News Analysis 1 May 2025 - 8 min read

‘Quite robust enforcement’: Privacy Commissioner uses new powers to benchmark privacy breaches aligned to delayed privacy reforms; early purge on website pixels, tags to hit brands, publishers, not platforms

By Paul McIntyre - Executive Editor

Urgency returns: Civic Data's Chris Brinkworth, Privacy Commissioner Carly Kind and Helios Salinger Partner Anna Johnston

The Australian Privacy Commissioner Carly Kind has quashed any expectations that a diluted first round of “Tranche 1” privacy reforms legislated last December by the Albanese government meant industry could wind back the urgency of adapting to far stricter controls around tracking, collecting and sharing of personal online user information – including the widespread use and trading of “de-identified” consumer data.


Urgency returns

The biggest upheaval for digital marketing and advertising in 20 years was delayed and bundled into “Tranche 2” reforms without a timetable late last year by the Labor government, but Privacy Commissioner Carly Kind told Mi3 she plans to test judicial interpretation of the current Privacy Act, with the delayed reforms squarely in frame for current privacy practices.

That’s code for industry that their expectations last year for radical privacy reform in favour of consumer protection should again go to code red. 

Kind wants to set clarity for industry on definitions of personal information, consent and the collection of personal data that are aligned more closely to the “fair and reasonable” principle diverted into delayed Tranche 2 reforms. Those delayed measures put the entire onus on organisations to ensure consumer privacy compliance in a marked shift away from individual consent that’s enshrined in Europe’s GDPR laws.

The new investigative and enforcement powers handed to the Privacy Commissioner in Tranche 1 privacy reforms and how she plans to use them put industry back on notice with urgency to overhaul their use of consumer data and tracking - the implications present fundamental change to many consumer and B2B marketing and data practices. In short, Carly Kind is not waiting for Tranche 2 to enforce tighter consumer privacy protection. 

Kind said she did not want “gotcha” moments on company breaches - sectors under her microscope will get advance notice of “compliance scans”. She said part of her agenda was to ensure that reforms were taken “seriously in the c-suite and at the board table” by pushing benchmark cases that would serve as default precedents for what was a privacy breach.

She said the issue at present wasn’t that companies “had so much taken their foot off the gas” on privacy overhauls but that the uncertainty around current legislation meant the internal business case for “investment in privacy is on a slightly wobblier footing than perhaps last year when there was quite a lot of momentum being built, particularly by chief privacy officers and their teams.”


Kill uncertainty with enforcement

Kind wants to end the ambiguity. “We are equally resolved now to move ahead with an enforcement agenda independently of those [tranche 2] reforms because there is a lot of uncertainty there about what's going to happen, not least because of the election. But I've got a pretty clear-eyed vision of how to achieve some of the same ends through quite robust enforcement, and I think that that will hopefully have the same effect to increase the cost of non-compliance, to incentivise investment in privacy, to bring privacy to the attention of the C suite, etc. That's really where we're putting our time and resources currently.”

She said the redefinition of what constitutes “personal information” in Tranche 2 – presenting fundamental challenges for current practices in marketing, advertising and data trading – was one area of focus.

“The definition of personal information, the definition of consent, etc, absent those reforms - and it may be that they still happen, certainly the Attorney General has expressed great passion and support for making them happen - we can achieve some of those clarifications through judicial interpretation, which we can secure in enforcement proceedings. So it's about edge cases, it's about egregious non-compliance but it's also about test cases that can enable us to advance judicial interpretation of the law as written. So that's part of our regulatory strategy to now think about where we can be taking forward specific matters that enable us to elicit judicial interpretation, that can then bring more clarity for industry and allow us to establish beyond question the kind of legal standards that industry should be aiming at. What we would be aiming at would be to try to both be enforcing the Privacy Act in appropriate circumstances but also to be getting judges to essentially endorse our interpretation of various terms in the Privacy Act. We’re certainly not sitting around waiting for tranche 2.”

While the enforcement remit is wide – from facial scanning in which Bunnings has been at the frontline of the Privacy Commissioner’s attention, to in-car data collection and consumer identity document protection [passports, licenses etc] - Kind said her team’s probe into the use of pixels and tags on websites was “quite far advanced” with significant implications for marketing, advertising practitioners and customer-facing tech vendors. 


The pixel problem

“The one thing I might put on their radar and probably the first thing out of the gate in a concrete enforcement sense will be work on tracking pixels – it’s quite far advanced, actually,” she said. “So we put out guidance last year and then we've been doing some work in the enforcement space on that. So that's probably the first thing for them to look for. We're looking in particular at the providers of websites and how they configure tracking pixels, and in particular, whether the website itself may be collecting sensitive personal information, in which case, consent is required. If a Meta pixel is embedded in a website that is enabling the transmission of health information to Meta then you, as the website provider, need to ensure that you're meeting your Privacy Act requirements, because you're collecting and then disclosing it on.”

When asked where liability landed on pixel use, Kind said: “Basically we're not looking at the platforms that are providing the pixels in the first place. We're looking at the users of the pixels, it’s the sites and how they're configuring pixels.”

Civic Data’s Managing Partner Chris Brinkworth said much of industry was largely unaware of their privacy risk with pixels and tags – essentially bits of code that carried user information that was transferred between different parties, mostly without their awareness or consent.


“There are some websites that will have 50 to 60 of these different [pixel and tag] technologies on their website,” he told Mi3. “Every time you try something new, you put a new piece of code on your website, and it's like a sediment layer. You may not be working with them [pixel owners] anymore... each new agency would have tried a new piece of technology, put tags on your page to track or personalise this and that to personalise x, y and z but the real question is who's in control of this data? If you look at My Deal, where they're selling pregnancy tests, are they also letting the consumer know that when I'm looking at a pregnancy test, that information is leaving the website with a cookie going across to a dozen, if not more, vendors?”

Red flag for de-identified data, clean rooms

Anna Johnston, Partner at privacy advisors Helios Salinger, said the Privacy Commissioner had “absolutely stepped up” and was drilling into existing privacy principles to establish clear guidelines. “They will use their new enforcement powers to look at how organisations are treating personal information of Australian consumers and they will definitely be using their enforcement powers to target not only the social media platforms but I think Australian businesses in general.”

For Johnston, de-identified user data, clean rooms and lookalike user profile matching – in widespread use by media, tech vendors and enterprise – were red flag breaches for industry under the current Privacy Act.

“There’s a lot of practices around data matching and data brokering that definitely the end use case is pushing the bounds of compliance,” Johnston said. “It may well take a test case from the OAIC [Office of the Australian Information Commissioner in which the Privacy Commissioner sits] to trigger a change in those kind of practices. I'm very nervous when I hear organisations say ‘don't worry, we're complying with the privacy law because it's de-identified’. What they mean is they don't think the privacy law applies at all because they’ve de-identified it. It's a lot harder to de-identify data to the point where the privacy laws no longer apply. It is a lot harder than most people think. If it's your own data that you collected from your own customers and you're using it to analyse your own data set, if it's not leaving your organisation, that's one thing. If it's leaving your organisation because you're then sharing it with a social media company or a search engine to do targeted advertising, then I'd be very nervous about that information in terms of compliance with the disclosure rules in the Act.”

The difference today is that the Privacy Commissioner has new powers and appetite to take action, enforce and prosecute breaches.   

When asked about de-identified data, Kind told Mi3: “Yes, definitely de-identification…and particularly in the use of data to train AI models. That’s something we’re looking at currently – the definition of personal information and how that extends to a range of different identifiers. We’re certainly interested from a sectoral perspective in data brokerage and that’s obviously highly connected to marketing and other practices. That will be something we take up although I wouldn’t want to overstate expectations on that front. We’re not very advanced yet.”

Yet…but the Privacy Commissioner is coming. 
