Adtech’s opaque data collection practices are under the regulator’s microscope and targeted advertising could become opt-in only under potential reforms to Australia’s privacy law.

Those are two of the possible changes highlighted by Anna Johnston, Principal of Salinger Privacy, one of Australia’s most respected experts in privacy law. 

During a webinar hosted by IAB Australia last week, Johnston addressed a series of potential changes to Australia’s privacy regulation that will impact the local digital marketing and advertising industry. 

Johnston said she has seen signals in speeches from the privacy commissioner and OAIC submissions to various ACCC inquiries into digital platforms, consumer loyalty schemes and adtech that indicate the direction of Australia’s future privacy rules. 

The signs are worth paying attention to given that the Australian federal government has made an in principle decision to reform the Privacy Act in 2020 – 2021 along those lines of the recommendations made in the ACCC’s Digital Platforms report. 

 “We’re yet to see any detail but I think that’s the general direction that we’re moving in,” Johnston said. 

The recommendations include a focus on improving and bolstering the definitions of consent,  expanding the definition of personal information to include online identifiers like cookies and other tracking technologies, and giving consumers more power over their data. 

For example, Johnston noted that the OAIC has more recently started to call out things like whether or not the means of collection of personal information is fair in relation to the customer loyalty schemes, ad tech profiling and tracking of consumers.

They’ve actually started to query if some of that kind of tracking and profiling behaviour breaches Australian privacy principle 3.5, which is the rule that says collect only by fair means. Especially if the practices are opaque – so if consumers don’t actually know what’s going on.”  

A fairness test would require consumers to understand fully what they are consenting to. 

“[There possibly could be] tougher rules around the secondary use or disclosure of personal information. The OAIC is talking about an overriding fairness test and maybe targeted marketing and profiling for ad tech will be opt-in only,” Johnston said. 

Consumers’ rights over their data could also be strengthened under changes to Australia’s privacy laws, bringing it closer to Europe’s legislation. 

“GDPR is the current European privacy law, and they have extra data subject rights. Here we have rights of access and correction [of personal data], they’ve also got rights of erasure or deletion and algorithmic fairness and transparency. So possibly we’ll see the Australian law beefed up to try and mirror the European law,” Johnston said.

Regulatory changes could also introduce and increased focus on accountability through methodologies like privacy impact assessments on new projects or by making privacy by design mandatory, Johnston said. 


Privacy reforms may be accompanied by greater powers for regulators as well as the ability for consumers to sue companies directly over privacy breaches. 

“The OAIC is obviously going for more powers and a bigger budget, and possibly a direct right of action, meaning consumers could sue companies directly for breaches of the privacy principles, rather than have to go through the privacy regulator,” Johnston said.   

Johnston also noted the Privacy Commissioner Angelene Falk has signalled that she is more willing than her predecessors to use section 52 determined action – a decision published by the OAIC which sets a precedent. The alternative is to conciliate and settle privacy complaints “relatively privately”. 

The OAIC has also embraced the co-regulatory model, which is gaining momentum overseas as well, to join forces with the ACCC. Johnston noted regulators are increasingly forming new alliances to police digital platforms, marketing and adtech industries.

She cited a speech by New Zealand Privacy Commissioner John Edwards delivered in the wake of the Christchurch massacre, calling for regulators to join forces “to deal with the power of symmetry of the big tech companies”.  

“So he’s actually talking about not just the consumer and competition regulators and privacy regulators but also online safety regulators, and to a lesser extent those covering intellectual property and publishing issues.”

Previous post

Optus poaches new execs from Paypal, NBN and Westpac

Next post

CDR accreditation opens to fintechs as open banking roll out progresses

Join the digital transformation discussion and sign up for the Which-50 Irregular Insights newsletter.