The Privacy Commissioner’s recent decision in Commissioner Initiated Investigation into IRE Pty Ltd (Privacy) [2026] AICmr 24 has significant implications for digital platforms that collect personal information.
Although the case focused on IRE Pty Ltd (trading as InspectRealEstate) (IRE) and its 2Apply ‘RentTech’ platform, the Commissioner’s reasoning has broader implications for online businesses collecting personal information.
This decision is also significant as it considers the role of ‘online choice architecture’ practices or ‘dark patterns’, and concepts of fairness under the Privacy Act.
Background and facts
2Apply is a platform on which real estate agents (REAs) can list rental properties, and renters can apply for those properties. When listing a property, the REA can decide what information and documents renters will be required to provide, based on a list of data fields provided by 2Apply (such as employment status, bankruptcy status and so forth) – this was referred to as the ‘default list’.
To apply for a rental on 2Apply, renters are first required to create a profile. Users can upload information and documents to their profile, enabling future applications to be pre-filled. When applying for a specific property, they can also provide any additional information and documents requested by the REA. Users may still apply without submitting all requested information or documents, although they are warned that this may affect the success of their application.
REAs can review and download the information and documents submitted by prospective renters. The REA decides which rental application is successful, and this is communicated to prospective renters via 2Apply.
What the Commissioner decided
The Commissioner decided that IRE breached:
- Australian Privacy Principle (APP) 3.2 by collecting personal information that is not reasonably necessary for its functions or activities.
- APP 3.5 by collecting personal information by unfair means.
The Commissioner ordered IRE to cease collecting particular categories of personal information, and to engage an independent reviewer to assess its privacy practices, and report on actions taken in response to that assessment.
Collection of information that is not reasonably necessary (APP 3.2)
Who was collecting personal information?
While some of the personal information collected from renters was recorded against the renter’s profile on 2Apply, other information was collected based on the information that the REA requested the renter to apply when applying for a property (based on IRE’s ‘default list’). The information sought differed between REAs and from property to property.
Should a platform, such as 2Apply, be responsible for personal information collected by the users of their platform?
The Commissioner held that IRE was not merely collecting personal information on behalf of real estate agents, but was instead doing so in its own right. This was despite the fact that IRE appeared to use this information only in connection with the particular REA’s relationship with the renter.
What was critical to the Commissioner’s decision was the fact that IRE provided the ‘default list’ of data points that the REA could choose from. IRE’s operational involvement in developing and maintaining the list was key. This suggests that the outcome may have been different if 2Apply did not provide the ‘default list’. For example, the outcome may have been different if 2Apply provided a free-form function that allowed the REA to draft its own questions and information requests.
Online services that enable users to collect personal information from other users should consider how their services are designed, and whether they are collecting personal information for the purposes of the Privacy Act.
Was the collection of personal information ‘reasonably necessary’?
The Commissioner then went on to consider whether the personal information collected by IRE from renters was reasonably necessary for IRE to carry out its function or activity of facilitating the processing of complete tenant applications.
In carrying out this assessment, the Commissioner considered what information is required to assess a rental application.
IRE could not satisfy the ‘reasonably necessary’ test by pointing to the fact that REAs determine what information renters were required to provide. Instead, the Commissioner considered what information REAs ought reasonably to request when assessing rental applications.
In conducting this assessment, the Commissioner relied primarily on tenancy laws, tenancy regulator guidelines and anti-discrimination laws. No evidence from REAs or industry bodies about prevailing industry practices appears to have been put forward.
The Commissioner held that personal information was ‘reasonably necessary’ to assess a rental application where it went to:
- the individual’s identity and contact details
- the individual’s ability to pay rent
- whether the individual is likely to maintain the property
The Commissioner undertook a relatively strict approach in this assessment, and held that the following kinds of personal information are not ‘reasonably necessary’ to assess a rental application:
- gender
- details of dependants, specifically names and ages
- student status
- bankruptcy status
- retirement status
- previous living history
- current or intended ownership of their principal place of residence or investment property
- current applications for other properties
- bond and rent assistance application status
- citizenship status and visa expiry.
The Commissioner also held that the following kinds of personal information are not ‘reasonably necessary’ to complete a rental application, or that a lesser amount of information ought to have been collected:
- emergency contact information
- vehicle details
- identity documents, as individuals could be referred to an appropriately secure third-party ID verification service, or documents could be physically sighted – this suggests the Commissioner considered these to be less privacy-intrusive alternatives
- proof of income documents for the past two years
- employment details, including occupation, start and end date, and employment status – where proof of income is otherwise provided.
The Commissioner appears to have rejected the argument that these data points were relevant to assess longer-term rental risk. It is also not clear the extent to which the Commissioner had regard to how this information may be used by a REA when deciding between multiple, competing applicants. In the Commissioner’s reasoning, the information had to establish an ability to pay or maintain the property, or it did not – and if it did not, then it could not be collected.
Contrast with the recent Bunnings’ decisions
The recent decision of the Administrative Review Tribunal (and the earlier OAIC Determination) in the Bunnings’ matter considered the meaning of the phrase in s 16A: “the entity reasonably believes that the collection, use or disclosure is necessary in order for the entity to take appropriate action in relation to the matter (emphasis added)”.
While the Bunnings’ decisions considered a different part of the Privacy Act, we note that similar concepts of ‘reasonableness’ and ‘necessity’ used in s 16A are given effect in a substantially different manner in APP 3.2.
In Bunnings, both the ART’s and OAIC’s decisions adopted a structured proportionality test (suitability, available alternatives and proportionality) to assess compliance with this provision, with a degree of latitude provided to business to determine whether particular action is necessary in a given situation (adopting a ‘reasonable person’ test).
However, in IRE’s decision, a stricter assessment was performed having regard to identified functions of IRE and a normative assessment of whether particular information was required to fulfil those functions. Far less latitude appears to be provided to business to determine how they will carry out their functions.
What the Bunnings and IRE decisions have in common is that their outcome turned very much on how the relevant function or objectives of the business were defined.
Collection of information by unfair means (APP 3.5)
The Commissioner considered whether the methods by which IRE collected personal information from renters was fair.
The Commissioner had regard to:
- inherent and significant power imbalances in the rental market
- the current rental crisis
- individuals having limited choice on which rental platform to use
- excessive collection of personal information
- security risks with over-collection
- ‘online choice architecture’ practices or ‘dark patterns’.
We note that while IRE only had influence or control over some of these factors (for example, power imbalances and rental crisis), and some appear to overlap with other parts of the APPs (such as excess collection and security risks), these were all taken into account by the Commissioner in reaching a finding of unfairness.
Dark patterns
While the finding of unfairness was based on a cumulative assessment of the above matters, the decision focused on ‘online choice architecture’ practices or ‘dark patterns’, in particular the harmful practices of:
- Confirm shaming – the use of emotive language to make a person feel guilty or embarrassed for not taking an action (for example, “No, I prefer paying full price”, or “No, I am willing to take my chances”).
- Biased framing – presenting choices that overemphasise benefits and underemphasise risks.
- Bundled consent – a single consent option being presented for multiple types of information or multiple purposes.
The Commissioner held that the text presented to users was factually correct (and the Commissioner recognised that the completeness of an application is a heavily weighted factor in assessing rental applications) but amounted to confirmshaming and biased framing:
- “[REA] has requested the following information to help speed up your application process”.
- “You will be able to submit your application without supporting information, but this may affect whether you are considered as a suitable tenant for the property”.
The use of emotive or biased language in both these statements would seem to be very mild. At the very least, these statements do not, on their face, reveal deliberate or calculated intimidation or deception by IRE. These findings show that the Commissioner will adopt a relatively strict approach to assessing fairness in ‘online choice architecture’ practices or ‘dark patterns’.
Companies should carefully review how they draft similar collection notices while also ensuring that they meet their obligations under consumer laws.
Lastly, the Commissioner found that IRE had used a bundled consent that required renters to agree to direct marketing in order for their application to be processed, with no opt-out provided at the point of collection. In addition to being a ‘dark pattern’, this kind of conduct would also raise issues around the validity of consent under APP 7 and the Spam Act 2003 (Cth) (which were outside the scope of the decision).
Key takeaways
The IRE decision signals a more interventionist and a stricter approach from the Commissioner. It has implications for all businesses collecting personal information in the digital space (including platforms that facilitate the collection of personal information by users from users).
Following this decision, businesses should:
- Assess whether each kind of personal information they collect is ‘reasonably necessary’ for their functions or activities. Where the business allows their users to collect personal information from other users, it should also assess its potential liability for the collection decisions of its users.
- Consider whether they can carry out their functions or activities using less privacy-intrusive methods. The Commissioner was critical of the way that REAs perform identity checks, and indicated that less privacy-intrusive methods ought to be used.
- Review collection notices, consent flows and user interfaces for ‘dark patterns’, noting that the Commissioner has adopted a relatively strict approach to assessing fairness in this context.
- Consider how they will balance their obligations under the Privacy Act against their duties under consumer and other laws.
More broadly, the IRE decision confirms that the Commissioner is prepared to scrutinise both the kinds and volume of personal information being collected, as well as how online environments are designed for that collection. Businesses operating in the digital space should expect continued regulatory focus on data minimisation and privacy-by-design and should proactively review these practices.