Protecting Consumer Privacy and Data Security: Regulatory Challenges and Potential Future Directions

Date: 01 March 2017
Published date: 01 March 2017
Author: Juliet Davis, Stephen Corones
DOI: 10.1177/0067205X1704500104
Subject Matter: Article
PROTECTING CONSUMER PRIVACY AND DATA
SECURITY: REGULATORY CHALLENGES AND POTENTIAL
FUTURE DIRECTIONS
Stephen Corones* and Juliet Davis**
ABSTRACT
This article considers the regulatory problems of online tracking behaviour, lack of
consent to data collection, and the security of data collected with or without consent.
Since the mid-1990s the United States Federal Trade Commission has been using its
power under the United States consumer protection regime to regulate these problems.
The Australian Competition and Consumer Commission (ACCC), on the other hand,
has yet to bring civil or criminal proceedings for online privacy or data security breaches,
which indicates a reluctance to employ the Australian Consumer Law (ACL) in this field.¹
Recent legislative action instead points to a greater application of the specifically
targeted laws under the Privacy Act 1988 (Cth) (‘Privacy Act’), and the powers of the
Office of the Australian Information Commissioner (OAIC), to protect consumer privacy
and data security. This article contends that while specific legislation setting out, and
publicly enforcing, businesses’ legal obligations with respect to online privacy and data
protection is an appropriate regulatory response, the ACL’s broad, general protections
and public and/or private enforcement mechanisms also have a role to play in
protecting consumer privacy and data security.
I INTRODUCTION
In the mid-1990s online privacy became a major consumer protection issue in the United
States of America as a consequence of the development of the internet and the online
environment.² Since that time, the transformation of communications and computer
processing power has radically affected global commerce. Ecommerce, and ‘apps’ now
available on smartphones, tablets and other devices, have enabled suppliers of goods
* BCom, LLB (UQ), LLM (UCL), PhD (UQ); Professor Emeritus, Faculty of Law, Queensland
University of Technology.
** BA, LLB (UQ), MA (Columbia University), MSc (London School of Economics and Political
Science).
1 The ACL is located in Competition and Consumer Act 2010 (Cth) sch 2.
2 Timothy J Muris, ‘The Federal Trade Commission and the Future Development of US
Consumer Protection Policy’ (Paper presented at the Aspen Summit, Cyberspace and the
American Dream, Aspen, Colorado, 19 August 2003) 1525. See also Maureen K Ohlhausen
and Alexander P Okuliar, ‘Competition, Consumer Protection, and the Right (Approach) to
Privacy’ (2015) 80(1) Antitrust Law Journal 121.
66 Federal Law Review Volume 45
_____________________________________________________________________________________
and services to collect, store, analyse, and re-sell personal information about consumers’
online trading activities. While some of this information is supplied by consumers
voluntarily, online behaviour tracking is also occurring without the informed consent of
consumers.
A related problem is the security of this personal information and data, including
financial information such as credit card details, whether collected with or without
consent, from cyberattacks. A cyberattack has been defined as:
an attempted or actual incident that either:
(a) uses computer technology or networks to commit or facilitate the commission of
traditional crimes, such as fraud and forgery – for example, identity or data theft
(computer assisted); or
(b) is directed at computers and computer systems or other communication
technologies – for example, hacking or denial of services (computer integrity).³
Due to the ubiquitous nature of online transactions, sensitive personal information
including financial records, health information, and even intimate relationship details,
as seen in the 2015 hack of the online dating service Ashley Madison, are vulnerable to
non-consensual exposure and exploitation. The release of this information may cause
significant financial and personal costs to the affected parties. As such, businesses and
consumers are increasingly recognising the need for cyber protection of personal
information. In 2013, Telstra published its Cyber Security Report 2014, its first annual
survey aimed at compiling and analysing security event data gathered from Telstra
infrastructure and security products.⁴ It also contains the result of an online survey of
professionals responsible for making IT security decisions within their organisations.
According to the report’s authors:
As a sign of growing public interest in digital security, the organisations we surveyed
perceived reputational damage (22%) as the greatest business risk they faced due to
security breaches, alongside productivity loss (22%) and financial loss (21%). Loss of
sensitive data wasn’t far behind at 20%.⁵
In March 2015, the Australian Securities & Investments Commission (ASIC)
published a report highlighting the importance of cyber resilience and how the risk of
cyberattacks and incidents should be met in order to meet current legal and compliance
obligations in relation to the supply of financial products and financial services.⁶
However it is submitted that current Australian laws protecting consumer privacy and
data security have struggled to keep up with the exponential transformations occurring
in the online environment. Additionally, it is argued that the current regulatory regime
ignores the emerging popularity of self-enforcement mechanisms such as class actions.⁷
Australia’s current regulatory approach to this issue has been the adoption of the
Privacy Act, specific legislation setting out specific legal obligations for businesses with
respect to online privacy and data protection. The Privacy Act, administered by the
OAIC, establishes economy wide protections and privacy principles for the handling of
personal information. However it does not contain a private enforcement mechanism,
3 ASIC, ‘Cyber Resilience: Health Check’ (Report No 429, ASIC, March 2015) 16 [26].
4 Telstra, ‘Cyber Security Report 2014’ (Report, Telstra, 2014).
5 Telstra, above n 4, 30.
6 ASIC, above n 3.
7 Vince Morabito, ‘An Empirical Study of Australia’s Class Action Regimes’ (Report 4, 29 July
2016).
