On October 25, 2021, the Australian Attorney-General's Department released for public consultation a draft bill amending the Privacy Act 1988 (Cth) (the Privacy Legislation Amendment (Enhancing Online Privacy and Other Measures) Bill 2021 (Cth), or Online Privacy Bill) and a discussion paper proposing broader reforms of Australian privacy legislation. You can find our overview of the Online Privacy Bill and the discussion paper here.
One of the major changes in the Online Privacy Bill is the introduction of a framework that would allow the Office of the Australian Information Commissioner (OAIC) to register an enforceable online privacy code, developed by the OAIC or by industry (OP code), which would bind all large online platforms, social media services and providers of data brokerage services (OP organizations). This would complement the current provisions of Part IIIB of the Privacy Act, which deal with the development and registration of, and compliance with, APP codes that set out how one or more of the Australian Privacy Principles (APPs) apply to a specific organization or class of organizations (and may impose additional requirements).
As described below, large online platforms and social media services are defined broadly in the Online Privacy Bill. This means that a large number of organizations with online businesses could be affected by the proposed OP code, which goes beyond the recommendation of the ACCC in its 2019 Digital Platforms Inquiry final report to create a privacy code enforceable against social media platforms, search engines and other digital content aggregation platforms.
Combined with the removal of the requirement that a foreign organization must collect or hold personal information in Australia in order to be subject to the Privacy Act, this would also capture an organization that collects Australians' personal information through a digital platform that has no servers in Australia.
In this briefing, we look at the implications of the Online Privacy Bill for a possible new OP code.
Key takeaways
Submissions on the Online Privacy Bill close on December 6, 2021. When making submissions and preparing for the implementation of the OP code, affected organizations should consider the following:
- The proposed OP code will dictate how OP organizations must comply with certain APPs (including how the use and disclosure of personal information is described in privacy policies, and notification and consent requirements). It would also impose additional requirements on OP organizations to cease using or disclosing information in response to reasonable requests, and in relation to their interactions with children and other vulnerable persons.
- Many of the changes that the Online Privacy Bill would introduce through the OP code for OP organizations mirror reforms considered for the broader economy in the discussion paper (e.g. introducing a right to object, and amending the Privacy Act to state expressly that consent must be voluntary, informed, current, specific and unambiguous, and that privacy notices must be clear, current and understandable).
- A breach of the OP code would be treated as an interference with an individual's privacy, exposing OP organizations to the increased penalties (up to $10 million, 3 times the value of the benefit obtained if determinable, or 10% of annual turnover) and strengthened enforcement mechanisms otherwise provided for in the Online Privacy Bill and the discussion paper.
- The specific restrictions on the use of children's personal information are modelled on similar provisions in foreign privacy regimes, including the EU General Data Protection Regulation (GDPR), and reflect a global regulatory focus on the safety of children using social media and the internet generally.
The OP code is intended to apply to the following types of organizations:
PROVIDERS OF SOCIAL MEDIA SERVICES
Organizations that provide an electronic service (that is, a service that allows end users to access material through a telecommunications "delivery service", or that delivers material to individuals using such a service) that:
- Have the sole or primary purpose of facilitating online social interactions between two or more end users, including online interactions that enable end users to share material for social purposes;
- Allow end users to link or interact with any or all of the other end users; and
- Allow end users to post materials on the Service.
EXAMPLES (EXPLANATORY PAPER)
According to the explanatory paper to the Online Privacy Bill (EP), this category:
- would cover social networking platforms; dating apps; online content services; online blogs or forums; gaming platforms with online multiplayer games that have chat functions; and online messaging and video conferencing platforms.
- would not include services that enable online communication or content sharing only as an additional function (cf. the Online Safety Act 2021 (Cth)).
PROVIDERS OF DATA BROKERAGE SERVICES
Organizations that collect personal information about an individual (directly or indirectly) for the sole or primary purpose of disclosing that information in the course of, or in connection with, providing a service.
EXAMPLES (EXPLANATORY PAPER)
The EP explains that this is intended to cover organizations whose business model is based on trading in personal information collected online, or in information derived from such personal information, such as Quantium, Acxiom, Experian and Nielsen Corporation.
LARGE ONLINE PLATFORMS
Organizations that, at a particular time in a year:
- had 2.5 million end users in Australia in the previous year, or 2.5 million end users in Australia in the current year if they were not operating in the previous year; and
- collect personal information about individuals in the course of, or in connection with, providing access to information, goods or services (other than data brokerage services) through the use of an electronic service (as defined above) other than a social media service.
EXAMPLES (EXPLANATORY PAPER)
While the EP states that this is intended to cover organizations that collect a large amount of personal information online (such as Apple, Google, Amazon and Spotify), the breadth of this definition has the potential to capture organizations from a wide variety of sectors and activities (as most businesses now operate online and use electronic services to deliver their goods or services). The Online Privacy Bill expressly excludes loyalty programs and services whose sole purpose is processing payments or providing access to a payment system (although online banking platforms that offer broader services may still be captured).
It is currently unclear how inactive accounts, or end users with multiple accounts, would be counted in assessing whether the 2.5 million end user threshold is met.
For comparison (albeit in a somewhat different context), the EU's proposed Digital Markets Act regulates "gatekeeper" organizations: essentially organizations with a turnover of at least 6.5 billion euros in the last three financial years (or an average market capitalization of at least 65 billion euros), with 45 million monthly active end users of the core platform service in the EU (around 10% of the EU population) and more than 10,000 yearly active business users in the last three years.
SCOPE OF REQUIREMENTS OF THE OP CODE
EXISTING APP REQUIREMENTS
The Online Privacy Bill provides that the proposed OP code would regulate how the following APPs apply to OP organizations:
NEW REQUIREMENTS AND RESTRICTIONS
The Online Privacy Bill provides that the proposed OP code would also impose additional requirements and restrictions in relation to:
DESIGN PROCESS & ENFORCEMENT
A breach of the OP code would be treated as an interference with an individual's privacy, exposing affected organizations to the increased penalties (up to $10 million, 3 times the benefit obtained from the breach if determinable, or 10% of annual turnover if the benefit cannot be determined) and strengthened enforcement mechanisms otherwise provided for in the Online Privacy Bill and the discussion paper. We will publish a separate briefing on these changes shortly.
CODE DEVELOPMENT PROCESS AND POWERS
The explanatory paper suggests that industry will lead the initial drafting of the OP code over 120 days after the Online Privacy Bill receives Royal Assent, with a public consultation period of at least 28 days. However, the Online Privacy Bill also provides that the OAIC may, in certain circumstances, develop the initial draft itself, with a consultation period of at least 40 days.
In deciding whether to register the OP code, the OAIC must, at a minimum, consult the Australian Competition and Consumer Commission and the eSafety Commissioner. This will allow each of these regulators to align their approaches to current reform and enforcement activity concerning online platforms, given the overlap of privacy, competition and online safety issues in the digital environment.