The Privacy Act review could shake up Australia’s value-based approach to privacy

When you look around the world, Australia stands out as somewhat unique when it comes to privacy. Why? Unlike most “western” democracies, it lacks a federal recognition of the right to privacy.

And while there are some protections at the state level, the fact that there isn’t an explicit right to privacy has let the Australian government run loose with an economic value-based calculation anywhere privacy is concerned. This is the same determination that the authors of the Privacy Act made back in the day—they asked what the economic burden of taking privacy into consideration should be, which resulted in the Privacy Act not applying to entities with an annual turnover of less than $3 million dollars. It’s the same reason that the Australian Bureau of Statistics went into a lengthy consultation process this year to see if they could use privately held datasets (such as electricity household usage) to supplement census data because “it creates direct value for the economy.”

The same reasoning of value and utility of individuals’ data brought us the Data and Availability and Transparency Bill, which is flawed in many ways and shouldn’t proceed until a new Privacy Act is in place. (We said as much in our submission to the consultation if you’re interested!)

This needs to change. Government bodies can’t barter people’s personal information away on their behalf because of economic pursuits. So, as a part of reviewing the privacy ecosystem in Australia, we’ve asked the government to enshrine in law a federal level right to privacy. In line with Article 12 of the United Nations (UN) Universal Declaration of Human Rights to which the Australian government is a signatory: “No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks.”

Updating the Privacy Act can give Australians the ability to control how their information is used and shared, and empower them to take action when their privacy or personal information is violated. At the moment, internationally, we are falling behind in addressing the privacy (but also broader societal and economic) harms caused by the business models of digital platforms and services, public and private alike. It’s time for the government to ensure meaningful protections and actionable rights for individuals!

A rights-based approach to privacy and data protection already exists in places like the United States, United Kingdom, and across the European Union’s (EU) 27 member states, and ultimately it’s critical for us to follow-suit if we want to remain relevant in the digital economy. Not to get too meta here, but business will suffer if we can’t reach international agreements because the Australians don’t enjoy the same rights as their key trading partners. How’s that for a much better value-based argument?

While we recognize that a copy and paste of the EU’s General Data Protection Regulation (GDPR) is not the best fitting solution, we do encourage the consideration of the rights guaranteed to individuals under the GDPR, many of which should form a fundamental part of a truly modernized Privacy Act. Chapter 3 of the GDPR entitled “rights of the data subject” ensures that there are clear and actionable rights for individuals.

What does that look like for individuals? Take a look at this snapshot from our friends at Access Now who put together a guidebook on how individuals can exercise their rights!

Imagine if the next time a government service issued some arbitrary decision, as the Centrelink robodebt program did for hundreds of thousands (!!!) Australians, we actually had a right to understand the decision-making process, a right to access our data and rectify any wrong information… How differently would government and private companies think about the way they treat our private information?

The recommendations from our submission to the consultation, are as follows:

  • Redefine the scope and reach of the Privacy Act. 
  • Update the definition of personal information.
  • Adopt a rights-based approach. 
  • Introduce a statutory tort for invasions of privacy.
  • Don’t use consent as a scape-goat to weak protections of personal information.
  • Abolish exemptions, namely the exemption for political messaging.
  • Introduce a stronger definition of ‘de-identified’ data.

The time has come for Australia to recognise that privacy is a human right and not a bartering chip of the economy. Given the ubiquity of digital services in our lives and the amount of data collection it all entails, Australians must be equipped with meaningful protections and actionable rights going forward. The alternative is positively dystopian.

That said, this is just the start of a long review process! So make sure you are subscribed to updates from us to follow what happens next in this review, and we will let you know when you can take action and have your say.

Image Credit: Rune Fisker 2017