What Sezoo thinks of the Australian Privacy Review Report
In February 2023 the Australian Government published the Australian Privacy Review Report and asked for feedback on the report to be submitted on or before 31 March 2023 (https://www.ag.gov.au/rights-and-protections/publications/privacy-act-review-report) . In submitting our response to the Government, we selected the option to make our response public. It will be on the Government’s website in due course.
In the meantime, and for our own records, this is Sezoo’s feedback.
Contents:
Summary
The proposed changes to the Australian Privacy Act, as described in the Privacy Act Review Report, offer a mixed bag of improvements and efforts to signal action on current preoccupations and concerns.
While we believe there will be some benefits for some people if these proposals are implemented, the immediate beneficiaries will be the law firms providing advice on how to understand the changes and what this means for each organisation in terms of actions and compliance.
The many people impacted by the recent significant data breaches of Optus Medibank and Latitude might well ask what difference these proposals will likely make. Our opinion is that the proposals can make some positive difference, but on their own they are unlikely to satisfy the concerns of those that have been harmed in the past.
Our Approach to reviewing the report
In February of 2023, the Australian Government released a report describing proposed changes to the Privacy Act. Having founded Sezoo in Australia in 2021, and having made it our mission to “radically improve trust in digital interactions for the benefit of all”, this report is clearly of professional interest to us.
We focused our review using two questions:
- The outrageously optimistic: will this realise our Sezoo mission and make us redundant? Will these changes “radically improve trust in digital interactions for the benefit of all”, or at least radically improve privacy?
- The more reasonable: will these changes reduce the risk of data breaches such as Medibank, Optus and Latitude reoccurring?
And if our answer is ‘yes’ or ‘no’ to either question, why do we think this?
Background
These are the most recent of many changes proposed for, and enacted, on the Privacy Act since it first came into power in 1988.
[Critics that point to the date “1988” and exclaim that this proves the Act is not fit for current purposes seem to ignore two things: 1) The Act has been modified many times since 1988, it retains its origin date in its name by convention; 2) Whether or not the Act is impacted by current developments. The Act was originally conceived as a principles based approach (and still has some of that flavour), only in recent times have more prescriptive approaches been adopted. The passage of time and new technical and social developments do not automatically mean that it has gone past its use by date.]
Global and local events of recent times have increased the importance of these changes, most notably a global pandemic and the response taken by jurisdictions on personal freedoms and data acquisition justified by public safety, and the spate of significant data breaches and cyber attacks of which the “latest and greatest” known instances in March 2023 are Optus, Medibank and Latitude.
Rather than taking a narrow focus, and given our focus on “trust in digital interactions”, we think it is important to see this work in the context of other Australian initiatives such as the Consumer Data Right, Cyber Security Strategy, Assistance and Access Act, Critical Infrastructure, Trusted Digital Identity Framework etc.
We see initiatives organised into three themes:
- Consumer Data Right: Improving Market Performance (Competition, Efficiency)
- CyberSecurity: Improving Organisational and Infrastructure Security
- Privacy Act: Protecting Privacy and Rights
In addition to these local initiatives, there are impactful initiatives on the world-stage that inform and influence this recent proposed set of changes, two key examples are the European GDPR regulation and the Californian CCPA.
We chose to plot these initiatives and significant events into a timeline as shown below.
While this is an incomplete view, what should be immediately evident is that things have become a lot busier recently. Many of us are familiar with the phrase and concept that “we live in exponential times”, and it seems that legislation is, and will continue to be, as impacted by these times as the rest of our society and economy.
What creating this map also made evident to us is that there is a need to have each of the initiatives in these themes work in harmony with each other. It is all to easy for these initiatives to overlap and conflict with one another and for these conflicts to be used as an excuse for misinterpretation, cherry picking easier alternatives, and not being able to be compliant, this is a risk we present in the graphic below:
Unfortunately, we believe we can already see some of this entanglement in the different ways that privacy is addressed, for example in the CDR and the Privacy Act.
Our analysis of the report
The 320+ physical pages of the report contain an executive summary (pages 1-4), a list of the proposals (pages 5-16), three “Parts” addressing scope and application, protections, and regulation and enforcement (pages 17-304, the content of these parts provides the supporting argument for the proposals). These are followed by a description of the consultation process and its terms of reference (pages 305-313).
The list of proposals are collated into 28 themes. The themes that have received most attention by reviewers to date are those that impact the most organisations, namely the proposals that small businesses and employee records should be brought into the Act. The themes overall are as shown below (we’ve preserved the same numbering scheme as shown in the report):
General comments
- Australians need a broader legal framework for privacy rather than just a [Data] Privacy Act. Echoing a point made by Elizabeth de Renieris in her book “Beyond Data”, we should look to create a framework that doesn’t start and end with a focus on data but has a broader basis and one less vulnerable to technology developments and evasive implementations
- Notwithstanding this first comment, the Act has the wrong name: The Privacy Act could be called the Data Privacy Act since that is its focus. In fact, even this may be too generous. The Act, as it stands is really only a Personal Information Privacy Act, and even with that it offers no definition of Privacy, Information, nor of Data
- As it stands it is both too narrow and too broad.
- Too narrow: to be a Privacy Act, it needs to consider more than just data. Focusing on data only makes other considerations a stretch or completely absent. The absence of a legally recognised right to privacy for Australians makes the existing [Data] Privacy Act have no anchor.
- Too broad: proposing to address topics such as targeted advertising and content, automated decision making etc. into a privacy act blurs these issues. We might expect protagonists to argue that these are not privacy issues. That targeted advertising can be anonymous (they really don’t care who you are, just that they can sell the idea that you might buy product type ‘x’), likewise curating content only demands knowledge of what you *might* be interested in, or could be made interested in, not who you are etc. These issues cause harm and need to be considered separately, or a better, broader definition of the scope of this Act should be defined otherwise we risk protagonists arguing that these are not issues of privacy.
(Proposal Sections 19, 20)
Specific Comments
Question 1: “does this report make Sezoo redundant?”
Our answer is ‘no’.
OK so we may seem unlikely to say “yes” to this (although if we are true to our mission, we should be grateful if it is achieved). However privacy alone does not constitute or guarantee trust in digital interactions. Even a great Privacy Act on its own would not achieve the mission we have set ourselves of radically improving trust in digital interactions. As it is, this report and its proposed changes might create a better [data] Privacy Act and hence better conditions for online privacy, but that is all.
Question 2: “will these changes reduce the risk of data breaches?”
Our answer is ‘no’.
Here we are drawn to Section 21 in the List of Proposals, “Security Retention and Destruction”, and the 8 proposals it contains (21.1 – 21.8).
The question to ask of these 8 proposals is which, if any, would have made it clear to the breached organisations that they had to take specific measures which would have prevented the breach. Of these, proposals 21.6, 21.7 and 21.8 offer the most hope.
Frustratingly, 21.6 is a “should undertake a review…”, basically to look into the question we propose should have been addressed in this report.
21.7 is a self-asserted declaration (of retention period) by the organisation, and 21.8 that it must state this retention period in its privacy policy. It doesn’t seem to matter what period they decide upon, so long as they can argue that it is “reasonable” if forced to do so.
Unfortunately, as it stands, this set of proposals does not provide sufficient comfort that enacting these measures will encourage, enable or enforce commercial practices sufficiently to prevent another significant data breach (and nor do the other proposed changes).
We still have work to do.
About the Author
