1 of 15

Australian Privacy Policy 2024: Where are we going, and how far can PETs get us? ��Sydney Privacy Workshop 2024Kimberlee Weatherall�Professor of Law, The University of Sydney�Chief Investigator, ARC Centre of Excellence for Automated Decision-Making and Society

2 of 15

Australian Privacy Act 1988 (Cth) basics

Personal Information

Collected / used / held by an “APP Entity” – private and public sector

Australian Privacy Principles cover collection, use, holding

Enforcement against breach of principles, and data breaches

ie

IF you have personal information,

AND it is collected/disclosed/held by a covered entity,

THEN the APPs apply,

AND regulator can (in theory) enforce the law

3 of 15

Australian Privacy Act 1988 (Cth) basics

Personal Information

Collected / used / held by an “APP Entity” – private and public sector

Australian Privacy Principles cover collection, use, holding

Enforcement against breach of principles, and data breaches

Personal information means information or an opinion about an identified individual, or an individual who is reasonably identifiable:

(a) Whether the information or opinion is true or not; and

(b) Whether the information or opinion is recorded in a material form or not.

BIG exclusion: employee records

4 of 15

Australian Privacy Act 1988 (Cth) basics

Personal Information

Collected / used / held by an “APP Entity” – private and public sector

Australian Privacy Principles cover collection, use, holding

Enforcement against breach of principles, and data breaches

BIG exclusions/limits:

  • Not individuals (individuals not in business are not bound by the Act)
  • Small business exemption: businesses with turnover < $3M, unless they are a health service provider, trade in personal information, do credit reporting, operate a residential tenancy database (and other specific cases). This exemption covers some 95% of Australian businesses.
  • Political parties exemption
  • Journalism exemption

5 of 15

Australian Privacy Act 1988 (Cth) basics

Personal Information

Collected / used / held by an “APP Entity” – private and public sector

Australian Privacy Principles cover collection, use, holding

Enforcement against breach of principles, and data breaches

13 Australian Privacy Principles. Covering rules about:

  • Having a published privacy policy
  • Collection must be by lawful and fair means, and ‘reasonably necessary for, or directly related to, one or more of the entity’s functions or activities’. Sensitive information can only be collected with consent
  • Use for a secondary purpose only with consent, unless it would be ‘reasonably expected’ and is related (or for sensitive information, directly related) to the primary purpose of collection
  • Quality: reasonable steps to ensure data is accurate, up-to-date and complete
  • Security: reasonable steps to ensure data is protected from misuse, interference, unauthorised access; destruction/de-identification when no longer needed
  • Rights of access and correction

6 of 15

Australian Privacy Act 1988 (Cth) basics

Personal Information

Collected / used / held by an “APP Entity” – private and public sector

Australian Privacy Principles cover collection, use, holding

Enforcement against breach of principles, and data breaches

Individuals have only a right to complain to the Office of the Australian Information Commissioner (OAIC). No right to bring a lawsuit (class action lawsuits against, eg, the Optus data breach are being brought under other laws)

Data breaches must be notified, but no remedial obligations

7 of 15

Australia’s glacial moves towards information privacy reform

2019 Digital Platforms Inquiry Final Report (ACCC)

October 2020

Privacy Act Review Issues Paper

2019 Government response to Digital Platforms Inquiry commits to review of Privacy Act

Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 (framework for social media platform privacy code)

October 2021 Privacy Act Review Discussion Paper (Attorney-General’s Dept) (116 proposals, with multiple subparts)

September 2023

Government Response to the Privacy Act Review Report

February 2023�Privacy Act Review Report (Attorney-General’s Dept)

2024

? Draft legislation to implement agreed reforms

? Consultations on ‘agreed in principle’ reforms

? Anti-doxing rules (post 12 Feb doxing incident)

8 of 15

Privacy Reform: Government Plans

ADM+S Template 2021

Of the 116 proposals from 2021, the Government has:

  • Agreed to 38
  • ”Agreed in Principle” to 68
  • “Noted” (ie rejected) 10

“Agreement in principle” is “subject to further engagement with regulated entities” to “explore whether and how they could be implemented”, and “a comprehensive impact analysis [conducted in consultation with Treasury] to ensure the right balance can be struck between privacy benefits for Australians and other impacts on regulated entities.”

9 of 15

Some key coming reforms* ����*maybe; many still subject to consultation

  1. Further definition of “personal information”, to clearly include (for example) unique identifiers. Response expresses the view that if information can be used to ‘single out’ an individual from all others, even if they are not identified by name, it is personal information. Unclear whether that will become black letter law.
  2. Clarifying that inferences drawn about people count
  3. A definition for consent to clarify it must be voluntary, informed, specific, current, and unambiguous
  4. A new fair and reasonable’ requirement for the collection, use and disclosure of personal information
  5. Mandatory Privacy Impact Assessment for high-risk activities
  6. Baseline security requirements
  7. Removal of the small business exemption (after consultation, only once government support is in place, with some kind of transition period.)
  8. Some kind of individual right of action (qualified though)
  9. Expanding research exceptions

10 of 15

Some more relevant coming reforms*����*maybe; many �still subject to consultation

  1. Further definition of “personal information”, to clearly include (for example) unique identifiers; information can be used to ‘single out’ an individual from all others, even if they are not identified by name, it is personal information. Unclear whether that will become black letter law. (Will still talk about people being “reasonably” identifiable…)

  • Clarifying that inferences drawn about people count as personal information

  • Geo-location tracking could become ‘sensitive’

  • A new fair and reasonable’ requirement for the collection, use and disclosure of personal information

  • ”noted” (rejected) idea of protections for de-identified data

  • Targeting required to be fair and reasonable in the circumstances; prohibit targeting based on sensitive information

  • Criminal offence for ‘malicious’ re-identification of de-identified information where there is an intention to harm another or obtain an illegitimate benefit

  • Limits on how long you keep data

11 of 15

Respecting, or protecting privacy is not just about removing names, or preventing disclosure, or ensuring names can’t be reattached. �

12 of 15

13 of 15

A Challenge

Super-cool privacy-enhancing tech (differential privacy; federated learning; synthetic data generation etc etc etc) can still facilitate super-creepy, privacy-invasive conduct. Still will need to ask yourselves, “is it ok to do this analysis, about [these] people, for [this] purpose?”

Many people are working very hard to find ways to protect data, to process it, to extract insights from that data in ways that better ensure it doesn’t ‘leak’.

But collecting loads of specific, highly personal information about people in order to draw insights about those people and people like them where those insights will be used to make decisions about, or seek to influence those people and people like them is still invasive and an exercise of power, even if it’s happening only on the device; even if humans don’t see it.

Over time, some of it could be brought within the Act (eg, requirement for fair and reasonable processing, of information connected to a unique identifier) by interpretation, by focusing on the moment of collection BEFORE treatment, by guidelines, or …. Other laws will be used (AI regulation; consumer protection; …)

14 of 15

A Challenge

Super-cool privacy-enhancing tech (differential privacy; federated learning; synthetic data generation etc etc etc) can still facilitate super-creepy, privacy-invasive conduct. Still will need to ask yourselves, “is it ok to do this analysis, about [these] people, for [this] purpose?”

Many people are working very hard to find ways to protect data, to process it, to extract insights from that data in ways that better ensure it doesn’t ‘leak’.

But collecting loads of specific, highly personal information about people in order to draw insights about those people and people like them where those insights will be used to make decisions about, or seek to influence those people and people like them is still invasive and an exercise of power, even if it’s happening only on the device; even if humans don’t see it.

Over time, some of it could be brought within the Act (eg, requirement for fair and reasonable processing, of information connected to a unique identifier) by interpretation, by focusing on the moment of collection BEFORE treatment, by guidelines, or …. Other laws will be used (AI regulation; consumer protection; …)

15 of 15

THANKS

ADM+S

Contact for more information

Kimberlee Weatherall

kimberlee.weatherall@sydney.edu.au

www.adms.com.au

These slides are licensed under a Creative Commons Non-Commercial Licence (v 4.0 International). Terms here: https://creativecommons.org/licenses/by-nc/4.0/.