Digital Platforms: The Need to Restrict Surveillance Capitalism (Australian Privacy Foundation Submission to the Australian Competition and Consumer Commission (ACCC) – Digital Platforms Inquiry – Preliminary Report

Abstract

On 4 December 2017, the Australian government directed the Australian Competition and Consumer Commission (ACCC)a to conduct an inquiry into digital platforms. The inquiry, says the ACCC, ‘is looking at the effect that digital search engines, social media platforms and other digital content aggregation platforms have on competition in media and advertising services markets. In particular, the inquiry is looking at the impact of digital platforms on the supply of news and journalistic content and the implications of this for media content creators, advertisers and consumers’. On 10 December 2018 the ACCC released its preliminary report for the inquiry, and called for submissions. The final report by the ACCC is due by 3 June 2019. \n \nThis submission by the Australian Privacy Foundation (APF) has been prepared by the above-listed authors with expertise in privacy-related issues, and focuses on the ACCC recommendations that are particularly relevant to privacy issues. The APF gives general support to all of the draft Recommendations made by the ACCC, but makes the following eighteen specific submissions as to how those recommendations should be strengthened: \n \n(i) We submit that it is essential that the ACCC give full weight to all of the companies that Google and Facebook have acquired, and also to all the streams of personal information to which they have access because of those acquisitions and because of other business arrangements. \n \n(ii) The issues at stake also go beyond questions of correcting market imperfections. We submit that the ACCC should explicitly recognise that they constitute a new and dangerous economic formation, where flows of data have been used to create what is now widely described as ‘surveillance capitalism’, or ‘the surveillance economy’, \n \n(iii) We support strongly Recommendations 1 (additional relevant factors in merger laws, to include the amount and nature of data acquired in a merger), Recommendation 2 (prior notice of acquisitions), and Recommendation 3 (required choices rather than defaults when operating system providers supply browsers, and when browser providers supply search engines). \n \n(iv) We submit that Recommendation 2 is not strong enough, because the history of the platforms shows that any voluntary measures will be evaded and defeated, and that the only realistic approach when dealing with these companies is legal compulsion coupled with penalties severe enough to be deterrents. The ACCC should state that platforms will be legally compelled to give the required notice. \n \n(v) We support Recommendation 8(a), but submit that it should be more specific and should specify (as ACCC suggests) ‘the identity and contact details of the entity collecting data; the types of data collected and the purposes for which each type of data is collected, and whether the data will be disclosed to any third parties and, if so, which third parties and for what purposes’ \n \n(vi) We submit that Recommendation 8(a) will not be sufficient to achieve its aims unless the definition of ‘personal information’ in the Privacy Act is amended to clarify that it does include an IP address, a URL, or other information which can be used to identify an individual. \n \n(vii) We further submit that the definition of ‘personal information’ in the Privacy Act ought be amended to clarify that it encompasses data drawn from the profiling or tracking of behaviours or movements such that an individual can be singled out and thus can be subjected to targeting or intervention, even if the individual cannot be identified per se from the data. \n \n(viii) We submit that the certification schemes proposed in Recommendation 8(b) must be developed with considerable care to avoid problems identified in the submission, but do not oppose appropriate certification being used as a means of implementing ‘demonstrable accountability’. \n \n(ix) We support Recommendation 8(c) concerning consent, but submit that it should specifically state that the onus of proof of compliance with all consent conditions lies with the collector of the information; that such separate consents should be required for each separate purpose; and that information for which consent is required should be unbundled from any information for which consent is not required. \n \n(x) We further submit that the ACCC should require companies to rely on ‘consent’ as the legal basis for collecting, using or disclosing any personal information that is not strictly necessary to fulfil the original transaction. \n \n(xi) We support Recommendation 8(d) to enable the erasure of personal information, but submit that it is far too limited in its scope, being restricted to information provided by the data subject on the grounds of ‘consent’ in the first place. We submit that it should be expanded to encompass an Australian equivalent of the EU’s ‘right to be forgotten’. \n \n(xii) In relation to Recommendation 8(e) concerning increase in the penalties for breach, we submit that if Australian privacy law is to have a deterrent effect on companies of the scale of Google and Facebook, the maximum fines that can be issued should be proportional to the global turnover of the company concerned, and the proportion should be in the range 2-4%. \n \n(xiii) We further submit that ACCC should in addition recommend a statutory damages provision whereby a specified amount of statutory damages may be awarded to all persons whose personal data was disclosed as a result of a data breach due to negligent security (or other reasons in breach of the law), without need for proof of actual damage by the data subject whose personal data was disclosed. \n \n(xiv) We give strong support to Recommendation 8(f) to introduce direct rights of action for individuals to take actions for breach of the Privacy Act before the Courts, without need to first complain to the OAIC. \n \n(xv) While not opposing Recommendation 8(g) to expand resourcing for the OAIC, we submit this is not the most significant cause of the lack of interpretation of the Privacy Act by courts or tribunals. We submit that the ACCC should recommend the removal of the s41(1)(a) and s41(2)(a) Privacy Act impediment to s52 determinations, by amendment to the sub-section to provide that, if a complainant objects to the Commissioner’s dismissal of a complaint under these sub-sections, the Commissioner will then make a formal determination under s52. This will give complainants (and respondents) the opportunity to appeal to the AAT. \n \n(xvi) We support Recommendation 9, and in particular the involvement of the ACCC in the development of such a Code of Practice. \n \n(xvii) We endorse strongly Recommendation 10 that there should be a statutory cause of action for serious invasions of privacy. The ALRC’s examination of this issue was very thorough and its recommendations well-balanced, but we further submit that the ACCC may also wish to examine both the APF submission to the ALRC and the NSW Parliamentary Committee report on this topic, and to consider strengthening its recommendation accordingly. \n \n(xviii) The ACCC preliminary report identifies 9 areas which require further analysis and assessment, and we submit that two of those areas are particularly relevant to privacy protection and do require such further consideration: deletion of user data and opt-in targeted advertising.