Google and Meta have weighed in on the current review of Australia’s Privacy Act with arguments for the benefits of ad-supported apps and cloud services, in a bid to soften data collection rules and have location data excluded from the category of protected “sensitive” data. The Privacy Act 1988, the primary Australia privacy law, has been under review since 2020 as lawmakers seek to modernize it.
Meta’s submission to the review collected statistics and survey results that ranged across small business benefits and consumer preferences, while Google took a more specific focus on exempting non-specific location data from the category of sensitive data.
Tech firms seek to put their stamp on Australia privacy law update
Meta opened its statement by lauding the federal government review of the outdated Australia privacy law, which applies pre-internet terms and views to an internet-connected world in some cases, and stating that it agrees with stronger protections for consumers. However, the company clearly has a very distinct vision of what those protections should look like.
As it did when it publicly opposed Apple’s recent on-device privacy changes, Meta invoked the needs of small businesses. But in this case, it focused more on free ad-supported services that display ads rather than the businesses that purchase targeted ads.
One of its points of contention was a proposed blanket “right to object” to the use of personal data, which would allow Australian consumers to essentially opt out of any marketing service upon request. Meta argued that this would impede ad-supported business models, essentially forcing these services out of business if they are required to continue operating without a revenue stream. It is seeking protected access to information that is “necessary to provide the service,” which would include collected personal data in the case of ad-supported apps and websites.
Meta also requested that the definition of “personal data” be refined to only include data that can be reasonably expected to identify an actual person, and suggested that the online targeted advertising industry is receiving an unfair amount of focus when the Office of the Australian Information Commissioner (OAIC) reports similar or even greater amounts of privacy complaints in other industries (for example in finance and retail).
Finally, the company cited a survey showing that a majority of Australians prefer to “pay” for online services with personal data rather than money. However, the question was framed in terms of an absolute: a theoretical internet where either everything costs money to access or services are supported by ads.
Google took something of a different tack with its submission, zeroing in on technical specifics. The central focus was on location data. Google argued that more generalized location data, for example a “suburb or postcode” but not a specific block or address, should not be considered special protected information under Australia privacy law.
The submissions to the Australia privacy law review were made public on the Attorney General’s website in late February, in cases where the submitter granted permission for their letters to be made public. 199 organizations filed public responses including the Australian Association of National Advertisers, Telstra, the Australian Banking Association, Microsoft, Snap and Amazon Web Services.
Australia privacy law under revision in series of slow steps
The Privacy Act review ties in with the development of the Online Privacy Bill, introduced in late 2021 with a focus on what are sometimes called “gatekeeper” companies: large social media platforms and online services with 2.5 million or more annual users. It also addresses data brokers in the targeted advertising space, adding fairly strict new rules and data protection obligations in addition to guaranteeing the right of data subjects to opt out and have access to their collected personal information.
The entire process began in late 2019 with the Australian Competition and Consumer Commission’s Digital Platforms Inquiry Report, with predictable delays attributed to the Covid-19 pandemic. It remains unclear what Australia privacy law will ultimately look like, with both the Privacy Act review and Online Privacy Bill developing along parallel tracks. Lawmakers have expressed desire to bring the national law into relative parity with Europe’s General Data Protection Regulation, but that will require significant revision as the two bills are presently far apart in a number of areas. Australia’s present law has no concept of data processors or controllers, clear demonstration of user consent, or rights to certain things such as data portability and access to stored data.
In addition to the requests enumerated by Meta and Google in their submissions, there has been some controversy over other aspects of the bill and which way the Australia privacy law should ultimately lean. Privacy advocates are looking for the definition of personal information to be expanded, covering not just the expected sensitive categories of firsthand information but also items that are related to a person in such a way that they could render someone individually identifiable. There have also been calls for a right to “speedy review” of complaints by the OAIC (a required first step before being able to file a court case) and the end of data privacy exemptions for registered political parties.