Skip to main content

Clifford Chance

Clifford Chance
Data<br />


Talking Tech

Unfair Data Practices? The Australian Competition and Consumer Commission (ACCC) continues its call for a prohibition on Unfair Trading Practices

Big Data Antitrust 11 June 2024

The ACCC wants greater regulation of both data firms in Australia and businesses which collect Australians' data, including limiting how such businesses can use data obtained from Australians.

On 21 May 2024 the ACCC published its eighth interim report as part of the Digital Platform Services Inquiry 2020-25 (the Data Report). The Data Report focuses on the services offered by data firms in Australia and how their services shape the digital economy.

Data Firms

The Data Report broadly defines data firms as "businesses which supply data products and services, including those which lack a direct relationship with the consumers whose personal or other information they collect, use, process, analyse, supply or otherwise deal with".  This is a broader definition of data broker than what was originally adopted in the Ministerial Direction which initiated the Digital Platform Services Inquiry 2020-25.

The Data Report found that data firms can operate largely outside the purview of the Privacy Act 1988 (Cth) (which focuses on regulating the collection, use and exchange of Personal Information (as defined in the Privacy Act) by de-identifying any datasets to remove any Personal Information. To address this perceived shortfall with current laws, The Data Report reiterates recommendations first raised by the ACCC in its submission to the Privacy Act Review Report, including:

  • expanding the statutory definition of Personal Information to include information which 'relates to' an individual (rather than information which is 'about' an individual)
  • introducing a 'fair and reasonable' test for the collection, use and disclosure of Personal Information
  • introducing a right for an individual to have Personal Information erased.

The Data Report also recommends implementing a requirement for data firms operating in Australia to be on a public registry and ensuring that an individual can easily enforce its right to have their Personal Information erased.

Businesses collecting, using, and disclosing Australian data

The Data Report also examined how businesses in Australia were collecting, using, and disclosing Personal Information. The Data Report found that the typical privacy policy was too long and complex such that the average consumer was unable to meaningfully engage with them. In an attempt to remedy the impugned concerns with the length and complexity of privacy policies, the Data Report reiterates calls for a prohibition on unfair trading practices, claiming that the current complexity of privacy policies is unfair to consumers. The Data Report claims that such a prohibition would ensure that privacy policies would become shorter, easier to understand and may provide consumers with greater control over their Personal Information.

In supporting this recommendation, the Data Report considered the current state of privacy policies in Australia, and claimed that on average:

  • there are 6,876 words in a typical privacy policy in Australia
  • it would take an Australian 29 minutes to read a typical privacy policy; and
  • it would take an Australian 46 hours a month to read each privacy policy they encountered.

In forming these conclusions, the Data Report relies on a single blog post by Australian website mi3 which itself summarises a study undertaken by NordVPN. The Data Report omits several key findings from the NordVPN study, including that:

  • on average privacy policies in Australia were the seventh longest (out of only 20 jurisdictions monitored) and shorter than the typical privacy policies in other major economies such as the USA and UK.
  • there was a correlation between longer privacy policies being easier to read, as evaluated against the FRES readability test and the Coleman-Liau test. 

By way of example:

  • the privacy policies of Meta Companies (Facebook and Instagram) had the longest privacy policies on average; however, those policies were ranked second and third respectively in terms of readability by the FRES test.
  • the average UK privacy policy was the most readable in anglophone countries by both FRES and Coleman-Liau tests, however on average, the UK had the second longest privacy policies (second only to Germany).
  • the privacy policies in the European Union were some of the most comprehensive (and accordingly longest) due to requirements under the General Data Protection Regulation.

Despite the NordVPN study being inconclusive in finding any material issues with how privacy policies are used by businesses in Australia, the Data Report suggests a prohibition on unfair trading practices is required to further protect consumers. Specifically, the Data Report suggest that a prohibition on unfair trading practices would force businesses to obtain consent clearly and explicitly from consumers for the collection, use and sharing of Australians' data.

The Data Report also claims that the practice of including a provision within privacy policies to allow for the sharing of any consumer data with 'partners', 'suppliers' or 'affiliates' does not sufficiently allow consumers to understand how their data is shared. The Data Report suggests that the prohibition on unfair trading practices could require businesses to expressly identify which parties they may share data with and identify the specific purpose for which that data will be shared. If the unfair trading practice prohibition extends this far, there will be significant ramifications for businesses operating in Australia who will have to disclose the partners with which they wish to share information.

Competition vs Privacy

The Data Report notes how data is non-rivalrous and can therefore be shared between data firms to improve the relevant data firms' offerings. The sharing of data between data firms should result in data firms having more homogeneous datasets which can cause an increase in price competition between the data firms. The Data Report ultimately finds that the sharing of data may have pro-competitive benefits, however, may be at odds with data privacy and security, as data is shared with a wider network of firms. The Data Report refers to a research paper which found a potential positive correlation between market concentration and data security standards for data firms based in the USA. The report found that:

  • there is less sharing of consumer data between business customers and data firms in more concentrated markets; and
  • the more concentrated markets have a decreased risk of data privacy breaches.

Vertical Acquisitions

The Data Report also raises concerns in respect of potential input foreclosure, the process of a business refusing to supply an essential input (in this case, data) to competitors in a downstream market, effectively 'foreclosing' the ability for its rivals to compete in the downstream market. The Data Report believed this may occur by reason of:

  • Data firms entering exclusive agreements with businesses to receive unique first party data (such as a data firm entering into an agreement with a supermarket to exclusively receive its checkout data); or
  • Data firms becoming vertically integrated (such as REA Group's proposed acquisition of Dynamic Methods).

Without undertaking any analysis, the Data Report notes that data firms that are vertically integrated with a firm that is a source of data may have greater access to that data and may be able to leverage its position to access data not available to other data firms. The Data Report finds that these vertical acquisitions may provide a competitive advantage for the acquired data firm and accordingly, the ACCC has concerns in respect of potential input foreclosure.