Privacy in focus: The consent catch-22

In this post from our ‘Privacy in focus’ blog series we discuss notice and consent — key cornerstones of privacy regulation both in Australia and around the globe — and key challenges in how these concepts operate to protect privacy.

From the 22 questions on notice, consent, and use and disclosure in the Privacy Act issues paper, there is one underlying question: Who should bear responsibility for safeguarding individuals’ privacy?

Privacy in focus: What’s in a word?

In this post from our ‘Privacy in focus’ blog series, we explore arguments for and against changes to the definition of personal information being considered by the review of the Privacy Act, and the implications of those changes.

One of the simplest but most far-reaching potential amendments to the Privacy Act is the replacement of a single word: replacing ‘about’ with ‘relates to’ in the definition of ‘personal information’.

Supporters of the change (such as the ACCC, the OAIC, and the Law Council of Australia) say it would clarify significant legal uncertainty, while also aligning Australia with the GDPR standard and maintaining consistency between the Privacy Act and the Consumer Data Right regime.

Those opposed (such as the Communications Alliance and the Australian Industry Group) warn that the change may unnecessarily broaden the scope of the Act, potentially imposing substantial costs on industry without any clear benefit to consumers.

To understand why, we’ll dig into the origins of the definition and the present uncertainty regarding its application.

Precision is important

The definition of personal information sets the scope of the Privacy Act. All the rights and obligations in the Act rely on this definition. All the obligations that organisations have to handle personal information responsibly rely on this definition. All the rights that individuals have to control how their personal information is used rely on this definition.  Personal information is the very base on which privacy regulation rests.

Any uncertainty in such an important definition can result in significant costs for both individuals and organisations. At best, uncertainty can result in wasted compliance work governing and controlling data that need not be protected. At worst, it can mean severe violations of privacy for consumers when data breaches occur as a result of failure to apply controls to data that should have been protected. Examples of the former are frequent — even OAIC guidance encourages organisations to err on the side of caution in identifying data as personal information. Unfortunately, examples of the latter are even more commonplace — the disclosure of Myki travel data by Public Transport Victoria, the publication of MBS/PBS data by the Federal Department of Health, and Flight Centre’s release of customer data for a hackathon are all recent examples of organisations releasing data subject to inadequate controls in the belief that it did not amount to personal information.

These uncertain times

According to the OAIC, the ACCC, and many others, there is substantial uncertainty as to the scope of ‘personal information’, particularly as it relates to metadata such as IP addresses and other technical information. That uncertainty was partially created, and certainly enhanced, by the decision of the Administrative Appeal Tribunal in the Grubb case, which was upheld on appeal in the Federal Court.

In the Grubb case, the Tribunal found that certain telecommunications metadata was not personal information because it was really ‘about’ the way data flows through Telstra’s network in order to deliver a call or message, rather than about Mr Grubb himself.

The ruling came as a surprise to many. The orthodoxy up until that point had been that the word ‘about’ played a minimal role in the definition of personal information, and that the relevant test was simply whether the information is connected or related to an individual in a way that reveals or conveys something about them, even where the information may be several steps removed from the individual.

Today, it’s still unclear how significant a role ‘about’ should play in the definition. Could one argue, for example, that location data from a mobile phone is information about the phone, not its owner? Or that web browsing history is information about data flows and connections between computers, rather than about the individual at the keyboard?

OAIC guidance is some help, but it’s not legally binding. In the absence of further consideration by the courts, which is unlikely to happen any time soon[1], the matter remains unsettled. Organisations are without a clear answer as to whether (or in what circumstances) technical data should be treated as personal, forcing them to roll the dice in an area that should be precisely defined. Individuals are put in the equally uncertain position of not knowing what information will be protected, and how far to trust organisations who may be trying to do the right thing.  

Relating to uncertainty

Those in favour of reform want to resolve this uncertainty by replacing ‘about’ with ‘relates to’. The effect would be to sidestep the Grubb judgement and lock in a broad understanding of what personal information entails, so that the definition covers (and the Privacy Act protects) all information that reveals or conveys something about an individual, including device or technical data that may be generated at a remove.

Those who prefer the status quo take the view the present level of uncertainty is manageable, and that revising the definition to something new and untested in Australia may lead to more confusion rather than less. Additionally, there is concern that ‘relates to’ may represent a broader test, and that the change could mean a significant expansion of the scope of the Act into technical and operational data sets.

What we think

By drawing attention to ‘about’ as a separate test, the Grubb case has led to an unfortunate focus on how information is generated and its proximity to an individual, when the key concern of privacy should always be what is revealed or conveyed about a person. In our view, replacing ‘about’ with ‘relates to’ better focuses consideration on whether an identifiable individual may be affected.

Industry concerns about expanding the scope of the Act are reasonable, particularly in the telco space, though we anticipate this to be modest and manageable as the scope of personal information will always remain bounded by the primary requirement that personal information be linked back to an identifiable individual. Further, we anticipate that any additional compliance costs will be offset by a clearer test and better alignment with the Consumer Data Right and Telecommunications (Interception and Access) Act, both of which use ‘relates to’ in defining personal information.

Finally and significantly for any businesses operating outside of Australia, amending ‘about’ to ‘relates to’ would align the Privacy Act more closely with GDPR. Aligning with GDPR will be something of a recurring theme in any discussions about the Privacy Act review. This is for two reasons:

  • GDPR is an attractive standard. GDPR has come to represent the de-facto global standard with which many Australian and most international enterprises already comply. It’s far from perfect, and there are plenty of adaptations we might want to make for an Australian environment, but generally aligning to that standard could achieve a high level of privacy protection while minimising additional compliance costs for business.
  • Alignment might lead to ‘adequacy’. The GDPR imposes fewer requirements on data transfers to jurisdictions that the EU determine to have ‘adequate’ privacy laws. A determination of adequacy would substantially lower transaction and compliance costs for Australian companies doing business with the EU.

Click ‘I agree’ to continue

In our next edition of the Privacy in Focus series, we’ll take a look at consent and the role it might play in a revised Privacy Act. Will Australia double down on privacy self-management, or join the global trend towards greater organisational accountability?

Footnote: [1] Because of the way that privacy complaints work, disputes about the Privacy Act very rarely make it before the courts — a fact we’ll dig into more when we cover the proposal for a direct right of action under the Act.


Read all posts from the Privacy in focus series:
Privacy in focus: A new beginning
Privacy in focus: Who’s in the room?
Privacy in focus: What’s in a word?
Privacy in focus: The consent catch-22
Privacy in focus: A pub test for privacy
Privacy in focus: Towards a unified privacy regime

Happy birthday Notifiable Data Breaches Scheme. How have you performed?

A year ago today, Australian businesses became subject to a mandatory data breach reporting scheme. Angst and anticipation came with its introduction – angst for the disruption it might have on unprepared businesses and anticipation of the positive impact it would have for privacy.

Twelve months on, consumers are arguably more troubled about the lack of safeguards for privacy, while businesses face the prospect of further regulation and oversight. Without a fundamental shift in how privacy is addressed, the cycle of heightened concern followed by further regulation looks set to continue.

It would be folly to pin all our problems on the Notifiable Data Breaches (NDB) scheme. Some of the headline events that exacerbated community privacy concerns in the past year fell outside its remit. The Facebook / Cambridge Analytica scandal stands out as a striking example.

The NDB scheme has also made its mark. For one, it has heralded a more transparent view of the state of breaches. More than 800 data breaches have been reported in the first year of the scheme.

The data also tells us more about how breaches are happening. Malicious attacks are behind the majority of breaches, though humans play a substantial role. Not only do about a third of breaches involve a human error, such as sending a customer’s personal information to the wrong person, but a large portion of malicious attacks directly involve human factors such as convincing someone to give away their password.

And for the most part, businesses got on with the task of complying. In many organisations, the dialogue has shifted from preventing breaches to being well prepared to manage and respond to them. This is a fundamentally positive outcome – as data collection grows and cyber threats get more pernicious, breaches will become more likely and businesses, as they do with the risk of fire, ought to have plans and drills to respond effectively.

And still, the jury is out on whether consumers feel more protected. Despite the number of data breach notifications in the past year, events suggest it would be difficult to say transparency alone had improved the way businesses handle personal information.

The sufficiency of our legislative regime is an open question. The ACCC is signalling it will play a stronger role in privacy, beginning with recommending a strengthening of protections under the Privacy Act. Last May, the Senate also passed a motion to bring Australia’s privacy regime in line with Europe’s General Data Protection Regulation (GDPR), a much more stringent and far-reaching set of protections.

Australian businesses ought not be surprised. The Senate’s intent aligns to what is occurring internationally. In the US, where Facebook’s repeated breaches have catalysed the public and polity, moves are afoot towards new federal privacy legislation. States like California have already brought in GDPR-like legislation, while Asian countries are similarly strengthening their data protection regimes. With digital protections sharpening as a public concern, a federal election in Australia this year further adds to the possibility of a strengthened approach to privacy by authorities.

Businesses will want to free themselves of chasing the tail of compliance to an ever-moving regulatory landscape. Given the public focus on issues of trust, privacy also emerges as a potential competitive differentiator.

A more proactive and embedded approach to privacy addresses both these outcomes. Privacy by design is emerging as a growing discipline by which privacy practices are embedded at an early stage. In short, with privacy in mind at an early stage, new business initiatives can be designed to meet privacy requirements before they are locked into a particular course of action.

We also need to look to the horizon, and it’s not as far away as we think. Artificial intelligence (AI) is already pressing deep within many organisations, and raises fundamental questions about whether current day privacy approaches are sufficient. AI represents a paradigm shift that challenges our ability to know in advance why we are collecting data and how we intend to use it.

And so, while new laws introduced in the past 12 months were a major step forward in the collective journey to better privacy, in many ways the conversation is just starting.