Channel: Salinger Privacy

The Data-Sharing Dilemma


Who gets to use public sector data, for what purposes, and under what conditions?  Whose data is it anyway?

That is the debate at the heart of a proposal now being put forward by the Australian Government, in its exposure draft of the Data Availability and Transparency (DAT) Bill.

If it becomes law, the DAT Bill will dramatically overturn more than 30 years of privacy jurisprudence, which currently limits when personal information about you or me can be disclosed by Australian Government agencies. The past few decades of privacy law and policy were all kicked off in the 1980s with immense public opposition to the Australia Card proposal, which would have facilitated – you guessed it – loads more data-sharing by and between government agencies.

So why the change?  And why now, when community concern about privacy, and levels of discomfort about data-sharing in particular, are rising?

This blog will unpack the DAT Bill proposal for you and explain some of the privacy impacts as we see them.  (Oh, and along the way we will encourage you to make a submission if you’re not happy about the idea.)

Where has the DAT Bill come from?

The DAT Bill is the latest stage in a process which began with a 2016 Productivity Commission public inquiry and report on Data Availability and Use, which had the lofty aim to “unlock the full potential of public sector data in Australia”.  (You can read about the experience of our Principal, Anna Johnston, appearing before the Productivity Commission here.)

The Productivity Commission suggested that Australia is missing out on unknown opportunities due to the untapped potential of data.  At the centre of the recommendations was the creation of the then-called Data Sharing and Release Act, as well as a National Data Commissioner to oversee the new scheme.

In 2018 we saw the first iteration of proposed legislation in an Issues Paper on the proposed ‘Data Sharing and Release’ Bill. You can read the submission Salinger Privacy provided along with other privacy professionals here, but suffice to say – we were not happy.

The 2020 DAT Bill is the most recent version of the proposal. Gone is the tech-bro fantasy of unlocking the value of big data, and in its place is a more prosaic aim to “deliver better, more seamless services to the public” and “planning for the future based on the best available information.”

What does the proposed data sharing scheme look like?

The first thing to understand about the DAT Bill is that the entire data sharing scheme it would implement is a carve out from Australian Privacy Principle 6 (APP 6), which governs how personal information can be used and disclosed.  In doing so, the DAT Bill represents a fundamental and significant change to the way information privacy is understood and implemented in Australia.

In the current landscape, if an organisation is covered by the Privacy Act 1988, and it wishes to share the personal information it holds with another organisation, APP 6 allows disclosure on only a few grounds.  One ground is for a directly related secondary purpose, another is with consent, and another is if another law specifically authorises it.  Otherwise, you need to find a suitable exemption, such as for ethically approved research in the public interest. So for Australian Government agencies which hold our personal information, there are ways to share it – but subject to some limitations and protections. They can’t just go ahead and give it to another organisation because it seems like a good idea.

Enter: the DAT Bill.

The proposed data sharing scheme would enable broad disclosures of public sector data, including personal information, by providing an overarching “alternative authority” to share. This sidesteps APP 6, and overrides most of the secrecy provisions and non-disclosure prohibitions that have been established over decades of law-making.

This also disregards community expectations around privacy. Don’t just take our word for it: research conducted for the Office of the Australian Information Commissioner found that 9 out of 10 Australians want more control over their personal information, not less.  And 70% of Australians expressed discomfort with the idea of their personal information, held by government agencies, being shared with the private sector.

The nuts and bolts of the scheme

Under the proposed data sharing scheme, the public sector agencies which hold the information (‘data custodians’) are able to disclose public sector data, provided that the recipient of the data is an ‘accredited user’.  Organisations only need to seek accreditation once in order to access data many times, from many data custodians. The Accreditation Framework is important as it is the entry point into the scheme and determines who gets access to public sector data.

In this sense, the DAT Bill proposes a loosely controlled environment for sharing: you have to be in the club before you get the benefits.  The scheme, at this stage, does not include release of public sector data to the public at large, aka ‘open data’.

In order to become accredited by the National Data Commissioner, an entity needs to demonstrate capacity in three broad areas: governance and administrative frameworks, security and privacy of data, and technical skills and capacity.

Once you’re in the scheme, public sector data, including personal information, can be shared for “permitted purposes”, which are:

  • Delivery of government services
  • To inform government policy and programs, and
  • Research and development

There are also “precluded purposes” which are not authorised by the Bill, such as law enforcement, compliance, assurance and national security purposes.

But let’s face it: the three permitted purposes are already broad enough to drive a truck through.

There seems a certain kind of naivety involved in this formula: if the law says that data-sharing can only be used for the ‘good’ purposes, then it will only be used for good, right?  This wishful thinking reminds me of the tech-bro protagonists of The Social Dilemma, who line up to wash their hands of their own moral responsibility for the various ills wrought by Big Tech with ‘we weren’t expecting any of the bad stuff, who could have predicted that?’  (The answer, of course, was a diverse array of privacy advocates, ethicists, historians and philosophers who did predict it, but were ignored in the ‘move fast and break things’ rush for growth and profits.)

The safeguards

Once in the scheme, in order to share data there are five data sharing principles to consider. These have been adapted from the Five Safes Framework and are:

  • Project: data is shared for an appropriate project/program that includes consideration of the public interest, ethics, and privacy
  • People: data is made available only to appropriate persons who have the right training and skills
  • Setting: data is shared in an appropriately controlled environment
  • Data: appropriate protections are applied to the data – including data minimisation principle
  • Outputs: are as agreed, and appropriate for future use

But that’s about it for safeguards, folks. There is no requirement that personal information be de-identified first.  (De-identification is mentioned as a privacy-enhancing measure, but we know it’s not infallible as a privacy risk control.)  And there is no requirement for independent ethical review which might otherwise be required to attest that no privacy harm (or other downstream impacts, especially for vulnerable populations) will arise from sharing the data.  No requirement that the results of the data-sharing must benefit the public overall, rather than private interests.

And the scheme is not limited to government agencies only sharing with other government agencies.  ‘Accredited users’ can be other government agencies at all levels, as well as industry, research bodies and the private sector more broadly.  The proposed scheme also plays with the idea that entities could potentially pay a fee in order to become accredited and enter the scheme.

By our reading, this means a private sector company could buy a ticket into the data club, jump through a couple of hoops, and then turn a profit off research they conduct using the personal information of Australians collected by the government.  If your ethical alarm bells aren’t ringing yet, they should be, because this starts to look alarmingly like the ability for companies to pay for access to public sector data, which would be an egregious breach of community trust.

What does this mean for privacy?

When we as individuals share our personal information with government, it’s generally because we have to. Government agencies typically collect our personal information because they can compel us by law (e.g. we must file our tax returns), or because we want or need to access some kind of government service (e.g. get a passport, or claim social security benefits, childcare rebates, or NDIS assistance).  This means that there aren’t many opportunities for us as citizens to opt-out of public sector data collection and use.  Also, the nature of personal information we need to provide to government, in order to receive services, can be quite intrusive into our private lives.

We shouldn’t even think about this as ‘public sector data’.  It is personal information about us, held by government agencies, in order to run government programs and services for our benefit.  They are merely custodians of our data.

The default position should be – and has been, until now – that any disclosure of our personal information should only occur in very limited circumstances.  Right now, APP 6 offers a balancing act between protecting the privacy of individuals, and allowing for other activities in the public interest.  The DAT Bill will overturn that delicate balance.

The DAT Bill takes a framework that was designed to control for one very particular type of privacy risk – namely re-identification risk from the release of de-identified datasets, such as when the ABS releases data built from Census forms – and elevates it as the primary means by which to judge whether a disclosure should occur in the first place.  That is not what the Five Safes Framework was designed for.  Determining whether a disclosure should occur in the first place requires a delicate balancing of competing public interests – which, by the way, the Privacy Act, and secrecy provisions built into various pieces of legislation, have been doing for more than 30 years.

And if you are harmed as a result of the disclosure of your personal information under this new scheme?  Too bad.  While in theory your right to complain to the OAIC will still exist, in practice you will have no legal ground about which to complain, because the disclosure will have been authorised under APP 6 by this new law.

Contrary to community expectations – and the Government themselves?

As mentioned earlier, the proposed scheme flies in the face of the expectations of the majority of Australians.  Since the Productivity Commission’s initial recommendations were made in 2016, we have seen the tide turn against data-sharing, and in favour of more privacy protections rather than less.  There has been an undeniable shift in public consciousness and care about privacy.  The Cambridge Analytica revelations and on-going Facebook scandals, the ACCC’s Digital Platforms Inquiry, CensusFail, RoboDebt, re-identification attacks and data breaches too numerous to mention have all added up to public demands for better privacy protections from government.

In recognition of this, the Australian Government has recently committed to a review of the Privacy Act, and to bringing forward amendments in 2021 to strengthen the Privacy Act and bring it into line with community expectations and global best practice.

Yet this DAT Bill, to undercut the existing level of protection in the Privacy Act, is being proposed by the same government, at the very same time.  You have to wonder if perhaps the left hand doesn’t know what the right hand is doing.

So how to resolve the data-sharing dilemma?

The prospect of enabling widespread disclosure of our personal information by government, without much more than the Five Safes Framework as a protection, rings huge alarm bells.  Overriding existing legal protections is a naïve, blunt and reckless approach to improving the mechanics of data-sharing.

In our view, a better approach would be to reform and strengthen the Privacy Act to meet community expectations and technological advances, while also better enabling ethically approved research in the public interest.  (The research exemptions at sections 95 and 95A in particular need dragging into the 21st century.)  This should be done before trying to implement the DAT Bill, or else personal information should be removed from the DAT Bill’s scope altogether.

UPDATED NOVEMBER 2020:

The National Data Commissioner is accepting submissions until November 6. 

Salinger Privacy worked with colleagues in the privacy profession on a submission, which is now available here.


Photograph © Shutterstock

If you enjoyed this blog, subscribe to our newsletter to receive more privacy insights and news every month – sign up below.


Location, location, location: online or offline, privacy matters


One of the key findings of the OAIC’s latest Australian Community Attitudes to Privacy Survey is that 62% of Australians are uncomfortable with their location being tracked through their mobile or web browser.  Our Kiwi cousins are remarkably similar: a survey by the New Zealand Privacy Commissioner in 2016 asked what people found most ‘sensitive’, with 63% responding that they were sensitive about physical location.

Indeed across continents and cultures the message is the same: sharing location data makes the majority of people feel “stressed, nervous or vulnerable, triggering fears of burglaries, spying, stalkers and digital or physical harm”.

And yet, website and app developers routinely collect location data.  How do they get away with it?  And can location data ever be considered de-identified?

The proliferation of location data

With the advent of mobile phones, telephony providers began to know where we were.  With the shift to smartphones, that knowledge has spread well beyond just our phone providers; multiple smartphone apps use a mixture of GPS, Bluetooth and Wi-Fi signals to pinpoint locations whenever we carry our phones.

A global ‘sweep’ of more than 1,200 mobile apps by Privacy Commissioners around the world in 2014 found that three-quarters of all the apps examined requested one or more permissions; the most common was location.  Disturbingly, 31% of apps requested information not relevant to the app’s stated functionality.  A prominent example was a torch app which tracked users’ precise location, and sold that data to advertisers.

More recently, a scan of 136 Covid-19-related apps for the 2020 Defcon security conference found that three quarters asked for location data, even in apps where the stated functionality was simply to monitor the user’s symptoms.

(Given these findings, perhaps it is no surprise that the outbreak of COVID-19 has also had an impact on the perception of privacy risk and location data, just over the course of 2020.  In the OAIC’s community attitudes survey, location tracking was initially perceived as the fifth biggest privacy risk we face at the beginning of the year, but by April it had risen to the third biggest privacy risk, ahead even of government surveillance.)

However it is not only apps we install on our mobile phones which can track our location.  Bluetooth signals emitted by wearable devices can be collected by third parties; and venues such as shopping centres and airports (or, briefly, rubbish bins in London) use the MAC addresses broadcast by devices to detect how populations are moving within a space, and to identify repeat visitors.

Bluetooth Beacons can also be used to link online advertising to offline transactions.  Having purchased MasterCard transaction data in the US to better tie offline purchases with online advertisements, Google offers advertisers the ability to see whether an ad click or video view results in an in-store purchase within 30 days.  Connecting to shopping centre Westfield’s free wifi involves agreeing to a set of terms and conditions which include linking the mobile device ID with the individual’s wifi use.

Location data is highly granular.  One study suggested that four points of geolocation data alone can potentially uniquely identify 95% of the population.  Mark Pesce, a futurist, inventor and educator, as keynote speaker at the OAIC Business Breakfast for Privacy Awareness Week in 2015, described the geolocation data collected by and broadcast from our smartphones as “almost as unique as fingerprints”.
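To show what the “four points” finding actually measures, here is an added illustration (not code from the original article or any study it cites) that computes a unicity estimate on a small constructed dataset of coarse (cell, hour) observations: the share of people whose k randomly chosen points are matched by no other trace. The dataset generator, its size parameters and the home/work bias are all assumptions made for the example.

```python
"""Unicity estimate for coarse location traces.

Added example, not from the original article.  'Unicity' here means the
fraction of people in a dataset who can be singled out by k of their own
(cell, hour) points, i.e. no other person's trace contains all k points.
It is a risk measure used when assessing whether a 'de-identified' location
dataset still allows individuals to be individuated.
"""
import random


def make_traces(n_users, n_points, n_cells, n_hours, seed=1):
    """Constructed data: user_id -> set of (cell_id, hour_of_day) observations.

    Cells and hours are deliberately coarse to mimic a de-identified release.
    Each user has an assumed 'home' and 'work' cell that attract most points,
    so that traces overlap far more than uniformly random data would.
    """
    rng = random.Random(seed)
    traces = {}
    for uid in range(n_users):
        home, work = rng.randrange(n_cells), rng.randrange(n_cells)
        pts = set()
        while len(pts) < n_points:
            cell = rng.choice([home, work, rng.randrange(n_cells)])
            pts.add((cell, rng.randrange(n_hours)))
        traces[uid] = pts
    return traces


def unicity(traces, k, trials=300, seed=2):
    """Estimate the fraction of users uniquely pinned down by k of their points.

    For each trial: pick a user, pick k of their points at random, and check
    whether any other trace also contains all k.  No match means that knowing
    those k facts (e.g. 'seen in cell 7 at 09:00') singles the person out.
    """
    rng = random.Random(seed)
    users = list(traces)
    unique = 0
    for _ in range(trials):
        uid = rng.choice(users)
        pts = list(traces[uid])
        if len(pts) < k:
            continue
        chosen = set(rng.sample(pts, k))
        matches = sum(
            1 for other, trace in traces.items()
            if other != uid and chosen <= trace
        )
        unique += matches == 0
    return unique / trials


if __name__ == "__main__":
    data = make_traces(n_users=500, n_points=30, n_cells=20, n_hours=24)
    for k in (1, 2, 3, 4):
        print(f"k={k}: unicity ~ {unicity(data, k):.2f}")
```

With these assumed parameters a single point almost never singles anyone out, while four points single out nearly everyone, which is the pattern the cited study reports on real data.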

Data showing where a person has been can reveal not only the obvious, like where they live and work or who they visit, but it may also reveal particularly sensitive information – such as if they have spent time at a church or a needle exchange, a strip club or an abortion clinic.  Some app-makers claim they can even tell which floor of a building people are on.

A recent example is the analysis conducted by Singaporean company Near on the movements of workers at an abattoir in Melbourne, which was the centre of an outbreak during the first COVID-19 isolation period.  Near claimed that it could track this small cohort of workers to specific locations including shops, restaurants and government offices.  (Near uses “anonymous mobile location information” collected “by tapping data collected by apps” to provide insight into the precise movements of individuals, in order to offer advertisers “finer slices of audiences to reach highly qualified prospective customers”.  Near boasts of having “the world’s largest data set of people’s behavior in the real-world” consisting of 1.6 billion ‘users’, across 44 countries, processing 5 billion events per day.)

This information can then be used to target individuals.  For example anti-abortion activists use geo-fencing to target online ads at women as they enter abortion clinics.  Near has reported that it could target individuals with messaging about the Australian Government’s COVIDSafe app: “We can support app adoption, saying to someone you’ve been to a postcode or a high-risk area and encourage them to download the app. That’s quite easy to do”.  This is despite the company’s claim that its data is “anonymized to protect privacy”.

None of these technologies – or their ability to impact on people’s private lives or autonomy – depend on the identifiability of the data subject.  Nonetheless digital platforms, publishers, advertisers, ad brokers and data brokers often claim to work outside the reach of privacy laws because the data in which they trade is ‘de-identified’ or ‘anonymised’ or ‘non-personal’.

In response to such claims of protecting privacy through anonymity, the New York Times’ Privacy Project used publicly available information about people in positions of power, linked with a dataset of location data drawn from mobile phone apps.  The dataset included 50 billion location pings from the phones of more than 12 million Americans in Washington, New York, San Francisco and Los Angeles.  The result was highly invasive:

“We followed military officials with security clearances as they drove home at night. We tracked law enforcement officers as they took their kids to school. We watched high-powered lawyers (and their guests) as they traveled from private jets to vacation properties. … We wanted to document the risk of underregulated surveillance. …Watching dots move across a map sometimes revealed hints of faltering marriages, evidence of drug addiction, records of visits to psychological facilities.  Connecting a sanitized ping to an actual human in time and place could feel like reading someone else’s diary.”

Harms caused by location data

A number of case studies illustrate how the public release of location data about individuals whose identity was unknown even to the data collector can enable groups or individuals to be singled out for targeting.  In each case the dataset had purportedly been ‘de-identified’, but each release created the possibility of serious privacy harms including physical safety risks for some individuals in the dataset.

One disturbing recent example is the finding that publicly disclosed de-identified data about public transport cards used in the city of Melbourne, could be used to find patterns showing young children travelling without an accompanying adult.  Those children could be targeted by a violent predator as a result, without the perpetrator needing to know anything about the child’s identity.

In March 2014, the New York City Taxi & Limousine Commission released data recorded by taxis’ GPS systems.  The dataset covered more than 173 million individual taxi trips taken in New York City during 2013.  The FOI applicant used the data to make a visualisation of a day in the life of a NYC taxi, and published the raw data online for others to use.  It took computer scientist Vijay Pandurangan less than an hour to re-identify each vehicle and driver for all 173 million trips.  Then postgrad student Anthony Tockar found that the geolocation and timestamp data alone could potentially identify taxi passengers.  Using other public data like celebrity gossip blogs, he was able to determine where and when various celebrities got into taxis, thus identifying exactly where named celebrities went, and how much they paid.  Tockar also developed an interactive map, showing the drop-off address for each taxi trip which had begun at a notorious strip club.  The same could be done to identify the start or end-point for each taxi trip to or from an abortion clinic or a mosque, and target the individuals living at the other addresses as a result – without ever needing to learn their identity.

And the release of Strava fitness data in 2017 famously led to a student pointing out that the heat maps could be used to locate sensitive military sites, because military personnel often jog routes just inside the perimeter of their base. Others have noted that the heat map highlighted patterns of road patrols out of military bases in combat zones including in Afghanistan, Iraq, and Syria.  Further, a Strava user has explained how she discovered that her workout routes were accessible to (and commented on by) strangers, even though she had used the privacy settings in the app to prevent public sharing of her data or identity.

The focus should be on preventing harms, not whether or not data is identifiable

Much effort is expended by advertisers and others wishing to track people’s movements, in convincing privacy regulators and consumers that their data is not identifying, and that therefore there is no cause for alarm.  Their goal is to avoid identifying anybody, such that the activity can proceed unregulated by data privacy laws.

In fact the real question both companies and governments should be asking is how to avoid harming anybody.

If the end result of an activity is that an individual can be individuated from a dataset, such that they could, at an individual level, be tracked, profiled, targeted, contacted, or subject to a decision or action which impacts upon them, that is a privacy harm which may need protecting against.

Treat location data as personal information

Privacy professionals reviewing the application of privacy laws to their apps, systems, databases and processes should treat with scepticism any claims that data has been ‘de-identified’ to the point that no individual is reasonably identifiable from the data.

Location data in particular is so rich, and so revealing of patterns of movement and behaviour, that notwithstanding an absence of direct identifiers like name or address, location data alone can oftentimes at least individuate, if not also lead to the identification of, individuals.

Given the degree to which community sentiment suggests that location data is considered highly ‘sensitive’ by a large majority of consumers, I suggest that any organisations holding or using location data would do well to treat all unit record level data as ‘personal information’, and apply the relevant privacy principles, regardless of whether de-identification techniques have already been applied.


This blog is an edited version of an article previously published in the Privacy Law Bulletin 17.6 (September 2020).


What’s in store for privacy law in Australia?


The road to law reform is often long, and in the case of the Australian Privacy Act this latest iteration will prove no exception.

In October 2020 the Australian government released an Issues Paper to explore the question of whether the Privacy Act 1988 and its enforcement mechanisms remain fit for purpose. Submissions were called for, against a range of questions, and will be published on the Attorney General’s Department website in due course.  In terms of next steps, the Government’s plan is to follow up this round of review by publishing a Discussion Paper in 2021 with more concrete proposals for legislative amendments.

This blog provides an overview of the background to this particular review, and thoughts on the likely shape of law reform to come in 2021 and beyond.

The background

Federal privacy law in Australia dates back to 1988, when the Privacy Act was first introduced to regulate federal public sector agencies. That law was born from a proposal to introduce a national identity card, which was ultimately dropped by the Australian government due to public opposition, amidst a growing demand for privacy laws to rein in the powers of bureaucrats.

For the first decade or so the Privacy Act only regulated government agencies, but it was reformed in 2000 to extend its scope to also cover much of the private sector. (Public sector agencies at the state, territory and local government levels are instead regulated by a patchwork of state and territory privacy laws.)

In 2008 the Australian Law Reform Commission (ALRC) tabled the results of its two year long review into the Privacy Act, and made numerous recommendations for reform. Some of those recommendations were accepted and taken up in amendments to the Act, which ultimately took effect in 2014.

The explosion of growth in digital technologies, social media platforms and the Internet of Things all point to the need for privacy law to keep up with the challenges posed to individual privacy by new technologies. In 2019 the Australian Competition and Consumer Commission (ACCC) published its final report from its Digital Platforms Inquiry, which considered the behaviour of the major platforms such as Facebook and Google.  The ACCC’s report highlighted risks for both consumers and businesses from the business models followed by major technology companies which primarily rely on the collection and analysis of consumer data as the source of their wealth and power.  Amongst their other recommendations, the ACCC suggested that the Australian Government should conduct a review into whether the Privacy Act remains fit for purpose in this digital age. In late 2019 the Government agreed to review and reform the Act, which brings us to the Issues Paper released in October 2020.

Terms of Reference

The issues paper asks for submissions in response to 68 questions, ranging across the Terms of Reference, which are to examine and consider options for reform on matters including:

  • The scope and application of the Privacy Act including in relation to: the definition of ‘personal information’, current exemptions, and general permitted situations for the collection, use and disclosure of personal information.
  • Whether the Privacy Act effectively protects personal information and provides a practical and proportionate framework for promoting good privacy practices including in relation to: notification requirements, consent requirements including default privacy settings, overseas data flows, and erasure of personal information.
  • Whether individuals should have direct rights of action to enforce privacy obligations under the Privacy Act.
  • Whether a statutory tort for serious invasions of privacy should be introduced into Australian law.
  • The impact of the notifiable data breach scheme and its effectiveness in meeting its objectives.
  • The effectiveness of enforcement powers and mechanisms under the Privacy Act and the interaction with other Commonwealth regulatory frameworks.
  • The desirability and feasibility of an independent certification scheme to monitor and demonstrate compliance with Australian privacy laws.

Likely directions for reform

One of the themes running through this latest review is the need to ensure that Australia’s privacy laws empower consumers to protect their data, while also ensuring that businesses can engage with consumers online to secure their economic growth. Of particular concern is the need to ensure that the Privacy Act is brought closer into line with GDPR, so that Australia could – possibly – finally secure an ‘adequacy’ decision from the European Commission, which would open up more possibilities for trade in personal information. To date, an adequacy ruling has escaped Australia, primarily because of a number of carve-outs from the Act’s coverage of the private sector, including exemptions for small businesses, employee records, political parties and media organisations.  Expect to see significant debate over any proposals to scrap those exemptions; this is not the first time the matter has been considered.

One of the topics canvassed in the 2008 ALRC report was whether or not Australia should have a statutory tort of privacy, with the ALRC concluding that it should.  The Government did not act on that recommendation. This topic was however referred back to the ALRC in 2013 for its own more comprehensive review, which resulted in a report in 2014. That report again recommended the introduction of a statutory tort for serious invasions of privacy.  Again, the Government of the day did not act.  However the idea has been the subject of numerous other independent or bi-partisan inquiries and recommendations, at both federal and state levels, including most recently by the ACCC.  2021 might finally be the year in which the Government acts on the multiple recommendations.

Between the European Parliament moving on AdTech and Google phasing out third party cookies by 2022, expect this latest review to also focus on targeted advertising, personalised content and the role of online identifiers.  A re-think of the threshold definition of ‘personal information’ and whether it does implicitly, or should explicitly, include online identifiers and technical data, or should allow for individuation, could lead to significant shifts in the scope of Australian privacy regulation.

Another topic likely to gain plenty of attention is the need to reduce reliance on the ‘notice and consent’ self-management model of privacy regulation, in favour of stricter limits on collection, use and disclosure.  The Issues Paper canvasses alternative models such as GDPR-type over-arching fairness tests and Canadian no-go zones for certain types of data flows.

Also looking to other jurisdictions for influence and ideas, the Issues Paper asks whether Australia should introduce some GDPR-type individual rights, such as the right to erasure, or US-type certification schemes.

Finally, expect some consideration about how to improve access to justice, such as a direct right of action for individuals with a complaint about a breach of a privacy principle.  To date complainants can only approach the privacy regulator, the Office of the Australian Information Commissioner (OAIC), whose backlog of complaints creates delays and operates as a barrier to resolution.  The ability to take a complaint to a tribunal or court with the power to order compensation – as happens under some State privacy laws – could see a meaningful improvement in access to justice for those individuals keen to have their day in court.

The Salinger Privacy wishlist

What’s on our wishlist for 2021?  A Privacy Act fit for the digital economy.  You can read our detailed submission in response to the Issues Paper here.

 

Photograph © Shutterstock

If you enjoyed this blog, subscribe to our newsletter to receive more privacy insights and news every month – sign up below.

Design jam leaves customers in a privacy pickle


A recent determination by the OAIC in the Flight Centre case demonstrates the potential to cause privacy harm when personal information is recorded and stored inappropriately.  In that case a free-text field designed for a different purpose was used by some staff – contrary to company policy – to enter credit card and/or passport numbers.  This led to the disclosure of almost 7,000 customers’ valuable personal information.

This month’s blog reviews the case, and highlights the implications for all organisations with respect to data security, as well as the role of consent and your privacy policy.

Background

In 2017 Flight Centre – a large travel agency in Australia – organised an event known as a ‘design jam’, which was intended to create technological solutions for travel agents to better support customers.  16 teams participated in the event, without being required to sign a non-disclosure agreement.

Participants were given access to 106 million rows of data representing transactions across the previous two years. There were over 6 million individual customer records included.

Although steps were taken to de-identify the customer records within the dataset, the steps taken were insufficient. In particular, a free text field which remained in the dataset included personal information about almost 7,000 customers.  Contrary to company policy, some staff had used the free text field to store details of customers’ credit card numbers and passport numbers.  (The free text field was actually intended to be used by staff to communicate internally about a customer’s booking.)  The existence of this personal information within the dataset was not picked up during a review of 1,000 rows of the dataset before it was released to the event participants.

Can a Privacy Policy demonstrate consent?

The Flight Centre case provides a useful illustration of the necessity of meeting all five elements in order to obtain a valid consent.  Consent must be voluntary, informed, specific, current, and given by a person with capacity.

The respondent had argued that its Privacy Policy permitted the use of personal information for product development purposes (which was the business objective behind the design jam event) because customers had consented to this use via the Privacy Policy in the course of transacting with the company.  However the OAIC disagreed, noting that an organisation “cannot infer consent simply because it provided an individual with a policy or notice of a proposed collection, use or disclosure of personal information”.

Further, the OAIC stated that a Privacy Policy is “a transparency mechanism…  It is not generally a way of providing notice and obtaining consent”.

In relation to the particular Privacy Policy, the OAIC found:

  • “consent could not be obtained through the Privacy Policy as it was not sufficiently specific, and bundled together different uses and disclosures of personal information”;
  • “a request for consent (should) clearly identify the kind of information to be disclosed, the recipient entities, (and) the purpose of the disclosure”; and
  • “Any purported consent was not voluntary, as the Privacy Policy did not provide individuals with a genuine opportunity to choose which collections, uses and disclosures they agreed to, and which they did not”.

In the absence of consent, Flight Centre was found to have disclosed personal information in breach of the Use & Disclosure principle (APP 6).

Data security failures

The OAIC also found that Flight Centre had breached the Data Security principle (APP 11), stating:

“the storage of passport information and credit card details in a free text field (in a manner inconsistent with applicable policies), and the absence of technical controls to prevent or detect such incorrect storage, caused an inherent data security risk in terms of how this kind of personal information was protected”.

The OAIC also noted:

  • “the respondent should have implemented technical controls that would detect whether staff had included credit card details and passport information in the free text field of its quoting, invoicing and receipting system”, and
  • a “reasonable step” would have been “to implement an automated scanning technique to review data” to check for any remaining personal information prior to the disclosure.

Of particular interest are the OAIC’s conclusions about the role of business process as well as system design:

“The steps required to protect an entity’s information holdings from unauthorised disclosure will invariably be multi-layered and multi-faceted. Entities should assume that human errors… will occur, and design for it”.

Lessons learned

What can we learn from Flight Centre’s failures?

First, understanding the human element in data breaches is critical.  Policies and procedures, and staff training, are not enough.  The OAIC noted that organisations should assume that human errors will occur, and should design systems accordingly.  Include both technical controls to prevent poor practices, and assurance testing to find and remedy them.

In the case of Flight Centre, while internal policies were clear, the OAIC found that they were not routinely followed, by a number of staff, over a significant time period.  Further, the OAIC found that technical controls and assurance procedures were inadequate to address the storage of data by staff in inappropriate fields.  This created an inherent privacy risk.

However, much like the data breach arising from the public release of a Myki card dataset, which was also released to participants in a hackathon event, no privacy impact assessment was completed, because of the mistaken belief that the data had all been de-identified and that no personal information remained.  The lessons learned here are to mandate a Privacy Impact Assessment methodology across all projects, and not to take de-identification claims at face value.

Another lesson learned is the need to use available technology to scan for personal information stored within your systems, especially within free text data fields and unstructured data.
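The kind of control the OAIC describes, an automated scan of free-text fields for card and passport numbers before a dataset leaves the organisation, can be quite simple.  The following is an added example written for this blog; it is not Flight Centre’s system or anything the OAIC published.  The sample rows are constructed, and the passport pattern (one or two letters followed by seven digits) is an assumption about the formats you might hold, to be adjusted for your own data.  Card candidates are only reported if they pass the Luhn checksum, which is what stops ordinary sixteen-digit booking references from being flagged.

```python
import re

# Constructed sample export from a quoting/invoicing system with a free-text
# "agent_notes" field. All values are invented for this example.
SAMPLE_ROWS = [
    {"row_id": 1, "agent_notes": "Client prefers aisle seat, call after 5pm."},
    {"row_id": 2, "agent_notes": "Paid by card 4111 1111 1111 1111 exp 03/24"},
    {"row_id": 3, "agent_notes": "Passport PA1234567 sighted, visa ok"},
    {"row_id": 4, "agent_notes": "Ref 1234567890123456 - group booking"},
    {"row_id": 5, "agent_notes": ""},
]

# A run of 13-19 digits, optionally separated by spaces or dashes, not
# adjacent to other digits.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Assumed passport format for this example: one or two upper-case letters
# followed by seven digits (e.g. N1234567, PA1234567).
PASSPORT_RE = re.compile(r"\b[A-Z]{1,2}\d{7}\b")


def luhn_valid(digits: str) -> bool:
    """True if a digit string passes the Luhn checksum used by payment cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_sensitive(text: str) -> list[tuple[str, str]]:
    """Return (kind, masked_value) pairs for each card or passport number found."""
    findings = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            # keep only the last four digits in the report itself
            findings.append(("card", "*" * (len(digits) - 4) + digits[-4:]))
    for m in PASSPORT_RE.finditer(text):
        value = m.group()
        findings.append(("passport", value[:2] + "*****" + value[-2:]))
    return findings


def scan_rows(rows, field: str = "agent_notes") -> list[tuple[int, str, str, str]]:
    """Scan one free-text field across all rows; returns (row_id, field, kind, masked)."""
    hits = []
    for row in rows:
        for kind, masked in find_sensitive(row.get(field) or ""):
            hits.append((row["row_id"], field, kind, masked))
    return hits


def release_gate(rows, field: str = "agent_notes") -> bool:
    """True only when the scan found nothing; a release should stop otherwise."""
    return not scan_rows(rows, field)


if __name__ == "__main__":
    for hit in scan_rows(SAMPLE_ROWS):
        print(hit)
    print("safe to release:", release_gate(SAMPLE_ROWS))
```

Run against the sample rows, the scan reports the card in row 2 and the passport number in row 3, ignores the booking reference in row 4, and the release gate returns false.  The same functions can be run periodically over production tables to find values staff have stored in the wrong field, which is the first of the two controls the OAIC said should have existed.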

A risk management lesson learned is to apply third party risk assessment procedures to unusual situations such as hackathon events, in which third parties – which are not typical contracted service providers, vendors or suppliers – are nonetheless given access to, or copies of, data.  Flight Centre admitted that its vendor management policy was not followed in the lead up to the design jam event; nor were event participants asked to sign a non-disclosure agreement, or agree to any terms, before participating in the event.

And the final lesson learned is to not rely on your Privacy Policy to authorise your use or disclosure of personal information.  As we said in Why you’ve been drafting your Privacy Policy all wrong, a Privacy Policy is not magic.  It cannot authorise you to do anything that the privacy principles don’t already allow.  The OAIC has said it clearly: a Privacy Policy is purely a transparency mechanism, and not a way of either providing notice or obtaining consent.  If you need consent to authorise your conduct, that consent needs to be voluntary, informed, specific, current, and given by a person with capacity.  It cannot be obtained by making your customers ‘agree’ to your Privacy Policy.

So don’t let your customer data turn into a privacy pickle: check staff compliance with policies about data storage, don’t take ‘de-identified’ claims at face value, routinely scan your information assets for protected data, use PIAs and third party risk management strategies on all types of projects, and whatever you do, don’t expect your Privacy Policy to magically shield you from compliance with your Use and Disclosure obligations.


Representative redress required to mop up after asylum seeker data breach


The Office of the Australian Information Commissioner’s recent determination in ‘WP’ and Secretary to the Department of Home Affairs highlights the traction that can be gained through a representative complaint that stems from a single data breach – even when the breach was well-contained post-incident.

‘WP’ sets out the approach to determining appropriate compensation for a large group of individuals comprising a representative complaint.  In particular, the case confirms the approach the OAIC will take when making determinations about the distribution of compensation for representative complaints which feature individuals suffering different levels of harm.  The case also offers useful lessons for organisations dealing with a large-scale data breach.

Background

The complaint concerned a breach of the IPPs in the Privacy Act by the (then) Department of Immigration and Border Protection (DIBP), now known as the Department of Home Affairs.

On 19 February 2014, The Guardian Australia notified the OAIC that a ‘database’ containing the personal information of ‘almost 10,000’ asylum seekers was available in a report on the DIBP website.

The breach occurred when an Excel spreadsheet containing statistical data of 9,258 individuals was mistakenly embedded in a Word document published to the website.  (DIBP had a practice of publishing its reports in both Word and PDF formats to assist accessibility of its reports.)  This spreadsheet was merely one of the documents used to compile statistics for the DIBP’s official publication.

The data contained full names, gender, citizenship, date of birth, period of immigration detention, location, boat arrival details, and reasons why the individual was deemed to be ‘unlawful’.  Some of this included ‘sensitive information’ as defined under the Privacy Act, but it was inherently also ‘sensitive’ by common standards – in light of these particular individuals’ vulnerability, and the potential risks to their personal safety as asylum seekers.

DIBP removed the report within an hour of notification.  However in the eight days during which the report was accessible online, it was accessed a number of times, and republished by an automated archiving service.

OAIC’s Own Motion investigation

The OAIC formally investigated the incident in 2014, finding:

  • DIBP was aware of the risks of embedding personal information in publications, but its systems and processes did not adequately address them
  • as a result, DIBP staff simply did not detect the embedded information when the document was created, or before it was published
  • the breach may have been avoided if DIBP had implemented processes to de-identify data in situations where a full dataset was not needed
  • the incident was particularly concerning due to the vulnerability of the people involved, and
  • ‘prevention far better than cure’ – the breach also demonstrated the difficulties of effectively containing a breach where information has been published online, and highlighted the importance of taking steps to prevent data breaches from occurring, rather than relying on steps to contain them after they have occurred.

The OAIC made a number of recommendations about how DIBP could improve its processes, including requesting that DIBP engage an independent auditor to certify that it had implemented a planned remediation, and provide a copy of the certification and report to the OAIC.
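The breach mechanism here, a spreadsheet embedded inside a Word document, is one that can be checked for automatically before anything is published.  A .docx file is a zip package of XML parts, and objects embedded into the document (such as a pasted Excel workbook) are stored under word/embeddings/ inside that package.  The following is an added example for this blog, not a DIBP or OAIC tool: it builds a constructed sample document in memory, then lists any embedded parts and reports how many worksheets an embedded workbook contains, so a publishing step can refuse a file that still carries its source data.  The embeddings paths for the three Office formats are the usual package conventions; the sample content is invented.

```python
import io
import zipfile

# Where Office packages keep embedded objects, by file extension.
EMBEDDINGS_DIR = {
    "docx": "word/embeddings/",
    "pptx": "ppt/embeddings/",
    "xlsx": "xl/embeddings/",
}


def build_sample_docx(with_embedded_sheet: bool) -> bytes:
    """Construct a minimal docx-like package in memory (sample data only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as docx:
        docx.writestr("[Content_Types].xml", "<Types/>")
        docx.writestr(
            "word/document.xml",
            "<w:document><w:body><w:p>Detention statistics (constructed sample)"
            "</w:p></w:body></w:document>",
        )
        if with_embedded_sheet:
            # An embedded workbook is itself a zip package with worksheet parts.
            sheet = io.BytesIO()
            with zipfile.ZipFile(sheet, "w") as xlsx:
                xlsx.writestr("xl/workbook.xml", "<workbook/>")
                xlsx.writestr(
                    "xl/worksheets/sheet1.xml",
                    "<sheetData><row><c t='inlineStr'><is><t>SAMPLE NAME</t>"
                    "</is></c></row></sheetData>",
                )
            docx.writestr("word/embeddings/Microsoft_Excel_Worksheet1.xlsx",
                          sheet.getvalue())
    return buf.getvalue()


def find_embedded_parts(package: bytes, ext: str = "docx") -> list[dict]:
    """List embedded objects in an Office package; worksheet count for workbooks."""
    prefix = EMBEDDINGS_DIR[ext]
    found = []
    with zipfile.ZipFile(io.BytesIO(package)) as pkg:
        for info in pkg.infolist():
            if not info.filename.startswith(prefix):
                continue
            part = {"path": info.filename, "size": info.file_size, "worksheets": 0}
            data = pkg.read(info.filename)
            if zipfile.is_zipfile(io.BytesIO(data)):
                with zipfile.ZipFile(io.BytesIO(data)) as inner:
                    part["worksheets"] = sum(
                        1 for n in inner.namelist() if n.startswith("xl/worksheets/")
                    )
            found.append(part)
    return found


def safe_to_publish(package: bytes, ext: str = "docx") -> bool:
    """A publication gate: false if any embedded object remains in the file."""
    return not find_embedded_parts(package, ext)


if __name__ == "__main__":
    report = build_sample_docx(with_embedded_sheet=True)
    for part in find_embedded_parts(report):
        print(part)
    print("safe to publish:", safe_to_publish(report))
```

For the sample with the embedded sheet the gate returns false and the report names the workbook and its single worksheet; for the plain document it returns true.  The same check belongs in the step that converts a Word report to the published formats, because the PDF copy would not have carried the embedded data while the Word copy did.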

The representative complaint

Alongside the OAIC’s ‘own motion’ investigation, the OAIC received over 1,600 complaints from affected individuals.  One of these was re-framed as a representative complaint some months later.

Under the Privacy Act, a ‘representative complaint’ can be made by an individual on behalf of other individuals who have similar complaints about an act or practice that may be an interference with their privacy.  The Commissioner may make a declaration that class members are entitled to compensation for any loss or damage suffered by reason of the act or practice the subject of the complaint.

Significantly, a representative complaint must also satisfy certain conditions under the Act.  It must be able to describe or identify the class members, but it need not specifically name the individuals represented, give the actual number of class members, or have their consent to be represented as class members.  These provisions can support representative complaints arising from large scale data breaches involving the same organisation and the same event – even when the organisation has acted quickly to contain an inadvertent data breach, and may have resolved a portion of complaints directly.

The representative complainant sought a declaration that the 9,258 class members were entitled to an apology from the Department, compensation for economic and non-economic loss, and aggravated damages.  Conciliation was unsuccessfully attempted.

The OAIC then gave notice to all affected individuals to give them the opportunity to provide specific information about loss or damage suffered as a result of the breach, to assist its decision on entitlement to compensation under the representative complaint.  The notice set out the key information encouraged from complainants, how it should ideally be assembled and submitted, and gave a due date for response, which was subsequently extended.

OAIC’s approach to remedy and determination of entitlement

Amongst other things, the January 2021 decision set out the OAIC’s approach to compensation for the 1,297 class members who made submissions or provided evidence about their loss within the timeframe allowed.   It established an overall scale for quantum of damages and sub-categories within the scale, but left the process of how each individual should be assessed in light of their alleged loss to the DIBP to manage, building in additional tiers of review.

Six categories of loss were established for both economic and non-economic loss.  These ranged from no payment for non-economic loss where individuals did not make any submission or give evidence about impact, scaled sums for varying degrees of embarrassment, anxiety or distress, to over $20,000 for individuals who provide evidence of ‘extreme loss or damage resulting from the breach’, such as in relation to specific psychiatric harm.

Existing case principles for interpreting causation were also applied to assess loss.  These principles emphasise that:

  • causation is a question of common sense and experience, determined on the facts of each case
  • in law, causation is a question of identifying where legal responsibility should lie, rather than examining the cause of the event from a scientific or philosophical viewpoint
  • a ‘but for’ analysis is not a sufficient test for causation, although it may be a guide; and
  • where there are multiple elements, each one sufficient on its own to have caused the loss, the causation test may be considered satisfied by each one of them.

The case also illustrates the importance of looking at loss from the perspective of the individual impacted – rather than how most people might be ‘expected’ to have been impacted.  This is important when looking at the potential fall-out from a mass data breach.  A single incident may involve the release of the exact same information about multiple people, but it can have different consequences for different individuals and give rise to a wide range of reactions.

The take-aways

So what can organisations learn from a data breach that morphs into a representative complaint?

For starters, how important it is to know your data.  Just recently we highlighted the Flight Centre case, in which a group of competitors in a ‘design jam’ event were inadvertently able to access the credit card and passport numbers of almost 7,000 customers.  In both the Flight Centre case and this one, the people responsible for publishing or sharing records had no idea that the records even contained personal information.

Second, the proactive assessment of risks concerning use of large datasets is obviously more efficient than mopping up after the fact.  Yet all too often, Privacy Impact Assessments are not undertaken.  Privacy risk management needs to be embedded in organisational culture.

Third, for many organisations managing large datasets, these sorts of breaches should be seen as ‘not if, but when’.  When a large-scale data leak bursts and complainants come forward, they may come from many different sources – individually and directly, via media, regulators, lawyers, support organisations, or other complainants as members of a class.  They may arrive in a trickle or a flood, and build over short or very extended timeframes.  You will need to be prepared with a Data Breach Response Plan, and with a complaints-handling procedure.

Fourth, you will also need to be prepared financially: not only did OAIC’s determination deal with damages for loss, but there were additional costs for the Department in this case, including the appointment of auditors and external expert assessors.

Finally, complaints must be handled sensitively to avoid escalation, and you will need to be alive to the possibility that disclosure of the same data will lead to different and wide-ranging impacts for different individuals.


For more guidance on how to handle a privacy complaint, and the quantum of compensation typically ordered, see our Checklist – Handling a Privacy Complaint.  The Checklist offers a nine step process to follow when handling a privacy complaint about a breach of the APPs, from initial acknowledgement of the complaint through to finalisation, and includes a table summarising all OAIC determinations up to 31 January 2021 in which compensation was ordered.  Along with our template Data Breach Response Plan, the Complaint-Handling Checklist is included in a number of our Privacy Law Compliance Kits.


How to earn your social licence: the role of trust in project design


If you’re asking if your customers trust you, you’re asking the wrong question.

Privacy risk management is not just about legal compliance, but about ensuring that you can meet your customers’ expectations.  (In the context of public services, your ‘customers’ are citizens or residents, but the point remains valid.)

Part of meeting expectations will be ensuring that customers trust what you are proposing to do with their data.  According to research into the topic of trust in emerging technologies, trust matters because it impacts on customers’ intentions and motivations, as well as affecting the degree of ‘buy-in’ from both customers and staff.  High levels of trust can support change management, project implementation success, and process efficiencies.  Meanwhile pre-existing low levels of trust will frame customers’ experiences and interactions, and distrust will lead to active avoidance behaviours.  In the private sector then, ‘trust’ can offer a competitive advantage.

In a public sector context, both the Productivity Commission and the OAIC have noted that community trust and acceptance – aka having a ‘social licence to operate’ – is vital for projects involving greater data sharing and release.  The UK’s privacy regulator has likewise noted that “trust and public engagement is a prerequisite for government systems to work. Greater trust leads to more rapid and complete take up of services across the population being served”.

So what do the stats tell us about trust – who has it, and how to get it?

First, the level of trust Australians place in an organisation to handle their personal information does depend (in part – but I will get to that) on the type of organisation itself.  The OAIC’s regular surveys into community attitudes towards privacy reveal that the organisations with the highest level of trust are health service providers and financial institutions – although with all sectors suffering a significant lessening of trust from 2013 to 2020.  The organisations with the lowest level of trust are social media companies.

But other data from the OAIC also shows us that the two sectors with the worst record in terms of the number of notifiable data breaches suffered are… health service providers and financial institutions!

So what’s going on here – the organisations with ostensibly the worst data security outcomes are also the most trusted?  And if the companies suffering the lowest level of customer trust – hello, Facebook – are miraculously still in business, why are we bothering to care about trust at all?

Clearly, simply asking whether a sector is trusted is not giving us the full picture.

First, trust in a sector as a whole doesn’t necessarily translate into use of a sector as a whole.  It’s not like you or I can really choose not to engage at all with the banking sector, or the healthcare sector, let alone with government.

Second, it turns out that gaining a social licence to use data is far more nuanced than simply a matter of checking that your organisation or brand enjoys an underlying level of trust.

Instead, you need to look at a multiplicity of factors which impact on whether any particular project will have a social licence to operate.

A multi-year, eight-nation research project by the World Economic Forum and Microsoft sought to measure the impact of context on individuals’ attitudes towards privacy and the use of their personal information.  Their research made two critical findings.

First, there are four types of factors which influence an individual’s degree of trust in any given proposal to use their personal information:

  • the situational context – i.e. the nature of the proposal itself
  • demographics – research has shown that an individual’s gender, age, ethnicity and country of origin can each influence the value they place on privacy
  • culture – local cultural norms also play a part, and
  • perceptions – about the strength of legal protections available, as well as about the individual’s own level of confidence navigating technology.

From an organisational point of view, you will only have control over the first of those four factors: the situational context.

Second, in terms of the situational context, there are seven variables that individuals consider, when determining whether they would accept any given scenario involving the use of their personal information.  Interestingly, the single most important variable affecting the ‘acceptability’ of a scenario was not the type of data at issue, the way it was proposed to be used, the type of organisation or institution seeking to use it or even the pre-existing level of trust enjoyed by the particular organisation proposing the project – but the method by which the personal information was originally collected.

In terms of the method of collection, any given set of personal information may be broadly categorised as having been directly provided by the subject, indirectly provided via another party, observed, generated or inferred.  An individual’s ability to control how his or her personal information may be used depends on both an awareness of the collection, and control over that collection.  As awareness and control over the point of collection lessen, so too does trust in the subsequent use of that data.  Understanding how personal information is collected therefore becomes critical to understanding the likely community expectations around the use of that data.

And the WEF research found that the type of entity proposing the project – i.e. the sector the organisation is in, such as healthcare, finance, government etc – turned out to be the least important of all the variables.

So trust in data-related projects is specific to the use case and the design of each project, as well as the type of customers to be affected, far more than it is about underlying levels of trust in particular organisations or sectors.

Here at Salinger Privacy we have a number of clients doing fascinating and valuable work in data analytics, in public interest areas like medical research, or informing public policy on how best to protect children from harm, or how to better educate students or support vulnerable populations.  Being able to achieve those objectives depends so much on public trust and gaining a social licence, so getting the privacy settings right in the design of those projects is a critical issue.

Plus sometimes, even the law will only allow our clients to use or disclose personal information if it will be ‘within reasonable expectations’.

(This ‘fuzzy’ nature of privacy law is actually one of the things I love about it – you do need to use your judgment, and think about what your customers would expect, and what you can do to avoid causing them any harm.  The interpretation of what is ‘reasonable’ is shifting all the time, and that’s a good thing.  It’s how privacy law manages to stay relevant to both new technologies and shifts in community expectations.  If the law was more prescriptive it would quickly become out of date.  Instead, privacy principles expect organisations, regulators and courts alike to take the pulse of society, and adapt accordingly.)

So – how can an organisation gain its social licence to use personal information?  How do you build trust in your project?  How do you know if you will be operating ‘within reasonable expectations’?

In addition to addressing the variables highlighted in the WEF research, you should think about transparency.  Qualitative research conducted in New Zealand on behalf of the Data Futures Partnership found that being transparent about how data is proposed to be used is a crucial step towards community acceptance, and that in particular, customers and citizens expect clear answers to eight key questions:

VALUE

    1. What will my data be used for?
    2. What are the benefits and who will benefit?
    3. Who will be using my data?

PROTECTION

    1. Is my data secure?
    2. Will my data be anonymous?

CHOICE

    1. Can I see and correct data about me?
    2. Will I be asked for consent?
    3. Could my data be sold?

The answers to those questions will be different for every project, and have almost nothing to do with the pre-existing level of trust enjoyed by any particular entity or brand.

So my takeaway message for you is this.  Ask not whether your customers trust you; ask whether you have designed each of your data projects to incorporate the elements needed to make those projects trustworthy.


If you would like to know more about the factors which influence trust in data use projects, join us for a free webinar on 5 May 2021 to celebrate Privacy Awareness Week!

Invite your colleagues who work in privacy or with data to our Masterclass in Data, Privacy and Ethics.  We will draw together global research into the factors that influence customer trust, and our own experience guiding clients through data analytics, business intelligence and research projects, to offer a framework for balancing business objectives with legal and ethical concerns about the use of personal information.  See the Webinar Overview to register.


For all the privacy officers caught in the middle of a tug of war


Oh, privacy advisers, we hear your pain.

No matter whether you work in government or the private sector, your organisations will no doubt be keen to maximise the benefits from your information assets, in order to gain insights into how best to run your business, or to support evidence-based decision making.  However with the increase in the availability and richness of data, the risk of a data breach or privacy breach also rises.

But the rules about secondary use of personal information are not always black and white, and if you also start to throw ethical considerations and customer expectations into the mix… well then, the question becomes: where to start?

A common problem we have seen amongst our clients is this:

  • You’ve got a large amount of data, generated from lots of different source systems, with different data owners or data custodians in charge of each dataset
  • You’ve got pressure from the senior executives to make better use of data
  • You’ve got data requestors, meaning people who want access to data, spread across your organisation too, and they’re pestering the data owners with requests all the time
  • But the data owners are busy, or nervous about not complying with privacy law, or concerned about whether a particular data use proposal is going to create reputational risks for the organisation
  • The privacy team, or Legal, or Risk & Compliance, can get caught in the middle of a tug of war, with people pulling on all sides
  • When privacy advisers are swamped, or suffering from decision paralysis, it creates a bottleneck. Or if risk-averse privacy advisers gain a reputation as “the people who always say ‘no’”, data requestors might start avoiding the privacy advisers entirely, which just makes things worse!

Our observations are this.

Data requestors want:

  • to understand what the legal and ethical limitations are around the use of each dataset
  • to be briefed about the context and limitations of each dataset or data type, in terms of data quality or ‘fitness for purpose’ for their needs
  • clarity about the pathway to follow, who is responsible for assessing data use requests, and what the approval criteria are
  • faster approvals, and
  • more consistent decision-making.

Data owners and data custodians:

  • want guidance to help them make the ‘right’ decision when asked about access to the data for which they are a custodian
  • are worried not only about privacy compliance but other legal issues, including not breaching secrecy rules in other legislation, or contracts, confidentiality agreements or MoUs with other stakeholders and partner organisations, and
  • are worried about other, non-legal consequences of secondary use, such as public trust, and reputational issues which arise from breaking privacy or confidentiality promises made to data subjects at the time of original data collection.

And everyone wants a structured way to consider data use requests which raise ethical issues, but without going down a formal human research ethics committee route every time.

This is increasingly a challenge for organisations keen to make the most out of their data: how to make decisions about secondary data use, which are legal, ethical, and respectful of your customers?

And how do you build that decision-making capability across your organisation, so it’s not just the privacy officer having to figure out the answer every time?

This common dilemma for organisations – and the privacy advisers caught in the middle who seek our advice – inspired the topic for our free Privacy Awareness Week webinar this year.

We are going to explore what the law says, what some ethical frameworks suggest, what research about community expectations tells us, and then we are going to show you how to pull all of those things together, to build a pragmatic framework for balancing business objectives with legal and ethical concerns about the use of personal information.

Join us for a free webinar on 5 May 2021 to celebrate Privacy Awareness Week!

Invite your colleagues who work in privacy or with data to our Masterclass in Data, Privacy and Ethics, to hear how to resolve competing demands to protect yet share data.  See the Webinar Overview to register.


Photograph © Shutterstock

If you enjoyed this blog, subscribe to our newsletter to receive more privacy insights and news every month – sign up below.

Not too much identity technology, and not too little


The World Health Organisation (WHO) has released the first of a series of design documents concerning digital proof of COVID-19 vaccination, as the start of a process to standardise digital versions of existing paper “home-based” records and the international “certificate of vaccination or prophylaxis” aka the Yellow Card: “Interim guidance for developing a Smart Vaccination Certificate” (SVC).

The WHO position so far can be summed up as “Not Too Much Technology; Not Too Much Identity”.

Digitising proof of vaccination

WHO sets out a worthwhile set of reasons for wanting digital proof of vaccination.  This is a contested policy arena; there are plenty of concerns that vaccine passports would lead to discrimination in employment and travel.  The WHO emphasises that the making of rules for the use of any SVCs remains a matter for other policy makers.

So, bearing in mind that proof of vaccination has policy problems, this is how WHO describes the motivation for digital proof:

SVCs can enhance existing paper home-based records and the [Yellow Card] by combining the functionality of both. Additionally, SVCs can provide a way to mitigate fraud and falsification of “paper only” vaccination certificates by having a “digital twin” that can be verified and validated in a reliable and trusted manner, for health, occupational, educational, and travel purposes (as per national and international policies); without depending on an individual verifier’s subjective interpretation. Once an individual’s vaccination record is available in a digital format, additional functionality can be built to support things like automated reminders for the next dose or linkages to other immunization information systems (though these are outside the scope of this document). An SVC is intended to allow for multiple types of use without requiring an individual to hold multiple vaccination records.

Verifiability of vaccination credentials

Until WHO released its guidance, the endeavour to digitise proof of vaccination had been dominated ― almost captured ― by two movements: Self Sovereign Identity and blockchain. Dozens of press reports through 2020 positioned “Verifiable Credentials” as the key to managing vaccine rollouts and “reopening economies”. Some pundits seem to think the long-awaited killer app for digital identity has finally arrived; see e.g. “Coronavirus jumpstarts race for digital ID”.

Several digital proofs of vaccination are being piloted, most of which boast blockchain, including the Evernym IATA TravelPass and IBM’s project in New York City. One of the leading programs in this space is the COVID Credentials Initiative (CCI), formed a year ago by 60 or so companies almost all focused on blockchain. CCI’s messaging today centres on verifiable credentials and minimises blockchain references.  Nevertheless, verifiable credentials are seen by most commentators and technologists as synonymous with ‘identity on blockchain’.

In my view, the technological task of digitising proof of vaccination is straightforward. Blockchain is neither necessary nor sufficient, and no new order is needed for “user-centric” identity management in healthcare (especially in the midst of a pandemic where the priority must be to deliver health services without complicating the way healthcare is managed).

Verifiable credentials on the other hand are a very good idea indeed, in digital proof of vaccination.  Let’s unpack what is really needed here.

In essence, any verifiable credential is an assertion about a data subject ― such as “This person had a COVID Type ABC vaccination on April 1, 2021” ― which is digitally signed by or on behalf of the party making the assertion ― such as “Nurse 12345678, ACME Central Vaccination Clinic”.  Ideally the verifiable credential contains a key pair bound to a data carrier controlled by the subject (typically a cryptographic wallet) so that each time the credential is presented, it is signed afresh by the subject’s private key, giving the receiver confidence that the presentation was made with consent of the individual. The fresh dynamic signature also conveys information about the type of wallet the credential was presented from.

Despite the excitement around the new W3C verifiable credential standard and the popular association of verifiable credentials with blockchain, we have had cryptographically verifiable credentials for many years.  The original verifiable credentials were in fact smartcards and SIM cards.

Whenever you use a Chip and PIN smartcard, the merchant terminal cryptographically verifies the digital signatures of the card-issuing bank (proving the account details are genuine) and of the cardholder (proving the transaction was created afresh on the spot, under the cardholder’s control). The same sort of thing happens when you place a mobile phone call: the SIM card digitally signs a packet of account details, proving to the network that you are a legitimate subscriber.  These attributes about end users in different systems are cryptographically verified at the edge of the networks, without ‘calling home to base’.
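The two-signature structure described above (an issuer signature over the assertion, and a fresh holder signature over each presentation, both checked at the edge with no call home) is easy to show in code. The following is an added example written for this post, not code from WHO, the W3C specification or any of the projects named; it uses Go’s standard-library Ed25519 rather than the X.509 certificates a real PKI trust framework would carry, and every name, key, nonce and claim value in it (the clinic ID, “Nurse 12345678”, the wallet type) is constructed for illustration. A simple `TrustList` map stands in for the trust framework that would, in practice, anchor issuer keys.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// VaccinationClaims is the clinic's assertion about the subject of care (values constructed).
type VaccinationClaims struct {
	Vaccine        string `json:"vaccine"`
	Date           string `json:"date"`
	Clinic         string `json:"clinic"`
	AdministeredBy string `json:"administeredBy"`
}

// Credential binds the claims to the holder's wallet key; IssuerID names the issuer in the TrustList.
type Credential struct {
	Claims    VaccinationClaims `json:"claims"`
	HolderKey string            `json:"holderKey"` // hex ed25519 public key of the wallet
	IssuerID  string            `json:"issuerId"`
	IssuerSig string            `json:"issuerSig"`
}

// Presentation is the credential plus a fresh holder signature over (credential, nonce, wallet type).
type Presentation struct {
	Credential Credential `json:"credential"`
	Nonce      string     `json:"nonce"`
	WalletType string     `json:"walletType"`
	HolderSig  string     `json:"holderSig"`
}

// TrustList stands in for the PKI trust framework: issuer ID -> issuer public key.
type TrustList map[string]ed25519.PublicKey

func newKeyPair() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// canonical returns the bytes a signature covers: encoding/json writes struct fields in
// declaration order, and these structs hold only strings, so Marshal cannot fail.
func canonical(v interface{}) []byte {
	b, _ := json.Marshal(v)
	return b
}

// IssueCredential is the clinic's step: sign the claims together with the holder key.
func IssueCredential(issuerID string, issuerPriv ed25519.PrivateKey, holderPub ed25519.PublicKey, claims VaccinationClaims) Credential {
	c := Credential{Claims: claims, HolderKey: hex.EncodeToString(holderPub), IssuerID: issuerID}
	c.IssuerSig = hex.EncodeToString(ed25519.Sign(issuerPriv, canonical(c)))
	return c
}

// Present is the wallet's step: sign the credential afresh against the verifier's nonce.
func Present(holderPriv ed25519.PrivateKey, c Credential, nonce, walletType string) Presentation {
	p := Presentation{Credential: c, Nonce: nonce, WalletType: walletType}
	p.HolderSig = hex.EncodeToString(ed25519.Sign(holderPriv, canonical(p)))
	return p
}

// Verify is the receiver's step; it needs only the trust list, so it runs without contacting the issuer.
func Verify(trusted TrustList, p Presentation, expectedNonce string) error {
	if p.Nonce != expectedNonce {
		return errors.New("nonce mismatch: stale or replayed presentation")
	}
	issuerPub, ok := trusted[p.Credential.IssuerID]
	if !ok {
		return errors.New("issuer not in trust framework")
	}
	unsignedCred := p.Credential
	unsignedCred.IssuerSig = ""
	iSig, err := hex.DecodeString(p.Credential.IssuerSig)
	if err != nil || !ed25519.Verify(issuerPub, canonical(unsignedCred), iSig) {
		return errors.New("issuer signature invalid: credential forged or altered")
	}
	holderPub, err := hex.DecodeString(p.Credential.HolderKey)
	if err != nil || len(holderPub) != ed25519.PublicKeySize {
		return errors.New("malformed holder key in credential")
	}
	unsignedPres := p
	unsignedPres.HolderSig = ""
	hSig, err := hex.DecodeString(p.HolderSig)
	if err != nil || !ed25519.Verify(ed25519.PublicKey(holderPub), canonical(unsignedPres), hSig) {
		return errors.New("holder signature invalid: not made by the wallet this credential is bound to")
	}
	return nil
}

func main() {
	issuerPub, issuerPriv, _ := newKeyPair()
	holderPub, holderPriv, _ := newKeyPair()
	trusted := TrustList{"acme-central-clinic": issuerPub}
	claims := VaccinationClaims{"COVID Type ABC", "2021-04-01", "ACME Central Vaccination Clinic", "Nurse 12345678"}
	pres := Present(holderPriv, IssueCredential("acme-central-clinic", issuerPriv, holderPub, claims), "nonce-1", "mobile-wallet")
	fmt.Println("verify result:", Verify(trusted, pres, "nonce-1")) // nil on success
}
```

The verifier rejects four distinct failures, each for the reason the post gives: a presentation replayed against a different nonce (no fresh consent), a credential whose claims were altered after issuance (issuer signature no longer matches), a presentation made by a wallet other than the one the credential was bound to (holder signature fails), and an issuer the verifier has no trust anchor for. None of these checks requires network access to the clinic, which is the same property the smartcard and SIM examples rely on.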

What has WHO decided?

WHO convened a Smart Vaccination Certificate Working Group to publish standards for SVC security, authentication, privacy and data exchange.  The interim guidance is the first in a series of three drafts and public consultations leading to a final specification in mid 2021. The Working Group has deliberated already and closed off a number of design decisions, around medical terminology, clinical coding standards, the format of the patient vaccination record, and the technology of the SVC global trust network which will make the certificates widely available and recognisable.

In my view the WHO work has two serious and most welcome implications.

Firstly, the Working Group has expressly endorsed PKI as the technology for a new WHO trust framework for global interoperability of digitised proof of vaccination.  They drew on decades of ICAO e-passport experience and consider the issue of trust framework technology to be “closed” [Ref: line 218 of the consultation paper]. Nevertheless they appreciate that implementing PKI is a significant undertaking, reporting that several countries have called for “assistance related to the establishment of their [public health authority’s] national public key infrastructure” [Ref: lines 208-214].  The role of the WHO in facilitating PKI availability and deployment is a work in progress.

Secondly, WHO has stressed that digitised vaccination proofs will not supersede the time-honoured Yellow Card: “vaccination status should still be recorded through the paper-based International Certificate for Vaccination, and Prophylaxis”.  Furthermore, identification of vaccination recipients will be undertaken under existing practices.  That is, WHO sees no need to intervene in identification practices and is not entertaining any idea of a new digital identity framework. The interim guidance spells out that it is expected that a “health worker is able to ascertain the identity of a subject of care, as per the norms and policies of the public health authority” [lines 381-382] and “the identity of the subject of care SHALL be established as per Member State processes and norms” [line 501]. Moreover, “the SVC is not an identity” [line 382].

In a nutshell, WHO has decided that digitisation of the Yellow Card will not entail too much technology (such as the new and unproven blockchain methods or exotic verifiable credentials) and neither will it entail new identity philosophies (such as Self Sovereign Identity, which has untold impact on the way patients and healthcare systems interact).

My analysis and proposal for a Digital Yellow Book

These positions set out by WHO are most welcome, given the tendency for new digital identity movements and technologies to complicate public policy.  I recently wrote a short paper on just these issues and presented it to an IEEE symposium on public interest technologies: “A digital Yellow Card for securely recording vaccinations using Community PKI certificates” (IEEE International Symposium on Technology and Society, 12-15th November 2020, Tempe Arizona).

We should digitise nothing more and nothing less than the fact that someone received their vaccine.  A verifiable credential carrying this information would include the place, date and time, the type of vaccine, and the medico who administered or witnessed the shot.  The underlying technology should be robust, mature and proven at scale ― as is PKI and public key certificates ― and available in a choice of form factors ranging from passive universally accessible 2D barcodes through to contactless electronic certificates in smart phones and medical devices.

Above all, digitising the fact of a vaccination must be done within the existing contexts of public health administration around the world. No new patient identification protocols should be imposed on health workers.  Let us assume that they know what they are doing today when assessing patients, administering vaccines and keeping records.  There is no call for a new digital identity framework, even if “user centric” seems appealing.  The digitisation effort should focus on taking vaccination events and representing them digitally faithfully, accessibly and in-context.

Reproduced with permission, Constellation Research

Cat or carrot? Assessing the privacy risks from algorithmic decisions


Artificial intelligence (AI), and its impacts on privacy and other human rights, have been the focus of much attention in the past two months.  From the European Commission considering a new AI-specific law, to the Australian Human Rights Commission (AHRC)’s final report on Human Rights and Technology, legislators and policy-makers are starting to grapple with the implications of this particular form of technology.

Why?  Because from setting insurance premiums to deciding who gets a home loan, from predicting the risk of a person re-offending to more accurately diagnosing disease, algorithmic systems – especially those turbo-charged by AI – have the ability to re-shape our lives.  Algorithms are increasingly being used to make predictions, recommendations, or decisions vital to individuals and communities in areas such as finance, housing, social welfare, employment, education, and justice – with very real-world implications.  As the use of algorithmic systems increases, so too does the need for appropriate auditing, assessment, and review.

The AHRC for example has recommended, amongst other things, mandatory human rights impact assessments before AI is deployed in administrative decision-making, a ban on the use of ‘black box’ algorithms by government, a moratorium on the use of facial recognition technology in law enforcement settings, and the creation of an AI Safety Commissioner.

Privacy and consumer protection regulators are wielding their powers over AI developers under existing laws too.  The US Federal Trade Commission has warned in a blog post that companies need to hold themselves accountable to laws requiring truth, fairness, and equity in the use of AI … “or be ready for the FTC to do it for you”.  In April the South Korean Personal Information Protection Commission (PIPC) imposed sanctions and a fine on the developer of a chatbot for breaching rules on the processing of personal information.

So government and corporates alike have been put on notice that they need to lift their game when it comes to the development and deployment of AI, and other automated decision-making systems.

What is the privacy officer’s role in this?  Where should a privacy professional start, when assessing the privacy considerations raised by algorithmic systems?

As a privacy professional, you cannot apply the law or assess risk without a basic understanding of algorithmic systems, and how they interact with information privacy obligations.  You don’t need to be a technical expert, but you do need to know the right questions to ask of technical experts, so that you can assess the legal and reputational risk of what they propose.

To help privacy professionals get a handle on this topic, Salinger Privacy has just published our latest guide: Algorithms, AI, and Automated Decisions – A guide for privacy professionals.  Here’s a little taster.

Are we talking about AI or algorithms?

At its simplest, AI is an umbrella term for a range of techniques and computer systems capable of performing tasks which would normally require human perception and intelligence, such as recognising speech, or recognising patterns in data.  An AI system capable of recognising patterns in data is typically running an algorithm which was developed, and is continuously refined, by using machine learning (ML) to process vast amounts of ‘training’ data, to come up with correlations, so that the machine can ‘learn’ to recognise images, and be able to distinguish between – for example – an image of a cat and an image of a carrot.

An algorithm is basically a set of rules or sequence of instructions telling a computer what to do.  An algorithm will typically instruct the computer to take certain inputs, and then perform a calculation in order to generate an output, which could take the form of a classification, a prediction, a score, a recommendation, or an automated decision.  For example, an algorithm might examine credit history data and predict the credit risk posed by a customer; or examine electricity usage data and recommend the best product for that customer; or examine recruitment applications en masse and make automated decisions to reject certain applicants.

However not all algorithms are developed using AI.  Algorithms can also be created by humans, writing code.  These are known as rule-based systems.  They can be as simple as ‘if X then Y’.

The trouble is, algorithmic systems do not come with the contextual understanding that humans have.  This is sometimes presented as a good thing: if a machine makes a decision, then it won’t be as biased as a human one, right?  Unfortunately it’s not that simple.  If the rules encoded into an algorithm are unfair, or the data to which the algorithm is applied is biased, so will be the outcome.  And removing a human from writing the code doesn’t necessarily solve this issue.

A machine learning model which classifies a picture as being an image of a cat or a carrot might seem like a simple task (and for humans, it is), but its ability to do so will depend on the data it has ingested, the way it was designed and developed, and the context in which it is deployed.  If the algorithmic system was only trained on pictures of black and white cats, what will happen when it is deployed and has to classify a picture of a ginger cat?  This is a silly hypothetical scenario, but real-world harm can be caused by mistakes such as these – and risks can be introduced at any point across an algorithmic system’s life cycle.

Which systems create privacy risks?

Algorithmic systems which raise privacy issues will include systems using AI, but also human-written rule-based code, which use personal information to make predictions, recommendations, classifications, scores or decisions about humans.

Systems which were developed using AI may pose particularly high privacy risk, but in our view all types of algorithmic systems should be considered.  A recent example that demonstrates this is the Australian Government’s Online Compliance Intervention, more commonly referred to as ‘Robodebt’, which used an algorithmic system to automate a process with the goal of recovering debt.  This system did not use AI, but its human impact – AUD$1.5B in unlawful ‘debts’ – was significant nonetheless.

How to assess privacy risk in an AIA

Evaluating the privacy risk of algorithmic systems via an Algorithmic Impact Assessment (AIA) is not just a matter of testing for legal compliance.  In order to understand, identify, and mitigate against privacy-related harms, you need to think about concepts such as fairness, ethics, accountability, and transparency (when taken together, sometimes abbreviated to ‘FEAT’), which are vital factors to consider when assessing algorithmic systems.  However we would also encourage privacy professionals to think more deeply about how to design trustworthy systems, by looking at both risks and solutions through the lens of what we call ‘The Four D’s Framework’.

The Four D’s Framework

The Four D’s offers a framework for assessing algorithmic systems in order to minimise privacy-related harms throughout the lifecycle of an algorithmic system.

The build of an algorithmic system comprises four stages:

  • design
  • data
  • development, and
  • deployment

Design

Responsible algorithmic systems feature privacy risk management long before any personal information is used in a live scenario.  Ideally, consideration of privacy issues should start as early as the design stage.

One of the first things to consider for any algorithmic system are the design objectives.  It should go without saying that building an algorithmic system that processes personal information ‘because we can’ will rarely meet community expectations.  Asking the question: ‘what is the problem we’re trying to solve’ is a popular place to start to ensure there is a clear understanding of why an algorithmic system is being pursued at all.  But there are many other questions that are also important to ask at this stage, such as:

  1. Who will benefit from the development of this system?
  2. Who has this problem, and how do we know it is actually a problem for them?
  3. What do they say they need?
  4. Who is most at risk or vulnerable?
  5. Will this system meet the need/solve the problem better than what is already in place?
  6. How will we know if the system is ‘working’?

Data

Organisations need to take care when considering the types of data that will be used to develop, train, test and refine their algorithmic systems.  Data often only tells part of the story, and when processed without due consideration, can lead to misleading or even harmful outcomes.

For example, historic bias might be found within a training dataset, or bias could be introduced as an AI system ‘learns’ post-deployment.  There have been numerous examples of this: the use of training data which reflected historic bias has led to racial discrimination in facial recognition algorithms, and gender bias in the Apple Credit Card.

Some questions to consider regarding data include:

  1. When, where, how and by whom was the data initially collected?
  2. Who is represented in the data? Who is not represented in the data?
  3. How will we organise the data?
  4. How will we test for bias in the data?

Development

The development stage of an algorithmic project includes building and testing the algorithmic system.

If you are procuring a product or services, you will need to play an active role in the building and testing stage, or ensure that off-the-shelf products are rigorously examined and tested before deployment.  Questions of accountability also need to be considered, as organisations cannot simply outsource their responsibility through procurement and hope to avoid liability for any harms caused.

For organisations developing their own algorithmic systems, now is the time to put the design thinking and considerations around data into action.

When testing algorithmic systems, organisations should first determine a baseline for each metric that they deem to be the minimal acceptable result.  For example organisations should be aware of, and mitigate for, the possibility of evaluation bias, which can occur when the test data do not appropriately represent the various parts of the population that the system is planned to be deployed upon.  Also, when developing an algorithmic system, organisations will want to test to see how well it is ‘working’, against metrics such as accuracy, recall and precision.
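The baseline-and-metrics step above is concrete enough to show in code. The following is an added example written for this post (not part of the Salinger Privacy guide or any real evaluation harness): it computes accuracy, precision and recall over a labelled test set, then recomputes them per subgroup and flags any group whose recall falls under a minimum acceptable result. The test set, the group labels “A” and “B”, and the 0.8 recall baseline are all constructed for illustration; the point is that the overall accuracy looks fine while the under-represented group is being badly served, which is exactly the evaluation bias the paragraph warns about.

```go
package main

import (
	"fmt"
	"sort"
)

// Sample is one labelled test record: its subgroup, the true class and the prediction (constructed data).
type Sample struct {
	Group     string
	Actual    bool
	Predicted bool
}

// Metrics holds the confusion-matrix summaries for one slice of the test data.
type Metrics struct {
	N                           int
	Accuracy, Precision, Recall float64
}

// Evaluate computes accuracy, precision and recall over a set of samples.
func Evaluate(samples []Sample) Metrics {
	var tp, tn, fp, fn int
	for _, s := range samples {
		switch {
		case s.Actual && s.Predicted:
			tp++
		case !s.Actual && !s.Predicted:
			tn++
		case !s.Actual && s.Predicted:
			fp++
		default: // actual positive, predicted negative
			fn++
		}
	}
	m := Metrics{N: len(samples)}
	if m.N > 0 {
		m.Accuracy = float64(tp+tn) / float64(m.N)
	}
	if tp+fp > 0 {
		m.Precision = float64(tp) / float64(tp+fp)
	}
	if tp+fn > 0 {
		m.Recall = float64(tp) / float64(tp+fn)
	}
	return m
}

// EvaluateByGroup recomputes the metrics per subgroup; this is what exposes evaluation
// bias that the overall figures average away.
func EvaluateByGroup(samples []Sample) map[string]Metrics {
	byGroup := map[string][]Sample{}
	for _, s := range samples {
		byGroup[s.Group] = append(byGroup[s.Group], s)
	}
	out := make(map[string]Metrics, len(byGroup))
	for g, ss := range byGroup {
		out[g] = Evaluate(ss)
	}
	return out
}

// BelowBaseline lists (sorted) the groups whose recall is under the organisation's
// minimum acceptable result, skipping groups with too few records to judge.
func BelowBaseline(perGroup map[string]Metrics, minRecall float64, minSupport int) []string {
	var failing []string
	for g, m := range perGroup {
		if m.N >= minSupport && m.Recall < minRecall {
			failing = append(failing, g)
		}
	}
	sort.Strings(failing)
	return failing
}

func repeat(group string, actual, predicted bool, n int) []Sample {
	out := make([]Sample, n)
	for i := range out {
		out[i] = Sample{Group: group, Actual: actual, Predicted: predicted}
	}
	return out
}

// ConstructedTestSet: group B is under-represented (20 of 100 records) and the model misses 8 of its 10 positives.
func ConstructedTestSet() []Sample {
	var s []Sample
	s = append(s, repeat("A", true, true, 40)...)
	s = append(s, repeat("A", false, false, 40)...)
	s = append(s, repeat("B", true, true, 2)...)
	s = append(s, repeat("B", true, false, 8)...)
	s = append(s, repeat("B", false, false, 10)...)
	return s
}

func main() {
	data := ConstructedTestSet()
	fmt.Printf("overall %+v\nper group %v\nbelow recall baseline 0.8: %v\n",
		Evaluate(data), EvaluateByGroup(data), BelowBaseline(EvaluateByGroup(data), 0.8, 5))
}
```

On the constructed data the overall accuracy is 0.92 and overall recall 0.84, numbers that would pass a naive baseline, yet group B’s recall is 0.2: the system misses most of the people in that group it was supposed to identify. The `minSupport` argument matters in the other direction: a group with a handful of records can swing wildly between runs, so a failing result there is a prompt to collect more representative test data rather than a verdict on the model.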

Deployment

Once the algorithmic system is deployed into the real world, organisations cannot simply wash their hands of the system and let it run wild.  Examples of machines ‘learning’ to be biased post-deployment include a recruitment algorithm which learnt that Amazon preferred to hire men, and Microsoft’s Tay chatbot which all too quickly learned from Twitter users to make offensive, sexist, racist and inflammatory comments.

The system may need to be changed to deal with real-world inputs and requirements for interoperability and interpretability, and there may be real-time feedback that needs to be integrated back into the system.

Another key area for privacy professionals to consider at deployment is how individuals will be meaningfully informed of how the algorithmic system is being used in practice, and how they may seek more information or exercise review rights.  Decisions made or supplemented by algorithmic means should be explainable and auditable.

Conclusion

Privacy professionals should ensure they are involved in assessing privacy and related risks throughout the lifecycle of an algorithmic system’s development.  In this blog we have introduced the Four D’s Framework as a way of conceptualising the breadth of issues to be considered in an Algorithmic Impact Assessment.  Our new guide offers more detail on the legal and ethical risks posed by algorithmic systems, how to utilise the Four D’s Framework to guide system development, and a set of indicators which can be used to measure the trustworthiness of an algorithmic system.

Algorithms, AI, and Automated Decisions – A guide for privacy professionals can be purchased as a single eBook, or along with other resources in one of our value-packed Compliance Kits – see the ‘PIA Pack’ or the ‘Everything…’ option for your sector.

What covid apps can teach us about privacy, utility and trust in tech design


The release last week of the report into the first 12 months of the federal government’s beleaguered ‘COVIDSafe’ app got me thinking about the importance of Privacy by Design – and in particular, how the ‘design’ part of the equation is not just about the technology.

With the release of the evaluation report – months late and only after a heavily redacted version was released after a concerted FOI push – we now know that the COVIDSafe app has been a terribly expensive flop.

Only 779 users who tested positive to Covid-19, out of around 23,000 positive cases in the relevant time period, consented to having data from the app uploaded to the national COVIDSafe data store between 26 April 2020 and 15 May 2021; that’s a usage rate of around 3%.  From those 779 Covid cases, the app identified 81 close contacts, of whom only 17 were contacts not otherwise identified by manual contact tracing.

I don’t even want to calculate the total cost of the COVIDSafe app divided by 17 because I fear the figure would make me cry.

The COVIDSafe app – as Jacqueline Maley described it, a “cute footnote in the story of pandemic bunglings” – has been “utterly outclassed” by QR Code check-in apps implemented by State governments.

How?  Privacy, utility and trust.

Compare the public acceptance and uptake of the COVIDSafe app, which was relatively low and which generated a fair amount of public angst and discussion about the pros and cons (even before we knew it didn’t work properly on iPhones), versus the NSW Government’s ‘Covid Safe Check-in’ app, which enjoys incredibly high rates of acceptance and use, by both venues and patrons alike, and with almost no push-back from the public at all.

Two covid apps, both by governments, led by the same political party, covering the same population, for the same broad contact-tracing purpose: one a raging success and the other ultimately an eye-wateringly expensive failure.  Why?  It comes down to context.

This is a neat illustration of an argument I have made before: public trust, and therefore rates of use or compliance, is not as simple as asking: “Do you trust this organisation (in this case, the government)?”

It’s about asking: “Do you trust this particular way your data is going to be used for this particular purpose, can you see that it will deliver benefits (whether those benefits are personally for you or for others), and are you comfortable that those benefits outweigh the risks for you?”

When you realise that this more complex set of questions is the thinking behind consumer sentiment, it demonstrates how important it is to assess each different data use proposal on a case-by-case basis, because the nature of the proposal, and the context it is in, will make each value proposition unique.  That means the balancing act between benefits and risks from a privacy point of view needs to be done fresh for every different project.

It also shows the importance of Privacy by Design thinking – and how this is not just about the design of the tech, but the design of the entire ecosystem in which the tech is supposed to work, including legal protections, transparency and messaging, which together add up to how well users understand how an app works.  As studies have since shown, how well users understand how an app works makes a difference to their level of trust, because they can make more informed decisions for themselves.

Both apps have built-in privacy features, such as enabling the use of pseudonyms, automated deletion of data after a certain time period, and preventing the data from being accessed unless triggered by a positive covid case.

However the simplicity of the NSW app’s design, and the fact that it puts the user in complete control of when the app is used – instead of the COVIDSafe ‘always on’ design – put it way in front.  (The ‘always on’ design also led to other problems with COVIDSafe, like draining battery life and interference with critical diabetes monitoring systems.)  NSW app users can at any time revert to pen-and-paper when checking in to a venue.

The NSW app is also superior in its embrace of data minimisation as a design principle, only collecting data about when the user checks in to a venue.  By contrast the COVIDSafe’s ‘always on’ design meant vast reams of data being collected on every ‘handshake’ between two devices, and then business rules being written to cull out those which were for less than 15 minutes – an arbitrary time period now known to be meaningless in terms of the likelihood of transmission.

The messaging around the NSW app, and how it works, was clearer too.  (It helps that the user experience is intuitive and the user can see if the app is working or not; that means less complex messaging is needed in the first place.)  By contrast the communications around the COVIDSafe app were truly awful: we had the PM’s sunscreen analogy, seriously misinformed claims from the Government Services Minister that the app “simply digitises a manual process”, plus the Health Minister’s bargaining and the PM’s ‘maybe I’ll make it mandatory after all’ musings, as well as influencers being paid to make false claims about the app, political spin on whether the app works on iPhones, and a 40% take-up target based on no modelling which the government then quietly dropped.

Finally, the NSW app design has been superior in its embrace of an iterative design process, starting with trials, conducting testing, and openness to user feedback, leading to improvements over time.

Compare that with an almost non-existent bug reporting mechanism for the COVIDSafe app design team.  One security researcher – who, four hours after the app launched, found a critical design flaw which meant that Android phone model names and user-assigned device names were transmitted over Bluetooth, allowing for device re-identification and tracking – described the process of trying to report the flaw to the Government as like “yelling into an empty room”.  It took over a month for that flaw to be rectified, by which time the app had been downloaded 6 million times.

This was one of a number of flaws which suggest that the app was not comprehensively tested before its launch.  While there was a Privacy Impact Assessment conducted on the COVIDSafe app, its scope was limited to examining the federal Department of Health’s compliance with the federal Privacy Act.  It did not review whether the app’s build was as described, whether it worked as planned, or whether other models would be preferable.

I am not saying that the NSW check-in app is perfect.  In particular, while there is a Public Health Order directing that contact details collected via the app are only to be used or disclosed for the purposes of contact tracing, it lacks the bespoke legal protections of the COVIDSafe app, which was bolstered by specific amendments to the Privacy Act to prohibit use for secondary purposes such as law enforcement.  As debates about other check-in apps in WA, Queensland, the ACT and Victoria have shown, public trust can be damaged by broken promises about the purpose for which personal information will be used.

Those of us who urged caution in April 2020, rather than jumping on the COVIDSafe bandwagon, were criticised as not part of ‘Team Australia’.  But caution was the right response.  You need to check that the tech works, look for abuse cases and unintended side-effects, strengthen the legal protections, prohibit or prevent secondary uses, be transparent, get the messaging right, and be open to user feedback if you are going to build a successful technology project.

Above all, utility matters.  If the tech doesn’t work, if the benefits of the data collection are not realised, then all the talk about trading off privacy for other objectives like public health is meaningless.  The privacy risks will remain, along with a great big white elephant.

Privacy and gender: what to ask, when and why


Hey, before we start, can I just ask: are you male, female or other?  Are you bristling at even being asked?

Collecting accurate data on gender can, when done appropriately, be a key way to ensure a product, program or policy is designed with gender differences in mind. In fact, poor design which leads to damaging outcomes can occur when data about gender is not collected.

However, there are many instances where the knowledge of someone’s gender is completely irrelevant to the circumstance at hand, and collecting it is not only an invasion of privacy, but can also increase the severity of harm caused by misuse of that personal information, or in the event of a data breach.

Privacy harms, whether caused by data breaches, surveillance, or other invasions of privacy, do not impact everyone equally. While the focus of this piece is on gender, it’s important to always keep in mind the ways that gender intersects with other factors including race, disability, class, and sexuality.

So, read on to explore the friction between collecting gender data and enhancing privacy, and why it is essential that we consider gender when we assess privacy risks.

Language note: where I refer to ‘women’ I mean both trans and cisgender women. Trans women are women. Where it is necessary to differentiate that I am specifically talking about cis or trans women, I will make that distinction clear. While many of the issues in this piece are framed around women, they also often impact non-binary and gender non-conforming people in similar ways, at the same, if not higher rates. However there remains a lack of research regarding the intersection of privacy and gender non-conforming people and I have chosen not to cast the experience for non-binary communities as the same as it is for women.

Privacy harms are not served equal

Women have been surveilled and policed for centuries, to the extent that until relatively recently they have been perceived as having no right to privacy when it came to their sexual life.  Even now, we see particularly gendered invasions of privacy like doxing (malicious publication of someone’s personal details), stalking, and non-consensual sharing of intimate images.

Often, the harm caused by privacy loss, such as a data breach, disproportionately impacts those who are already part of a marginalised or vulnerable group, including women.

Let’s take a relatively recent, and local, example of a data breach to explore this point. In 2018, Public Transport Victoria (PTV) released a large dataset containing 15 million de-identified details of Melbourne’s contactless smart card public transport ticketing system known as Myki. Later that year, academics Vanessa Teague, Ben Rubinstein and Chris Culnane were able to re-identify themselves and others in the dataset.  The Office of the Victorian Information Commissioner investigated, and found that PTV had failed to address the possibility that individuals in the dataset could be re-identified.  (You can read more in OVIC’s investigation report.)

The point I want to make here is how we think about the impact of data breaches.  Not everyone is affected equally.

According to the Australian Bureau of Statistics, cisgender women are, on average, more likely to use public transport than men. Women are also more likely to experience stalking than men, with approximately 1 in 6 cis women experiencing stalking since the age of 15 (compared to 1 in 15 cis men). On top of this, research conducted by WESNET, Women’s Legal Service NSW and Domestic Violence Resource Centre Victoria, has found that the issue of perpetrators utilising technological means to facilitate their abuse of women is significant, and on the rise.

So with that in mind, when we consider the possible harms caused by the Myki data breach, the picture looks a lot worse for women when we apply a gendered lens to the risk assessment.  The likelihood of individuals being identified from the dataset and their patterns of behaviour analysed, and the ability for perpetrators to use that data to inflict violence or harassment on victims as a result, is much greater for women than for men.

While on the subject of statistics, research conducted by the OAIC showed that, when comparing the responses of those who identified as men with those of women, women are less likely to feel comfortable with location tracking, and significantly more likely to turn off GPS or location sharing on mobile devices.  Zeynep Tufekci found that men are three times more likely than women to include their contact details in their social media profiles, even after controlling for privacy and audience concerns, suggesting women are “seeking to avoid the risk of unwanted attention”.

The possible gendered privacy harms compound further when we look outside the gender binary. Trans and gender non-conforming people experience stigma and discrimination at high rates, and many make deliberate choices regarding to whom they disclose details about their gender identity or biological sex characteristics. Organisations wishing to collect data on gender need to very carefully consider the possible harm that could be caused should the personal information of gender diverse individuals be inappropriately or unlawfully accessed, used, or disclosed. In some cases, the very act of attempting to collect gender data inappropriately can cause unnecessary stress for many individuals.

Sexist algorithms

The public and private sectors alike are increasingly incorporating, and in some cases relying upon, algorithmic systems, including machine learning and automated decision-making systems. The existence of bias in these kinds of systems is well documented, with an increasing amount of research into the area. Here is just a small handful of examples:

The harm caused to women by these systems only increases for those who also intersect with other marginalised or minority identities, including in relation to race, disability, class and sexuality.

While upholding privacy cannot solve all the challenges associated with the use of algorithmic systems and associated risks of bias, discrimination or unfair outcomes, a robust Algorithmic Impact Assessment can go a long way to ensure that the personal information being used as inputs into these systems has been tested for fairness and accuracy. If we take an expansive view of privacy, we can use privacy risk assessment as a tool to examine the power structures of these systems, and put safeguards in place to mitigate potential gendered and other discriminatory harms.

Should we even collect gender?

We all know the drill about collection minimisation: only collect personal information that is necessary for a given purpose.  But it often seems that many organisations go into a kind of autopilot at this step: yes of course we need name, date of birth, gender.  Do you really, though? Collection of gender should not be the default, and it’s worth interrogating when it is actually necessary to know someone’s gender, and for what purpose.

Herein lies another tension: it’s unfortunately not as simple as just not collecting gender data at all. In many cases, a lack of data on gender can cause its own form of harm. In Invisible Women, Caroline Criado Perez highlights the extent to which the world has been designed by and for cisgender men. From medical testing to safety designs and protective clothing, to the size of everyday appliances, Criado Perez emphasises the very real harm that occurs as a result of taking a ‘gender neutral’ approach which actually results in using the ‘standard male’ as the default. While Invisible Women is not without its flaws, and has been criticised for using a male/female binary which ignores other genders and sex variations, it does serve as a useful collection of evidence of how male-default thinking creates real-world problems for anyone who is not a cisgender man.

Collecting accurate gender data in order to ensure a policy, program, or product is designed in a way that meets the needs and experiences of people across all genders is really important. But it always needs to be balanced against the right to privacy, including consideration when it is necessary and proportionate to know someone’s gender.

In a report specifically examining privacy and gender, the UN Special Rapporteur for Privacy suggests that, among other things, any requirement for individuals to provide sex/gender information should be:

  • Relevant, reasonable and necessary as required by the law for a legitimate purpose
  • Respectful of the right to self-determination of gender, and
  • Protected against arbitrary or unwanted disclosure or threatened disclosure of such information.

The report also recognised that “privacy offers protection against gender-based violence, discrimination, and other harms that disproportionately affect women, intersex, and gender non-conforming individuals.”

Once an organisation decides it is indeed necessary to collect gender data, it must also consider carefully how to ask for gender identity in a respectful, inclusive and meaningful way. If you wish to collect accurate data (and meet the requirements of the data quality privacy principle!), then simply offering ‘male’ or ‘female’ options is not good enough.

Here is a non-exhaustive list of tips for organisations to consider when asking for gender details:

  • Be really clear what it is you are actually asking people for. For example, do you need to know someone’s biologically assigned sex at birth for a specific medical purpose? Or do you need to understand someone’s gender identity in order to provide them with the correct services?
  • Be careful not to confuse gender identity with sexual orientation.
  • Consider providing an option that enables people to self-determine their gender.
  • Include a consideration of gendered impacts when assessing and mitigating against privacy risks, including consideration of the possible harms that could occur as a result of inappropriate disclosure of an individual’s gender identity.

For more guidance, see this guide to collecting gender data inclusively from the Canberra LGBTIQ Community Consortium, or this one from Monash University.

The 2021 census has provided us with an example of what not to do. While there was an option for people to self-enter their gender in a free-text field, the ABS noted that those who chose the non-binary option would ultimately be randomly assigned a binary sex: male or female.  What followed was outcry that this would not capture an accurate picture of the gender diversity in Australia, and in turn erase trans and gender diverse people.  Further, while the inclusion of a free-text field was a welcome improvement to earlier iterations of the census, it was not an option on the paper form.  This left trans and gender diverse people who wished to complete the form by hand, for reasons including ability and accessibility, with no choice but to misrepresent their gender.

The paper form is also widely regarded as the more privacy-enhancing option, which meant that many were left with a choice: the increased privacy protection of a paper form, or the ability to identify their gender in a way that is meaningful to them. Nobody should have to make that kind of choice. Given that gender diverse people continue to be subject to stigma and discrimination in Australia, the privacy of their personal information should be of utmost importance.

When in doubt, go back to basics

Long established privacy considerations such as necessity and proportionality still go a long way when determining when it is reasonable to collect gender data, and what you may wish to do with it.  Collection of gender information should never be the default, as with collecting any other personal information.  However, organisations should take care to avoid applying ‘male-default thinking’ to their programs and projects.  It is not acceptable to cite privacy as the rationale for avoiding the work of collecting inclusive gender data and ensuring that outcomes do not adversely impact people who are not considered the ‘male standard’.  Regardless of whether gender data is collected or not, it is always important to consider the impacts on women, as well as trans and gender diverse people, when assessing privacy risk.

Photograph (c) Shutterstock

Between 7 and 11 lessons you can learn from the latest OAIC privacy case


A case involving facial recognition technology and customer satisfaction surveys offers plenty of lessons in how privacy law applies to Australian businesses.

In June 2020, the 7-Eleven chain of convenience stores began using a new customer feedback survey system in 700 stores across Australia.  Each store had a tablet device which enabled customers to complete a voluntary survey about their experience in the store.  Each tablet had a built-in camera that took images of the customer’s face as they completed the survey.

Those facial images were stored on the tablet for around 20 seconds, before being uploaded to a server in the cloud.  A third party service provider converted each facial image to a ‘faceprint’, which is an encrypted algorithmic representation of the face. The faceprint was used to infer information about the customer’s approximate age and gender.  The faceprint was also used to detect whether the same person was leaving multiple survey responses within a 20-hour period on the same tablet; if multiple responses were detected, they were excluded from the survey results.

In other words, the company was using a facial recognition technology on its customers, to prevent its employees gaming a customer satisfaction survey by leaving multiple positive survey responses about their own performance.  At least 1.6 million survey responses were completed.  It is not known how many unique customers this represents.

The Office of the Australian Information Commissioner (OAIC) launched an investigation, and on 14 October published the final determination by the Privacy Commissioner Angelene Falk.  Falk found that 7-Eleven had breached APP 3.3 by collecting ‘sensitive information’ (namely, biometric templates) unnecessarily and without consent; and APP 5 by failing to provide proper notice.

The implications of this case extend beyond just the use of facial recognition technology, and offer salient lessons for organisations of all shapes and sizes.

Here are my top takeaways for businesses:

  1. You can’t contract out of your privacy obligations

You will be on the hook for what your tech provider is doing with your customers’ data.

7-Eleven tried arguing that it had not ‘collected’ any personal information because the information stored in the cloud was handled by its service provider, and that it had no access to the data.  The OAIC found that the retail company did ‘collect’ the personal information via its service provider, because the data was collected on behalf of 7-Eleven, and it had contractual control over the data.

The lesson here is that both you and your technology provider must comply with the Privacy Act.

  2. You can’t escape your privacy obligations by arguing that you couldn’t identify anyone

Sometimes you just have to laugh.  7-Eleven argued that the facial images and faceprints were not ‘personal information’ because they were not used to identify, monitor or track any individual.  But the whole point of facial recognition technology is to identify individuals, in the sense of being able to distinguish one person from another!  (Otherwise, what was the tech vendor selling – photos for the fun of it?)

Further, its deployment in this case was to monitor individuals: to see if anyone was entering multiple survey responses within short spaces of time.

The OAIC gave short shrift to 7-Eleven’s claim, and found that the faceprints were ‘personal information’, because the facial images and the faceprints were ‘about’ individuals, who were ‘reasonably identifiable’.

(‘Personal information’ is defined in the Act to mean: “information or an opinion about an identified individual, or an individual who is reasonably identifiable”.)

  3. You can invade someone’s privacy without knowing who they are

If your service provider can identify individuals, then in law so can you.  No hiding behind your tech vendor; you’re handling personal information.

Your data is not to be considered in a vacuum; the test is whether it is possible to identify an individual “from available information, including, but not limited to, the information in issue” (at [37]).  If your data can be linked to other available data to identify someone, you’re handling personal information.

The test for identifiability is not whether or not you can figure out a person’s name or legal identity; it is whether one individual can be “distinguished from other individuals” (at [38]).  If your system can single out people to interact with them at an individual level, you’re handling personal information.

  4. The collection of any type of personal information, no matter how benign, must be reasonably necessary

Under APP 3, collecting personal information because it will be “helpful, desirable or convenient” is not enough (at [58]); your collection of personal information must be “reasonably necessary” for one of your organisation’s “functions or activities”.

The OAIC in this case formulated this test as involving consideration as to whether the impact on individuals’ privacy is “proportionate to a legitimate aim sought” (at [59]).  While the OAIC noted that “implementing systems to understand and improve customers’ in-store experience” (at [102]) was a legitimate aim of the business, the collection of biometric templates was not a proportionate way to achieve that aim.

In other words, the risk posed to the individuals must be weighed against the business objectives, and serious consideration must be applied to determining whether those objectives could be achieved in a less privacy-invasive manner.

Is using facial recognition to infer age and gender a proportionate response?  No; as the OAIC noted, if such data was necessary 7-Eleven could have simply asked for age range and gender as part of the survey questions.  (Which reminds me: sometimes you don’t need to know about gender at all.)

Is using facial recognition a proportionate response to the desire to improve the accuracy of a customer satisfaction survey?  The OAIC said no:  “Any benefit to the respondent was disproportionate to, and failed to justify, the potential harms associated with the collection and handling of sensitive biometric information” (at [105]).

  5. Plus if it is sensitive information, you also need consent

In addition to the ‘reasonably necessary’ test, if the personal information you want to collect is in a sub-category known as ‘sensitive information’, under APP 3.3 you will also need the consent of the individual.  Sensitive information includes biometric information and biometric templates, as well as information about a person’s health or disability, ethnicity, religion or sexuality, amongst other categories.

While consent may either be express or implied, the OAIC noted that generally speaking, when seeking to collect ‘sensitive information’, organisations should aim for express consent, given the greater privacy impact which could arise from the handling of these special types of data.

  6. A valid consent is hard to get

All stores had a notice outside with an image of a surveillance camera.  Some of the notices also had text next to the image, which said “By entering the store you consent to facial recognition cameras capturing and storing your image”.

The 7-Eleven Privacy Policy said “By acquiring or using a 7-Eleven product or service or providing your personal information directly to us, you consent to 7-Eleven collecting, storing, using, maintaining and disclosing your personal information for the purposes set out in this Privacy Policy”.

So 7-Eleven argued to the OAIC that “if a customer did not consent to the use of this technology, the customer could elect to not enter the store or not use the tablet”.

Yeah, they really said that.

(By the way, by reading this blog, you consent to give me a million dollars, which I may or may not have spelled out in another document you probably did not see before you began reading this blog.  What, not happy?  You were completely free to not read this blog, what’s your problem?)

Except that’s not the way consent works in privacy law.

As formulated by the OAIC, the four key elements which are needed to obtain a valid consent are:

  • The individual must be adequately informed before giving consent
  • The individual must give consent voluntarily
  • The consent must be current and specific; and
  • The individual must have the capacity to understand and communicate their consent.

So let’s spell this out.

Consent is the ‘would you like sauce with that?’ question.  The question must be very specific about what is being proposed, the question must be asked about only one thing at a time, and the customer must be free to say yes or no (or say nothing, which means ‘no’), and still get their sausage roll.

Entering a store does not mean your customer consented to you collecting their personal information.

Answering a survey does not mean your customer consented to you collecting their personal information.

And importantly, your Privacy Policy is not a tool for obtaining consent.  Also, your Privacy Policy is not magic.  It cannot authorise a company to do anything that the privacy principles don’t already allow.  A Privacy Policy is solely there to inform people, in general terms, how your organisation handles personal information.

No surprise, the OAIC found that customers’ consent could not be implied by 7-Eleven.

  7. That lame sign in the window is not a collection notice

APP 5 requires organisations to take reasonable steps to notify people about the collection of their personal information – the who, what, when, where, how and why – at or before the time of the collection.  (Offering a clear notice also happens to help you meet the ‘informed’ element of consent, as mentioned above.  But you need to give notice regardless of whether you are also seeking consent for something.)

7-Eleven had signs at the entry to its shops, only some of them with text.  Even those with text did not explain that facial recognition would be used on customers answering the survey.  Even astute customers could have understood the signage to be about CCTV security cameras, not cameras on the tablets used for the customer satisfaction survey.

The OAIC found the signs insufficient to meet the requirements of APP 5, and noted that an easy approach to notice could have been taken:  7-Eleven “should have included a collection notice on, or in the vicinity of, the tablet screen. The collection notice should have notified customers … before the start of the survey, and crucially, before the first facial image of the customer was captured. This was a practical and cost-effective step that the respondent could reasonably have taken in the circumstances, to draw customers’ attention to the collection of their sensitive biometric information and the purpose of that collection”.

The lesson here: don’t let your big tech spend be undone by the failure to include a cheap solution to your privacy notice obligations.

  8. Taking a casual approach to using new tech is a legal risk

Companies need to be finely attuned to the risks that come from collecting personal information without care.  ‘Move fast and break things’ should not be your mantra.  A finding that there has been an unlawful collection by a retailer of biometric information about Australians at a large scale should cause company boards and Audit & Risk committees to ask questions about their own data practices.

And facial recognition technology?  Well that’s a whole other world of pain and risk.

When facial recognition technology is attracting calls for a moratorium, or stricter regulation, and when a Bill to use the technology for law enforcement can’t even get through Parliament because it is so controversial, and when some vendors of the technology are even re-thinking its use, and when the technology is criticised by the computer science profession for its problems with racial and gender bias, maybe don’t go around casually implementing facial recognition software for trivial purposes.

Just… don’t.

  9. Do proper risk assessments

One of the most striking aspects of this case is that 7-Eleven was only one month into its rollout of the new technology when the OAIC began making preliminary inquiries about the company’s compliance with the law.  Yet the retailer continued with the program for another 13 months before pulling the plug, just before the Privacy Commissioner made her final determination.

That’s some pretty brave risk-taking.

The OAIC noted that a better approach would have been to conduct a Privacy Impact Assessment in advance of the program starting, which could have identified “options for avoiding, minimising or mitigating adverse privacy impacts (including by identifying potential alternatives for achieving the goals of the project without collecting such information)”, and “assisted in assessing the proportionality of collecting biometrics for the purpose of understanding customers’ in-store experience” (at [103]).

Conclusion

So beware, organisations of all shapes and sizes – you have been put on notice by the OAIC.  You can’t hide behind your tech vendors.

You need careful, risk-based consideration of all projects which will collect or use personal information.  The scope of what is regulated as ‘personal information’ is broad.  Your collection must be reasonably necessary for a legitimate purpose, and you must be able to justify the potential harms to individuals as proportionate when measured against your business objective.  Plus, if the personal information is one of the types of personal information defined as ‘sensitive’, you will also need an informed, voluntary, specific and current consent to collect it.

The days of “By entering our store / accessing this website you are consenting to whatever we put in our Privacy Policy” are over.

Privacy law reform in Australia – the good, the bad and the ugly


On 25 October 2021 the Australian government released a Discussion Paper crammed full of proposals to amend the national privacy law, as well as a Bill intended to progress certain reforms ahead of the rest.

Here’s what you need to know, to help you prepare for what’s likely ahead, or to draft a submission in response to the proposals.

The background

The power of social media and online platforms, AI, the Internet of Things and the boom in all things digital point to the need for privacy law to keep up with the challenges posed to individual privacy by new technologies.  In 2019 the Australian Competition and Consumer Commission (ACCC) published the final report from its Digital Platforms Inquiry, which considered the behaviour of the major platforms such as Facebook and Google.  The ACCC’s report highlighted risks for both consumers and businesses from the business models followed by major technology companies, which primarily rely on the collection and analysis of consumer data as the source of their wealth and power.  Amongst their other recommendations, the ACCC suggested that the Australian Government should conduct a review into whether the Privacy Act remains fit for purpose in this digital age.

In late 2019 the Government agreed to review and reform the Privacy Act, which led to an Issues Paper released in October 2020.  That Issues Paper called for submissions on whether the Privacy Act and its enforcement mechanisms remain fit for purpose.

Twelve months and 200 submissions later, the Attorney General’s Department has released a Discussion Paper, containing both specific proposals and less settled options for reform, clustered around 28 topics, each with their own chapter.

At 217 pages it’s not a quick read, so here are the highlights, followed by our take on key elements of the proposals: the good, the bad and the ugly.

The proposals in the Discussion Paper

Not surprisingly given the European Parliament moving on AdTech, Google phasing out third party cookies, Apple lifting the veil on third party online tracking, and wave after wave of public revelations about the toxic impact of Facebook’s activities, the Discussion Paper has much to say about digital harms, targeted advertising, personalised content and the role of online identifiers.

First, the Discussion Paper proposes a re-drafting of the threshold definition of ‘personal information’, so that it explicitly recognises and includes online identifiers and technical data, and encompasses the use of data with individuated effects.  By moving closer to the GDPR’s model which includes online identifiers, indirect identification and the notion of ‘singling out’, this proposal alone will help strengthen and modernise Australia’s privacy laws.

Second, there is an intention to reduce reliance on the ‘notice and consent’ self-management model of privacy regulation, in favour of stricter limits on collection, use and disclosure.  With another proposal likely to gain plenty of attention, the Discussion Paper proposes a ‘fair and reasonable’ test to be applied to collection, use and disclosure, on top of existing rules around collection necessity and purpose limitation.

Third, consent.  While moving away from requiring consent for routine activities, it appears consent will remain as an option for authorising some types of information handling practices.  The Discussion Paper proposes to tighten the legal tests for what constitutes a valid consent, by building into the legislation what has to date been guidance from the Office of the Australian Information Commissioner (OAIC): that consent must be voluntary, informed, specific and current, and requires an “unambiguous indication through clear action”.  Combined with another proposal, which is to require ‘pro-privacy defaults’ when choices are to be offered to users, these proposals should spell the end of companies using dark patterns to trick people into sharing their personal information, and then claiming ‘consent’ as their lawful basis for collection, use or disclosure.

Fourth, the Discussion Paper proposes to abolish an existing rule about using or disclosing personal information for direct marketing (Australian Privacy Principle 7), in favour of applying the same standards as for other activities (APP 6).  But then direct marketing is mentioned again elsewhere, which leads us to the next significant proposal.

Without yet landing on a firm model, the Discussion Paper suggests some options for regulating how organisations deal with scenarios which inherently pose a higher privacy risk.  The Privacy Act currently sets some slightly tougher tests for handling some categories of data known as ‘sensitive information’, such as information about an individual’s health or disability, ethnicity, religion and sexuality.  However the Discussion Paper seeks to broaden out this idea to a notion of restricted acts, to which higher standards will apply.  What is potentially within scope includes not just the handling of ‘sensitive information’, but also some additional types of data such as location data and information about children, and some particular types of practices such as direct marketing, and automated decision-making with legal or significant effects.  The Discussion Paper also asks for further submissions on whether the best way to regulate these types of higher risk practices is by self-management (i.e. requiring individuals to consent), or by organisational accountability and risk management (i.e. requiring organisations to conduct Privacy Impact Assessments or take other steps to identify and mitigate the risks posed by their practices).

GDPR equivalence?

One of the themes running through this review process is the need to ensure that the Privacy Act is brought closer into line with the GDPR, in the hope that Australia could finally secure an ‘adequacy’ decision from the European Commission, which would beautifully simplify matters for businesses, Unis and other organisations which deal with customers or service providers in Europe. To date, an adequacy ruling has escaped Australia, primarily because of a number of carve-outs from the Privacy Act’s coverage of the private sector, including exemptions for small businesses, employee records, political parties and media organisations.  Yet the Discussion Paper has not directly proposed removing these carve-outs; instead, it raises a number of issues and options, and calls for yet more submissions on the pros and cons of abolishing those four exemptions.  So expect to see significant debate, with further pushback from organisations currently benefitting from the exemptions.

Also showing evidence of looking to other jurisdictions for influence and ideas, the Discussion Paper proposes introducing some GDPR-type individual rights, such as the right to erasure and the right to object.

Finally, the Discussion Paper has thrown out a few different models to improve access to justice, including consideration of a statutory tort of privacy (though without yet committing to a particular model, if any), and/or a direct right of action for individuals with a complaint about a breach of a privacy principle.  At present complainants can only approach the OAIC, whose backlog of complaints creates delays and operates as a barrier to resolution.  The ability to take a complaint to a court with the power to order compensation – as happens now under some State privacy laws – could see a meaningful improvement in access to justice for those individuals keen to have their day in court.

Our two cents’ worth

OK, I would like to think that our views are worth more than just two cents, but here’s a taste of what the Salinger Privacy submission on the Discussion Paper will focus on.

Overall I believe the proposals represent some sensible ways to strengthen the law to deliver on both political promises and community expectations to modernise the Act to effectively deal with digital harms, but there are some opportunities not yet grasped, and a few things in need of a fix.

THE GOOD

The definition of personal information

In chapter 2, the Discussion Paper proposes some minor edits to the definition of personal information:

Personal information means information or an opinion that relates to an identified individual, or an individual who is reasonably identifiable:

  (a) whether the information or opinion is true or not; and
  (b) whether the information or opinion is recorded in a material form or not.

An individual is ‘reasonably identifiable’ if they are capable of being identified, directly or indirectly.

By amending the definition to cover information that “relates to” an individual, instead of the current test which is “about” an individual, the proposed reforms will address some of the confusion caused by the Grubb v Telstra line of cases, as well as bring the Privacy Act into line with the newer Consumer Data Right (CDR) scheme.  This is good news.

Another welcome development is a proposed non-exhaustive list of what will make someone “capable of being identified, directly or indirectly”, with examples including location data, online identifiers, and “one or more factors specific to the physical, physiological, genetic, mental, behavioural (including predictions of behaviours or preferences), economic, cultural or social identity or characteristics of that person”.

Importantly, the Discussion Paper states that the new definition “would cover circumstances in which an individual is distinguished from others or has a profile associated with a pseudonym or identifier, despite not being named”.  This is a very important and positive development, to help address the types of digital harms enabled by individuation – that is, individualised profiling, targeted advertising or messaging, and personalised content which can cause harm, but which currently escapes regulation because organisations can claim that they don’t know who the recipient of their messaging is.

However, I would like to see this language actually used in the definition itself, to be absolutely sure that ‘identifiable’ in law incorporates the notion ‘distinguished from others even if identity is not known’.  (For more on how the GDPR’s notion of ‘singling out’ may or may not include people whose identity is not knowable, see our research paper on the subject.)

As Sven Bluemmel, the Victorian Information Commissioner, put it recently:  “I can exploit you if I know your fears, your likely political leanings, your cohort.  I don’t need to know exactly who you are; I just need to know that you have a group of attributes that is particularly receptive to whatever I’m selling or whatever outrage I want to foment amongst people.  I don’t need to know your name.  And therefore, arguably depending on how you interpret it, I don’t need ‘personal information’.  I just need a series of attributes that allows me to exploit you.”

That’s why we need the definition of personal information to indisputably cover individuation, as well as identification, of individuals.

Some of the other aspects of the proposals are a mixed bag.  Sticking with the threshold test that a person must be ‘reasonably’ identifiable will not address current weaknesses in the definition.  The word ‘reasonably’ waters down the scope of the definition more so than other international privacy laws, which set the threshold at any degree of identifiability.

Whether or not someone is ‘reasonably’ identifiable is not a measure of the likelihood that someone will suffer harm, but is a test based on ‘reasonable’ levels of resources and motivation.  This leaves a gap between the test applicable to the data holder, and the reality of whether or not an individual can actually be identified from the data, such as by a motivated party willing to go beyond ‘reasonable’ steps.  The OAIC has said that an individual “will be ‘reasonably’ identifiable where the process or steps for that individual to be identifiable are reasonable to achieve”.  So even where re-identification of patients from the publicly released MBS/PBS data was demonstrated by a team of experts, the OAIC found that the steps the experts took to achieve actual re-identification were more than ‘reasonable’, and therefore the data did not meet the definition of ‘personal information’.

Yet the Discussion Paper also says that on the flipside, to apply de-identification such as to fall outside the scope of the definition of ‘personal information’, an organisation must meet a test which is that there is only an “extremely remote or hypothetical risk of identification”.

In my view there is a gap between the test arising from the definition of personal information (“not reasonably identifiable”) and the test in the proposed definition of de-identified data (“extremely remote or hypothetical risk of identification”), creating a legislative no-man’s land of data which is not personal information but nor is it de-identified.  There should not be a gap between the two.

Not acting to close that gap would represent a missed opportunity to bring within scope for regulation the types of harm evidenced by various submissions made to the review thus far.  Bad actors will continue to argue that because no one is ‘reasonably’ identifiable in their data, they are not regulated by the Act at all.

It’s not difficult to anticipate the argument from AdTech and others: ‘Well it wasn’t reasonably identifiable information because we cleverly used hashed email addresses to match up customer records from different devices and different apps and share user attributes between different companies’.

(I say it’s not difficult to anticipate this argument because that’s how data broker LiveRamp, formerly known as Acxiom, says they draw data from multiple publishers, sites, devices and platforms (aka “gain second-party segments or third-party data”), build customer profiles and then target ads to around 7 million Australians online.  Their website claims to offer ‘data anonymization’ because “LiveRamp removes personally identifiable information (PII) and replaces it with pseudonymous record keys during our matching process so you can use data with confidence”.

Um, what?  As the GDPR makes abundantly clear, use of pseudonymous record keys which enable data linkage does not ‘anonymization’ make.  This marketing double-speak about ‘anonymization’ makes me feel like Inigo Montoya in The Princess Bride: “You keep using that word, but I do not think it means what you think it means”.

So maybe individual identities are hidden during the matching process, but the end result is still that Company A can find out new information about their customers, or individually target people who are not their customers but who have ‘lookalike’ characteristics, using data collected by Companies B, C and D.  This is the kind of online tracking, profiling and targeting of individuals across the web that the phase-out of third party cookies is supposed to stop.)
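To make the point about pseudonymous record keys concrete, here is an added example that is not part of the original post and does not describe LiveRamp’s actual mechanism.  It assumes, for illustration only, that a matching service replaces each email address with an unkeyed SHA-256 hash of the normalised address.  Two constructed toy datasets (all names, addresses and attributes are made up) show that any party using the same deterministic hash can join records and learn new attributes about its own customers, that the party holding the original emails can trivially recover who each record is about, and that a per-party keyed hash (HMAC under a secret the other party does not hold) would not support that linkage.

```python
"""
Added example (not from the original post): why a "hashed email" record key
is a pseudonym rather than anonymisation.  Two constructed toy datasets show
that any party using the same deterministic hash can join records, while a
per-party keyed hash cannot be joined without the other party's secret.
"""
import hashlib
import hmac

# Constructed sample data: Company A's customer list and Company B's
# behavioural segments.  Every name, address and attribute is made up.
COMPANY_A_CUSTOMERS = [
    {"email": "alice@example.com", "plan": "premium"},
    {"email": "bob@example.com", "plan": "basic"},
    {"email": "carol@example.com", "plan": "basic"},
]
COMPANY_B_ATTRIBUTES = [
    {"email": "alice@example.com", "segment": "expecting-parent"},
    {"email": "bob@example.com", "segment": "gambling-interest"},
    {"email": "dave@example.com", "segment": "luxury-travel"},
]


def normalise(email: str) -> str:
    # Matching services normalise before hashing so the same person yields
    # the same key regardless of letter case or stray whitespace.
    return email.strip().lower()


def shared_key(email: str) -> str:
    """Unkeyed SHA-256 of the normalised email: identical for every party."""
    return hashlib.sha256(normalise(email).encode()).hexdigest()


def party_key(email: str, secret: bytes) -> str:
    """HMAC-SHA256 under a per-party secret: only the secret holder can recompute it."""
    return hmac.new(secret, normalise(email).encode(), hashlib.sha256).hexdigest()


def pseudonymise(records, keyfn):
    """Replace the email column with a record key, as a matching service would."""
    return [
        {**{k: v for k, v in r.items() if k != "email"}, "key": keyfn(r["email"])}
        for r in records
    ]


def link(a_records, b_records):
    """Join two pseudonymised datasets on their record key.

    Returns A's records enriched with B's attributes: the new information
    Company A learns about its own customers from Company B's data.
    """
    b_by_key = {r["key"]: r for r in b_records}
    linked = []
    for r in a_records:
        other = b_by_key.get(r["key"])
        if other is not None:
            linked.append({**r, **{k: v for k, v in other.items() if k != "key"}})
    return linked


def unkeyed_linkage():
    """Both parties use the same unkeyed hash, so their records join."""
    a = pseudonymise(COMPANY_A_CUSTOMERS, shared_key)
    b = pseudonymise(COMPANY_B_ATTRIBUTES, shared_key)
    return link(a, b)


def keyed_linkage():
    """Each party hashes under its own secret, so nothing joins."""
    a = pseudonymise(COMPANY_A_CUSTOMERS, lambda e: party_key(e, b"company-A-secret"))
    b = pseudonymise(COMPANY_B_ATTRIBUTES, lambda e: party_key(e, b"company-B-secret"))
    return link(a, b)


def reidentify(linked, known_emails):
    """A party that holds the email list (as Company A does for its own
    customers) recovers the identity behind each shared key simply by
    re-hashing that list; the 'anonymised' key hides nothing from it."""
    lookup = {shared_key(e): e for e in known_emails}
    return {lookup[r["key"]]: r["segment"] for r in linked if r["key"] in lookup}


if __name__ == "__main__":
    joined = unkeyed_linkage()
    print("unkeyed hash, records linked:", len(joined))
    print("identities recovered:", reidentify(joined, [c["email"] for c in COMPANY_A_CUSTOMERS]))
    print("per-party keyed hash, records linked:", len(keyed_linkage()))
```

The design point is that the hash function does nothing for privacy here: its only role is to let parties agree on a join key without exchanging plaintext addresses, and anyone holding the addresses (or a list of candidate addresses) can recompute the keys.  Linkage is only prevented when the key depends on a secret the other party does not hold, which is exactly the property a data-matching business model cannot tolerate.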

So Salinger Privacy will be arguing that the word ‘reasonably’ in the definition needs to go the way of the dinosaurs, and that the line between identifiable and not should be based on the “extremely remote or hypothetical risk of identification” test.

The Discussion Paper also proposes to add a definition of ‘collection’ that expressly covers “information obtained from any source and by any means, including inferred or generated information”.  This would be an improvement, but I would argue that the definition of ‘collection’ needs to be pitched not in relation to the nature of the information but to the action of generating or inferring information.

Also, I suggest that inferred or generated data should be included in the list of things which comprise ‘personal information’.  Otherwise here’s the likely conclusion from AdTech and similar players: ‘The inferences we drew happened some time after we collected the data, so that’s not a ‘collection’ but a ‘use’, and the Act doesn’t say that APP 6 (which regulates ‘use’) applies to inferred information, so woo hoo we’re off the hook’.

(I know that’s not what the OAIC or the Discussion Paper mean when they talk about ‘collection by creation’, but instead of letting those arguments play out in some expensive litigation between the OAIC and Big Tech in the future, let’s nip them in the bud now with some clear legislative drafting.)

Again, I’m not just hypothesising here about what certain players might say.  Take a look at Facebook’s submission on the Issues Paper, which says that the information it infers about people is not, and should not be, regulated as ‘personal information’.  Facebook wants to protect its investment of “time, money and resources” in developing and using its inferences about people, which instead of being treated as personal information worthy of legal protection are characterised in the submission as the company’s “intellectual property” which should be protected from “inappropriate interference”, by which it means having to comply with the APPs.

The ‘fair and reasonable’ test

In chapter 10, the Discussion Paper proposes the introduction of a new requirement: that “collection, use or disclosure of personal information under APP 3 and APP 6 must be fair and reasonable in the circumstances”.

This is proposed in relation to routine activities (e.g. use or disclosure for a primary purpose, or a directly related secondary purpose), and activities authorised on the basis of the individual’s consent.  It is not proposed to apply to activities authorised under a different law, or under an exemption such as those relating to law enforcement or research purposes.

To supplement this ‘fair and reasonable’ test, the proposal includes factors which could be legislated as relevant to any application of the test.  The draft list is:

  • Whether an individual would reasonably expect the personal information to be collected, used or disclosed in the circumstances
  • The sensitivity and amount of personal information being collected, used or disclosed
  • Whether an individual is at foreseeable risk of unjustified adverse impacts or harm as a result of the collection, use or disclosure of their personal information
  • Whether the collection, use or disclosure is reasonably necessary to achieve the functions and activities of the entity
  • Whether the individual’s loss of privacy is proportionate to the benefits
  • The transparency of the collection, use or disclosure of the personal information, and
  • If the personal information relates to a child, whether the collection, use or disclosure of the personal information is in the best interests of the child

This is a welcome suggestion, but in my view it still needs some strengthening.  Otherwise imagine the argument from tech platforms about why content which might harm teenage girls or push vulnerable people towards extremism is still being fuelled by algorithms designed to generate ‘engagement’:  ‘Well our free services need ad revenue to operate, for ads to be successful we need high levels of engagement with the platform, to get high levels of engagement we need users to see certain content which we know will engage them, and so in those circumstances this [anorexia-promoting / conspiracy-theory fuelled / hate-filled / extremist / genocide-promoting / do I need to keep going about the types of harms here] content is “reasonably necessary to achieve the functions and activities of” our company, and anyway we can’t foresee which of our users are at “risk of unjustified adverse impacts or harm” from that content, but just in case we have included something in our T&Cs to set expectations and be transparent, so we have now met the “fair and reasonable” test’.

Also, I would argue that the ‘fair and reasonable’ test should apply to all instances of collection, use and disclosure, including where the collection, use or disclosure is authorised by another law, or under an exemption.  The ‘fair and reasonable’ test should be able to flex to the circumstances of the use case.  Think about the data-hungry activities of Australian Government agencies: the likes of the ATO, Centrelink and the NDIA often operate on the basis of specific legislative authority to collect, use or disclose personal information.  Shouldn’t we expect those activities to also be ‘fair and reasonable’?

Perhaps then agencies wouldn’t be able to get away with releasing deeply intimate information about a person’s relationship history, tax affairs and social security benefits to a sympathetic journalist, in response to some public criticism about their agency.

And don’t we want our law enforcement agencies to also only use personal information in a ‘fair and reasonable’ manner?  Legitimate investigations and even covert surveillance will be ‘fair and reasonable’ in the right circumstances.  After all, police forces with nothing to hide will have nothing to fear, right?

Accountability for high privacy impact activities

Another significant proposal is the idea to create a list of ‘restricted practices’, which while not prohibited will require additional steps from organisations to identify and mitigate privacy risks.

The draft list (at Proposal 11.1) is:

  • Direct marketing, including online targeted advertising on a large scale
  • The collection, use or disclosure of sensitive information on a large scale
  • The collection, use or disclosure of children’s personal information on a large scale
  • The collection, use or disclosure of location data on a large scale
  • The collection, use or disclosure of biometric or genetic data, including the use of facial recognition software
  • The sale of personal information on a large scale
  • The collection, use or disclosure of personal information for the purposes of influencing individuals’ behaviour or decisions on a large scale
  • The collection, use or disclosure of personal information for the purposes of automated decision making with legal or significant effects, or
  • Any collection, use or disclosure that is likely to result in a high privacy risk or risk of harm to an individual.

While not explicitly saying so, this proposal looks a lot like the introduction of mandatory Privacy Impact Assessments for certain activities.  (Proposal 11.2 also suggests alternatives to organisational accountability which instead rely on self-management options like requiring consent, explicit notice or opt-outs, but they are clearly not the favoured option and we know that notice and consent is broken, so let’s not even go there.)

The Australian Government Agencies Privacy Code already makes PIAs mandatory for the public sector in relation to ‘high privacy risk’ activities, with the OAIC maintaining a list of the types of activities it considers to inherently pose high levels of risk.  This new proposal looks set to extend the requirement to the private sector as well.

Through its latest determinations against 7-Eleven and Clearview AI, the OAIC was already signalling that PIAs are now expected under APP 1 for what it is calling ‘high privacy impact’ activities, as a way for organisations to demonstrate that they have effective privacy risk management processes in place.

The Salinger Privacy submission will argue that this list of ‘restricted practices’ should be incorporated into APP 1, and be the trigger for a mandatory PIA to be conducted.  However even better would be to adopt the GDPR model, which is that if, after the conduct of a PIA and the implementation of all mitigation strategies, there is still a residual level of high risk, then the regulator must be consulted, and the regulator has the power to stop or prohibit the activity.  (Now that might have stopped a company like Clearview AI in its tracks sooner.)

I will also suggest a tweaking of the list of ‘restricted practices’.  For example instead of just “online targeted advertising on a large scale”, I would throw in behavioural tracking, profiling and the delivery of personalised content to individuals.  (Netflix and the ABC’s iView would otherwise be able to say ‘Well we don’t show ads so this list does not apply to our activities’.)

Conversely, I would not consider all direct marketing to be a high privacy impact, even when delivered at scale.  A brochure mailout or email newsletter delivered to the first party customers of a retailer poses very low privacy risk if there is no personalisation of messaging or pricing, or tracking of engagement or conversions.

Some further food for thought is whether or not the OAIC should be able to add to the list of restricted practices, and/or whether or not some ‘restricted practices’ should instead be prohibited, either by the Act or via OAIC developing guidance over time about ‘no-go’ zones.  Recent calls for a moratorium on the use of facial recognition in government come to mind.

Children’s privacy

Kids’ privacy is getting a lot of attention in these and related proposals from the Australian Government.  Whether or not a proposed activity is in the best interests of a child gets a mention in the list of factors relevant to applying the ‘fair and reasonable’ test (Proposal 10.2), and processing personal information about children on a large scale is included in the list of ‘restricted activities’ which will require additional risk mitigation steps (Proposal 11.1).

Plus Proposal 13 raises the curly and interrelated issues of children’s capacity, parental consent, and age verification.  The Discussion Paper proposes two options on which the Government is seeking feedback: require parents to consent on behalf of children for all instances of handling personal information about children under 16, or only for those instances where the lawful basis for collecting, using or disclosing the information is ‘with consent’ in the first place.

In my view, the first option is utterly unworkable.  So many legitimate and routine activities need to happen in a child’s life without stopping to ask for a parent’s consent for every separate thing.  Imagine a school contacting a parent to ask ‘do we have your consent to collect and use information about what little Johnny did in the playground at recess today?’  (If the parent says ‘no’, then what?)  Such a legal requirement would either cause routine activities to grind to a halt, or organisations will implement horrible unwieldy bundled ‘consents’, which will make a mockery of Proposal 9 – which is to spell out in legislation that every consent must be voluntary (i.e. not part of the conditions of use), informed, current, specific (i.e. not bundled), and an unambiguous indication through clear action.

The Discussion Paper is also asking for feedback on whether organisations should be permitted to assess capacity on an individualised basis, rather than taking a fixed date – the child’s 16th birthday – as the magical day on which they transform from helpless to capable of making independent decisions.

Plus there’s plenty more about kids’ privacy to be found in the Online Privacy Bill, discussed further below.

Regulation and enforcement

There’s a whole lot going on under this heading in the Discussion Paper (chapters 24-28).

Some of the proposals seek to fix long-standing enforcement problems, or propose sensible measures like a tiered civil penalty regime.  (That will be particularly important if small businesses are brought into the fold.)  So far so good.

Some are more radical ideas like industry funding of the OAIC, as happens now with the corporate regulator ASIC, and splitting apart the OAIC’s functions so that a ‘Privacy Ombudsman’ handles the complaints function.  This idea of splitting policy / strategic / advisory functions off from the complaints-handling / enforcement functions is pretty funny, when you consider that the OAIC was created explicitly to bring those functions all under the one roof for privacy and FOI.  (Just fund the OAIC properly will be my submission in response.)  I should probably move this idea into the ‘Bad’ pile.  Which brings us to…

THE BAD

Criminalising re-identification

Ugh, the criminalisation of re-identification rears its head again!  First prompted in 2016 by some egg-on-faces in the Australian Government when the MBS/PBS dataset was shown to have not been properly de-identified before its public release, instead of penalising, say, the release of poorly de-identified data in the first place, the Government moved to criminalise the conduct of researchers and security specialists who conduct re-identification attacks on data.  This terrible, horrible, no good, very bad idea was rightly criticised by the Privacy Commissioner and opposed in Parliament due to fears of its impact on public interest research and cybersecurity efforts.

Why re-introduce the idea now (Proposal 2.6)?  Just… no.  If you’re worried about malicious re-identification attacks on public data, introduce a statutory tort.  Don’t penalise the white hat hackers.

Also: dear governments, please stop drinking the Kool-Aid on the wonders of open data.  De-identification is not a magic solution to privacy compliance, and unit record level data is unlikely to ever be safe for public release unless treated with some pretty complex differential privacy techniques, as was demonstrated in 2016 (MBS/PBS), 2018 (Myki), and 2020 (Flight Centre).

A direct right of action that’s not very… direct

Chapter 25 discusses the idea of a ‘direct right of action’.  The ACCC recommended that “individuals be given a direct right to bring actions and class actions against APP entities in court to seek compensatory damages as well as aggravated and exemplary damages (in exceptional circumstances) for the financial and non-financial harm suffered as a result of an interference with their privacy under the Act”.

The Discussion Paper noted a number of submissions made about the OAIC’s lack of resources, which has caused complaint-handling delays, and means it operates as a ‘bottleneck’.  Unlike in other jurisdictions, the OAIC is effectively the gatekeeper, and can dismiss complaints without proceeding to either conciliation or a formal determination, thus quashing the complainant’s appeal rights.

So you would think a direct right of action would fix that, right?  Er, no.  Proposal 25.1 is to create a right of action which is only triggered if the complainant first goes to the respondent, then to the OAIC, and then can only proceed to the Federal Court if the OAIC first determines that the complaint is suitable for conciliation.  Too bad if they dismiss it instead, or if it languishes in the queue so long that the respondent has skipped town in the meantime.

For a ‘direct right of action’ it’s not very… direct.  Nor is it very accessible to most people.  Hands up who wants to pay a QC in the Federal Court and be exposed to costs orders if you lose?

Other jurisdictions do this better.  NSW for example allows privacy complainants to lodge a complaint in a no-cost tribunal, so long as they first complained in writing to the respondent and the respondent did not resolve the matter to the complainant’s satisfaction within 60 days.  The NSW Privacy Commissioner has a right to be heard in the tribunal, but does not operate as a brake or a bottleneck on matters proceeding.  A cap on compensation keeps things manageable for respondents.

THE UGLY

There are some aspects of the proposals which are messy, or about which the politics could get messy.

The bits they squibbed

The Discussion Paper kicked the can down the road on the four major exemptions: small businesses, employee records, political parties and media organisations.  Rather than propose specific outcomes, chapters 4-7 of the Discussion Paper dance around these contentious areas, while calling for further submissions on a number of questions.

(So if you have a view, make a submission!)

For example, consideration of the small business exemption includes whether, rather than just bringing all businesses within scope of the Act, as comparable jurisdictions do, certain ‘high risk’ practices should be prescribed in.  In my view, creating yet more exceptions to an exemption will create confusion, and would be unlikely to lead to an ‘adequacy’ ruling from the European Commission.

Then there’s the idea of a statutory tort of privacy (chapter 26), which has been kicking around as an idea for what seems like forever, but which never quite makes it over the line, despite it enjoying pretty widespread support other than from the media and other businesses afraid of being sued for serious invasions of privacy.  The Discussion Paper throws up four options, one of which is to not introduce a tort but extend the application of the Act to “individuals in a non-business capacity for collection, use or disclosure of personal information which would be highly offensive to an objective reasonable person”.

Individuals doing offensive things are hardly going to respond to a letter from the OAIC.  Nor will this resolve the problem for victims who have suffered harm at the hands of organisations which are exempt, or at the hands of rogue employees, whose employers get to escape liability.

Individual rights

OK, so I know that the proposed rights of objection (Proposal 14) and erasure (Proposal 15) will generate a lot of attention, but I just can’t get too excited about them.  We already have a right to opt out of direct marketing, and we can withdraw consent to activities which were originally based on our consent, like participation in a research project.  We also already have a right of correction, which the OAIC has said can include deletion in some circumstances.

While I’m not opposed to introducing more rights, the right to erasure in particular is mostly privacy theatre.  It will cause messy compliance headaches, but deliver little of substance for individuals.  Better to prohibit or prevent bad practices by organisations in the first place, than rely on individuals having to clean up afterwards.

Conversely, the discussion of automated decision-making does not propose any new rights, yet this is an area in which rights could actually make a significant difference.  Think what a right to algorithmic transparency, explainability, auditability and review could do to prevent the next Robodebt-type snafu!  Proposal 17 just suggests that people be told, via an organisation’s Privacy Policy, if automated decision-making is being used.  This will achieve… nothing much.  I think we deserve better.

The Online Privacy Bill

And now we come to the messiest bit of all: the law reform you have when you’re still in the middle of consulting about law reform!

The government has, for some years, been flagging its intention to significantly increase penalties for breaches of the Privacy Act, to levels closer to the GDPR and equal to the CDR scheme and the Australian Consumer Law.  So, as expected, the Government is proposing to increase the civil penalties for an interference with privacy (such as a breach of an APP), from its current maximum of $2.1M, to whichever is greatest out of $10M, three times the value of the benefit gained by the organisation from their conduct, or 10% of domestic annual turnover.

But rather than include that in the Discussion Paper, the Government is moving on penalties ahead of the rest of the review, with a Bill also out for public consultation at the same time as the Discussion Paper.

Great, I thought – let’s do it!

But not so fast.  There is a world of difference between Schedules 1, 2 and 3 of the Online Privacy Bill.

Schedules 2-3, or what is described in the Explanatory Paper as ‘Part B’ of the Privacy Legislation Amendment (Enhancing Online Privacy and Other Measures) Bill 2021, involve increasing the civil penalties as outlined above, as well as some other tweaking of OAIC powers when conducting investigative or enforcement activities.

Schedules 2-3 of the Bill will also improve the Privacy Act’s extra-territorial reach, by removing the condition that – to be within reach of the law – an organisation has to collect or hold personal information from sources inside Australia.  So foreign companies which collect personal information of Australians from a digital platform that does not have servers in Australia will more clearly be subject to the Privacy Act.

Schedules 2-3 of the Bill get the big tick of approval from me.

Schedule 1 on the other hand…

Schedule 1, or what is described in the Explanatory Paper as ‘Part A’ of the Bill, creates a space in the Privacy Act for the introduction of a binding ‘Online Privacy Code’, which would create new obligations for certain kinds of bodies: social media companies, data brokers, and large online platforms.  Either the industry would need to develop the Code within 12 months, or the OAIC can step in and develop it.

The content of the Code would need to flesh out how some of the APPs will apply in practice to those industries, and would cover three broad areas:

  • Upgrading the APPs in relation to privacy policies, collection notices and what consent means
  • Introducing a right to object (i.e. the ability for a consumer to ask a company to cease using or disclosing their personal information), and
  • Some vague ideas about how to protect children and vulnerable groups (plus one concrete but terrible idea).

The Discussion Paper for the main review process says that the Online Privacy Bill “addresses the unique and pressing privacy challenges posed by social media and online platforms”.  But in reality most of those issues, like the role of notice and consent and how to protect children, are not unique to social media or online platforms, and – if you have read this far you will know – most of these issues are already being addressed in the broader Discussion Paper.

The one big thing that’s in Schedule 1 of the Online Privacy Bill that’s not also in the Discussion Paper is age verification for the use of social media, along with a requirement for parental consent to sign up users under 16.

You know what that means, right?  It means age verification for everyone, not just the kids.  And age verification usually means identity verification, which means giving Big Tech more personal information.  Which is not very privacy-friendly, for a Bill supposed to be about privacy.

So where has this come from, and why is it not part of the rest of the reform and review process?

Age verification and parental consent are part of a bigger political crackdown on Big Tech, which is driven by reactive politics rather than sensible policy.  They fit snugly alongside the Prime Minister’s ‘real names in social media’ and ‘voter identification’ thought bubbles, which play well with voters but which are terrible ideas that create more problems than they solve.

Here is my bold prediction: age verification will fail, as it always does.  But meanwhile this issue alone will prove to be a furphy which distracts from the bigger issues raised by the wider Act review.

This is some bad politics.  Schedule 1 of the Bill plays into the hands of social media companies, who can sit back and enjoy the debate about age verification and online anonymity, while doing precisely nothing about the underlying business model which causes harms, not only to children.

(Also excuse me but politicians who voted against revealing who funded Christian Porter’s blind trust don’t get to complain about anonymity online.)

Plus, besides the anti-privacy age verification bit of the Bill, I have some more pragmatic concerns.

First, making parents consent before letting kids under 16 loose on social media will do nothing to change the data exploitative business model underpinning social media, or the harms that flow from it.

Second, the most toxic of the bad actors will drag out the process for developing the Code, then they will argue that they’re not covered by the Code, then they will argue about the definition of personal information some more.  (The US experience with the Californian privacy law suggests that we will end up in arguments about what it means to ‘trade’ in personal information, what it means to ‘enable online social interaction’, and so on.)

Third, the whole idea of an Online Privacy Code massively over-complicates the regulatory environment.  Just fix the Privacy Act for all players, instead of introducing a two-tier regulatory system.  One of the strengths of the Privacy Act is its technology and industry neutral position.  Why mess with that?  For example, any new provisions for protecting children and vulnerable groups, or for clarifying the elements needed to gain a valid consent, should apply to all sectors – as is already proposed in the Discussion Paper.

Politically, the government is keen to be seen to beat up on Big Tech ahead of the election, so the Online Privacy Bill makes it looks like they are doing something, while ignoring the bigger issues which show the need to reform the Privacy Act for all players.

NEXT STEPS

Submissions on the Online Privacy Bill are due by 6 December, so get your skates on for that one.  (Sorry, there goes the weekend.)

Submissions on the Discussion Paper are due by 10 January.

2022 will no doubt bring plenty of robust discussion about the shape of privacy regulation in Australia, as we attempt to mould our legislation into a more contemporary design, to reflect the realities of the digital economy.

Photograph (c) Shutterstock

Why can’t Aunty get the ABCs of privacy right?


The ABC says it is “committed to protecting your privacy”.  So why are they giving our data to Facebook and Google?

The ABC Privacy Policy was updated in late 2021, to “reflect some changes to the way in which your information will be handled as we look to help Australians find more content likely to be of interest to them”.

The changes include “disclosing hashed email addresses to Google and Facebook to show you promotions for ABC Content likely to be of interest to you on those platforms, unless you choose to opt out”.

In other words, if you have an ABC Account (e.g. if you login to watch iview or use the ABC Listen app), you will be individually profiled and potentially targeted by Facebook or Google, based on information about you given to those companies by the ABC – unless you have first figured out this practice is going on and then activated your privacy settings to opt out.

Is this legal?  Can the ABC really match up data about its viewers and listeners with Google and Facebook, without your consent?

That depends on your interpretation of the Privacy Act as it stands today.  The confusion over what is allowed is a good illustration of why the Privacy Act is in need of reform – but I will come back to that later.

Won’t hashing protect me?

The AdTech and data broking industry like to say that they are protecting your privacy, or sharing only ‘de-identified’ data, by using ‘hashed’ email addresses when they exchange data about you.  Hashing is a one-way scrambling process: your email address becomes a string of gibberish which cannot be reverse-engineered, so your ‘real’ email address cannot be guessed at.  But if you use the same email address to log in to two or more sites (and most of us do), and if those two or more companies use the same hashing algorithm to scramble your email address, the string of gibberish becomes a unique identifier about you, which can then be used to match and link up all the other data held about you by those companies.

So that claim about protecting your privacy is a furphy.

The fact that no ‘names’ or even ‘real’ email addresses are exposed in the middle of the data-sharing process makes no difference to the end privacy impact, which is that you will be shown specifically targeted ads or other forms of personalised content, because of the richness of the information about you that has been shared between companies, behind your back.
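To make the linkage point above concrete, here is an added illustration (not the ABC's, Facebook's or Google's code, and not describing any particular product). Two hypothetical companies, a broadcaster and a platform, each hold a constructed customer list. When both sides apply the same unkeyed SHA-256 to a normalised address, the digests agree and the platform can join the broadcaster's records to its own users; when each side instead uses an HMAC under its own secret key, the same exchange links nothing, which shows that the "privacy" of a hashed identifier depends entirely on whether the parties share the hashing scheme, and in AdTech matching they share it by design.

```python
"""Why a 'hashed email address' still links records across companies.

Added illustration: hypothetical parties and constructed sample data only.
"""
import hashlib
import hmac

# Constructed sample data; these are not real people or accounts.
BROADCASTER_CUSTOMERS = ["Alice@Example.com", "bob@example.net ", "carol@example.org"]
PLATFORM_USERS = ["alice@example.com", "dave@example.com", "BOB@example.net"]


def normalise(email: str) -> str:
    """Matching products require both sides to canonicalise the same way
    (trim whitespace, lower-case) or the digests would never agree."""
    return email.strip().lower()


def plain_hash(email: str) -> str:
    """Unkeyed SHA-256: every party computes the same digest for the same address."""
    return hashlib.sha256(normalise(email).encode("utf-8")).hexdigest()


def keyed_hash(email: str, party_key: bytes) -> str:
    """HMAC-SHA256 under a secret held by one party only, so digests are
    specific to that party and cannot be joined by anyone without the key."""
    return hmac.new(party_key, normalise(email).encode("utf-8"), hashlib.sha256).hexdigest()


def count_linked(sender_digests, receiver_digests) -> int:
    """How many of the sender's records the receiver can join to its own users."""
    return len(set(sender_digests) & set(receiver_digests))


def link_with_plain_hash() -> int:
    """Broadcaster sends plain SHA-256 digests; platform hashes its own users the same way."""
    sent = [plain_hash(e) for e in BROADCASTER_CUSTOMERS]
    held = [plain_hash(e) for e in PLATFORM_USERS]
    return count_linked(sent, held)


def link_with_keyed_hash(broadcaster_key: bytes, platform_key: bytes) -> int:
    """Each party keys its digests with its own secret; linkage survives only
    if the two keys happen to be the same (i.e. the scheme is shared)."""
    sent = [keyed_hash(e, broadcaster_key) for e in BROADCASTER_CUSTOMERS]
    held = [keyed_hash(e, platform_key) for e in PLATFORM_USERS]
    return count_linked(sent, held)


if __name__ == "__main__":
    print("plain SHA-256 links", link_with_plain_hash(), "records")
    print("per-party HMAC links",
          link_with_keyed_hash(b"broadcaster-secret", b"platform-secret"), "records")
```

Run it and the unkeyed scheme links two of the three broadcaster customers (Alice and Bob, despite differences in case and whitespace), while distinct keys link none. Note that keying the hash only prevents the join between parties; it does nothing about the fact that a platform which already holds the plaintext address, as Facebook and Google do for their own users, can hash it however a partner asks.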

In this case, the ABC has clearly admitted that what it is doing is giving information about its viewers and listeners to Facebook and Google.

Why would the ABC do this?

It does so to enable both profiling and individualised targeting of content and ads to its current or prospective viewers.  So, for example, as the ABC itself explains, if the ABC already knows that you have watched The Newsreader, it won’t waste money paying Facebook or Google to show you ads on those platforms exhorting you to watch The Newsreader.  (Sidenote: enjoy the irony of the public media paying to advertise on social media a TV show about a TV show set on commercial media, in a time before social media existed.)

This also means that the ABC can pay to advertise other shows to you, if it thinks – because of your viewing history – that you might like them.  And it can target ads for ABC shows to ‘lookalike’ audiences: people who Facebook and Google have profiled as similar to ABC viewers, but who are not known to be ABC viewers… including all the privacy-protecting people who try to avoid this kind of profiling by laboriously using different email addresses across sites, or who refuse to create accounts to log in at all.

More disturbingly, it also means that Facebook and Google could now know even more information about you than before, and add to your profile.  (Because let’s face it: they’re not mugs.  They’re going to monetise that data as much as they can.)  Which means that – and this is the part that surely the ABC doesn’t fully realise or it wouldn’t be letting its valuable first party customer data out of its own hands – the ABC’s rivals can also now even better target ads for rival TV shows to you.  (Liked The Newsreader?  Forget the ABC, try Apple TV’s Morning Wars!)

(Updated 7/1: Note that it has been pointed out to me that the use of Facebook’s Custom Audiences targeted marketing technique would usually involve terms to preclude Facebook from re-using the data shared with it by advertisers, so perhaps ABC customers are not at risk of this final scenario happening.  However my understanding is that to date the ABC has not released the terms of its engagement with Facebook despite FOI requests from privacy advocates going back some months, so we can’t yet tell what those terms are.  And the Privacy Policy doesn’t mention FB’s Custom Audiences; that’s just what a reader has told me the ABC is using.  Also, the ABC Privacy Policy, after talking about the information it discloses to third parties for the purposes of marketing via other platforms, states “Some third parties may be able to match information about your use of our digital services with personal information they already have about you”.  Because that statement appears before mention of the sharing of hashed email addresses, it is not clear whether that statement is only about data collected via third party cookies and similar online identifiers whether customers are logged in or not (see more about that below), or if it also includes data shared via techniques like using hashed email addresses to build Custom Audiences.)

So, can they really do this?

The sharing of a ‘hashed email address’ is an example of the disclosure of information which, taken alone, might be argued by industry players to be ‘de-identified’, such as to escape regulation under the Privacy Act.  That’s because information which cannot ‘reasonably identify’ an individual is excluded from the reach of our privacy laws.  And a hashed email address, alone, should not be capable of identifying anyone.

But the privacy regulator in Australia, the OAIC, has said that the test as to whether or not something meets the definition of ‘personal information’ (which means it will be regulated by the Privacy Act), is not about considering information in a vacuum: “Some information may not be personal information when considered on its own. However, when combined with other information held by (or accessible to) an entity, it may become ‘personal information’.”

So, given that a hashed email address can be – and indeed is intended to be – linked back to other information held about identifiable individuals by Facebook and Google, I would argue that the hashed email address, along with all the other ABC-collated information shared about the ‘de-identified’ individual it relates to, is ‘personal information’ regulated by the Privacy Act.

But despite the OAIC’s guidance, the letter of the law about what is ‘personal information’, and what is not, is not quite so clear, which leaves room for argument from the digital platforms and others in the AdTech ecosystem.  (Facebook for one argues that this information is not regulated because no-one is ‘identifiable’.)

This alone is a compelling reason why the Privacy Act is currently being reviewed, and why the Australian Government has already proposed strengthening and clarifying the definition of ‘personal information’.

(For more on the Privacy Act review, and to inspire your own submission in support of the proposed reforms, or to argue like me that they need to go further to be truly effective, see our submission to the Privacy Act review.  It includes plenty of other examples to explain why reform is needed to protect our privacy.  But get in quick, submissions are due 10 January.)

But wait, it gets worse!

Let’s say that, like yours truly, you have thus far resisted all encouragements to create an ABC Account, and are therefore still enjoying iview without having to share any email address with the ABC.  Are you immune from the data sharing?  Turns out, no.

Check out this from the updated ABC Privacy Policy:  “If you are not a registered ABC Account holder, or you are accessing an ABC digital platform while not logged into your ABC Account, we may disclose the identifier for your device or browser to Google and Facebook, via Tealium, for the same purpose. … If you don’t want to see promotional information on those platforms that is informed by your use of ABC digital services, you can opt out via the account settings on those platforms.”

So, the ABC (with whom I have never had an account) is sharing my data with Facebook (with whom I have never had an account) and the way to opt out of that is via Facebook, but I can’t because I don’t have a Facebook account from which to access any ‘account settings’.

Way to go Aunty!  Nice Kafkaesque nightmare you’ve got us in, all so you can show your loyal viewers ads for stuff they probably already know about.

Is this even legal?

Now, if the ABC is indeed found to be sharing ‘personal information’, can it do so legally?  Without customer consent, I cannot see how.

(Have they got consent?  They are relying on telling customers via their Privacy Policy, and letting people ‘opt out’ if they don’t like it.  But in case after case, the OAIC has said that in order to be valid, consent requires an ‘opt in’, not ‘opt out’, and adding something to a Privacy Policy is not nearly enough.  But spelling out the essential elements needed to gain a valid consent under the Privacy Act is also the subject of a law reform proposal: to make it absolutely clear in the letter of the law itself that to rely on ‘consent’, the customer needs to have exercised a clear and affirmative choice.  So that’s reason #2 to make a submission to the Privacy Act review, ‘toot sweet’ as the ABC’s own Kath and Kim would say.)

The disclosure to any third party is regulated by Australian Privacy Principle (APP) 6, unless it is for ‘direct marketing’ in which case the rule is APP 7, which starts to make things murky as to whether or not consent is needed for that disclosure.  But what is clear is that if the information is being disclosed to an organisation outside Australia, it also has to meet APP 8.

And as I previously noted to the ABC when it first proposed last year to make logging into iview mandatory, under APP 8.2, disclosure of personal information to an overseas organisation like Facebook, in jurisdictions such as the USA which does not have privacy protections equivalent to ours, requires the consent of the individual, after they have been expressly informed that their personal information will be sent to a jurisdiction without privacy protections.  (And none of the exemptions to APP 8 are relevant here.)  So that alone could pose a compliance problem for the ABC.

But regardless of whether or not the ABC is currently legally regulated in the way it shares data about the viewing and listening habits of its customers, surely it has a moral responsibility to protect its viewers and listeners from harm?

What’s so wrong with sharing our data?

When you think about it, a person’s ABC viewing or listening habits may be quite sensitive, and harm could be done when they are shared without consent.  Many Australians go to the ABC as a trusted source of information on controversial issues.  A student from an authoritarian country who likes to watch shows about democracy, or a teenager from a conservative family who takes an interest in gender fluidity or religious scepticism, may suffer significant harm if these preferences are exposed.

For example, if an Australian has watched Foreign Correspondent’s episode on the crackdown against Uighurs in Xinjiang, this could be used by Facebook or Google to inform an attribute such as “interested in human rights abuses in China”, which could then be used by the Chinese government to target propaganda directly to those viewers via paid advertising on those platforms.  This has implications for societal political manipulation.  The data is likely to be very easily identifiable by Google, Facebook, the Chinese Communist Party, or other sophisticated data gatherers with whom it might (directly or indirectly) be shared.

So what’s the solution?

If you are less than impressed with this state of affairs, start by making a submission to the review of the Privacy Act, ASAP.  (Submissions close 10 January.)  Tell the Government you are one of the 89% of Australians who believe that the information used to track us online should be protected under the Privacy Act.

Even if you have time for nothing else, email the review team to say that you support proposals 2.1-2.5 and 9.1-9.2, which are to clarify and strengthen the definition of personal information, and the elements of consent.  Want more details?  See our blog explainer here, and our detailed submission here.

And then let the ABC know; the bottom of their Privacy Policy tells you how, or write to the MD like I did.  Letters from a few concerned viewers last year saw the ABC defer its plan to make it mandatory to log into iview, while it re-considered the privacy issues.  Perhaps these recent changes to the Privacy Policy are the result of that review, because 10 points to Aunty for now making it much clearer for everyone to understand exactly what kind of intrusive data sharing is going on, whether people have logged in or not.

But transparency is not enough.  This type of exploitative data extraction and surveillance capitalism has no place on our beloved Aunty.

Australians don’t want to be tracked online.  Our public broadcaster should not be sharing data about its viewers and listeners with global tech behemoths without our active and informed consent.  Aunty’s job is to tell us stories, not tell stories about us to Facebook and Google.

Privacy compliance is not rocket science.  Meeting community expectations about our data is not hard.  It’s about common sense, and good manners.

Perhaps I can best sum it up using my ABCs: Always Be Considerate.


(Post script for our non-Australian readers: ‘Aunty’ is a fond nickname for the Australian Broadcasting Corporation, our publicly funded national broadcasting service and – except on this issue – national treasure.)

Photo (c) Shutterstock

Should birds of a feather be FLoC’d together?


The demise last week of FLoC is not the end of the story for Google’s plans to prop up surveillance-based advertising once cookies are phased out.

As a replacement for third party tracking cookies, Google was – until last week when it was killed off – trialling a new system for delivering personally targeted ads called FLoC.  FLoC’s objective was to hide individuals in a crowd, and keep a person’s web history ‘private’ on their browser.  But it turned out that this initiative was not quite as ‘privacy first’ as Google wanted us to believe.

Nor will its touted replacement – ‘Topics’ – necessarily be much better at preventing privacy harms.

What is changing about the AdTech ecosystem

In his brief history of online advertising, Dan Stinton, the Managing Director of Guardian Australia and former Head of Digital at Yahoo7, explains that “most advertisers or their advertising agencies… purchase consumer data from third parties (credit card purchases, for example), aggregate this with their own first-party data (customer email addresses, for example), and then follow those consumers across the web by dropping cookies on their web browsers and serving targeted ads”.

For a couple of decades now, they have done so in the name of serving up ‘relevant’ ads, targeted to appropriate customer segments.  However Stinton writes that at some point “segmentation (became) consumer profiling, which is where the potential for harm really exists”, and that “relevant ads morphed to become industrial-scale behaviour modification”.

The Cambridge Analytica scandal opened the world’s eyes to the impact of surveillance-based advertising, and the realisation that the AdTech ecosystem, initially developed to enable ‘free’ online platforms supported by advertising revenue, has resulted in harms well beyond being subject to unwanted ads.

Fast forward a few years, and community sentiment has shifted.  Where the public goes, legislators and courts – and even big business – eventually follow.  First we saw Apple and Mozilla block tracking cookies by default in their web browsers, and then when Apple blocked app-based tracking as well unless iPhone customers opted in, only very small numbers of people consented to let the tracking continue.  Privacy-first providers of digital services which offer alternatives to the dominant Google and Facebook suite of surveillance-driven products, such as DuckDuckGo (search engine), Signal (messaging) and Protonmail (email), are also growing in market share.

In parallel, European courts have made findings against the use of tracking cookies without consent; and European privacy regulators have cracked down on the difficult-to-use opt-out mechanisms used by Facebook and Google.  Meanwhile the European Parliament is considering a Digital Services Act to regulate online behavioural advertising, recent amendments to the California Consumer Privacy Act have jumped into the regulation of digital ‘dark patterns’, and a Bill to ban surveillance advertising has just been introduced into the US Congress.

Sensing the tide turning on community expectations around privacy and online tracking, and a new market for privacy-enhancing tech, Google announced it would address privacy concerns by also phasing out third party tracking cookies on its Chrome browser.  Since Chrome is the dominant browser used globally, the final demise of the third party cookie is now scheduled to occur in 2023.

But the end of third party tracking cookies is not the full story when it comes to surveillance, profiling and personalised targeting, based on your online movements.

Inside the birdcage

Once third party tracking cookies are gone, more and more companies will require their customers to log in to their website or access services through an app.  This means that the customer’s use of that company’s website or app can be tracked, without needing cookies.  That tracking generates what’s called ‘first party data’.  When customers use their email address to log in to a site (or download and use an app), their email address becomes a unique identifier, which can then be matched up with ‘first party data’ from other companies, for customers who use the same email address across different logins.

(Our recent blog about the ABC offered an example of even a publicly funded broadcaster succumbing to the drive to collect more ‘first party’ customer data, and then use hashed email addresses to enable ad re-targeting on third party platforms like Facebook and Google.)

But how about outside the birdcage?

Flying, but still tagged

While plenty of companies will push their customers inside their own birdcages, that still leaves plenty of web activity happening when you are not logged into sites.  But just because you’re not logged in doesn’t mean you are as free as a bird; you can still be tracked, profiled and targeted.

As part of its planned phase-out of third party cookies, in 2021 Google proposed FLoC – or Federated Learning of Cohorts – as a new browser standard.  The objective of FLoC was to “allow sites to guess your interests without being able to uniquely identify you”.

Google started using machine learning to develop algorithms which reviewed each individual’s web search and online browsing activity to profile them, and place them into ‘cohorts’ of 1,000 or more people with similar demographics, qualities or interests, before allowing advertisers and others to target their ads or content to individuals in that cohort.  While advertisers, in theory, were not supposed to learn the identity of anyone in the cohort, or their particular browsing history, they were still able to reach the precise individuals they wanted to target.

FLoC therefore still allowed individuated targeting or differential treatment of the individual by an advertiser, via Google as the ‘middle man’ who knows all your secrets, even as Google promised to prevent identification of the individual to the advertiser.

The result was highly privacy-invasive for Chrome browser users included in the FLoC trials (which included Australians): your intimacy and honesty turned against you, your hopes, fears, questions and plans extracted and exploited by Google to track, profile and segment you into multiple ‘cohorts’, so they can make a buck targeting you with personalised ads.

FLoC could also have enabled identification of individuals, or additional intrusive leaking of attribute data about them, to third parties.  This is because the Chrome browser on an individual’s device would tell every website they visit what that individual’s ‘FLoC ID’ is.  A FLoC ID tells the website operator that this particular individual is in the cohort ‘ABCDE’, which means they have a certain profile which reflects the habits, interests and potentially demographics of people in that cohort (e.g. young women interested in physical well-being, or middle-aged men interested in cricket), as determined from their recent online activity.

That way, a publisher (i.e. a website which hosts paid third party ads) can show the ‘right’ kind of ads to that person.  Advertisers will have already told the publisher to show their ad to people with certain profiles; so a person profiled as interested in physical well-being might be shown an ad for yoga gear or diet pills, and a person profiled as interested in cricket might be shown an ad for cricket bats or sports betting.  So when an individual with a FLoC ID of ‘ABCDE’ landed on a particular website, the publisher would know what kind of ad to display.

Being FLoC’d together does not guarantee privacy

There are two risks associated with this type of online behavioural surveillance and targeting, even if individuals are ‘hidden’ within cohorts, or allocated loose ‘Topics’.

First, websites or advertisers could potentially reverse-engineer from some cohorts the likelihood that certain individuals visited particular websites.

Second, if a website operator already knows other information about that user, either because they are tracking the user’s IP address or the individual has had to log in to the publisher’s birdcage – e.g. the individual subscribes to read the Sydney Morning Herald, or has a free account to watch SBS On Demand – the publisher can combine their ‘first party data’ (i.e. what they learn about their customer from what the customer reads or watches within the confines of that site) with the new information inferred from the fact that that individual is now known to be in cohort ‘ABCDE’ – for example, that this person is likely to be a young woman interested in physical well-being.

This may be no better using ‘Topics’ instead of FLoC.  Topics will apparently still use an individual’s recent browsing history to group them into up to 15 ‘baskets’ out of about 350 ‘interest’ categories, based on the IAB’s Audience Taxonomy instead of FLoC’s AI-built cohorts.  As well as categories built around demographics (gender, age, marital status, income level, employment type etc), the IAB’s taxonomy has ‘interest’ categories such as #404: Healthy Living > Weight Loss; and #624: Sports > Cricket.  Publishers will be shown three of the 15 baskets at random.

However FLoC was particularly egregious, because of the tendency of its algorithms to create ‘cohorts’ based around not only ‘interests’ but also particularly sensitive matters such as ethnicity, sexuality, religion, political leanings and health conditions.  (The IAB taxonomy on which Topics will be based may not be entirely immune from allowing publishers to infer sensitive personal information from its ‘interest’ categories either; for example interest #503 is Music and Audio > Religious, while #521 is Music and Audio > World/International Music.)

Just for a moment consider the extent to which even public interest health information websites leak data to Google about who visits their sites: an investigation by The Markup found that even non-profits supposed to be protecting their clients, like Planned Parenthood in the US (which offers information on contraceptives and abortions), addiction treatment centres and mental health service providers, are leaking information about their web users to Google and Facebook.

Now think about combining that surveillance of online behaviour, with the power of inferences drawn from people’s Google search terms and click-throughs, and you can start to see how FLoC could enable highly intrusive profiling and personalised targeting at an individual level.

Even FLoC developers admitted that owners of walled sites (such as the Sydney Morning Herald or SBS in my example) “could record and reveal” each customer’s cohort, which means that “information about an individual’s interests may eventually become public”.  The GitHub site for FLoC described this, in somewhat of an understatement, as “not ideal”.

For example, the Sydney Morning Herald could potentially find out which of its subscribers are interested in abortions, anti-depression medication, substance abuse, gambling or suicide; who is questioning their religion or exploring their sexuality; and how they are profiled by Google in terms of their age, gender, ethnicity, political leanings, income, employment status and education level.  It could then add that to its own ‘first party’ customer data, and potentially share it with others.  Because each user’s FLoC ID was continually updated to reflect their latest online activity, website operators could infer more and more about their subscribers over time.

While Google has said that ‘Topics’, at this stage, will shy away from any demographic categories, it is still proposed to be continuously updated to reflect each individual’s browsing history over time.

Publishers can then use this information to sell ad space to those offering arguably harmful messaging (e.g. promoting sports betting to gambling addicts, or promoting pro-anorexia content to teenage girls) as easily as they can target beneficial messaging (e.g. promoting Headspace centres to vulnerable young people).  Individuated messaging and content can also as easily exclude people from opportunities as include them.

The risks are not confined to publishers selling ad space, because the FLoC ID was shared with all websites you visit, not just publishers hosting third party ads.  So even government websites could have gleaned information about you from your FLoC ID.  Are we comfortable with the ATO or Centrelink knowing that Google has profiled someone as interested in crypto-currency?

So there’s plenty to be concerned about from a privacy perspective.  However perpetuating online privacy harms was not the only criticism of FLoC.  The competition regulator in the UK, for example, raised concerns about the effect of FLoC and other of Google’s ‘Privacy Sandbox’ initiatives.  In the words of Cory Doctorow, writing for the Electronic Frontier Foundation, “the advertisers that rely on non-Google ad-targeting will have to move to Google, and pay for their services… Google’s version of protecting our privacy is appointing itself the gatekeeper who decides when we’re spied on while skimming from advertisers with nowhere else to go”.

Can we ever fly free?

FLoC may have been dumped for now, but whether it is ‘Topics’ or something else which Google ultimately uses to replace third party tracking cookies, there appears little appetite from Google to join its rivals in moving away from surveillance-based online behavioural targeting any time soon.

So what can you do?

First, choose your browser and devices wisely.  Tracking cookies are already blocked in Apple’s Safari and Mozilla’s Firefox, and Apple devices are much better at blocking third party tracking both inside apps and on the open web as well.

Second, if you are using Google’s Chrome as your browser, try to find out if you were included in the global FLoC trials, using EFF’s ‘Am I FLoCed?’ tool.  Also keep an eye out for instructions on how to opt out of the trials of ‘Topics’, due to start later this month.

Third, if you are a website operator, declare that you do not want your site to be included in your users’ lists of sites for cohort (or ‘interest’ topic) calculations.  Government, health, non-profit, human rights and other public interest organisations in particular should strongly consider blocking Topics, in order to protect their users from being subject to profiling and personalised ads or messaging based on any association with their website.

Finally, agitate for law reform.  Perhaps it is no coincidence that the trials of FLoC were conducted in 10 countries including Australia, but not in the EU.  The major AdTech players and digital platforms like Google and Facebook will keep exploiting our data unless the law stops it.
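For the third suggestion above, the declaration a website operator makes is an HTTP response header.  The FLoC opt-out was `Permissions-Policy: interest-cohort=()` and the Topics opt-out is `Permissions-Policy: browsing-topics=()`.  The following is an added example (not Google's code, nor from any of the organisations named on this page) that parses a Permissions-Policy header and reports whether a site has disabled both features, then shows the header to add when it has not.  The sample responses are constructed, and the code assumes the policy arrives as a single header line (a server sending several would need them merged first).

```python
"""Check whether a site opts out of FLoC / Topics via Permissions-Policy.

Added example with constructed sample responses; not the code of any site,
browser or vendor mentioned on this page.
"""

# The two features a public-interest site would want to disable.
INTEREST_FEATURES = ("interest-cohort", "browsing-topics")

# Constructed sample HTTP response headers (header name -> value).
SAMPLE_RESPONSES = {
    "opted-out": {
        "Content-Type": "text/html",
        "Permissions-Policy": 'interest-cohort=(), browsing-topics=(), geolocation=(self "https://maps.example")',
    },
    "default": {"Content-Type": "text/html"},
    "self-only": {"Permissions-Policy": "browsing-topics=(self)"},
}


def parse_permissions_policy(value: str) -> dict[str, list[str]]:
    """Parse 'feature=(allowlist), feature=*' into {feature: [tokens]}.

    An empty allowlist, written as feature=(), means the feature is disabled
    for every origin including the site itself. Commas inside parentheses
    belong to the allowlist, so we only split on top-level commas.
    """
    entries, current, depth = [], [], 0
    for ch in value:
        if ch == "," and depth == 0:
            entries.append("".join(current))
            current = []
            continue
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
        current.append(ch)
    entries.append("".join(current))

    policies: dict[str, list[str]] = {}
    for entry in entries:
        entry = entry.strip()
        if not entry or "=" not in entry:
            continue
        name, _, allow = entry.partition("=")
        allow = allow.strip()
        if allow.startswith("(") and allow.endswith(")"):
            tokens = allow[1:-1].split()
        else:
            tokens = [allow]  # shorthand forms such as feature=* or feature=self
        policies[name.strip().lower()] = tokens
    return policies


def interest_features_disabled(headers: dict[str, str]) -> dict[str, bool]:
    """True per feature only when it is present with an empty allowlist."""
    value = next((v for k, v in headers.items() if k.lower() == "permissions-policy"), "")
    policy = parse_permissions_policy(value)
    return {feature: policy.get(feature) == [] for feature in INTEREST_FEATURES}


def opt_out_header(existing: str = "") -> str:
    """Return a Permissions-Policy value that disables both features while
    keeping whatever other directives the site already sends."""
    policy = parse_permissions_policy(existing)
    for feature in INTEREST_FEATURES:
        policy[feature] = []
    return ", ".join(f"{name}=({' '.join(tokens)})" for name, tokens in policy.items())


if __name__ == "__main__":
    for label, headers in SAMPLE_RESPONSES.items():
        status = interest_features_disabled(headers)
        print(f"{label}: {status}")
        if not all(status.values()):
            print("  add header -> Permissions-Policy:",
                  opt_out_header(headers.get("Permissions-Policy", "")))
```

Against the constructed samples, only the first response is fully opted out; the `browsing-topics=(self)` case still allows the site's own origin, so it is reported as not disabled. To check a live site the same parser can be fed the output of a HEAD request (for example the `Permissions-Policy` line from `curl -sI`), and the generated value is what goes into the server or CDN configuration.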

FLoC is a perfect example of why the law needs to change to keep up with tech: FLoC still allowed individuated targeting, if not identification of users to the advertiser.  Topics will do the same.  That’s why the current review of the Australian Privacy Act and the definition of ‘personal information’ is so important – we need a law which reflects the role of online identifiers in the AdTech ecosystem, and respects the wishes of the 89% of Australians who believe that the information used to track us online should be protected under the Privacy Act.

Otherwise, in the words of the 80’s band which I now think of as FLoC of Seagulls, we might find that while we can run, we just can’t get away from surveillance-based online targeting:

And I ran, I ran so far away
I just ran, I ran all night and day…
I couldn’t get away


Photo by Glen Carrie on Unsplash

Big Tech, Individuation, and why Privacy must become the Law of Everything


Anorexia.  Violent extremism.  Holocaust denial.  Anti-vaccine conspiracy theories.  Gambling addiction.  Hate speech.  False claims about stolen elections.  Genocide.

You might not think of these as privacy harms, but they have one thing in common: they have all been promoted or fuelled by the manipulation and abuse of our personal information.

We are currently witnessing a profound fracturing of societies and communities, driven by the hyper-personalisation of content consumed in the digital environment.  This is squarely a privacy concern, for two reasons.

First, because it is the sucking up of our data in privacy-invasive ways which creates digital platforms’ power.

Second, because the power of those platforms is then used to target us individually: to segment us, manipulate us, and shape our experience of the world through filter bubbles built by algorithms fed on our data.

The end result of all the filter bubbles and echo chambers and dark patterns and ‘emotional contagion’ and misinformation and disinformation and manipulation of news feeds is that instead of being enriched, our world actually becomes smaller, our choices more limited.  The products we are offered, the prices we pay, the job ads we see, the news stories we read, the ‘truth’ we are told: all of this becomes decided for us by machines built not to serve us, but to deliver profits to Big Tech’s owners.  And the more divisive and outrageous the content, the higher the ‘engagement’, and the more astronomical the profits.

That algorithmic narrowing and manipulation of our choices ultimately affects our autonomy, and our dignity.  Yet that is what privacy law is supposed to protect: our autonomy, which is our ability to make choices for ourselves.

Much has been said in recent years about the role of Big Tech in political polarisation, the spread of misinformation, the lessening of trust in both experts and traditional institutions and the consequent weakening of democratic governments.  But not many mainstream commentators identify the root cause of these problems as invasions of privacy.  (In the documentary The Social Dilemma, privacy doesn’t even rate a mention until near the end.)

Sure, privacy advocates, regulators and academics have been saying it.  As NZ Privacy Commissioner, John Edwards passionately warned of the need for regulation to address the power asymmetry of Big Tech.  And as Chair of the consumer protection and competition regulator, the ACCC, Rod Sims called out how the privacy issues raised by Google and Facebook can’t be divorced from issues of market power.  But privacy law has not stopped them.

With the benefit of largely untrammelled intrusive data collection and profiling practices, online behavioural advertising has become online behavioural engineering: manipulation and behaviour modification on steroids.

Social media and digital platforms have become addictive and toxic because of the data that is harvested from us.  Our personal information has not just been monetised, it has been weaponised, against us.  ‘Personalised experiences’ have become echo chambers and filter bubbles, in which political divides become entrenched, hatred builds and misinformation and disinformation about everything from vaccines to elections thrive.  Waleed Aly has compared the power of Google with the power of a nation state like China, and says “Imagine a foreign nation with the power to manipulate our individual psychology. Imagine us handing them such power over the critical infrastructure of our democracy. To be fair, we didn’t knowingly hand it to the tech giants either. They seized it when we weren’t looking, algorithm by algorithm.”

The result is a roll-call of human misery.

Pharmaceutical companies side-stepping consumer protection laws to bombard users with ads for addictive opioids based on their Google search terms.

Instagram damaging teenage girls’ health, with an algorithm which “led children from very innocuous topics like healthy recipes … all the way to anorexia-promoting content over a very short period of time”.

Betting companies grooming suicidal gambling addicts.

Facebook allowing advertisers to target – and exclude – people on the basis of their ‘racial affinity’, amongst other social, demographic and religious characteristics.

Facebook facilitating targeted crypto scams.

YouTube allowing misinformation about covid, disinformation about elections, and the amplification of hate speech.

Facebook promoting to advertisers their ability to target psychologically vulnerable teenagers.

Facebook knowingly radicalising users by recommending groups like QAnon.

Inciting the riot in Washington DC.

Fomenting ethnic violence in Ethiopia.

Inciting genocide in Myanmar.

Yet from the digital platforms to the advertisers and companies which benefit, organisations engaging in intrusive online tracking, profiling and targeting have largely been able to side-step privacy regulation, often by claiming that the data they are using is not identifiable, thus not ‘personal information’ regulated by privacy laws.  This ignores the underlying objective of privacy laws which is to prevent privacy harms, in favour of semantic arguments about what is ‘identifiable’.

Some of those companies might say that they are protecting your privacy because they do something fancy like hash (scramble) your email address before sharing and matching up your data, but let’s call that for what it is: bullshit.

So maybe your ‘real’ email address is never shared out in the open, but the fact is that if data about your online habits is being tracked, and shared between unrelated companies on the basis of your email address, and then used to profile you and then treat you differently (for example, show you different products or prices), or to reach you with micro-targeted ads or personalised content or messaging – your personal information is being shared without your consent, and your privacy is being invaded.

Let’s look at Facebook, for example.  Advertisers provide details about their customers to Facebook, using a hashed version of their customers’ email address.  Facebook can then target ads to precisely those people, having matched the hashed email addresses from the advertiser to the hashed email addresses it already holds about Facebook users.  But because neither company is sharing ‘identifiable’ data (i.e. ‘raw’ or unhashed email addresses), the chief privacy officer at Facebook claims that they can serve ads “based on your identity… but that doesn’t mean you’re ‘identifiable’”.

In other words: data which Facebook and other industry players describe as not identifiable, and thus not regulated by privacy laws, is being used to match up customer records from different devices and different apps, and share user attributes between different companies, without your consent.

Another example can be found in the data broking industry.  Data broker LiveRamp, formerly known as Acxiom, says they draw data from multiple publishers, sites, devices and platforms (aka “gain second-party segments or third-party data”), build customer profiles and then target ads to around 7 million Australians online.  Their website states that “LiveRamp removes directly identifiable personal information and replaces it with pseudonymised record keys during our matching process. This means you can use data with confidence”.  (A previous version of their website I saw described this as ‘anonymization’, but it has since been revised to label this as ‘pseudonymisation’.)

But as Justin Sherman wrote recently in Wired, the carefully deployed language around de-identification is a furphy: “that data brokers claim that their ‘anonymized’ data is risk-free is absurd: Their entire business model and marketing pitch rests on the premise that they can intimately and highly selectively track, understand, and microtarget individual people”.

This semantic misdirection about data not being ‘directly identifiable’ is happening not only in the United States where the narrower phrase ‘PII’ is used instead of ‘personal information’.  Australian industry analysts have written about how entirely unrelated companies are now matching their own sets of customer data, in order to target individual consumers – such as personally targeted ads for Menulog shown on smart TVs during breaks in Channel 7 content, using hashed email addresses via data broker LiveRamp.

So while individual identities are hidden during the matching process, the end result is still that Company A can find out new information about their customers, and/or individually target people who are not their customers but who have ‘lookalike’ characteristics, using data collected about those individuals by Companies B, C and D.  Using various methods, the data collected about you while you are using your banking app can now be matched with the data collected about you when you look up flight prices while logged into your frequent flyer account, and then matched to the data collected about you when you watch streaming TV, including whether or not you instantly respond to the fast food ad you saw on TV.  Did you consent to all of that?
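The hashed-email matching described above, as an added example that is not code from the post or from any company it names: two constructed customer lists are joined on an unkeyed hash of the address, and the same join is then attempted with each party keeping its own HMAC secret. All names, addresses and secrets are invented.

```python
"""Added example, not code from the post or from any of the companies it names:
why hashing (scrambling) an email address before sharing it does not make the
data anonymous. Two unrelated companies each apply the same unkeyed hash to
their customer lists, as ad-matching pipelines commonly do. Because the hash
is deterministic, the lists join on it and behavioural attributes flow from
one company to the other without a raw address ever being exchanged. A keyed
hash (HMAC) under a secret that is not shared breaks the join, which shows the
scheme's privacy rests on whether the matching key is shared, not on hashing.
"""
import hashlib
import hmac

# Constructed sample data; every name and address is invented.
COMPANY_A = [   # an advertiser's customer list
    {"email": "Alice@Example.com", "segment": "frequent-flyer"},
    {"email": "bob@example.com",   "segment": "new-customer"},
    {"email": "carol@example.com", "segment": "lapsed"},
]
COMPANY_B = [   # a platform's user list with behavioural data
    {"email": "alice@example.com ", "interests": ["travel", "fitness"]},
    {"email": "dave@example.com",   "interests": ["gambling"]},
    {"email": "CAROL@example.com",  "interests": ["fast-food"]},
]


def normalise(email):
    """Matching pipelines normalise case and whitespace first, so cosmetic
    differences between the two lists do not defeat the join."""
    return email.strip().lower()


def plain_hash(email):
    """Unkeyed SHA-256: the same address yields the same token for everyone."""
    return hashlib.sha256(normalise(email).encode()).hexdigest()


def keyed_hash(email, secret):
    """HMAC-SHA256 under an organisation's own secret."""
    return hmac.new(secret, normalise(email).encode(), hashlib.sha256).hexdigest()


def match(list_a, list_b, token_a, token_b):
    """Join A's records to B's on token(email). Returns {token: merged record}.
    No raw address crosses between the parties, yet every matched person is
    singled out and B's attributes are now attached to A's customer."""
    index_b = {token_b(r["email"]): r for r in list_b}
    matched = {}
    for rec in list_a:
        token = token_a(rec["email"])
        if token in index_b:
            matched[token] = {"segment": rec["segment"],
                              "interests": index_b[token]["interests"]}
    return matched


def unkeyed_matches():
    """Both sides use the same unkeyed hash: the join succeeds."""
    return match(COMPANY_A, COMPANY_B, plain_hash, plain_hash)


def keyed_matches():
    """Each side keeps its own secret: identical addresses yield different tokens."""
    secret_a = b"company-a-secret"   # constructed; use a random key in practice
    secret_b = b"company-b-secret"
    return match(COMPANY_A, COMPANY_B,
                 lambda e: keyed_hash(e, secret_a),
                 lambda e: keyed_hash(e, secret_b))


if __name__ == "__main__":
    for token, rec in unkeyed_matches().items():
        print(token[:12], rec)                  # two people linked across companies
    print("keyed matches:", keyed_matches())    # {}
```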

This is precisely the kind of unfair and invasive online tracking, profiling and microtargeting, for differential treatment, of individuals across the web that the community expects to be within scope of the Privacy Act for regulation.

Yet marketeers describe this as ‘privacy compliant’, because they use pseudonyms instead of real names or email addresses to facilitate their data matching and build out their customer profiles before they target you.  What a joke.

The question is, what is the government going to do, to stop this Big Tech racket?  Because clearly the market incentive is to keep exploiting our personal information until the law stops it.

We need law reform, to ensure that these data practices are firmly within scope of privacy regulation.  No more ‘we don’t share your PII’ semantic trickery.

We need to start by updating the current law’s flawed and outdated premise that privacy harms can only be done to ‘identified’ individuals, and that therefore only ‘identifiable’ data needs the protection of the law.

To ensure that the Australian Privacy Act is capable of protecting against digital harms, as is expected by the community, and is the stated objective of the current legislative review by the Australian Government, the definition of personal information requires reform to indisputably cover the individuation, as well as identification, of individuals.

Individuation means you can disambiguate a person in the crowd.  In the digital world, this means the ability to discern or recognise an individual as distinct from others, in order to profile, contact, or target them and subject them to differential treatment – without needing to know their identity.  This might take the form of a decision to show someone a certain ad or exclude them from seeing a particular offer, display a different price, make a different offer, or show them different information.  The result might be as benign as the act of showing a profiled customer an ad for sneakers instead of yoga gear, but it could also be a decision to target vulnerable individuals with ads for harmful products, misinformation, or extremist content.

As Sven Bluemmel, the Victorian Information Commissioner, put it recently:  “I can exploit you if I know your fears, your likely political leanings, your cohort.  I don’t need to know exactly who you are; I just need to know that you have a group of attributes that is particularly receptive to whatever I’m selling or whatever outrage I want to foment amongst people.  I don’t need to know your name. … I just need a series of attributes that allows me to exploit you”.

Privacy schemes elsewhere in the world are already broadening out the notion of ‘identifiability’ (or even abandoning it altogether) as the threshold element of their definitions, such as the California Consumer Privacy Act (CCPA) 2018, and the 2019 international standard in Privacy Information Management, ISO 27701.  Each has either explicitly expanded on the meaning of identifiability, or has introduced alternatives to identifiability as a threshold element of their definitions.

For example the CCPA includes, within its definition of personal information, data which is “capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household”, without first needing to pass an identifiability test.  This theme is further fleshed out within the definition of ‘unique identifier’, which means “a persistent identifier that can be used to recognize a consumer, a family, or a device that is linked to a consumer or family, over time and across different services, including, but not limited to, a device identifier”.

Last year the US Uniform Law Commission voted to approve the Uniform Personal Data Protection Act, a model bill designed to provide a template for uniform state privacy legislation.  The model Bill defines personal data to include data “without a direct identifier that can be reasonably linked to a data subject’s identity or is maintained to allow individualized communication with, or treatment of, the data subject”.

Another example is the New York State Privacy Bill 2021, which clearly intends to include, within the scope of what is ‘identifiable’ for the purposes of its definition of personal data, both tracked online behaviour (such as browser searches and an individual’s “interaction with an internet website, mobile application, or advertisement”), as well as geolocation data, and any inferences drawn from that information.

Plus of course the GDPR’s definition of ‘personal data’ includes online identifiers and the notion of ‘singling out’.  The Austrian DPA recently ruled that IP addresses (as collected via Google Analytics) constitute personal data, because they allow an entity to ‘single out’ a data subject within the meaning of recital 26 of the GDPR.  Further, the DPA found that an actual identification is not necessary, and that there is no requirement that all the information enabling the identification of the data subject must be in the hands of one entity.

Are we on the cusp of change here in Australia too?

The Australian Government has proposed, in the Discussion Paper on the review of the Privacy Act, that the definition of ‘personal information’ should be reformed to include “a non-exhaustive list of the types of information capable of being covered by the definition of personal information”.  The examples given include location data, online identifiers and “one or more factors specific to the physical, physiological, genetic, mental, behavioural (including predictions of behaviours or preferences), economic, cultural or social identity or characteristics of that person”.

Importantly, the Discussion Paper says that the definition would therefore cover “circumstances in which an individual is distinguished from others or has a profile associated with a pseudonym or identifier, despite not being named”.

Now some, including the Big Tech and marketing industry players, will argue that they don’t want the Privacy Act reformed, lest it become the ‘law of everything’.  But I believe we should take an expansive view of privacy, and a root-cause look at privacy-related harms.

As a threshold definition, ‘personal information’ simply creates the boundaries of the playing field.  Other parts of the law – the privacy principles – do the heavy lifting when it comes time to set the rules of play, deciding which data practices are fair, and which should be prohibited.  But if much of the data which fuels the digital economy isn’t even considered to be part of the game, how can we ever agree on the rules?

We need the Privacy Act to explicitly include, within its scope for regulation, information which can be used to individuate and potentially harm people, even if they cannot be identified from the information in a traditional sense.

In my view privacy law must become ‘the law of everything’, because in the digital economy, data about people is everything.

Photograph © Shutterstock

OAIC determinations shed light on when data is regulated as ‘personal information’


Recent caselaw demonstrates that privacy laws reach further than some organisations might expect.

Introduction: the identifiability test

Most information privacy and data protection laws around the world have as their starting point some notion of identifiability.  Legal obligations will typically only apply to data that relates to an ‘identifiable’ person.

For example, Australian privacy laws create privacy principles, which apply only to data which meets the definition of “personal information”.  The Australian Privacy Act defines this as: “information or an opinion about an identified individual, or an individual who is reasonably identifiable”.

The point of this legal definition is that if no individual is identifiable from a set of data, then the privacy principles – the backbone of an organisation’s legal obligations – simply won’t apply.  If no individual can be identified from a dataset, then the dataset can be safely released as open data; matched or shared with or sold to other organisations; or used for a new purpose such as data analytics, without breaching privacy law.

Or so the theory goes.

In reality, determining whether or not an individual might be considered in law to be ‘identifiable’ is not straightforward.  The scope of what is included within the notion of identifiability may surprise many organisations.

Recent cases have tested the limits

The Office of the Australian Information Commissioner (OAIC) has made a series of determinations which have shed light on the extent to which privacy laws cover data which – at face value – may not appear to be identifiable of any individual.

The recent cases which touch on the definition of ‘personal information’ are the 7-Eleven case, the Clearview AI case, and the Australian Federal Police (AFP) case.

All three cases involved the use of facial recognition technology, but the issues raised in relation to the scope of privacy laws are applicable to many other types of data and data use practices, including online behavioural advertising, customer profiling and targeted marketing.

The 7-Eleven case

In June 2020, the 7-Eleven chain of convenience stores began using a new customer feedback survey system in 700 stores across Australia.  Each store had a tablet device which enabled customers to complete a voluntary survey about their experience in the store.  Each tablet had a built-in camera that took images of the customer’s face as they completed the survey.

Those facial images were stored on the tablet for around 20 seconds, before being uploaded to a server in the cloud.  A third party service provider converted each facial image to a ‘faceprint’, which is an encrypted algorithmic representation of the face. The faceprint was used to detect if the same person was leaving multiple survey responses within a 20 hour period on the same tablet; if multiple responses were detected, they were excluded from the survey results.

In other words, 7-Eleven was using a facial recognition technology on its customers, to prevent its employees gaming a customer satisfaction survey by leaving multiple positive survey responses about their own performance.  At least 1.6 million survey responses were completed.

The OAIC found that 7-Eleven had breached Australian Privacy Principle (‘APP’) 3.3 by collecting ‘sensitive information’ (namely, biometric templates) unnecessarily and without consent, and APP 5 by failing to provide proper notice about that collection.

One of the arguments raised by 7-Eleven was that the information at issue did not constitute ‘personal information’ for the purposes of the Privacy Act.

The Clearview AI case

Clearview AI provides a facial recognition search tool which allows registered users to upload a digital image of an individual’s face and then run a search against the company’s database of more than 3 billion images.  The database of images was created by Clearview collecting images of individuals’ faces from web pages including social media sites.  The search tool then displays likely matches and provides the associated source information to the user.  The user can then click on the links to the source material, to potentially enable identification of the individual.

From October 2019 to March 2020, Clearview offered free trials of its search tool to the AFP, as well as to the police services of Victoria, Queensland and South Australia.  Members from each of these police services used the search tool on a free trial basis, uploading images of people to test the effectiveness of the tool.  Uploaded images, known as ‘probe images’, included photographs of both suspects and victims in active investigations, including children.

The OAIC found that Clearview had breached APPs 1.2, 3.3, 3.5, 5 and 10.2.  One of the arguments raised by Clearview was that the information at issue did not constitute ‘personal information’ for the purposes of the Privacy Act.

The AFP case

Officers from the AFP used the Clearview search tool on a free trial basis.  Those officers did so without entering into any formal arrangements with Clearview, and the Clearview search tool was not subject to the AFP’s normal procurement or due diligence processes.  The OAIC found that the AFP had breached APP 1.2, as well as a separate requirement under a Code issued specifically for Australian government agencies, which mandates the conduct of a Privacy Impact Assessment prior to commencing any high privacy risk activities.  While it does not appear that the AFP argued otherwise, the OAIC canvassed whether the data at issue was ‘personal information’ for the purposes of the Privacy Act.

The arguments about identifiability and ‘personal information’

7-Eleven had argued that the facial images and faceprints it collected were not ‘personal information’ because they were not used to identify any individual.

However the OAIC found that even though individuals could not necessarily “be identified from the specific information being handled”, the information was still ‘reasonably identifiable’ – and thus within the scope of ‘personal information’ – because the faceprints were used “as an ‘identifier’” which “enabled an individual depicted in a faceprint to be distinguished from other individuals whose faceprints were held on the Server”.

Similarly, Clearview argued that ‘vectors’ could not constitute ‘personal information’.  From the three billion raw images scraped from the web, Clearview retained metadata about the source of each raw image, and a vector for each raw image: a digital representation generated from the raw image, against which users could compare a new vector (i.e. a new digital file created by running the tool’s facial recognition algorithm over an uploaded probe image), in order to find a potential match.  Clearview argued that the vector and metadata held in their database neither showed an individual’s face, nor named or otherwise directly identified any individual.  They claimed that their tool merely distinguished images, and did not ‘identify’ individuals.  (Any image ‘matches’ would simply present a link to the URL for the source of the original raw image.)

However the OAIC disagreed.  First, the OAIC noted that the definition in the Privacy Act does not require an identity to be ascertained from the information alone, thanks to an amendment to the definition in 2014.

Second, the OAIC noted that because “an individual … is uniquely distinguishable from all other individuals in the respondent’s database”, it was irrelevant that the respondent did not retain the original image from which the vector was generated, nor any identity-related information about the individual.

The OAIC thus determined that both the raw image and the vector generated from it constituted ‘personal information’ for the purposes of the Privacy Act.

In the AFP case, the OAIC reiterated that being able to distinguish an individual from the group will render an individual ‘identified’ in privacy law.
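To make the reasoning concrete, here is an added example (not code from the OAIC determinations or from 7-Eleven's system) that models the survey de-duplication described in the 7-Eleven case: responses carry a tablet id, a timestamp and a faceprint, and a response is excluded when a matching faceprint was already accepted on the same tablet within the previous 20 hours. The faceprints are short constructed vectors and the 0.95 similarity threshold is an assumption; the point is that the code holds no name or image, yet works only by distinguishing one individual from every other.

```python
"""Added example, not code from the OAIC determination or from 7-Eleven: a
minimal model of the survey de-duplication the 7-Eleven case describes,
showing why a faceprint is 'personal information' even though it names no one.

Each survey response carries a tablet id, a timestamp and a faceprint (here a
short constructed vector; real biometric templates are far larger). A response
is excluded when a faceprint within the match threshold was already accepted
on the same tablet in the previous 20 hours. No name, image or identity is
held, yet the logic works only because it distinguishes one individual from
every other, which is exactly the OAIC's reasoning.
"""
import math

MATCH_THRESHOLD = 0.95       # assumed: cosine similarity at/above which two faceprints match
WINDOW_SECONDS = 20 * 3600   # the 20-hour window described in the determination


def cosine(u, v):
    """Cosine similarity between two equal-length vectors."""
    dot = sum(a * b for a, b in zip(u, v))
    norm_u = math.sqrt(sum(a * a for a in u))
    norm_v = math.sqrt(sum(b * b for b in v))
    return dot / (norm_u * norm_v)


def same_person(fp_a, fp_b):
    """True when two faceprints are close enough to be treated as one individual."""
    return cosine(fp_a, fp_b) >= MATCH_THRESHOLD


def find_repeat_responses(responses):
    """responses: dicts with 'id', 'tablet', 'ts' (unix seconds) and 'faceprint'.
    Returns ids of responses excluded as repeats, in submission order.
    Only accepted responses are kept for comparison, so the window is anchored
    to a person's first accepted response on that tablet (a design choice here)."""
    accepted = {}   # tablet id -> list of (ts, faceprint) still inside the window
    excluded = []
    for r in sorted(responses, key=lambda x: x["ts"]):
        history = accepted.setdefault(r["tablet"], [])
        history[:] = [(ts, fp) for ts, fp in history
                      if r["ts"] - ts <= WINDOW_SECONDS]
        if any(same_person(fp, r["faceprint"]) for _, fp in history):
            excluded.append(r["id"])
        else:
            history.append((r["ts"], r["faceprint"]))
    return excluded


# Constructed sample data. PERSON_1 appears four times; the second capture is
# the same face under slightly different conditions.
PERSON_1 = [0.9, 0.1, 0.3, 0.2]
PERSON_1_AGAIN = [0.88, 0.12, 0.31, 0.19]
PERSON_2 = [0.1, 0.9, 0.2, 0.3]
HOUR = 3600
SAMPLE_RESPONSES = [
    {"id": "r1", "tablet": "T1", "ts": 0 * HOUR,  "faceprint": PERSON_1},
    {"id": "r2", "tablet": "T1", "ts": 1 * HOUR,  "faceprint": PERSON_1_AGAIN},  # repeat within 20h
    {"id": "r3", "tablet": "T1", "ts": 2 * HOUR,  "faceprint": PERSON_2},        # different person
    {"id": "r4", "tablet": "T2", "ts": 2 * HOUR,  "faceprint": PERSON_1},        # different tablet
    {"id": "r5", "tablet": "T1", "ts": 25 * HOUR, "faceprint": PERSON_1},        # outside the window
]

if __name__ == "__main__":
    print("excluded as repeats:", find_repeat_responses(SAMPLE_RESPONSES))   # ['r2']
```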

Lesson 1: identifiability is not to be considered in a vacuum

The Australian definition of personal information is broader in its scope than the American phrase beloved by information technology professionals and vendors: PII or ‘personally identifying information’.  The American / IT industry test asks whether someone can be identified from this piece of information alone.  By contrast, the Australian legal test asks whether someone can be identified from this piece of information alone, or once it is combined with other available information.

In the Clearview case, the OAIC stated: “An individual will be ‘reasonably’ identifiable where the process or steps for that individual to be identifiable are reasonable to achieve. The context in which the data is held or released, and the availability of other datasets or resources to attempt a linkage, are key in determining whether an individual is reasonably identifiable”.

This formulation is not novel.  In guidance published in 2017, the OAIC explained that an individual can be ‘identifiable’ “where the information is able to be linked with other information that could ultimately identify the individual”.

The identifiability test therefore depends on considering not only the particular information at issue, but also any other information that is known or available to the recipient, and the practicability of using that other information to identify an individual.  Who will hold and have access to the information is therefore a relevant consideration when assessing whether an individual will be ‘reasonably identifiable’.

Lesson 2: an individual can be identifiable without learning their identity

The second lesson is that ‘identifiability’ in law does not necessarily require that a person’s name or legal identity can be established from the information.  Instead, it implies uniqueness in a dataset.  This is similar to the GDPR’s notion of ‘singling out’.

Again, since 2017, the OAIC has maintained that: “Generally speaking, an individual is ‘identified’ when, within a group of persons, he or she is ‘distinguished’ from all other members of a group.”

What is novel about the 7-Eleven case is that the OAIC has now applied that reasoning to data from which there is slim to no chance of re-constructing a person’s name or legal identity, such as vectors generated from faceprints, but which is nonetheless useful for separating one individual from another and subjecting them to different treatment.

In other contexts, the OAIC has noted that it is not only identifiers like biometric vectors which can ‘reasonably identify’ someone; browser or search history are two examples of behavioural or pattern data which could lead to an individual being rendered unique in a dataset.

Conclusion: the implications

While significant, these cases demonstrate a line of reasoning which is entirely consistent with what the OAIC has been saying for many years, since the definition of personal information was updated in 2014.

The Australian legal test for what constitutes ‘personal information’ – and thus what is within scope for regulation under privacy law – includes two elements which may surprise many organisations handling data:

  • the data is not to be considered in a vacuum, and
  • data can be identifiable without revealing identity: being able to distinguish an individual from the group will render an individual ‘identified’ for the purposes of privacy law.

While not surprising for those who follow OAIC guidance closely, the implications of these cases are far reaching.  The logical conclusion is that Australian privacy laws, like the data protection laws of the European Union, extend to data which can be used to disambiguate customers or other individuals and subject them to differential treatment, even in online environments where organisations may not have the facility to trace back to find out the individual’s legal identity.

Regulated entities will face a legal compliance risk if they do not appreciate the breadth of data which is covered by their obligations under the Privacy Act. In particular, organisations should be wary of technology vendors, supplying products used in applications from customer profiling and targeted marketing to security and identity authentication, who may be pitching their products as ‘compliant’ or ‘privacy protective’ on the basis that no-one is identifiable from that data alone.

The correct legal test in Australia suggests that data which can be linked to other data sources, such that an individual can be distinguished from the group and then treated differently, will constitute ‘personal information’, and restrictions on the collection, use or disclosure of that data will apply accordingly.

Want more caselaw insights? 

For Privacy Awareness Week 2022, Salinger Privacy will host a free webinar on 4 May, offering more lessons from recent privacy cases, including:

  • The role of PIAs in privacy risk management
  • How to get your collection, consent and transparency practices right, and
  • Managing risks including from ‘shadow IT’ and contracting out. 

Register here.

An earlier version of this article was first published in LSJ Online.

Photograph © Shutterstock

Would you like fries with that? A quick guide to notice and consent in privacy law


When consumer advocacy body CHOICE last month went public with its investigation into the use of facial recognition by major Australian retailers, the public reaction was swift – and negative. No surprise, given we already knew that the majority of Australians are uncomfortable with the collection of their biometric information to shop in a retail store.

Much of the online chatter, the media coverage and the defensive comms swirled around in circles, sometimes getting lost in the minutiae of topics like the size of the font on the signage at stores, or how long images of customers are held for, or who is recognisable from the images, or arguing about whether customers ‘consent’ by walking into a store, or going through privacy policies with a fine-toothed comb. Another common angle of exploration was facial recognition technology itself, including its questionable accuracy and potential discriminatory impacts.

The OAIC has since launched an investigation into the use of facial recognition technology by Bunnings and Kmart. (By comparison, by pausing its use of the tech in response to the CHOICE investigation, third retailer The Good Guys seems to have turned down the regulatory heat, and has thus far avoided a formal investigation.)

But it’s not only facial recognition technology which might create privacy concerns for customers. Nor are these data management issues and PR headaches limited to the retail sector. I see similar concerns raised in discussions about other forms of data collection and use, such as customer profiling, online tracking and marketing. So there are lessons to be learned for all types of organisations, collecting all sorts of personal information.

In particular, this incident has highlighted a lot of confusion about the rules when collecting personal information, and the roles of notice and consent, including what is needed when, under Australian privacy law.

Happily we don’t need to wait for the OAIC to conclude its investigation, before we can clear up some of that confusion. We already have the Privacy Act 1988, existing OAIC publications and formal determinations to guide us.

So here’s your quick and dirty, 8-point cheat sheet guide to collecting personal information under the Privacy Act.

1. The act of creating new data, such as by drawing inferences, generating insights or producing biometric vectors, is a fresh ‘collection’, which must comply with the Collection principles

Let’s start by looking at what constitutes a ‘collection’ of personal information, for the purposes of compliance with the Collection principles, which are found in Australian Privacy Principles (APPs) 3 to 5 in the Privacy Act.

Collection isn’t just about when you ask customers to fill out a form. The ‘creation’ of new personal information, such as by way of combining data or inferring information from existing data, will also constitute a ‘collection’ for the purposes of the APPs.

For example in the Uber case, the OAIC stated that “The concept of ‘collection’ applies broadly, and includes gathering, acquiring or obtaining personal information from any source and by any means”, such as via online cookies.

And in the Clearview case, the OAIC found that the vectors used for its facial recognition technology, which were generated from images drawn from photographs scraped from the web, were also ‘collected’, noting that “‘collects’ includes collection by ‘creation’ which may occur when information is created with reference to, or generated from, other information”.

2. You will be ‘collecting’ personal information even if it is only transient

The act of taking a photo of a customer, to be used to generate a faceprint, is a ‘collection’ of personal information, no matter how ephemeral that image is, and even if the image is not going to be stored.

In the 7-Eleven case, the OAIC found that even a transient collection, such as images which were stored on a tablet for around 20 seconds before being uploaded to a server in the cloud, will constitute a ‘collection’ for the purposes of the APPs.

So Electronic Frontiers Australia’s Chair Justin Warren was spot on when he compared the use of facial recognition on retail customers to taking a fingerprint of every customer as they enter the store and checking it against a file of previous fingerprints: “The fact they then throw away that piece of paper isn’t the problem, it’s that they took the customer’s fingerprints in the first place”.

3. All collection must be reasonably necessary, and proportionate to a legitimate business objective

The collection of any type of personal information, no matter how benign, must be reasonably necessary for a legitimate purpose. From the 7-Eleven case we know that under APP 3, collecting personal information because it will be “helpful, desirable or convenient” is not enough; your collection of personal information must be “reasonably necessary” for one of your organisation’s “functions or activities”.

The OAIC has formulated this test as involving consideration as to whether the impact on individuals’ privacy is “proportionate to a legitimate aim sought”. In the case of 7-Eleven, while the OAIC noted that “implementing systems to understand and improve customers’ in-store experience” was a legitimate aim of the business, the collection of biometric templates was not a proportionate way to achieve that aim, and thus was in breach of APP 3.

Plus, all collection of personal information must also be by lawful and fair means (APP 3.5), and collected directly from the individual unless an exception applies (APP 3.6).

4. All collection requires a collection notice to be provided that is specific to that collection

APP 5 requires organisations to take reasonable steps to notify people about the collection of their personal information – the who, what, when, where, how and why. That notice must be provided at or before the time of the collection.

Not to be confused with your Privacy Policy (which talks in general terms about the whole organisation), a collection notice must be specific to the personal information being collected at that point. Privacy regulators stress the need to keep notices concise and in plain language, while also offering enough detail about how you propose to collect, use or disclose the individual’s personal information.

The objective of a collection notice is to prevent anyone getting a nasty surprise later; and it can enable the individual to make an informed choice about whether to provide you with their information (if they even have that much choice).

But remember that a collection notice is not a free pass to collect anything you like. You can still only collect personal information if your reason for asking for the personal information is reasonably necessary – see point #3 above.

Another tip: make sure you don’t confuse collection notices with consent forms. Collection notices are a one-way form of communication. The person does not need to indicate their agreement; they are simply being put ‘on notice’.

5. A Privacy Policy is not a collection notice

The obligation to have a Privacy Policy comes from APP 1. It’s a separate requirement to your APP 5 collection notices.

As described by the OAIC, a Privacy Policy is simply “a transparency mechanism”, which “must include information about an entity’s personal information handling practices including how an individual may complain and how any complaints will be dealt with”.

So your Privacy Policy is not magic. It cannot authorise your organisation to do anything that the APPs don’t already allow you to do.

6. Some acts of collection (or use, or disclosure) also require the prior consent of the individual, unless a public interest exception applies

Asking for a person’s consent is a separate process to either providing a collection notice or publishing a Privacy Policy.

Importantly, you don’t need consent for everything! Seeking consent is only necessary when the APPs say that you need a person’s consent, in order to lawfully collect, use or disclose their personal information.

This is most commonly when you are either:
• collecting information about a person’s health or disability, unless that information is necessary to provide a health service to the individual, or
• collecting other types of ‘sensitive information’ about a person, such as biometrics (hello, facial recognition tech), genetic information, or information about the person’s ethnicity, sexuality, criminal record, religion, religious or philosophical or political beliefs, or membership of a trade union, political association or professional association, or
• proposing to use or disclose personal information for a purpose unrelated to the primary purpose for which you collected it, or
• disclosing personal information overseas
… and no exemption applies.

So check the APPs to find out whether or not any particular activity (whether a collection, use or disclosure of personal information) first requires the person’s consent, in order to be lawfully authorised.

But heads up: a valid consent is hard to get.

7. If you do need consent to authorise your conduct, that consent will only be valid if it is voluntary, informed, specific, current, and given by a person with capacity

The OAIC has said that in order to be valid, a consent must be voluntary, informed, specific, current, and given by a person with the capacity to consent.

I like to describe consent as the ‘Would you like fries with that?’ question. The question must be very specific about what is being proposed, the question must be asked about only one thing at a time, the default position must be ‘no’, and the customer must be completely free to say either yes or no to the fries, and still get their burger.

So notice alone typically does not allow you to infer consent. (For anyone who still thinks that posting a notice outside a store is the same as getting consent from customers who enter the store, please consider this: if providing a notice was enough to infer consent, the Privacy Act would not need to require both.)

‘Opt out’ is not consent either; the OAIC has made clear that an individual’s silence cannot be confidently taken as an indication of consent.

8. Consent cannot be obtained by making your customers ‘agree’ to your Privacy Policy, a collection notice, or your Terms and Conditions

In the Flight Centre case, the OAIC noted that a Privacy Policy is not a tool for obtaining consent. Making your customers ‘agree’ to your Privacy Policy, or to a collection notice, or to Ts&Cs, before they can access a service, download an app, enter a store or buy a product removes the voluntary aspect needed to gain a valid consent.

So, if you want to collect (including create) personal information from or about your customers, make sure that you:
• can demonstrate that your collection is reasonably necessary, for a legitimate aim, and proportionate to that aim (APPs 3.1 to 3.3)
• only use lawful and fair means (APP 3.5)
• collect information directly from each customer unless you are authorised otherwise (APP 3.6)
• provide a collection notice to every customer (APP 5), and
• publish a Privacy Policy, such as on your website (APP 1).

Plus, if the personal information you are collecting / creating is ‘sensitive information’, you will also require each customer’s consent, unless an exemption applies.

Easy, right? Now we’ve got that sorted, you can go and enjoy your fries. Or not. It’s completely up to you.

Want hands-on training about this topic? Join our small group workshop in October: Privacy Notice and Consent: How to get it right.

Or grab our Template Collection Notices and Consent Forms in one of our Compliance Kits.

Want more caselaw insights? Watch our video here.

Photograph © Mitchell Luo on Unsplash

The seven habits of effective Privacy Impact Assessments


There is something magical about the number seven.  The seven deadly sins, the seven dwarfs, the seven year itch, those plucky child detectives who formed the Secret Seven, and the barn-raising dance number from Seven Brides for Seven Brothers.  Plus of course, the seven habits of highly effective people.

Here’s our own set of seven.  They might not be magical, but hopefully they are practical.  In addition to the PIA tools we have available via our Compliance Kits, these are our seven tips on how to make sure that a Privacy Impact Assessment is effective.

Do more than a legal compliance check

Despite the definition of PIAs from the Privacy Act making clear that they are about measuring and mitigating “the impact that the activity or function might have on the privacy of individuals”, many PIAs are conducted as if they are simply a compliance check against statutory privacy principles.  They test that the organisation commissioning or conducting the activity will comply with the law, without ever asking what impact the activity will have on individuals.

An example of how looking for privacy impacts is broader than simply reviewing compliance with data privacy laws is in relation to body scanning technology.  When first trialled at airports in the wake of the 11 September 2001 terrorist attacks, full body scanners offered screening officials a real-time image of what a passenger looks like naked.  Despite the image not being visible to anyone else, the image not being recorded, and no other ‘personal information’ being collected by the technology (and thus the technology posed no difficulties complying with the Privacy Act), the visceral reaction by the public against the invasion of their privacy was immediate.  As a result, the technology was re-configured to instead show screening officers a generic outline of a human body, with heat maps showing where on any given passenger’s body the security staff should pat down or examine for items of concern.

Review the ecosystem, rather than elements in isolation

PIAs which focus on one element of a project or program, rather than the whole ecosystem, will often miss the point.  A PIA should examine not just a piece of tech in isolation, but the design of the entire ecosystem in which the tech is supposed to work, including legal protections, transparency and messaging, which together add up to how well users understand how the technology works.  How well users understand how a system or product works makes a difference to their level of trust, because they can make more informed decisions for themselves.

An example is the PIA of the COVIDSafe app, which did not examine compliance, or risks posed, by the State and Territory health departments which would actually be accessing and using the identifiable data collected by the app.  Each of those health departments was covered by a different part of the patchwork of privacy laws in Australia (and in the case of SA and WA, no privacy laws).  The scope of the PIA was limited to the federal Department of Health’s compliance with the federal Privacy Act.  The PIA Report’s authors called out this limitation in their report, along with the lack of time available to consult with either State and Territory privacy regulators, civil society representatives or other experts.  Despite this, the PIA was reported in the media as giving ‘the privacy tick’ to the app.

Test for necessity, legitimacy and proportionality

A PIA should not only be about assessing one potential vector for privacy harm such as the compromise of personal information.

The OAIC has made clear that a PIA should assess:

  • whether the objective of an activity is a legitimate objective,
  • whether or not the proposal (in terms of how it will handle personal information) is necessary to achieve that objective, and
  • whether or not any negative impacts on individuals are proportionate to the benefits or achievement of the objective.

In particular, a PIA should identify “potential alternatives for achieving the goals of the project”, which could be less privacy-invasive.

The OAIC’s determination against 7-Eleven offers a good example.  While finding that the company’s objective of “understanding customers’ in-store experience” was legitimate, the covert collection of biometrics to achieve that objective was neither necessary nor proportionate to the benefits.  (The store had implemented facial recognition technology without notice or consent to test who was answering its in-store customer satisfaction surveys.)

In the Clearview AI case, the OAIC further established that the tests of “necessity, legitimacy and proportionality” are to be determined with reference to “any public interest benefits” of the technology; the commercial interests of the entity are irrelevant.

Test the tech

Again the PIA of the COVIDSafe app is a prime example.  This PIA turned out not to be a review of the app at all.  The reviewers could not test the app’s functionality, let alone test whether assertions made about the data flows were correct.  The terms of reference for the PIA were simply whether the Department of Health could lawfully participate in the proposed data flows.

This is related to the failure to test for proportionality.  A proper assessment of privacy impacts on individuals should involve balancing benefits against risks.  If a PIA cannot test whether the benefits will actually or even likely be achieved, no judgment can be made about whether or not the privacy risks will be outweighed by the benefits.  Had the PIA reviewers been able to test the functionality of the app, and had they therefore been able to determine – as later became apparent – that the app did not work on iPhones and had other technical problems as well, then a judgment could have been made much sooner that the benefits did not outweigh the risks to privacy (let alone the financial costs of the project) at all.

Consider customer expectations and the role of social licence in gaining trust

Public trust is not as simple as asking: “Do you trust this organisation / brand?”  It’s about asking: “Do you trust this particular way your data is going to be used for this particular purpose, can you see that it will deliver benefits (whether those benefits are personally for you or for others), and are you comfortable that those benefits outweigh the risks for you?”

When you realise that this more complex set of questions is the thinking behind consumer sentiment, you can see how important it is to assess each different data use proposal on a case-by-case basis, because the nature of the proposal, and the context it is in, will make each value proposition unique.  That means the balancing act between benefits and risks from a privacy point of view needs to be done fresh for every different project.

Utilise multiple mitigation levers

Levers to address privacy risks can include:

  • technology design
  • technology configuration (i.e. choosing which settings to use when implementing off-the-shelf tech)
  • legislation
  • policy (including policy, procedures, protocols, standards, rules etc)
  • governance
  • public communications
  • user guidance, and
  • staff training.

Comparing two different COVID-related apps offers a good example of how different levers may be pulled to mitigate similar privacy risks.  The development of the federal government’s COVIDSafe app was rightly lauded for including strong, bespoke legal privacy protections (such as to prevent use for law enforcement purposes) developed very early on, yet the app itself had design flaws which could leak data to bad actors.  By contrast, the NSW government’s ‘Covid Safe Check-in’ app did not have specific legal protections until months after its launch, but it had more protections baked into the app’s design: it put the user in complete control of when the app was used, compared with the COVIDSafe ‘always on’ design.

Follow the recommendations

This should go without saying, but simply conducting a PIA is not enough.  Unless findings and recommendations to mitigate privacy risks are followed, a PIA will be nothing more than a smokescreen, offering a veneer of respectability to a project.

In particular, a PIA may result in a recommendation to significantly alter the course of a project.  Project teams need to be prepared for this possibility.  Make sure your project teams allow enough time to absorb recommendations from a PIA, and even pivot, pause or scrap the project if it becomes necessary.

So there you have it: our seven tips for making your PIAs effective.  It’s not magic, just logic.

With easy-to-use templates + Salinger Privacy know-how via checklists and more, we can help you steer your PIA in the right direction.  Take a look at our complete range of Compliance Kits to see which suits you best.

Photograph © Shutterstock
