Facebook and Snap Inc call for a GDPR-aligned Australian Privacy Act
Two of the largest social media platforms have asked that the Australian government consider implementing many of the elements present in Europe's General Data Protection Regulation (GDPR) when refreshing the country's 33-year old Privacy Act.
In a submission [PDF] to the Attorney-General's review of the Privacy Act 1988, Facebook called for "effective privacy and data protection" as part of a "globally harmonised framework". It believes failing to do runs the risk of creating a "splinternet", where some countries or regions of the world adopt approaches to privacy and data protection that are mutually exclusive to other regimes.
From 2017: How Europe's GDPR will affect Australian organisations
To avoid this risk, Facebook has recommended that Australian privacy laws be reformed to make them more aligned with the "best practice privacy frameworks of Australia's main trading partners and leading digital economies in the world".
"Ensuring alignment with global norms enhances Australia's global competitiveness and this type of regulatory harmonisation reduces unnecessary compliance costs and leads to increases in productivity," it wrote.
Some alignments include changing "personal information" within the Act to "personal data" as defined in the GDPR; adopting "multiple flexible legal bases for using or disclosing data", similar to the EU process; and implementing the right to erasure.
Facebook also claimed it is in "strong support" of a notification process that gives individuals a clear understanding of how their data is collected and how it will be used.
Let's not forget: How Cambridge Analytica used your Facebook data to help elect Trump
Snap Inc agrees with Facebook's argument to align the Privacy Act with the GDPR, recommending the Attorney-General's Department "review endeavours to pursue a principles-based and proportionate approach in its revisions to the Act, drawing on the strengths of, and the lessons learned from, the [GDPR] in Europe".
Of concern to Snap is that the Privacy Act does not currently contain a controller/processor distinction. Under the EU's rules, controllers are responsible for determining the means and purposes of data processing, and processors act on behalf of the instructions of controllers.
"This distinction between controllers and processors increases accountability between parties," Snap says in its submission [PDF].
"To increase the flexibility, and thus efficiency, of Australia's privacy legislation we recommend aligning with the definitions of controllers and processors as defined in the EU [GDPR]."
Controller/processor notions are present in privacy laws outside of Europe, such as India, Japan, and Brazil.
Snap said, from the outset, its privacy principles have aligned with those of the GDPR. It has asked the Australian government to follow the GDPR closely, in particular, its principles-based approach.
"The GDPR already covers a number of the areas that this consultation seeks to address, including transparency and proportionality," Snap wrote.
"Consequently, we would urge the Attorney-General's Department to, as far as possible, mirror the principles-based approach of the GDPR which provides sufficient flexibility for businesses to decide how they will comply with the standards set by the Regulation as well as sufficient flexibility for data protection authorities to apply the rules in a smart, contextual way.
"We would also urge against any undermining of the delicate balance of interests carefully struck during the GDPR negotiations."
On consent, Snap said consent alone is not an effective way to manage personal information as it places a lot of responsibility on users, which can result in consent fatigue.
"The legislator should consider legitimate interest as a basis for processing, combined with the requirement for controllers to conduct legitimate interest assessments. Legitimate interests place the burden on controllers, and require them to think critically about the data they process. This creates an accountability framework, and also offers users a more seamless user experience, without jeopardising their privacy," it wrote.
This makes consent more meaningful, Snap believes.
Facebook, however, said the current definition of consent in the Act is sufficient and provides sufficient flexibility for consumers and businesses.
Agreeing with Google, Snap also believes 13 should be the age at which parental consent is no longer required. While Facebook did not provide comment on the age of consent, in its submission, it pointed to "Messenger Kids", which is a video and chat app specifically for those under the age of 13, as being an environment where children can "develop digital literacy and safe online behaviours" and be "empowered".
Facebook has previously warned the looming changes to phone giant Apple's operating system could negatively impact its advertising revenue, with Mark Zuckerberg arguing that Apple's changes are aimed at benefiting iMessage and harm small businesses. It will also harm one of Facebook's recipe to success -- tracking-based ad targeting.
Snap also took concern with the iOS 14 changes, saying they present a risk of interruption to demand after they're implemented, but the company said it's prepared for the changes.
During the company's Q4 earnings call, CEO Evan Spiegel said the policy changes Apple is making will impact Snap's ability to "effectively measure and optimise advertising outside of Snapchat".
"The reality is we admire Apple, and we believe that they are trying to do the right thing for their customers," CNBC quotes Snap chief business officer Jeremi Gorman as saying. "Their focus on protecting privacy is aligned with our values and the way we've built our business from the very beginning. Overall, we feel really well prepared for these changes, but changes to this ecosystem are usually disruptive and the outcome is uncertain."
MORE FROM THE PRIVACY ACT REVIEW
- Privacy Act review to examine privacy tort, direct action rights, and GDPR compliance
- ACCC calls for Privacy Act changes to protect loyalty scheme customers
- Google says consent over every aspect of data processing would be burdensome
- Optus warns not to punish whole economy for tech giant sins in Privacy Act changes
- Over 4,000 privacy complaints made about Aussie telcos in FY20
- OAIC wants stronger enforcement powers in Australia's revamped Privacy Act