Floppy disks, Faith and a Privacy Act for the 21st century

By Lauren Solomon and Chandni Gupta

As we enter the home stretch of 2021, our heads are down preparing CPRC’s response to the proposed Discussion Paper of the review of Australia’s Privacy Act 1988. While a range of other initiatives are currently being proposed – including the Online Privacy Code and a social media inquiry – material change to Australia’s economy wide protection framework rests in an overhaul of our privacy legislation introduced in 1988. We took some time out to briefly reflect and summarise our thoughts in this post.

1988 was a big year. Things were happening:

• CDs overtook vinyl record sales in the US for the first time.
• Information was stored on floppy disks.
• The Netherlands was the first country in Europe to connect to the internet, the second worldwide. Australia would follow in 1989 but use was not yet widespread.
• The world’s first ever cybersecurity attack – The Morris Worm – hit.

And for those among us that mark time by what was on the airwaves, Faith by George Michael was trending No. 1 globally.

What a time indeed. Over the intervening 33 years, we’ve listened to Mp3 players, connected electric vehicles, mapped one-fifth of the ocean floor, put computers in our pockets, and used apps and QR codes to help manage a global pandemic. Yet, our Privacy Act has been stuck on loop, back there reminiscing with George and having Faith that it might hold up to the digital economy that consumers participate in today.

This is important, because we know such significant benefits can be delivered from data-driven products and services for the community and economy. To reap those benefits, we need predictable and sustainable guardrails in place to enable innovation and encourage investment in the technologies that materially improve our lives.

The Discussion Paper released by the Attorney General’s Department last month outlines the most significant opportunity we’ve had in decades to transform Australia’s privacy framework, making it fit for the digital age. Consumers are ready for change.

Australian consumers are ready for change

Digital transformation has delivered extraordinary benefits to the community and economy over the past few decades. Australian consumers in particular, have embraced technology, often leading the way in uptake as early adopters.

During the pandemic, more people than ever before worked, shopped and communicated via digital products and services. This became an essential part of our lives in ways never like before.

At the same time, consumers have become increasingly concerned about their privacy and the way these suppliers have been collecting and sharing information about them.

Our research highlights the lack of agency and understanding consumers have over their privacy, rendering them powerless with no real, meaningful way for consumers to express their preferences. Our 2020 Data and Technology Consumer Survey found 94% of Australian consumers are uncomfortable with how their personal information is collected and shared online. Equally concerning, 94% of consumers don’t read all terms and conditions that apply to them in any given year. But given many could take-up 90 minutes each to read, that’s hardly surprising.

Almost 70% of consumers who have taken the time to read at least one terms and conditions accepted them even when they weren’t comfortable with the terms. Why? Three-quarters of these consumers said it was the only way to access the product or service. Consumers simply aren’t able to express their preferences given terms are often opaque, and mostly presented as a “take-it or leave it” proposition.

Consumers also expect government to play a key role in providing adequate safeguards for citizens in the digital economy, with over 90% of Australians expecting government to:

• protect them against their data being collected shared and used
• improve ways for them to receive more meaningful information about what’s being collected
• protect against misuse.

Empowering consumers with guardrails against misuse – what’s on the table?

As an independent consumer research organisation, we have approached data and digital policy development from the perspective of the economy-wide settings necessary to empower consumers and encourage innovation that enhances consumer wellbeing.

We’ve grouped the key issues we’re focusing on below along with relevant proposals in the Discussion Paper:

Modernising what it means to be identifiable

• Widening the definition of personal information so it includes being identified directly or indirectly.
• Redefining collection of data so it covers information obtained from any source and by any means, including, if it’s only inferred or generated.

The redefining of personal information will be fundamental to the effectiveness of the Privacy Act. Currently, the definition of personal information is limited to data that directly identifies an individual (e.g. name, address, age, date of birth, health records, phone number). But we know that personal information today is much more than that and the ubiquity of multiple sources of non-identifiable data can easily assist in reidentification. In our previous submission on the 2020 Privacy Act Review Issues Paper, we noted examples of service usage data which can be used to infer personal information such as socioeconomic status, sexual orientation, political views, mood, stress levels, health status, personal interests, customer worth or relationship status. Our research also indicates that 8 out of 10 consumers are uncomfortable with the sharing of unique ID numbers for mobile phones and/or devices. Widening of the scope of personal information will be fundamental to addressing the technological advancements of the past few decades.

Enabling transparency and meaningful choice and control

• Privacy notices to be clear, current and understandable with the possibility of standardised privacy notices (i.e. standard layouts, wordings and icons) and for these to be tested for readability and comprehension.
• Requiring clarity on who is collecting data, what is being collected, for what purpose, and which third parties may be involved.
• Enabling the right to erasure under specific circumstances.
• Having pro-privacy settings being enabled by default (which is the preference of most Australians), so the friction lies in opting in instead of opting out of data collection.

With frictionless processes being on-trend, one place where friction is critical is asking for consent. This becomes even more crucial when consumers are facing a choice about using a product or service without monetary charge, often the trade-off being that their data (and predictions that can be drawn from it) are being monetised. When consent is requested, it should be in a way that is meaningful and understood by consumers (i.e. not hidden in clicks and fine print).

Currently firms continue to claim that settings are available for consumers to adjust and opt-out of their data being collected, shared or used. But once again, the onus is placed on the consumers to recognise and adjust these settings. To give consumers genuine choice and control, defaults for data sharing should be set off to enable consumers to make active choices about disclosing their data. Refusing to consent to unnecessary collection of their personal information, should not be at the expense of being precluded from accessing products or services.

Consumers should also be given the right to erase their personal information and data held by companies where there is no legal reason for it to be retained. Right of erasure is a critical complement to strengthened consent requirements because it provides consumers with a mechanism for erasing their personal information later if they’re no longer comfortable with it.

Fair practices

• Embedding a ‘fair and reasonable’ obligation on entities collecting personal information recognises the need for protection of individual’s privacy, considering amount and type of data that is reasonably necessary to achieve functions and activities.

The review is considering the introduction of a ‘fair and reasonable’ test when it comes to data collection. While a welcome development, our position is that this would not negate the need for broader fairness reforms within consumer law, because unfair practices are not constrained to only privacy matters. We support the introduction of an unfair trading prohibition and the strengthening of unfair contract terms in consumer law to address the emerging range of unfair practices adopted by businesses in the digital age. Further protections could be added through the introduction of ‘no go zones’ prohibiting particular kinds of sensitive data collection and amalgamation, however we recognise the challenges of defining and enforcing such a provision considering the rapidly evolving technological advancements.

Exercising rights and accessing redress

• Giving individuals the platform to complain or lodge a privacy request to access, correct, object or erase their data, potentially via currently recognised External Dispute Resolution frameworks or via a separate Federal Privacy Ombudsman.
• Creating a direct right of action for individuals or group of individuals whose privacy has been interfered and enabling consumers to access remedies, including an amount for damages.

There must be effective dispute resolution pathways to enable consumers to seek redress for when things go wrong in the digital environment. As consumers increase their engagement online and with more digital products and services, an appropriate Ombudsman needs to be identified and adequately resourced to meet Benchmarks for Industry-based Customer Dispute Resolution to ensure consumers can effectively resolve any disagreements that will arise.

A right of action will further help strengthen the rights and bargaining power of consumers. Individuals should be given a right to bring actions and class actions directly to court to seek compensation for damages (financial and non-financial) and publicly hold entities to account for engaging in unlawful privacy practices.

Effective, well-resourced enforcement

• Provision of civil penalties to enable OAIC to effectively enforce these reforms.

Proactive monitoring and regulation will be critical in ensuring that these reforms are delivering the intended outcomes for consumers, and that it is not left up to the consumer to identify and report the harm. That responsibility needs to lie with a well-resourced and effective regulator. A clear pathway for businesses to understand their obligations and the relevant regulator having clarity on its scope of and approach to enforcement will be crucial.

Where to from here?

CPRC and other consumer organisations have long been recommending many of the proposals in the Discussion Paper because these are the types of changes that empower consumers to effectively participate and build trust in the digital economy. They also ensure consumers are safer online.

Australia’s privacy laws are at the precipice of emerging out of 80’s double-denim and making a genuine difference in empowering Australian consumers to have real choices and controls, as well as making industry more accountable for the data practices that are fueling the digital economy.

Want to hear more on this from the CPRC? Check out CEO Lauren Solomon on The Mi3 Podcast – Episode 123 De-identified data is no longer enough.

Watch this space for our formal submission in the coming weeks.