BP Australia Pty Ltd’s Application for Authorisation (AA1000619) – submission to the Australian Competition and Consumer Commission (ACCC)

15 August 2022

Submission by the Office of the Australian Information Commissioner

Introduction

  1. The Office of the Australian Information Commissioner (OAIC) welcomes the opportunity to make a submission on the Australian Competition and Consumer Commission’s (ACCC) consultation on BP Australia Pty Ltd’s (BP) application for authorisation to expand the existing BP Rewards loyalty program (BP Rewards Program).[1]
  2. The OAIC understands that BP proposes to expand the BP Rewards Program by introducing fuel and non-fuel offers at BP sites and participating BP Reseller sites for all or certain groups of consumers who are members of the existing BP Rewards Program. BP proposes to offer cents-per-litre fuel discounts and discounts or benefits on convenience items or ancillary services, in addition to existing offers. BP Rewards Program members will continue to be able to earn and redeem BP or Qantas points, however under the expanded program members will also have the opportunity to obtain discounts based on eligible purchases at BP or participating BP Reseller sites, or engagement with or use of BP proprietary or third-party platforms or services.
  3. The ACCC has invited the OAIC to make a submission in relation to the likely public benefits and effect on competition, or any other public detriment, which might result from the proposed arrangement.
  4. The OAIC is an independent Commonwealth regulator, established to bring together three functions: privacy functions (protecting the privacy of individuals under the Privacy Act 1988 (Cth) (Privacy Act)), freedom of information (FOI) functions (access to information held by the Commonwealth Government in accordance with the Freedom of Information Act 1982 (Cth) (FOI Act)), and information management functions (as set out in the Information Commissioner Act 2010 (Cth)). The public detriment that the OAIC is considering in this submission is the impact on the privacy of individuals.
  5. The OAIC was consulted by the ACCC in September 2019 in relation to BP’s application for authorisation to establish the BP Rewards Program, and provided a submission on 15 October 2019.[2] The OAIC made a subsequent submission on the ACCC’s draft determination on 28 January 2020.[3]
  6. We have considered BP’s current application and note that it does not address how personal information will be collected, used and disclosed under the proposed expansion of the BP Rewards Program. In the absence of this information, it is not possible to assess whether the expanded program may involve unmitigated privacy risks resulting in potential public detriment. The OAIC recommends that the ACCC seek further information from BP to obtain a clearer understanding of the data flows under the expanded BP Rewards Program, including a copy of the relevant Privacy Impact Assessment (PIA).

BP’s current application for authorisation

  1. BP’s application for authorisation does not identify privacy risks or address whether, and if so to what extent, the expansion of the BP Rewards Program will involve changes to the collection and handling of personal information.
  2. In particular, we note that clause 5.1 of the application states that proposed offers may be provided to BP Rewards members conditional on them completing research or providing extra data through other means. It is not clear what types or amount of information may be collected from consumers or the intended use or disclosure of the collected data. Further information is required to understand the impacts this collection, use and disclosure of information would have on consumers and whether such collections are reasonably necessary.

BP’s obligations under the Privacy Act

  1. Given privacy risks can result in detriment to consumers, it is important for BP to take a holistic approach to considering the personal information flows within the existing BP Rewards Program and how these will be impacted by the proposed expansion. By understanding the information flows, BP can identify, assess and mitigate any privacy risks that may arise.
  2. An expansion of the BP Rewards Program is likely to result in additional handling of personal information. The OAIC is concerned that some entities involved in the proposed scheme may not be subject to the Privacy Act and the protections it affords for consumers. In our submissions on BP’s original application for authorisation, the OAIC raised a number of privacy issues. The OAIC recommends that the ACCC consider whether those earlier issues have been addressed in relation to this proposed expansion of the BP Rewards Program, as well as any new privacy risks that are likely to arise in the context of the expansion. Those issues include whether:
    1. all entities involved in the proposed expansion are within the jurisdiction of the Privacy Act, and if not, whether they should be required to opt into the Privacy Act
    2. any additional collection, use or disclosure of personal information under the expanded program is necessary for the functions or activities of the BP Rewards Program.
  3. As noted above, a PIA is a valuable tool to identify, understand and assess compliance with the Privacy Act, and mitigate any risks that may arise from new or amended information handling practices.

Conclusion

  1. The privacy impact on consumers whose information is mishandled or used in ways they did not expect as part of the expanded BP Rewards Program could constitute a public detriment. However, without further information from BP, it is not possible to assess the privacy impacts of the expanded program. We reiterate that BP should provide information to demonstrate that its existing privacy safeguards remain effective to address the collection and handling of personal information under the expanded program.
  2. Undertaking a PIA of the proposed expansion, and publishing the PIA and BP’s response to PIA recommendations, is an effective way for BP to demonstrate commitment to good privacy practices and provide assurance to the ACCC that those risks and potential detriment have been adequately addressed.
  3. The OAIC is available to discuss any aspect of this submission and we welcome further engagement with the ACCC as it progresses through the assessment of BP’s application for authorisation to expand the program.

Footnotes

[1] Australian Competition & Consumer Commission, Authorisations Register: BP Australia Pty Ltd & Ors, ACCC website, accessed 5 August 2022.

[2] OAIC, Submission to the Australian Competition and Consumer Commission regarding BP Australia Pty Ltd’s application for authorisation [AA1000452], OAIC, 15 October 2019, accessed 5 August 2022.

[3] OAIC, Submission to the Australian Competition and Consumer Commission regarding Draft Determination in respect of BP Australia Pty Ltd’s application for authorisation, OAIC, 28 January 2020, accessed 5 August 2022.