In this post from our ‘Privacy in focus’ blog series, we explore the key voices and perspectives shaping the review of the Privacy Act.
If you want to know where the review of the Privacy Act is going to land, the first question to ask is ‘who’s in the room’.
That’s why, in this post on the Privacy Act review, we’ve analysed public submissions in response to the Government’s issues paper to see what they reveal about the perspectives of interest groups, and how this might shape the review process.
It’s loud in here
There are 154 submissions published on the Attorney General’s website, totalling 2,103 pages by our count. That’s quite a few by comparison with other consultation processes. The ACCC’s Digital Platforms Inquiry issues paper only attracted 76 submissions.
More than half of all submissions come from private companies (around 30%) and industry bodies or professional associations (around 23%). Within this segment, a wide range of industries are represented – it really is a cross section of the economy. Contributions from the Shopping Centre Council of Australia, the Obesity Policy Coalition and the Federal Chamber of Automotive Industries might have been surprising a few years ago. Today their presence is a testament to how central data has become in our lives.
The remaining submissions come from academics and research centres (around 16%), various government entities (around 13%), charities and advocacy groups (around 10%) and individuals (around 7%).
Reading the room
There are so many issues and so many differing interests and perspectives that it is difficult to draw many clear through-lines. By our rough (and inevitably subjective) count:
- A little over 50% of all submissions are broadly in support of stronger privacy protections.
- Around 20% advocate little or no change to the current regime.
- The remainder are either explicitly neutral, focus on a specific issue or provide commentary on a specific industry without taking a clear position.
- Only a small handful of submissions advocate for weaker protections.
What’s the chatter?
The small business and employee records exemptions are shaping up as a key battleground, with an unlikely alliance between privacy advocates (Electronic Frontiers Australia, New South Wales Council for Civil Liberties) and tech/data companies (Google, Data Republic) against the exemptions on one side, pitted against representatives of small business and sole traders in a range of fields (Arts Law Centre of Australia, Clubs Australia and the Australian Small Business and Family Enterprise Ombudsman) favouring the exemption on the other.
The role of consent will be another area of contention. A large number of submissions have raised concerns about the ACCC Digital Platforms Inquiry recommendations for enhanced consent requirements. Some note the failure of the notice and consent model as a whole and emphasise the need for additional controls on how organisations use data (see particularly the Consumer Policy Research Centre and the Association for data-driven marketing and advertising). Others emphasise the dangers of consent fatigue and the need for an alternative basis for processing (see e.g., Facebook).
Finding your friends – opposing unnecessary regulation
As one might expect, submissions from industry are more likely to oppose or raise concerns about higher regulatory standards. Those worried about the potential costs of reform include:
- Insurers (Insurance Council of Australia, MIGA (Medical Insurance Group Australia), Avant Mutual) are worried about the potential impact of a direct right of action and a statutory tort for serious invasions of privacy.
- Journalists and media organisations (Australia’s Right to Know Coalition, Nine, ABC, The Guardian Australia) are similarly concerned about the potential impact of a statutory tort, as well as any changes to the journalism exception.
- Telcos (Communications Alliance, Telstra Corporation Ltd and Telstra Health Ltd, Optus) could be significantly affected by an expansion of the definition of personal information to include technical data, as well as a right to erasure.
Finding your friends – supporting higher standards
Perhaps surprisingly, many of the most data centric businesses and industry groups support reform. Data service providers (such as illion and Experian), advertisers (such as the Association for data-driven marketing and advertising), and software/technology services (such as Adobe, Atlassian, Data Republic) are much more open to reform, particularly in pursuit of GDPR adequacy.
Submissions from human rights groups (such as Digital Rights Watch, New South Wales Council for Civil Liberties) and consumer advocacy groups (such as Australian Communications Consumer Action Network, CHOICE, Financial Rights Legal Centre, Consumer Action Law Centre and Financial Counselling Australia) near-universally support greater protections, as do academics (such as the Centre for AI and Digital Ethics and Melbourne Law School, University of Melbourne, Castan Centre for Human Rights Law – Monash University) and professionals (such as Australian Information Security Association and the Law Council of Australia) also skew heavily towards stronger privacy rules.
Our takeaway is that there are substantially more voices in favour of reform than for the status quo. Add that to the overwhelming public support for stronger privacy protections (83% of Australians surveyed by OAIC saying they would like the government to do more to protect the privacy of their data) and it looks like there will be real pressure on the government to deliver meaningful reform.
Of course, the issues paper is just the beginning, and we’ve just scratched the surface here. So why not stay tuned while we all wait for the discussion paper? In our next edition, we’ll take a deep dive into the definition of personal information.
Read all posts from the Privacy in focus series:
Privacy in focus: A new beginning
Privacy in focus: Who’s in the room?
Privacy in focus: What’s in a word?
Privacy in focus: The consent catch-22
Privacy in focus: A pub test for privacy
Privacy in focus: Towards a unified privacy regime