Six weeks ago the Federal Government released an issues paper on a review of the Privacy Act. For anyone in advertising, marketing and beyond it signals seismic change, covering everything from the definition of personal information - which could put device IDs, IP addresses and geolocation data out of bounds – to consent and notification requirements to users. Whichever side of the fence you sit, pretty much everything digital is at stake.

It’s not yet clear where or how the Office of the Australian Information Commissioner (OAIC) will land. But given the explosion in data collection and the almost total inadequacy of current protections, we can expect fundamental changes with far-reaching consequences, particularly for marketing, advertising and related industries that have become almost entirely data-driven.

There are many views on how the new regime should look – and the OAIC also has a growing menu of options, thanks to privacy and data overhauls simultaneously being worked through in California and Canada, to take what appears to be working while avoiding the worst unintended consequences. As the ACCC's Rod Sims said last year, Australia's regulators and their international counterparts, "may all end up in a similar position at the same time".

Christmas wish list: regulate ad targeting

So what should form the cornerstone of Australia’s new house rules?

Former Deputy Privacy Commissioner for NSW, Anna Johnston, has a pretty clear view. Now Principal at Salinger Privacy, she thinks the new laws should be further reaching, stricter, and carry a much bigger stick.

The current Privacy Act, says Johnston, has far too many carve outs, with exemptions for small businesses, political parties and media organisations. She says that has to change to level the playing field.

“First on my Christmas list is for all those exemptions to be scrapped, to really expand out the material scope of the organisations regulated by the Privacy Act in the first place so that we in Australia could have a world class privacy law,” she says.

Meanwhile, given the review’s overlap with the ACCC’s Digital Platforms inquiry, “we should also expect the government to focus very much on targeted advertising, personalised content and the role of online identifiers in particular, in facilitating the digital advertising ecosystem,” says Johnston.

In other words, she thinks all profiling, including audience segmentation, should be regulated as if it were personal information.

“At the moment, it's not always clear whether cookies or other online identifiers or the information shared within the ad tech industry is even considered 'personal information' as defined and as regulated by the Privacy Act,” says Johnston. “So next on my wish list is to rethink the scope of the Act by expanding out that definition of personal information.”

Johnston thinks the AOIC should go as far as to state “information that simply links to a consumer via a device is within scope to its definition of personal information”.

That may sound radical, she accepts, but the California Consumer Privacy Act (CCPA) is pushing in that direction - which provides a template for the rest of the world to follow, Australia included.

“Given CCPA's introduction of ‘Do Not Sell’ buttons, and the European Parliament and European privacy regulators moving on adtech, and Google's Chrome browser phasing out third party cookies by 2022 and Apple's operating system being updated to implement opt-in only for tracking users across different apps and websites … There's already plenty happening to nudge the online behavioural advertising industry towards a more privacy protective opt-in model,” says Johnston.

“So, in my view, strengthening the Australian Privacy Act's definition of personal information would be in line with achieving those same objectives but in a technology neutral and industry neutral way.”

Consent, fairness and a bigger legal stick

Another reform on Johnston’s wish list “is a reduction in the Privacy Act's reliance on the transparency model of privacy regulation, instead moving towards stricter limits on collection, use and disclosure.”

The OAIC has expressed preference for an ‘overarching fairness test’ to govern what businesses can and cannot do with consumer data.

For the ad industry, Johnston says that may mean “some of the more intrusive methods of profiling customers would be off the table, as well as advertising or personalised messaging which could lead to obvious harms”. Meanwhile, the ACCC “has noted that multiple submissions requested that children should not be tracked, profiled, subject to marketing or monetised”.

Johnston thinks beefing up fines would also sharpen the collective corporate mind.

“I would love to see increased penalties for breaches, a statutory tort for serious invasions of privacy and reforms to deliver improved access to justice. This could include a direct right of action for individuals with a complaint about a breach of privacy principle,” says Johnston.

“The ability to take a complaint to a tribunal or court with the power to order compensation, as happens already under New South Wales and Victorian state privacy laws … could make a meaningful improvement in access to justice for those people keen to have their day in court,” she adds.

“I also believe a direct right of action could make companies and government agencies more mindful about protecting property in the first place.”

We need to avoid “consent hell”

Peter Leonard, a former global chair of the International Bar Association’s Technology Committee and a specialist in data and technology business law, largely agrees with Anna Johnston’s wish list. But he warns against extending the definition of personal information to include online identifiers – disagreeing with Johnston that all profiling, including audience segmentation, should be regulated as if it were personal information.

“My vision of a hell in privacy reform is … cranking up the requirements around express consent and broadening out the definition of personal information to include, amongst other things, online tracking code, even in circumstances where that code is handled in accordance with good privacy practices,” says Leonard.

“If we go down that road, we are simply continuing the fiction that users should be expected to self manage their privacy settings through reading privacy notices and/or deciding whether or not to give consent.”

He thinks that also risks people being constantly bombarded with meaningless consent notifications so that they end up missing the important ones.

“Let's not try and follow the Mad Hatter - or was it Alice? - who went down that rabbit hole of 'notice and consent' as the way to fix all of this, because all we're going to do is to create a hell of organisations papering their way to compliance,” he suggests.

Look to Canada for ‘reasonable’ data use

Australian regulators should instead look to the likes of Canada and put the onus on companies to take responsibility for data practices, says Leonard, and not expect consumers to try and decipher what is going on.

He quotes a section of the Canadian Bill tabled last month:

“It’s three lines. ‘An organisation may collect, use or disclose personal information only for purposes that a reasonable person would consider appropriate in the circumstances.’

“It then it goes on to list factors to consider in determining what's appropriate in the circumstances,” says Leonard. “But it is about 20 lines in total, and if we included those 20 lines in our Act, we could fundamentally change how organisations think about privacy.

“Then we start to get the appropriate balance between organisations demonstrating accountability and users, consumers, somehow being expected to self-manage what other organisations are doing, collecting information in ways that they simply cannot understand – that we can't explain to them in terms that they will understand and that often we don't understand ourselves.”

Unintended consequences: higher walls

Ana Milicevic, principal and co-founder of Sparrow Advisers, hopes the protections being worked up will actually give the consumer some say in “how their data is packaged, used or activated”.

She warns that creating new regulation, as a relative minnow in global terms, also requires careful consideration, given a fragmented global landscape could mean companies effectively decide Australia isn’t worth the hassle, while locking in the market dominance of the big platforms and their walled gardens.

She also thinks industry has not done a good enough job in explaining the value exchange –and says asking people to accept cookies is a pretty poor proxy.

“I agree that the onus here really should be on companies rather than individuals. But at some point, we need to find a way to articulate the value to consumers of this data exchange - and maybe [adopt] the ‘reasonable person’ clause from the Canadian legislation.”

Peter Leonard agrees with Milicevic that regulators must tread carefully to avoid locking-in incumbent power.

“Because if we get these settings wrong, one hell that we might create is the inability for independent players in the advertising sector to be able to create audience segments and markets outside the digital giants,” he says.

“We run a real risk that if we get these settings wrong, we're going to promote further concentration in the market in favour of a few global digital players.”

Those views echo fears expressed by Joshua Lowcock, Chief Digital and Innovation Officer at UM in the US and UM’s global brand safety officer, who told Mi3 in October that unless regulators get data regulation right, “we will all end up working for a subsidiary or a part of one of the major monopoly organisations”.

That future is the definition of an existential threat to Australia’s advertising and marketing industry. While turkeys rarely vote for Christmas, it’s notable that advertisers were reluctant to engage with the ACCC’s Digital Platforms inquiry, running in lockstep with the Privacy Act overhaul.

Peter Leonard accepts the invitation to provide a betting man’s assessment on where all of this leaves industry, given the size of the changes coming down the track.

“I think the sector is the outside runner in a handicap race where the adtech industry has probably been responsible for its own handicapping. And the horse that is way out in front, because it started at least last July, is the ACCC and its vision of what new privacy laws in Australia should look like,” says Leonard.

“Unless the advertising services sector gets some bloody good jockeys and gets itself back in the race, the outcome will be whatever the ACCC tells the Attorney-General what they think the outcome should be.”

But the race is not yet won or lost. Early next year the Attorney-General will seek views on more specific potential reforms.

In the meantime, the ad industry’s best jockeys should probably avoid mince pies. Come the new year, they need to make all the running.

* This feature and podcast is an edited version of the IAB's Privacy Nirvana and Privacy Hell  webinar and panel debate moderated by Mi3's Executive Editor Paul McIntyre