Australia’s top banks and insurers are worried they will be caught out by a bill that aims to lift the privacy standards of ‘big tech’ companies.

Associations representing the finance sector said the bill’s broad definition of online platforms “would extend to many banks, insurers, finance providers, superannuation funds, intermediaries and other third parties.”
This could lead to “complexity, potential conflict of laws and outcomes, and higher administrative costs,” the Australian Banking Association, Australian Finance Industry Association, Financial Services Council and Insurance Council of Australia said in a submission (PDF) to the Attorney General’s call for consultation on an exposure draft of the bill.
The Online Privacy Bill Exposure Draft has an online platforms' code — a list of new obligations for how online platforms must collect, disclose and use their customers’ data.
The submission said that the Online Privacy Bill is part of the Australian government's response to the Australian Competition and Consumer Commissioner's 2019 Digital Platforms Inquiry, but the ACCC recommendations for Big Tech — stronger privacy obligations — were not intended for the finance sector.
The ACCC’s Digital Platforms Inquiry defined online platforms as “digital content aggregation platforms, social media platforms and search engines.”
However, the online privacy bill expands the definition to any organisation that “collects personal information about an individual in the course of or in connection with providing access to information, goods or services (other than a data brokerage service) by use of an electronic service (other than a social media service)”, and had “over 2,500,000 end-users in Australia in the past year.”
The online platforms code in the Online Privacy Bill, which financial entities may have to abide by if the Auditor General rejects their call, introduces a number of obligations. For example, an online platform must:
- 26KC(4)(a) “respond to a request to not use…personal information within a reasonable period.”
- 26KC(2) “Notify an individual…of the purposes for which the organisation collects, uses and discloses personal information.”
- 26KC(6)(a) “take all reasonable steps to verify the age of individuals to whom the OP organisation provides an electronic service.”
- 26KC(6)(b) “obtain the consent of a parent or guardian of a child who has not reached 16 years before collecting, using or disclosing personal information of the child.”
Consultation on the Online Privacy Bill is being conducted in tandem with the government’s review of the Australian Privacy Act 1988.
“Should the Government wish to explore any proposals for changes to the operation of privacy regimes in the finance sector, we believe this should be contemplated [in] the ongoing Review of the Privacy Act 1988,” the submission said.
The terms of reference in the review of the Privacy Act have a broader scope than the online privacy bill, and have the potential to compel online platforms to abide by even stricter privacy obligations.
“The review...considers options for reform on matters including...consent requirements including default privacy settings, overseas data flows, and erasure of personal information” and “whether a statutory tort for serious invasions of privacy should be introduced,” the terms of reference read.