The ACCC’s Digital Platforms Inquiry Preliminary Report and its Ramifications in the Cyber Security
“At that point Google had accumulated seven months’ worth of maps tracking my daily activities, and I had no recollection of ever opting in to it.”
Caroline Dry discusses the Digital Platforms Inquiry.
If you have used Google to search for a location in the past year or so, you may have noticed a notification informing you that you had ‘visited this place two months ago’. If you had happened to click on that notification, you might have discovered that Google had started tracking your phone’s location in early 2018, creating maps of your daily movements which you could explore if you felt the need to remember exactly what you had done on the 24th of April last year. I chose to disable this ‘feature’ as soon as I learned of its existence. At that point Google had accumulated seven months’ worth of maps tracking my daily activities, and I had no recollection of ever opting in to it.
This experience is testament to both my lack of vigilance as a consumer and Google’s dedication to the accumulation of personal information. The ACCC’s preliminary report on its upcoming Digital Platforms Inquiry addresses the callous attitude towards data collection and storage that pervades Australian culture, both by escalating the consequences organisations might face should data in their possession be lost and by empowering consumers to attach more value to their data.
As it stands, Australia’s laws surrounding data storage and breach are underdeveloped and reactive in nature. The Notifiable Data Breaches Scheme, which was introduced in February 2018, deals with the steps an organisation must take after a data breach has occurred. It focuses largely upon reporting data breaches to affected parties, and the penalties attached to non-compliance with the scheme are negligible to many private entities (a maximum of 2.1 million AUD). This system does little to disincentivise organisations from accumulating as much personal information as they can on the vague understanding that data is simply good to have, which, of course, unnecessarily places that data at risk of breach. Furthermore, it does not empower individuals to see their data for what it is: a commodity with a monetary value attached to it. It certainly does not encourage them to seek redress when their data is lost. Those who wish to be compensated for an organisation’s loss of their personal information may request that the Australian Information Commissioner take disciplinary action for non-compliance with the Privacy Act, an approach which has so far earned public apologies rather than monetary compensation (see 'PB' and United Super Pty Ltd as Trustee for Cbus (Privacy)  AICmr 51). Class actions in this space are underway, but have not seen the same success in Australia as their counterparts in the United States.
The recommendations within the Digital Platforms Inquiry will hopefully address many of these issues. Preliminary Recommendation 8(e) suggests that the penalty for breach of the Privacy Act be brought into line with the penalties in the Competition and Consumer Act (a substantial increase in severity). Preliminary Recommendation 8(c) calls for an obligation to obtain a more active level of consent from consumers when their data is being collected. Preliminary Recommendation 11 suggests that ‘unfair contract terms’ be made illegal under consumer law, which may attach negative consequences to the ‘opt out’ data collection and privacy settings commonly used by social media giants. Increasing the risks attached to loss of data might encourage organisations to consider exactly why they need so much information. Consumers, in turn, might take more ownership of their data.
The Interim Report has also proposed that individuals have a direct cause of action under the Privacy Act for data loss (Preliminary Recommendation 8(f)), and has recommended a statutory cause of action for ‘serious invasions of privacy’ (Preliminary Recommendation 10), meaning that individuals would no longer have to seek redress via the Information Commissioner.
These changes, if implemented, might allow a body of case law to accumulate which attaches monetary value to personal data and its loss. The ACCC’s release of its Digital Platforms Inquiry in June of this year will hopefully establish a mindset among consumers that their information is worth something, and that it should be protected both by themselves and by the organisations hoping to use it.