Published online by Cambridge University Press: 01 January 2025
This article considers the regulatory problems of online tracking behaviour, lack of consent to data collection, and the security of data collected with or without consent. Since the mid-1990s the United States Federal Trade Commission has been using its power under the United States consumer protection regime to regulate these problems. The Australian Competition and Consumer Commission (ACCC), on the other hand, has yet to bring civil or criminal proceedings for online privacy or data security breaches, which indicates a reluctance to employ the Australian Consumer Law (‘ACL’) in this field. Recent legislative action instead points to a greater application of the specifically targeted laws under the Privacy Act 1988 (Cth) (‘Privacy Act’), and the powers of the Office of the Australian Information Commissioner (OAIC), to protect consumer privacy and data security. This article contends that while specific legislation setting out, and publicly enforcing, businesses’ legal obligations with respect to online privacy and data protection is an appropriate regulatory response, the ACL's broad, general protections and public and/or private enforcement mechanisms also have a role to play in protecting consumer privacy and data security.