Australia’s rebrand on privacy
If you read our newsletter or check the website you may have noticed that the Australian government is doing everything they can to rebrand as the world’s leading tech regulator. In the past few years we have been under a deluge of new laws, directives, industry codes… and yet none of them have fundamentally altered the way we interact with the digital ecosystem around us. Could the ongoing Privacy Act review finally shake up the system? And why do we also need an Online Privacy Bill?
All excellent questions. So, let’s go over how this all stacks up together… It’s simpler than it looks!
A little bit about the Online Privacy Bill
The OP Bill is described by the government as addressing the “unique and pressing privacy challenges posed by social media and online platforms”. It is intended to introduce an online privacy code (aka a loose set of rules) for online platforms, and increase penalties and enforcement measures. This is happening in parallel to the Privacy Act review because it is intended to:
a) deal with social media exclusively and,
b) protect the children, exclusively.
we are concerned that by setting up a separate process for a specific age group and a special type of online service, Australians are once again going to end up with a fragmented system that creates a regulatory headache with little to no real world impact for individual’s rights.
While digital platforms do require updated privacy protections that are fit for purpose for our interconnected world, we are concerned that by setting up a separate process for a specific age group and a special type of online service, Australians are once again going to end up with a fragmented system that creates a regulatory headache with little to no real world impact for individual’s rights.
Importantly, the proposals in the Privacy Act Review would be applicable to all regulated entities and protective of all individuals. By contrast, the OP Bill places emphasis on one sector, and one group of individuals (children). By pursuing both simultaneously, there is risk of creating a two-tiered privacy regulatory system, in which some organisations are covered by the OP Code and some are covered by the Privacy Act. Phew.
At the moment it’s being presented as a complementary legislative instrument to the Privacy Act review, a sort of baseline or a prequel to what’s to come. If that’s the case then we might all end up a little disappointed because core failures of the Privacy Act, including the loose definition of ‘personal information’ hadn’t been fixed in the draft bill. And that’s a big issue that needs fixing―social media companies and data brokers benefit from being able to consider their activities as falling outside the scope of the Privacy Act, thanks to that very narrow definition.
The Privacy Act is overdue for a facelift
If you have felt up the creek without a paddle when it comes to your right to privacy in Australia, it might just be because Australia has not formally recognized that right.* Sure there are some privacy principles in place, but there is no enforceable right protecting privacy. In places like the European Union, they even have a separate right to data protection which is actually the reason the Europeans have a data protection law these days.
*We know you have―we read the frustrated emails.
Recognising the right to privacy at the federal level in Australia is the most critical next step if we want meaningful protections in the digital age. Enshrining a right to privacy in Australia would create a rights-based relationship with the way Australians’ data and privacy is treated online, as opposed to an economic or value-driven model which has been the case so far.* While amendments to the Privacy Act will play a key role in improving the protections against arbitrary infringements upon Australians’ privacy, without a right to privacy the impact of the reforms made to the Privacy Act will remain limited.
*The emphasis on Consumer Data Rights (CDR) in Australia is evidence of this as it poses us as consumers rather than individuals with inalienable rights. The value-driven calculation of privacy infringement vs economic benefit fundamentally shifts when we consider adopting a rights-based system.
Another component that has been discussed as a part of the Privacy Act review is the right to legal action. Judging by the emails we get in the DRW inbox, the lack of options available to Australians when their privacy is violated is a big deal. While we’ve suggested that a direct right of action be included in the Privacy Act itself, another mechanism would be to set up a statutory tort for violations of privacy.
This would be a welcome improvement, although it would only be a partial substitute for implementing the right to privacy as a stand alone right, without the need to meet the requirements of the tort. At DRW we take the view that in order for privacy protections to be meaningful in Australia, there is need for all three of these changes: a federal right to privacy, reform to the Privacy Act, and a statutory tort for serious invasions of privacy.
That’s a lot, right? The Privacy Act review is still underway so if you want to be involved throughout the process make sure you sign up to our newsletter (which is monthly with an occasional extra email) or follow us on Twitter or Instagram to stay in the loop!