Australia’s Privacy Act Review: Another missed opportunity?

Privacy 108 has submitted its response to the Privacy Act Review Discussion Paper.  You can read that response here.

Generally, it looks like our tired 1980s Privacy Act will be pulled into somewhat better alignment with more modern privacy regimes.  Some of the proposed changes are good – like those to key definitions such as ‘personal information’ and ‘consent’, the introduction of an overarching ‘fair and reasonable’ principle and giving individuals some additional rights. And some are terrible – like re-introducing legislation to criminalise the re-identification of ‘de-identified’ personal information.  See our earlier blog post on whether this was the dumbest privacy idea of 2021.

Overall, however, there’s nothing really new or innovative and no real attempt to address some of the biggest issues for privacy in Australia like the small business, employee record and political party exemptions or the lack of harmonisation between Federal and State privacy regimes.

According to the OAIC, the Privacy Act has been amended almost 90 times since it was introduced in 1989.  It’s unlikely that any of the amendments raised in the Discussion Paper will make a significant difference to privacy protection in Australia. As we argue below, without re-thinking what privacy actually means to Australia, and doing that as part of a comprehensive strategic policy on how data should be managed going forward (for national security, for business innovation, for research and development, for the development of a properly skilled workforce and for individual protections) it’s unlikely that we will get more than the minimum action needed for us to stay roughly in alignment with other economies… But could we and should we do better?

Information policy

Australia is awash with regulatory initiatives impacting different aspects of on-line activity.   Some of this activity includes:

  • Moves by the Department of Home Affairs to introduce regulatory reforms and voluntary incentives to strengthen the cyber security of Australia’s digital economy by a range of measures from mandatory codes of practice to notification of ransomware payments;
  • Allowing law enforcement greater and easier access to data via encryption back doors and co-operation with foreign governments (e.g. via the US CLOUD agreement);
  • Increasing sharing of personal data by government agencies via the Data Availability and Transparency Bill , said to be for the purposes of delivering tangible public benefits, innovation and efficiencies in the areas of: delivery of government services; informing government policy and programs; and research and development; and
  • Introducing the Consumer Data Rights data sharing regime, which ostensibly increases the ability to share consumer data but only in limited industry sectors and with doubtful usefulness for consumers.

All these initiatives have some impact on the way personal information is collected, shared, accessed or secured.  However, they are driven by a range of different regulatory concerns: from supporting innovation by Australian businesses, to improving service delivery by federal government agencies, to increased and easier access to on-line data by law enforcement.

Photo by Mitchell Luo on Unsplash

All of these initiatives are in addition to those coming out of the ACCC’s Digital Platforms Inquiry, perhaps the most influential work in the data space in Australia.

The inquiry was commissioned in 2017 to look at the effect that digital search engines, social media platforms and other digital content aggregation platforms (together referred to as big tech) have on competition in media and advertising services markets. The enquiry’s final report went much further proposing a wide range of changes. In particular, the report looked at the impact of digital platforms on the supply of news and journalistic content and the implications of this for media content creators, advertisers and consumers.

So far, the Digital Platforms Enquiry has been the basis for:

  • the Online Privacy Bill, which proposes a privacy code for social media and other online platforms, ‘to ensure that Australia’s privacy law framework empowers consumers, protects their data and best serves the whole of the Australian economy.’[1]
  • The Social Media Anti Trolling Bill, and
  • the proposed amendments to the Privacy Act, raised in the Discussion Paper.

And the ACCC clearly has more plans for big tech.[2]

Why the interest in big tech? It’s likely that this will be a key pillar for the next election: keeping Australian’s safe online by taking on big tech. For example, on 1st December 2021, the federal government announced a parliamentary inquiry to scrutinise major technology companies and the “toxic material” that resides on their online platforms and its impact on the mental health of Australians.

However, not all the woes of the on-line world are caused by big tech.  Is the lens of reining in the power of big tech the right one to direct reforms of the Privacy Act? It certainly does not provide a basis for considering how to deal with cyber security concerns, law enforcement access to data or the growing concern of Australians about data use and the consequential loss of trust.

We have written before about the siloed approach to regulatory reform in Australia.   We covered how Australia’s 2020 Cyber Security Strategy makes only one reference to privacy (and in the context of how regulatory intervention might be made), notwithstanding the well accepted overlap and interdependence between cyber security and privacy. (See our previous blog post.)

Another example of a siloed approach to regulating the way we deal with information is the right to data portability, which is now one of the data subject rights included in the GDPR.

The Privacy Act Discussion Paper devotes one paragraph to that right.[3]  It says that Australia decided to adopt a sectoral approach to data portability (via the Consumer Data Right system) and that introducing any further right may duplicate aspects of that scheme ‘and create unnecessary regulatory complexity.’[4]  Arguably, it was not made clear at the time that the introduction of the CDR was intended to be the only right to data portability ever available to Australians.  The CDR dealing with data portability as a sectoral issue, only makes sense if viewed solely through the lens of competition law, and supporting innovation in certain industry sectors by greater access to data, rather than the lens of privacy rights.

We strongly recommend that the government consider a cohesive, high level policy covering information processing in all its forms, to help provide strategic direction and clarity for all Australian businesses and all Australians.  A strategic position would help identify the roles that competition law, consumer protection, cyber security as part of the national interest and the protection of privacy rights should all play in regulating on-line activities and the way personal data is handled. It would hopefully prevent the development of siloed, disconnected responses to individual issues that we are currently trying to grapple with.

Perhaps, reference could be made to the EU’s proposed declaration on digital rights and principles, which aims to give everyone a clear reference point about the kind of digital transformation Europe promotes and defends. The declaration will also provide a guide for policy makers and companies when dealing with new technologies. It will ensure that the rights and freedoms enshrined in the EU’s legal framework, and the European values expressed by the principles, are respected online as they are offline.

Without this high-level strategic direction, amendments to the Privacy Act will continue to be a game of catch up by Australia trying to keep pace with more agile, future focused nations who are able to leverage support for innovation and business while at the same time respecting a deeply rooted understanding of the importance of the protection of personal data as a key tenet of our liberal democratic way of life.

Privacy as a human right

One of the core pillars of any strategy for the way information is handled must be the recognition that in Australia, protecting data about Australian people is a core right, fundamental to our freedoms and the democratic society we want for our country.

The last comprehensive review of the Privacy Act was in 2008 with the publication of the Australian Law Reform Commission Report For Your Information – Australian Privacy Law and Practice (the ALRC Report). The ALRC Report recognised privacy as a human right. It also found that privacy protection should take precedence over a range of countervailing interests, such as cost and convenience.

However, in the current discussion paper, cost and convenience are introduced as preeminent concerns particularly in relation to:

  • The small business exemption
  • The treatment of employee records
  • The rights individuals have over their data.

Should cost and convenience, and concerns around regulatory complexity prevent real reforms to Australia’s privacy law?

We have posted previously about whether cost and convenience are the right justifications for continuing to exempt small businesses from the application of the Privacy Act. See our blog post here. After reviewing the literature referred to in the Discussion Paper, we found little evidence of what the cost and impact of privacy compliance might be for small business.

Is it acceptable that unsupported concerns about cost and convenience should trump risks and impacts to Australians?  Given that the continued exemption of small business is likely to prevent Australia ever being regarded as an adequate jurisdiction for EU cross border data transfers, should the impact on small business outweigh the loss of business opportunities and increased compliance costs for larger businesses who wish to operate internationally, including within the EU.

If there was a clearer strategic direction or underlying principles directing regulatory reform, it would be easier to find the balance between the interests of small and large business and individuals.

Fair and reasonable

Although we are pleased to see the proposed introduction of over-arching concepts of fairness and reasonableness, we are concerned that the operation of this approach will be hampered by the absence of regulatory scaffolding to support what is meant by ‘fair and reasonable.’

We appreciate the suggestion of introducing a list of factors to be considered, but ultimately, there should be some foundation for what is meant.  Without the broader recognition of the right to protection of one’s personal data as a fundamental right of individuals, the question of whether a use is going to be fair and reasonable will never be able to be properly addressed.

Of course, there are other ways of helping move the dial in favour of individuals such as putting the  burden of proof of establishing that a practice is fair and reasonable on the covered entity.  However, we have already seen the imbalance of power between Australia’s privacy regulators and big tech and wonder whether this is a fight that the OAIC could ever win.

It’s also proposed that some uses are not fair and are subject to overwhelming public interest e.g. use of facial recognition in public areas. As we know, the one thing we are sure of is we never know where technology or its use will go next.  It’s difficult to see the OAIC being able to keep up with a list of the sort of practices that should never be regarded as fair and reasonable in the rapidly changing data driven techno sphere.

What happened to the Australian Law Reform Commission?

The ALRC Report from 2008 is widely acknowledged as a well researched, balanced and thoroughly considered set of recommendations designed to improve Australia’s privacy regime.  It comprehensively reviewed then current privacy issues and proposed changes to the Privacy Act that would have maintained the alignment with the maturing of the privacy regimes on other jurisdictions. It is a shame that many of those recommendations were butchered on implementation (for example, the final wording of the recommended principles particularly APP 7 and 8), long delayed (data breach notification?) or have never been progressed (statutory right to sue for beach of privacy?).

Perhaps if the current review of the Privacy Act had been conducted by an independent body like the Australian Law Reform Commission, we would not be seeing the same issues raised again or the clear decision to pursue interests such as cost, convenience and reduced regulation for small business at the expense of coherent, consistent and effective regulation.

Conclusion

Proposals such as the change to the definition of ‘personal information’ and the introduction of a fair and reasonable test and greater individual rights are good initiatives and will provide clearer direction on the application of the Privacy Act which will be helpful to covered entities.

But, by and large, in the absence of a clearer strategic direction, concerns about cost and convenience and an interest in taking on big tech, triumph over protecting the personal data of Australians and the development of an internationally aligned fit for purpose privacy regime.  The move to include concepts like ‘fair and reasonable’ use seems premature, without recognition of the importance of the different drivers behind privacy and data policy, including the protection of human rights.

The current Discussion Paper represents another missed chance for reform of Australia’s privacy laws. Primarily directed at concerns around the operation of big tech, if passed the proposed amendments will leave unanswered many of the concerns of privacy professionals (who are interested in a cohesive, well enforced privacy regime harmonised across federal and state government agencies, broadly consistent with other international regimes so as to support adequacy findings and with limited exemptions and carve-outs).  Nor will they significantly improve the protection of the interests of Australians.

Perhaps a quick game of Platform Policy Bingo might be a good starting point for Australian policy makers.

Privacy 108’s response to the Privacy Act Review Discussion Paper: available here.

References:

[1] https://consultations.ag.gov.au/rights-and-protections/online-privacy-bill-exposure-draft/

[2] https://www.afr.com/technology/big-tech-faces-tough-new-laws-under-accc-plan-20210905-p58p0r

[3] Discussion Paper, 114.

[4] Ibid.