Australia is Looking Beyond the GDPR

20|30 Group
Alex Tweeddale
September 2019
Australia’s Digital Platform Inquiry encourages a movement away from the loopholes in the GDPR and towards a more consent-centric data protection framework. Alex Tweeddale, Regulatory and Compliance Associate at IDWorks, suggests that Self-Sovereign Identity is the perfect technology to facilitate this evolution.

On 26th July 2019, the Australian Competition and Consumer Commission (ACCC) published a 623-page report relating to the ongoing problems with data protection and data processing by Google and Facebook. It highlights that “Innovation and rapid technological change has transformed the ability and incentive of entities to collect, use and disclose the personal information of Australian consumers in the digital economy.” Specifically, it suggests that companies have now evolved to process data in ways for which the GDPR does not provide sufficient protection.

The main takeaways from the report can be summarised in five points:

  1. Consents should be required whenever personal information is collected, used or disclosed by an entity subject to the Privacy Act unless the personal information is necessary for the performance of a contract to which the consumer is a party, is required under law, or is otherwise necessary for an overriding public interest reason.
  2. Companies can no longer rely on ‘legitimate interests’ as a ground to process personal data.
  3. Click-wrap consent is not enough to ensure adequate protection.
  4. Higher penalties must be implemented for breach of the Privacy Act, increasing the penalties for an interference with privacy under the Privacy Act to mirror the increased penalties for breaches of the Australian Consumer Law.
  5. The ACCC recommends that this be achieved via an enforceable Privacy Code of Practice to be developed by the OAIC to apply to digital platforms.

“All consumers will be better off when they are sufficiently informed and have sufficient control over their user data, so that they can make informed choices that align with their privacy and data collection preferences.”

What does this mean?

Companies like Google and Facebook, as well as Australian banks and internal companies, will need to gain consent through alternative methods to process personal data. Currently, these companies rely heavily on the uncertain processing ground of ‘legitimate interests’. This ground has been described by S.S. Rana & Co as a ‘loophole in the GDPR’ and a barrier to its proper implementation.

Furthermore, the ways that companies currently gain consent, such as click-wraps, have been written to leverage platforms’ bargaining power and deepen information asymmetries. This prevents consumers from providing meaningful consent. If the ground of legitimate interests were removed, and click-wraps were formally legislated as insufficient, society may see companies forced to use more transparent consent mechanisms or face significant fines.

Self-Sovereign Identity as a Solution

Given that society is moving towards consent as a necessary basis for processing, and click-wraps are being held as insufficient, there is a gap in the market for a technology that has freely given consent built into its architecture.

“changes to laws which give consumers greater control over their personal information […] are needed”

Self-Sovereign Identity is a technology which puts the ability to process personal data into the hands of the end-user. The personal data is, by default, stored and controlled by the individual, on their mobile device. Therefore, if a company wants to use someone’s personal data and store it, there must be explicit and freely given consent from the device of the user. The individual also has the ability to revoke personal information they share with companies at the touch of a button.

It is therefore contended that this movement to an extended and defined version of the GDPR could open the door to technologies such as self-sovereign identity. The Digital Platforms Inquiry will not be the last of its kind, and as such, companies should begin looking beyond the GDPR to have real privacy by design built into data management architecture, such as the consent approach used in self-sovereign identity.

IDWorks Ltd
9 Appold Street
London EC2A 2AP
United Kingdom
© IDWorks Ltd, 2019.