The imminent introduction of Open Banking (facilitated by the new Consumer Data Right law), as well as growing concern over the use of personal data by Google and Facebook, is driving a new debate over how personal data is being used and whether our privacy laws should be strengthened.
I recently saw the Netflix documentary The Great Hack about the use of Facebook data by Cambridge Analytica in elections in a number of countries, including the USA, as well as in the Brexit referendum in the UK.
A key point of the documentary was that the collection of user data is central to the business model of Facebook.
The recent ACCC Inquiry into Digital Platforms (including Google and Facebook) reached the same conclusion.
While the Consumer Data Right legislation will require the express consent of consumers for their personal data (such as bank transactions) to be disclosed to accredited third parties, the ACCC report concludes that user data (including search data) is given to digital platforms without awareness of the use of their data because digital platforms provide a wide range of valuable services to Australian consumers, often for zero monetary cost.
The future of the digital economy (including open banking) relies on trust, by both consumers and business users.
The ACCC’s review of several large digital platforms’ terms of service found that each of the terms of service reviewed required a user to grant the digital platform a broad licence to store, display, or use any uploaded content.
Digital platforms may passively collect data from users, including from online browsing behaviour across the internet, IP addresses, device specifications and location and movement data and other online identifiers. Once collected, digital platforms often have broad discretions regarding how user data is used and also disclosed to third parties.
The data held by Google and Facebook is particularly valuable not just because of the scale and scope of user data collected, but also its quality and accuracy, given key data (for example, gender and age) are provided by users directly on sign-up.
The ACCC and the Privacy Commissioner both consider that the Privacy Act needs reform in order to ensure consumers are adequately informed and protected as to how their data is being used and collected.
The ACCC has recommended that consent by a consumer should require a clear affirmative act that is freely given, specific, unambiguous and informed (including about the consequences of providing or withholding consent).
This means that any settings for data practices relying on consent must be pre-selected to ‘off’ and that different purposes of data collection, use or disclosure must not be bundled. Where the personal information of children is collected, consents to collect the personal information of children must be obtained from the child’s guardian.
The Government is expected to respond to the ACCC Report later this year.