In whose interest?
Why businesses need to keep consumers safe and treat their data with care

Australia’s privacy laws rely on notification and consent as the primary means of protecting consumers. The onus is on consumers to navigate complex privacy protections in a continuously complex digital economy.  It is time to consider reforms that hold businesses accountable for how they collect, share and use consumer data.  It is time to give regulators the power to pause and assess data practices that are causing or likely to cause consumer harm.

The working paper explores two concepts to address current and emerging data harms:

1. Duty of care or best interest dutya framework to hold businesses accountable so that the interests of consumers and the community are front of mind when it comes to how they collect, share, and use consumer data.

  • 2. Privacy Safety Regime: a framework to enable governments and regulators to stop or limit obviously harmful uses of data as well as a process for regulators to proactively restrict and test new harmful practices as they evolve.

Duty of care or best interest duty

Duty of care or best-interests duty

A framework that aligns with the interests of consumers and community has the opportunity to make numerous positive impacts in the privacy and consumer data space:

  • Naturally shift the onus of responsibility from consumers to businesses.

  • Help move away from individual level of consent and shift the focus to system set-up and embedding safety by design.

  • Protect people that may have the inability to consent such as children, people living with a disability or other consumers who are unable to participate in the consent model regardless of how well it may be set-up.

  • Align interests of organisations and consumers as taking on new data will mean taking on new responsibilities and this can help engender a culture of data minimisation (collect only what you need not what you think you might need).

  • Address issues of trust and confidence in both government and industry.

Privacy Safety Regime

Regulators need the power to quickly pause and assess harmful data practices before widespread harm occurs. Product intervention powers in the finance sector and interim and permanent bans under the product safety laws are two approaches that already exist in the Australian consumer protection framework for emerging harms. They are a starting point on how data practices could be regulated.

Next steps

The working paper is by no means a fait accompli. 

It is designed to start the conversation on how concepts from other sectors that have existed for decades could be applied to the evolving world of privacy in a digital economy space. Here, at CPRC, we value the need for diverse conversation and thought to help take this idea further.

CPRC welcomes the opportunity to work further on this issue with government, regulators, policy makers, academia and the community sector.

For a one-on-one briefing or if you wish to collaborate book a briefing with Chandni Gupta. 

About the Author

Chandni Gupta

Digital Policy Director 

Chandni leads CPRC’s research stream on protecting consumers in a digital world. Her work to date includes exploring the consumer shift from the analogue towards the digital economy, the impact of deceptive and manipulative online design on Australian consumers and the key gaps that currently exist in Australia’s consumer protections.