This appeared a little while ago.
Data Privacy in a Data and Algorithm Enabled World
Gilbert + Tobin Peter Leonard
- Data privacy statutes around the world are no longer fit for purpose.
- Adoption of recommendations of the ACCC’s Digital Platforms Inquiry and other current proposals for revision of the Privacy Act 1988 will not fix this problem: the proposals do not envisage moving decisively away from notice and choice as the foundation for data privacy regulation.
- The often misdescribed ‘gold standard’ of GDPR is not the solution.
- We need to go back to basics, and ask ‘what harms should privacy law address’, or as Prof Julie Cohen put it, ‘what is privacy for’? We then need to redraft our statutes to (at least) protect the right and interests of individual humans to go about their lives without excessive intrusion upon reasonable expectations of seclusion.
Almost all data privacy statutes around the world are no longer reasonably fit for purpose.
The long list of unfit statutes includes:
- the Privacy Act 1988 (C’th) and its State and Territory counterparts,
- the Workplace Surveillance Act 2005 (NSW) and the Workplace Privacy Act 2011 (ACT),
- the Surveillance Devices Act 2004 (Cth), and the Surveillance Devices Act 2007 (NSW) and all other State and Territory counterparts dealing with surveillance devices and listening devices.
Twenty years into the 21st century, the design specification for 21st century data privacy laws is finally becoming clear.
The problem that needs to be addressed can be simply stated: data privacy statutes are intended to protect human dignity, but instead focus on data, not humans. Humans have an interest (and should have a legal right) in and to reasonable seclusion. Data is completely indifferent as to whether it relates to humans or machines. Data has no concept of human frailties and needs. So humans need to make decisions about how and when data about humans is collected and used. Humans within entities that collect and use data about other humans should have a concept of frailties and reasonable expectations of affected humans - I avoid use of the term ‘data subject’, which term is not appropriately respectful of humans.
However, views as to what is a reasonable intrusion into seclusion vary widely, culture by culture, and often within cultures. And some entities, and humans making decisions within those entities, simply do not care, or allow business incentives or self-interest to overwhelm fundamental decency.
For those entities and humans, we need:
- transparency (daylight is the best antiseptic),
- accountability of each data handling entity and specific decision-makers within each entity,
- appropriate incentives and sanctions, and
- demonstrated enforcement and consequences.
If incentives for humans within entities and the entities are not properly aligned, or humans within entities are not individually accountable, we should expect many entities to be undisciplined and unprincipled. Not necessarily or deliberately bad, but undisciplined, leading to bad, sometimes quite unacceptable, outcomes. Australians need look no further than the last five years of reports of Royal Commissions – indigenous youth in custody, institutional abuse of minors, banks, nursing homes. With power of entities to visit poor outcomes upon vulnerable people, comes responsibilities of greater transparency, responsibility and accountability.
Most data privacy laws are intended to empower individuals by informing them how data about them may be being collected and used, and thereby enable them to exercise a choice. This foundation of 20th century data privacy regulation was (and remains) variously called ‘notice and consent’, ‘notice and choice’, ‘individual choice’ or ‘privacy self-management’.
The mechanism to give effect to this foundational theory is a requirement that each regulated entity:
- makes available a privacy policy that explains generally how the entity deals with personal data,
- provides to an affected individual a more specific and targeted privacy notice at or near the point or time of collection of particular categories of personal data, and
- seeks consent in relation to collection and uses of certain narrower categories of more ‘sensitive’ personal data.
Critiques of this mechanism focus upon the ‘illusion of consent’, as described by Profs Paul Ohm, Fred Cate and other privacy scholars, or the more recent restatement (by Prof Dan Solove and others) of this illusion as ‘the privacy self-management problem’.
In brief, these criticisms revolve around the problem of expecting affected individuals to properly understand and make a choice about whether to accept an act or practice which affects the individual’s privacy, and particularly when there is often no practical ability for each of us to say no, or even no to that, but it might be OK if you did it this way other way…[insert here].
Critiques of ‘notice and choice’ generally suggest that this framework needs to be supplemented, or replaced, by an additional requirement of demonstrated organisational accountability of the entity that is collecting, handling or disclosing personal information about the affected individual, or instituting surveillance of a human (whether identifiable or not).
Many data privacy statutes are deficient in bridging the chasm between ensuring:
- that there is a fair description created and provided to an affected individual about the purpose and extent of a proposed data collection, use or disclosure or surveillance activity, and
- that this data collection, use or disclosure or surveillance activity is necessary and proportionate to achieve a reasonable outcome, with reasonableness judged by consideration of:
- the degree of risk and extent of impact upon legitimate expectations of privacy,
- whether an individual suffers a harm that arises from this act or practice, and
- taking into account societal interests (such as in health and safety of other individuals) and the interests of the regulated entity that wants to collect, use or disclose data in a disclosed and properly risk evaluated way.
Does this sound difficult? It really should not. The much lauded GDPR of the European Union broadly requires just this. Business in Europe has not ground to a halt. Post-Brexit free trade Britain has not shown any interest in ditching or loosening up its inheritance of GDPR requirements. Now North America is moving towards enactment of similar laws.
Of course, Australia is different. The situation is worse.
Australian data privacy and surveillance statutes generally do not tie particular statutory requirements back to any stated right of privacy, standard of reasonableness or fairness, or any test as to the necessity or proportionality of a relevant, privacy affecting, act or practice.
Let us go to what should be the basics.
Human dignity requires us to be able to go about our private lives without unreasonable or unknown intrusions into what we do, why we do it, with whom and where. This includes a right to go about in public (including online) without unreasonable intrusions upon our ability to be our private selves in public (including online). Not an absolute right, and not a right to prevail over other rights (such as a right to health, safety and security), but a basic right.
The operation of this right becomes contentious when it bumps up against other rights and interests. Privacy is easy to define, and often overlooked because it is not readily defined, but this does not make it any less important to legally recognise and protect data privacy. As the NSW Law Reform Commission stated over a decade ago when recommending a new statutory cause of private action for serious invasion of privacy, “[t]o suggest that it is impossible to protect privacy generally in the manner proposed in our Bill because the concept cannot be precisely defined is to succumb to what Lord Reid once described as “the perennial fallacy that because something cannot be cut and dried or lightly weighed or measured therefore it does not exist”. That Commission’s recommendation (for a new statutory cause of action for serious invasion of privacy) disappeared without trace, like similar recommendations from all other law reform bodies that have looked at that question since then.
The perennial appearance of a call for a new cause of private action for serious invasion of privacy is due to the manifest need for control over (and self-help empowerment of citizens in relation to) pervasive civil surveillance and manifestly excessive collections of personal information.
The corresponding disappearance has been largely due to a combination of disinterest of parliamentarians and sustained focus of a few powerful media interests whose news outlets mischievously present a private right of action for privacy invasion as an existential threat to freedom of journalism, while simultaneously (but elsewhere) asserting that global digital platforms unfairly profit from privileged access to information about attributes and preferences of individuals.
It is time to confront the shibboleths shrouding a private action for serious invasion of privacy. We still cannot all agree as to how to define democracy after over two thousand years, but we share a broad consensus as to what it is not, and that consensus enables us to entrench democracy in law and make democracy more or less work. Even our literalist High Court of Australia found an implied right of political communication (well) hidden under the text of our Australian Constitution. If we do not start taking data privacy seriously as a human right, the slippery slope to a dystopian surveillance state is largely unimpeded by red flags and checkpoints. And after all, the proposals for a private right of action for privacy invasion are framed as only responding to invasions that are serious, deliberate or reckless, and that cannot be justified in the public interest. These proposals cut no free lunch for plaintiffs’ lawyers.
In many advanced democracies, human dignity is embedded in the law as an enforceable human right. That is not the case across Australia. No Australian Parliament has enacted a baseline human rights statute against which privacy impacting acts and practices of Australian entities must be considered. Some Australian States and Territories have charters of human rights which reference privacy as a right that is relevant in consideration and interpretation of rights-affecting statutes. However, relevant Australian data privacy statutes generally do not create sufficient scope for such ‘charter rights’ to be likely to significantly affect a court’s interpretation of the relevant provisions in the data privacy statute.
New readers of the Privacy Act 1988 are often surprised that this statute does not define “privacy” or the circumstances in which an act or practice is to be taken to cause privacy harm to an individual. The Overview in Schedule 1 - Australian Privacy Principles states that Part 1 of the APPs (APP 1 and APP 2) “sets out principles that require APP entities to consider the privacy of personal information, including ensuring that APP entities manage personal information in an open and transparent way”. However, the APPs do not state how APP entities should determine the circumstances in which rights or interests of individuals in and to privacy are affected, or how to evaluate the nature or extent of harm to those rights or interests for the purpose of application of the APPs. Most operative provisions in the Privacy Act 1988 use privacy as an adjective (occasionally an adverb) in a description of something else: privacy policy, Privacy Act, Australian Privacy Principle, privacy authorities and so on. A reader can carefully read all 330 pages of the Privacy Act 1988 and still not know:
- what privacy is,
- the circumstances in which an act or practice is to be taken to cause privacy harm to an individual, or
- when a prospective privacy harm should be considered a serious harm and subjected to a careful privacy impact assessment.
Now, you may object to my reading of the Privacy Act 1988 and direct me to section 2A, which sets out the objects of the Act as including:
- “to promote the protection of the privacy of individuals”,
- “to promote responsible and transparent handling of personal information”, and
- “to implement Australia’s international obligation in relation to privacy”.
I endorse grand and pious objectives, but (doffin’ m’cap to Norman Lindsay) proof of puddin’ is ina eatin’. On a plain reading of the APPs, it is reasonable to ask whether section 2A has any relevance at all in interpretation of the APPs. A court applying Australian legal principles of statutory interpretation to interpret the APPs might not look at section 2A at all.
I suggest that our approach to data privacy laws needs a reboot.
We need to go back to: what is privacy for? Whether protected as a human right or not, I suggest that most Australian citizens who actually stop to think about such matters would contend that a right of reasonable seclusion for each human is as fundamental an aspect of the rule of law in our advanced democracy as is the principle of equal treatment before the law. Of course, often that right of human seclusion gives way to other personal and societal rights, such as a right of protection of life and limb of an affected human and of others in our society. However, protection of life and limb of an affected human and others in our society should prevail only to the extent that intrusion of this right upon our right of seclusion is reasonably justified as proportionate and necessary. To take an obvious example: facial recognition cameras recognising everyone on every street might solve street crime and reduce terrorism. However, most Australian citizens would consider universal surveillance, at least when coupled with automated facial recognition, as a patently unreasonable intrusion upon our reasonable expectation of seclusion.
Data privacy statutes should be designed to be a sensible tool to protect human expectations of seclusion, whether that expectation is recognised as a human right or not. Data about what we do, why we do it, with whom and where, is increasingly captured, made useful, correlated, compared and shared, by technology. Data is therefore an increasingly powerful means to capture and tell others, including global businesses and governments, all of those things. Pervasive collection of data about what we do online and offline (in the physical world) increases capabilities of businesses and governments to unreasonably intrude into our private lives, often without our knowledge. By enthusiastically adopting smartphones, ‘personal wellness’ devices and other Internet of Things (IoT) devices, we allow powerful technologies into our intimate lives. These technologies open the flow of data about us and bring us daily benefits including personalisation, carrying around less stuff and ‘ask me once’ - as well as the much less visible risk of being singled out to our detriment.
Much, much more here:
https://www.lexology.com/library/detail.aspx?g=66159941-430e-4f6c-bdd4-56898a9afad1
This is a really great review of the issues surrounding data privacy and the laws in Australia and elsewhere that I have seen in many a long year.
It is really worth setting aside a half hour to read slowly and carefully to come to realise just how far Australia is behind where we all would like to be and get a sense of what might be an approach to dramatically improving things.
Enjoy the read!
David.
"What is privacy for" is the wrong question. A better question is "what privacy do people want and what are they prepared to pay for it (in consequences and costs)".
That's a much harder question and the answer will vary according to person and circumstances. Which is why it will never get asked.