Optus warns not to punish whole economy for tech giant sins in Privacy Act changes

Optus has said that any changes made to Australia's Privacy Act out of the review being conducted by the Attorney-General's Department (AGD) should not focus on problems relating to the power of tech giants in Australia.

"Optus cautions against extrapolating the behaviour of global monopolistic companies to the behaviour of competitive firms across the wider Australian economy," the Singaporean-owned telco said in a submission to the review.

"Optus submits that this review should be assessed within a competitive market framework. Any identified problem which gives rise to regulatory action must be a problem observable in effectively competitive markets. Problems arising from monopolistic behaviour are issues for competition law, not privacy law."

The telco said any wholesale changes to the Act would lead to "substantial compliance costs and place a further drag on innovation and limit the benefits of digitalisation", and therefore a high level of justification is needed.

One area where Optus said changes could be made was removing Part 13 of the Telecommunications Act -- which prevents telcos from using the content of communications or personal information except in specified circumstance -- as it has hamstrung local operators when competing against over-the-top (OTT) providers and tech giants.

"Telecommunications carriers are subject to greater obligations under these two telecommunications acts than under the general Privacy Act. However, these Acts do not apply to the dominant over-the-top providers such as Facebook, Google, Apple, etc. It is these OTT providers that have been subject to investigation by the ACCC and whose behaviour ultimately led to this review," it said.

"Further, the favourable treatment of these multi-trillion dollar global companies over Australia-based and licensed telecommunications companies risks delaying the development of the Australian digital economy."

Optus added that as Part 13 was written prior to the Privacy Act, and the wider economy now has privacy protections, it believes the section could now be removed.

In the October issues paper, AGD asked whether Australia has a "right to erasure", which would be an analogue version to Europe's right to be forgotten. On this point, Optus was firmly against it.

"There are significant technical hurdles to implement this for most sectors of the economy and much more research needs to be conducted," the company said.

"Optus submits that the compliance cost of an express right to erasure in the Privacy Act is likely to far exceed the benefits that flow from the right. There is insufficient evidence of a problem which would justify the costs."

Also in disagreement with the idea was Telstra. It said the existing Australia Privacy Principles meant companies were already required to delete data when it was no longer needed.

"The imposition of any obligation to automatically delete personal information may not always be practical or even possible, particularly considering the suggestion that technical information should be treated as personal information," it said.

"Requiring network operators to routinely purge their networks of all technical information could also present operational risk if the information is needed for the proper functioning of those networks. Further, imposing an obligation to delete information may also create uncertainty for organisations who have legitimate reasons to retain what they have generated, such as to comply with other legal obligations (as is the case under the telco metadata retention regime) or in order to be able to effectively deal with and respond to customer queries and complaints.

"There are also cases where deletion of personal information of an individual would impact the accuracy or quality of personal information we hold about another individual, for example in the case of a joint account or transactions between individuals such as call records."

Telstra further warned that if the review headed too far towards what the Australian Competition and Consumer Commission's (ACCC) Digital Platforms Inquiry (DPI) recommended, then it would lead to increased regulatory burden with minimal benefit to consumers.

The incumbent Australian telco dismissed many of the changes the review was looking into, such as the definition of personal information; protections for de-identified, anonymised, or pseudonymised information; notification; or the introduction of a statutory tort or direct right of action.

"Information that has been de-identified should no longer be regarded as personal information and, therefore, should not be regulated under the Privacy Act as its use or disclosure should have no privacy-related consequences for any individual," Telstra said.

"Any reforms intended to clarify this position should stop short of imposing a higher standard of 'anonymisation' whereby de-identified data may continue to be personal information until all possibility of re-identification has been eliminated. Given the practical challenges of achieving that standard, any such change could have a chilling effect on innovation whereby useful research and analytics currently carried out with very low risk to privacy could be prevented simply because it is not possible to absolutely eliminate all possibility of re-identification."

In the opposing corner, security researcher Vanessa Teague said de-identification does not work.

"A person's detailed individual record cannot be adequately de-identified or anonymised, and should not be sold, shared, or published without the person's explicit, genuine, informed consent," she said.

"Identifiable personal information should be protected exactly like all other personal information, even if an attempt to de-identify it was made."

Elsewhere, the telcos agreed that current enforcement arrangements were theoretically sufficient, provided outfits like the Office of the Australian Information Commissioner (OAIC) and Telecommunications Industry Ombudsman were well resourced.

"A direct right of action has the capacity to divert consumers from OAIC's complaint and investigative processes, which we believe are well-suited to complaints under the Privacy Act, and which already permit applications to the Federal Court of Australia by the OAIC and the consumer in appropriate circumstances," Telstra said.

The telco said the average time to finalise a complaint to OAIC is under 5 months, while Federal Court action could take that long to hear a matter, let alone hand down a final decision.

Telstra added it would be good if state and federal privacy laws were harmonised, as well as surveillance device laws and health data records laws.

"Most individuals would expect the level of protection afforded to their personal information to be the same nationally," it said. 

"Again, this harmonisation will make it easier for businesses to comply and for individuals to better understand their rights so they can exercise them. Alignment across jurisdictions would also provide wide ranging benefits including for industry as suppliers of systems that design and manage controls for these data across jurisdictions."

Agreeing with the telco on the need to provide resourcing to OAIC, and little else, was the ACCC.

"At the heart of our submission is the view that, in order to protect consumers and address market failure, the Privacy Act requires fundamental redesign that goes beyond our DPI recommendations, so that it will better reflect the modern day realities of consumers' increasing lives online," the consumer watchdog said.

The ACCC said it was possible to create regulations for stronger privacy protections, consumer awareness, and obligations for business in such a way that the benefits would outweigh any compliance costs.

"The market failures and consumer protection issues related to privacy and consumer choice and control over data that we identified in the DPI are unlikely to be limited to digital platforms or the businesses and sectors we have since examined in our inquiries," it said.

"A number of the DPI's observations in relation to the data practices of digital platforms extend to businesses beyond search and social media digital platforms. This includes businesses in media and advertising services, customer loyalty schemes, and platforms providing online private messaging services. This informed our economy wide privacy reform recommendation in the DPI."

Related Coverage

• Privacy Act review to examine privacy tort, direct action rights, and GDPR compliance
• Global pandemic opening up can of security worms
• Over 4,000 privacy complaints made about Aussie telcos in FY20
• Apple now shows you all the ways iOS apps track you
• Apple introduces privacy information for apps across all of its stores