Digital Advertising Services Inquiry – Interim Report

15 An important part of the CDR is that it generally requires consumers to expressly consent to any disclosures, collections and uses of their CDR data.

16 Data portability regimes internationally are similarly consumer-led, with both the European Union’s (EU) General Data Protection Regulation (GDPR) and the California Consumer Privacy Act containing a right to data portability at the request of consumers.[8]

17 Accordingly, the OAIC recommends that any data portability right in relation to ad tech should only be with the voluntary, express, informed, specific as to purpose, time limited and easily withdrawn consent of the individual and not exercisable by advertisers or other third parties without this consent.

18 The interim report acknowledges that data portability raises privacy risks for consumers. Relying on individual requests for a data portability right will require appropriate transparency measures and controls to ensure that individuals can provide valid consent. Strong organisational accountability measures should also be included to reduce the risk of misuse of the personal information, for example, mandating secure transfer methods and other security requirements.

19 The CDR scheme seeks to address privacy risks through obligations around consent, transparency, accreditation and data minimisation. This scheme also expressly prohibits the use or disclosure of CDR data for certain purposes.

20 The OAIC recommends that the ACCC consider the applicability of the privacy-enhancing features of the CDR as a model for developing any new data portability proposals for the ad tech sector.

21 The OAIC suggests consideration is given to whether any new data portability right could sit appropriately in an existing regime such as the CDR scheme, or whether a new regime should be created. In doing so, it will be important to consider how this right aligns with the purpose of the CDR.

22 If a separate regime is created, it will be necessary to consider the interaction of the regime with the CDR scheme, the Privacy Act and other global privacy regimes. In doing so it should ensure that the scheme is not unnecessarily duplicative and minimises additional regulatory burden on entities. It will also be important to consider how the regime can be structured to avoid confusion for individuals as to which regime they should use to access their data portability rights.

23 Proposal 1 also considers measures to increase data interoperability and proposes standardised sharing of non-personal, aggregated or anonymised data in limited circumstances without consent.

24 While enhancing data interoperability may promote competition in the ad tech sector, the interim report acknowledges that this may carry privacy risks. These risks primarily relate to ensuring that this information is appropriately de-identified, and then managing the subsequent risk of re-identification.

25 Information that has undergone an appropriate and robust de-identification process is not personal information and is therefore not subject to the Privacy Act. This requires there to be no reasonable likelihood of re-identification occurring in the context that the data will be made available.

26 Appropriate de-identification may be complex, especially in relation to detailed datasets that may be shared widely and combined with other data sets. In this context, de-identification will generally require more than removing personal identifiers such as names and addresses. Additional techniques and controls are likely to be required to remove, obscure, aggregate, alter and/or protect data in some way so that it is no longer about an identifiable (or reasonably identifiable) individual.

27 This may be particularly challenging in relation to ad tech. As stated in the interim report, bid requests that contain more detailed data will be more attractive. This creates a commercial incentive to continually collect and link information to profiles of individuals, which will likely increase the difficulty in ensuring that this information is able to be appropriately de‑identified.

28 Similarly, any sharing of data, even at an aggregated level, increases the risk of re‑identification. This is because de-identification is not a fixed or end state. Data may become personal information as the context changes. Managing this risk will require regular re‑assessment, particularly if an entity receives additional data, even at an aggregate level, through these data mobility proposals.

29 Accordingly, if the ACCC develops this proposal further, the OAIC recommends that the ACCC have regard to the OAIC’s guidance on de-identification as well as the De-Identification Decision-Making Framework, produced jointly by the OAIC and CSIRO-Data61.[9]

30 The requirements around de-identification arise in the Privacy Act Review. The OAIC recently recommended additional protections for de-identified data including:

• Amending Australian Privacy Principle 1 (APP) to insert an express obligation that an APP privacy policy must notify individuals that their information may be anonymised and used for purposes other than those permitted for the initial collection (recommendation 9).
• Extending the obligations of APP 11 to require APP entities to take reasonable steps to protect anonymised information from misuse, interference and loss, and from unauthorised access, modification or disclosure (recommendation 10).
• Introducing a prohibition on APP entities taking steps to re-identify information that was collected by them in an anonymised state, except in order to conduct testing of the effectiveness of security safeguards that have been put in place to protect the information (recommendation 11).
• Extending Part IIIC of the Privacy Act to require notification where:
• there is unauthorised access to or unauthorised disclosure of anonymised information, or a loss of anonymised information, that an entity holds, in circumstances where there is a risk of re-identification of that information
• if this information is re-identified, it is likely to result in serious harm to one or more individuals, and
• the entity has not been able to prevent the likely risk of serious harm with remedial action (recommendation 12).

The OAIC recommends:

• Any data portability right in relation to ad tech should only be with the voluntary, express, informed, specific as to purpose, time limited and easily withdrawn consent of the individual and not exercisable by advertisers or other third parties without this consent.
• The ACCC consider the applicability of the privacy-enhancing features of the CDR as a model for developing any new data portability proposals for the ad tech sector.
• The ACCC consider whether any new data portability right could sit appropriately in an existing regime such as the CDR scheme. In doing so, that it consider how this right aligns with the purpose of the CDR.
• If a new data portability regime is created, the ACCC consider the interaction of the scheme with the CDR scheme and the Privacy Act.
• If the ACCC develops a data interoperability regime, the ACCC have regard to the OAIC’s guidance on de-identification as well as the De-Identification Decision-Making Framework, produced jointly by the OAIC and CSIRO-Data61.

31 Proposal 2 considers data separation mechanisms such as data silos, which would prohibit the combining of certain data sets, and purpose limitation requirements, which would prohibit the use of certain data such as health information for ad targeting purposes. The ACCC also proposes additional controls for consumers over how their information is used for an organisation’s ad targeting function.

32 The interim report acknowledges that there will be some overlap between this proposal and the Privacy Act to the extent that the relevant data is personal information. That said, while the Privacy Act does create certain requirements and limitations around the use of personal information for direct marketing, it does not contain explicit prohibitions on the combination of data sets or the use of particular types of personal information for direct marketing.

33 It is becoming increasingly clear, however, that some types of information handling practices in the digital age simply do not meet the expectations of the Australian community. For example, the results of the Australian Community Attitudes to Privacy Survey 2020 showed that 79% of Australians consider an organisation inferring information about them (for example, sexual orientation, mental health, political views) based on what they do online to be misuse.[10]

34 The OAIC’s submission to the Privacy Act Review recommended the introduction of full or partial prohibitions on certain information handling practices into the Privacy Act, including:

• profiling, tracking or behavioural monitoring of, or directing targeted advertising at, children
• the collection, use and disclosure of location information about individuals.[11]

35 Similar restrictions have been proposed overseas. In his opinion on the EU Digital Services Act, the European Data Protection Supervisor (EDPS) wrote:

• The EDPS invites the co-legislature to consider further restrictions in relation to (a) the categories of data that can be processed for targeting purposes (e.g., limitations regarding the combination of data collected “off platform”); (b) categories of data or criteria on the basis of which ads may be targeted or served (e.g., criteria that directly or indirectly correspond with special categories of data or might be used to exploit vulnerabilities); and (c) the categories of data that may be disclosed to advertisers or third parties to enable or facilitate targeted advertising.[12]

36 Accordingly, the OAIC supports the ACCC’s proposal to restrict or prohibit the combination of data sets or the use of certain information, such as health information, for targeted advertising.

37 If the ACCC continues to develop this proposal, consideration will need to be given to how these prohibitions would intersect with the Privacy Act and the proposed code for social media and online platforms which trade in personal information.[13]

The OAIC recommends:

• Proposal 2 be considered further, especially in relation to location information, and profiling, tracking or behavioural monitoring of, or directing targeted advertising at, children
• The ACCC consider the interaction between Proposal 2, the Privacy Act and other regulatory initiatives such as the Privacy Act Review and proposed code for social media and online platforms which trade in personal information.

The OAIC recommends:

• The ACCC undertake a PIA to determine whether the proposed common user ID and common transaction ID are reasonable, necessary and proportionate. The PIA should consider issues such as:
• The risk that a common user ID or common transaction ID are or may become personal information, and the extent that this can be managed or mitigated through the implementation of appropriate policies, procedures and privacy controls.
• The extent to which any other privacy risks stemming from these proposals can be managed or mitigated through the implementation of appropriate policies, procedures or privacy controls.
• Whether the objectives of these proposals can be achieved through other means that are less privacy intrusive.
• The parties that will have access to a common user ID or common transaction ID, and whether these parties are subject to the Privacy Act.