1 The Office of the Australian Information Commissioner (OAIC) welcomes the opportunity to comment on the exposure draft of the Treasury Laws Amendment (News Media and Digital Platforms Mandatory Bargaining Code) Bill 2020 (the draft Bill).
2 The draft Bill will amend the Competition and Consumer Act 2010 to establish a mandatory code of conduct to address bargaining power imbalances between digital platforms and Australian news businesses (the draft code). The draft code will enable news media businesses to bargain individually or collectively with digital platforms over payment for the inclusion of news on their services through a framework based on negotiation, mediation and arbitration.
Minimum standards – Giving explanations of information
3 The draft code also introduces a series of ‘minimum standards’ that digital platforms must comply with in their dealings with news media businesses. These minimum standards include a requirement for digital platforms to provide news media businesses with clear information about the data they currently collect through news content.
4 The draft code sets out the information that a digital platform must provide to a news media business, which includes, but is not limited to, a list and explanation of all types of data the digital platform collects about the news media business’ users through their engagement with relevant news content on the digital platform’s services and information about how the registered news business can gain access to the data.
5 The draft explanatory memorandum states that the obligations imposed by this minimum standard are not intended to require digital platforms to share any ‘particular user data’ and any disclosure of data must comply with the Privacy Act 1988 (Privacy Act).
6 Accordingly, we understand that it is not the intention or function of the draft code to implement new data sharing measures or authorise the disclosure of identifiable user data. However, for the avoidance of all doubt, we recommend that the draft Bill includes a provision, similar to the requirement in cl 52V around revealing trade secrets, that nothing in the Act requires or authorises the disclosure of personal information in a manner inconsistent with the Privacy Act.
7 The OAIC understands that news media businesses may elect to negotiate with the digital platforms for access to more user data but, as outlined above, the protections in the Privacy Act will continue to apply and any personal information sharing must be in compliance with the Privacy Act.
8 Subject to our comments below, the OAIC is broadly supportive of this approach. The OAIC is concerned to ensure that the code does not authorise or require additional personal information handling practices. Rather, the Privacy Act framework should continue to apply without derogation in order to ensure that individuals’ privacy is not directly impacted as a result of the code.
9 The bargaining framework does place the option of access to more user data on the table as an issue that may be negotiated between the parties. Any negotiations between parties to share user data, or increase the amount and types of user data currently being shared, raise a number of important privacy issues that warrant careful consideration to ensure the handling of user data is consistent with the Privacy Act and community expectations. The OAIC generally expects digital platforms and news media businesses would undertake a PIA, either independently or jointly, of any proposed arrangements to share user data, particularly those that pose a high privacy risk.
10 To that end, the OAIC would also seek to remind digital platforms and news media businesses of their existing obligations under Australian Privacy Principle (APP) 1 to take a ‘privacy by design’ approach to projects, activities and initiatives involving personal information. A privacy impact assessment (PIA) can help to facilitate ‘privacy by design’ because it encourages entities to develop projects with privacy designed into the project, rather than being bolted on afterwards.
11 A PIA can help to ensure that the risks around the sharing of any user data between parties are appropriately considered and steps can be taken to minimise the risk of re-identification. The Privacy Act and the APPs do not apply to ‘de-identified information’, however, it is not always possible to draw a bright line between personal information and de-identified information. Whether information can ‘reasonably identify’ an individual requires a contextual consideration of the particular circumstances and the entities that hold the information. A PIA will help to identify the risk of re-identification of de-identified user data, for example, whether it will be used for data analytics activities within the news media business, or whether the de-identified data will be disclosed to another entity for this purpose. 
12 Finally, cl 52M of the draft Bill enables the Governor-General to make regulations specifying other requirements that digital platforms must comply with in relation to providing information to news media businesses about the collection and availability of data. The draft explanatory memorandum indicates that this regulation making power is required to keep the regulatory regime flexible and in line with changing industry practices.
13 While we acknowledge that a certain level of flexibility is required, the OAIC considers there is a risk that a broad regulation-making power may enable the scope of the current provisions to be broadened in the future to require or authorise digital platforms to disclose additional types of data, including identifiable user data. This may be inconsistent with community expectations as it is unlikely consumers would expect a news media business to have access to their identifiable user data collected through their use of a digital platform.
14 Further, a regulation that sought to require digital platforms to share identifiable user data with news media businesses removes the ability of parties to fully consider the privacy impacts of any potential data sharing arrangement and negotiate an outcome that is consistent with privacy requirements and community expectations. A regulation has the ability to override certain protections in the Privacy Act by authorising or requiring acts or practices.
15 Consequently, we recommend that the ACCC consider how the power to make regulations could be narrowed to preclude this scenario. For example, we consider that it should be made explicit in the draft Bill that regulations cannot be made under cl 52M that would require digital platforms to disclose identifiable user data.
16 We also ask the ACCC to consider including a provision in the draft code which provides for consultation with the Information Commissioner before the making of any regulations related to user data, and data derived or inferred from user data, to provide additional oversight and transparency. There is precedent for such consultation requirements in other legislation, for example, s 53 of the Office of the National Intelligence Act 2018, s 355-72 of the Taxation Administration Act 1953 (Cth) and s 56AD of the Competition and Consumer Act 2010.
 Australian Competition and Consumer Commission, Q&A’s: Draft news media and digital platforms mandatory bargaining code, July 2020, https://www.accc.gov.au/focus-areas/digital-platforms/draft-news-media-bargaining-code#draft-code-q-amp-as
 More information can be found in the OAIC’s Guide to undertaking privacy impact assessments and PIA tool.
 Section 6(1) of the Privacy Act defines ‘de-identified’ as: ‘personal information is de-identified if the information is no longer about an identifiable individual or an individual who is reasonably identifiable.’
 Office of the Australian Information Commissioner, Guide to data analytics and the Australian Privacy Principles, 21 March 2018, https://www.oaic.gov.au/privacy/guidance-and-advice/guide-to-data-analytics-and-the-australian-privacy-principles/