This browser is not actively supported anymore. For the best passle experience, we strongly recommend you upgrade your browser.

Competition & EU law insights

Keeping you up to date on Competition & EU law developments in Europe and beyond.

| 3 minutes read

A data-driven approach: ACCC releases report on competition and consumer issues of data products and services

In the most recent report of the ACCC’s Digital Platform Services Inquiry (‘Report’), the ACCC has found that consumers are unable to exercise choice or meaningful control over their data, and that consumers are mostly unaware of the extent to which their data is collected and how it may be used.

While the previous interim report looked at competition and consumer issues arising from the expanding ecosystems of digital platforms, the Report focuses on data products and services, how data is collected, and how it is used by data firms in Australia. 

How is your data collected?

The types of data collected by businesses or ‘data firms’ include information pertaining to an individual’s identity, demographic, finances, location, and interests. While individuals may explicitly share information about themselves (‘volunteered data’), data can also be captured through an individual’s web browsing (‘observed data’), a combination of volunteered and observed data, or through third parties. 

ACCC considers that consumers are largely unaware of the use and collection of their data 

A blue sign with white text

Description automatically generated

The ways in which a data firm will use an individual’s data is generally set out in the privacy policy connected to the service or product the consumer is accessing.
According to the above infographic from the Report, it takes approximately 29 minutes to read a typical privacy policy. If consumers overcome this initial hurdle of reading through this document, they usually have no choice but to accept the terms and conditions in order to use the service or access the particular product to which the privacy policy relates.

Furthermore, these policies usually include a term that allows the company to share data with unnamed third parties, making it difficult for consumers to keep track of their data or exercise any form of meaningful control over it.

While some data firms de-identify data, which lowers the risk for consumers in the event of a data breach, de-identified data is not necessarily subject to the Privacy Act 1998 (Cth) as it is no longer “personal data”. However, the Report highlights that there is a risk of such data being re-identified by combining it with additional data or where de-identification processes are not applied correctly.


The report does not make any new recommendations to government, instead, the ACCC reiterated its support for the implementation of the recommendations made in the Privacy Act Review Report and further resourcing to the Office of the Australian Information Commissioner. 

The ACCC also restated its recommendation for an economy-wide prohibition on unfair trading practices. This recommendation came up in the 5th interim report of the Digital Platform Services Inquiry and seeks to address certain business practices which would not be covered by the ACL in its current form, such as the use of ‘dark patterns’.

Tensions between competition policy and privacy regulation 

The ACCC notes that there is a tension between protecting consumer interests around the collection, storage, use and disclosure of personal information, and a data firm’s access to data inputs to supply services to business customers. In other words, there is a tension between facilitating competition (for example, by encouraging the sharing of data) and achieving better privacy outcomes for individuals. 

Balancing competition concerns with consumer privacy is precarious. The ACCC acknowledges that the analysis in this space is nascent and remains mostly theoretical. 

For instance, in the European Union, the cost of compliance with data protection regulations may increase market concentration, especially among smaller competitors with fewer resources who have to comply with the same regulatory requirements as larger competitors. The EU Commission has noted that despite the additional burdens placed on smaller enterprises in meeting privacy compliance standards, enforcement by regulators should be consistent regardless. This is because the risk to a consumer’s privacy does not correlate with the size of a firm or business. 

This article was written with assistance from Charlotte Ainsworth.

For more information or further guidance in this area, please contact Thomas JonesDylan McGirr, and Ruby Simpson.



competition, competition law, eu, eu law, antitrust, antitrust law, accc, consumer, data, australia, competition & eu law, privacy and data protection, europe, data access