In the age of cookies, artificial intelligence, and targeted digital advertising, it is nearly impossible to do anything online without giving away some form of personal information.

Several countries, including the US and the UK, are in the process of instituting federal policies to protect consumer information online. And Australia is no exception.

The Office of the Australian Information Commissioner (OAIC) has been mulling over changes to its age-old privacy act to include provisions that cater to online privacy, especially on social media. Unsurprisingly, it has experienced pushback from social media organizations.

What brought this on?

The Cambridge Analytica scandal led to the government initially contemplating a code of practice that social media platforms would adhere to.

In December 2019, in response to the Australian Competition and Consumer Commission's (ACCC) Digital Platforms Inquiry report, the government announced its commitment to creating a digital platforms privacy code, aka the Platform Code, which would be legally binding and more in line with the current privacy requirements of consumers than the previously existing Privacy Act. Until 2018, the Privacy Act focused more on regulating federal agencies and private sector organizations. The onset of the GDPR in 2018 and the ACCC's report shed light on the need for consumers to be protected by better privacy regulations while using digital media platforms. The OAIC was in charge of creating the Platform Code, which would apply to social media and all digital platforms that collect personal information.

Progress was delayed due to COVID-19; two years later, in October 2021, the government announced the draft legislation for the Online Privacy Bill, or OP bill. It also requested and sourced recommendations from the general public on the exposure draft. The bill is set to be introduced in parliament sometime in the latter half of 2022.

Why is this important?

Online privacy has become a vital issue for governments due to increasing dependence on digital advertising and marketing by most brands. The majority of these platforms target users based on information collected from websites that use cookies to accumulate information about their behavior and preferences.

Consumers are worried about how their data is being used. According to Deloitte's Australian Privacy Index 2021, 79% of consumers would like to exercise their right of erasure when they are on a brand's website. The right of erasure is a consumer's right to ask that a brand delete all personal data it has on them. However, only 5% of Australian brands actually allow consumers to exercise this right. The report also states that 89% of users believe that the Privacy Act must have a provision to protect the information they reveal online.

This is a growing concern in all countries, as is evident from the recent online privacy bill passed by a US House of Representatives panel. The bill prevents organizations like Meta from collecting any personal information from users except for the bare minimum required to provide their services.

Who will have to comply?

The bill covers Australian and non-Australian organizations that collect citizen data, as well as social media organizations, data brokerage services, and any large online platform that collects personal data and has had over 2,500,000 Australian end users in the past or current year.

What are the proposed changes?

Here are three important changes that the OP bill proposes to make to the existing Privacy Act:

  • Addition of the OP code, which regulates how social media and other online platforms collect and utilize personal consumer data. The OP code will apply to private organizations that fall under the Privacy Act. The introduction of the code means that going forward, if an individual requests that an organization not disclose or use their data, the organization is required to comply. No stringent regulation bound organizations to do this before the OP code.
  • Expansion of the OAIC's powers to enforce the OP code and the penalties that can be imposed in case of non-compliance.
  • Specifying that all foreign organizations that do business in Australia will also have to comply with the new OP code whether they have directly collected personal consumer information from an Australian source or not.

Apart from this, the draft bill has also significantly increased the penalty charges faced by organizations for misuse of personal data collected. From the existing maximum amount of AUD 2.1 million, the charges have been increased to AUD 10 million or thrice the value of gains generated due to misusing the data, whichever is higher, as determined by the court. If the court is unable to determine the amount of benefits reaped by the company due to data misuse, the third option is to collect 10% of the company's annual turnover.

The bill also addresses strict Australian internet privacy measures for children, like age verification and parental consent. It mandates that social media organizations verify whether the user is above 16 years old before collecting any of their personal data. If they are below 16 years of age, they must obtain parental consent before proceeding further.

OAIC faces pushback from affected organizations

As expected, there is pushback from social media organizations and other tech giants, which claim that collecting certain information and following particular processes banned under the new measures are a necessity for them to function.

Social media giant Meta expressed how the law could negatively affect businesses that rely on targeted advertising and asked that the OAIC redefine what it meant by "personal data" to include reasonable information that is necessary to identify a person. Google, on the other hand, requested that while specific details of a person's location, like their postal code, can be considered personal information, more general data like their block could be exempted.

A recent incident involving retail brand 7-Eleven collecting biometric and facial recognition data of customers as part of its feedback mechanism led to the OAIC adding a provision asking retail stores to be more mindful in complying with privacy laws. Australian information and privacy commissioner Angelene Falk expressed her views on the subject, stating that the store didn't need to collect biometric data for feedback.

The OAIC stopped collecting recommendations on the exposure draft in December 2021, and it is all set to introduce the bill in parliament in the coming months. There are a total of 191 responses, of which 105 are published on the official website.

Information is the new currency, and Australia's measure to improve the existing privacy laws to suit the current digital era is a welcome one. It is not only an ethical requisite but an immediate necessity. Much like every consumer has control over their money and the right to exchange it for any commodity or service of their choice, they must also have the right to control how their information is being used by brands and whether it should be used in the first place.

This can often be challenging for most corporations, since it can be tough to keep track of the huge amount of sensitive employee information generated every year. A good idea would be to invest in a SIEM solution that can discover, classify, store, and monitor said data to help users better exercise their right to erasure.

To learn more about how Log360, a SIEM solution, can help your employees exercise their consumer rights better in line with the new OP bill, get in touch with our product experts through a personalized demo request.

© 2021 Zoho Corporation Pvt. Ltd. All rights reserved.