What covid apps can teach us about privacy, utility and trust in tech design


The release last week of the report into the first 12 months of the federal government’s beleaguered ‘COVIDSafe’ app got me thinking about the importance of Privacy by Design – and in particular, how the ‘design’ part of the equation is not just about the technology.

With the release of the evaluation report – months late and only after a heavily redacted version was released after a concerted FOI push – we now know that the COVIDSafe app has been a terribly expensive flop.

Only 779 users who tested positive to Covid-19, out of around 23,000 positive cases in the relevant time period, consented to having data from the app uploaded to the national COVIDSafe data store between 26 April 2020 and 15 May 2021; that’s a usage rate of around 3%.  From those 779 Covid cases, the app identified 81 close contacts, of whom only 17 were contacts not otherwise identified by manual contact tracing.

I don’t even want to calculate the total cost of the COVIDSafe app divided by 17 because I fear the figure would make me cry.

The COVIDSafe app – as Jacqueline Maley described it, a “cute footnote in the story of pandemic bunglings” – has been “utterly outclassed” by QR Code check-in apps implemented by State governments.

How?  Privacy, utility and trust.

Compare the public acceptance and uptake of the COVIDSafe app, which was relatively low and which generated a fair amount of public angst and discussion about the pros and cons (even before we knew it didn’t work properly on iPhones), versus the NSW Government’s ‘Covid Safe Check-in’ app, which enjoys incredibly high rates of acceptance and use, by both venues and patrons alike, and with almost no push-back from the public at all.

Two covid apps, both by governments, led by the same political party, covering the same population, for the same broad contact-tracing purpose: one a raging success and the other ultimately an eye-wateringly expensive failure.  Why?  It comes down to context.

This is a neat illustration of an argument I have made before: public trust, and therefore rates of use or compliance, is not as simple as asking: “Do you trust this organisation (in this case, the government)?”

It’s about asking: “Do you trust this particular way your data is going to be used for this particular purpose, can you see that it will deliver benefits (whether those benefits are personally for you or for others), and are you comfortable that those benefits outweigh the risks for you?”

When you realise that this more complex set of questions is the thinking behind consumer sentiment, it demonstrates how important it is to assess each different data use proposal on a case-by-case basis, because the nature of the proposal, and the context it is in, will make each value proposition unique.  That means the balancing act between benefits and risks from a privacy point of view needs to be done fresh for every different project.

It also shows the importance of Privacy by Design thinking – and how this is not just about the design of the tech, but the design of the entire ecosystem in which the tech is supposed to work, including legal protections, transparency and messaging, which together add up to how well users understand how an app works.  As studies have since shown, how well users understand how an app works makes a difference to their level of trust, because they can make more informed decisions for themselves.

Both apps have built-in privacy features, such as enabling the use of pseudonyms, automated deletion of data after a certain time period, and preventing the data from being accessed unless triggered by a positive covid case.

However the simplicity of the NSW app’s design, and the fact that it puts the user in complete control of when the app is used – instead of the COVIDSafe ‘always on’ design – put it way in front.  (The ‘always on’ design also led to other problems with COVIDSafe, like draining battery life and interference with critical diabetes monitoring systems.)  NSW app users can at any time revert to pen-and-paper when checking in to a venue.

The NSW app is also superior in its embrace of data minimisation as a design principle, only collecting data about when the user checks in to a venue.  By contrast the COVIDSafe’s ‘always on’ design meant vast reams of data being collected on every ‘handshake’ between two devices, and then business rules being written to cull out those which were for less than 15 minutes – an arbitrary time period now known to be meaningless in terms of the likelihood of transmission.

The messaging around the NSW app, and how it works, was clearer too.  (It helps that the user experience is intuitive and the user can see if the app is working or not; that means less complex messaging is needed in the first place.)  By contrast the communications around the COVIDSafe app were truly awful: we had the PM’s sunscreen analogy, seriously misinformed claims from the Government Services Minister that the app “simply digitises a manual process”, plus the Health Minister’s bargaining and the PM’s ‘maybe I’ll make it mandatory after all’ musings, as well as influencers being paid to make false claims about the app, political spin on whether the app works on iPhones, and a 40% take-up target based on no modelling which the government then quietly dropped.

Finally, the NSW app design has been superior in its embrace of an iterative design process, starting with trials, conducting testing, and openness to user feedback, leading to improvements over time.

Compare that with an almost non-existent bug reporting mechanism for the COVIDSafe app design team.  One security researcher – who, four hours after the app launched, found a critical design flaw which meant that Android phone model names and user-assigned device names were transmitted over Bluetooth, allowing for device re-identification and tracking – described the process of trying to report the flaw to the Government as like “yelling into an empty room”.  It took over a month for that flaw to be rectified, by which time the app had been downloaded 6 million times.

This was one of a number of flaws which suggest that the app was not comprehensively tested before its launch.  While there was a Privacy Impact Assessment conducted on the COVIDSafe app, its scope was limited to examining the federal Department of Health’s compliance with the federal Privacy Act.  It did not review whether the app’s build was as described, whether it worked as planned, or whether other models would be preferable.

I am not saying that the NSW check-in app is perfect.  In particular, while there is a Public Health Order directing that contact details collected via the app are only to be used or disclosed for the purposes of contact tracing, it lacks the bespoke legal protections of the COVIDSafe app, which was bolstered by specific amendments to the Privacy Act to prohibit use for secondary purposes such as law enforcement.  As debates about other check-in apps in WA, Queensland, the ACT and Victoria have shown, public trust can be damaged by broken promises about the purpose for which personal information will be used.

Those of us who urged caution in April 2020, rather than jumping on the COVIDSafe bandwagon, were criticised as not part of ‘Team Australia’.  But caution was the right response.  You need to check that the tech works, look for abuse cases and unintended side-effects, strengthen the legal protections, prohibit or prevent secondary uses, be transparent, get the messaging right, and be open to user feedback if you are going to build a successful technology project.

Above all, utility matters.  If the tech doesn’t work, if the benefits of the data collection are not realised, then all the talk about trading off privacy for other objectives like public health is meaningless.  The privacy risks will remain, along with a great big white elephant.



Privacy and gender: what to ask, when and why


Hey, before we start, can I just ask: are you male, female or other?  Are you bristling at even being asked?

Collecting accurate data on gender can, when done appropriately, be a key way to ensure a product, program or policy is designed with gender differences in mind. In fact, poor design which leads to damaging outcomes can occur when data about gender is not collected.

However, there are many instances where the knowledge of someone’s gender is completely irrelevant to the circumstance at hand, and collecting it is not only an invasion of privacy, but can also increase the severity of harm caused by misuse of that personal information, or in the event of a data breach.

Privacy harms, whether caused by data breaches, surveillance, or other invasions of privacy, do not impact everyone equally. While the focus of this piece is on gender, it’s important to always keep in mind the ways that gender intersects with other factors including race, disability, class, and sexuality.

So, read on to explore the friction between collecting gender data and enhancing privacy, and why it is essential that we consider gender when we assess privacy risks.

Language note: where I refer to ‘women’ I mean both trans and cisgender women. Trans women are women. Where it is necessary to differentiate that I am specifically talking about cis or trans women, I will make that distinction clear. While many of the issues in this piece are framed around women, they also often impact non-binary and gender non-conforming people in similar ways, at the same, if not higher rates. However there remains a lack of research regarding the intersection of privacy and gender non-conforming people and I have chosen not to cast the experience for non-binary communities as the same as it is for women.

Privacy harms are not served equal

Women have been surveilled and policed for centuries, to the extent that until relatively recently they have been perceived as having no right to privacy when it came to their sexual life.  Even now, we see particularly gendered invasions of privacy like doxing (malicious publication of someone’s personal details), stalking, and non-consensual sharing of intimate images.

Often, the harm caused by privacy loss, such as a data breach, disproportionately impacts those who are already part of a marginalised or vulnerable group, including women.

Let’s take a relatively recent, and local, example of a data breach to explore this point. In 2018, Public Transport Victoria (PTV) released a large dataset containing 15 million de-identified details of Melbourne’s contactless smart card public transport ticketing system known as Myki. Later that year, academics Vanessa Teague, Ben Rubinstein and Chris Culnane were able to re-identify themselves and others in the dataset.  The Office of the Victorian Information Commissioner investigated, and found that PTV had failed to address the possibility that individuals in the dataset could be re-identified.  (You can read more in OVIC’s investigation report.)

The point I want to make here is how we think about the impact of data breaches.  Not everyone is affected equally.

According to the Australian Bureau of Statistics, cisgender women are, on average, more likely to use public transport than men. Women are also more likely to experience stalking than men, with approximately 1 in 6 cis women experiencing stalking since the age of 15 (compared to 1 in 15 cis men). On top of this, research conducted by WESNET, Women’s Legal Service NSW and Domestic Violence Resource Centre Victoria, has found that the issue of perpetrators utilising technological means to facilitate their abuse of women is significant, and on the rise.

So with that in mind, when we consider the possible harms caused by the Myki data breach, the picture looks a lot worse for women when we apply a gendered lens to the risk assessment.  The likelihood of individuals being identified from the dataset and their patterns of behaviour analysed, and the ability for perpetrators to use that data to inflict violence or harassment on victims as a result, is much greater for women than for men.

While on the subject of statistics, research conducted by the OAIC showed that, when comparing responses from those who identified themselves as men with those from women, women are less likely to feel comfortable with location tracking, and significantly more likely to turn off GPS or location sharing on mobile devices.  Zeynep Tufekci found that men are three times more likely than women to include their contact details in their social media profiles, even after controlling for privacy and audience concerns, suggesting women are “seeking to avoid the risk of unwanted attention”.

The possible gendered privacy harms compound further when we look outside the gender binary. Trans and gender non-conforming people experience stigma and discrimination at high rates, and many make deliberate choices regarding to whom they disclose details about their gender identity or biological sex characteristics. Organisations wishing to collect data on gender need to very carefully consider the possible harm that could be caused should the personal information of gender diverse individuals be inappropriately or unlawfully accessed, used, or disclosed. In some cases, the very act of attempting to collect gender data inappropriately can cause unnecessary stress for many individuals.

Sexist algorithms

The public and private sectors alike are increasingly incorporating and, in some cases relying upon, algorithmic systems, including use of machine learning and automated decision-making systems. The existence of bias in these kinds of systems is well documented, with an increasing amount of research into the area. Here is just a small handful of examples:

The harm caused to women by these systems only increases for those who also intersect with other marginalised or minority identities, including in relation to race, disability, class and sexuality.

While upholding privacy cannot solve all the challenges associated with the use of algorithmic systems and associated risks of bias, discrimination or unfair outcomes, a robust Algorithmic Impact Assessment can go a long way to ensure that the personal information being used as inputs into these systems has been tested for fairness and accuracy. If we take an expansive view of privacy, we can use privacy risk assessment as a tool to examine the power structures of these systems, and put safeguards in place to mitigate potential gendered and other discriminatory harms.

Should we even collect gender?

We all know the drill about collection minimisation: only collect personal information that is necessary for a given purpose.  But it often seems that many organisations go into a kind of autopilot at this step: yes of course we need name, date of birth, gender.  Do you really, though? Collection of gender should not be the default, and it’s worth interrogating when it is actually necessary to know someone’s gender, and for what purpose.

Herein lies another tension: it’s unfortunately not as simple as just not collecting gender data at all. In many cases, a lack of data on gender can cause its own form of harm. In Invisible Women, Caroline Criado Perez highlights the extent to which the world has been designed by and for cisgender men. From medical testing to safety designs and protective clothing, to the size of everyday appliances, Criado Perez emphasises the very real harm that occurs as a result of taking a ‘gender neutral’ approach which actually results in using the ‘standard male’ as the default. While Invisible Women is not without its flaws, and has been criticised for using a male/female binary which ignores other genders and sex variations, it does serve as a useful collection of evidence of how male-default thinking creates real-world problems for anyone who is not a cisgender man.

Collecting accurate gender data in order to ensure a policy, program, or product is designed in a way that meets the needs and experiences of people across all genders is really important. But it always needs to be balanced against the right to privacy, including consideration when it is necessary and proportionate to know someone’s gender.

In a report specifically examining privacy and gender, the UN Special Rapporteur for Privacy suggests that, among other things, any requirement for individuals to provide sex/gender information should be:

  • Relevant, reasonable and necessary as required by the law for a legitimate purpose
  • Respectful of the right to self-determination of gender, and
  • Protected against arbitrary or unwanted disclosure or threatened disclosure of such information.

The report also recognised that “privacy offers protection against gender-based violence, discrimination, and other harms that disproportionately affect women, intersex, and gender non-conforming individuals.”

Once an organisation decides it is indeed necessary to collect gender data, it must also consider carefully how to ask for gender identity in a respectful, inclusive and meaningful way. If you wish to collect accurate data (and meet the requirements of the data quality privacy principle!), then simply offering ‘male’ or ‘female’ options is not good enough.

Here is a non-exhaustive list of tips for organisations to consider when asking for gender details:

  • Be really clear what it is you are actually asking people for. For example, do you need to know someone’s biologically assigned sex at birth for a specific medical purpose? Or do you need to understand someone’s gender identity in order to provide them with the correct services?
  • Be careful not to confuse gender identity with sexual orientation
  • Consider providing an option that enables people to self-determine their gender
  • Include a consideration of gendered impacts when assessing and mitigating against privacy risks, including consideration of the possible harms that could occur as a result of inappropriate disclosure of an individual’s gender identity

For more guidance, see this guide to collecting gender data inclusively from the Canberra LGBTIQ Community Consortium, or this one from Monash University.

The 2021 census has provided us with an example of what not to do. While there was an option for people to self-enter their gender in a free-text field, the ABS noted that those who chose the non-binary option would ultimately be randomly assigned a binary sex: male or female.  What followed was outcry that this would not capture an accurate picture of the gender diversity in Australia, and in turn erase trans and gender diverse people.  Further, while the inclusion of a free-text field was a welcome improvement to earlier iterations of the census, it was not an option on the paper form.  This left trans and gender diverse people who wished to complete the form by hand, for reasons including ability and accessibility, with no choice but to misrepresent their gender.

The paper form is also widely regarded as the more privacy-enhancing option, which meant that many were left with a choice: the increased privacy protection of a paper form, or the ability to identify their gender in a way that is meaningful to them. Nobody should have to make that kind of choice. Given that gender diverse people continue to be subject to stigma and discrimination in Australia, the privacy of their personal information should be of utmost importance.

When in doubt, go back to basics

Long established privacy considerations such as necessity and proportionality still go a long way when determining when it is reasonable to collect gender data, and what you may wish to do with it.  Collection of gender information should never be the default, as with collating any other personal information.  However, organisations should take care to avoid applying ‘male-default thinking’ to their programs and projects.  It is not acceptable to cite privacy as the rationale behind avoiding the work of collecting inclusive gender data and ensuring that outcomes do not adversely impact people who are not considered the ‘male standard’.  Regardless of whether gender data is collected or not, it is always important to consider the impacts on women, as well as trans and gender diverse people, when assessing privacy risk.


Between 7 and 11 lessons you can learn from the latest OAIC privacy case


A case involving facial recognition technology and customer satisfaction surveys offers plenty of lessons in how privacy law applies to Australian businesses.

In June 2020, the 7-Eleven chain of convenience stores began using a new customer feedback survey system in 700 stores across Australia.  Each store had a tablet device which enabled customers to complete a voluntary survey about their experience in the store.  Each tablet had a built-in camera that took images of the customer’s face as they completed the survey.

Those facial images were stored on the tablet for around 20 seconds, before being uploaded to a server in the cloud.  A third party service provider converted each facial image to a ‘faceprint’, which is an encrypted algorithmic representation of the face. The faceprint was used to infer information about the customer’s approximate age and gender.  The faceprint was also used to detect if the same person was leaving multiple survey responses within a 20 hour period on the same tablet; if multiple responses were detected, they were excluded from the survey results.

In other words, the company was using a facial recognition technology on its customers, to prevent its employees gaming a customer satisfaction survey by leaving multiple positive survey responses about their own performance.  At least 1.6 million survey responses were completed.  It is not known how many unique customers this represents.

The Office of the Australian Information Commissioner (OAIC) launched an investigation, and on 14 October published the final determination by the Privacy Commissioner Angelene Falk.  Falk found that 7-Eleven had breached APP 3.3 by collecting ‘sensitive information’ (namely, biometric templates) unnecessarily and without consent; and APP 5 by failing to provide proper notice.

The implications of this case extend beyond just the use of facial recognition technology, and offer salient lessons for organisations of all shapes and sizes.

Here are my top takeaways for businesses:

  1. You can’t contract out of your privacy obligations

You will be on the hook for what your tech provider is doing with your customers’ data.

7-Eleven tried arguing that it had not ‘collected’ any personal information because the information stored in the cloud was handled by its service provider, and that it had no access to the data.  The OAIC found that the retail company did ‘collect’ the personal information via its service provider, because the data was collected on behalf of 7-Eleven, and it had contractual control over the data.

The lesson here is that both you and your technology provider must comply with the Privacy Act.

  2. You can’t escape your privacy obligations by arguing that you couldn’t identify anyone

Sometimes you just have to laugh.  7-Eleven argued that the facial images and faceprints were not ‘personal information’ because they were not used to identify, monitor or track any individual.  But the whole point of facial recognition technology is to identify individuals, in the sense of being able to distinguish one person from another!  (Otherwise, what was the tech vendor selling – photos for the fun of it?)

Further, its deployment in this case was to monitor individuals: to see if anyone was entering multiple survey responses within short spaces of time.

The OAIC gave short shrift to 7-Eleven’s claim, and found that the faceprints were ‘personal information’, because the facial images and the faceprints were ‘about’ individuals, who were ‘reasonably identifiable’.

(‘Personal information’ is defined in the Act to mean: “information or an opinion about an identified individual, or an individual who is reasonably identifiable”.)

  3. You can invade someone’s privacy without knowing who they are

If your service provider can identify individuals, then in law so can you.  No hiding behind your tech vendor; you’re handling personal information.

Your data is not to be considered in a vacuum; the test is whether it is possible to identify an individual “from available information, including, but not limited to, the information in issue” (at [37]).  If your data can be linked to other available data to identify someone, you’re handling personal information.

The test for identifiability is not whether or not you can figure out a person’s name or legal identity; it is whether one individual can be “distinguished from other individuals” (at [38]).  If your system can single out people to interact with them at an individual level, you’re handling personal information.

  4. The collection of any type of personal information, no matter how benign, must be reasonably necessary

Under APP 3, collecting personal information because it will be “helpful, desirable or convenient” is not enough (at [58]); your collection of personal information must be “reasonably necessary” for one of your organisation’s “functions or activities”.

The OAIC in this case formulated this test as involving consideration as to whether the impact on individuals’ privacy is “proportionate to a legitimate aim sought” (at [59]).  While the OAIC noted that “implementing systems to understand and improve customers’ in-store experience” (at [102]) was a legitimate aim of the business, the collection of biometric templates was not a proportionate way to achieve that aim.

In other words, the risk posed to the individuals must be weighed against the business objectives, and serious consideration must be applied to determining whether those objectives could be achieved in a less privacy-invasive manner.

Is using facial recognition to infer age and gender a proportionate response?  No; as the OAIC noted, if such data was necessary 7-Eleven could have simply asked for age range and gender as part of the survey questions.  (Which reminds me: sometimes you don’t need to know about gender at all.)

Is using facial recognition a proportionate response to the desire to improve the accuracy of a customer satisfaction survey?  The OAIC said no:  “Any benefit to the respondent was disproportionate to, and failed to justify, the potential harms associated with the collection and handling of sensitive biometric information” (at [105]).

  5. Plus if it is sensitive information, you also need consent

In addition to the ‘reasonably necessary’ test, if the personal information you want to collect is in a sub-category known as ‘sensitive information’, under APP 3.3 you will also need the consent of the individual.  Sensitive information includes biometric information and biometric templates, as well as information about a person’s health or disability, ethnicity, religion or sexuality, amongst other categories.

While consent may either be express or implied, the OAIC noted that generally speaking, when seeking to collect ‘sensitive information’, organisations should aim for express consent, given the greater privacy impact which could arise from the handling of these special types of data.

  6. A valid consent is hard to get

All stores had a notice outside with an image of a surveillance camera.  Some of the notices also had text next to the image, which said “By entering the store you consent to facial recognition cameras capturing and storing your image”.

The 7-Eleven Privacy Policy said “By acquiring or using a 7-Eleven product or service or providing your personal information directly to us, you consent to 7-Eleven collecting, storing, using, maintaining and disclosing your personal information for the purposes set out in this Privacy Policy”.

So 7-Eleven argued to the OAIC that “if a customer did not consent to the use of this technology, the customer could elect to not enter the store or not use the tablet”.

Yeah, they really said that.

(By the way, by reading this blog, you consent to give me a million dollars, which I may or may not have spelled out in another document you probably did not see before you began reading this blog.  What, not happy?  You were completely free to not read this blog, what’s your problem?)

Except that’s not the way consent works in privacy law.

As formulated by the OAIC, the four key elements which are needed to obtain a valid consent are:

  • The individual must be adequately informed before giving consent
  • The individual must give consent voluntarily
  • The consent must be current and specific; and
  • The individual must have the capacity to understand and communicate their consent.

So let’s spell this out.

Consent is the ‘would you like sauce with that?’ question.  The question must be very specific about what is being proposed, the question must be asked about only one thing at a time, and the customer must be free to say yes or no (or say nothing, which means ‘no’), and still get their sausage roll.

Entering a store does not mean your customer consented to you collecting their personal information.

Answering a survey does not mean your customer consented to you collecting their personal information.

And importantly, your Privacy Policy is not a tool for obtaining consent.  Also, your Privacy Policy is not magic.  It cannot authorise a company to do anything that the privacy principles don’t already allow.  A Privacy Policy is solely there to inform people, in general terms, how your organisation handles personal information.

No surprise, the OAIC found that customers’ consent could not be implied by 7-Eleven.

  7. That lame sign in the window is not a collection notice

APP 5 requires organisations to take reasonable steps to notify people about the collection of their personal information – the who, what, when, where, how and why – at or before the time of the collection.  (Offering a clear notice also happens to help you meet the ‘informed’ element of consent, as mentioned above.  But you need to give notice regardless of whether you are also seeking consent for something.)

7-Eleven had signs at the entry to its shops, only some of them with text.  Even those with text did not explain that facial recognition would be used on customers answering the survey.  Even astute customers could have understood the signage to be about CCTV security cameras, not cameras on the tablets used for the customer satisfaction survey.

The OAIC found the signs insufficient to meet the requirements of APP 5, and noted that an easy approach to notice could have been taken:  7-Eleven “should have included a collection notice on, or in the vicinity of, the tablet screen. The collection notice should have notified customers … before the start of the survey, and crucially, before the first facial image of the customer was captured. This was a practical and cost-effective step that the respondent could reasonably have taken in the circumstances, to draw customers’ attention to the collection of their sensitive biometric information and the purpose of that collection”.

The lesson here: don’t let your big tech spend be undone by the failure to include a cheap solution to your privacy notice obligations.

  8. Taking a casual approach to using new tech is a legal risk

Companies need to be finely attuned to the risks that come from collecting personal information without care.  ‘Move fast and break things’ should not be your mantra.  A finding that there has been an unlawful collection by a retailer of biometric information about Australians at a large scale should cause company boards and Audit & Risk committees to ask questions about their own data practices.

And facial recognition technology?  Well that’s a whole other world of pain and risk.

When facial recognition technology is attracting calls for a moratorium, or stricter regulation, and when a Bill to use the technology for law enforcement can’t even get through Parliament because it is so controversial, and when some vendors of the technology are even re-thinking its use, and when the technology is criticised by the computer science profession for its problems with racial and gender bias, maybe don’t go around casually implementing facial recognition software for trivial purposes.

Just… don’t.

Do proper risk assessments

One of the most striking aspects of this case is that 7-Eleven was only one month into its rollout of the new technology when the OAIC began making preliminary inquiries about the company’s compliance with the law.  Yet the retailer continued with the program for another 13 months before pulling the plug, just before the Privacy Commissioner made her final determination.

That’s some pretty brave risk-taking.

The OAIC noted that a better approach would have been to conduct a Privacy Impact Assessment in advance of the program starting, which could have identified “options for avoiding, minimising or mitigating adverse privacy impacts (including by identifying potential alternatives for achieving the goals of the project without collecting such information)”, and “assisted in assessing the proportionality of collecting biometrics for the purpose of understanding customers’ in-store experience” (at [103]).

Conclusion

So beware, organisations of all shapes and sizes – you have been put on notice by the OAIC.  You can’t hide behind your tech vendors.

You need careful, risk-based consideration of all projects which will collect or use personal information.  The scope of what is regulated as ‘personal information’ is broad.  Your collection must be reasonably necessary for a legitimate purpose, and you must be able to justify the potential harms to individuals as proportionate when measured against your business objective.  Plus, if the personal information is one of the types of personal information defined as ‘sensitive’, you will also need an informed, voluntary, specific and current consent to collect it.

The days of “By entering our store / accessing this website you are consenting to whatever we put in our Privacy Policy” are over.

Privacy law reform in Australia – the good, the bad and the ugly


On 25 October 2021 the Australian government released a Discussion Paper crammed full of proposals to amend the national privacy law, as well as a Bill intended to progress certain reforms ahead of the rest.

Here’s what you need to know, to help you prepare for what’s likely ahead, or to draft a submission in response to the proposals.

The background

The power of social media and online platforms, AI, the Internet of Things and the boom in all things digital point to the need for privacy law to keep up with the challenges posed to individual privacy by new technologies.  In 2019 the Australian Competition and Consumer Commission (ACCC) published the final report from its Digital Platforms Inquiry, which considered the behaviour of the major platforms such as Facebook and Google.  The ACCC’s report highlighted risks for both consumers and businesses from the business models followed by major technology companies, which primarily rely on the collection and analysis of consumer data as the source of their wealth and power.  Amongst their other recommendations, the ACCC suggested that the Australian Government should conduct a review into whether the Privacy Act remains fit for purpose in this digital age.

In late 2019 the Government agreed to review and reform the Privacy Act, which led to an Issues Paper released in October 2020.  That Issues Paper called for submissions on whether the Privacy Act and its enforcement mechanisms remain fit for purpose.

Twelve months and 200 submissions later, the Attorney General’s Department has released a Discussion Paper, containing both specific proposals and less settled options for reform, clustered around 28 topics, each with their own chapter.

At 217 pages it’s not a quick read, so here are the highlights, followed by our take on key elements of the proposals: the good, the bad and the ugly.

The proposals in the Discussion Paper

Not surprisingly given the European Parliament moving on AdTech, Google phasing out third party cookies, Apple lifting the veil on third party online tracking, and wave after wave of public revelations about the toxic impact of Facebook’s activities, the Discussion Paper has much to say about digital harms, targeted advertising, personalised content and the role of online identifiers.

First, the Discussion Paper proposes a re-drafting of the threshold definition of ‘personal information’, so that it explicitly recognises and includes online identifiers and technical data, and encompasses the use of data with individuated effects.  By moving closer to the GDPR’s model which includes online identifiers, indirect identification and the notion of ‘singling out’, this proposal alone will help strengthen and modernise Australia’s privacy laws.

Second, there is an intention to reduce reliance on the ‘notice and consent’ self-management model of privacy regulation, in favour of stricter limits on collection, use and disclosure.  With another proposal likely to gain plenty of attention, the Discussion Paper proposes a ‘fair and reasonable’ test to be applied to collection, use and disclosure, on top of existing rules around collection necessity and purpose limitation.

Third, consent.  While moving away from requiring consent for routine activities, it appears consent will remain as an option for authorising some types of information handling practices.  The Discussion Paper proposes to tighten the legal tests for what constitutes a valid consent, by building into the legislation what has to date been guidance from the Office of the Australian Information Commissioner (OAIC): that consent must be voluntary, informed, specific and current, and requires an “unambiguous indication through clear action”.  Combined with another proposal, which is to require ‘pro-privacy defaults’ when choices are to be offered to users, these proposals should spell the end of companies using dark patterns to trick people into sharing their personal information, and then claiming ‘consent’ as their lawful basis for collection, use or disclosure.

Fourth, the Discussion Paper proposes to abolish an existing rule about using or disclosing personal information for direct marketing (Australian Privacy Principle 7), in favour of applying the same standards as for other activities (APP 6).  But then direct marketing is mentioned again elsewhere, which leads us to the next significant proposal.

Without yet landing on a firm model, the Discussion Paper suggests some options for regulating how organisations deal with scenarios which inherently pose a higher privacy risk.  The Privacy Act currently sets some slightly tougher tests for handling some categories of data known as ‘sensitive information’, such as information about an individual’s health or disability, ethnicity, religion and sexuality.  However the Discussion Paper seeks to broaden out this idea to a notion of restricted acts, to which higher standards will apply.  What is potentially within scope includes not just the handling of ‘sensitive information’, but also some additional types of data such as location data and information about children, and some particular types of practices such as direct marketing, and automated decision-making with legal or significant effects.  The Discussion Paper also asks for further submissions on whether the best way to regulate these types of higher risk practices is by self-management (i.e. requiring individuals to consent), or by organisational accountability and risk management (i.e. requiring organisations to conduct Privacy Impact Assessments or take other steps to identify and mitigate the risks posed by their practices).

GDPR equivalence?

One of the themes running through this review process is the need to ensure that the Privacy Act is brought closer into line with the GDPR, in the hope that Australia could finally secure an ‘adequacy’ decision from the European Commission, which would beautifully simplify matters for businesses, Unis and other organisations which deal with customers or service providers in Europe. To date, an adequacy ruling has escaped Australia, primarily because of a number of carve-outs from the Privacy Act’s coverage of the private sector, including exemptions for small businesses, employee records, political parties and media organisations.  Yet the Discussion Paper has not directly proposed removing these carve-outs; instead, it raises a number of issues and options, and calls for yet more submissions on the pros and cons of abolishing those four exemptions.  So expect to see significant debate, with further pushback from organisations currently benefitting from the exemptions.

Also showing evidence of looking to other jurisdictions for influence and ideas, the Discussion Paper proposes introducing some GDPR-type individual rights, such as the right to erasure and the right to object.

Finally, the Discussion Paper has thrown out a few different models to improve access to justice, including consideration of a statutory tort of privacy (though without yet committing to a particular model, if any), and/or a direct right of action for individuals with a complaint about a breach of a privacy principle.  At present complainants can only approach the OAIC, whose backlog of complaints creates delays and operates as a barrier to resolution.  The ability to take a complaint to a court with the power to order compensation – as happens now under some State privacy laws – could see a meaningful improvement in access to justice for those individuals keen to have their day in court.

Our two cents’ worth

OK, I would like to think that our views are worth more than just two cents, but here’s a taste of what the Salinger Privacy submission on the Discussion Paper will focus on.

Overall I believe the proposals represent some sensible ways to strengthen the law to deliver on both political promises and community expectations to modernise the Act to effectively deal with digital harms, but there are some opportunities not yet grasped, and a few things in need of a fix.

THE GOOD

The definition of personal information

In chapter 2, the Discussion Paper proposes some minor edits to the definition of personal information:

Personal information means information or an opinion that relates to an identified

individual, or an individual who is reasonably identifiable:

  (a) whether the information or opinion is true or not; and
  (b) whether the information or opinion is recorded in a material form or not.

 An individual is ‘reasonably identifiable’ if they are capable of being identified, directly or indirectly.

By amending the definition to cover information that “relates to” an individual, instead of the current test which is “about” an individual, the proposed reforms will address some of the confusion caused by the Grubb v Telstra line of cases, as well as bring the Privacy Act into line with the newer Consumer Data Right (CDR) scheme.  This is good news.

Another welcome development is a proposed non-exhaustive list of what will make someone “capable of being identified, directly or indirectly”, with examples including location data, online identifiers, and “one or more factors specific to the physical, physiological, genetic, mental, behavioural (including predictions of behaviours or preferences), economic, cultural or social identity or characteristics of that person”.

Importantly, the Discussion Paper states that the new definition “would cover circumstances in which an individual is distinguished from others or has a profile associated with a pseudonym or identifier, despite not being named”.  This is a very important and positive development, to help address the types of digital harms enabled by individuation – that is, individualised profiling, targeted advertising or messaging, and personalised content which can cause harm, but which currently escapes regulation because organisations can claim that they don’t know who the recipient of their messaging is.

However, I would like to see this language actually used in the definition itself, to be absolutely sure that ‘identifiable’ in law incorporates the notion ‘distinguished from others even if identity is not known’.  (For more on how the GDPR’s notion of ‘singling out’ may or may not include people whose identity is not knowable, see our research paper on the subject.)

As Sven Bluemmel, the Victorian Information Commissioner, put it recently:  “I can exploit you if I know your fears, your likely political leanings, your cohort.  I don’t need to know exactly who you are; I just need to know that you have a group of attributes that is particularly receptive to whatever I’m selling or whatever outrage I want to foment amongst people.  I don’t need to know your name.  And therefore, arguably depending on how you interpret it, I don’t need ‘personal information’.  I just need a series of attributes that allows me to exploit you.”

That’s why we need the definition of personal information to indisputably cover individuation, as well as identification, of individuals.

Some of the other aspects of the proposals are a mixed bag.  Sticking with the threshold test that a person must be ‘reasonably’ identifiable will not address current weaknesses in the definition.  The word ‘reasonably’ waters down the scope of the definition more so than other international privacy laws, which set the threshold at any degree of identifiability.

Whether or not someone is ‘reasonably’ identifiable is not a measure of the likelihood that someone will suffer harm, but is a test based on ‘reasonable’ levels of resources and motivation.  This leaves a gap between the test applicable to the data holder, and the reality of whether or not an individual can actually be identified from the data, such as by a motivated party willing to go beyond ‘reasonable’ steps.  The OAIC has said that an individual “will be ‘reasonably’ identifiable where the process or steps for that individual to be identifiable are reasonable to achieve”.  So even where re-identification of patients from the publicly released MBS/PBS data was demonstrated by a team of experts, the OAIC found that the steps the experts took to achieve actual re-identification were more than ‘reasonable’, and therefore the data did not meet the definition of ‘personal information’.

Yet the Discussion Paper also says that on the flipside, to apply de-identification such as to fall outside the scope of the definition of ‘personal information’, an organisation must meet a test which is that there is only an “extremely remote or hypothetical risk of identification”.

In my view there is a gap between the test arising from the definition of personal information (“not reasonably identifiable”) and the test in the proposed definition of de-identified data (“extremely remote or hypothetical risk of identification”), creating a legislative no-man’s land of data which is not personal information but nor is it de-identified.  There should not be a gap between the two.

Not acting to close that gap would represent a missed opportunity to bring within scope for regulation the types of harm evidenced by various submissions made to the review thus far.  Bad actors will continue to argue that because no one is ‘reasonably’ identifiable in their data, they are not regulated by the Act at all.

It’s not difficult to anticipate the argument from AdTech and others: ‘Well it wasn’t reasonably identifiable information because we cleverly used hashed email addresses to match up customer records from different devices and different apps and share user attributes between different companies’.

(I say it’s not difficult to anticipate this argument because that’s how data broker LiveRamp, formerly known as Acxiom, says they draw data from multiple publishers, sites, devices and platforms (aka “gain second-party segments or third-party data”), build customer profiles and then target ads to around 7 million Australians online.  Their website claims to offer ‘data anonymization’ because “LiveRamp removes personally identifiable information (PII) and replaces it with pseudonymous record keys during our matching process so you can use data with confidence”.

Um, what?  As the GDPR makes abundantly clear, use of pseudonymous record keys which enable data linkage does not ‘anonymization’ make.  This marketing double-speak about ‘anonymization’ makes me feel like Inigo Montoya in The Princess Bride: “You keep using that word, but I do not think it means what you think it means”.

So maybe individual identities are hidden during the matching process, but the end result is still that Company A can find out new information about their customers, or individually target people who are not their customers but who have ‘lookalike’ characteristics, using data collected by Companies B, C and D.  This is the kind of online tracking, profiling and targeting of individuals across the web that the phase-out of third party cookies is supposed to stop.)
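To make the point concrete, here is an added illustration in Python.  It is not code from the original post, and it is not LiveRamp’s actual matching process (which is not public); it is a constructed sketch of the generic ‘hashed email’ match-key technique, with made-up company names, email addresses and segments.  It shows two things: that a deterministic hash of a normalised email lets a broker join records about the same person across unrelated companies without ever seeing a name, and that anyone holding a list of candidate addresses can reverse those ‘anonymous’ keys by brute force.

```python
"""Why a hashed email is a pseudonymous linkage key, not anonymisation.

Constructed example: two unrelated companies hash their customers' emails
the same way and hand only the hashes to a broker. Because SHA-256 of a
normalised email is deterministic, the broker can join the two datasets
record by record, and anyone with a list of candidate addresses can
reverse the hashes by brute force. All names and data below are made up.
"""
import hashlib
from typing import Dict, Iterable, List


def hashed_email(email: str) -> str:
    """Normalise then hash, as AdTech 'hashed email' match keys typically do."""
    normalised = email.strip().lower()
    return hashlib.sha256(normalised.encode("utf-8")).hexdigest()


# Constructed customer records held by two separate companies.
COMPANY_A = [
    {"email": "Alice@Example.com", "segment": "home_loans"},
    {"email": "bob@example.org", "segment": "gym_membership"},
]
COMPANY_B = [
    {"email": "alice@example.com", "segment": "pregnancy_vitamins"},
    {"email": "carol@example.net", "segment": "gaming"},
]


def pseudonymise(records: Iterable[dict]) -> Dict[str, dict]:
    """What each company shares: the hash as key, the raw email dropped."""
    return {
        hashed_email(r["email"]): {k: v for k, v in r.items() if k != "email"}
        for r in records
    }


def link_records(a: Dict[str, dict], b: Dict[str, dict]) -> Dict[str, List[str]]:
    """Broker-side join: the same key in both sets means the same person.
    No name is needed to build a combined profile."""
    linked = {}
    for key in a.keys() & b.keys():
        linked[key] = sorted({a[key]["segment"], b[key]["segment"]})
    return linked


def dictionary_attack(keys: Iterable[str], candidates: Iterable[str]) -> Dict[str, str]:
    """Recover the emails behind the keys from any list of likely addresses
    (a breach dump, a subscriber list, or name@domain guesses)."""
    lookup = {hashed_email(c): c for c in candidates}
    return {k: lookup[k] for k in keys if k in lookup}


if __name__ == "__main__":
    shared_a = pseudonymise(COMPANY_A)
    shared_b = pseudonymise(COMPANY_B)
    profile = link_records(shared_a, shared_b)
    print("linked profiles:", profile)
    # Constructed candidate list standing in for a leaked mailing list.
    guesses = ["alice@example.com", "dave@example.com"]
    print("reversed keys:", dictionary_attack(profile.keys(), guesses))
```

The design point is the one the GDPR makes: a key that is stable across data holders is there precisely so that records can be linked, which is the opposite of anonymisation.  A keyed hash (for example an HMAC under a secret that each company keeps to itself) would stop the cross-company join, but it would also defeat the purpose of a ‘match key’, which is why the industry does not use one.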

So Salinger Privacy will be arguing that the word ‘reasonably’ in the definition needs to go the way of the dinosaurs, and that the line between identifiable and not should be based on the “extremely remote or hypothetical risk of identification” test.

The Discussion Paper also proposes to add a definition of ‘collection’ that expressly covers “information obtained from any source and by any means, including inferred or generated information”.  This would be an improvement, but I would argue that the definition of ‘collection’ needs to be pitched not in relation to the nature of the information but to the action of generating or inferring information.

Also, I suggest that inferred or generated data should be included in the list of things which comprise ‘personal information’.  Otherwise here’s the likely conclusion from AdTech and similar players: ‘The inferences we drew happened some time after we collected the data, so that’s not a ‘collection’ but a ‘use’, and the Act doesn’t say that APP 6 (which regulates ‘use’) applies to inferred information, so woo hoo we’re off the hook’.

(I know that’s not what the OAIC or the Discussion Paper mean when they talk about ‘collection by creation’, but instead of letting those arguments play out in some expensive litigation between the OAIC and Big Tech in the future, let’s nip them in the bud now with some clear legislative drafting.)

Again, I’m not just hypothesising here about what certain players might say.  Take a look at Facebook’s submission on the Issues Paper, which says that the information it infers about people is not, and should not be, regulated as ‘personal information’.  Facebook wants to protect its investment of “time, money and resources” in developing and using its inferences about people, which instead of being treated as personal information worthy of legal protection are characterised in the submission as the company’s “intellectual property” which should be protected from “inappropriate interference”, by which it means having to comply with the APPs.

The ‘fair and reasonable’ test

In chapter 10, the Discussion Paper proposes the introduction of a new requirement: that “collection, use or disclosure of personal information under APP 3 and APP 6 must be fair and reasonable in the circumstances”.

This is proposed in relation to routine activities (e.g. use or disclosure for a primary purpose, or a directly related secondary purpose), and activities authorised on the basis of the individual’s consent.  It is not proposed to apply to activities authorised under a different law, or under an exemption such as those relating to law enforcement or research purposes.

To supplement this ‘fair and reasonable’ test, the proposal includes factors which could be legislated as relevant to any application of the test.  The draft list is:

  • Whether an individual would reasonably expect the personal information to be collected, used or disclosed in the circumstances
  • The sensitivity and amount of personal information being collected, used or disclosed
  • Whether an individual is at foreseeable risk of unjustified adverse impacts or harm as a result of the collection, use or disclosure of their personal information
  • Whether the collection, use or disclosure is reasonably necessary to achieve the functions and activities of the entity
  • Whether the individual’s loss of privacy is proportionate to the benefits
  • The transparency of the collection, use or disclosure of the personal information, and
  • If the personal information relates to a child, whether the collection, use or disclosure of the personal information is in the best interests of the child

This is a welcome suggestion, but in my view it still needs some strengthening.  Otherwise imagine the argument from tech platforms about why content which might harm teenage girls or push vulnerable people towards extremism is still being fuelled by algorithms designed to generate ‘engagement’:  ‘Well our free services need ad revenue to operate, for ads to be successful we need high levels of engagement with the platform, to get high levels of engagement we need users to see certain content which we know will engage them, and so in those circumstances this [anorexia-promoting / conspiracy-theory fuelled / hate-filled / extremist / genocide-promoting / do I need to keep going about the types of harms here] content is “reasonably necessary to achieve the functions and activities of” our company, and anyway we can’t foresee which of our users are at “risk of unjustified adverse impacts or harm” from that content, but just in case we have included something in our T&Cs to set expectations and be transparent, so we have now met the “fair and reasonable” test’.

Also, I would argue that the ‘fair and reasonable’ test should apply to all instances of collection, use and disclosure, including where the collection, use or disclosure is authorised by another law, or under an exemption.  The ‘fair and reasonable’ test should be able to flex to the circumstances of the use case.  Think about the data hungry activities of Australian Government agencies: the likes of the ATO, Centrelink and the NDIA often operate on the basis of specific legislative authority to collect, use or disclose personal information.  Shouldn’t we expect those activities to also be ‘fair and reasonable’?

Perhaps then agencies wouldn’t be able to get away with releasing deeply intimate information about a person’s relationship history, tax affairs and social security benefits to a sympathetic journalist, in response to some public criticism about their agency.

And don’t we want our law enforcement agencies to also only use personal information in a ‘fair and reasonable’ manner?  Legitimate investigations and even covert surveillance will be ‘fair and reasonable’ in the right circumstances.  After all, police forces with nothing to hide will have nothing to fear, right?

Accountability for high privacy impact activities

Another significant proposal is the idea to create a list of ‘restricted practices’, which while not prohibited will require additional steps from organisations to identify and mitigate privacy risks.

The draft list (at Proposal 11.1) is:

  • Direct marketing, including online targeted advertising on a large scale
  • The collection, use or disclosure of sensitive information on a large scale
  • The collection, use or disclosure of children’s personal information on a large scale
  • The collection, use or disclosure of location data on a large scale
  • The collection, use or disclosure of biometric or genetic data, including the use of facial recognition software
  • The sale of personal information on a large scale
  • The collection, use or disclosure of personal information for the purposes of influencing individuals’ behaviour or decisions on a large scale
  • The collection use or disclosure of personal information for the purposes of automated decision making with legal or significant effects, or
  • Any collection, use or disclosure that is likely to result in a high privacy risk or risk of harm to an individual.

While not explicitly saying so, this proposal looks a lot like the introduction of mandatory Privacy Impact Assessments for certain activities.  (Proposal 11.2 also suggests alternatives to organisational accountability which instead rely on self-management options like requiring consent, explicit notice or opt-outs, but they are clearly not the favoured option and we know that notice and consent is broken, so let’s not even go there.)

The Australian Government Agencies Privacy Code already makes PIAs mandatory for the public sector in relation to ‘high privacy risk’ activities, with the OAIC maintaining a list of the types of activities it considers to inherently pose high levels of risk.  This new proposal looks set to extend the requirement to the private sector as well.

Through its latest determinations against 7-Eleven and Clearview AI, the OAIC was already signalling that PIAs are now expected under APP 1 for what it is calling ‘high privacy impact’ activities, as a way for organisations to demonstrate that they have effective privacy risk management processes in place.

The Salinger Privacy submission will argue that this list of ‘restricted practices’ should be incorporated into APP 1, and be the trigger for a mandatory PIA to be conducted.  However even better would be to adopt the GDPR model, which is that if, after the conduct of a PIA and the implementation of all mitigation strategies, there is still a residual level of high risk, then the regulator must be consulted, and the regulator has the power to stop or prohibit the activity.  (Now that might have stopped a company like Clearview AI in its tracks sooner.)

I will also suggest a tweaking of the list of ‘restricted practices’.  For example instead of just “online targeted advertising on a large scale”, I would throw in behavioural tracking, profiling and the delivery of personalised content to individuals.  (Netflix and the ABC’s iView would otherwise be able to say ‘Well we don’t show ads so this list does not apply to our activities’.)

Conversely, I would not consider all direct marketing to be a high privacy impact, even when delivered at scale.  A brochure mailout or email newsletter delivered to the first party customers of a retailer poses very low privacy risk if there is no personalisation of messaging or pricing, or tracking of engagement or conversions.

Some further food for thought is whether or not the OAIC should be able to add to the list of restricted practices, and/or whether or not some ‘restricted practices’ should instead be prohibited, either by the Act or via OAIC developing guidance over time about ‘no-go’ zones.  Recent calls for a moratorium on the use of facial recognition in government come to mind.

Children’s privacy

Kids’ privacy is getting a lot of attention in these and related proposals from the Australian Government.  Whether or not a proposed activity is in the best interests of a child gets a mention in the list of factors relevant to applying the ‘fair and reasonable’ test (Proposal 10.2), and processing personal information about children on a large scale is included in the list of ‘restricted activities’ which will require additional risk mitigation steps (Proposal 11.1).

Plus Proposal 13 raises the curly and interrelated issues of children’s capacity, parental consent, and age verification.  The Discussion Paper proposes two options on which the Government is seeking feedback: require parents to consent on behalf of children for all instances of handling personal information about children under 16, or only for those instances where the lawful basis for collecting, using or disclosing the information is ‘with consent’ in the first place.

In my view, the first option is utterly unworkable.  So many legitimate and routine activities need to happen in a child’s life without stopping to ask for a parent’s consent for every separate thing.  Imagine a school contacting a parent to ask ‘do we have your consent to collect and use information about what little Johnny did in the playground at recess today?’  (If the parent says ‘no’, then what?)  Such a legal requirement would either cause routine activities to grind to a halt, or organisations will implement horrible unwieldy bundled ‘consents’, which will make a mockery of Proposal 9 – which is to spell out in legislation that every consent must be voluntary (i.e. not part of the conditions of use), informed, current, specific (i.e. not bundled), and an unambiguous indication through clear action.

The Discussion Paper is also asking for feedback on whether organisations should be permitted to assess capacity on an individualised basis, rather than taking a fixed date – the child’s 16th birthday – as the magical day on which they transform from helpless to capable of making independent decisions.

Plus there’s plenty more about kids’ privacy to be found in the Online Privacy Bill, discussed further below.

Regulation and enforcement

There’s a whole lot going on under this heading in the Discussion Paper (chapters 24-28).

Some of the proposals seek to fix long-standing enforcement problems, or propose sensible measures like a tiered civil penalty regime.  (That will be particularly important if small businesses are brought into the fold.)  So far so good.

Some are more radical ideas like industry funding of the OAIC, as happens now with the corporate regulator ASIC, and splitting apart the OAIC’s functions so that a ‘Privacy Ombudsman’ handles the complaints function.  This idea of splitting policy / strategic / advisory functions off from the complaints-handling / enforcement functions is pretty funny, when you consider that the OAIC was created explicitly to bring those functions all under the one roof for privacy and FOI.  (Just fund the OAIC properly will be my submission in response.)  I should probably move this idea into the ‘Bad’ pile.  Which brings us to…

THE BAD

Criminalising re-identification

Ugh, the criminalisation of re-identification rears its head again!  First prompted in 2016 by some egg-on-faces in the Australian Government when the MBS/PBS dataset was shown to have not been properly de-identified before its public release, instead of penalising, say, the release of poorly de-identified data in the first place, the Government moved to criminalise the conduct of researchers and security specialists who conduct re-identification attacks on data.  This terrible, horrible, no good, very bad idea was rightly criticised by the Privacy Commissioner and opposed in Parliament due to fears of its impact on public interest research and cybersecurity efforts.

Why re-introduce the idea now (Proposal 2.6)?  Just… no.  If you’re worried about malicious re-identification attacks on public data, introduce a statutory tort.  Don’t penalise the white hat hackers.

Also: dear governments, please stop drinking the Kool-Aid on the wonders of open data.  De-identification is not a magic solution to privacy compliance, and unit record level data is unlikely to ever be safe for public release unless treated with some pretty complex differential privacy techniques, as was demonstrated in 2016 (MBS/PBS), 2018 (Myki), and 2020 (Flight Centre).

A direct right of action that’s not very… direct

Chapter 25 discusses the idea of a ‘direct right of action’.  The ACCC recommended that “individuals be given a direct right to bring actions and class actions against APP entities in court to seek compensatory damages as well as aggravated and exemplary damages (in exceptional circumstances) for the financial and non-financial harm suffered as a result of an interference with their privacy under the Act”.

The Discussion Paper noted a number of submissions made about the OAIC’s lack of resources, which has caused complaint-handling delays, and means it operates as a ‘bottleneck’.  Unlike in other jurisdictions, the OAIC is effectively the gatekeeper, and can dismiss complaints without proceeding to either conciliation or a formal determination, thus quashing the complainant’s appeal rights.

So you would think a direct right of action would fix that, right?  Er, no.  Proposal 25.1 is to create a right of action which is only triggered if the complainant first goes to the respondent, then to the OAIC, and then can only proceed to the Federal Court if the OAIC first determines that the complaint is suitable for conciliation.  Too bad if they dismiss it instead, or if it languishes in the queue so long that the respondent has skipped town in the meantime.

For a ‘direct right of action’ it’s not very… direct.  Nor is it very accessible to most people.  Hands up who wants to pay a QC in the Federal Court and be exposed to costs orders if you lose?

Other jurisdictions do this better.  NSW for example allows privacy complainants to lodge a complaint in a no-cost tribunal, so long as they first complained in writing to the respondent and the respondent did not resolve the matter to the complainant’s satisfaction within 60 days.  The NSW Privacy Commissioner has a right to be heard in the tribunal, but does not operate as a brake or a bottleneck on matters proceeding.  A cap on compensation keeps things manageable for respondents.

THE UGLY

There are some aspects of the proposals which are messy, or about which the politics could get messy.

The bits they squibbed

The Discussion Paper kicked the can down the road on the four major exemptions: small businesses, employee records, political parties and media organisations.  Rather than propose specific outcomes, chapters 4-7 of the Discussion Paper dance around these contentious areas, while calling for further submissions on a number of questions.

(So if you have a view, make a submission!)

For example, consideration of the small business exemption includes whether, rather than just bringing all businesses within scope of the Act, as comparable jurisdictions do, certain ‘high risk’ practices should be prescribed in.  In my view, creating yet more exceptions to an exemption will create confusion, and would be unlikely to lead to an ‘adequacy’ ruling from the European Commission.

Then there’s the idea of a statutory tort of privacy (chapter 26), which has been kicking around as an idea for what seems like forever, but which never quite makes it over the line, despite it enjoying pretty widespread support other than from the media and other businesses afraid of being sued for serious invasions of privacy.  The Discussion Paper throws up four options, one of which is to not introduce a tort but extend the application of the Act to “individuals in a non-business capacity for collection, use or disclosure of personal information which would be highly offensive to an objective reasonable person”.

Individuals doing offensive things are hardly going to respond to a letter from the OAIC.  Nor will this resolve the problem for victims who have suffered harm at the hands of organisations which are exempt, or at the hands of rogue employees, whose employers get to escape liability.

Individual rights

OK, so I know that the proposed rights of objection (Proposal 14) and erasure (Proposal 15) will generate a lot of attention, but I just can’t get too excited about them.  We already have a right to opt out of direct marketing, and we can withdraw consent to activities which were originally based on our consent, like participation in a research project.  We also already have a right of correction, which the OAIC has said can include deletion in some circumstances.

While I’m not opposed to introducing more rights, the right to erasure in particular is mostly privacy theatre.  It will cause messy compliance headaches, but deliver little of substance for individuals.  Better to prohibit or prevent bad practices by organisations in the first place, than rely on individuals having to clean up afterwards.

Conversely, the discussion of automated decision-making does not propose any new rights, yet this is an area in which rights could actually make a significant difference.  Think what a right to algorithmic transparency, explainability, auditability and review could do to prevent the next Robodebt-type snafu!  Proposal 17 just suggests that people be told, via an organisation’s Privacy Policy, if automated decision-making is being used.  This will achieve… nothing much.  I think we deserve better.

The Online Privacy Bill

And now we come to the messiest bit of all: the law reform you have when you’re still in the middle of consulting about law reform!

The government has, for some years, been flagging its intention to significantly increase penalties for breaches of the Privacy Act, to levels closer to the GDPR and equal to the CDR scheme and the Australian Consumer Law.  So, as expected, the Government is proposing to increase the civil penalties for an interference with privacy (such as a breach of an APP), from its current maximum of $2.1M, to whichever is greatest out of $10M, three times the value of the benefit gained by the organisation from their conduct, or 10% of domestic annual turnover.

But rather than include that in the Discussion Paper, the Government is moving on penalties ahead of the rest of the review, with a Bill also out for public consultation at the same time as the Discussion Paper.

Great, I thought – let’s do it!

But not so fast.  There is a world of difference between Schedules 1, 2 and 3 of the Online Privacy Bill.

Schedules 2-3, or what is described in the Explanatory Paper as ‘Part B’ of the Privacy Legislation Amendment (Enhancing Online Privacy and Other Measures) Bill 2021, involve increasing the civil penalties as outlined above, as well as some other tweaking of OAIC powers when conducting investigative or enforcement activities.

Schedules 2-3 of the Bill will also improve the Privacy Act’s extra-territorial reach, by removing the condition that – to be within reach of the law – an organisation has to collect or hold personal information from sources inside Australia.  So foreign companies which collect personal information of Australians from a digital platform that does not have servers in Australia will more clearly be subject to the Privacy Act.

Schedules 2-3 of the Bill get the big tick of approval from me.

Schedule 1 on the other hand…

Schedule 1, or what is described in the Explanatory Paper as ‘Part A’ of the Bill, creates a space in the Privacy Act for the introduction of a binding ‘Online Privacy Code’, which would create new obligations for certain kinds of bodies: social media companies, data brokers, and large online platforms.  Either the industry would need to develop the Code within 12 months, or the OAIC can step in and develop it.

The content of the Code would need to flesh out how some of the APPs will apply in practice to those industries, and would cover three broad areas:

  • Upgrading the APPs in relation to privacy policies, collection notices and what consent means
  • Introducing a right to object (i.e. the ability for a consumer to ask a company to cease using or disclosing their personal information), and
  • Some vague ideas about how to protect children and vulnerable groups (plus one concrete but terrible idea).

The Discussion Paper for the main review process says that the Online Privacy Bill “addresses the unique and pressing privacy challenges posed by social media and online platforms”.  But in reality most of those issues, like the role of notice and consent and how to protect children, are not unique to social media or online platforms, and – if you have read this far you will know – most of these issues are already being addressed in the broader Discussion Paper.

The one big thing that’s in Schedule 1 of the Online Privacy Bill that’s not also in the Discussion Paper is age verification for the use of social media, along with a requirement for parental consent to sign up users under 16.

You know what that means, right?  It means age verification for everyone, not just the kids.  And age verification usually means identity verification, which means giving Big Tech more personal information.  Which is not very privacy-friendly, for a Bill supposed to be about privacy.

So where has this come from, and why is it not part of the rest of the reform and review process?

Age verification and parental consent is part of a bigger political crackdown on Big Tech, which is driven by reactive politics rather than sensible policy.  It fits snugly alongside the Prime Minister’s ‘real names in social media’ and ‘voter identification’ thought bubbles, which play well with voters but which are terrible ideas that create more problems than they solve.

Here is my bold prediction: age verification will fail, as it always does.  But meanwhile this issue alone will prove to be a furphy which distracts from the bigger issues raised by the wider Act review.

This is some bad politics.  Schedule 1 of the Bill plays into the hands of social media companies, who can sit back and enjoy the debate about age verification and online anonymity, while doing precisely nothing about the underlying business model which causes harms, not only to children.

(Also excuse me but politicians who voted against revealing who funded Christian Porter’s blind trust don’t get to complain about anonymity online.)

Plus, besides the anti-privacy age verification bit of the Bill, I have some more pragmatic concerns.

First, making parents consent before letting kids under 16 loose on social media will do nothing to change the data exploitative business model underpinning social media, or the harms that flow from it.

Second, the most toxic of the bad actors will drag out the process for developing the Code, then they will argue that they’re not covered by the Code, then they will argue about the definition of personal information some more.  (The US experience with the Californian privacy law suggests that we will end up in arguments about what it means to ‘trade’ in personal information, what it means to ‘enable online social interaction’, and so on.)

Third, the whole idea of an Online Privacy Code massively over-complicates the regulatory environment.  Just fix the Privacy Act for all players, instead of introducing a two-tier regulatory system.  One of the strengths of the Privacy Act is its technology and industry neutral position.  Why mess with that?  For example, any new provisions for protecting children and vulnerable groups, or for clarifying the elements needed to gain a valid consent, should apply to all sectors – as is already proposed in the Discussion Paper.

Politically, the government is keen to be seen to beat up on Big Tech ahead of the election, so the Online Privacy Bill makes it looks like they are doing something, while ignoring the bigger issues which show the need to reform the Privacy Act for all players.

NEXT STEPS

Submissions on the Online Privacy Bill are due by 6 December, so get your skates on for that one.  (Sorry, there goes the weekend.)

Submissions on the Discussion Paper are due by 10 January.

2022 will no doubt bring plenty of robust discussion about the shape of privacy regulation in Australia, as we attempt to mould our legislation into a more contemporary design, to reflect the realities of the digital economy.

Photograph (c) Shutterstock

Why can’t Aunty get the ABCs of privacy right?


The ABC says it is “committed to protecting your privacy”.  So why are they giving our data to Facebook and Google?

The ABC Privacy Policy was updated in late 2021, to “reflect some changes to the way in which your information will be handled as we look to help Australians find more content likely to be of interest to them”.

The changes include “disclosing hashed email addresses to Google and Facebook to show you promotions for ABC Content likely to be of interest to you on those platforms, unless you choose to opt out”.

In other words, if you have an ABC Account (e.g. if you login to watch iview or use the ABC Listen app), you will be individually profiled and potentially targeted by Facebook or Google, based on information about you given to those companies by the ABC – unless you have first figured out this practice is going on and then activated your privacy settings to opt out.

Is this legal?  Can the ABC really match up data about its viewers and listeners with Google and Facebook, without your consent?

That depends on your interpretation of the Privacy Act as it stands today.  The confusion over what is allowed is a good illustration of why the Privacy Act is in need of reform – but I will come back to that later.

Won’t hashing protect me?

The AdTech and data broking industry like to say that they are protecting your privacy, or sharing only ‘de-identified’ data, by using ‘hashed’ email addresses when they exchange data about you.  Hashing is a one-way scrambling process: your email address becomes a fixed-length string of gibberish from which the original cannot be computed directly.  But if you use the same email address to log in to two or more sites (and most of us do), and if those companies normalise and hash it the same way (which is the whole point of a ‘match key’), the string of gibberish becomes a persistent unique identifier for you, which can then be used to match and link up all the other data held about you by those companies.  And because the set of plausible email addresses is small, anyone holding a list of candidate addresses can simply hash them all and compare, recovering the ‘real’ address behind the hash.  A hashed email address is a pseudonym, not anonymity.

So that claim about protecting your privacy is a furphy.

The fact that no ‘names’ or even ‘real’ email addresses are exposed in the middle of the data-sharing process makes no difference to the end privacy impact, which is that you will be shown specifically targeted ads or other forms of personalised content, because of the richness of the information about you that has been shared between companies, behind your back.
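To make the point concrete, here is an added example (not the ABC’s code, nor any platform’s): it builds the hashed-email ‘match key’ the way AdTech exchanges do, joins two constructed customer tables on that key without either side seeing a real address, and then recovers an address from its hash with a small dictionary.  SHA-256 as the algorithm, and all of the names, addresses and viewing records, are assumptions made for the illustration.

```python
import hashlib
from itertools import product


def hash_email(address: str) -> str:
    """Build the 'hashed email' match key used when audience data changes hands.

    Both parties must normalise identically (trim, lower-case) and use the same
    algorithm, or the keys will not line up. SHA-256 is assumed here.
    """
    normalised = address.strip().lower()
    return hashlib.sha256(normalised.encode("utf-8")).hexdigest()


# Constructed sample data: a broadcaster's account holders and a platform's users.
BROADCASTER_ACCOUNTS = {
    "Jane.Citizen@example.com": {"watched": ["The Newsreader", "Foreign Correspondent"]},
    "sam@example.net": {"watched": ["Gardening Australia"]},
    "kim@example.org": {"watched": ["Kath & Kim"]},
}
PLATFORM_PROFILES = {
    "jane.citizen@example.com": {"name": "Jane Citizen", "age_band": "35-44"},
    "alex@example.com": {"name": "Alex Nguyen", "age_band": "18-24"},
    "kim@example.org": {"name": "Kim Day", "age_band": "45-54"},
}


def keyed_by_hash(records: dict) -> dict:
    """Re-key a customer table by hashed email, as the 'de-identified' export would be."""
    return {hash_email(addr): data for addr, data in records.items()}


def join_on_hashed_email(left: dict, right: dict) -> dict:
    """Link two companies' records that share a hashed email key.

    Neither side needs the other's real addresses for the join to work, which is
    exactly why hashing changes nothing about the privacy outcome.
    """
    lh, rh = keyed_by_hash(left), keyed_by_hash(right)
    return {h: {**lh[h], **rh[h]} for h in lh.keys() & rh.keys()}


def reverse_hashed_email(target: str, local_parts, domains):
    """Dictionary attack: hash candidate addresses until one matches the target.

    Email addresses are low-entropy, so a party holding an address list (every data
    broker does) can unmask a hash this way. Returns the address, or None.
    """
    for local, domain in product(local_parts, domains):
        candidate = f"{local}@{domain}"
        if hash_email(candidate) == target:
            return candidate
    return None


if __name__ == "__main__":
    for key, merged in join_on_hashed_email(BROADCASTER_ACCOUNTS, PLATFORM_PROFILES).items():
        print(key[:12], "->", merged)
    target = hash_email("jane.citizen@example.com")
    print("unmasked:", reverse_hashed_email(target, ["sam", "alex", "jane.citizen"],
                                            ["example.net", "example.com"]))
```

Run it and two of the three accounts link up, viewing history attached to name and age band, with no ‘real’ email address crossing the boundary; the final line shows the hash is not even a secret from a party that already holds address lists.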

In this case, the ABC has clearly admitted that what it is doing is giving information about its viewers and listeners to Facebook and Google.

Why would the ABC do this? 

It does so to enable both profiling and individualised targeting of content and ads to its current or prospective viewers.  So, for example, as the ABC itself explains, if the ABC already knows that you have watched The Newsreader, it won’t waste money paying Facebook or Google to show you ads on those platforms exhorting you to watch The Newsreader.  (Sidenote: enjoy the irony of the public media paying to advertise on social media a TV show about a TV show set on commercial media, in a time before social media existed.)

This also means that the ABC can pay to advertise other shows to you, if it thinks – because of your viewing history – that you might like them.  And it can target ads for ABC shows to ‘lookalike’ audiences: people who Facebook and Google have profiled as similar to ABC viewers, but who are not known to be ABC viewers… including all the privacy-protecting people who try to avoid this kind of profiling by laboriously using different email addresses across sites, or who refuse to create accounts to log in at all.

More disturbingly, it also means that Facebook and Google could now know even more information about you than before, and add to your profile.  (Because let’s face it: they’re not mugs.  They’re going to monetise that data as much as they can.)  Which means that – and this is the part that surely the ABC doesn’t fully realise or it wouldn’t be letting its valuable first party customer data out of its own hands – the ABC’s rivals can also now even better target ads for rival TV shows to you.  (Liked The Newsreader?  Forget the ABC, try Apple TV’s Morning Wars!)

(Updated 7/1: Note that it has been pointed out to me that the use of Facebook’s Custom Audiences targeted marketing technique would usually involve terms to preclude Facebook from re-using the data shared with it by advertisers, so perhaps ABC customers are not at risk of this final scenario happening.  However my understanding is that to date the ABC has not released the terms of its engagement with Facebook despite FOI requests from privacy advocates going back some months, so we can’t yet tell what those terms are.  And the Privacy Policy doesn’t mention FB’s Custom Audiences; that’s just what a reader has told me the ABC is using.  Also, the ABC Privacy Policy, after talking about the information it discloses to third parties for the purposes of marketing via other platforms, states “Some third parties may be able to match information about your use of our digital services with personal information they already have about you”.  Because that statement appears before mention of the sharing of hashed email addresses, it is not clear whether that statement is only about data collected via third party cookies and similar online identifiers whether customers are logged in or not (see more about that below), or if it also includes data shared via techniques like using hashed email addresses to build Custom Audiences.)

So, can they really do this?

The sharing of a ‘hashed email address’ is an example of the disclosure of information which, taken alone, might be argued by industry players to be ‘de-identified’, such as to escape regulation under the Privacy Act.  That’s because information which cannot ‘reasonably identify’ an individual is excluded from the reach of our privacy laws.  And a hashed email address, alone, should not be capable of identifying anyone.

But the privacy regulator in Australia, the OAIC, has said that the test as to whether or not something meets the definition of ‘personal information’ (which means it will be regulated by the Privacy Act), is not about considering information in a vacuum: “Some information may not be personal information when considered on its own. However, when combined with other information held by (or accessible to) an entity, it may become ‘personal information’.”

So, given that a hashed email address can be – and indeed is intended to be – linked back to other information held about identifiable individuals by Facebook and Google, I would argue that the hashed email address, along with all the other ABC-collated information shared about the ‘de-identified’ individual it relates to, is ‘personal information’ regulated by the Privacy Act.

But despite the OAIC’s guidance, the letter of the law about what is ‘personal information’, and what is not, is not quite so clear, which leaves room for argument from the digital platforms and others in the AdTech ecosystem.  (Facebook for one argues that this information is not regulated because no-one is ‘identifiable’.)

This alone is a compelling reason why the Privacy Act is currently being reviewed, and why the Australian Government has already proposed strengthening and clarifying the definition of ‘personal information’.

(For more on the Privacy Act review, and to inspire your own submission in support of the proposed reforms, or to argue like me that they need to go further to be truly effective, see our submission to the Privacy Act review.  It includes plenty of other examples to explain why reform is needed to protect our privacy.  But get in quick, submissions are due 10 January.)

But wait, it gets worse!

Let’s say that, like yours truly, you have thus far resisted all encouragements to create an ABC Account, and are therefore still enjoying iview without having to share any email address with the ABC.  Are you immune from the data sharing?  Turns out, no.

Check out this from the updated ABC Privacy Policy:  “If you are not a registered ABC Account holder, or you are accessing an ABC digital platform while not logged into your ABC Account, we may disclose the identifier for your device or browser to Google and Facebook, via Tealium, for the same purpose. … If you don’t want to see promotional information on those platforms that is informed by your use of ABC digital services, you can opt out via the account settings on those platforms. ”

So, the ABC (with whom I have never had an account) is sharing my data with Facebook (with whom I have never had an account) and the way to opt out of that is via Facebook, but I can’t because I don’t have a Facebook account from which to access any ‘account settings’.

Way to go Aunty!  Nice Kafkaesque nightmare you’ve got us in, all so you can show your loyal viewers ads for stuff they probably already know about.

Is this even legal?

Now, if the ABC is indeed found to be sharing ‘personal information’, can it do so legally?  Without customer consent, I cannot see how.

(Have they got consent?  They are relying on telling customers via their Privacy Policy, and letting people ‘opt out’ if they don’t like it.  But in case after case, the OAIC has said that in order to be valid, consent requires an ‘opt in’, not ‘opt out’, and adding something to a Privacy Policy is not nearly enough.  But spelling out the essential elements needed to gain a valid consent under the Privacy Act is also the subject of a law reform proposal: to make it absolutely clear in the letter of the law itself that to rely on ‘consent’, the customer needs to have exercised a clear and affirmative choice.  So that’s reason #2 to make a submission to the Privacy Act review, ‘toot sweet’ as the ABC’s own Kath and Kim would say.)

The disclosure to any third party is regulated by Australian Privacy Principle (APP) 6, unless it is for ‘direct marketing’ in which case the rule is APP 7, which starts to make things murky as to whether or not consent is needed for that disclosure.  But what is clear is that if the information is being disclosed to an organisation outside Australia, it also has to meet APP 8.

And as I previously noted to the ABC when it first proposed last year to make logging into iview mandatory, under APP 8.2, disclosure of personal information to an overseas organisation like Facebook, in a jurisdiction such as the USA which does not have privacy protections equivalent to ours, requires the consent of the individual, after they have been expressly informed that their personal information will be sent to a jurisdiction without privacy protections.  (And none of the exemptions to APP 8 are relevant here.)  So that alone could pose a compliance problem for the ABC.

But regardless of whether or not the ABC is currently legally regulated in the way it shares data about the viewing and listening habits of its customers, surely it has a moral responsibility to protect its viewers and listeners from harm?

What’s so wrong with sharing our data?

When you think about it, a person’s ABC viewing or listening habits may be quite sensitive, and harm could be done when they are shared without consent.  Many Australians go to the ABC as a trusted source of information on controversial issues.  A student from an authoritarian country who likes to watch shows about democracy, or a teenager from a conservative family who takes an interest in gender fluidity or religious scepticism, may suffer significant harm if these preferences are exposed.

For example, if an Australian has watched Foreign Correspondent’s episode on the crackdown against Uighurs in Xinjiang, this could be used by Facebook or Google to inform an attribute such as “interested in human rights abuses in China”, which could then be used by the Chinese government to target propaganda directly to those viewers via paid advertising on those platforms.  This has implications for societal political manipulation.  The data is likely to be very easily identifiable by Google, Facebook, the Chinese Communist Party, or other sophisticated data gatherers with whom it might (directly or indirectly) be shared.

So what’s the solution?

If you are less than impressed with this state of affairs, start by making a submission to the review of the Privacy Act, ASAP.  (Submissions close 10 January.)  Tell the Government you are one of the 89% of Australians who believe that the information used to track us online should be protected under the Privacy Act.

Even if you have time for nothing else, email the review team to say that you support proposals 2.1-2.5 and 9.1-9.2, which are to clarify and strengthen the definition of personal information, and the elements of consent.  Want more details?  See our blog explainer here, and our detailed submission here.

And then let the ABC know; the bottom of their Privacy Policy tells you how, or write to the MD like I did.  Letters from a few concerned viewers last year saw the ABC defer its plan to make it mandatory to log into iview, while it re-considered the privacy issues.  Perhaps these recent changes to the Privacy Policy are the result of that review, because 10 points to Aunty for now making it much clearer for everyone to understand exactly what kind of intrusive data sharing is going on, whether people have logged in or not.

But transparency is not enough.  This type of exploitative data extraction and surveillance capitalism has no place on our beloved Aunty.

Australians don’t want to be tracked online.  Our public broadcaster should not be sharing data about its viewers and listeners with global tech behemoths without our active and informed consent.  Aunty’s job is to tell us stories, not tell stories about us to Facebook and Google.

Privacy compliance is not rocket science.  Meeting community expectations about our data is not hard.  It’s about common sense, and good manners.

Perhaps I can best sum it up using my ABCs: Always Be Considerate.

 

(Post script for our non-Australian readers: ‘Aunty’ is a fond nickname for the Australian Broadcasting Corporation, our publicly funded national broadcasting service and – except on this issue – national treasure.)

Photo (c) Shutterstock

Should birds of a feather be FLoC’d together?


The demise last week of FLoC is not the end of the story for Google’s plans to prop up surveillance-based advertising once cookies are phased out.

As a replacement for third party tracking cookies, Google was – until last week when it was killed off – trialling a new system for delivering personally targeted ads called FLoC.  FLoC’s objective was to hide individuals in a crowd, and keep a person’s web history ‘private’ on their browser.  But it turned out that this initiative was not quite as ‘privacy first’ as Google wanted us to believe.

Nor will its touted replacement – ‘Topics’ – necessarily be much better at preventing privacy harms.

What is changing about the AdTech ecosystem

In his brief history of online advertising, Dan Stinton, the Managing Director of Guardian Australia and former Head of Digital at Yahoo7, explains that “most advertisers or their advertising agencies… purchase consumer data from third parties (credit card purchases, for example), aggregate this with their own first-party data (customer email addresses, for example), and then follow those consumers across the web by dropping cookies on their web browsers and serving targeted ads”.

For a couple of decades now, they have done so in the name of serving up ‘relevant’ ads, targeted to appropriate customer segments.  However Stinton writes that at some point “segmentation (became) consumer profiling, which is where the potential for harm really exists”, and that “relevant ads morphed to become industrial-scale behaviour modification”.

The Cambridge Analytica scandal opened the world’s eyes to the impact of surveillance-based advertising, and the realisation that the AdTech ecosystem, initially developed to enable ‘free’ online platforms supported by advertising revenue, has resulted in harms well beyond being subject to unwanted ads.

Fast forward a few years, and community sentiment has shifted.  Where the public goes, legislators and courts – and even big business – eventually follow.  First we saw Apple and Mozilla block tracking cookies by default in their web browsers, and then when Apple blocked app-based tracking as well unless iPhone customers opted in, only very small numbers of people consented to let the tracking continue.  Privacy-first providers of digital services which offer alternatives to the dominant Google and Facebook suite of surveillance-driven products, such as DuckDuckGo (search engine), Signal (messaging) and Protonmail (email), are also growing in market share.

In parallel, European courts have made findings against the use of tracking cookies without consent; and European privacy regulators have cracked down on the difficult-to-use opt-out mechanisms used by Facebook and Google.  Meanwhile the European Parliament is considering a Digital Services Act to regulate online behavioural advertising, recent amendments to the California Consumer Privacy Act have jumped into the regulation of digital ‘dark patterns’, and a Bill to ban surveillance advertising has just been introduced into the US Congress.

Sensing the tide turning on community expectations around privacy and online tracking, and a new market for privacy-enhancing tech, Google announced it would address privacy concerns by also phasing out third party tracking cookies on its Chrome browser.  Since Chrome is the dominant browser used globally, the final demise of the third party cookie is now scheduled to occur in 2023.

But the end of third party tracking cookies is not the full story when it comes to surveillance, profiling and personalised targeting, based on your online movements.

Inside the birdcage

Once third party tracking cookies are gone, more and more companies will require their customers to log in to their website or access services through an app.  This means that the customer’s use of that company’s website or app can be tracked, without needing cookies.  That tracking generates what’s called ‘first party data’.  When customers use their email address to log in to a site (or download and use an app), their email address becomes a unique identifier, which can then be matched up with ‘first party data’ from other companies, for customers who use the same email address across different logins.

(Our recent blog about the ABC offered an example of even a publicly funded broadcaster succumbing to the drive to collect more ‘first party’ customer data, and then use hashed email addresses to enable ad re-targeting on third party platforms like Facebook and Google.)

But how about outside the birdcage?

Flying, but still tagged

While plenty of companies will push their customers inside their own birdcages, that still leaves plenty of web activity happening when you are not logged into sites.  But just because you’re not logged in doesn’t mean you are as free as a bird; you can still be tracked, profiled and targeted.

As part of its planned phase-out of third party cookies, in 2021 Google proposed FLoC – or Federated Learning of Cohorts – as a new browser standard.  The objective of FLoC was to “allow sites to guess your interests without being able to uniquely identify you”.

Google started using machine learning to develop algorithms which reviewed each individual’s web search and online browsing activity to profile them, and place them into ‘cohorts’ of 1,000 or more people with similar demographics, qualities or interests, before allowing advertisers and others to target their ads or content to individuals in that cohort.  While advertisers, in theory, were not supposed to learn the identity of anyone in the cohort, or their particular browsing history, they were still able to reach the precise individuals they wanted to target.

FLoC therefore still allowed individuated targeting or differential treatment of the individual by an advertiser, via Google as the ‘middle man’ who knows all your secrets, even as Google promised to prevent identification of the individual to the advertiser.

The result was highly privacy-invasive for Chrome browser users included in the FLoC trials (which included Australians): your intimacy and honesty turned against you, your hopes, fears, questions and plans extracted and exploited by Google to track, profile and segment you into multiple ‘cohorts’, so they can make a buck targeting you with personalised ads.

In fact, identification of individuals, or additional intrusive leaking of attribute data about them to third parties, was also possible with FLoC.  This is because the Chrome browser on an individual’s device would tell every website they visit what that individual’s ‘FLoC ID’ is.  A FLoC ID tells the website operator that this particular individual is in the cohort ‘ABCDE’, which means they have a certain profile which reflects the habits, interests and potentially demographics of people in that cohort (e.g. young women interested in physical well-being, or middle-aged men interested in cricket), as determined from their recent online activity.

That way, a publisher (i.e. a website which hosts paid third party ads) can show the ‘right’ kind of ads to that person.  Advertisers will have already told the publisher to show their ad to people with certain profiles; so a person profiled as interested in physical well-being might be shown an ad for yoga gear or diet pills, and a person profiled as interested in cricket might be shown an ad for cricket bats or sports betting.  So when an individual with a FLoC ID of ‘ABCDE’ landed on a particular website, the publisher would know what kind of ad to display.

Being FLoC’d together does not guarantee privacy

There are two risks associated with this type of online behavioural surveillance and targeting, even if individuals are ‘hidden’ within cohorts, or allocated loose ‘Topics’.

First, websites or advertisers could potentially reverse-engineer from some cohorts the likelihood that certain individuals visited particular websites.

Second, if a website operator already knows other information about that user, either because they are tracking the user’s IP address or the individual has had to log in to the publisher’s birdcage – e.g. the individual subscribes to read the Sydney Morning Herald, or has a free account to watch SBS On Demand – the publisher can combine their ‘first party data’ (i.e. what they learn about their customer from what the customer reads or watches within the confines of that site) with the new information inferred from the fact that that individual is now known to be in cohort ‘ABCDE’ – for example, that this person is likely to be a young woman interested in physical well-being.

This may be no better using ‘Topics’ instead of FLoC.  Topics will apparently still use an individual’s recent browsing history to group them into up to 15 ‘baskets’ out of about 350 ‘interest’ categories, based on the IAB’s Audience Taxonomy instead of FLoC’s AI-built cohorts.  As well as categories built around demographics (gender, age, marital status, income level, employment type etc), the IAB’s taxonomy has ‘interest’ categories such as #404: Healthy Living > Weight Loss; and #624: Sports > Cricket.  Publishers will be shown three of the 15 baskets at random.

However FLoC was particularly egregious, because of the tendency of its algorithms to create ‘cohorts’ based around not only ‘interests’ but also particularly sensitive matters such as ethnicity, sexuality, religion, political leanings and health conditions.  (The IAB taxonomy on which Topics will be based may not be entirely immune from allowing publishers to infer sensitive personal information from its ‘interest’ categories either; for example interest #503 is Music and Audio > Religious, while #521 is Music and Audio > World/International Music.)

Just for a moment consider the extent to which even public interest health information websites leak data to Google about who visits their sites: an investigation by The Markup found that even non-profits supposed to be protecting their clients, like Planned Parenthood in the US (which offers information on contraceptives and abortions), addiction treatment centres and mental health service providers, are leaking information about their web users to Google and Facebook.

Now think about combining that surveillance of online behaviour, with the power of inferences drawn from people’s Google search terms and click-throughs, and you can start to see how FLoC could enable highly intrusive profiling and personalised targeting at an individual level.

Even FLoC developers admitted that owners of walled sites (such as the Sydney Morning Herald or SBS in my example) “could record and reveal” each customer’s cohort, which means that “information about an individual’s interests may eventually become public”.  The GitHub site for FLoC described this, in somewhat of an understatement, as “not ideal”.

For example, the Sydney Morning Herald could potentially find out which of its subscribers are interested in abortions, anti-depression medication, substance abuse, gambling or suicide; who is questioning their religion or exploring their sexuality; and how they are profiled by Google in terms of their age, gender, ethnicity, political leanings, income, employment status and education level.  It could then add that to its own ‘first party’ customer data, and potentially share it with others.  Because each user’s FLoC ID was continually updated to reflect their latest online activity, website operators could infer more and more about their subscribers over time.

While Google has said that ‘Topics’, at this stage, will shy away from any demographic categories, it is still proposed to be continuously updated to reflect each individual’s browsing history over time.

Publishers can then use this information to sell ad space to those offering arguably harmful messaging (e.g. promoting sports betting to gambling addicts, or promoting pro-anorexia content to teenage girls) as easily as they can target beneficial messaging (e.g. promoting Headspace centres to vulnerable young people).  Individuated messaging and content can also as easily exclude people from opportunities as include them.

The risks are not confined to publishers selling ad space, because the FLoC ID was shared with all websites you visit, not just publishers hosting third party ads.  So even government websites could have gleaned information about you from your FLoC ID.  Are we comfortable with the ATO or Centrelink knowing that Google has profiled someone as interested in crypto-currency?

So there’s plenty to be concerned about from a privacy perspective.  However perpetuating online privacy harms was not the only criticism of FLoC.  The competition regulator in the UK, for example, raised concerns about the effect of FLoC and Google’s other ‘Privacy Sandbox’ initiatives.  In the words of Cory Doctorow, writing for the Electronic Frontier Foundation, “the advertisers that rely on non-Google ad-targeting will have to move to Google, and pay for their services… Google’s version of protecting our privacy is appointing itself the gatekeeper who decides when we’re spied on while skimming from advertisers with nowhere else to go”.

Can we ever fly free?

FLoC may have been dumped for now, but whether it is ‘Topics’ or something else which Google ultimately uses to replace third party tracking cookies, there appears little appetite from Google to join its rivals in moving away from surveillance-based online behavioural targeting any time soon.

So what can you do?

First, choose your browser and devices wisely.  Tracking cookies are already blocked in Apple’s Safari and Mozilla’s Firefox, and Apple devices are much better at blocking third party tracking both inside apps and on the open web as well.

Second, if you are using Google’s Chrome as your browser, try to find out if you were included in the global FLoC trials, using EFF’s ‘Am I FLoCed?’ tool.  Also keep an eye out for instructions on how to opt out of the trials of ‘Topics’, due to start later this month.

Third, if you are a website operator, declare that you do not want your site to be included in your users’ lists of sites for cohort (or ‘interest’ topic) calculations.  Government, health, non-profit, human rights and other public interest organisations in particular should strongly consider blocking Topics, in order to protect their users from being subject to profiling and personalised ads or messaging based on any association with their website.

Finally, agitate for law reform.  Perhaps it is no coincidence that the trials of FLoC were conducted in 10 countries including Australia, but not in the EU.  The major AdTech players and digital platforms like Google and Facebook will keep exploiting our data unless the law stops it.

FLoC is a perfect example of why the law needs to change to keep up with tech: FLoC still allowed individuated targeting, if not identification of users to the advertiser.  Topics will do the same.  That’s why the current review of the Australian Privacy Act and the definition of ‘personal information’ is so important – we need a law which reflects the role of online identifiers in the AdTech ecosystem, and respects the wishes of the 89% of Australians who believe that the information used to track us online should be protected under the Privacy Act.

Otherwise, in the words of the 80’s band which I now think of as FLoC of Seagulls, we might find that while we can run, we just can’t get away from surveillance-based online targeting:

And I ran, I ran so far away
I just ran, I ran all night and day…
I couldn’t get away


Photo by Glen Carrie on Unsplash

Big Tech, Individuation, and why Privacy must become the Law of Everything


Anorexia.  Violent extremism.  Holocaust denial.  Anti-vaccine conspiracy theories.  Gambling addiction.  Hate speech.  False claims about stolen elections.  Genocide.

You might not think of these as privacy harms, but they have one thing in common: they have all been promoted or fuelled by the manipulation and abuse of our personal information.

We are currently witnessing a profound fracturing of societies and communities, driven by the hyper-personalisation of content consumed in the digital environment.  This is squarely a privacy concern, for two reasons.

First, because it is the sucking up of our data in privacy-invasive ways which creates digital platforms’ power.

Second, because the power of those platforms is then used to target us individually: to segment us, manipulate us, and shape our experience of the world through filter bubbles built by algorithms fed on our data.

The end result of all the filter bubbles and echo chambers and dark patterns and ‘emotional contagion’ and misinformation and disinformation and manipulation of news feeds is that instead of being enriched, our world actually becomes smaller, our choices more limited.  The products we are offered, the prices we pay, the job ads we see, the news stories we read, the ‘truth’ we are told: all of this becomes decided for us by machines built not to serve us, but to deliver profits to Big Tech’s owners.  And the more divisive and outrageous the content, the higher the ‘engagement’, and the more astronomical the profits.

That algorithmic narrowing and manipulation of our choices ultimately affects our autonomy, and our dignity.  Yet that is what privacy law is supposed to protect: our autonomy, which is our ability to make choices for ourselves.

Much has been said in recent years about the role of Big Tech in political polarisation, the spread of misinformation, the lessening of trust in both experts and traditional institutions and the consequent weakening of democratic governments.  But not many mainstream commentators identify the root cause of these problems as invasions of privacy.  (In the documentary The Social Dilemma, privacy doesn’t even rate a mention until near the end.)

Sure, privacy advocates, regulators and academics have been saying it.  As NZ Privacy Commissioner, John Edwards passionately warned of the need for regulation to address the power asymmetry of Big Tech.  And as Chair of the consumer protection and competition regulator, the ACCC, Rod Sims called out how the privacy issues raised by Google and Facebook can’t be divorced from issues of market power.  But privacy law has not stopped them.

With the benefit of largely untrammelled intrusive data collection and profiling practices, online behavioural advertising has become online behavioural engineering: manipulation and behaviour modification on steroids.

Social media and digital platforms have become addictive and toxic because of the data that is harvested from us.  Our personal information has not just been monetised, it has been weaponised, against us.  ‘Personalised experiences’ have become echo chambers and filter bubbles, in which political divides become entrenched, hatred builds and misinformation and disinformation about everything from vaccines to elections thrive.  Waleed Aly has compared the power of Google with the power of a nation state like China, and says “Imagine a foreign nation with the power to manipulate our individual psychology. Imagine us handing them such power over the critical infrastructure of our democracy. To be fair, we didn’t knowingly hand it to the tech giants either. They seized it when we weren’t looking, algorithm by algorithm.”

The result is a roll-call of human misery.

Pharmaceutical companies side-stepping consumer protection laws to bombard users with ads for addictive opioids based on their Google search terms.

Instagram damaging teenage girls’ health, with an algorithm which “led children from very innocuous topics like healthy recipes … all the way to anorexia-promoting content over a very short period of time”.

Betting companies grooming suicidal gambling addicts.

Facebook allowing advertisers to target – and exclude – people on the basis of their ‘racial affinity’, amongst other social, demographic and religious characteristics.

Facebook facilitating targeted crypto scams.

YouTube allowing misinformation about covid, disinformation about elections, and the amplification of hate speech.

Facebook promoting to advertisers their ability to target psychologically vulnerable teenagers.

Facebook knowingly radicalising users by recommending groups like QAnon.

Inciting the riot in Washington DC.

Fomenting ethnic violence in Ethiopia.

Inciting genocide in Myanmar.

Yet from the digital platforms to the advertisers and companies which benefit, organisations engaging in intrusive online tracking, profiling and targeting have largely been able to side-step privacy regulation, often by claiming that the data they are using is not identifiable, thus not ‘personal information’ regulated by privacy laws.  This ignores the underlying objective of privacy laws which is to prevent privacy harms, in favour of semantic arguments about what is ‘identifiable’.

Some of those companies might say that they are protecting your privacy because they do something fancy like hash (scramble) your email address before sharing and matching up your data, but let’s call that for what it is: bullshit.

So maybe your ‘real’ email address is never shared out in the open, but the fact is that if data about your online habits is being tracked, and shared between unrelated companies on the basis of your email address, and then used to profile you and then treat you differently (for example, show you different products or prices), or to reach you with micro-targeted ads or personalised content or messaging – your personal information is being shared without your consent, and your privacy is being invaded.

Let’s look at Facebook, for example.  Advertisers provide details about their customers to Facebook, using a hashed version of their customers’ email address.  Facebook can then target ads to precisely those people, having matched the hashed email addresses from the advertiser to the hashed email addresses it already holds about Facebook users.  But because neither company is sharing ‘identifiable’ data (i.e. ‘raw’ or unhashed email addresses), the chief privacy officer at Facebook claims that they can serve ads “based on your identity… but that doesn’t mean you’re ‘identifiable’”.

In other words: data which Facebook and other industry players describe as not identifiable, and thus not regulated by privacy laws, is being used to match up customer records from different devices and different apps, and share user attributes between different companies, without your consent.

Another example can be found in the data broking industry.  Data broker LiveRamp, formerly known as Acxiom, says they draw data from multiple publishers, sites, devices and platforms (aka “gain second-party segments or third-party data”), build customer profiles and then target ads to around 7 million Australians online.  Their website states that “LiveRamp removes directly identifiable personal information and replaces it with pseudonymised record keys during our matching process. This means you can use data with confidence”.  (A previous version of their website I saw described this as ‘anonymization’, but it has since been revised to label this as ‘pseudonymisation’.)

But as Justin Sherman wrote recently in Wired, the carefully deployed language around de-identification is a furphy: “that data brokers claim that their ‘anonymized’ data is risk-free is absurd: Their entire business model and marketing pitch rests on the premise that they can intimately and highly selectively track, understand, and microtarget individual people”.

This semantic misdirection about data not being ‘directly identifiable’ is happening not only in the United States where the narrower phrase ‘PII’ is used instead of ‘personal information’.  Australian industry analysts have written about how entirely unrelated companies are now matching their own sets of customer data, in order to target individual consumers – such as personally targeted ads for Menulog shown on smart TVs during breaks in Channel 7 content, using hashed email addresses via data broker LiveRamp.

So while individual identities are hidden during the matching process, the end result is still that Company A can find out new information about their customers, and/or individually target people who are not their customers but who have ‘lookalike’ characteristics, using data collected about those individuals by Companies B, C and D.  Using various methods, the data collected about you while you are using your banking app can now be matched with the data collected about you when you look up flight prices while logged into your frequent flyer account, and then matched to the data collected about you when you watch streaming TV, including whether or not you instantly respond to the fast food ad you saw on TV.  Did you consent to all of that?
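To make concrete why a hashed email address is a pseudonym rather than anonymisation, here is an added example (not code from Facebook, LiveRamp or any party named in this post) that models the matching described above: two constructed companies each hash their customers’ email addresses, exchange only the hashes, join their records on the hash, and the company that holds the raw addresses maps the results straight back to named customers.  Company names, email addresses, purchases and cohort labels are all constructed for illustration.

```python
import hashlib

# Constructed sample data. "Company A" is a retailer that knows what its
# customers bought; "Company B" is a platform that has profiled its users into
# an interest cohort (the cohort labels are made up, as in the post's 'ABCDE').
COMPANY_A_CUSTOMERS = [
    {"email": "alex@example.com", "purchased": "yoga mat"},
    {"email": "bree@example.com", "purchased": "cricket bat"},
    {"email": "chris@example.com", "purchased": "running shoes"},
]
COMPANY_B_USERS = [
    {"email": "Alex@Example.com", "interest_cohort": "ABCDE"},   # note the capitals
    {"email": "chris@example.com", "interest_cohort": "FGHIJ"},
    {"email": "dana@example.com", "interest_cohort": "ABCDE"},
]


def naive_hash(email: str) -> str:
    """Hash the address exactly as typed. Shown only to illustrate the edge case:
    without normalisation the same person gets different keys at each company."""
    return hashlib.sha256(email.encode("utf-8")).hexdigest()


def pseudonymise(email: str) -> str:
    """The 'record key' used for matching (hypothetical helper, our naming).

    Lower-casing and trimming is what makes the key identical wherever the same
    address is used, which is exactly what lets unrelated companies line up records."""
    return hashlib.sha256(email.strip().lower().encode("utf-8")).hexdigest()


def share_hashed(records):
    """What a company actually hands over: hashed keys plus attributes, no raw email."""
    shared = []
    for r in records:
        row = {k: v for k, v in r.items() if k != "email"}
        row["key"] = pseudonymise(r["email"])
        shared.append(row)
    return shared


def join_on_key(a_shared, b_shared):
    """Join the two hashed datasets. Because the key is persistent and
    deterministic, matching records line up exactly, one person per key."""
    b_index = {r["key"]: r for r in b_shared}
    joined = {}
    for r in a_shared:
        other = b_index.get(r["key"])
        if other is not None:
            joined[r["key"]] = {**r, **other}
    return joined


def reidentify(joined, own_records):
    """Any party holding the raw addresses can reverse the pseudonym trivially:
    it just re-hashes its own customer list and looks the keys up."""
    email_by_key = {pseudonymise(r["email"]): r["email"] for r in own_records}
    return {email_by_key[k]: v for k, v in joined.items() if k in email_by_key}


if __name__ == "__main__":
    shared_a = share_hashed(COMPANY_A_CUSTOMERS)
    shared_b = share_hashed(COMPANY_B_USERS)
    joined = join_on_key(shared_a, shared_b)
    # Company A now knows which named customers Company B profiled, and how.
    for email, attrs in reidentify(joined, COMPANY_A_CUSTOMERS).items():
        print(f"{email}: bought {attrs['purchased']}, cohort {attrs['interest_cohort']}")
```

Note that nothing in the exchange above required either company to see the other’s raw addresses, yet the outcome is still a named individual profile on each side.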

This is precisely the kind of unfair and invasive online tracking, profiling and microtargeting, for differential treatment, of individuals across the web that the community expects to be within scope of the Privacy Act for regulation.

Yet marketeers describe this as ‘privacy compliant’, because they use pseudonyms instead of real names or email addresses to facilitate their data matching and build out their customer profiles before they target you.  What a joke.

The question is, what is the government going to do, to stop this Big Tech racket?  Because clearly the market incentive is to keep exploiting our personal information until the law stops it.

We need law reform, to ensure that these data practices are firmly within scope of privacy regulation.  No more ‘we don’t share your PII’ semantic trickery.

We need to start by updating the current law’s flawed and outdated premise that privacy harms can only be done to ‘identified’ individuals, and that therefore only ‘identifiable’ data needs the protection of the law.

To ensure that the Australian Privacy Act is capable of protecting against digital harms, as is expected by the community, and is the stated objective of the current legislative review by the Australian Government, the definition of personal information requires reform to indisputably cover the individuation, as well as identification, of individuals.

Individuation means you can disambiguate a person in the crowd.  In the digital world, this means the ability to discern or recognise an individual as distinct from others, in order to profile, contact, or target them and subject them to differential treatment – without needing to know their identity.  This might take the form of a decision to show someone a certain ad or exclude them from seeing a particular offer, display a different price, make a different offer, or show them different information.  The result might be as benign as the act of showing a profiled customer an ad for sneakers instead of yoga gear, but it could also be a decision to target vulnerable individuals with ads for harmful products, misinformation, or extremist content.

As Sven Bluemmel, the Victorian Information Commissioner, put it recently:  “I can exploit you if I know your fears, your likely political leanings, your cohort.  I don’t need to know exactly who you are; I just need to know that you have a group of attributes that is particularly receptive to whatever I’m selling or whatever outrage I want to foment amongst people.  I don’t need to know your name. … I just need a series of attributes that allows me to exploit you”.

Privacy schemes elsewhere in the world are already broadening out the notion of ‘identifiability’ (or even abandoning it altogether) as the threshold element of their definitions, such as the California Consumer Privacy Act (CCPA) 2018, and the 2019 international standard in Privacy Information Management, ISO 27701.  Each has either explicitly expanded on the meaning of identifiability, or has introduced alternatives to identifiability as a threshold element of their definitions.

For example the CCPA includes, within its definition of personal information, data which is “capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household”, without first needing to pass an identifiability test.  This theme is further fleshed out within the definition of ‘unique identifier’, which means “a persistent identifier that can be used to recognize a consumer, a family, or a device that is linked to a consumer or family, over time and across different services, including, but not limited to, a device identifier”.

Last year the US Uniform Law Commission voted to approve the Uniform Personal Data Protection Act, a model bill designed to provide a template for uniform state privacy legislation.  The model Bill defines personal data to include data “without a direct identifier that can be reasonably linked to a data subject’s identity or is maintained to allow individualized communication with, or treatment of, the data subject”.

Another example is the New York State Privacy Bill 2021, which clearly intends to include, within the scope of what is ‘identifiable’ for the purposes of its definition of personal data, both tracked online behaviour (such as browser searches and an individual’s “interaction with an internet website, mobile application, or advertisement”), as well as geolocation data, and any inferences drawn from that information.

Plus of course the GDPR’s definition of ‘personal data’ includes online identifiers and the notion of ‘singling out’.  The Austrian DPA recently ruled that IP addresses (as collected via Google Analytics) constitute personal data, because they allow an entity to ‘single out’ a data subject within the meaning of recital 26 of the GDPR.  Further, the DPA found that an actual identification is not necessary, and that there is no requirement that all the information enabling the identification of the data subject must be in the hands of one entity.

Are we on the cusp of change here in Australia too?

The Australian Government has proposed, in the Discussion Paper on the review of the Privacy Act, that the definition of ‘personal information’ should be reformed to include “a non-exhaustive list of the types of information capable of being covered by the definition of personal information”.  The examples given include location data, online identifiers and “one or more factors specific to the physical, physiological, genetic, mental, behavioural (including predictions of behaviours or preferences), economic, cultural or social identity or characteristics of that person”.

Importantly, the Discussion Paper says that the definition would therefore cover “circumstances in which an individual is distinguished from others or has a profile associated with a pseudonym or identifier, despite not being named”.

Now some, including the Big Tech and marketing industry players, will argue that they don’t want the Privacy Act reformed, lest it become the ‘law of everything’.  But I believe we should take an expansive view of privacy, and a root-cause look at privacy-related harms.

As a threshold definition, ‘personal information’ simply creates the boundaries of the playing field.  Other parts of the law – the privacy principles – do the heavy lifting when it comes time to set the rules of play, deciding which data practices are fair, and which should be prohibited.  But if much of the data which fuels the digital economy isn’t even considered to be part of the game, how can we ever agree on the rules?

We need the Privacy Act to explicitly include, within its scope for regulation, information which can be used to individuate and potentially harm people, even if they cannot be identified from the information in a traditional sense.

In my view privacy law must become ‘the law of everything’, because in the digital economy, data about people is everything.

Photograph © Shutterstock

OAIC determinations shed light on when data is regulated as ‘personal information’


Recent caselaw demonstrates that privacy laws reach further than some organisations might expect.

Introduction: the identifiability test

Most information privacy and data protection laws around the world have as their starting point some notion of identifiability.  Legal obligations will typically only apply to data that relates to an ‘identifiable’ person.

For example, Australian privacy laws create privacy principles, which apply only to data which meets the definition of “personal information”.  The Australian Privacy Act defines this as: “information or an opinion about an identified individual, or an individual who is reasonably identifiable”.

The point of this legal definition is that if no individual is identifiable from a set of data, then the privacy principles – the backbone of an organisation’s legal obligations – simply won’t apply.  If no individual can be identified from a dataset, then the dataset can be safely released as open data; matched or shared with or sold to other organisations; or used for a new purpose such as data analytics, without breaching privacy law.

Or so the theory goes.

In reality, determining whether or not an individual might be considered in law to be ‘identifiable’ is not straightforward.  The scope of what is included within the notion of identifiability may surprise many organisations.

Recent cases have tested the limits

The Office of the Australian Information Commissioner (OAIC) has made a series of determinations which have shed light on the extent to which privacy laws cover data which – at face value – may not appear to be identifiable of any individual.

The recent cases which touch on the definition of ‘personal information’ are the 7-Eleven case, the Clearview AI case, and the Australian Federal Police (AFP) case.

All three cases involved the use of facial recognition technology, but the issues raised in relation to the scope of privacy laws are applicable to many other types of data and data use practices, including online behavioural advertising, customer profiling and targeted marketing.

The 7-Eleven case

In June 2020, the 7-Eleven chain of convenience stores began using a new customer feedback survey system in 700 stores across Australia.  Each store had a tablet device which enabled customers to complete a voluntary survey about their experience in the store.  Each tablet had a built-in camera that took images of the customer’s face as they completed the survey.

Those facial images were stored on the tablet for around 20 seconds, before being uploaded to a server in the cloud.  A third party service provider converted each facial image to a ‘faceprint’, which is an encrypted algorithmic representation of the face. The faceprint was used to detect if the same person was leaving multiple survey responses within a 20 hour period on the same tablet; if multiple responses were detected, they were excluded from the survey results.

In other words, 7-Eleven was using a facial recognition technology on its customers, to prevent its employees gaming a customer satisfaction survey by leaving multiple positive survey responses about their own performance.  At least 1.6 million survey responses were completed.

The OAIC found that 7-Eleven had breached Australian Privacy Principle (‘APP’) 3.3 by collecting ‘sensitive information’ (namely, biometric templates) unnecessarily and without consent, and APP 5 by failing to provide proper notice about that collection.

One of the arguments raised by 7-Eleven was that the information at issue did not constitute ‘personal information’ for the purposes of the Privacy Act.

The Clearview AI case

Clearview AI provides a facial recognition search tool which allows registered users to upload a digital image of an individual’s face and then run a search against the company’s database of more than 3 billion images.  The database of images was created by Clearview collecting images of individuals’ faces from web pages including social media sites.  The search tool then displays likely matches and provides the associated source information to the user.  The user can then click on the links to the source material, to potentially enable identification of the individual.

From October 2019 to March 2020, Clearview offered free trials of its search tool to the AFP, as well as to the police services of Victoria, Queensland and South Australia.  Members from each of these police services used the search tool on a free trial basis, uploading images of people to test the effectiveness of the tool.  Uploaded images, known as ‘probe images’, included photographs of both suspects and victims in active investigations, including children.

The OAIC found that Clearview had breached APPs 1.2, 3.3, 3.5, 5 and 10.2.  One of the arguments raised by Clearview was that the information at issue did not constitute ‘personal information’ for the purposes of the Privacy Act.

The AFP case

Officers from the AFP used the Clearview search tool on a free trial basis.  Those officers did so without entering into any formal arrangements with Clearview, and the Clearview search tool was not subject to the AFP’s normal procurement or due diligence processes.  The OAIC found that the AFP had breached APP 1.2, as well as a separate requirement under a Code issued specifically for Australian government agencies, which mandates the conduct of a Privacy Impact Assessment prior to commencing any high privacy risk activities.  While it does not appear that the AFP argued otherwise, the OAIC canvassed whether the data at issue was ‘personal information’ for the purposes of the Privacy Act.

The arguments about identifiability and ‘personal information’

7-Eleven had argued that the facial images and faceprints it collected were not ‘personal information’ because they were not used to identify any individual.

However the OAIC found that even though individuals could not necessarily “be identified from the specific information being handled”, the information was still ‘reasonably identifiable’ – and thus within the scope of ‘personal information’ – because the faceprints were used “as an ‘identifier’” which “enabled an individual depicted in a faceprint to be distinguished from other individuals whose faceprints were held on the Server”.

Similarly, Clearview argued that ‘vectors’ could not constitute ‘personal information’.  From the three billion raw images scraped from the web, Clearview retained metadata about the source of each raw image, and a vector for each raw image: a digital representation generated from the raw image, against which users could compare a new vector (i.e. a new digital file created by running the tool’s facial recognition algorithm over an uploaded probe image), in order to find a potential match.  Clearview argued that the vector and metadata held in their database neither showed an individual’s face, nor named or otherwise directly identified any individual.  They claimed that their tool merely distinguished images, and did not ‘identify’ individuals.  (Any image ‘matches’ would simply present a link to the URL for the source of the original raw image.)

However the OAIC disagreed.  First, the OAIC noted that the definition in the Privacy Act does not require an identity to be ascertained from the information alone, thanks to an amendment to the definition in 2014.

Second, the OAIC noted that because “an individual … is uniquely distinguishable from all other individuals in the respondent’s database”, it was irrelevant that the respondent did not retain the original image from which the vector was generated, nor any identity-related information about the individual.

The OAIC thus determined that both the raw image and the vector generated from it constituted ‘personal information’ for the purposes of the Privacy Act.

In the AFP case, the OAIC reiterated that being able to distinguish an individual from the group will render an individual ‘identified’ in privacy law.

Lesson 1: identifiability is not to be considered in a vacuum

The Australian definition of personal information is broader in its scope than the American phrase beloved by information technology professionals and vendors: PII or ‘personally identifying information’.  The American / IT industry test asks whether someone can be identified from this piece of information alone.  By contrast, the Australian legal test asks whether someone can be identified from this piece of information alone, or once it is combined with other available information.

In the Clearview case, the OAIC stated: “An individual will be ‘reasonably’ identifiable where the process or steps for that individual to be identifiable are reasonable to achieve. The context in which the data is held or released, and the availability of other datasets or resources to attempt a linkage, are key in determining whether an individual is reasonably identifiable”.

This formulation is not novel.  In guidance published in 2017, the OAIC explained that an individual can be ‘identifiable’ “where the information is able to be linked with other information that could ultimately identify the individual”.

The identifiability test therefore depends on considering not only the particular information at issue, but also any other information that is known or available to the recipient, and the practicability of using that other information to identify an individual.  Who will hold and have access to the information is therefore a relevant consideration when assessing whether an individual will be ‘reasonably identifiable’.

Lesson 2: an individual can be identifiable without learning their identity

The second lesson is that ‘identifiability’ in law does not necessarily require that a person’s name or legal identity can be established from the information.  Instead, it implies uniqueness in a dataset.  This is similar to the GDPR’s notion of ‘singling out’.

Again, since 2017, the OAIC has maintained that: “Generally speaking, an individual is ‘identified’ when, within a group of persons, he or she is ‘distinguished’ from all other members of a group.”

What is novel about the 7-Eleven case is that the OAIC has now applied that reasoning to data from which there is slim to no chance of re-constructing a person’s name or legal identity, such as vectors generated from faceprints, but which is nonetheless useful for separating one individual from another and subjecting them to different treatment.

In other contexts, the OAIC has noted that it is not only identifiers like biometric vectors which can ‘reasonably identify’ someone; browser or search history are two examples of behavioural or pattern data which could lead to an individual being rendered unique in a dataset.
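To make the two lessons concrete, here is a small added example (not from the original article, and not any regulator’s or vendor’s code) that runs a ‘singling out’ check and a linkage check over constructed data. The record fields, vectors and the loyalty dataset are all invented for illustration.

```python
# Added example, not from the original article: a self-contained check for
# 'singling out' (Lesson 2) and for linkage with other available data
# (Lesson 1), over constructed records. All names, vectors and field names
# are invented.
from collections import Counter
from math import dist
from typing import Any, Dict, List, Sequence, Tuple

Record = Dict[str, Any]

# Constructed: what a retailer's server might hold about shoppers. There are
# no names, only a faceprint-style vector and two metadata/pattern fields.
STORE_RECORDS: List[Record] = [
    {"record": 1, "faceprint": (0.12, 0.88, 0.41), "postcode": 2000, "device": "iPhone"},
    {"record": 2, "faceprint": (0.52, 0.13, 0.77), "postcode": 2000, "device": "Android"},
    {"record": 3, "faceprint": (0.91, 0.05, 0.30), "postcode": 2000, "device": "iPhone"},
    {"record": 4, "faceprint": (0.33, 0.66, 0.09), "postcode": 2010, "device": "Android"},
    {"record": 5, "faceprint": (0.48, 0.20, 0.65), "postcode": 2010, "device": "Android"},
]

# Constructed: a separate dataset the same holder (or a partner) can reach,
# which does carry names. Its availability is the 'context' of Lesson 1.
LOYALTY_DB: List[Record] = [
    {"name": "A. Citizen", "postcode": 2000, "device": "Android"},
    {"name": "B. Example", "postcode": 2010, "device": "Android"},
    {"name": "C. Sample", "postcode": 2010, "device": "Android"},
    {"name": "D. Person", "postcode": 2000, "device": "iPhone"},
]


def _key(record: Record, fields: Sequence[str]) -> Tuple[Any, ...]:
    """The combination of fields being tested as an identifier."""
    return tuple(record[f] for f in fields)


def distinguishable(records: Sequence[Record], fields: Sequence[str]) -> List[Record]:
    """Lesson 2: return the records whose combination of `fields` is unique
    within the dataset. Each such record singles out one individual from the
    group even though the dataset holds no name for that person."""
    counts = Counter(_key(r, fields) for r in records)
    return [r for r in records if counts[_key(r, fields)] == 1]


def link_to_identity(records: Sequence[Record], auxiliary: Sequence[Record],
                     fields: Sequence[str]) -> Dict[int, str]:
    """Lesson 1: join the nameless records against another dataset available
    to the holder. A record is treated as reasonably identifiable only when
    its key is unique on both sides, so that exactly one name fits it."""
    candidates: Dict[Tuple[Any, ...], List[str]] = {}
    for a in auxiliary:
        candidates.setdefault(_key(a, fields), []).append(a["name"])
    linked: Dict[int, str] = {}
    for r in distinguishable(records, fields):
        names = candidates.get(_key(r, fields), [])
        if len(names) == 1:
            linked[r["record"]] = names[0]
    return linked


def match_faceprint(probe: Tuple[float, ...], records: Sequence[Record],
                    max_distance: float) -> List[int]:
    """The 7-Eleven / Clearview point: a vector acts as an identifier because
    a new probe vector can be compared against the stored ones. Returns the
    ids of records within `max_distance` (Euclidean) of the probe."""
    return [r["record"] for r in records if dist(probe, r["faceprint"]) <= max_distance]


if __name__ == "__main__":
    quasi = ("postcode", "device")
    print("Unique on postcode+device:", [r["record"] for r in distinguishable(STORE_RECORDS, quasi)])
    print("Unique on faceprint:", [r["record"] for r in distinguishable(STORE_RECORDS, ("faceprint",))])
    print("Linked to a name:", link_to_identity(STORE_RECORDS, LOYALTY_DB, quasi))
    print("Probe matches:", match_faceprint((0.13, 0.87, 0.40), STORE_RECORDS, 0.05))
```

Note that no record in `STORE_RECORDS` carries a name, yet every faceprint singles someone out, and the postcode/device pattern alone becomes a name once the loyalty dataset is in reach.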

Conclusion: the implications

While significant, these cases demonstrate a line of reasoning which is entirely consistent with what the OAIC has been saying for many years, since the definition of personal information was updated in 2014.

The Australian legal test for what constitutes ‘personal information’ – and thus what is within scope for regulation under privacy law – includes two elements which may surprise many organisations handling data:

  • the data is not to be considered in a vacuum, and
  • data can be identifiable without revealing identity: being able to distinguish an individual from the group will render an individual ‘identified’ for the purposes of privacy law.

While not surprising for those who follow OAIC guidance closely, the implications of these cases are far reaching.  The logical conclusion is that Australian privacy laws, like the data protection laws of the European Union, extend to data which can be used to disambiguate customers or other individuals and subject them to differential treatment, even in online environments where organisations may not have the facility to trace back to find out the individual’s legal identity.

Regulated entities will face a legal compliance risk if they do not appreciate the breadth of data which is covered by their obligations under the Privacy Act. In particular, organisations should be wary of technology vendors, supplying products used in applications from customer profiling and targeted marketing to security and identity authentication, who may be pitching their products as ‘compliant’ or ‘privacy protective’ on the basis that no-one is identifiable from that data alone.

The correct legal test in Australia suggests that data which can be linked to other data sources, such that an individual can be distinguished from the group and then treated differently, will constitute ‘personal information’, and restrictions on the collection, use or disclosure of that data will apply accordingly.

Want more caselaw insights? 

For Privacy Awareness Week 2022, Salinger Privacy will host a free webinar on 4 May, offering more lessons from recent privacy cases, including:

  • The role of PIAs in privacy risk management
  • How to get your collection, consent and transparency practices right, and
  • Managing risks including from ‘shadow IT’ and contracting out. 

Register here.

An earlier version of this article was first published in LSJ Online.

Photograph © Shutterstock


Would you like fries with that? A quick guide to notice and consent in privacy law


When consumer advocacy body CHOICE last month went public with its investigation into the use of facial recognition by major Australian retailers, the public reaction was swift – and negative. No surprise, given we already knew that the majority of Australians are uncomfortable with the collection of their biometric information to shop in a retail store.

Much of the online chatter, the media coverage and the defensive comms swirled around in circles, sometimes getting lost in the minutiae of topics like the size of the font on the signage at stores, or how long images of customers are held for, or who is recognisable from the images, or arguing about whether customers ‘consent’ by walking into a store, or going through privacy policies with a fine-toothed comb. Another common angle of exploration was facial recognition technology itself, including its questionable accuracy and potential discriminatory impacts.

The OAIC has since launched an investigation into the use of facial recognition technology by Bunnings and Kmart. (By comparison, by pausing its use of the tech in response to the CHOICE investigation, third retailer The Good Guys seems to have turned down the regulatory heat, and has thus far avoided a formal investigation.)

But it’s not only facial recognition technology which might create privacy concerns for customers. Nor are these data management issues and PR headaches limited to the retail sector. I see similar concerns raised in discussions about other forms of data collection and use, such as customer profiling, online tracking and marketing. So there are lessons to be learned for all types of organisations, collecting all sorts of personal information.

In particular, this incident has highlighted a lot of confusion about the rules when collecting personal information, and the roles of notice and consent, including what is needed when, under Australian privacy law.

Happily we don’t need to wait for the OAIC to conclude its investigation, before we can clear up some of that confusion. We already have the Privacy Act 1988, existing OAIC publications and formal determinations to guide us.

So here’s your quick and dirty, 8-point cheat sheet guide to collecting personal information under the Privacy Act.

1. The act of creating new data, such as by drawing inferences, generating insights or producing biometric vectors, is a fresh ‘collection’, which must comply with the Collection principles

Let’s start by looking at what constitutes a ‘collection’ of personal information, for the purposes of compliance with the Collection principles, which are found in Australian Privacy Principles (APPs) 3-5 in the Privacy Act.

Collection isn’t just about when you ask customers to fill out a form. The ‘creation’ of new personal information, such as by way of combining data or inferring information from existing data, will also constitute a ‘collection’ for the purposes of the APPs.

For example in the Uber case, the OAIC stated that “The concept of ‘collection’ applies broadly, and includes gathering, acquiring or obtaining personal information from any source and by any means”, such as via online cookies.

And in the Clearview case, the OAIC found that the vectors used for its facial recognition technology, which were generated from images drawn from photographs scraped from the web, were also ‘collected’, noting that “‘collects’ includes collection by ‘creation’ which may occur when information is created with reference to, or generated from, other information”.

2. You will be ‘collecting’ personal information even if it is only transient

The act of taking a photo of a customer, to be used to generate a faceprint, is a ‘collection’ of personal information, no matter how ephemeral that image is, and even if the image is not going to be stored.

In the 7-Eleven case, the OAIC found that even a transient collection, such as images which were stored on a tablet for around 20 seconds before being uploaded to a server in the cloud, will constitute a ‘collection’ for the purposes of the APPs.

So Electronic Frontiers Australia’s Chair Justin Warren was spot on when he compared the use of facial recognition on retail customers to taking a fingerprint of every customer as they enter the store and checking it against a file of previous fingerprints: “The fact they then throw away that piece of paper isn’t the problem, it’s that they took the customer’s fingerprints in the first place”.

3. All collection must be reasonably necessary, and proportionate to a legitimate business objective

The collection of any type of personal information, no matter how benign, must be reasonably necessary for a legitimate purpose. From the 7-Eleven case we know that under APP 3, collecting personal information because it will be “helpful, desirable or convenient” is not enough; your collection of personal information must be “reasonably necessary” for one of your organisation’s “functions or activities”.

The OAIC has formulated this test as involving consideration as to whether the impact on individuals’ privacy is “proportionate to a legitimate aim sought”. In the case of 7-Eleven, while the OAIC noted that “implementing systems to understand and improve customers’ in-store experience” was a legitimate aim of the business, the collection of biometric templates was not a proportionate way to achieve that aim, and thus was in breach of APP 3.

Plus, all collection of personal information must also be by lawful and fair means (APP 3.5), and collected directly from the individual unless an exception applies (APP 3.6).

4. All collection requires a collection notice to be provided that is specific to that collection

APP 5 requires organisations to take reasonable steps to notify people about the collection of their personal information – the who, what, when, where, how and why. That notice must be provided at or before the time of the collection.

Not to be confused with your Privacy Policy (which talks in general terms about the whole organisation), a collection notice must be specific to the personal information being collected at that point. Privacy regulators stress the need to keep notices concise and in plain language, while also offering enough detail about how you propose to collect, use or disclose the individual’s personal information.

The objective of a collection notice is to prevent anyone getting a nasty surprise later; and it can enable the individual to make an informed choice about whether to provide you with their information (if they even have that much choice).

But remember that a collection notice is not a free pass to collect anything you like. You can still only collect personal information if your reason for asking for the personal information is reasonably necessary – see point #3 above.

Another tip: make sure you don’t confuse collection notices with consent forms. Collection notices are a one-way form of communication. The person does not need to indicate their agreement; they are simply being put ‘on notice’.

5. A Privacy Policy is not a collection notice

The obligation to have a Privacy Policy comes from APP 1. It’s a separate requirement to your APP 5 collection notices.

As described by the OAIC, a Privacy Policy is simply “a transparency mechanism”, which “must include information about an entity’s personal information handling practices including how an individual may complain and how any complaints will be dealt with”.

So your Privacy Policy is not magic. It cannot authorise your organisation to do anything that the APPs don’t already allow you to do.

6. Some acts of collection (or use, or disclosure) also require the prior consent of the individual, unless a public interest exception applies

Asking for a person’s consent is a separate process to either providing a collection notice or publishing a Privacy Policy.

Importantly, you don’t need consent for everything! Seeking consent is only necessary when the APPs say that you need a person’s consent, in order to lawfully collect, use or disclose their personal information.

This is most commonly when you are either:
• collecting information about a person’s health or disability, unless that information is necessary to provide a health service to the individual, or
• collecting other types of ‘sensitive information’ about a person, such as biometrics (hello, facial recognition tech), genetic information, or information about the person’s ethnicity, sexuality, criminal record, religion, religious or philosophical or political beliefs, or membership of a trade union, political association or professional association, or
• proposing to use or disclose personal information for a purpose unrelated to the primary purpose for which you collected it, or
• disclosing personal information overseas
… and no exemption applies.

So check the APPs to find out whether or not any particular activity (whether a collection, use or disclosure of personal information) first requires the person’s consent, in order to be lawfully authorised.

But heads up: a valid consent is hard to get.

7. If you do need consent to authorise your conduct, that consent will only be valid if it is voluntary, informed, specific, current, and given by a person with capacity

The OAIC has said that in order to be valid, a consent must be voluntary, informed, specific, current, and given by a person with the capacity to consent.

I like to describe consent as the ‘Would you like fries with that?’ question. The question must be very specific about what is being proposed, the question must be asked about only one thing at a time, the default position must be ‘no’, and the customer must be completely free to say either yes or no to the fries, and still get their burger.

So notice alone typically does not allow you to infer consent. (For anyone who still thinks that posting a notice outside a store is the same as getting consent from customers who enter the store, please consider this: if providing a notice was enough to infer consent, the Privacy Act would not need to require both.)

‘Opt out’ is not consent either; the OAIC has made clear that an individual’s silence cannot be confidently taken as an indication of consent.

8. Consent cannot be obtained by making your customers ‘agree’ to your Privacy Policy, a collection notice, or your Terms and Conditions

In the Flight Centre case, the OAIC noted that a Privacy Policy is not a tool for obtaining consent. Making your customers ‘agree’ to your Privacy Policy, or to a collection notice, or to Ts&Cs, before they can access a service, download an app, enter a store or buy a product removes the voluntary aspect needed to gain a valid consent.

So, if you want to collect (including create) personal information from or about your customers, make sure that you:
• can demonstrate that your collection is reasonably necessary, for a legitimate aim, and proportionate to that aim (APP 3.1-3.3)
• only use lawful and fair means (APP 3.5)
• collect information directly from each customer unless you are authorised otherwise (APP 3.6)
• provide a collection notice to every customer (APP 5), and
• publish a Privacy Policy, such as on your website (APP 1).

Plus, if the personal information you are collecting / creating is ‘sensitive information’, you will also require each customer’s consent, unless an exemption applies.

Easy, right? Now we’ve got that sorted, you can go and enjoy your fries. Or not. It’s completely up to you.

Want hands-on training about this topic? Join our small group workshop in October: Privacy Notice and Consent: How to get it right.

Or grab our Template Collection Notices and Consent Forms in one of our Compliance Kits.

Want more caselaw insights? Watch our video here.

Photograph © Mitchell Luo on Unsplash

The seven habits of effective Privacy Impact Assessments


There is something magical about the number seven.  The seven deadly sins, the seven dwarfs, the seven year itch, those plucky child detectives who formed the Secret Seven, and the barn-raising dance number from Seven Brides for Seven Brothers.  Plus of course, the seven habits of highly effective people.

Here’s our own set of seven.  They might not be magical, but hopefully they are practical.  In addition to the PIA tools we have available via our Compliance Kits, these are our seven tips on how to make sure that a Privacy Impact Assessment is effective.

Do more than a legal compliance check

Despite the definition of PIAs from the Privacy Act making clear that they are about measuring and mitigating “the impact that the activity or function might have on the privacy of individuals”, many PIAs are conducted as if they are simply a compliance check against statutory privacy principles.  They test that the organisation commissioning or conducting the activity will comply with the law, without ever asking what impact the activity will have on individuals.

An example of how looking for privacy impacts is broader than simply reviewing compliance with data privacy laws is in relation to body scanning technology.  When first trialled at airports in the wake of the 11 September 2001 terrorist attacks, full body scanners offered screening officials a real-time image of what a passenger looks like naked.  Despite the image not being visible to anyone else, and the image not being recorded, and no other ‘personal information’ being collected by the technology (and thus the technology posed no difficulties complying with the Privacy Act), the visceral reaction by the public against the invasion of their privacy was immediate.  The technology was as a result re-configured to instead show screening officers an image of a generic outline of a human body, with heat maps showing where on any given passenger’s body the security staff should pat down or examine for items of concern.

Review the ecosystem, rather than elements in isolation

PIAs which focus on one element of a project or program, rather than the whole ecosystem, will often miss the point.  A PIA should examine not just a piece of tech in isolation, but the design of the entire ecosystem in which the tech is supposed to work, including legal protections, transparency and messaging, which together add up to how well users understand how the technology works.  How well users understand how a system or product works makes a difference to their level of trust, because they can make more informed decisions for themselves.

An example is the PIA of the COVIDSafe app, which did not examine compliance, or risks posed, by the State and Territory health departments which would actually be accessing and using the identifiable data collected by the app.  Each of those health departments was covered by a different part of the patchwork of privacy laws in Australia (and in the case of SA and WA, no privacy laws).  The scope of the PIA was limited to the federal Department of Health’s compliance with the federal Privacy Act.  The PIA Report’s authors called out this limitation in their report, along with the lack of time available to consult with either State and Territory privacy regulators, civil society representatives or other experts.  Despite this, the PIA was reported in the media as giving ‘the privacy tick’ to the app.

Test for necessity, legitimacy and proportionality

A PIA should not only be about assessing one potential vector for privacy harm such as the compromise of personal information.

The OAIC has made clear that a PIA should assess:

  • whether the objective of an activity is a legitimate objective,
  • whether or not the proposal (in terms of how it will handle personal information) is necessary to achieve that objective, and
  • whether or not any negative impacts on individuals are proportionate to the benefits or achievement of the objective.

In particular, a PIA should identify “potential alternatives for achieving the goals of the project”, which could be less privacy-invasive.

The OAIC’s determination against 7-Eleven offers a good example.  While finding that the company’s objective of “understanding customers’ in-store experience” was legitimate, the covert collection of biometrics to achieve that objective was neither necessary nor proportionate to the benefits.  (The store had implemented facial recognition technology without notice or consent to test who was answering its in-store customer satisfaction surveys.)

In the Clearview AI case, the OAIC further established that the tests of “necessity, legitimacy and proportionality” are to be determined with reference to “any public interest benefits” of the technology; the commercial interests of the entity are irrelevant.

Test the tech

Again the PIA of the COVIDSafe app is a prime example.  This PIA turned out not to be a review of the app at all.  The reviewers could not test the app’s functionality, let alone test whether assertions made about the data flows were correct.  The terms of reference for the PIA were simply whether the Department of Health could lawfully participate in the proposed data flows.

This is related to the failure to test for proportionality.  A proper assessment of privacy impacts on individuals should involve balancing benefits against risks.  If a PIA cannot test whether the benefits will actually or even likely be achieved, no judgment can be made about whether or not the privacy risks will be outweighed by the benefits.  Had the PIA reviewers been able to test the functionality of the app, and had they therefore been able to determine – as later became apparent – that the app did not work on iPhones and had other technical problems as well, then a judgment could have been made much sooner that the benefits did not outweigh the risks to privacy (let alone the financial costs of the project) at all.

Consider customer expectations and the role of social licence in gaining trust

Public trust is not as simple as asking: “Do you trust this organisation / brand?”  It’s about asking: “Do you trust this particular way your data is going to be used for this particular purpose, can you see that it will deliver benefits (whether those benefits are personally for you or for others), and are you comfortable that those benefits outweigh the risks for you?”

When you realise that this more complex set of questions is the thinking behind consumer sentiment, you can see how important it is to assess each different data use proposal on a case-by-case basis, because the nature of the proposal, and the context it is in, will make each value proposition unique.  That means the balancing act between benefits and risks from a privacy point of view needs to be done fresh for every different project.

Utilise multiple mitigation levers

Levers to address privacy risks can include:

  • technology design
  • technology configuration (i.e. choosing which settings to use when implementing off-the-shelf tech)
  • legislation
  • policy (including policy, procedures, protocols, standards, rules etc)
  • governance
  • public communications
  • user guidance, and
  • staff training.

Comparing two different covid-related apps offers a good example of how different levers may be pulled to mitigate similar privacy risks.  The development of the federal government’s COVIDSafe app was rightly lauded for including strong, bespoke legal privacy protections (such as to prevent use for law enforcement purposes) developed very early on, yet the app itself had design flaws which could leak data to bad actors.  By contrast the NSW government’s ‘Covid Safe Check-in’ app did not have specific legal protections until months after its launch, but it had more protections baked into the app’s design: it put the user in complete control of when the app was used, compared with the COVIDSafe ‘always on’ design.

Follow the recommendations

This should go without saying, but simply conducting a PIA is not enough.  Unless findings and recommendations to mitigate privacy risks are followed, a PIA will be nothing more than a smokescreen, offering a veneer of respectability to a project.

In particular, a PIA may result in a recommendation to significantly alter the course of a project.  Project teams need to be prepared for this possibility.  Make sure your project teams allow enough time to absorb recommendations from a PIA, and even pivot, pause or scrap the project if it becomes necessary.

So there you have it: our seven tips for making your PIAs effective.  It’s not magic, just logic.

With easy-to-use templates + Salinger Privacy know-how via checklists and more, we can help you steer your PIA in the right direction.  Take a look at our complete range of Compliance Kits to see which suits you best.

Photograph © Shutterstock