AI Anyone? 2023 Reflections from the Privacy Perspective

As the end of 2023 approaches (thank goodness, say some!), let’s reflect on some of the pivotal privacy themes of 2023 and anticipate what 2024 holds. We’ve picked 5 highlights for the year. And of course, AI is a major feature…

  1. AI regulation is coming

In 2023, AI transitioned from theoretical discussion to a global boardroom concern. Governments unified to address the risks of biased algorithms, discrimination, misinformation, manipulation and job displacement.

  • The EU took a pioneering step with a provisional deal, taking the groundbreaking EU AI Act a step closer to establishing a legal framework to govern AI systems.
  • Australia, too, made strides, with the Government releasing a discussion paper on “Safe and Responsible AI in Australia”, which garnered 448 published responses, and establishing the Artificial Intelligence in Government Taskforce.
  • Additionally, at the AI Safety Summit in the UK in November, Australia along with the EU and 27 countries, signed the Bletchley Declaration underscoring the commitment to ensuring safe, human-centric, trustworthy and responsible AI development.

Throughout the year, we assisted clients in navigating challenges tied to personal data in large language models and observed a notable uptick in demand for AI acceptable use policies and AI risk frameworks.

Anticipating 2024, the transformative influence of AI is set to persist. Businesses delving into AI should consider embracing risk mitigation practices aligned with Australia’s Eight AI Ethics Principles. Global collaborations underscore a collective dedication to responsible AI development and use, with the possibility of additional laws in this space not being ruled out.

  2. Who do you trust less: Government or AI?

Staying on the AI topic, the Centrelink ‘robodebt’ scandal vividly illustrates the human toll resulting from flawed algorithm design, exacerbated by human indifference to the resulting hardships. In July of this year, the Royal Commission into the Robodebt Scheme concluded with its final report, revealing substantial shortcomings in both government operations and the mechanisms designed to ensure accountability during the administration of the scheme.

For those unfamiliar, the Commission was established in 2022 to investigate the federal government scheme, known as robodebt, aimed at recovering alleged overpayments from welfare recipients dating back to the financial year 2010-2011. This initiative involved the automated issuance of debt notifications to individuals. The commission’s 900-page report harshly characterised the scheme as ‘cruel and crude’ deeming it neither fair nor legal.

Among the 57 recommendations was the establishment of a body to monitor automatic decision-making processes and the proposal for a new legal framework governing the use of automation in government services, complete with a transparent review process for those affected by related decisions.

The robodebt scandal underscores the necessity, before embracing AI for its efficiency benefits, to scrutinise automated decision-making systems and to ensure robust review and oversight procedures are in place.

  3. Privacy Act reforms

Inevitably, alongside the surge in AI discussions, the impending Privacy Act reforms also share the spotlight in 2023. These reforms mark a shift towards heightened privacy regulation in Australia to align more closely with global privacy and data protection standards.

The pivotal moment arrived with the release by the Attorney-General’s Department of the Privacy Act Review: Report 2022, accompanied by a call for public feedback. Come September, the Government responded to the Report by indicating that it agrees with 38 of the 116 proposals made, and a further 68 in principle.

Noteworthy is the government’s prudent approach – while endorsing proposals in principle, it acknowledges the need for yet further extensive engagement with organisations and industry and a thorough impact analysis before final decisions are made.

See our 2023 articles on Privacy Act reforms.

The Government is committed to introducing legislative amendments in 2024. We will continue to closely monitor the progress and support organisations to be well prepared and compliant in this dynamic environment.

  4. Regulatory enforcement activity in 2023

The regulatory landscape in 2023 witnessed proactive responses to privacy events.

January – June 2023

Investigations, fines and legal actions marked the year. The first half of the year witnessed the launch of a joint investigation into Latitude Finance by the OAIC and New Zealand’s Office of the Privacy Commissioner, the announcement of a standalone Privacy Commissioner and the publication of the OAIC’s bi-annual Notifiable Data Breaches Report for the period of July to December 2022. (See our key takeaways from the OAIC’s July – December 2022 Data Breach Report)

Clearview Inc

In May, the Administrative Appeals Tribunal handed down its decision in Clearview Inc v Australian Information Commissioner, affirming that the Privacy Act 1988 (Cth) applies to Clearview AI because it had a sufficient Australian link: it was ‘carrying on business’ in Australia by collecting personal information from Australian servers. The Tribunal also found that Clearview AI had breached multiple Australian Privacy Principles by scraping images of Australians’ faces from publicly available sources on the internet.

Medibank Private Breach

In June, APRA imposed a $250 million capital adequacy requirement on Medibank Private following its scrutiny of Medibank’s information security environment after the cyber security incident it faced in October 2022. July witnessed the Federal Court imposing a $20 million fine against Facebook subsidiaries in an ACCC case involving misleading representations on data collection practices.

Simultaneously, the OAIC initiated proceedings against Facebook Inc and Facebook Ireland in the Australian Federal Court, alleging “serious or repeated interferences with the privacy of an individual” in contravention of section 13G of the Privacy Act 1988 (Cth).

July – December 2023

In the second half of 2023, the OAIC commenced civil penalty proceedings in the Federal Court against Australian Clinical Labs (ACL) stemming from an investigation into its privacy practices. Notably, this case involves the timeliness of assessing and reporting a data breach, emphasising the importance of organisations having expeditious response processes. This is only the second time that the OAIC has taken court proceedings despite having had the power to do so since 2014; it also signals the regulator’s priority in ensuring that cyber security incidents are responded to swiftly.

The increased regulatory scrutiny follows large-scale data breaches, such as those faced by Medibank Private and Optus, resulting in consumer and investor class actions.

Key Takeaways

  • The risks associated with passive compliance and inadequate disclosures include the potential for investigations by both the ACCC and the OAIC.
  • Heightened expectations from consumers and regulators loom in 2024, urging organisations to conduct comprehensive reviews of their data handling practices.

  5. Cyber security and resilience

Throughout the year, organisations we’ve worked with demonstrated a keen interest in enhancing data management and governance, with cybersecurity concerns at the forefront.

A discernible trend in 2023 is the increasing occurrence of data incidents in Australia, particularly in the financial and healthcare sectors. In November, the Australian Signals Directorate released its Cyber Threat Report 2022-2023, revealing a surge in cyber threats impacting businesses and individuals. The Australian Securities and Investments Commission’s Cyber Pulse Survey Report in the same month exposed deficiencies in cybersecurity risk management, prompting a stern warning from ASIC and a call for a proactive approach.

On 22 November 2023, the Federal Government revealed the 2023-2030 Australian Cyber Security Strategy and accompanying 2023-2030 Australian Cyber Security Action Plan. These initiatives address key cybersecurity concerns in light of the high-profile Optus and Medibank cyber events, the nationwide Optus outage, and the ransomware attack on DP World Australia in November 2023.

Proposed legislative reforms include a no-fault, no-liability ransomware reporting obligation, amendments to data retention requirements, and the introduction of a mandatory cyber security standard for IoT devices.

The Government will release a strategy consultation paper to collaborate with industry on these legislative reforms, with the consultation period running until March 2024.

Happy 2024!

As we step into 2024, active engagement with Government on these reforms remains crucial and we will continue to closely monitor its steps to adapt to the dynamic digital landscape. Safeguarding your organisation against cyber threats remains a critical imperative.

We look forward to embarking on another dynamic year in 2024, continuing our mission to help and support organisations manage risks and opportunities at the intersection of privacy, cyber security, and data governance.

Privacy, security and training. Jodie is one of Australia’s leading privacy and security experts and the Founder of Privacy 108 Consulting.