebook alleging it committed serious and repeated interferences with privacy in breach of the Privacy Act.
The allegation is that PI of Australian Facebook users was disclosed to the “This is Your Digital Life” app (and possibly Cambridge Analytica) for a purpose other than its disclosed purpose of collection. It alleged that there was an inability of users to exercise reasonable choice and control about how their PI was disclosed.
In this case, the OAIC is seeking a penalty for each act of disclosure of PI and consequently, the penalty could theoretically be as high as $500 billion. The precedent that this may set will also have a profound impact on data and PI collection, use and disclosure by businesses.
The DPI Final Report, ACCC’s recommendations, Federal Government response, establishment of the Digital Platforms Branch, current inquiries and prosecutorial vectors of the ACCC and OAIC point to a significant future impact on any business with data and PI as their center of gravity.
Significant court cases are already underway against the big platform players even before DPI Report spawned laws have hit the statutes.
All businesses involved in programmatic services will be impacted – advertisers, media agencies, publishers and suppliers in the middle layers of the ad tech stack (SSP’s, DSP’s, DMP’s, Ad X) as will businesses that rely on consumer data driven business models eg sale of segment data for targeted advertising or customer loyalty schemes.
Here are some of our Big Bets on what is coming in the future:
Businesses that engage with and embrace the change will have the commercial advantage, in particular businesses that:
Businesses need to start immunising themselves now and prepare for the changes to come. Aligning practices, disclosures, and consents with the GDPR would be a good place to start in the absence of specific new law at present.
von Muenster Legal will continue to provide updates and guidance to the industry as the nature and extent of changes to the law become known.