Additional Comments from the Australian Greens

1.1 The Australian Greens believe that privacy should be recognised as a fundamental human right in the objects of the Privacy Act, and further codified in an eventual Human Rights Act. As technology becomes ever more important for everyday life it is essential that people’s privacy is enhanced so that corporations cannot rapaciously consume individual and communities’ private lives.

1.2 This report makes a number of recommendations that deal with issues raised about the drafting of the bill. These amendments are reasonable and supported by the evidence received. In particular, the recommendations extending the consultation period and requiring consultation with a wide range of stakeholders for the children’s privacy code are strongly supported.

1.3 Serious concerns have been raised about the proposed doxxing offence, including the fact that the offence as drafted does not require intention, could cover the narrow sharing of publicly available information like the email address of a politician and the fact there is no exemption for industrial disputes or other political purposes. We agree with stakeholders including the Queensland Council of Civil Liberties and Digital Rights Watch who contend that this offence should be removed from the bill and pursued as standalone legislation.

1.4 Likewise, valid concerns were raised about the drafting of the tort of privacy and how this would work in practice. A careful review of the submissions, especially from legal groups, is warranted by the Attorney-General to ensure the tort delivers on the Australian Law Reform Commission’s longstanding recommendations.

1.5 Unfortunately, the recommendations of this inquiry fail to grapple with the substantive concerns raised by the submissions and evidence in the inquiry including:

1. The lack of a roadmap for comprehensive privacy reform

2. The need to urgently address the outdated definition of ‘personal information’

3. The failure to implement a ‘fair and reasonable’ test relating to data, and

4. The continued fiction regarding ‘consent’ in a digital context.

1.6 The absence of any of these substantive fixes to our broken privacy laws was explained by a departmental official in the following exchange. After being asked why at least the extension of the definition of personal information was not put in the bill, she replied:

Ms Fitch: As I said, the first tranche that's represented in the current bill is largely things that don't directly and significantly impact on regulated entities. I'd draw attention to increased powers for the Office of the Australian Information Commissioner, emergency declarations et cetera.

Senator SHOEBRIDGE: That's a pretty extraordinary proposition to say—that the reason we've got what we've got in this bill is that you don't want anything to impact on regulated entities. That's a pretty extraordinary position for the government to adopt if this is the only meaningful privacy reform. You'll do everything except for anything that impacts on a regulated entity. That surely hasn't been your ambition, has it? 'Don't do anything that actually changes anything'?

Ms Fitch: No, not at all. But what I would say is that the government has made clear that it does seek to do another tranche of reform and, in certain cases, that requires further consultation on the detail of draft proposals.

Senator SHOEBRIDGE: But I didn't mishear you. You've said that you want to make sure that there's nothing in this package of reforms that's going to impact on a regulated entity.

1.7 The Australian Greens believe that, because of this decision by the government to not ‘significantly impact on regulated entities’, this bill is a serious missed opportunity. We believe that addressing these key issues is urgent and necessary and will consider them in turn.

1. The lack of a roadmap for comprehensive privacy reform

1.8 Almost every submission received by the inquiry noted the uncertainty regarding the overall plan for privacy reform and the need for a publicly stated roadmap from the government for what changes should be expected and when. The lack of this is causing significant uncertainty for businesses and for communities. There was a strong consensus that this roadmap should be provided with this bill and the comprehensive laws tabled as soon as possible, but not less than six months after the next election.

1.9 The Australian Human Rights Commission expressed this in its ‘Recommendation 1: The Federal Government set out a clear timeline for when each ‘agreed’ and ‘agreed in principle’ amendment will be introduced in future tranches’.

1.10 Three of the most substantive reforms with the broadest agreement are considered in detail below, but it is of note that a significant number of other critical reforms were proposed in the Privacy Act Review Report and were agreed or agreed-in-principle by the government before the last election. None of these should be lost. They include:

Concerns relating to the children’s privacy code raised including the fact that it doesn’t apply to data brokers and EdTech which we believe warrant action.

Future reform needs to also urgently address platforms that are ‘risky by design’ as was raised by the Alannah and Madeleine Foundation with algorithmic manipulation a particular concern.

Likewise, the Human Technology Institute and CHOICE recommended steps to ensure individuals had a right to request meaningful information about how substantially automated decisions with legal or other significant impacts on them are made.

The Human Technology Institute also raised the need to introduce a power for the Australian Privacy Commissioner to investigate complaints about serious invasions of privacy, and make appropriate declarations.

Electronic Frontiers Australia argued for the removal of exemptions for small business, political parties and employee records as per the recommendations of the Privacy Act Review. This was supported by CHOICE who also noted the failure of the laws to cover high risk small businesses like real estate agents as a particular concern.

In addition, submissions argued that reforms urgently need to address high-risk technologies, such as facial recognition technology, noting that this technology remains largely unregulated and has extremely serious human rights impacts.

2. The definition of ‘personal information’

1.11 It was a consistent and strong recommendation including from the Office of the Australian Information Commissioner and the Human Technology Institute that this bill, not some future reform, should expand the Privacy Act’s definition of ‘personal information’, as recommended by the Privacy Act Review Report.

1.12 The main issue here is that the definition of ‘personal information’ doesn’t include the kind of information online that we know is being commercialised and weaponized against people right now. This includes real time location data, browsing histories, and related technical and inferred information (such as IP addresses and device identifiers).

1.13 It is plainly obvious that the location of a person’s phone or tablet is personal information and yet the laws have not been updated to reflect this. The result is a significant number of predatory marketing and other practices have proliferated to take advantage of this information.

1.14 Other countries have already protected this information in their privacy laws; this is not hard. Multiple international examples are available that could be applied as tried and tested off-the-shelf solutions.

1.15 In Europe for example, the General Data Protection Regulation (GDPR) defines personal information as any information which is related to an identified or identifiable natural person. This includes any data through which people can be directly or indirectly identified, such as location data. Many businesses operating in Australia, who also operate in Europe, are already compliant with and knowledgeable of the GDPR requirements.

3. Fair and reasonable test

1.16 Many organisations recommended urgent implementation of a fairness obligation or a fair and reasonable test on the use of personal information. Such an obligation would mean organisations would have to handle personal information from collection through to use and disclosure in a manner that is transparent, reasonable, and in line with community expectations.

1.17 Such a change could be implemented as a straightforward amendment to the Privacy Act and given this test is in use in other jurisdictions, including shortly in Western Australia, it is considered by multiple stakeholders as very achievable. This test would also be a way of addressing the Privacy Act’s over-reliance on consent as the fair and reasonable test would apply to the use of data, sometimes in novel ways, well after consent was given.

4. Consent

1.18 Finally, it was broadly agreed that the issue of consent must be a priority area for privacy law reform. The current definition of consent in privacy laws is so simplistic as to be meaningless. As a demonstration of this it is worth noting consent is not dependent on understanding.

1.19 Evidence received from Consumer Policy Research Centre showed:

Australia's current privacy framework disproportionately places the burden on individuals to protect their safety online: Australians would need to spend an average of 30 minutes daily to fully adjust privacy settings on websites and apps rather than accept the company default. Australians need to spend an average of two minutes per website/app managing their privacy, versus our participant in Europe who just spent an average of 3.1 seconds per website/app. Reading privacy policies for daily used sites/apps would take an average of 14 hours. 45% of participants struggled to locate and adjust privacy settings.

1.20 The GDPR provides an existing and functional model for how to remedy this and an equivalent must be implemented here urgently. It can’t be that simply clicking ‘I agree’ to 10 pages of an indigestible corporate word salad is how we sign away our rights to privacy.

Senator David Shoebridge

Member