This appeared last week:
Privacy time bomb: Australian businesses have six months to avoid legal firestorm
Chris Brinkworth
18 Sept,2024
The Australian Business Network
Many business entities and their marketing partners are unknowingly using tools and data in ways that could expose them to legal action within six months.
The long-anticipated Australian privacy reforms have arrived, offering businesses a unique opportunity to lead in data protection and consumer trust, while compelling them to act swiftly to avoid serious privacy penalties from very basic practices of which they may be unaware.
The “carrot and a stick” central to these reforms is the introduction of a “privacy tort”, which presents an opportunity (carrot) for companies to strengthen consumer trust by using a very big “stick” in the shape of class action and litigation.
It’s crucial to understand that these changes represent just the beginning of a broader reform agenda. This is the first tranche of agreed recommendations from the Privacy Act Review, with consultation on a second tranche of reforms likely to come in 2025.
Forward-thinking businesses have a unique opportunity to get ahead of the curve by embracing these initial changes.
With a 25-year career in targeting and tracking hundreds of millions of people using billions of pieces of behavioural data, identifiers, pixels, cookies and more, I must emphasise the profound impact these partial reforms will have on basic current business practices.
Many entities and their marketing partners are unknowingly using tools and data in ways that could expose them to legal action within six months. The early warnings are evident in published comments from the OAIC, ACCC and legal academics.
Attorney-General Mark Dreyfus articulates the context succinctly: “The digital economy has unleashed enormous benefits for Australians. But it has also increased the privacy risks we face through the collection and storage of enormous amounts of our personal data.”
This statement underscores the delicate balance between the industry’s desire for better targeting, measurement and identity resolution and the need to protect personal privacy. The introduction of a new privacy tort, set to take effect in six months, represents a strategic approach to reforming data practices in the digital economy, potentially reshaping how businesses approach these marketing objectives.
The reach of this new tort is extensive and should not be underestimated. While many may be quick to point out the failure to implement the vast majority of the proposed privacy reforms, we must give credit where it’s due.
The Attorney-General’s department has clearly thought strategically about how to significantly reform unethical and risky privacy practices in the digital economy through the use of the tort, a tool that has been in discussion for many years. This targeted approach, rather than rushing through wholesale reform just before an election, shows a measured response to a complex issue.
Do not be fooled into thinking partial reform means “no teeth that can bite”. The growing dependence on data and changes in global regulatory frameworks have led to a significant increase in privacy-related legal actions, providing plenty of examples of where to focus attention.
Privacy Commissioner Carly Kind has previously highlighted the extent of data collection: “Social media platforms and other websites receive personal information about internet users as they browse the web. This data can range from basic site visits to more detailed personal information like email addresses and mobile numbers.” She has noted “most people wouldn’t reasonably expect household brands, medical providers or news sites to disclose details about site visits, duration and content consumption to social media platforms,” describing such practices as “harmful, invasive and corrosive of online privacy.”
The new tort could potentially apply to various business practices, including excessive tracking and profiling, unauthorised mixing of personal data across business units, misleading privacy disclosures, risky data sharing practices, use of deceptive identifiers, lack of genuine user choice in data collection, and attempts to circumvent user privacy preferences.
Business leaders need immediately to ask themselves what our teams and technology partners are doing with customer data and are we aligned with reasonable consumer expectations? Are we inadvertently crossing lines that could expose us to legal action under the new privacy tort?
Kind has previously warned that “pixels are one of many tracking tools, including cookies, that permit granular user surveillance across the internet and social media platforms,” underscoring the sophisticated nature of tracking technologies and the need for robust regulation.
Dreyfus emphasises public sentiment driving these changes: “We know Australians are concerned about the protection of their personal information, and of the risks associated with the misuse or mismanagement of their information.” He adds, “Australians … expect that when they do (share their personal information), their information will be protected and that they will maintain control over it.”
For businesses, these reforms necessitate a thorough review of data practices. Companies must discuss with their legal and privacy teams the need to conduct Privacy Impact Assessments on every technology touching their customer data life cycle, overhaul processes and ensure comprehensive staff training.
As Kind has asserted, website providers “have an obligation to ensure that sharing web browsing data with social media platforms is in line with what internet users might reasonably expect”. This sets a new standard for transparency and user consent in data collection and sharing practices.
While these reforms may not represent a complete overhaul of Australia’s data protection landscape, the tort signals a significant shift towards greater accountability and transparency in data practices that will impact many businesses’ practices.
However, the complexity of modern data ecosystems and interwoven stacks, products and data partnerships means that internal reviews will not be sufficient. Without getting ahead of this through specialised audits and reviews that scrutinise data flows, tools and consents, businesses risk having these issues uncovered not by themselves or their BAU agency partners – but instead by litigators in the courtroom. The choice is clear: invest in expert-led Privacy Impact Assessments of your activity now, or potentially face costly legal battles and reputational damage.
Chris Brinkworth is managing partner at Civic Data.
Here is the link:
I can hear the yelps now from those who thought change would never happen!
I predict a lot of fun and surprise about six months from now!
David.
I doubt the biggest culprits will go unscathed and continue to operate as they currently do. Smaller entities will no doubt be used as evidence of enforcement with some being near pawns of the larger fish who have unwittingly deployed technologies from above without knowing what trickery is going on with their customers data.
ReplyDeleteGood and well intentioned but the top 5% are no longer held accountable.
What do you 6:52 AM mean? Do you mean you think they will go unscathed? Or, you are unsure (doubt) whether or not they will go unscathed? Clear unambiguous English.is very tricky!
ReplyDeleteMy bad - the biggest offenders will continue without repercussion. For all the usual reasons.
ReplyDelete