The federal government is moving to pass a bill that would bind social media platforms in Australia to a newly-established Online Privacy code that would act to prevent platforms from hoarding and selling children’s data, and require parental consent for users under the age of 16.
Under the bill, the code would require platforms to take “all reasonable steps to verify” a user’s age, and put the “best interests of the child” at the centre of all decisions related to how a user’s personal information is handled across platforms like Facebook, Google and Snapchat.
Forcing platforms to put the “best interests of the child” — a long-standing principle of human rights law visible in various sector-specific legislation — at the centre of all decision-making related to the gathering of personal information and data tracking would in effect mean that platforms would not be able to profit off the data of children under 16.
Experts say that one provision alone would make notable inroads into curbing services like Google AdSense, as well as ad data and insight produced on Facebook for children. It’s an approach that has so far only seen notable success in the UK, when the Age Appropriate Design Code was legislated in September last year.
With the new legislation would come new powers for the Australian Information Commissioner, Australia’s privacy regulator, who would be responsible for cracking down on platforms in breach of the code, and have broader powers to issue fines and other, heavier penalties.
Attorney-General Michaelia Cash said the legislation would offer Australians some semblance of relief that their privacy would be treated more seriously.
“We know that Australians are wary about what personal information they give over to large tech companies,” Cash said.
“We are ensuring their data and privacy will be protected and handled with care,” she said. “Our draft legislation means that these companies will be punished heavily if they don’t meet that standard.”
However, under the Privacy Act, which stipulates that all privacy codes need to be co-developed with industry groups, there’s no guarantee the bill will pass in its current form.
It’s offered cause for concern among policy experts and digital rights activists alike, who suggest that platforms like Facebook and their industry representatives getting the first shot at drafting amendments to the bill could see it weakened dramatically.
Another area of concern among experts is the Bill’s scope. Rys Farthing, data policy director at tech policy think tank Reset Australia, said the Bill’s user threshold is too high, and it fails to address critical digital ecosystems that mightn’t necessarily be social-first.
“Unless you’ve got 2.5 million users [or more], you won’t fall under the code,” Dr Farthing told Business Insider Australia. “There’s only 2.9 million under 18-year-olds in Australia.”
“You could have 85% of Australia’s kids all downloading some really hectic app, and it wouldn’t be covered by the code.”
“None of this will apply to edtech,” she said. “And actually, that’s a huge part of kids’ lives. A lot of games that are targeted at children [also] won’t be counted because the requirements are [primarily] for social media platforms.”
Even still, Dr Farthing suggests that the bill, and the online privacy code that would be established as a result, are likely to thrust Australian regulators into the global spotlight, as it could be the first of its kind that doesn’t lean on another piece of legislation.
“I think Australia doing it is just such a fantastic thing — if we get a strong code, it is a … gift to the world,” Dr Farthing said.
“Because, everyone’s looking at the UK regulation and thinking, ‘God, that was really good.’ But the UK regulation is reliant on GDPR, and would only sort of work in GDPR contexts.”
Australia’s approach is one that is currently being considered in other countries around the world, too.
In the US, a similar bill is before the House of Representatives, while Senator Richard Blumenthal has launched an effort in the Senate that borrows elements of the UK’s Age Appropriate Design Code for the US.
“Canada is looking at it, Brazil is starting to look at it, there are a lot of places in the world that are starting to look at it, but none of them have GDPR,” Dr Farthing said.
“So if Australia can get a strong code, it will be a sort of global gift to the world in terms of, here’s one way you can do this outside of GDPR.”
Others said concerns remain over the Bill’s requirement for platforms to take “all reasonable steps” to verify a person’s age. Samantha Floreani, program lead at Digital Rights Watch, said it’s a requirement that could pose significant privacy risks itself.
“The requirement for platforms to take all reasonable steps to verify people’s age is very concerning,” Floreani told Business Insider Australia.
“Practically, all approaches to implementing age verification require the provision of additional personal information, which, when we consider the value of identity documentation, creates significant privacy and security risk,” she said.
“We need to be really careful that in an attempt to protect children online, we don’t end up undermining privacy and security for everyone.”
But Dr Farthing said it’s worth noting that there are various ways a platform could seek consent from a parent, like providing either a phone number or email address for a parent, and having them sign off on access like two-factor authentication.
She said that there aren’t likely to be any major privacy infringements through the process, as some have noted, because platforms employ various “age estimation techniques”, like data and cohort analysis.
“And so it’s just about saying that actually, you need to systematically do that as well. There’s loads of different ways you can do a really helpful and meaningful age estimation,” Dr Farthing said.
“It just places a requirement and places the onus back on social media companies to demonstrate that they are doing everything they possibly can,” she said.
“[I] can guarantee [you] that they are going to be out in the press today saying, ‘we’re going to need to see children’s passports, this is so risky’. But they know full well that that’s not how it works,” she said.
“You don’t have to do that.”