Australian Privacy Policy 2024: Where are we going, and how far can PETs get us? ��Sydney Privacy Workshop 2024��Kimberlee Weatherall��Professor of Law, The University of Sydney��Chief Investigator, ARC Centre of Excellence for Automated Decision-Making and Society
�
Australian Privacy Act 1988 (Cth) basics
Personal Information
Collected / used / held by an “APP Entity” – private and public sector
Australian Privacy Principles cover collection, use, holding
Enforcement against breach of principles, and data breaches
ie
IF you have personal information,
AND it is collected/disclosed/held by a covered entity,
THEN the APPs apply,
AND regulator can (in theory) enforce the law
�
Australian Privacy Act 1988 (Cth) basics
Personal Information
Collected / used / held by an “APP Entity” – private and public sector
Australian Privacy Principles cover collection, use, holding
Enforcement against breach of principles, and data breaches
Personal information means information or an opinion about an identified individual, or an individual who is reasonably identifiable:
(a) Whether the information or opinion is true or not; and
(b) Whether the information or opinion is recorded in a material form or not.
BIG exclusion: employee records
�
Australian Privacy Act 1988 (Cth) basics
Personal Information
Collected / used / held by an “APP Entity” – private and public sector
Australian Privacy Principles cover collection, use, holding
Enforcement against breach of principles, and data breaches
BIG exclusions/limits:
�
Australian Privacy Act 1988 (Cth) basics
Personal Information
Collected / used / held by an “APP Entity” – private and public sector
Australian Privacy Principles cover collection, use, holding
Enforcement against breach of principles, and data breaches
13 Australian Privacy Principles. Covering rules about:
�
Australian Privacy Act 1988 (Cth) basics
Personal Information
Collected / used / held by an “APP Entity” – private and public sector
Australian Privacy Principles cover collection, use, holding
Enforcement against breach of principles, and data breaches
Individuals have only a right to complain to the Office of the Australian Information Commissioner (OAIC). No right to bring a lawsuit (class action lawsuits against, eg, the Optus data breach are being brought under other laws)
Data breaches must be notified, but no remedial obligations
�
Australia’s glacial moves towards information privacy reform
2019 Digital Platforms Inquiry Final Report (ACCC)
October 2020
Privacy Act Review Issues Paper
2019 Government response to Digital Platforms Inquiry commits to review of Privacy Act
Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 (framework for social media platform privacy code)
October 2021 Privacy Act Review Discussion Paper (Attorney-General’s Dept) (116 proposals, with multiple subparts)
September 2023
Government Response to the Privacy Act Review Report
February 2023�Privacy Act Review Report (Attorney-General’s Dept)
2024
? Draft legislation to implement agreed reforms
? Consultations on ‘agreed in principle’ reforms
? Anti-doxing rules (post 12 Feb doxing incident)
�
Privacy Reform: Government Plans
ADM+S Template 2021
Of the 116 proposals from 2021, the Government has:
“Agreement in principle” is “subject to further engagement with regulated entities” to “explore whether and how they could be implemented”, and “a comprehensive impact analysis [conducted in consultation with Treasury] to ensure the right balance can be struck between privacy benefits for Australians and other impacts on regulated entities.”
�
Some key coming reforms* ����*maybe; many still subject to consultation
�
Some more relevant coming reforms*����*maybe; many �still subject to consultation
�
�Respecting, or protecting privacy is not just about removing names, or preventing disclosure, or ensuring names can’t be reattached. �
�
�
A Challenge
Super-cool privacy-enhancing tech (differential privacy; federated learning; synthetic data generation etc etc etc) can still facilitate super-creepy, privacy-invasive conduct. Still will need to ask yourselves, “is it ok to do this analysis, about [these] people, for [this] purpose?”
Many people are working very hard to find ways to protect data, to process it, to extract insights from that data in ways that better ensure it doesn’t ‘leak’.
But collecting loads of specific, highly personal information about people in order to draw insights about those people and people like them where those insights will be used to make decisions about, or seek to influence those people and people like them is still invasive and an exercise of power, even if it’s happening only on the device; even if humans don’t see it.
Over time, some of it could be brought within the Act (eg, requirement for fair and reasonable processing, of information connected to a unique identifier) by interpretation, by focusing on the moment of collection BEFORE treatment, by guidelines, or …. Other laws will be used (AI regulation; consumer protection; …)
�
A Challenge
Super-cool privacy-enhancing tech (differential privacy; federated learning; synthetic data generation etc etc etc) can still facilitate super-creepy, privacy-invasive conduct. Still will need to ask yourselves, “is it ok to do this analysis, about [these] people, for [this] purpose?”
Many people are working very hard to find ways to protect data, to process it, to extract insights from that data in ways that better ensure it doesn’t ‘leak’.
But collecting loads of specific, highly personal information about people in order to draw insights about those people and people like them where those insights will be used to make decisions about, or seek to influence those people and people like them is still invasive and an exercise of power, even if it’s happening only on the device; even if humans don’t see it.
Over time, some of it could be brought within the Act (eg, requirement for fair and reasonable processing, of information connected to a unique identifier) by interpretation, by focusing on the moment of collection BEFORE treatment, by guidelines, or …. Other laws will be used (AI regulation; consumer protection; …)
�
THANKS
ADM+S
Contact for more information
Kimberlee Weatherall
kimberlee.weatherall@sydney.edu.au
These slides are licensed under a Creative Commons Non-Commercial Licence (v 4.0 International). Terms here: https://creativecommons.org/licenses/by-nc/4.0/.
�