
Sometimes it does hurt to ask – Privacy Commissioner imposes limits on businesses’ ‘freedom to contract’ with their users about the collection of personal information


The recent decision in Commissioner Initiated Investigation into IRE Pty Ltd (Privacy) [2026] AICmr 24 (the IRE Decision) marks an important milestone in the Privacy Commissioner’s efforts to define a clearer legal standard for proportionality under the Privacy Act 1988 (Cth) (Privacy Act) and to address what the Commissioner considers to be ‘intrusive’ or ‘excessive’ information collection practices by businesses.

Why this decision is important

  • The decision signals an intent by the Commissioner to impose restrictions on the ability of businesses to freely choose the types of information they wish to request from consumers according to the business’ views on what is relevant and necessary for its operations.
  • Businesses must be able to provide an objective justification for any information requests using a ‘necessity’ standard that is tied to the immediate transaction or activity for which the information is being collected.
  • This regulatory stance is intended to push back on what the Commissioner views as excessive questioning by businesses (particularly where there may be a power imbalance), and to restrain businesses from pre-emptively ‘stockpiling’ data points that are merely ‘nice to have’ or ‘potentially relevant’ (rather than objectively necessary).
  • Notably, the Commissioner intends to enforce these limits even where the business has been transparent with the consumer about how the information will be used and the consumer has answered voluntarily. This suggests that transparency and consumer choice mechanisms (such as privacy notices and consents) may not be sufficient to ‘fix’ underlying problems with the scope of questions being asked.
  • While this approach is consistent with the Commissioner’s long-standing best practice recommendations on data minimisation, it is at odds with much of current market practice and the common assumption made by many businesses that they are free (in the absence of clear intimidation, deception or coercion) to negotiate with consumers regarding the scope of personal information the consumer is willing to provide in order to access a service.
  • Instead, the Commissioner will adopt a more interventionist stance towards assessing what is fair and proportionate in the circumstances based on objective criteria other than the commercial ‘bargain’ reached by the business and the consumer.
  • Businesses should consider reviewing their information collection practices and incorporating proportionality considerations (including data minimisation and ‘just-in-time’ data collection models) and impact assessments into the design, review and approval processes for consumer-facing workflows.

Background and facts

The IRE Decision considered a platform called 2Apply which allows real estate agents to list rental properties and receive rental applications from prospective tenants through an online application form within the platform.

The application form asked the applicant to answer various questions and provide various supporting documents as part of their application. The platform allowed the real estate agent to customise these questions and document requests by selecting options from a default list of questions which had been compiled by IRE Pty Ltd (IRE), the owner and operator of 2Apply.

This default list of questions covered a wide range of topics, including the applicant’s gender, details of dependents, previous living history, current applications for other properties, citizenship status and visa expiry date.

The agent also had the option to include an additional note in the application form stating that the agent ‘has requested the following information to help speed up your application process’.

The platform allowed applicants to submit their application without providing all the requested information and documents, but this involved ticking a box stating: ‘I am unable to provide some of the required information above’ and being asked to provide an explanation for the missing information and documents. The platform also displayed a message to the applicant stating: ‘You will be able to submit your application without supporting information, but this may affect whether you are considered as a suitable tenant for the property’.

The footer of the application form presented individuals with a ‘Personal information collection statement’ which stated that IRE would need to collect, use and disclose the applicant’s personal information to provide its technology and services to them, and encouraged the applicant to read IRE’s Privacy Policy.

The Commissioner’s decision

The Commissioner found that IRE had breached its Privacy Act obligations by including the following non-compliant features in the 2Apply platform:

  • a default list which contained questions that a real estate agent would not be legally permitted to ask an applicant under the Privacy Act (because they sought information that went beyond what the Commissioner considered to be reasonably necessary to consider a rental application, and were therefore unreasonably intrusive to the applicant’s privacy); and
  • the use of harmful ‘Online Choice Architecture’ techniques (such as emotive language, biased framing and consent bundling) in the application form. The Commissioner found that these techniques had the effect of unfairly manipulating or pressuring the applicant into providing more information than they otherwise would have if these techniques had not been used.

The effect of including these non-compliant features in the platform was that IRE received (and collected) personal information in a manner that breached:

  • Australian Privacy Principle (APP) 3.2, because IRE was collecting information that was not reasonably necessary for its functions or activities; and
  • APP 3.5, because IRE was collecting personal information by unfair means.

The Commissioner ordered IRE to:

  • modify the online application form functionality (and the default list) to remove certain questions that the Commissioner held were excessive and impermissible; and
  • engage an independent reviewer to review other aspects of the 2Apply model that the Commissioner considered potentially problematic (including 2Apply’s data retention practices, online choice architecture and certain other questions from the default list that the Commissioner considered to be borderline) and provide recommendations to 2Apply and the Commissioner.

Why was IRE held responsible even though the agent had ultimate control of the application form?

The Commissioner held that, although the real estate agent had the ability to customise the questions (and therefore the final say over what specific types of information were collected from the applicant), IRE was nevertheless collecting the application information in its own right (in order to provide the 2Apply platform’s functionality of facilitating the processing of ‘complete’ tenancy applications). IRE was not merely collecting the information on the real estate agent’s behalf.

The Commissioner found that IRE had ‘operational involvement’ in developing and maintaining the default list of questions (and offering that default list to the real estate agent users) and was accountable for the information and documents that were collected from applicants through the 2Apply rental application forms. The Commissioner emphasised that: ‘RentTech platforms are more than just a ‘middleman’ between renters and real estate agents; they directly collect and enable the collection of personal information’.

While the decision focused on IRE’s responsibilities as the platform provider, there are also implications for the real estate agent users. Given that certain questions were found to be impermissible, any agent which included such questions in its application form (by not actively de-selecting them from the default list) would likely also be breaching its own Privacy Act obligations.

Why were 2Apply’s information collection practices found to be disproportionate and unfair?

The Commissioner adopted a strict approach towards assessing proportionality and fairness that focused on:

  • seeking to reach an objective characterisation of how personal information was actually being used for the relevant business activity (in this case, processing rental applications) and using this as the benchmark for assessing proportionality and necessity, rather than relying on the stated intentions of 2Apply (or its real estate agents) or the commercial agreement reached between 2Apply and its users through the platform’s terms and conditions; and
  • considering the commercial context for that business activity and the user experience for the applicant (including the power dynamics between the lessor / real estate agent and the applicant, and the structure and design of the 2Apply platform from the user’s perspective), and how that context impacted the applicant and their decisions regarding whether to provide the requested information.

Applying this model to the 2Apply platform, the Commissioner determined that:

  • the relevant business activity which 2Apply, the real estate agent and the applicant were engaging in was the processing of rental applications, and 2Apply’s role or ‘function’ in that activity was to gather and provide ‘complete’ rental applications to the real estate agents for consideration;
  • a ‘complete’ application was one which contained sufficient information for a real estate agent to assess an individual’s application for a tenancy – this was to be assessed objectively with regard to the types of information that a reasonable real estate agent would require to assess an application (and assuming that the agent sought to avoid collecting any more information than was reasonably necessary);
  • the objective function of a real estate agent in assessing a rental application was to assess the applicant’s ability to pay rent and the likelihood that the applicant would take care of the property; and
  • a number of the questions in the default list sought additional types of information from the applicant that did not have any reasonable bearing on the applicant’s ability to pay rent or likelihood to take care of the property – for example, questions regarding the applicant’s:
    • gender;
    • names, ages and other details of dependents;
    • student status;
    • bankruptcy status (where the applicant has provided other evidence of income or financial resources);
    • retirement status;
    • previous living history;
    • current or intended ownership of their principal place of residence or investment property;
    • current applications for other properties;
    • bond and rent assistance application status; and
    • citizenship status and visa expiry.

The Commissioner also found that the excessive nature of these information requests was compounded by:

  • the commercial context of rental applications (including the tightness of the rental market which favours landlords and the growth of rent tech applications such as 2Apply as the exclusive manner to apply for rental properties); and
  • the applicant’s user experience on the platform (including aspects of the platform’s design which the Commissioner considered were harmful and undermined the applicant’s choice and control over their personal information).

These factors exerted additional pressure on applicants to provide all information requested by the real estate agent (even where such information was not, in the Commissioner’s view, reasonably necessary for the agent to properly consider the application). This impacted the ‘fairness’ of the decision by 2Apply (and, by implication, the real estate agents) to collect these types of information – presumably on the basis that 2Apply and the estate agents were taking unfair advantage of their commercial position and leverage to extract additional and unnecessary information.

The decision is notable as it marks the first time the Commissioner has taken enforcement action to address ‘dark patterns’ in website and app design. ‘Dark patterns’ are design choices that seek to influence the user’s behaviour in a manner that is contrary to the user’s interests (in this case, by encouraging the user to offer more personal information than is reasonably necessary, or which the user would otherwise have offered in the absence of the ‘dark patterns’).

The OAIC identified the following aspects of the 2Apply platform as involving ‘dark patterns’:

  • Statements on the 2Apply website which encouraged the user to provide all of the information requested by the real estate agent (eg that answering the questions would ‘help speed up your application process’, and that a failure to answer might ‘affect whether you are considered as a suitable tenant for the property’). While the Commissioner acknowledged that these statements were ‘not necessarily untrue or misleading’, the Commissioner held that they nevertheless constituted ‘confirmshaming’ (the use of emotive language to make a user feel guilty or embarrassed for not taking an action that is beneficial to the business) and ‘biased framing’ (the practice of presenting choices in a way that emphasises the benefits of sharing more information while failing to mention potential downsides for the user).
  • A requirement for users to agree to receive direct marketing by default (subject to an ability to unsubscribe at a later date) in order to use the platform to submit a rental application, which the Commissioner held to constitute ‘consent bundling’ (the practice of requiring users to consent to additional, non-essential matters in order to use a service).

The OAIC’s recently updated guidelines on APP 3 also cite ‘harmful nudges and sludge’ and ‘default settings’ as additional examples of ‘dark patterns’, based on a joint position paper on harmful online choice architecture practices by the UK’s Information Commissioner’s Office and Competition and Markets Authority.1

It is not clear to what extent the ‘unfairness’ of these design practices was linked to the specific context of the 2Apply platform (including the broader commercial pressures on applicants, and the Commissioner’s views that some of the questions went beyond what was reasonably necessary). There is also scope for further guidance as to whether (or how) the impact of these design choices could have been mitigated (for example, whether the analysis would have been different if the online application form had clearly differentiated between mandatory and voluntary questions).

Where to from here?

IRE has appealed the decision to the Administrative Review Tribunal (ART), but it seems clear that the Privacy Commissioner intends to push ahead with its regulatory stance in the interim. The Commissioner has already moved to incorporate these positions (and the outcomes from the IRE Decision) in its most recent update to the APP 3 guidelines.

It remains to be seen whether the ART will endorse the Privacy Commissioner’s expansive view of APP 3 and conclusions regarding 2Apply’s level of accountability as a platform operator.

If the Commissioner’s position is upheld by the ART, it would give the Privacy Commissioner significant jurisdiction to intervene in the ‘bargaining’ process between consumers and businesses regarding the collection and use of personal information. It would also confirm that the Privacy Act imposes a duty on businesses to:

  • justify the operational relevance of any personal information they request from consumers (ie why that information is necessary for a reasonably immediate or foreseeable task or activity), even where the consumer has agreed to provide the information voluntarily; and
  • proactively balance fairness considerations, taking the consumer’s perspective into account (rather than assuming that consumer choice alone is determinative of fairness).

This would represent a significant challenge to many of the common practices and assumptions that underpin modern website and app design and workflows, and may necessitate a broader rethink of the role that consumer information harvesting can play in value creation for businesses.

Even if the Commissioner’s interpretation of APP 3 is overruled on appeal, it is notable that there are upcoming reforms in other areas that will also require businesses to consider many of the substantive topics flagged by the Commissioner in the IRE decision (such as fairness, power imbalance and the use of ‘dark patterns’). You can read more about these other reforms in our articles on the Children’s Online Privacy Code and the proposed Unfair Trading Practices regime.

It seems likely that the Commissioner, together with its partner regulators in the Digital Platform Regulators Forum, will continue to explore ways to tackle these issues and drive outcomes across a range of regulatory frameworks including privacy laws, consumer protection laws and online safety laws.

In the interim, businesses can position themselves for these changes by:

  • familiarising themselves with the Commissioner’s views on proportionality and fairness (including on emerging topics, such as ‘dark patterns’ and data minimisation);
  • incorporating appropriate risk and impact assessments (such as privacy impact assessments) into the review and approval process for new workflows or initiatives that collect personal information from consumers; and
  • ensuring that risk and compliance reviews consider these workflows and initiatives holistically (including their context, scope and design), rather than being limited to legal notices (such as privacy statements and consents).

Please reach out to the authors or a member of the HWLE Lawyers’ Privacy, Data Protection and Cyber Security team if you’d like to discuss how we can assist your organisation with any of the matters in this article.

This article was written by Matthew Craven, Partner, and Tim Lee, Special Counsel.


1 ‘Harmful design in digital markets: How Online Choice Architecture practices can undermine consumer choice and control over personal information’, a joint position paper by the Information Commissioner’s Office and the Competition and Markets Authority: harmful-design-in-digital-markets-ico-cma-joint-position-paper.pdf.

Important Disclaimer: The material contained in this publication is of general nature only and is based on the law as of the date of publication. It is not, nor is intended to be legal advice. If you wish to take any action based on the content of this publication we recommend that you seek professional advice.
