The industry group representing technology companies including Google and Facebook has pushed back on the ACCC’s recommendation that the government should strengthen the protections in the Privacy Act.
Responding to the ACCC Digital Platform Inquiry report, which made 23 recommendations, the Digital Industry Group (DIGI) has argued Australia cannot afford a “GDPR Plus” style of privacy legislation in a submission to Treasury.
DIGI is a non-profit industry association that advocates for the interests of the digital industry in Australia, with Google, Facebook, Twitter and Verizon Media as its founding members. It also has an associate membership program for smaller digital companies, such as Redbubble and GoFundMe.
The government has said it will respond to the ACCC’s proposed recommendations by the end of the year.
The submission took issue with the majority of the recommendations, urging the government to be wary of the “unintended consequences” which could stifle innovation and have effects on the broader economy. It also included a detailed response to recommendation 16 – to strengthen protections in the Privacy Act.
The submission argues that, at a high level, the recommended reforms exceed the standards of the EU’s General Data Protection Regulation (GDPR), which is currently considered the world’s strictest privacy regime.
DIGI noted that many companies outside the digital sector collect and use considerable volumes of personal information and should be actively engaged in the consultation process before any changes are made to Australia’s privacy legislation.
“It is reasonable to assume that not all affected industries are paying due attention to the wide scope of the ACCC’s DPI recommendations, nor engaging in the Treasury consultation period,” the submission states.
Under recommendation 16a, the ACCC considers extending the definition of personal information to include IP addresses and device identifiers.
DIGI says, “The combined effect of 16a and 16c is that a digital provider must obtain user consent before an IP address or device identifier is collected, resulting in a consumer being blocked with a consent screen before a page can even load.”
“We believe that IP addresses should not be deemed to be personal information where they are not actually used to identify an individual.”
Switching off targeted ads
DIGI also raised concerns with the implication in recommendation 16c, which relates to obtaining consent from users, that any digital product or service’s use of targeted advertising must be pre-selected to off.
“A default pre-selection of targeted advertising to off will have an impact on the whole economy, for every company or other organisation — large and small — that advertises goods, services or public interest causes on the Internet.”
The submission noted, it would also have an impact on digital platforms that are supported by advertising — the same business model used by many traditional media organisations. “Advertising powers free digital services and the wide range of freely available content available to consumers.”
The submission also urges against unbundling consent, saying, “The requirements around disclosure not being bundled will effectively see consumers have to check a box for each distinct act of data processing, providing a huge burden on the average consumer.”
“Seeking consent for every such act of data processing that businesses undertake has been rejected in other jurisdictions, such as the EU and California, as completely impractical.”
Within recommendation 16, DIGI is supportive of 16d, which would allow for consumers to request their data be deleted.
DIGI members allow their users to delete, access and correct their personal information in accordance with the Australian Privacy Act 1988 and where relevant they apply the GDPR’s requirements in this area. (But this would be a new burden on businesses which don’t have strong data governance practices).
Also, DIGI is broadly supportive of recommendation 16b,which proposes making data collection notices clear, transparent and easy to understand. The industry group said its members all provide comprehensive notices that outline data use; however, they are in legalese for a reason.
Such attempts to make notices more transparent must recognise they are legal documents, DIGI argues. “As a result, there can be a level of complexity in such a contractual agreement that must also hold up in a court of law if required.”