Sunday, January 22, 2023

Data Dealers: Corporate giants and the data free-for-all

 Corporate giants such as News Corp, Nine Entertainment and the big four banks have invested so heavily in amassing and sharing lucrative personal data that consumer advocates fear they will campaign against anticipated reforms to privacy laws. By Michael Sainsbury.

Corporate giants and the data free-for-all 

A photo of a crowd watching a gig at sunset, with the lighting red and all people's faces attentive towards the front right of the photo.
A crowd watches a performance at the Domain in Sydney. 

A secretive network of Australia’s major media, retail and ticketing corporations is building detailed databases of tens of millions of Australians, with data that is matched directly to individuals and being traded between companies.

Consumers are increasingly in the dark as to who has their data, what information they have and how long these corporations are keeping it – and which other companies they are sharing it with, using a process known as bundled consent that consumer advocates describe as deceptive.

At the centre of this burgeoning data and analytics ecosystem are corporate giants such as News Corp, Nine Entertainment, Woolworths, Coles, TEG/Ticketek, Live Nation/Ticketmaster, the big four banks, consumer goods groups, telcos and the airlines.

In 2021, Woolworths paid $223 million to increase its stake in analytics group Quantium from 47 per cent to 75 per cent. The company has since created joint ventures with the Commonwealth Bank of Australia and Telstra.

TEG/Ticketek set up a rival, Ovation, in July 2021. It provides so-called “de-identified” data and analytics to clients including News Corp and Seven West Media, music groups such as Sony, retailers including Coles Group, Qantas and sports organisations such as Cricket Australia.

The company boasts that it has accumulated detailed data on more than 16 million individuals in its Australian and New Zealand market.         

There is concern among consumer advocates that privacy reforms will be more difficult now that media companies have invested in big databases and analytics. They worry that legislation will face opposition from News Corp, Nine and Seven West Media.

“What they basically want is the reins to be tightened around big tech,” says Kate Bower, consumer data advocate at Choice, “but without touching the Australian advertising market.”

More than a dozen major corporations that responded to The Saturday Paper’s request for comment on their data collection practices, including CBA, National Australia Bank, Coles, Woolworths and Telstra, admitted they both collect additional data on their customers from third parties and share customer data with other parties. This is laid out in their privacy policies but consumers have no opt-out option if they decide to buy goods and services from these companies.

In response to the dominance of Google and Facebook in the digital advertising market, media companies including News Corp, Nine Entertainment and Seven West Media have spent millions of dollars building their own platforms for ads. News Corp, in particular, has been active in selling the benefits of its databases and platform to clients.     

News Corp also claims to reach 16 million consumers through its News Connect platform. “Today we can put our hand on our heart and say … we can recognise 16 million individuals, which takes us up to the level of big tech,” News client product managing director Pippa Leary told marketing podcast Mi3 in May 2022. Nine claims it can reach 14 million Australians and Seven West Media 12 million through its SWM-iD system.

At the same time, changing technology has meant the end of internet browsers tracking consumers using data cookies and other methods – yielding so-called “third-party” data.

In a presentation to the Australian Competition and Consumer Commission, UNSW Sydney professor Katharine Kemp writes that companies are focusing on accumulating more “first-party” data, which is data collected about their own customers while on the firm’s websites and apps. This requires consumers to log in, identifying themselves whenever they use the service.

Companies are also using data matching to find out more about consumers by matching their own first-party data with information that other companies and data brokers have collected, she wrote.

Data analytics companies claim they are “de-identifying” data but, with access to so many different data sets, the companies, or the organisations that buy data from them, are able to reverse the process. This is known as “re-identifying” and new digital tools are emerging all the time to improve this process.

“When you consent to a transaction you’re also consenting to the terms and conditions and privacy policy and there’s no way to opt out,” says Bower.

“Once you have handed over your data, what happens with it is completely opaque. Even for the diligent consumers who do read the privacy policies, the language is vague legalese that doesn’t tell people plainly that their data is monetised and shared with dozens, maybe hundreds, of other businesses.

“We need much stronger consumer protections and well-resourced regulators to clamp down on these unfair practices. Whether you’re reading an online media publication, buying groceries or a ticket to your favourite band, you shouldn’t be forced into participating in the secondary data market.”

The attorney-general, Mark Dreyfus, has promised a review of the Privacy Act 1988. The review is the completion of a process that was belatedly started by the previous government as part of its response to the ACCC’s digital platforms inquiry in 2019.

The review is aimed at bringing Australia’s privacy laws in line with those now in operation in the European Union and United States. Laws here are softer and less enforced compared with the European Union’s 2018 General Data Protection Regulation (GDPR). These are often held up as the best example of privacy law in the world. In Europe, consumers can obtain access to the data that companies hold on them, object to the collection of data and have that data deleted.

The Saturday Paper understands that Dreyfus, who kicked off privacy reforms during his first stint as attorney-general in the Rudd–Gillard government, will take recommendations to cabinet as early as next month, with a public release and consultation process to begin soon afterwards.

Alec Christie, a partner at global firm Clyde & Co in the digital law team, says the government needs to be careful if it is considering any carve-outs for certain sectors, in the name of, say, competition.

“What’s good for the goose is good for the gander. And if it’s good enough for Google, and it’s good enough for Coles or Qantas, it’s good enough for the media companies,” he says. “Whoever is doing it, it shouldn’t be who you are, it’s what you are doing and what are you doing with it – and that’s what should be regulated. And that’s whether you are the government, News Corp or a small enterprise out of a garage.”

The issue is not just unwanted marketing offers. There are also downstream issues in terms of competition in the market. These comprehensive databases allow bigger conglomerates to push out smaller players. They also have the ability to offer discriminatory pricing and personalised pricing, where consumers won’t know that they’re being served a different price to other people.

“We can learn from what’s happened with GDPR in Europe,” Bower says. “We don’t want to make the consumers solely responsible for managing this. We want to put the focus back on businesses to do the right thing in the first place. We are pushing a broader scale of a duty of care or best interest duty on businesses. Don’t make consumers consent to things, make sure that the business does the right thing in the first place.”

Christie said there is already a framework for restricting the collection and use of our personal data for secondary purposes, under the Australian Privacy Principles. However, the principles are broad and some businesses struggle to apply them correctly or deliberately push the envelope on what they permit.

“The Australian Privacy Principles are clear,” Christie says. “Once you’ve used the personal information for the notified purpose and as soon as any legal obligation to hold it expires there is a positive obligation to delete or de-identify that personal information. But many claim not to understand this, so this could be strengthened in the legislative review.”

He added that the review should be clear about what de-identified means and what limitations there are on the use of data. “For areas of the privacy law where business says ‘we don’t know what to do’, perhaps it’s time to build specific requirements or guidance into the law … In other words, give them clear prescriptive requirements or guidance, so it’s clear what businesses need to do.”

None of the media companies mentioned in this story responded to questions about their practices.

This article was first published in the print edition of The Saturday Paper on January 21, 2023 as "Data dealers".