Is it app-ropriate to require personal information for parking?

elevenM’s Tessa Loftus on the experience of technology solutions that are actually privacy intrusions in our everyday life.

Last week, I needed to take my daughter for an early morning urgent medical appointment in Rhodes. My initial delight at easily finding a park quickly turned to consternation when it seemed that the only option to pay for my parking — on a public street — was to download an app.[1]

As anyone who’s ever needed to get to a specialist appointment on time (i.e., everybody) would know, you don’t have the luxury of being late. So, my options seemed to be: download the app without reading the privacy policy, not download it and risk a parking fine, or find alternative parking.

Despite being a privacy professional, I did as most people would do and downloaded the app, which immediately asked to access my motion and fitness activity (why?), and to send me push notifications. For the app to work, I was required to provide my full name, email, phone number, credit card details and access to my real-time location data. The location permission offered three options: once only, only while using the app, or, again oddly, always.

Even if I’d had time to read the privacy policy (which I didn’t in view of our looming appointment), there was no privacy policy linked in the app store, and the page entitled ‘App Privacy’ was blank.

As we noted in our recent blog on the consent catch-22, “Information privacy is often defined in terms of individual control — the ability to determine for yourself when others may collect and how they may use your information.” But moving basic services into privately-operated technological solutions and making them ‘accept or don’t use’ undermines the basic notion of consent. If my options are ‘not parking in this suburb’ or providing my name, email, phone, credit card and real time location to an organisation that doesn’t provide a privacy policy in its app, that is not a real choice, nor is it genuine consent.

Further, where personal information must be provided to use public facilities or to access government services, there is no possibility of a valid ‘consent’ to data processing. I should not have to give up my information to sit on a public bench or park in a public space.

Needless to say, I deleted the app when I left my park. But how do I divorce myself entirely from this app? While deleting the app stops it accessing my location data, it is unlikely that it deletes my data from the database. So now I have to trust in perpetuity that the app developer is protecting my full name, email, phone number, credit card details and location data.

There are simply too many situations where unnecessary collection of information has been slipped into everyday life without people noticing. It is easy to see why a local council and frequent parkers would value the convenience of an app like this, which offers remote extensions of time and linking to a credit card for repeat payments. But what if I don’t want to share my profile with a company I don’t know (or haven’t had time to investigate), or I just want to remain anonymous? What if I am only thinking about getting where I’m going, not about digital risk, while I’m parking my car, and that leads me to make a decision that later causes me harm?

We should all know by now that with innovation and digital convenience come new risks. It should not be incumbent on consumers to navigate those new risks (especially when they’re under pressure). Rather, people should be able to trust the system, knowing that the rules of participation for data collectors require that people and our social values are protected.

As organisations – both business and government – increasingly look to technology for solutions to the ‘everyday’ we need to ensure that they meet baseline protections. I feel entirely comfortable in buying the cheapest available car seat for my child, because I know that Australia has strong product safety laws and that someone with more expertise than myself has checked that we will be kept safe.

If I must download an app to park my car, the starting assumptions should include data minimisation, strict use limitation and high standards of security. It should not be used as an opportunity to track and monitor me under the fictional guise of consent. I should be able to feel confident that, even if I do not understand the privacy policy, someone who does has ensured that my welfare is protected.

[1]The Canada Bay council website indicates that app-area parking also offers regular parking meters. However this option wasn’t conspicuous to me – the parking sign said ‘phone ticket’, it was underneath a larger sign saying ‘app-name parking area’, and no parking meter was obvious in the vicinity.


Privacy in focus: What’s in a word?

In this post from our ‘Privacy in focus’ blog series, we explore arguments for and against changes to the definition of personal information being considered by the review of the Privacy Act, and the implications of those changes.

One of the simplest but most far-reaching potential amendments to the Privacy Act is the replacement of a single word: replacing ‘about’ with ‘relates to’ in the definition of ‘personal information’.

Supporters of the change (such as the ACCC, the OAIC, and the Law Council of Australia) say it would clarify significant legal uncertainty, while also aligning Australia with the GDPR standard and maintaining consistency between the Privacy Act and the Consumer Data Right regime.

Those opposed (such as the Communications Alliance and the Australian Industry Group) warn that the change may unnecessarily broaden the scope of the Act, potentially imposing substantial costs on industry without any clear benefit to consumers.

To understand why, we’ll dig into the origins of the definition and the present uncertainty regarding its application.

Precision is important

The definition of personal information sets the scope of the Privacy Act. All the rights and obligations in the Act rely on this definition. All the obligations that organisations have to handle personal information responsibly rely on this definition. All the rights that individuals have to control how their personal information is used rely on this definition. Personal information is the very base on which privacy regulation rests.

Any uncertainty in such an important definition can result in significant costs for both individuals and organisations. At best, uncertainty can result in wasted compliance work governing and controlling data that need not be protected. At worst, it can mean severe violations of privacy for consumers when data breaches occur as a result of failure to apply controls to data that should have been protected. Examples of the former are frequent — even OAIC guidance encourages organisations to err on the side of caution in identifying data as personal information. Unfortunately, examples of the latter are even more commonplace — the disclosure of Myki travel data by Public Transport Victoria, the publication of MBS/PBS data by the Federal Department of Health, and Flight Centre’s release of customer data for a hackathon are all recent examples of organisations releasing data subject to inadequate controls in the belief that it did not amount to personal information.

These uncertain times

According to the OAIC, the ACCC, and many others, there is substantial uncertainty as to the scope of ‘personal information’, particularly as it relates to metadata such as IP addresses and other technical information. That uncertainty was partially created, and certainly enhanced, by the decision of the Administrative Appeals Tribunal in the Grubb case, which was upheld on appeal in the Federal Court.

In the Grubb case, the Tribunal found that certain telecommunications metadata was not personal information because it was really ‘about’ the way data flows through Telstra’s network in order to deliver a call or message, rather than about Mr Grubb himself.

The ruling came as a surprise to many. The orthodoxy up until that point had been that the word ‘about’ played a minimal role in the definition of personal information, and that the relevant test was simply whether the information is connected or related to an individual in a way that reveals or conveys something about them, even where the information may be several steps removed from the individual.

Today, it’s still unclear how significant a role ‘about’ should play in the definition. Could one argue, for example, that location data from a mobile phone is information about the phone, not its owner? Or that web browsing history is information about data flows and connections between computers, rather than about the individual at the keyboard?

OAIC guidance is some help, but it’s not legally binding. In the absence of further consideration by the courts, which is unlikely to happen any time soon[1], the matter remains unsettled. Organisations are without a clear answer as to whether (or in what circumstances) technical data should be treated as personal, forcing them to roll the dice in an area that should be precisely defined. Individuals are put in the equally uncertain position of not knowing what information will be protected, and how far to trust organisations who may be trying to do the right thing.

Relating to uncertainty

Those in favour of reform want to resolve this uncertainty by replacing ‘about’ with ‘relates to’. The effect would be to sidestep the Grubb judgement and lock in a broad understanding of what personal information entails, so that the definition covers (and the Privacy Act protects) all information that reveals or conveys something about an individual, including device or technical data that may be generated at a remove.

Those who prefer the status quo take the view that the present level of uncertainty is manageable, and that revising the definition to something new and untested in Australia may lead to more confusion rather than less. Additionally, there is concern that ‘relates to’ may represent a broader test, and that the change could mean a significant expansion of the scope of the Act into technical and operational data sets.

What we think

By drawing attention to ‘about’ as a separate test, the Grubb case has led to an unfortunate focus on how information is generated and its proximity to an individual, when the key concern of privacy should always be what is revealed or conveyed about a person. In our view, replacing ‘about’ with ‘relates to’ better focuses consideration on whether an identifiable individual may be affected.

Industry concerns about expanding the scope of the Act are reasonable, particularly in the telco space, though we anticipate the expansion to be modest and manageable, as the scope of personal information will always remain bounded by the primary requirement that it be linked back to an identifiable individual. Further, we anticipate that any additional compliance costs will be offset by a clearer test and better alignment with the Consumer Data Right and the Telecommunications (Interception and Access) Act, both of which use ‘relates to’ in defining personal information.

Finally and significantly for any businesses operating outside of Australia, amending ‘about’ to ‘relates to’ would align the Privacy Act more closely with GDPR. Aligning with GDPR will be something of a recurring theme in any discussions about the Privacy Act review. This is for two reasons:

  • GDPR is an attractive standard. GDPR has come to represent the de-facto global standard with which many Australian and most international enterprises already comply. It’s far from perfect, and there are plenty of adaptations we might want to make for an Australian environment, but generally aligning to that standard could achieve a high level of privacy protection while minimising additional compliance costs for business.
  • Alignment might lead to ‘adequacy’. The GDPR imposes fewer requirements on data transfers to jurisdictions that the EU determines to have ‘adequate’ privacy laws. A determination of adequacy would substantially lower transaction and compliance costs for Australian companies doing business with the EU.

Click ‘I agree’ to continue

In our next edition of the Privacy in Focus series, we’ll take a look at consent and the role it might play in a revised Privacy Act. Will Australia double down on privacy self-management, or join the global trend towards greater organisational accountability?

Footnote: [1] Because of the way that privacy complaints work, disputes about the Privacy Act very rarely make it before the courts — a fact we’ll dig into more when we cover the proposal for a direct right of action under the Act.


Read all posts from the Privacy in focus series:
Privacy in focus: A new beginning
Privacy in focus: Who’s in the room?
Privacy in focus: What’s in a word?
Privacy in focus: The consent catch-22
Privacy in focus: A pub test for privacy
Privacy in focus: Towards a unified privacy regime