Spinning globe map with books on digital privacy in Australia in the left corner

Digital Privacy in Australia in 2021: 3 Lessons for Australian Businesses from Global Privacy Laws

Global privacy law is undergoing massive change. Different countries are trying to keep up with rapid developments in technology, and associated ethical and trust issues. At the same time, they must meet the dynamic threats posed by cybersecurity breaches, and all in a way that is consistent with local cultures and norms. These laws need to balance supporting innovation with protecting the public and individual interest in the right to privacy.

This means privacy laws around the globe undergo more frequent changes than you’d typically see.

Since January 2019, ten countries have enacted privacy laws, bringing the total number of countries with privacy laws up to 142. California also amended its revolutionary privacy laws in November 2020 by enacting the California Privacy Right Act (CPRA). As these laws develop, it’s possible to glean insight into the future of digital privacy in Australia looks like.

But are there any consistent lessons for Australian businesses in the constantly changing privacy landscape?

In this post, we cover 3 important lessons for businesses about the direction of digital privacy in Australia:

 

1. Data breach notification obligations are increasing.

Jurisdictions around the globe are increasingly enacting notifiable data breach schemes. These are already well established in Australia, the US, the EU, and more recently in New Zealand. Similar rights are cropping up everywhere, albeit with lesser protections, including in China, Bahrain, and Ghana.

The NSW State Information Privacy Commissioner has referred to the introduction of mandatory data breach notification for NSW State Government agencies as the one of the most important strategic initiatives for the office in 2021.

Digital privacy & data breach notifications: why are they so important?

The spate of recent ransomware attacks make it clear that cyber-attacks must be regarded as more or less a certainty.  As part of their resilience and continuity planning, business must have a data breach response capability. Notification is an important part of data breach preparedness.

Not meeting statutory reporting obligations can result in significant fines, as Twitter found out. Twitter was hit with a fine of €450,000 for failing to promptly declare and properly document a data breach under Europe’s General Data Protection Regulation.

Business consequences of failure to notify following a data breach.

But there is more at stake than regulatory fines. It’s important to consider the business ramifications of notifying users following a data breach, and the impact that a data breach can have on user trust. A recent study by Kaspersky indicates that businesses that voluntarily inform users about a breach suffer less financial damage than those with customers and stakeholders who find out about the breach via media leaks. The usual reduction in financial damage ranges from 28% to 40% depending on the size of the organisation.

Here, it’s clear that more may be required than compliance with the law.

When considering your notification obligations, as part of your data breach response, your decision making should include consideration of issues like community expectations and how to maintain trust as well as meeting ethical standards.

Planning for a breach gives your business time to consider how you will comply with all the different legal obligations that might apply but also how you might minimise harm to trust and reputation by using a data breach notification process.

2. The world is moving in the direction of transparency and choice.

Two of the biggest changes introduced by the GDPR were heightened expectations in regard to transparency and the creation of new user rights, to help balance increased usage of personal data.

Notice and choice are cornerstones of consumer protection and are increasingly being embedded in data protection laws. California’s newest privacy legislation imparts the Importance of letting users choose their privacy settings, including the right to be forgotten and the right for their data not to be ‘sold’ or used for marketing purposes. California voted in the California Data Privacy Act (CPRA) in November 2020. One of the more important privacy rights which was expanded by the act is the Right to Opt-Out. Under the CPRA, transferring a data subject’s personal information to a third party for ‘cross-context behavioural advertising’ must be subject to consent. Users should be given a right to opt-out of third-party sharing for advertising purposes, including via cookie-based collection.

 

Screenshot from Google Analytics showing user data collected via cookies

Image by Negative Space on Unsplash

User demand for control over their data is increasing across the globe.

Users across the globe are demanding more control over the use of their data and we expect to see further protections being introduced around the globe in this regard. Meeting that demand can be a competitive advantage in jurisdictions where users aren’t protected by opt-out laws, including Australia. To do this properly, transparency and support for user control over data needs to be built into the design of products and services.

Australia’s response to the increasing demand from users:

The Australian Privacy Commissioner is looking at beefing up protections for users as part of its re-vamp of the Australian Privacy Act current under consideration. The Australian Privacy Commissioner confirmed in an address as part of the IAPP’s Privacy Awareness Week activities, that greater choice and consent will be included in the amendments but only where consent can be provided in a meaningful way.  The Australian Privacy Act will recognise that, as part of the overarching principles of fairness and accountability, there will be limitations on some privacy practices (that will operate outside a notice and choice regime).

Spotlight: farewelling cookies in the ad tech industry.

One example of how data protection laws are impacting businesses processes is changes to the use of cookies in the ad tech space. Negotiations around updates to the cookie requirements in the ePrivacy Directive are likely to be one of the reasons Google has decided to move towards a more privacy supportive model to support its advertising revenues. The search engine recently announced its plans for Google Chrome to phase out third party cookies by the end of 2022.  Similarly:

  • Safari is no longer accepting third party cookies,
  • Firefox is threatening to stop accepting them, and
  • Microsoft has turned on ‘Do Not Track’ setting by default.

3. It’s Time to Remove Your Website or App’s Dark Patterns.

Aligned with the move to greater transparency is the move away from ‘dark patterns’ and increasing regulatory action in regard to the use of dark patterns.

Dark patterns are design features built into websites or app’s that make it more difficult for users to provide informed consent about or otherwise manage their privacy. Examples of the use of dark patterns are features that require users to click through multiple pages to change their privacy settings. Other ‘digital traps’ associated with use of dark patterns include:

  • forced continuity programs that make it difficult to cancel charges,
  • trick questions to frustrate user choice, and
  • ‘free’ trials that automatically convert into paid memberships.

Dark patterns in practice.

Google was recently found to have misled customers about its location data settings in an action brought by the Australian Consumer Commission.  In that case, the Australian Federal Court ruled that, when creating an account, Google misrepresented that the ‘Location History’ setting was the only Google Account setting that affected whether Google collected, kept, or used personally identifiable data about the user’s location. In fact, another Google Account setting titled ‘Web & App Activity’ also enabled Google to collect, store and use personally identifiable location data when it was turned on, and that setting was turned on by default.

One of the biggest concerns with dark patterns is their use to nudge users into making more privacy intrusive decisions.  The Norwegian Consumer Council (NCC) released an in-depth report on ‘dark patterns’ in 2018 to demonstrate some of these issues. In research done in 2019, the NCC tracked the use of data by the top 10 dating apps on Google Play. In this research, the NCC identified that a majority of those ten apps transmitted data to ‘unexpected third parties’ with users not being clearly informed about where their information was being sent and how it was being sent.

Global trends: banning dark patterns.

Based on this research, Norway’s Data Protection Authority announced in January 2021 that it planned to fine dating app Grindr 100 million Norwegian crowns ($11.7 million) for what the regulator said was illegal disclosure of user data to advertising firms.

California recently enacted legislation banning certain dark patterns. A similar bill is being considered at the federal level in the US. Read more about legislative trends regarding dark patterns here.

To future-proof your website and app’s, you should prioritise user-friendly privacy settings and consumer-centric consent functionality. It’s likely that you’ll need to update your site and apps to meet changing laws and changing consumer sentiment in the near future if you embed any dark patterns today.

Better Privacy Governance and Planning with Privacy108

The team at Privacy108 keeps abreast of all the current and changing trends in global privacy laws, as well as digital privacy in Australia. We use that knowledge to advise you on your legal obligations, while providing practical, future-focused recommendations based on consumer sentiment and foreseeable legal changes.

To build in better privacy governance and planning at your organisation, get in touch.

  • This field is for validation purposes and should be left unchanged.