Ƶ

Facts & figures

In Australia, the Privacy Act allows
for the large-scale accumulation of data with relatively few restrictions
Companies can develop a '360-degree view of the consumer'
by bringing together thousands of data points
Changes to current legislation are needed
in order to offer greater protection for the individual
Improved regulation with a focus on ‘fair and reasonable’ data practices will reduce the misuse of consumer data.

Australia’s data privacy laws require urgent reform to protect consumers from data misuse, says Dr Katharine Kemp, an expert in data privacy regulation from UNSW Law & Justice. Digital services have become embedded in our daily lives, from search engines and social media to banking, retail and health and wellbeing apps. Many of us are unaware of the full extent of the data that companies collect about us and what they do with it. 

“As our lives become increasingly digitised, companies wield growing power over the consumers they track and target,” Dr Kemp says. “The recent large-scale cyberattacks on Medibank, Optus and Latitude have put a spotlight on some of the risks of excessive data collection and retention. We need urgent law reform to better protect consumers.”

In the wake of the cyberattacks of 2022, the Federal government enhanced the enforcement powers of the privacy regulator and dramatically increased maximum penalties for breaching the Privacy Act. However, so long as the substantive rules governing data practices remain weak, changes in companies’ treatment of consumer data will be limited, Dr Kemp says.

As it stands, the Privacy Act allows for the large-scale accumulation of data with relatively few restrictions. Data can be bought and sold to enable companies to bring together thousands of data points to create what’s known as a 360-degree view of the consumer.

Australia has failed to keep up with advances in global regulation, such as the General Data Protection Regulation (GDPR) that offers greater protection of the individual, Dr Kemp says. 

“We need to see changes in the substantive rules about how companies can use data, and what is counted as personal information and valid consent under the Act.”

Dr Katharine Kemp

“Because at the moment many companies are arguing their data practices do not involve personal information, and therefore no rules apply to them. Where they admit to using personal information, many companies are presenting consumers with take-it-or-leave-it privacy terms that really give them no choice at all.” 

Bringing our legislation in line with international standards will facilitate greater accountability and help address the power imbalance between consumers and companies that can lead to , she says. 

Dr Kemp is the co-lead of the Data as a Source of Market Power research stream for The Allens Hub for Technology, Law & Innovation at UNSW. She specialises in data privacy, competition law (particularly the misuse of market power) and consumer protection regulation.  

Failures in fertility apps exemplify issues in current law

In March, Dr Kemp conducted in Australia raising public awareness and evidence to support law reform. The research, funded by the Allens Hub, proposed legislative amendments to address unfair and unsafe privacy practices, including the lack of choice on further uses of data, misleading privacy messages, unsafe retention of intimate health data and incomplete data de-identification. 

“Fertility apps are striking for the immensely intimate data that they collect. While people might expect that from their name, just how detailed, and how sensitive it is, is surprising,” she says.

The apps collect data on sexual practices and frequency, contraceptives, period symptoms, reproductive health, miscarriages and infertility treatments. They also gather “inferred information” based on consumer behaviour: clicking on articles about terminations suggests a consumer is considering or has had a termination; accessing information on support groups for survivors of sexual assault suggests they personally have lived experience.

“What's really concerning is what these apps are doing with that data,” she says. “In many cases, the apps are sharing data with other companies because they are wrongly treating it as mere “usage data” rather than health information that receives greater protections under the Act.” 

Additionally, they’re holding on to data far longer than can be justified, in some cases seven years after the consumer has stopped using the app, the research found. This increases its likelihood of being subject to a data breach. 

The research built on an influential report Dr Kemp presented to the ACCC National Consumer Congress in 2022 on . Some fertility apps were found to make misleading claims about the anonymisation and further use of consumer data.

“Some of the apps say, in big bold letters, ‘We never sell your data’. And then in the fine print, in an entirely separate policy located elsewhere, it says they reserve the right to sell your data as a business asset.”

Dr Katharine Kemp

Apps can be purchased by businesses with entirely different agendas, such as drug development companies and media companies, making such data sales highly questionable, she says. Other apps were repurposing data for research without express consent from consumers. Additionally, the research found that many used de-identification processes that leave data vulnerable to re-identification after it has been shared, sold or re-purposed. 

“When we’re talking about information about someone’s mental and sexual health, we’re getting into territory that can be highly prejudicial,” she says. Blackmail and discriminatory profiling are just some of the ways this can be harmful for individuals, she says. “We need legislation that enables individuals to request their data erasure.”  

Data privacy issues are not the responsibility of consumers: “the power imbalance is such that even consumers who are highly educated about data protection can't in fact appropriately protect their information,” she says. However, greater education can help drive impact.

Dr Kemp also partnered with to produce a separate advising consumers on how to best protect their privacy and raising public awareness about the findings of the full report. Both the Choice report and the full report received extensive nationwide media coverage and privacy practitioner engagement, building vital foundations for law reform. 

Political appetite for value-driven reform

In February, the Attorney General’s Department released the proposing reforms to strengthen the protection of personal information and the control individuals have over their information. The report acknowledged that stronger privacy protections would both support digital innovation and enhance Australia’s reputation as a trusted trading partner. 

The review followed the (2019) that considered the impact of search engines, social media and digital platforms on competition in the media and advertising services markets; the report recommended major privacy law reform to address the imbalance in bargaining power and information asymmetries between digital platforms and their consumers.

Dr Kemp’s research – including her research on – was cited extensively and influentially throughout the Privacy Act Review and the Digital Platforms Inquiry, as well as in the ACCC (2022) on potential upfront data rules for digital platforms. 

The Privacy Act Review represents a once-in-a-generation opportunity to implement broad legislative reform. Dr Kemp is engaging in knowledge exchange with global scholars, civil and consumer organisations, such as , and thinktanks, such as the and , to cultivate value-driven reform, including an amendment that requires data practices to be ‘fair and reasonable’.  

“Rather than asking if consumers received notice in the form of a 10,000-word privacy policy and assuming that they’ve given consent by continuing to use the service, [the revised law] would instead ask whether data practices are in substance ‘fair and reasonable’ and how they impact the consumer,” she says.

The proposal is facing substantial opposition, particularly from the ad-tech industry, based on the argument that fairness is an uncertain or subjective concept. “But fairness exists as a guiding principle in various [other] areas of law, including under our financial services law and our consumer law in respect of unfair contract terms,” she says. Its inclusion would place the emphasis on substantive rather than mechanistic consumer protection, she says.

As a constructive example of ensuring consumers are treated fairly, Dr Kemp was commissioned by the ACCC to conduct training for ASEAN competition and privacy regulators on the abuse of dominance and the unexplored interaction of competition and privacy regulation in digital markets in 2022. The training formed part of the that builds economic partnerships among ASEAN Member States and Australia and New Zealand.

Closer to home, Dr Kemp has improved UNSW’s own student data protection and influenced future digital law scholars and practitioners. She designed UNSW’s popular that launched in 2022. The course challenges tomorrow’s scholars and practitioners to consider how data use impacts our most vulnerable consumers and how innovative regulation could better align business and consumer interests. 

“Technological advances offer untold benefits; however, the speed of innovation often outstrips law. We rely on our legislative frameworks to prevent its exploitation,” she says. 

“Reforming our laws to encourage data practices that are both fair and trustworthy can improve the lives of all Australians.”

Dr Katharine Kemp    


Written by Kay Harrison

Researcher