Friday, October 25, 2019 at 4:19:33 PM GMT+10:00
Adrian Lawrence, Allison Manvell, Eli Fisher
LISTEN: Adrian Lawrence, Allison Manvell and Eli Fisher provide insights into how the Digital Platforms Inquiry may change the way that personal information is used and collected and the impact this might have on businesses that rely on personal data.
Transcript of podcast:
This is one of the first times we've seen the ACCC as a consumer regulator move into the privacy space. There's one other example where it's getting a role but this is a really sort of wholesale move by the ACCC into regulating privacy, traditionally an area for the Privacy Commissioner, and the ACCC's using its powers to regulate and promote consumer interests as a way into this whole question about data and privacy and that is a jumping off point.
Well I think there's been, in terms of the data side of things, a move to give customers, end customers that is, more control over their data and that's playing out in a number of ways. It's playing out in terms of their privacy rights. It's playing out in terms of the information that they are being given about how their data is being held, both from a privacy law perspective but also from a consumer law perspective. Is that information presented in a way that's clear, that's not misleading and I think that those things in terms of the consumer's right to control their data is a real driver here. It's also a real driver in terms of other areas of law that we are looking at sort of at the same time as this digital platforms report, consumer data right is another thing that's on the table at the moment and it's being rolled out in different sectors which really gives consumers a right to direct the transfer of their data between different entities in the market and it opens up that space.
But I think when you look at these things, there's a few tensions between those different aspects as they play out. You have the tension of trying to you know increase privacy protections and at the same time you have this drive to increase innovation and competition by opening up certain data sets and those two things, you know don't necessarily always sit neatly together.
Yeah it's an excellent point I think trying to get that balance right is really important. I think you know many people would say individuals should have a right to a level of control about how their data is collected and used and certainly a level of understanding about what is to be done with their data, but at some point that tension becomes problematic such that if you're giving consumers such significant rights, that's going to start to limit the ability of businesses to use that data to innovate, to provide better products, to move their markets forward and trying to get that balance right is really key here.
And I think it's something that's played out as you read through the digital platforms report. You know there are recommendations in there that talk about the increased privacy rights of individuals, but there's also been many submissions to the report that really say we can compete better if we get more access to data. If we are able to share data more than we do at the moment, we could compete better in this sector and those two things you know as I said, really do just sometimes butt up against each other a little bit. They're two great objectives but they really don't always neatly sit side by side.
The point that Allison just made about consumer data right, the whole idea behind that is there's data collected, big data sets collected by banks, by energy companies, by telcos and those data sets should be freed up. They should be made available to fintechs, to start-ups, to other organisations to allow those organisations to innovate with that data and that's what that slightly separate piece of regulation is aimed at. Very much from a competition perspective.
I think it's a fair call to say that consumers are becoming more interested in this topic. You know you look at just the press over the last few years and I think that there's definitely an interest in how personal data is being used, that wasn't there a few years ago.
You know having said that, you know you also look at how consumers actually in practice engage with different players online and with different platforms and I think there's sort of some interesting questions around you know where that interest actually goes in terms of consumer behaviour. You know do consumers choose the platform that they're engaging with based on things like privacy concerns or is it really other concerns that override those things for them.
Now the ACCC would say there's a number of reasons for that but they do acknowledge there's this real paradox here what people say they think is important to them and their behaviour, what actually is important to them in terms of how they deal with businesses maybe is not fully aligned as yet.
And I think it also plays out just in terms of how businesses increasingly actually engage with consumers in an online setting. You know how much information that they're providing because it can get to a point I think where you have information overload of a sort.
You know you're providing so much information via your setup processes and otherwise that consumers actually get irritated by that rather than having a position where it's providing you know more visibility and it's better from a consumer perspective. You know there's a few issues there in terms of how that plays out in terms of the consumer experience I think.
That raises a really interesting question about the notice provisions that they want to give consumers and the prospect that it's going to be a lot more onerous on people collecting data and it begs the question whether it's going to create this sort of privacy notice fatigue.
The more you're being told what's happening with your data, the more hurdles you have to click to actually start up an app, the more you don't read them and the more they become less relevant.
I think that's right and there's also a move in the recommendations from current Australian privacy law which is very notice based to a position where Australian businesses operating in Australia would need to seek a lot more consents to use of data and I think there are real questions for the point at which that becomes prohibitive for new apps, you know new start-ups that are coming into markets and are having to put so much in front of consumers in terms of consents before they actually even engage with products as to the point where, at which, consumers just say I can't be bothered with this. I'm not going to do it at all.
For smaller players coming in, that could be a real concern.
There is a real question here about start-up versus established business and is it the case that established businesses have actually already done the work, collected all the data and the regulation that's potentially going to come in now will actually just stifle that innovation at the lower level.
It's a really interesting competition question in there.
The other point that Eli you might want to talk to is the statutory right and I think that's another interesting part of this, an actual right to sue for breach of privacy.
Yeah so this has come up again I suppose. We have a recommendation that Australia has a statutory tort of seriously invading somebody's privacy. Now it's been the subject of probably half a dozen Law Reform Commission reports, recommendations consistently saying there should be a statutory tort. It's been like that for a number of years and there's also been some movement in the Courts as well to develop a common law tort. It hasn't quite taken off yet and it remains to be seen whether this recommendation is actually going to change the game at all but there is the statutory tort being recommended and that basically would allow individuals to sue for invasions of privacy that I think in some respects could help the situation. Right now you've got a Privacy Commissioner that is charged with protecting privacy in the first instance and sort of protecting privacy from a public perspective but also from a private perspective would be useful.
Simultaneously, there's also been a recommendation that there's an individual right to bring an action for a breach of the Privacy Act and it sounds somewhat similar. There are differences and I mean a few key differences are that a breach of the Privacy Act is a serious invasion of privacy but by an entity other than an APP entity or for example a media organisation doing it in the course of journalism, those sorts of things wouldn't necessarily be a breach of the Privacy Act, but it could still give rise to a right in tort.
So some really interesting recommendations there and to my mind at least probably the Privacy Commissioner needs a little bit of help from the private individuals wanting to enforce their rights.
Yeah and I think one of the potential outcomes of that is you take the individual right and you put that together with our growing push towards class actions in Australia. Add those two things together, quite possibly we will start to see significant class actions based on a breach of privacy.
We're starting to see that in the States. It's on its way in Australia and if this tort came in, then that would be the path for a data breach to give rise to a sort of big piece of litigation against an organisation. That would be quite a game changer.
I think it's probably fair to say that up till now most of the action in this space, because it has to go via the Privacy Commissioner you know that really acts as a gateway to any action happening in this space. So the times that we've seen litigation in the privacy space in Australia in the past have really been more on interesting points of law that go to defining the scope of the current privacy law.
Whereas that change, apart from being quite a change for what individuals, the action individuals can actually take, it really would have opened up to different drivers for the types of actions that people are bringing. You know actions that are based on major breaches and that are based on you know perceived consumer detriment would become a much bigger focus I think.
Yeah the other way in which that could easily play out is shareholder actions against companies if it is felt or shown that there's been a breach of privacy and that's led to a loss of shareholder value, then it's quite possible we might see class actions by shareholders for a failure to maintain appropriate levels of privacy or cybersecurity. That's sort of on its way I think in Australia as well.
Well you are seeing that certainly in the APRA regulated industry so where there's a real push to make it very clear that the Board of Directors are going to have to take responsibility for information security, but I think it's also worthwhile just to come back to that point of enforcement. I mean without enforcement the privacy law is just a regulatory framework and I think traditionally it's been viewed as sort of the benchmark of customer service and not really much more than that. Don't annoy your customers and this is what annoying your customers looks like. But we're seeing already an increase in penalties of breaching the privacy law.
If we have rights in tort, then we're going to be seeing a lot more enforcement I would have thought and part of this picture is what's going on in Europe where since May last year, May 2018, we've had the GDPR, and that's sort of been in the works at least since 2016, and what we're seeing is a much greater push for privacy rights, privacy enforcement. The penalties are getting much more into the realm of what was traditionally anti-trust, the competition law penalties and all of a sudden what I think we're all seeing is that Boards are taking it a lot more seriously than they were a few years ago.
Well I think one of the biggest issues is really having to change the hat that you wear when you're looking at customer engagement from a data perspective.
I think up till now the focus has very much been on privacy. If you're collecting data, you look at the notices that you had to give from a privacy law perspective, make sure that they're compliant and then you go ahead. I think now the fact that the ACCC is showing increased interest in this space, that it's showing a willingness to actually look to the Competition and Consumer Act and the Australian Consumer Law in particular as a source of power to take action around businesses engaging with the consumers on the data front and the fact that recommendations have been made for changes to the law that would go even further means that it's really just coming at businesses from a new angle and that's just not confined to digital platforms or digital players. Those changes will be, if they come out, will be coming out in you know economy wide. It's not something that is specific to the digital space. So looking at the way that a business engages with consumers, saying not only does it have to tick all the boxes from a privacy perspective, but am I engaging with them in a way that is clear, in a way that you know that they can understand, in a way that you know perhaps visually hits boxes to make people understand things better as opposed to just getting all of the necessary ticked boxes in front of them.
I think that's a real change in how people are going to think about privacy engagement when they're setting up processes with consumers.
Yeah and I think the other side of that, this is really the next big step change in privacy law. We've seen GDPR come in, we've seen potential for fines, 4% of global revenue, very very significant multi-million dollar fines in Europe.
What we're going to start to see is a push for that in Australia and therefore privacy and other areas like cybersecurity, being issues that Boards must take very careful consideration of. But that's been a journey in Australia in the last 15 years where privacy previously was, as Eli said, you know really something that, yes take it into account but it's a compliance issue, it's a lower level issue. Now it's an issue that can really make or break organisations and Boards because of the level of concern that will be driven through these changes.
And something that I'm seeing a fair bit of is how that affects transactions. So I think it's become a much bigger deal in due diligence reports which is important for customers to understand, clients to understand. It's not just about managing your business on an ongoing basis so that you don't get into trouble. It's also about making sure that all of your documentation is in order, making sure that all of your processes are in order because if down the track you're looking to attract investment or you're looking to sell the business, you're going to want to be able to show that you've been handling your data security really really carefully for a very long time and especially if you're buying things from overseas, if you're dealing with overseas.