Regulation of digital platforms as part of economy-wide ...Regulation of digital platforms as part of economy-wide improvements to Australia’s privacy laws 2 ACCC R17.1 Objectives

Regulationofdigitalplatformsaspartofeconomy-widereformstoAustralia’sfailedprivacylaws

AustralianPrivacyFoundationsubmissiontotheAustralianGovernmentonimplementationoftheACCC’sDigitalPlatformsInquiry—FinalReport

Graham Greenleaf, David Lindsay, Bruce Arnold, Roger Clarke, Katherine Lane, Nigel Waters & Elizabeth Coombs1 – on behalf of the Australian Privacy Foundation. 10 September 2019

ExecutiveSummary.................................................................................................................................................3

AsubmissionbytheAustralianPrivacyFoundationtotheAustralianGovernment.................4

Fundamentalissues:Limitingadverseprivacyeffectsofmarketdominance...............................4

ACCC’sfundamentalRecommendation:Economy-wideprivacyreforms.......................................6

Recommendations1-3–MeasurestoaddressmarketpowerofGoogleandFacebook...........6

ACCCR1-Additionalprivacy-relevantfactorsinmergerlaws.......................................................6ACCCR2-Priornoticeofacquisitions........................................................................................................7ACCCR4-Requiredchoicesratherthandefaults(browsersandsearchengines)................7ACCCanddataportability................................................................................................................................7

Recommendation16–StrengthenprotectionsinthePrivacyActacrosstheeconomy...........7

ACCCR16(a)Update‘personalinformation’definition......................................................................7ACCCR16(b)Strengthennotificationrequirements............................................................................8ACCCR16(c)Strengthenedconsentrequirementsandpro-consumerdefaults......................8ACCCR16(d)Enabletheerasureofpersonalinformation..............................................................10ACCCR16(e)Introducedirectrightsofactionforindividuals......................................................10ACCCR16(f)HigherpenaltiesforbreachofthePrivacyAct..........................................................11

AustralianGovernmentproposedreformstothePrivacyAct(March2019).............................13

Govt.1:Increasepenalties.............................................................................................................................13Govt.2:OAICinfringementnoticepowers.............................................................................................13Govt.3:OAIC‘otheroptions’.........................................................................................................................13Govt.4:Socialmedia‘deletion’requirement.........................................................................................13Govt.5:Extraprotectionforvulnerablegroups...................................................................................13Govt.6:A‘codeforsocialmediaandonlineplatforms’....................................................................14Govt.7:AdditionalfundingtoOAIC...........................................................................................................14

Recommendation17–BroaderreformofAustralianprivacylaw(ACCCproposals).............15

1Graham Greenleaf AM is Professor of Law & Information Systems at the University of New South Wales;; Dr Bruce Arnold is Assistant Professor, School of Law & Justice, University of Canberra; David Lindsay is Professor of Law, University of Technology Sydney; Roger Clarke is Principal, XamaX consultancy, and Professorial Visiting Fellow, University of New South Wales Faculty of Law; Katherine Lane is a consumer law expert and Vice-Chair of the APF; Nigel Waters is an information practices consultant and former deputy Australian Privacy Commissioner; and Elizabeth Coombs is a researcher at the University of Malta and former NSW Privacy Commissioner.

Electronic copy available at: https://ssrn.com/abstract=3443337

Regulationofdigitalplatformsaspartofeconomy-wideimprovementstoAustralia’sprivacylaws 2

ACCCR17.1Objectives....................................................................................................................................15ACCCR17.2Scopeandexemptions............................................................................................................16ACCCR17.3Higherstandardofprotections..........................................................................................16ACCCR17.4Inferredinformation...............................................................................................................16ACCCR17.5De-identifiedinformation.....................................................................................................16ACCCR17.6OverseasdataflowsandEU‘adequacy’..........................................................................16ACCCR17.7Third-partycertification.......................................................................................................17

Recommendation18–OAICPrivacyCodeforDigitalPlatforms.......................................................18

ACCCR18.1.Informationrequirements:.................................................................................................18ACCCR18.2.Consentrequirements...........................................................................................................19ACCCR18.3.Opt-outcontrols.......................................................................................................................19ACCCR18.4.Children’sdata..........................................................................................................................19ACCCR18.5.Informationsecurity..............................................................................................................19ACCCR18.6.Retentionperiod......................................................................................................................19ACCCR18.7.Complaints-handling.............................................................................................................19

Recommendation19–Statutorytortforseriousinvasionsofprivacy..........................................19

ACCCeconomy-wideconsumerlawrecommendationsaffectingprivacy....................................20

Recommendation20–ProhibitionagainstUnfairContractTerms............................................20Recommendation21–Prohibitionagainstcertainunfairtradingpractices..........................21

SummaryofsubmissionsmadebyAPF........................................................................................................22



ExecutiveSummary The Australian Privacy Foundation (APF)welcomes the contributionmade by the ACCC toimproving theunderstandingofhowtheprotectionofprivacy iscentral toaddressinganti-competitiveconcernsandconsumerprotectioninthedataeconomy.APF'sprimaryfocusinthis submission is on the consumer privacy aspects of the Inquiry, but with an eye to theissuesofmarketpower,andthetrustthatisfundamentalforpublicadministrationinonlineenvironments.TheAPFstronglysupportstheACCC'sanalysisandrecommendations,acrossthe board. ACCC’s analysis is consistent with a wide range of Australian and internationalofficialandprivatereportsoverthepastthreeyears,demonstratingthatthereisinternationalrecognition of a substantive problem thatmust be addressed. In particular, APFurges theGovernment’sadoptionoftherecommendationsinChapter7toachievevitalandsubstantialupgradesinAustralia’sprivacyprotection,inordertoaddressthemajorinroadsintoprivacybecause of the enormous growth in data surveillance by the private sector since 2000, thepressingneed for amorepowerful andmuchmore effectivePrivacyCommissioner, and toachievetheprivacyrightofactionpreviouslyrecommended.

For reasons detailed in this Submission (and summarised at its end), APF accordinglyexpresses its strong support for the adoption by the Australian Government of all of thefollowingRecommendations:

16: StrengthenprotectionsinthePrivacyAct (a) Update‘personalinformation’definition (b) Strengthennotificationrequirements (c) Strengthenconsentrequirementsandpro-consumerdefaults (d) Enabletheerasureofpersonalinformation (e) Introducedirectrightsofactionforindividuals (f) HigherpenaltiesforbreachofthePrivacyAct17: BroaderreformofAustralianprivacylaw,havingregardto: 1. Objectives 2. Scope 3. Higherstandardofprotections 4. Inferredinformation 5. De-identifiedinformation 6. Overseasdataflows 7. Third-partycertification18: OAICprivacycodefordigitalplatforms,includingbutnotlimitedto: 1. Informationrequirements 2. Consentrequirements 3. Opt-outcontrols 4. Children’sdata 5. Informationsecurity 6. Retentionperiod 7. Complaints-handling19: Statutorytortforseriousinvasionsofprivacy20: Prohibitionagainstunfaircontractterms21: Prohibitionagainstcertainunfairtradingpractices



AsubmissionbytheAustralianPrivacyFoundationtotheAustralianGovernment The Australian Competition and Consumer Commission (ACCC) released the Final Report in its Digital Platforms Inquiry2 on 26 July 2019, following a Preliminary Report (December 2018). The Australian Government is conducting a public consultation on the ACCC report3 from 1 August 2019 for twelve weeks,4 and will announce its response to the report before the end of 2019.

ThissubmissiontotheGovernmentisbytheAustralianPrivacyFoundation,andispreparedby thebelow-listed authorswith expertise in privacy-related regulation and trust issues. Itfocuses on the ACCC recommendations that are particularly relevant to privacy issues. Itfollowsanearlier submissionon theACCCdraft report.5The authors who have contributed to this submission are: Graham Greenleaf, Bruce Arnold, David Lindsay, Roger Clarke, Katherine Lane and Elizabeth Coombs. It is consistent with a range of detailed official and civil society analyses over the past three years.6

Fundamentalissues:LimitingadverseprivacyeffectsofmarketdominanceTheAustralianPrivacyFoundation(APF)givesstrongsupporttotheACCC’sidentificationofthemarketdominanceoftheGoogleandFacebookplatformsastheunderlyingcoreproblemwhich exacerbates or creates the other problems identified in its Report. As ACCC said‘strategic acquisitions by bothGoogle andFacebookhave contributed to themarket powerthattheynowhold’.7WesubmitthatitisessentialthattheGovernmentgivefullweighttoallofthecompaniesthattheyhaveacquired,andalsotoallthestreamsofpersonalinformationto which they have access because of those acquisitions and because of other businessarrangements.

With theemergenceof thedataeconomy, thecollectionanduseofpersonaldatarepresentthemainsourceofvaluefordigitalplatforms.Theeffectivecontroloflargedatasetsexercisedbyplatforms,suchasGoogleandFacebook,supportsandreinforcesnetworkeffectsandthesubstantial market power possessed by platforms. Moreover, the market power of theplatforms creates a power imbalance between platforms and users such that any consent2ACCCDigitalPlatformsInquiry<https://www.accc.gov.au/focus-areas/inquiries/digital-platforms-inquiry>.

3JointMediaRelease(Treasurer;MinisterforCommunications,CyberSafetyandtheArts)PublicconsultationontheACCCDigitalPlatformsReportnowopen, 1 August 2019 <http://ministers.treasury.gov.au/ministers/josh-frydenberg-2018/media-releases/public-consultation-accc-digital-platforms-report-now>.

4Written submissions are due by 12 September 2019, and invited consultation meetings will take place after that:<https://consult.treasury.gov.au/structural-reform-division/digital-platforms-inquiry/>..

5Australian Privacy Foundation submission on ACCC draft report ‘Digital Platforms: The Need to Restrict SurveillanceCapitalism’,22February2019<https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3341044>.

6See for example Canada, House of Commons Committee on Access to Information, Privacy and Ethics (ETHI) andInternational Grand Committee (May 2019). Big Data, Privacy & Democracy; Canada, House of Commons Committee onAccess to Information, Privacy and Ethics (ETHI)(2018). Democracy Under Threat: Risks and Solutions in the Era ofDisinformationandData-opoliesOttawa:GovernmentofCanada;Canada,JointinvestigationofFacebook,Inc.bythePrivacyCommissioner of Canada and the Information and Privacy Commissioner for British Columbia (April 25, 2019). PIPEDAReport of Findings; Canada, Elizabeth Denham, Assistant Privacy Commissioner of Canada (July 16, 2009). Report of theFindingsintotheComplaintfiledbytheCanadianInternetPolicyandPublicInterestClinic(CIPPIC)againstFacebookInc.UnderthePersonal InformationProtectionandElectronicDocumentsAct; EuropeanCommission (2019)CompetitionPolicy fortheDigital Era. Commissioned report by Jacques Crémer, Yves-Alexandre de Montjoye, Heike Schweitzer; France, FacebookMission (May 2019).Regulation of social networks – Facebook experiment. Submitted to the French Secretary of State forDigital Affairs; Germany, Bundeskartellamt (Feb. 6, 2019). Facebook, Exploitative business terms pursuant to Section 19(1)GWB for inadequate data processing (Case Summary); Germany, Bundesministerium für Wirtschaft und Energie (2017).WeißbuchDigitalePlattformen [WhiteBookDigitalPlatforms];OECD (2019).AnIntroductiontoOnlinePlatformsandTheirRoleintheDigitalTransformation;UnitedKingdom,InformationCommissioner’sOffice(Nov.6,2018).Investigationintotheuseofdataanalyticsinpoliticalcampaigns:AreporttoParliament.

7ACCCdraftreport,p.9.



givenbyuserstothecollectionanduseofpersonaldataisillusory.Establishinganeffectivedata privacy regime is therefore essential to correct market imperfections in the dataeconomy.

TheAPFconsiders,however, thatthe issuesatstakealsogobeyondquestionsofcorrectingmarket imperfections, and that the ACCC should explicitly recognise that they constitute anewanddangerouseconomicformation.Theseflowsofdatahavebeenusedtocreatewhatisnow widely described as ‘the surveillance economy’ (or ‘surveillance capitalism’ 8 )substantially inventedbyGooglenearly twodecadesago,andshortly thereafteradoptedbyFacebook,whicharestill itsdominantexponents.Theyarethemostsignificantprovidersofboth data and data acquisition channels to themarket for surveillance services, as distinctfromtheir imitators,and themanypurchasersof thoseservices,whoalsocontribute to theresulting problems. In relevant recent developments, German regulators have orderedFacebooktorestrictdatacollection,byrequiringthatexpressuserconsentbeobtainedbeforecombiningWhatsApp,Instagram,andFacebookaccountdata.9

There are three aspects of the surveillance economy that are of particular relevance to thereformsitisnecessaryfortheGovernmenttonowimplement:

(i) its mechanisms compel the providers to a market for surveillance services toconstantly seek to expand the scope of their collection of behavioural data, thuscreatingmarketpowerrisks(addressedinACCCRecommendations1-3);

(ii) the nature and sources of data usedby thosewith access to surveillancemarketdata (particularly Facebook andGoogle) are largely invisible to those consumersand citizens involved in transactions with them, thus exacerbating privacy risksandproblemsofeffectiveprivacyregulation(addressedinACCCRecommendations16-17);and

(iii) theglobaloperationofleadingdigitalplatforms,whichprovidethesecorporationswith both sufficient revenue to disregard small scale penalties, and a strongincentive to engage in regulatory arbitrage, in particular to resist effectiveregulation in a jurisdiction such as Australia because an effective regime here islikely to influence policymakers in existing or emerging markets (addressed inACCCRecommendations8(e)-(g)).

More broadly, failure by Government to effectively address the issues highlighted in thissubmissionwillservetoerodethetrust that is fundamental toelectroniccommerce,andtotheengagementbycitizenswithe-governmentinitiatives.Erosionoftrustindigitalplatformsarisingfrominsufficientprotectionofpersonalinformationisnotsimplyconfinedtochillinge-commerce, but extends to broader trust deficits in digital services, such as digital healthservicesandelectronicservices,andmoregenerallytounderminingtrustinGovernment.

8ThemechanismsofsurveillancecapitalismareexplainedinthemostcomprehensivedetailbyShoshanaZuboffTheAgeofSurveillanceCapitalism (PublicAffairs,NY,2019),and inherearlierarticles.Zuboffargues thatsurveillancecapitalism isanewformofcapitalismdistinguishedbyitsextractionandexploitationof ‘behaviouralsurplus’(personaldatacollectedfortheprimarypurposeofpredictingandchangingindividualbehaviours,ratherthanfortheprimarypurposeofimprovingaservicetoindividualusers).Shearguesthatoneoftheprincipaldangersofsurveillancecapitalismisthatitskeypractitionersarecompelledtoexpandtheextentoftheirsurveillanceofindividualsinordertomaintaintheirdominantpositions.

9 Alex Hern ‘German regulator orders Facebook to restrict data collection’ The Guardian, 7 February 2019<https://www.theguardian.com/technology/2019/feb/07/german-regulator-orders-facebook-to-restrict-data-collection>



The APF submits that the Government should be conscious of the global and regionaldimensions of the issues addressed by the ACCC, which present both challenges andopportunitiesforeffectiveregulation(egconsistencywithpracticeintheEuropeanUnionandrecognitionthatcorporationssuchasFacebookhaveconsistentlydemonstratedawillingnessto evade responsibility by claiming that they operate outside EU law). Furthermore, indeveloping an effective regulatory regime the Government should be conscious that digitalplatforms are susceptible to misuse for ‘fake news’ (including inappropriate politicalcommunication and data gathering, whether directly by the platform operator or by thatoperator’s partners), and that privacy involves more than concerns about undisclosed ordeceptivedatagatheringfordirectmarketing.

ACCC’sfundamentalRecommendation:Economy-wideprivacyreformsACCCrecommendsthatalmostallitsprivacy-relatedrecommendations(16(a)–16(f),and17,and19),shouldbeimplementedbygeneralamendmentstothePrivacyAct1988applyingtoallorganisationstowhichtheActapplies,andshouldnotbe limitedtoapplyonlytodigitalplatforms. It ‘considers that economy-wide regulatory reform is needed in somecircumstances,andshouldapplytobusinessesbeyonddigitalplatforms.’ACCCisoftheviewthat the proposed reformswould rarely cause significantly increased compliance costs forbusinessesnotprincipally involved incommercializingpersonaldata.ACCC’srecommendedchanges to consumer law (Recommendations 20 and 21) are also economy-wide. The onlysignificantsector-specificexceptionisRecommendation18,theOAICPrivacyCodeforDigitalPlatforms.

TheAPFsupportsverystronglytheseACCCrecommendationsfortheeconomy-widescopeofdesirable regulatory reform. The APF regards them as crucial to the effectiveness of theGovernment’s privacy reforms and its broader digital initiatives, including in e-health anddigitalisation of government services at the national and state/territory levels. All of theseACCC recommendations, even if they apply with special force to platforms, are equallyapplicabletoallorganisationsprocessingpersonaldata,becausetheywouldredressgeneraldeficiencies to the existing Privacy Act, deficiencies which help make Australia’s privacyprotectionsweak and inadequate, and sub-standard compared to those in other countries,andparticularly in comparisonwith theEUGDPR.Reformsbasedon theACCC’sproposals,and those proposed by the Government in March 2019, therefore present a long-overdueopportunityforacomprehensivereformofAustralia’sprivacyprotections.

Theadditionalcompliancecostsclaimedbysomebusinessesopposingeconomy-wideprivacyreformsareunconvincingobjectionsbecausetheyover-estimatethecostsofcomplianceandtheyareoutweighedbythebenefitsofeconomy-wideprivacyprotection,especiallyintermsof increased trust. Further, to define some protections as ‘platforms only’, would causeconfusionanddifficulties inapplication indrawingboundariesaround ‘platforms’,and thusresultinincreasedcompliancecosts.

Recommendations1-3–MeasurestoaddressmarketpowerofGoogleandFacebookAPFsupportsstronglythefollowingACCCrecommendations:

ACCCR1-Additionalprivacy-relevantfactorsinmergerlaws• Recommendation1 (additional relevant factors inmerger laws, to include the (j)

the likelihood that the acquisitionwould result in the removal from themarket of apotentialcompetitor;and(k)thenatureandsignificanceofassets,includingdataandtechnology,beingacquireddirectlyorthroughthebodycorporate).



ACCCR2-Priornoticeofacquisitions• Recommendation 2 (prior notice of acquisitions). However, we submit that ACCC

Recommendation 2 is not strong enough, because ACCC only recommends that theplatforms ‘agree toaprotocol’without consequences forbreaching it.ThehistoryofGoogleandFacebookshowsthatanyvoluntarymeasuresarelikelytobeevadedanddefeated (as shown in the FTC’s recent enforcement action against FacebookconcerningCambridgeAnalytica).Theonlyrealisticapproachwhendealingwiththesecompaniesislegalcompulsioncoupledwithpenaltiessevereenoughtobedeterrents.TheGovernmentshouldenactattheoutsetthattheplatformsarelegallycompelledtogivetherequirednotice,thereforeintroducealegalobligation,backedbyappropriatepenalties,forplatformstogivetherequirednoticeofacquisitions.

ACCCR4-Requiredchoicesratherthandefaults(browsersandsearchengines)• Recommendation3 (requiredchoices rather than defaultswhenoperating system

providers supply browsers, and when browser providers supply search engines).However, the ACCC recommendation is too narrow, being limited to the currentpositionwithAndroidbrowsers.APF submits that theGovernment should enact theACCC’sdraftrecommendation(notitsfinalversion)asageneralprinciple.Suchchoicein both browsers and search engines is essential to avoiding the concentratedaggregationofuserdata,andisalsoconsistentwiththePrivacyByDesign&ByDefaultprinciplenowacceptedasakeyinnovationin3rdgenerationdataprivacylawssuchastheEU’sGeneralDataProtectionRegulation(GDPR).

ACCCanddataportability• Data Portability –The ACCC Report [2.10.1] says ACCC ‘considered whether to

recommendspecificdataportabilitymechanismsasameansofaddressingthemarketpower of digital platforms’, but decided not to do so ‘at this point in time’ despiteseeing advantages. However, the ACCC only considered data portability of personaldata from a competition perspective, whereas it has already been accepted as adesirable general principle in in 3rd generation data privacy laws such as the EU’sGeneralDataProtectionRegulation(GDPR).APFsubmitsthattheGovernmentshouldincludedataportabilityaspartof itseconomy-widereforms to thePrivacyAct1988,andshouldnotlimitittotheConsumerDataRight.

Recommendation16–StrengthenprotectionsinthePrivacyActacrosstheeconomyTheAPF submits that theGovernment should adopt the followingACCC recommendations,althoughinsomecaseswithclarificationsoramendmentsindicated.

ACCCR16(a)Update‘personalinformation’definitionACCC recommends ‘Update the definition of ‘personal information’ in the Privacy Act toclarifythatitcapturestechnicaldatasuchasIPaddresses,deviceidentifiers,locationdata,andanyotheronlineidentifiersthatmaybeusedidentifyanindividual.’

APFsupportstheaboverecommendation,butnotesthatspecialcaremustbetakentoensurethatanydefinitionalchangesclearlyovercomethedifficultiescreatedbythedecisionoftheFederal Court inTelstra v Privacy Commissioner,10. Such a change would involvemaking itclearthatinformationis‘aboutanindividual’ifitcan(givencurrenttechnologies),contributeto the identification of an individual. Such a clarification of the definition of ‘personalinformation’isimportanttotheACCC’sconcerns,becauseIPaddresses,URLsandsimilardataareamongthetypesofdatamostcommonlycorrelatedbyGoogle,Facebooketc inordertoidentifydatathatisaboutanindividual.TheGDPRnowexplicitlyincludesonlineidentifiers10PrivacyCommissionervTelstraCorporationLimited[2017]FCAFC4(‘GrubbCase’)



and location data within its definition of ‘personal data’, and a similar approach is highlydesirableinAustralia.

APFfurthersubmitsthatthedefinitionof‘personalinformation’inthePrivacyActoughttobeamended to clarify that it encompasses data drawn from the profiling or tracking ofbehavioursormovementssuchthatanindividualcanbesingledout(i.e.disambiguatedfroma crowd or cohort) and thus can be subjected to targeting or intervention, even if anindividualcannotbe‘identified’,intheconventionalsense,fromthedataorrelateddata.TheGovernmentshouldconsidersuchanamendment,whichwouldplaceAustralia’sPrivacyActonaparwiththebestlawsdealingeffectivelywiththeharmswhichtheACCChasidentified.

ACCCR16(b)StrengthennotificationrequirementsACCCrecommends‘RequireallcollectionofpersonalinformationtobeaccompaniedbyanoticefromtheAPPentitycollectingthepersonalinformation(whetherdirectlyfromtheconsumerorindirectlyasathirdparty),unlesstheconsumeralreadyhasthisinformationorthereisanoverridinglegalorpublicinterestreason.‘

ACCC recommends ‘The notice must be concise, transparent, intelligible and easilyaccessible,writteninclearandplain language,providedfreeofcharge,andmustclearlyset out how the APP entity will collect, use and disclose the consumer’s personalinformation.Wherethepersonalinformationofchildreniscollected,thenoticeshouldbewritten at a level that can be readily understood by theminimumage of the permitteddigitalplatformuser.’

ACCC recommends ‘To provide consumers with a readily understood and meaningfuloverviewofanAPPentity’sdatapracticesandasameansof reducing their informationburden, itmayalsobeappropriatefortheserequirementstobe implementedalongwithmeasures such as the use of multi-layered notices or the use of standardised icons orphrases.’

APFsupportstheserecommendations,butsubmitsthattheGovernment’s legislationshouldbe more specific and should specify (as ACCC suggested in its draft Report, p. 227) ‘theidentityandcontactdetailsof theentity collectingdata; the typesofdata collectedand thepurposes forwhicheachtypeofdata iscollected,andwhetherthedatawillbedisclosedtoany third parties and, if so,which third parties and forwhat purposes’. It is essential thatindividualsbe told thepurposes forwhich theirpersonaldata is collected, so that theycaninsist that the collector should only use the data for that purpose (subject to legislativeexceptions). Such informed consent and consequent control reaffirms individual autonomyandservestobuildtrust inonline interactionsacrossthepublicandprivatesectors,atrustweakened by public awareness of recurrent large-scale data breaches and other problemsinvolvinglargeorganisations.

IfthereisthirdpartycollectionthereshouldalsobeadutyontheAPPentitytorequire(bycontractorotherwise) the thirdparty todeliver thenotice.A thirdpartycollectormaynotitselfbeanAPPentity,sotheobligationneedstorestwiththeAPPentity.

ACCCR16(c)Strengthenedconsentrequirementsandpro-consumerdefaultsACCC recommends ‘Require consent to be obtained whenever a consumer’s personalinformation is collected, used or disclosed by an APP entity, unless the personalinformation is necessary for the performance of a contract to which the consumer is aparty, is required under law, or is otherwise necessary for an overriding public interestreason.’



ACCCrecommends‘Validconsentshouldrequireaclearaffirmativeactthatisfreelygiven,specific, unambiguous and informed (including about the consequences of providing orwithholdingconsent).Thismeans thatany settings fordatapractices relyingonconsentmustbepre-selectedto‘off’andthatdifferentpurposesofdatacollection,useordisclosuremustnotbebundled.Wherethepersonalinformationofchildreniscollected,consentstocollectthepersonalinformationofchildrenmustbeobtainedfromthechild’sguardian.’

ACCC recommends ‘It may also be appropriate for the consent requirements to beimplemented alongwithmeasures tominimise consent fatigue, such as limiting consentrequirements to when personal information is collected for a new purpose, or usingstandardised icons or phrases to refer to certain categories of consents to facilitateconsumers’comprehensionanddecision-making.’

APFsupporttheserecommendations,butsubmitthatitshouldspecificallystatethattheonusofproofofcompliancewithallconsentconditions lieswiththecollectorofthe information.APF also submit that separate consents should be required for each separate purpose(‘unbundling’ of bundled consents), and that furthermore, information forwhich consent isrequired should be unbundled from any information forwhich consent is not required. AsACCC states, steps need to also be taken tominimize ‘consent fatigue’, and particularly toavoidrequiringthesameconsentonmultipleoccasions.

However APF also submits that tightening up the meaning of ‘consent’ alone will not besufficient. It is also necessary to tighten up thewording in relation to collection necessity(APP3.1-3.2), anduse/disclosure for ‘related’ secondarypurposes (APP6.2(a)), inorder torequire companies to rely on genuinely informed ‘consent’ as the legal basis for collecting,usingordisclosinganypersonalinformationthatisnotstrictlynecessarytofulfiltheoriginaltransaction. Otherwise Facebook, Google and other companies will simply sidestep anynew/stricterconsentrules,eitherbydefiningtheirprimarypurposeinanoverlypermissivemanner,orbyarguingthattheirhandlingofpersonalinformationis ‘related’totheprimarypurposeinsomewayasoutlinedintheirprivacypolicy.

Theextraordinarybreadthallowedunderthe ‘relatedsecondarypurposewithinreasonableexpectations’ test, given the OAIC’s interpretation of APP 6.2(a) in dismissing a complaintabout the deliberate release by Centrelink to themedia11of the personal information of awelfarerecipient,andparticularlythepersonalinformationofherpartner,demonstratestheinabilityofAPP6.2toconstrainevenegregiousbehaviours.

AfurtherconcernthatneedstobeaddressedisthetendencyofAPPentitiestoadopta'takeitorleaveit'approach,andrequireconsentasanon-negotiabletermofcontract.APFcontendsthatconsenttocollectionoruseordisclosureofanyitemofpersonalinformationcanonlybeaconditionofuseifthedenialofconsentcanbedemonstratedtounderminetheprovisionoftheservice.Thegovernmentshouldensurethatthe“takeitorleaveit”approachtoconsentand“bundled”consentarebothclearlyinterpretedasunfairtermswhichtheACCCcantakeactiontoremoveundertheunfairtermsprovisionsintheAustralianConsumerLaw.

Finally,thegovernmentshouldensurethattheeffectivenessofconsentis“consumertested”.Many consumers have been worn down and effectively trained to give consent as part ofservice provision. To ensure that consent is meaningful and not illusory it is necessary toindependentlytestwhatconsentiseffective.Whenaneffectivemethodisdesignedthenthatdesignshouldbemademandatory.11 See https://www.oaic.gov.au/media-and-speeches/statements/centrelink-debt-recovery-system#concluding-statement-centrelink-release-of-personal-information(currentlyunavailableduetowebsitechanges)



ACCCR16(d)EnabletheerasureofpersonalinformationACCCrecommends ‘RequireAPPentitiestoerasethepersonalinformationofaconsumerwithout undue delay on receiving a request for erasure from the consumer, unless theretention of information is necessary for the performance of a contract to which theconsumer is a party, is required under law, or is otherwise necessary for an overridingpublicinterestreason.’

APFsupports this recommendation, andgivesparticular strongsupport to the fact that therecommendationisnotlimitedinitsscopetoinformationprovidedbythedatasubjectonthegroundsof‘consent’inthefirstplace.

This broader erasure right is essential to amodern data privacy law. The EuropeanUnionexperiencewiththeso-called‘righttobeforgotten’pre-datesthe‘erasure’rightinGDPRart.17,andoriginatesintheGonzalezdecisionof2014.12Inbothpre-andpost-GDPR,therightto‘de-linking’ (and thusprivacy throughobscurity),or insomecasesactualerasure,hasbeenavailabletothosewhosepersonaldatawascollectedwithouttheirconsent, includingunderstatutoryauthority.Theoverallexperience in theEUhasbeenpositive,anddataprotectionauthorities and courts have been prudent in determining where use of the right isappropriate.APFsubmitsthatsucharight,notlimitedtoconsent-basedprovisionofdatabydatasubjects,shouldalsobeadoptedinAustralia.GiventheresistanceofAustraliancourtstoadoptanyexpansiveinterpretationsofprivacyprotections(onthebasisthatlawreformisamatter for legislatures informed by recommendations from a succession of law reformreports),theGovernmentneedstoensurethatanyerasurerightiswordedsoastoexpresslyincorporateade-linkingrightsuchasadoptedbycourtsintheEU.

TheAPFhaswatchedwithconcernthatarighttodeletionorerasurewasdroppedfromtheConsumerDataRight(CDR)legislation(alsoknownasopenbanking).Weunderstandthereissome negotiation to reinstate that right. However, although concern remains that thisfundamentalright (one that isavailable in theEU) isnotpresent inrecently legislateddataportabilitylegislation,itsvalueisnotinanywaylimitedtothecontextofdataportability,anditshouldbeexplicitlyincludedinreformsbasedontheACCCrecommendations.

Establishment of such a right is constitutionally permissible andwould not be contrary torecurrentHighCourt judgments about the implied freedomof political communication.Weemphasise,consistentwithEUjurisprudence,thatconsentshouldbesubstantiveratherthanmerelyformal,andwedrawtheGovernment’sattentiontoexplorationbytheDepartmentofthe Treasury about technical mechanisms to facilitate informed consent in relation to theAustralianConsumerDataRight.

ACCCR16(e)IntroducedirectrightsofactionforindividualsACCCrecommends‘GiveindividualsadirectrighttobringactionsandclassactionsagainstAPPentitiesincourttoseekcompensationforaninterferencewiththeirprivacyunderthePrivacyAct.’

‘TheACCCrecommendsthatindividualsshouldhavearightofactionintheFederalCourtor the Federal Circuit Court to be able to seek compensatory damages as well asaggravatedandexemplarydamages(inexceptionalcircumstances) for the financialandnon-financialharmsufferedasaresultofaninfringementofthePrivacyActandtheAPPs.’

WegivestrongsupporttothisRecommendation.Itiscrucialthatindividualscanseekaccessto justice when there has been an interference with their privacy. To provide meaningful12GooglevAEPD&Gonzalez(2014)CJEU



accesstojusticetheremustbetwopathsavailable:(i)accesstoCourttoseekcompensationandotherorders;and(ii)accesstoanalternativefreedisputeresolutionscheme(whichistheOAIC).ItisessentialtohavebothoptionsbecausemanypeoplecannotaffordtogotoCourt,butmustbeabletoseekcompensationwithoutneedingtodoso.However,theinvestigationand enforcement functions of the Privacy Commissioner have operated in a veryunsatisfactorymannerformanyreasons(someofwhicharediscussedbelow),onlysomeofwhich can be addressed by providingmore resources to theOAIC. It is therefore of equalimportancetoallowdirectaccesstothecourtstothosewhowishtotakethatroutetoobtaincompensation,andhavethemeanstodoso.

APFnotesthattheLawReformCommissionsofatleasttheCommonwealth,NSWandVictoriahavepublisheddetailedanalysesandRecommendationstothiseffectin2008,2009and2010respectively, alongside recommendations by parliamentary inquiries. Thoserecommendationsarepractical,andhavenotbeenopposedbyconsensusbodiessuchastheLawCouncilofAustralia.

Where individuals have sufficient resources to take a breach of the Privacy Act before thecourts,withoutneedtofirstcomplaintotheOAIC,thereareverygoodreasonstoenablethemtodoso,includingpracticalreasonssuchas:(i)whereplaintiffsarewillingtofundtheirownlitigation, with the risk of the award of costs against them, this is one indicator of theseriousness of a complaint; and (ii)where cases go before the courts, thismay reduce thecoststotheOAICofcomplaintinvestigationandenforcementactions.

However,themostimportantreasonforsupportinganalternativeenforcementrouteisthatitwillmeanthatCourtswillhavetheopportunitytointerpretthePrivacyAct,andCourtswillthroughtheirjudgmentssetstandardsforwhatareappropriatetypesandlevelsofpenaltiesandcompensationforprivacybreaches.

The APF notes the importance of the transparency provided by both litigation and by theACCC’s engagementwith professional and other communities. A keyweakness of theOAICregime under the Privacy Act 1988 is that agency’s ongoing emphasis on closed-doorcomplaintresolution,anditsresistancetodisclosureofhowitmakesdecisionsinresponsetocomplaints.SuchresistanceisironicgiventheOAIC’sroleastheCommonwealth’sfreedomofinformation agency and the strong desire across both industry and civil society forinformation that will enable stakeholders to understand how the OAIC is interpreting thePrivacy Act. Litigation would provide the sunlight that is the best disinfectant foradministrative inefficiency and consumer exploitation. It offsets the disquiet amongconsumers evident in empirical research about the timeliness and sufficiency of theOAIC’shandlingofcomplaints.13Itwouldhelpprovidethecertaintythatbusinessexpectsindealingwithconsumers,governmentsandotherenterprises.

ACCCR16(f)HigherpenaltiesforbreachofthePrivacyActACCC recommends ‘Increase the penalties for an interference with privacy under thePrivacy Act to mirror the increased penalties for breaches of the Australian ConsumerLaw.’

The current Australian Consumer Law (ACL) maximum penalties are the highest of A$10million, or three times the benefit received, or 10% of the turnover of the business. The

13See for example JodieSiganto and Mark Burdon, ‘The Privacy Commissioner and Own-Motion Investigations into Serious Data Breaches: A Case of Going Through the Motions?’ (2015) 38 (3) University of New South Wales Law Journal 1145



Governmenthasalreadyproposedsuchanincrease,notingthatthe10%iscalculatedagainstlocalannualturnover.

WhileanyincreaseinpenaltiesforbreachesofthePrivacyActwillbeanimprovementonthecurrent situation, APF does not consider that paritywith the penalties for breaches of theAustralian Consumer Law is the appropriate standard. The standard set by the EuropeanUnion’sGeneralDataProtectionRegulation (GDPR) is that, depending onwhich provisionshavebeenbreached,therecanbeafineof2to4%ofthe‘totalannualworldwideturnover’ofacompany,orafineof10to20millioneuros,whicheveristhehigher(GDPRart.83(4)-(6)).InJanuary2019thefirstadministrativefinewasmadeundertheseprovisions,whenFrance’sdata protection authority (the CNIL) fined Google 50million euros, and since then the UKInformationCommissioner’sOffice in July2019hasproposed two fines for large-scaledatabreachesof£183million(BritishAirways)and£99million(Marriotthotelchain).

This‘EUbenchmark’of‘2-4%’isbeingreflectedinBillsintheprocessofenactmentinmanycountries.IthasalreadybeenenactedinKorea,atthelevelof3%ofglobalannualturnover.OnefineofUS$4.5million(approximately)hasbeenmadeagainstashoppingmallforadatabreach.IthasbeenproposedinIndia.

WesubmitthatifAustralianprivacylawistohaveadeterrenteffectonglobalcompaniesofthe scale of Google and Facebook, the maximum fines that can be issued should beproportionaltotheglobalturnoverofthecompanyconcerned,andtheproportionshouldbein the range 2-4%. As things stand, a small penalty will be accepted by leading platformoperators and their partners as an acceptable cost of business, one that does not tangiblyaffecttheirprofitability,doesnotresultindisinvestment,thatdoesnotgaintheattentionofthemassmediaandthatdoesnotmeaningfullyerodetheoperator’ssociallicence.Meaningfulpenalties are consistent with recurrent calls by the ACCC for higher penalties to influencecorporatebehaviour.TheyarealsoconsistentwiththeconclusionsoftheRoyalCommissionintoMisconductintheBanking,Superannuation&FinancialServicesIndustry.

In addition to this proposed penalty proportional to turnover, APF submits that anotherpotent form of deterrent, particularly applicable to data privacy breaches, should beintroduced.InSouthKorea,statutorydamagesmaybeawardedtoallpersonswhosepersonaldatawasdisclosedasaresultofadatabreachduetonegligentsecurity(orotherreasonsinbreach of the law), with a statutory penalty able to be awarded of up to 3 million won(US$3,000)perpersontoaclassofthosewhosedatawasleaked.Claimantshavenoneedtoproveactualdamage.SomeUSlawshavesimilarprovisions.Thepotential liabilityresultingfrom a $3,000 statutory liability, for even a data breach of sensitive data of one millionindividuals could amount to 3 billion dollars. Some data breaches involve millions ofindividuals, and they often include biometrics, ID numbers and other most sensitiveinformation.TherelevanceofstatutorydamagestotheACCC’sdeterrentobjectivesisthattheriskof impositionof suchdamages can convertdatawhichplatforms (or their surveillancemarket customers) consider valuable only because of its surveillancemarketing uses, intopotentiallytoxicdata,andthusdetercompaniesfromretainingitbeyondwhenitsnecessaryuseshaveexpired.Aproperlyframeddamagesprovision,wherethepurposeforwhichdatawasretainedisoneofthecontributingfactorstothequantityofthepercapitadamages,couldbeapowerfuldeterrent.WesubmitthatACCCshouldrecommendsuchastatutorydamagesprovision.

Reflecting comments above about the global nature and offshore incorporation of leadingplatformswenotethattheACCCisnotinapositiontoprovideeffectivedeterrencethroughimprisonment or disqualification of overseas corporate executives. Tangible financial



penaltiesandformalundertakingsnottorepeatmisbehaviourarethereforesalient;theyareconsistentwiththeACCC’scompliancepyramidstrategy.

AustralianGovernmentproposedreformstothePrivacyAct(March2019)InMarch2019 theGovernmentannounced14that amendments to thePrivacyActwouldbemadetoachievethefollowingobjectives(italicisedbelow).Itsaid‘Legislationwillbedraftedforconsultationinthesecondhalfof2019.’Sincethesereformswillprobablybeenactedatthe same time as those recommended by the ACCC, APF takes the opportunity to makesubmissionsontheseGovernmentproposalsaswell.

Govt.1:IncreasepenaltiesIncrease penalties for all entities covered by the Act, which includes social media andonlineplatformsoperatinginAustralia,fromthecurrentmaximumpenaltyof$2.1millionfor serious or repeated breaches to $10million or three times the value of any benefitobtainedthroughthemisuseofinformationor10percentofacompany'sannualdomesticturnover–whicheveristhegreater.

This isessentiallythesamepenaltyregime,andscope,asACCCrecommendation16(f).APFsupportssuchachange,butconsidersthattheEUapproachof2-4%ofglobalturnoverwouldbepreferable,asdiscussedabove.

Govt.2:OAICinfringementnoticepowersProvide the Office of the Australian Information Commissioner (OAIC) with newinfringementnoticepowersbackedbynewpenaltiesofupto$63,000forbodiescorporateand$12,600forindividualsforfailuretocooperatewitheffortstoresolveminorbreaches.

APFnotes that this isavery limitedpowerwhichonlyapplies tonon-cooperationwith theOAIC,andisnotapenaltythattheOAICcanapplyforminorbreachesoftheAct.Itwouldbepreferable if theOAICcould imposedirectlyminorpenalties forminorbreaches, insteadofhaving to take thematter to theFederalCourtbeforeapenaltycanbe imposed(whichhasneveroccurredsincethisreformwasmadein2012).

Govt.3:OAIC‘otheroptions’Expand other options available to the OAIC to ensure breaches are addressed throughthird-partyreviews,and/orpublishprominentnoticesaboutspecificbreachesandensurethosedirectlyaffectedareadvised.

APFsupportsthisproposedchange.

Govt.4:Socialmedia‘deletion’requirementRequire social media and online platforms to stop using or disclosing an individual'spersonalinformationuponrequest.

Thisproposalisconsistentwith,butcannowbesupersededby,ACCCrecommendation16(d),whichispreferable.

Govt.5:ExtraprotectionforvulnerablegroupsIntroduce specific rules to protect the personal information of children and othervulnerablegroups.

14Attorney-General,ChristianPorterandMinister forCommunicationsandtheArts,MitchFifield,Mediarelease: ‘Tougherpenalties to keep Australians safe online’ 24 March 2019 <https://www.attorneygeneral.gov.au/Media/Pages/Tougher-penalties-to-keep-australians-safe-online-19.aspx>



APF supports thisproposed change inprinciple, butnodetails are given except that itwillinclude ‘even stronger regimes to address these issues when the user is a child or othervulnerableperson’inrelationtorequesttostopusingpersonalinformation.

Govt.6:A‘codeforsocialmediaandonlineplatforms’Thegovernmentalsoproposeslegislativeamendments:

whichwillresult inacodeforsocialmediaandonlineplatformswhichtradeinpersonalinformation.Thecodewillrequirethesecompaniestobemoretransparentaboutanydatasharingand requiringmore specific consent of userswhen they collect, use anddisclosepersonalinformation.

Thisproposal isconsistentwith,butcannowbesupersededby,ACCCrecommendation18,whichisinmuchgreaterdetailandispreferable.

Govt.7:AdditionalfundingtoOAICThegovernmentalsoproposesthat:

‘TheOAICwillbeprovidedwithanadditional$25millionover threeyears togive it theresources it needs to investigate and respond to breaches of individuals' privacy andoverseetheonlineprivacyrules.’

APF supports the provision ofmore resources to the OAIC. The OAIC at present has a sixmonth delay before it even starts to investigate a complaint. However, the provision ofresources is only part of the reason why the Privacy Act and the OAIC have been soineffectual,arguablydysfunctional,forprivacyprotectionforsolong.AnothermajorreasonisthatCourtsandTribunalshavehadsofewopportunitiestointerpretthePrivacyAct,anditsenforcement, and thus to instruct the Privacy Commissioner on how the Act must beinterpretedandenforced.PartofthereasonforthisisthatsuccessiveCommissioners’actionshavecontributedtokeepingcomplaintdecisionsawayfromtheAATandtheCourts.

Although thePrivacyAct1988 has been in force for 30 years, only a handful of non-trivialcases have been decided by the Courts. The recent inclusion in the Privacy Act of thes96(1)(c) right of appeal against s52 Determinations by the Commissioner15should haveallowedAATandcourtdecisionstoshinesomelightintocornersoftheAct.However,thishasnotoccurred,because(putbluntly)successivePrivacyCommissionershaverefusedtomakes52Determinations.ThetrackrecordofallCommissionersto2014wasthat,onaverage,noteven one person per year would obtain a s52 determination, so that they could considerappealingagainst it.16For2011-14 theaveragewas twoperyear.17Since2014 theaveragehasrisento5.5peryear,18but thisstill represents less thanoneappealabledecisioneverytwomonths. Furthermore, thesearesomethingclose to ‘self-selected’ complaints, theones

15PrivacyAmendment(EnhancingPrivacyProtection)Act2012,inforce2014.

16Greenleaf, G, ‘Privacy Enforcement in Australia is Strengthened: Gaps Remain’ (2014) 128 Privacy Laws & BusinessInternationalReport1-5https://ssrn.com/abstract=2468774;

17 Numbers of Determinations for 2011-14 were: 5 (2014); 0 (2013); 1 (2012); 1 (2011); Source: OAIC<https://www.oaic.gov.au/privacy-law/determinations/Page-4#pagelist> ; figures for earlier years can be found from theAustLIIwebsite.

18 Numbers of Determinations for 2015-18 were: 3 (2018); 5 (2017); 9 (2016); 5 (2015); Source: OAIC<https://www.oaic.gov.au/privacy-law/determinations/Page-4#pagelist>asat6February2018.ItispossiblethattheOAIChasfailedtoyetlistsomeDeterminationssinceMarch2018(themostrecentDeterminationrecorded),butthereisnosourceofinformationotherthantheOAIC’swebsite,soiftherearemoreDeterminationsnotyetlisted,thisisanother‘transparencygap’.



thattheCommissionerhas ‘letthrough’totheDeterminationstage,asexplainedbelow,andthe results of the Determinations are overwhelmingly in favour of complainants, withbreachesoftheActbeingfound,andsometypeofremedybeingawarded(compensationorotherwise).Soitisperhapsnotsurprisingif(onthemostpositivefigures),wherethereare5successfulcomplainantsoutof5.5peryear,the0.5DeterminationswherenobreachisfounddonotgeneratemanyappealstotheAATortheCourts. ButwhyaretheresofewnegativeDeterminations?

A major reason for the lack of negative Determinations has been that successiveCommissionershave insistedthattheywilldismisscomplaints if theythink ‘therespondenthasdealtadequatelywiththecomplaint’(s41(2)(a)),eventhoughthecomplainantdisagreesthat they had been dealtwith ‘adequately’. Alternatively, Commissioners have claimed thattherehasbeen‘nointerferencewithprivacy’(s41(1)(a)),evenincaseswherethefactswerenot indispute,but interpretationofthe lawanditsapplicationtothosefactswascontestedbetweentheparties.

It appears from anecdotal reports that the Commissioner insists on such dismissals evenwherethecomplainantstatesthattheywishtohaveaformalDeterminationmade,andevenin caseswhere the complainant is seeking a formalDetermination inorder to test the law,because thematter isofpublic interest rather thansimplyabout theirownprivate right toprivacy. Such dismissals block dissatisfied complainants obtaining s52 determinations, andthusblocktherightofappealtotheAAT.TheresultisthatAATandthecourtshaveclosetonon-existentopportunitiestoconsidertheCommissioner’sinterpretationsofthePrivacyAct,ortheappropriatenessofremediesunderit.Theapplicationofthelawisthusopaque,andasaresultcanhaveunfairconsequences,butwithoutadequaterecoursetoreviewoftheOAIC’sdecisions.

APF therefore submit that the Government should remove the s41(1)(a) and s41(2)(a)impediments to s52 determinations, by amendment to the sub-section to provide that, if acomplainantobjectstotheCommissioner’sdismissalofacomplaintunderthesesub-sections,the Commissioner will then make a formal determination under s52. This will givecomplainants(andrespondents)theopportunitytoappealtotheAAT.

Recommendation17–BroaderreformofAustralianprivacylaw(ACCCproposals)ACCCrecommendthatbroaderreformofAustralianprivacyregimeshouldbeconsideredtoensureitcontinuestoeffectivelyprotectconsumers’personalinformationinlightoftheincreasing volume and scope of data collection in the digital economy, and should haveregardtothefollowingissues:

In addition to the ACCC’s specific recommendations for reform of the Privacy Act, and theGovernment’s March 2019 proposals for reform, the ACCC also recommends that theGovernment examine additional reforms (italicised below). APF supports the Governmentrevising the Privacy Act to address all these issues, except to the extent thatwe commentbelow on some of them. However, it is important that the other reforms specificallyrecommendedbytheACCC,andthereformsalreadyproposedbytheGovernmentshouldnotbedelayedwhiletheseadditionalreformsareconsidered.

ACCCR17.1ObjectivesObjectives: whether the objectives of the Privacy Act should place greater emphasis onprivacy protections for consumers including protection against misuse of data andempoweringconsumerstomakeinformedchoices



ACCCR17.2ScopeandexemptionsScope:whetherPrivacyActshouldapplymoretosomeoftheentitieswhicharecurrentlyexempt(forexample,smallbusinesses,employers,registeredpoliticalparties).

APF gives very strong support to such broadening of the scope of the Act. Removal of themanyunjustifiableexemptionsfromthePrivacyAct,suchasthosecitedbytheACCC,wasoneofthemajorrecommendationsoftheAustralianLawReformCommissioninitsreviewofthePrivacy Act. This is an overdue reform. The Cambridge Analytica/Facebook scandal hasdemonstrated the potential dangers of exempting political parties from the Act. Lack oftransparency in the political uses of personal information increases the risk of votersdisengaging frommainstreamparties in favourof fringegroups.The scopeof ‘employmentinformation’ isnowvastcomparedtowhat itwas in2001whentheAct firstappliedtotheprivate sector, and ‘employment information’ now has a strong overlap with social mediainformation, and other information gathered by intrusive surveillance. The so-called ‘smallbusiness exemption’ is a major impediment to Australia obtaining a positive adequacyassessment from the EU, and provisions in Japan’s laws with similar effect were removedfromitslawpriortoitsadequacyapplication.

ACCCR17.3HigherstandardofprotectionsHigherstandardofprotections:whetherthePrivacyActshouldsetahigherstandardofprivacyprotection,suchasbyrequiringalluseanddisclosureofpersonal informationtobebyfairandlawfulmeans.

APF supports the extension of the ‘fair and lawful means’ requirement to all aspects ofprocessingofpersonalinformation(notonlyuseanddisclosure),whereasatpresentitonlyappliestocollectionofpersonalinformation.

ACCCR17.4InferredinformationInferred information: whether the Privacy Act should offer protections for inferredinformation,particularlywhere inferred information includes sensitive information, suchasinformationaboutanindividual’shealth,religiousbeliefs,orpoliticalaffiliations.

APFsupportssuchachange,whichshouldbedealtwithaspartofthereviewofthedefinitionof‘personalinformation’inACCCrecommendation16(a).

ACCCR17.5De-identifiedinformationDe-identified information: whether there should be protections or standards for de-identification, anonymisation and pseudonymisation of personal information to addressthe growing risks of reidentification as datasets are combined and data analyticstechnologiesbecomemoreadvanced

APFsubmitsthat,ataminimum,Australia’sanonymisationprovisionsshouldbealignedwiththoseof theEuropeanUnion’sGDPR.Thisshouldbedealtwithaspartof thereviewof thedefinition of ‘personal information’ in ACCC recommendation 16(a). It is fundamentallyimportant to recognise that successive empirical research reports have demonstrated theeaseandpotentialimpactofreidentificationofsupposedly‘deidentified’data,withAustralianstudiesrangingfromVictoria’sMykisystemtoverysensitivehealthdata.

ACCCR17.6OverseasdataflowsandEU‘adequacy’Overseas data flows: whether the Privacy Act should be revised such that it could beconsideredbytheEuropeanCommissiontooffer ‘anadequatelevelofdataprotection’tofacilitatetheflowofinformationtoandfromoverseasjurisdictionssuchastheEU,and



APFconsidersthatAustralia’slong-terminterests,andinparticulartheinterestsofAustralianbusinesses,wouldbewell servedbyAustralia strengthening itsprivacy laws sufficiently toallowAustraliatoobtainapositiveadequacyassessmentfromtheEUunderitsGeneralDataProtectionRegulation(GDPR),asJapanhasdonein2019,NewZealanddidin2013,andKoreaislikelytodoshortly.Australianbusinesseswouldthenbeabletoreceivepersonaldatafromcompanies in the EU, without the necessity for any special arrangements in relation toindividual transactions.Many Australian companies are already aiming to complywith theGDPRinordertosatisfytherequirementsofheadofficesbasedintheEUorelsewhere,orasarequirementimposedoncontractorsinthesupplyofservicesprovidedtotheEU.Giventhatthereisalreadysignificant‘GDPRcreep’inAustralia,aformalfindingofadequacyinrelationto Australia would reduce these compliance burdens on Australian companies, as well asincreasingprotectionsforAustralianconsumers.

TofacilitatetheEUfindingAustralia’sprotectionstobe‘adequate’,AustraliashouldalsoapplytoaccedetodataprotectionConvention108+,inaccordancewithRecital105oftheEUGDPR.

ACCCR17.7Third-partycertificationThird-party certification: whether an independent certification scheme should beintroduced.

APF’ssubmissionon theACCC’sdraft reportstated thatsuchcertificationschemesmustbedevelopedwith considerable care to avoid the problems,mentioned below, but APF is notcompletelyopposed,justsceptical,aboutcertificationbeingusedasameansofimplementing‘demonstrableaccountability’(inGDPRterms).ThisisstillAPF’sposition.

Privacy‘seals’,‘badges’andcertificationhavehadapoortrackrecordelsewhere,duelargelyto their capture by industry and with the result that data subjects are misled that theirpersonal information is safe. These dangers are exacerbated by two factors. There is aninherent conflict of interest involvedwhen the certifying organisation depends on revenueflowingfromthoseitcertifies(andparticularlyfromrenewalsofcertification),sothatwhereitrefuses/revokescertification,itisclosingdownitsownrevenueflows.Wherecertificationisvoluntary,thenthecertifyingbodyhastoselltheideaofcertificationatall,whichislikelyto involve implied promises that certification is easy to obtain (otherwise, why wouldcompaniesrisklosingmoneyonfailedcertificationattempts).

TheACCCwillneed toavoid thesedangers in its finalproposals. It isproposing to ‘requirecertain businesses’ to be certified,which should removemany of the above problemswithbothinitialcertificationandre-certification.ItisalsoimportantthattheOAICisnotcertifyingbusinesses itself (but only approving certification agentswho are to carry out the audits),because otherwise the OAIC would have a conflict of interests when investigating allegedbreaches by certified companies. To deal with other possible conflicts concerningappointmentofauditors,werecommend the introductionofobjectivecriteria forcertifyingauditors,andthattheyshouldbesubjecttoperiodicperformancereviewsbytheOAIC.

AnotherdifferenceintheACCC’sproposalsisthatthecertificationbodieswouldbecertifyingagainstcompliancewiththePrivacyAct.IncontrastwiththeverypoorexampleoftheAPEC-CBPRs (Cross-border Privacy Rules system), ‘Accountability Agents’ such as TRUSTe (nowTrustArc), only certify against the far lower standard of the APEC Privacy Framework, notagainst the standard of national laws of the companies certified.19This ACCC-proposedcertification system should not be confused or combined in any way with the Australian19Greenleaf, G, ‘APEC's Cross-Border Privacy Rules System: A House of Cards?’ (2014) 128 Privacy Laws & BusinessInternationalReport,27-30https://ssrn.com/abstract=2468782



government’s proposal to join the APEC-CBPRs, because of these inconsistent andirreconcilablestandardsforcertification.

Recommendation18–OAICPrivacyCodeforDigitalPlatformsThe ACCC considers that ‘this recommendation could align with the Government’s March2019announcementtocreatealegislatedcodeapplyingtosocialmediaandonlineplatformswhichtradeinpersonalinformation.’

An enforceable code of practice be developed by theOAIC, in consultationwith industrystakeholders, to enable proactive and targeted regulation of digital platforms’ datapractices(DPPrivacyCode).Thecodeshouldapplytoalldigitalplatformssupplyingonlinesearch,socialmedia,andcontentaggregationservicestoAustralianconsumersandwhichmeet an objective threshold regarding the collection of Australian consumers’ personalinformation.

APF submits that the range of stakeholders with whom the code is to be developedmustextend well beyond 'industry stakeholders' as that term is commonly and very narrowlyinterpreted, and must include Civil Society organisations, and independent experts, withexpertiseand/or interests in theoperationofdigitalplatforms,not least including theAPF,EFAandACCAN.AsACCCrecommendsbelow,itshouldalsobeinvolvedinthedevelopmentof the code. APF considers ACCC involvement is essential because of the OAIC’s very poortrack-recordinenforcementofthePrivacyAct.

The DP Privacy Code should be enforced by the OAIC and accompanied by the samepenaltiesasareapplicabletoaninterferencewithprivacyunderthePrivacyAct.TheACCCshouldalsobeinvolvedindevelopingtheDPPrivacyCodeinitsroleasthecompetitionandconsumerregulator.TheDPPrivacyCode shouldcontainprovisions targetingparticularissuesarisingfromdatapracticesofdigitalplatforms,suchas:

APFsupportsthedevelopmentofsuchacode,andthatitshouldbeanenforceablecode,butonly to theextent that itsprovisionscannotderogate fromtheprotectionsprovidedby thetermsofthePrivacyAct,asinterpretedbythecourts.Anysuchderogationsshouldbeinvalid.TheOAICmustnotbegivenanyopportunitytoreducestatutoryprovisions.However,courtsshould be able to consider the codewhen interpreting provisions in the Act. As the ACCCnotes (p. 482), codes made by the OAIC under Part IIIB of the Privacy Act ‘may imposeadditionalrequirementstothoseimposedbytheAPPs,solongastheadditionalrequirementsarenotcontraryto,orinconsistentwith,theAPPs’.TheAPFconsidersthatthisispreferableto separate legislation toamend theAct to createa code.APart IIIB codemightalsoallowspeedierdevelopmentwhilelegislationisstillbeingdeveloped.

APF submits that the DP Privacy Code should be enforceable directly in the courts byindividuals,inthesamewaythatACCCrecommendsthattherestoftheActbesoenforceable(ACCCR16(e)).

Submissions by various digital platform representatives that such a code is not neededbecause they already comply with some elements of it are intended to obfuscate, avoiduniformity,andavoidpenalties,andwerecorrectlyrejectedbytheACCC(p.483).

Except to the extent noted in the following comments, APF supports the ACCC’s followingrecommendationsforcontentofthecode.

ACCCR18.1.Informationrequirements:1.Informationrequirements:requirementstoprovideandmaintainmulti-layerednoticesregarding key areas of concernand interest for consumers. The first layer of this notice



should contain a concise overview followed bymore detailed information in subsequentlayersprovidedtoconsumers.Thefinallayershouldcontainallrelevantinformationthatdetailshowaconsumer’sdatamaybecollected,used,disclosedandsharedbythedigitalplatform,aswellasthenameandcontactdetails foreachthirdpartytowhompersonalinformationmaybedisclosed.

ACCCR18.2.Consentrequirements2.Consentrequirements:requirementstoprovideconsumerswithspecific,opt-incontrolsforanydatacollectionthatisforapurposeotherthanthepurposeofsupplyingthecoreconsumer-facingserviceand,whereconsentsrelatetothecollectionofchildren’spersonalinformation,additional requirements toverify thatconsent isgivenorauthorisedby thechild’sguardian.

APF supports this proposal, particularly because it goes some distance toward theimplementation of the ‘Privacy by Default’ principle, by requiring consumers to opt-in tohaving their privacy invaded (the ‘No Privacy By Design’ options usually favoured by theplatforms).Italsoimplementsthe‘unbundling’ofconsents,whichtheAPFhasrecommendedasadesirablegeneralreform.

APF also supports the ACCC’s rejection of bases other than consent for non-core uses ofpersonaldatacollectedbydigitalplatforms,andparticularlya‘legitimateinterests’basisforcollection,whichisstillill-definedwhereitisusedintheGDPR(p.489).

ACCCR18.3.Opt-outcontrols3.Opt-outcontrols:requirementstogiveconsumerstheabilitytoselectglobalopt-outsoroptins,suchascollectingpersonalinformationforonlineprofilingpurposesorsharingofpersonalinformationwiththirdpartiesfortargetedadvertisingpurposes.

ACCCR18.4.Children’sdata4.Children’sdata:additionalrestrictionsonthecollection,useordisclosureofchildren’spersonal information for targeted advertising or online profiling purposes andrequirements to minimize the collection, use and disclosure of children’s personalinformation.

ACCCR18.5.Informationsecurity5. Information security: requirements to maintain adequate information securitymanagementsystemsinaccordancewithacceptedinternationalstandards.

ACCCR18.6.Retentionperiod6. Retention period: requirements to establish a time period for the retention of anypersonal information collected or obtained that is not required for providing the coreconsumer-facingservice.

ACCCR18.7.Complaints-handling7. Complaints-handling: requirements to establish effective and timely mechanisms toaddressconsumercomplaints.

Recommendation19–StatutorytortforseriousinvasionsofprivacyIntroduceastatutorycauseofactionforseriousinvasionsofprivacy,asrecommendedbytheAustralianLawReformCommission (ALRC).This causeofactionprovidesprotectionfor individuals against serious invasions of privacy thatmaynot be capturedwithin thescopeofthePrivacyAct.Thecauseofactionshouldrequireprivacytobebalancedagainstother public interests, such as freedom of expression and freedom of the media. This



statutory cause of action will increase the accountability of businesses for their datapracticesandgiveconsumersgreatercontrolovertheirpersonalinformation.

APFgivesstrongendorsementtoRecommendation19.TheALRC’sexaminationof theneedfor a statutory cause of action for serious invasions of privacy was very thorough and itsrecommendations well-balanced. The recommendation has been supported by all relevantinquiriesthathaveconsideredthisissue,andisalong-overduereformthatfillsaglaringgapinthelaw.20

TheAustralianPrivacyFoundationmadesubmissions21totheALRCduringitsenquirywhichwere stronger at various points than the ALRC’s final recommendations. A NSWParliamentary Committee also recommended in 2016 a statutory cause of action22whichwentfurtherthantheALRCrecommendations(whichwereconfinedtointentionalorrecklessconduct), and proposed that corporations (and government) should also be liable fornegligent conduct which otherwise met the criteria for the statutory cause of action. TheGovernment should examine both the APF submission and the NSW report, and considerstrengthening its recommendationaccordingly.TheFoundationnotes that therehasbeenasuccessionofotherreportsrecommendingestablishmentofastatutorycauseofaction.Whilethe introduction of a privacy cause of action has historically been opposed by mediaorganisations, such development is consistent with the implied freedom of politicalcommunication and, as evidenced by experience in comparable jurisdictions with privatecausesofaction,wouldnotimpermissiblyencumbertheoperationofestablishedoremergingmediaorganisations.TheACCCcorrectlyarguesthattheimpactonfreedomofspeech,andonmediaoperations,willbeminimal(pp.494-5).

For reasons well-explained by the ACCC (p. 496), the proposed right of individual directenforcement of the Privacy Act (ACCC R16(e)) is a necessary complement to the statutoryaction for serious invasions of privacy. APF gives strong support to both reforms beingenacted.

ACCCeconomy-wideconsumerlawrecommendationsaffectingprivacyACCCmakestworecommendationsinvolvingamendmentstotheCompetitionandConsumerAct2010which,ifadopted,willhaveaverysignificanteffectontheprotectionofprivacyinrelationtodigitalplatforms,andtoothercategoriesofbusinessesadverselyaffectingprivacy.These reforms will also bring consumer protection regulators into central roles in theprotectionofprivacyinAustralia,takingthesoleresponsibilityforthisoutofthehandsoftheOAIC.APFsupportsbothrecommendations,andregardsthemascentraltotheACCCreformagenda.

Recommendation20–ProhibitionagainstUnfairContractTermsAmend the Competition and Consumer Act 2010 so that unfair contract terms areprohibited(notjustvoidable).Thiswouldmeanthatcivilpecuniarypenaltiesapplytotheuseofunfaircontracttermsinanystandardformconsumerorsmallbusinesscontract.

20ALRC(2008)'ForYourInformation:AustralianPrivacyLawandPractice'Report108,AustralianLawReformCommission,August2008;NSWLRC (2009) 'InvasionofPrivacy'Report120,August2009;VLRC (2010) 'Surveillance inPublicPlaces',VictorianLawReformCommission,August2010.

21AustralianPrivacyFoundation‘SeriousInvasionsofPrivacyintheDigitalEra’AustralianPrivacyFoundationSubmissiontotheAustralianLawReformCommissionhttps://papers.ssrn.com/sol3/papers.cfm?abstract_id=2360928

22https://www.parliament.nsw.gov.au/lcdocs/inquiries/1877/Reportno57Remediesfortheseriousinvasionof.pdf



The ACCC has concluded that the current unfair contract terms (UCT) provisions do notprovidesufficientdeterrence.‘ThisrecommendationwouldallowtheACCCtoholdbusinesses(including digital platforms) to account for includingUCTs, not just to haveUCTs declaredvoid(asiscurrentlythecase).’Furthermore,itsays‘Thisisparticularlysignificantinstandardformcontractswherethereisazeromonetaryprice,likemanydigitalplatforms’termsofuseand privacy policies, where the impact of declaring a term void is less likely to haveimmediate impacts on the parties’ financial rights and obligations. Introducing penalties tothe use of UCTs will help lessen the bargaining imbalance between digital platforms andconsumersoveranypotentialUCTs thatdigitalplatformsmaywish touse in their termsofuseandprivacypolicies’(p.497).Thisisthereforeaneconomy-widerecommendation.

Thisrecommendationisthereforea fundamentalaspectoftheACCC’sproposals forprivacyregulationofplatforms,andonetowhichtheAPFgivesstrongsupport.

Recommendation21–ProhibitionagainstcertainunfairtradingpracticesAmendtheCompetitionandConsumerAct2010toincludeaprohibitiononcertainunfairtradingpractices.Thescopeofsuchaprohibitionshouldbecarefullydevelopedsuchthatitissufficientlydefinedandtargeted,withappropriatelegalsafeguardsandguidance.

ACCC considers that an ‘unfair practices’ prohibition‘ would be appropriate to addressconductnotcurrentlycaughtbytheconsumerprotectionlawsbutwhichhasthepotentialforsignificant consumer harm’. It would go beyond the scope of the misleading or deceptiveconductprovisionsonwhichAustralianconsumerlawislargelybased.Because‘thepracticesof concern identified during the Inquiry are not confined to digital platforms’, it proposeseconomy-widereforms.SuchaprohibitioniscurrentlybeingconsideredbyconsumeraffairsauthoritiesinallAustralasianjurisdictions,anditisthroughthisforumthatACCCintendstopursueitsrecommendation.

ACCC identifies the privacy-related reasons for these reforms: ‘consumer transactionswithdigital platforms often feature acute information asymmetries and bargaining powerimbalances and the existing regulatory frameworkdoesnot effectivelydeterdatapracticesthatexploitthesecharacteristics’(p.499).TheexamplesidentifiedbyACCCwhichcouldfallunderthisprovision(ofwhichmoredetailsaregiven–seep.498)include:

• “businesses collecting and/or disclosing consumer data without express informedconsent

• businessesfailingtocomplywithreasonabledatasecuritystandards,includingfailingtoputinplaceappropriatesecuritymeasurestoprotectconsumerdata

• businessesunilaterallychangingthetermsonwhichgoodsorserviceareprovidedtoconsumers without reasonable notice, and without the ability for the consumer toconsider thenew terms, including in relation to subscriptionproductsandcontractsthatautomaticallyrenew

• businesses inducing consumer consent or agreement to data collection and use byrelying on long and complex contracts, or all or nothing click wrap consents, andproviding insufficient time or information thatwould enable consumers to properlyconsiderthecontractterms

• businesspractices thatseektodissuadeconsumers fromexercising theircontractualorother legalrights, includingrequiring theprovisionofunnecessary information inordertoaccessbenefits.”



Thislistofexamples,itsclearrelevancetokeyprivacy-abusingpracticesofdigitalplatforms,anditsfurtherrelevancetootherprivacy-abusingbusinesses,makesitclearthatthisreformwould add a new form of analysis and regulatory action to Australian privacy regulation,complementarytotheanalysisandactionoftheACCC.

AsACCCpointsout,overseasconsumerprotectionauthorities(includingintheEU,UK,USA,CanadaandSingapore)hassomeformofunfairpracticesauthority.Inparticular“IntheUS,theFTC[FederalTradeCommission]viewsthatits ‘unfairnessauthority’undertheFTCAct,along with its ‘deception authority’ (similar to the ACL’s misleading or deceptive conductprovisions)provideacomplementarysetofprovisions thatallow it toaddress the typesofharmthatarenototherwisecapturedbyastandalone‘deceptionauthority’.”AdoptingsuchanapproachwouldthereforealignAustralianlawwiththeprincipalcurrentformofprivacyprotection in the USA. APF considers this would be very valuable, enabling Australianregulators to benefit from American experience, and from equivalent experience in otherjurisdictions,inregulatingwhatwilloftenbethesameonlineplatforms.

SummaryofsubmissionsmadebyAPFThe Australian Privacy Foundation’s submissions to the Government concerning the ACCCFinalReportmaybesummarisedinthefollowingpropositions:

ACCC’s fundamentalRecommendation:Economy-wideprivacyreforms –APFsupportsvery strongly ACCC recommendations for the economy-wide scope of desirable regulatoryreform(recommendations(16(a)–16(f),and17,and19)).

Recommendations1-3–MeasurestoaddressmarketpowerofGoogleandFacebook–APFsupportsstronglythefollowingACCCrecommendations:

• Recommendations1(additionalrelevantfactorsinmergerlaws);• Recommendation2 (prior notice of acquisitions), butAPF submits it isnot strong

enough, and that the Government should enact at the outset that the platforms arelegallycompelledtogivetherequirednotice.

• Recommendation3 (requiredchoices rather than defaultswhenoperating systemproviderssupplybrowsers,andwhenbrowserproviderssupplysearchengines),butAPF submits the ACCC recommendation is too narrow, and that the Governmentshould enact the ACCC’s draft recommendation (not its final version) as a generalprinciple.

DataPortability–APFsubmitsthattheGovernmentshouldincludedataportabilityaspartofitseconomy-widereformstothePrivacyAct1988,andshouldnotlimitittotheConsumerDataRight.

Recommendation16–StrengthenprotectionsinthePrivacyActacrosstheeconomy–TheAPFsubmits that theGovernment shouldadopt the followingACCCrecommendations,althoughinsomecaseswithclarificationsoramendmentsindicated:

• ACCCR16(a)Update ‘personal information’definition–APFsubmits thatspecialcare must be taken to ensure that any definitional changes clearly overcome thedifficulties created by the decision of the Federal Court in Telstra v PrivacyCommissioner.APFfurthersubmitsthatthedefinitionof ‘personalinformation’inthePrivacyAct ought tobeamended toclarify that it encompassesdatadrawn fromtheprofiling or tracking of behaviours or movements such that an individual can besingledout.



• ACCC R16(b) Strengthen notification requirements – APF submits that theGovernment’s legislation shouldbemore specific and should specifydetails asACCCsuggestedinitsdraftReport.

• ACCCR16(c) Strengthened consent requirements and pro-consumer defaults –APFsubmitthatthisrecommendationshouldspecificallystatethattheonusofproofofcompliancewithallconsentconditionslieswiththecollectoroftheinformation;thatseparate consents should be required for each separate purpose (‘unbundling’ ofbundled consents); and that information for which consent is required should beunbundled fromany information forwhich consent isnot required; that the ‘relatedsecondary purposewithin reasonable expectations’ testmust also be tightened; andthat the “take it or leave it” approach to consent shouldbe clearly interpretedasanunfairterm.

• ACCCR16(d)Enable theerasureofpersonal information–APFsubmitsthatanyerasurerightsshouldexplicitlyincludea‘de-linking’right(sometimescalledthe‘righttobeforgotten’).

• ACCCR16(e) Introducedirect rightsof action for individuals –APFgivesstrongsupporttothisRecommendation,bothbecauseanalternativeenforcementroutewillbenefit complainants, and because is that it will mean that Courts will have theopportunity to interpret thePrivacyAct, andCourtswill throughtheir judgmentssetstandardsforwhatareappropriatetypesandlevelsofpenaltiesandcompensationforprivacybreaches.

• ACCCR16(f)HigherpenaltiesforbreachofthePrivacyAct–APFsubmitsthatthepreferable standard is that set by the European Union’s General Data ProtectionRegulation(GDPR)sothat,dependingonwhichprovisionshavebeenbreached,therecanbeafineof2to4%ofthe‘totalannualworldwideturnover’ofacompany,orafineof10to20millioneuros,whicheveristhehigher.

• APF submits that another potent form of deterrent, particularly applicable to dataprivacy breaches, should be introduced: statutory damages should be able to beawardedtoallpersonswhosepersonaldatawasdisclosedasaresultofadatabreachdue to negligent security (or other reasons in breach of the law), with a statutorypenalty able to be awarded of up to a limit (in SouthKorean, it is 3millionwon orUS$3,000) per person to a class of those whose data was leaked, without need forclaimantstoproveactualdamage.

AustralianGovernmentproposedreformstothePrivacyAct(March2019)–APFgivesgeneralsupporttotheAustraliangovernmentreformstothePrivacyActproposedinMarch2019.

Recommendation 17 – Broader reform of Australian privacy law (ACCC proposals) –APF supports theGovernment revising thePrivacyAct to address all the issueswhere theACCCrecommends thatbroader reformsof thePrivacyAct shouldbeconsidered,except totheextentthatwecommentonsomeofthem.

Recommendation18–OAICPrivacyCodeforDigitalPlatforms–APFsubmitsthat:

• the stakeholders’ withwhom the code is to be developedmust extendwell beyond'industrystakeholders'asthattermiscommonlyandverynarrowlyinterpreted;

• that ACCC involvement is essential because of the OAIC’s very poor track-record inenforcementofthePrivacyAct;

• thatitshouldbeanenforceablecode,butonlytotheextentthatitsprovisionscannotderogatefromtheprotectionsprovidedbythetermsofthePrivacyAct,asinterpretedbythecourts;



• thatthecodeshouldbeenforceabledirectly inthecourtsby individuals, inthesamewaythatACCCrecommendsthattherestoftheActbesoenforceable;

• theACCC’srecommendationsforthecontentofthecodeshouldbefollowed.

ACCCeconomy-wideconsumer lawrecommendationsaffectingprivacy–APFsupportsbothACCCconsumerlawrecommendations,andregardsthemascentraltoitsreforms:

• Recommendation20–ProhibitionagainstUnfairContractTerms• Recommendation21–Prohibitionagainstcertainunfairtradingpractices
