Introduction

  1. The Office of the Australian Information Commissioner (OAIC) welcomes the opportunity to respond to Treasury’s consultation regulation impact statement on unfair trading practice reform (the Consultation Paper).
  2. The OAIC is an independent Commonwealth regulator, established to bring together three functions: privacy functions (protecting the privacy of individuals under the Privacy Act 1988 (Cth) (Privacy Act) and other legislation), freedom of information (FOI) functions (access to information held by the Commonwealth Government in accordance with the Freedom of Information Act 1982 (Cth) (FOI Act)), and information management functions (as set out in the Australian Information Commissioner Act 2010 (Cth)).
  3. The Consultation Paper invites feedback on policy options to address unfair trading practices in the Australian Consumer Law (ACL). It follows a number of inquiries and reviews which identified types of commercial conduct that are not covered by existing provisions of Australia’s consumer protection laws but nevertheless can result in significant consumer and small business harm.[1] In recognition of these potential harms, the Australian Competition and Consumer Commission (ACCC) has previously recommended the introduction of an economy-wide prohibition on unfair trading practices, in order to address consumer harms in both the online[2] and offline[3] context.
  4. The OAIC has observed growing intersections domestically and internationally between regulatory frameworks in the context of data issues, including between privacy, competition and consumer law, and online safety and online content regulation. In particular, the objectives of consumer protection and privacy law often complement one another.
  5. While there are synergies between these regulatory frameworks, it is important to note that there are also variances given that each regulatory framework is designed to address different economic, societal and policy issues. Protections under the Privacy Act apply a unique privacy law lens by assessing personal information handling and impacts to privacy in terms of their reasonableness, necessity, and proportionality. Consumer protection law regulates the relationship between consumers, businesses and manufacturers with the objective of promoting fair and efficient markets for consumers and is not specifically focussed on the handling of personal information.
  6. Treasury’s consultation also comes at a time when the Government is progressing privacy law reform to ensure that the Privacy Act remains fit-for-purpose in the digital age. The Government has agreed or agreed-in-principle to a broad range of proposals, including the introduction of a new positive obligation to ensure that the collection, use and disclosure of personal information is fair and reasonable in the circumstances.[4]
  7. The OAIC broadly supports the policy options presented by Treasury that would improve protections in relation to unfair trading practices and operate to reduce consumer and small business harms. We submit that the Government’s proposed reforms to both privacy and consumer protection frameworks are crucial to ensure comprehensive protection against harms in both the online and offline environment.

Intersections between the Australian Consumer Law and the Privacy Act

  1. The Privacy Act is the principal piece of Australian legislation that governs the handling of personal information. It applies to Commonwealth agencies, as well as to private sector organisations with an annual turnover of $3 million or more.
  2. Entities that are regulated by the Privacy Act are required to manage personal information in accordance with the Australian Privacy Principles (APPs), which establish important guardrails around the handling of personal information. The APPs govern how entities must handle personal information and contain requirements that apply across the information lifecycle, including in relation to the collection, use, disclosure, storage and destruction or de-identification of personal information. Among other requirements, the APPs:
    • ensure that APP entities manage personal information in an open and transparent way by having a clearly expressed and up to date APP privacy policy and by notifying individuals of certain matters at the point of collection;[5]
    • outline the circumstances in which an APP entity can collect personal information or sensitive information.[6] In relation to sensitive information,[7] APP entities must generally obtain consent for collection unless another exception in APP 3 applies. The APP Guidelines provide four key elements for consent to be valid, including that the individual is adequately informed before giving consent, the consent is given voluntarily, the consent is current and specific, and the individual has the capacity to understand and communicate their consent.[8]
    • outline the circumstances in which an APP entity may use or disclose personal information that it holds,[9] including for direct marketing purposes.[10] Generally, APP entities may only use and disclose an individual’s personal information for the purpose for which it was collected, in ways the individual would reasonably expect or where one of the exceptions in APP 6 applies;[11]
    • require entities to take reasonable steps to ensure the quality and security of personal information that they hold;[12] and
    • provide individuals with the ability to request access to, or correction of, their personal information.[13]
  3. The ACL governs standards of business conduct when interacting with consumers and other businesses. It applies economy wide and generally applies to entities that engage in trade or commerce. In contrast to the Privacy Act, the ACL is not specifically focussed on the protection of personal information and encompasses consumer and fair trading harms that do not necessarily involve the handling of personal information. The ACL includes, among other provisions:
    • core consumer protection provisions prohibiting misleading or deceptive conduct, unconscionable conduct, and unfair terms in standard form consumer contracts;
    • specific protections in relation to certain defined practices, including particular instances of false or misleading representations, pyramid selling, unsolicited supplies of goods and services, component pricing and the provision of bills and receipts;
    • regulation of certain aspects of consumer transactions, including a system of statutory consumer guarantees for consumer goods and business goods;
    • a national law for consumer product safety; and
    • enforcement and consumer redress provisions.[14]
  4. In addition to having different scopes and requirements, the Privacy Act and ACL are also informed by different policy objectives. As a result, the two regimes tend to assess conduct from different perspectives, particularly in the interpretation and application of principles-based requirements. The Privacy Act has a basis in the fundamental human right to privacy and is a partial implementation of Australia’s obligations under Article 17 of the International Covenant on Civil and Political Rights (ICCPR).[15] The Privacy Act therefore seeks to prevent individuals from arbitrary interferences with their personal information and provides a framework for assessing whether any impacts on individuals’ privacy rights are necessary, reasonable and proportionate to achieving legitimate functions and other public interests.[16] By contrast, consumer law is more broadly concerned with protecting and informing consumers, fostering fair trading between businesses, promoting effective competition and enabling the confident participation of consumers in markets in which both consumers and suppliers trade fairly.[17]

Reform of the Privacy Act

  1. The Attorney-General’s Department has undertaken a review of the Privacy Act to consider whether its scope, protections and enforcement mechanisms are fit-for-purpose. In September, the Government released its response to the Privacy Act Review Report which agreed or agreed in-principle to 106 of the 116 proposals.
  2. In order to aid Treasury’s policy consideration, we take this opportunity to highlight some of the proposals of the final Privacy Act Review Report[18] that would operate to improve privacy protections and individuals’ control over the handling of their personal information, and which may intersect with the unfair trading practice reforms. Treasury may wish to take into account the Government’s privacy reform agenda as part of its own reform process, including consideration of whether the regulated community requires further guidance as to how the two sets of reforms complement each other.

Fair and reasonable personal information handling

  1. Notice and choice are foundational principles in privacy law across the world, including in the Privacy Act. However, our 2023 Australian Community Attitudes to Privacy Survey found that while the majority (96%) of Australians believe that their privacy is important when choosing a product or service,[19] only 21% of individuals always or often read privacy policies.[20]
  2. Even where individuals do read privacy policies and collection notices, they may feel resigned to consent to the use of their information to access online services as they do not feel there is any alternative. As digital products and services become more entrenched in individuals’ lives and in the way in which they work, study and socialise, it is increasingly difficult to avoid personal information handling practices that do not align with their preferences. In these circumstances, it is inappropriate for entities to place the full responsibility on individuals to protect themselves from harm.
  3. In recognition of these challenges, the Privacy Act Review Report has proposed to establish a positive obligation that would require entities to handle personal information in a manner that is ‘fair and reasonable in the circumstances.’[21]
  4. The proposal would require entities to proactively consider legislative factors, including the reasonable expectations of individuals, whether their personal information handling activities are proportionate and possible risks of unjustified adverse impact or harm.
  5. The fair and reasonable test will provide a baseline level of privacy protection and will allow individuals to engage with products and services with confidence that—like a safety standard—privacy protection is a given. It would also prevent consent from being used to legitimise handling of personal information in a manner that is, objectively, unfair or unreasonable.
  6. The Government response to the Privacy Act Review acknowledged that the fair and reasonable test will also help to protect individuals from the use of deceptive design patterns, which may be employed to nudge users towards consenting to more privacy intrusive practices.[22] Such an approach would align with recent data protection enforcement action in Europe, whereby the fairness principle under Article 6 of the General Data Protection Regulation (GDPR) was found to have been breached by TikTok through their use of unfair design practices in the sign-up process.[23]
  7. The OAIC views the proposed fair and reasonable test as a new keystone for the Privacy Act. The fair and reasonable test would provide individuals with greater confidence that they will be treated fairly when they choose to engage with digital services and would help to build trust in the digital economy.

Intersection with unfair trading practice reform

  1. The OAIC considers that the proposed fair and reasonable test under the Privacy Act and any potential unfair trading practice prohibition in the ACL would have important yet distinct roles to play in addressing harms in both the online and offline environment. The fair and reasonable test would apply a unique privacy law lens in assessing the permissibility of personal information handling practices and in providing protection in relation to privacy rights. By contrast, an unfair trading practices prohibition in the ACL would provide economy-wide protection in relation to harmful or oppressive business practices, including those that do not involve the handling of personal information.
  2. The following examples demonstrate the necessity of progressing both the proposed fair and reasonable test and unfair trading practice reforms:
    • An unfair trading practice prohibition could address online services’ use of unreasonably difficult opt-out or cancellation procedures (including the use of obstructive and manipulative design patterns) that work to undermine consumer autonomy and dissuade consumers from cancelling a subscription or service.[24] This practice may fall outside the privacy jurisdiction to the extent that it does not involve handling of personal information.
    • The fair and reasonable test would be well-positioned to address harmful and excessive collection, use and disclosure of personal information, such as the building of intrusive consumer profiles and the sharing of highly sensitive information for targeted advertising purposes.[25] The fair and reasonable test would analyse these practices from a unique privacy law perspective insofar as it will require consideration of impacts to privacy and of concepts such as reasonable expectations, necessity and proportionality.
    • An unfair trading practice prohibition could address predatory or aggressive business conduct about other aspects of an entity’s business practices (unrelated to personal information handling), such as omitting to notify consumers of changes in their insurance policy[26] or the targeting of consumers experiencing vulnerability with inappropriate credit products or transactions.[27]
    • The fair and reasonable test would regulate excessive or disproportionate handling of personal information by Commonwealth government agencies, which would fall outside the jurisdiction of consumer protection law.
  3. To the extent that there is overlap between the proposals, the OAIC does not consider this to necessarily be a negative outcome, particularly where it is well managed. It is more problematic if regulatory gaps expose individuals to harm or lead to inconsistent or inefficient regulatory outcomes. In this regard, the OAIC has several effective co-operation initiatives in place with the ACCC (see ‘Regulatory co-operation’, below) and strong bilateral co-operation. On this basis, the OAIC submits that both sets of reforms should be progressed to ensure comprehensive and complementary protection against consumer and privacy harms in both the online and offline environment.

Transparency and control over personal information handling

  1. The Privacy Act Review Report also put forward several proposals that are directed at improving the transparency of personal information handling practices and the level of control that individuals have over how their information is handled.
  2. These proposals include an express requirement in APP 5 for collection notices to be ‘clear, up-to-date, concise and understandable’ as well as the development of standardised templates, layouts, terminology and icons for privacy policies and collection notices to improve consumer comprehension.[28] The Privacy Act Review Report also proposed additional transparency requirements in relation to automated decision-making[29] and online targeting, including clear information about the use of algorithms and profiling to recommend content to individuals.[30]
  3. In recognition of stakeholder concerns about vaguely worded or bundled consents, as well as the use of deceptive design patterns,[31] the Privacy Act Review Report also proposes to codify existing OAIC guidance on consent to require that consent is ‘voluntary, informed, current, specific, and unambiguous.’[32] The proposed definition of consent would be an important safeguard for ensuring that individuals are able to make real choices about the handling of their information on the basis of transparent and clear information.
  4. Finally, the Privacy Act Review Report proposes a number of individual rights modelled on the European Union’s General Data Protection Regulation (GDPR) including a right to erasure and an enhanced right of access.[33] The Government response to the Privacy Act Review Report has agreed to each of these proposals in-full or in-principle.[34]

Regulatory co-operation

  1. The intersection of competition, consumer and privacy law also highlights the importance of regulatory cooperation. Where different regulators exercise different functions under various laws, it is important for regulators to work together to avoid unnecessary or inadvertent overlap for consumers and industry. An effective approach requires complementary expertise, and collaboration and coordination between regulators to ensure proportionate, efficient and cohesive regulation.
  2. In this regard, the OAIC has an effective, collaborative and longstanding working relationship with the ACCC, including through memoranda of understanding on exchanges of information and the Consumer Data Right, as well as our participation in regulatory forums such as the Digital Platform Regulators Forum (DP-REG) and the Cyber Security Regulator Network (CSRN).
  3. DP-REG is an initiative between the OAIC, ACCC, Australian Communications and Media Authority (ACMA) and Office of the eSafety Commissioner (eSafety) to share information about, and collaborate on, cross-cutting issues and activities on the regulation of digital platforms. This includes consideration of how competition, consumer protection, privacy, online safety and data issues intersect in order to promote proportionate, cohesive, well-designed and efficiently implemented digital platform regulation.

[1] For our previous submissions to these inquiries see: OAIC, Digital Platforms Inquiry — submission to the Australian Competition and Consumer Commission, 17 April 2018; OAIC, Digital Platforms Inquiry Preliminary Report — submission to the Australian Competition and Consumer Commission, 15 May 2019; OAIC, Digital Advertising Services Inquiry – Interim Report: Submission by the Office of the Australian Information Commissioner, 31 March 2021; OAIC, Digital Platform Services Inquiry Discussion Paper for Interim Report No 5 – submission to the ACCC, 22 April 2022.

[2] ACCC, Digital platforms inquiry – final report, 26 July 2019, Recommendation 21; ACCC, Digital advertising services inquiry - final report, 28 September 2021, p 41; ACCC, Digital platform services inquiry - September 2022 interim report - Regulatory reform, 11 November 2022, Recommendation 1.

[3] ACCC, Perishable agricultural goods inquiry report, 10 December 2020, Recommendation 2.

[4] Attorney-General’s Department, Privacy Act Review Report, 16 February 2023, Chapter 12; Attorney-General’s Department, Government response to the Privacy Act Review Report, 28 September 2023.

[5] Privacy Act 1988 (Cth), sch 1, APP 1 and APP 5.

[6] Privacy Act 1988 (Cth), sch 1, APP 3.

[7] Sensitive information is a subset of personal information and includes information or an opinion (that is also personal information) about an individual’s racial or ethnic origin, political opinions, membership of a political association, religious beliefs or affiliations, philosophical beliefs, membership of a professional or trade association, membership of a trade union, sexual orientation or practices, or criminal record. The definition also includes health information about an individual, genetic information, biometric information that is to be used for the purpose of automated biometric verification or biometric identification, or biometric templates. Sensitive information is generally afforded a higher level of privacy protection under the APPs than other personal information. This recognises that inappropriate handling of sensitive information can have adverse consequences for an individual or those associated with the individual.

[8] OAIC, Chapter B: Key concepts, Australian Privacy Principles Guidelines, 22 July 2019. These elements guard against the use of exploitative or opaque consent requests and seek to ensure that individuals are fully aware of the implications of providing or withholding consent (including through the provision of information written in plain English, without legal or industry jargon) and have a genuine opportunity to provide or withhold consent. The Government has agreed in-principle to codify these elements in the Privacy Act in response to Proposal 11.1 of the Privacy Act Review Report, see: Attorney-General’s Department, Government response to the Privacy Act Review Report, 28 September 2023.

[9] Privacy Act 1988 (Cth), sch 1, APP 6.

[10] Privacy Act 1988 (Cth), sch 1, APP 7.

[11] OAIC, Chapter 6: APP 6 Use or disclosure of personal information, Australian Privacy Principles Guidelines, 22 July 2019.

[12] Privacy Act 1988 (Cth), sch 1, APP 10 and APP 11.

[13] Privacy Act 1988 (Cth), sch 1, APP 12 and APP 13.

[14] Treasury, The Australian Consumer Law: A framework overview, July 2013, p 1.

[15] Privacy Act 1988 (Cth), Preamble.

[16] See, OAIC, Privacy Act Review – Issues Paper: Submission by the Office of the Australian Information Commissioner, 11 December 2020, 21-22.

[17] See, Treasury, Consumer Policy in Australia, March 2011, p 3; Council of Australian Governments, Intergovernmental Agreement for the Australian Consumer Law, 30 August 2019, p 3.

[18] Attorney-General’s Department, Privacy Act Review Report, 16 February 2023.

[19] Lonergan Research, Australian Community Attitudes to Privacy Survey 2023, 8 August 2023, accessed 8 August 2023, p 25.

[20] Lonergan Research, Australian Community Attitudes to Privacy Survey 2023, 8 August 2023, accessed 8 August 2023, p 21.

[21] Attorney-General’s Department, Privacy Act Review Report, February 2022, accessed 4 August 2023, p 110-121.

[22] Attorney-General’s Department, Government response to the Privacy Act Review Report, 28 September 2023, p 8.

[23] See, European Data Protection Board, Following EDPB Decision, TikTok ordered to eliminate unfair design practices concerning children, 15 September 2023. See relatedly, European Data Protection Board, Guidelines 3/2022 on Dark patterns in social media platform interfaces: How to recognise and avoid them, 2 May 2022.

[24] See, Consumer Policy Research Centre, Unfair Trading Practices in Digital Markets – Evidence and Regulatory Gaps, December 2020, p 10 and Treasury, Protecting consumers from unfair trading practices – Consultation Regulation Impact Statement, 31 August 2023, p 32, 43.

[25] See for example, Norwegian Consumer Council, Out of Control: How Consumers are Exploited by the Online Advertising Industry, January 2020. The Norwegian Consumer Council analysed ten popular mobile applications, including dating apps and menstrual cycle trackers, which were found to transmit data to at least 135 different third parties for targeted advertising. See also, Kayleen Manwaring, Katharine Kemp and Rob Nicholls, (Mis)informed Consent in Australia, March 2021, 97, where the authors noted that consumer profiles ‘may include, or permit inferences about, the consumer’s age, gender, relationship status, pregnancy, children, income, health issues, financial position, property ownership, purchasing intentions, sexual orientation, sexual activity, drug use, alcohol consumption, psychological biases, political views, religious affiliations, ethnicity, consumption preferences and personality predictions.’

[26] Treasury, Protecting consumers from unfair trading practices – Consultation Regulation Impact Statement, 31 August 2023, p 9, 15.

[27] See, Consumer Policy Research Centre, Unfair Trading Practices in Digital Markets – Evidence and Regulatory Gaps, December 2020, p 11 and Treasury, Protecting consumers from unfair trading practices – Consultation Regulation Impact Statement, 31 August 2023, p 17.

[28] Attorney-General’s Department, Privacy Act Review Report, 16 February 2023, Proposals 10.1, 10.3.

[29] Attorney-General’s Department, Privacy Act Review Report, 16 February 2023, Proposals 19.1-19.3.

[30] Attorney-General’s Department, Privacy Act Review Report, 16 February 2023, Proposal 20.9.

[31] Attorney-General’s Department, Privacy Act Review Report, 16 February 2023, p 103.

[32] Attorney-General’s Department, Privacy Act Review Report, 16 February 2023, Proposal 11.1.

[33] Attorney-General’s Department, Privacy Act Review Report, 16 February 2023, Proposals 18.1-18.10.

[34] Attorney-General’s Department, Government response to the Privacy Act Review Report, 28 September 2023.