[BreachExchange] The Australian government is going after social media companies with $10 million fines for privacy breaches

Terrell Byrd terrell.byrd at riskbasedsecurity.com
Tue Oct 26 10:05:02 EDT 2021


https://www.startupdaily.net/2021/10/the-australian-government-is-going-after-social-media-companies-with-10-million-fines-for-privacy-breaches/

The government is getting ready to hand out $10 million fines for companies
mismanaging user information with new legislation targeting social media
companies.

A draft of the Privacy Legislation Amendment (Enhancing Online Privacy and
Other Measures) Bill 2021 – or the Online Privacy Bill for short – was
circulated on Monday.

The bill aims to make online companies, especially social media platforms
and data brokers, more accountable for the data they collect and share about
users, and will see the development of an Online Privacy code to govern how
these companies comply with the Australian Privacy Principles.

Body corporates that commit repeated or serious privacy breaches could be
fined up to 10 per cent of their last year’s turnover under the bill if a
court can’t work out the monetary value a company gained from its breach.

Attorney-General Michaelia Cash said companies will be “punished heavily”
if they don’t meet Australian privacy standards.

“We know that Australians are wary about what personal information they
give over to large tech companies,” she said. “We are ensuring their data
and privacy will be protected and handled with care.”

The new bill, which is open for public consultation until 6 December, comes
amidst a wholesale review of the Privacy Act.

Online privacy bill

The Online Privacy Bill outlines the creation of a new code targeting the
behaviour of social media services, data brokers, and “large online
platforms”.

Under the proposed legislation, social media services are companies that
primarily enable online social interaction between multiple end-users in
such a way that users can interact with “some or all of the other
end-users” and can “post material on the service”.

Alongside existing social media services, such as Facebook, this definition
would target online gaming platforms, blogs and forums, as well as
messaging apps and videoconferencing services like Zoom.

Data brokers are companies that collect personal information from people
through electronic services for the purpose of disclosing that personal
information (or information derived from it) while large online platforms
are any service that collects personal information about people and has
over 2.5 million Australian users.

The designation for “large online platforms” covers the likes of Google
Search, Spotify, and Amazon that don’t necessarily connect other end-users
for social purposes but do collect large swathes of information on users.

A provision in the code would allow users to request that their personal
information not be further used or disclosed, such as for direct marketing,
but a user’s request would not stop companies from sharing information with
law enforcement.

The code will be developed in consultation with industry – something Dr Rys
Farthing, Data Policy Director for Reset Australia, said was cause for
concern.

“Given what we know about social media companies, the prospect that they
might be involved in the first drafting of this code is worrying,” he said.

“It would be appalling if Facebook, or any industry representative bodies
they work with, were to have the first opportunity to draft the very code
that is meant to protect children from them.”

Children are a key demographic for this code, which must require social
media companies to “take all reasonable steps” to verify the age of their
users.

For users under the age of 16, parental or guardian consent will be
required before the companies can share any data.

Facebook has come under immense scrutiny in recent weeks following the leak
of internal documents from whistleblower Frances Haugen which showed, among
other revelations, that the company is aware of how its Instagram product
negatively affects the well-being of young users.

In July, Instagram enacted a policy of defaulting users under the age of 16
to private accounts and said it would no longer let advertisers target
people younger than 18 based on demographic information beyond their gender,
age, and location.