Privacy – Australian law in international context
Graham Greenleaf, Professor of Law & Information Systems, UNSW
Legal Studies State Conference 2019, 29 March 2019

Overview
• Why is data privacy valuable?
• Who/what endangers privacy most?
• What global standards for data privacy exist?
• Main features of Australian privacy law
• Does Australian law meet global standards?
• Who can protect your privacy?
1. Why is data privacy valuable?
• ID theft: Without privacy you are exposed to identity theft
  • Very widespread; very damaging; very difficult to repair
• Biometric loss: Loss of control of biometric data (fingerprints etc.) is permanent
  • Biometrics are increasingly required for everyday security applications, which may cause ID theft damage to be permanent
• Marketing manipulated: Without privacy you are subject to commercial manipulation
  • It is now so complex it cannot be understood, and so subtle it is often not noticed
• Freedoms compromised: Without privacy, freedom of thought, belief and creativity is endangered
  • How can you be critical, or creative, if businesses and government are looking over your shoulder?

1. Why is data privacy valuable? (cont.)
• Democracy at risk: Without privacy, democracy is now at risk
  • Facebook/Cambridge Analytica shows that mass manipulation of politics, and even election results, is likely from privacy intrusions
  • If every branch of government can enforce the penalties of every other branch, you are powerless to resist oppression
• Living it down: Without privacy, you cannot live down things in your past you now regret
  • The ‘Right to be Forgotten’ (RTBF) is a newly re-discovered privacy principle
• AI threats: Without privacy, automated decision systems will subject us to built-in biases and unfair decisions
  • Artificial intelligence (AI) will otherwise not explain its decisions about us
• No need to justify: ‘What do you have to hide?’ is the wrong question
  • It wrongly puts the onus on you to justify wanting privacy. The onus should be the other way.
  • You should have a right to decide how information you disclose can be used (‘informational self-determination’), except where the public interest, or other people’s interests, take priority
2. Who/what endangers privacy most?
• Both the private sector and government
• Largest private sector threats are from global organisations, often located outside Australia
  • Facebook, Google, Amazon and Microsoft are the inventors of, and largest players in, ‘surveillance capitalism’
  • Many smaller local companies emulate or use their methods
• Public sector threats are mainly from our own governments, but some are from other countries
  • Home grown: RoboDebt injustice, MyHealthRecord, data spills
  • But foreign governments get our data through global cyber-espionage, and through ‘5-Eyes’ cooperation as well
• Two levels of solution are therefore needed: global and local
  • We need effective local remedies for small-scale problems
  • But Australia needs to participate in global solutions to privacy problems too large for any one country to solve

2. Who/what endangers privacy most? Private sector threats
Zuboff (2019, 600+ pgs)
• Best analysis known of how ‘surveillance capitalism’ actually works: complex and largely invisible capture and use of personal data and metadata (‘behavioural surplus’) to predict and control our actions.
• Origins with Google (2000), Facebook (2003), Amazon; now emulated (and purchased) widely.
• Argues it is a mutant strain of capitalism and neo-liberalism, dangerous to humanity.
• Worth searching for reviews for a summary – whatever you know, this will reveal more.

2. Who/what endangers privacy most? Public sector threats
• Snowden’s whistle-blowing on US global surveillance of private sector data traffic (2013) exposed threats to non-government data https://en.wikipedia.org/wiki/Edward_Snowden
• Australia is complicit through ‘5 Eyes’ sharing of intelligence with foreign governments https://en.wikipedia.org/wiki/Global_surveillance_disclosures_(2013-present)
• UN Special Rapporteur on the Right of Privacy is working on global answers to limit this https://www.ohchr.org/EN/Issues/Privacy/SR/Pages/SRPrivacyIndex.aspx
[Map: 134 countries with data privacy laws (to April 2019). Key: Comprehensive; Public only; Private only; Most Private; Bills]
[Map: Plus 27 countries with official Bills for new laws (to April 2019). Key: Comprehensive; Public only; Private only; Most Private; Bills]
3. What global standards for data privacy exist?
• 50 years of development of data privacy standards through (i) national laws and (ii) international agreements.
• National: Now 134 countries with data privacy laws (1st = Sweden 1973); 27 more countries have Bills
• International standards in 3 stages:
  • 1980-1995: Council of Europe data protection Convention 108 (1981) and OECD Guidelines (1980)
  • 1995-2016: European Union data protection Directive (1995, in force 1998); revised CoE Convention
  • 2016 – ??: EU General Data Protection Regulation (GDPR) (2016, in force 2018); modernised CoE Convention 108+

3. What global standards for data privacy exist? (cont.)
• Result: Since 1995, ‘European standards’ have gradually become the dominant data privacy standard
  • adopted to some extent by MOST of the 134 countries with laws
• There is still no ‘global privacy treaty’, but CoE Convention 108 now includes 54 countries as Parties and is expanding
• The USA is the most important country resisting EU-type standards; China is resisting less so; India? ‘wait & see’
• What is the current ‘global standard’? (on average)
  • It is almost everywhere stronger than the 1980 OECD Guidelines
  • It is getting closer to the 1995 EU Directive (more than 7/10);
  • It gets stronger with every new or revised law, due largely to GDPR influences.
4. Main features of Australian privacy law: four factors (I–IV) have inhibited developments
Factor I: Driven by politics, not human rights, for over 30 years
• No constitutional requirements for, or constraints on, legislation – very unusual
• Defeat of Hawke’s ‘Australia Card’ 1987 –> Privacy Act 1988 compromise with Tax File Number (TFN), but public sector only
• Credit reporting reforms (1992) were world-leading and largely survive
• Threats of State legislation –> 2001 expansion to parts of the private sector
• Political instability since 2007 –> defeat of Howard’s ‘Health & Welfare Access Card’; few of the ALRC-recommended reforms enacted; Privacy Act remains stuck in the 1990s
• Since 2013, new surveillance ‘anti-terrorist’ laws: data retention law (2015); anti-encryption law (2018)

4. Main features of Australian privacy law (cont.)
Factor II: Absence of the Courts
• No rights to take actions directly before the Courts
  • No constitutional right, or common law (tort) right, or modern ‘breach of confidence’ – unlike most other countries (incl. NZ, Canada, UK)
  • No statutory ‘serious infringement of privacy’ right of action, despite 4 law reform reports (note current ACCC draft recommendations)
  • No Privacy Act right of action except via complaint to the Privacy Commissioner (note current ACCC draft recommendations)
• Privacy Act & Commissioner inhibit appeals to the Courts
  • Appeals to the AAT are only possible if the Commissioner (PC) makes a ‘Determination’ of a complaint under s52
  • Average of 5.5 s52 determinations p/a for the last 5 years (average of 5 successful) – why are there no losers? (i.e. potential appeals to the AAT)
  • Commissioner dismisses most complaints without a s52 determination – either ‘satisfactorily resolved’ or ‘no breach’ (in the PC’s opinion)
Result: Almost no case law interpreting, or enforcing, the Privacy Act, after 30 years – we know little about what it means

4. Main features of Australian privacy law (cont.)
Factor III: Weak and inconsistent principles
• The Privacy Act’s Australian Privacy Principles (APPs)
  • Enacted 1988, a ‘first generation’ set of basic principles (‘IPPs’)
  • 2001 addition of private sector ‘NPPs’ added little new substance
  • 2012 conversion into ‘APPs’ also added little, and partly went backwards
  • 2018 significant addition: data breach notification obligations
• Not comprehensive, and not uniform
  • Covers both the private sector and public sectors
    • except SA, Tas and WA state sectors
  • The APPs are not adopted uniformly across the State/Territory laws, despite this being one of the main aims of the 2012 reforms
• Privacy Act exempts far too much from scope
  • over 90% of all Australian businesses exempt as ‘small’ businesses;
  • political parties, the media, employment information, ‘publicly available information’
  • ALRC Report recommended scrapping these exemptions – political lobbying too strong

4. Main features of Australian privacy law (cont.)
Factor IV: Enforcement weaker than powers
• Lack of s52 determinations – Courts have not set standards for s52 compensation or for the new powers to order remedies
• Despite the s52 compensation power (no monetary limit), actual awards are very small: $0 (2018); $15K, $23K, $1.5K, $1K, $13K (total $43.5K in 2017) – who would this deter?
• PC stopped publishing ‘Casenotes’ (non-s52 settlements) in 2012 (used to be 20 p/a) – BUT OAIC Annual Report shows they can be substantial $$ – but for what breaches? – a ‘transparency gap’ results
• Civil penalties for ‘serious’/‘repeated’ breaches up to $1.7M (2012) – unused – also undefined, and only for some breaches
• Substantial remedies possible following ‘own motion’ investigations (2012) – very little use
Result: Compliance with the Privacy Act could be seen as optional, just a minor business/administrative expense
[Chart: Remedies in 972 conciliated complaints (OAIC Annual Report 2017-8)]
[Chart: Compensation settlements total $664,000+ (OAIC Annual Report 2017-8), based on the median amount of each category shown; average settlement about $3,400 over 196 settlements]
5. Does Australian law meet global standards?
(I) APPs lack many rights/obligations now in the EU GDPR
1. ‘Personal data’ includes cookies, IP addresses etc.;
2. Positive consent required (not implied or ‘opt out’);
3. Default settings to favour privacy (‘privacy by default’);
4. Obligation to design (and re-design) for ‘privacy by design’;
5. Limits on automated decision-making;
6. ‘Right to be forgotten’ – living down the (irrelevant) past;
   • 650K de-linking requests to Google –> 1M URLs de-linked as a result
7. ‘Portability’ of data in digital form from social networks;
8. ‘Demonstrable accountability’ by data controllers;
9. ‘Data protection impact assessment’ (DPIA) for any high-risk processing, with possible prohibitions;
10. Numerous rights and obligations support ‘data minimisation’.
Which of these are necessary to deal with 21st century problems? Many (not all) of 1-10 are now appearing in laws outside the EU.

STOP PRESS!!: Privacy Act ‘GDPR reforms’ announced 24/03/2019
Press release gives only outline details; at least a year away
• Social media/platforms ‘to cease use or disclosure of personal information on request’
  • A version of the GDPR ‘deletion’/‘right to be forgotten’
• Code of Conduct for social media/platforms
  • More transparent data-sharing arrangements;
  • More specific consent to collection/use of data;
  • This will be an enforceable Code under the Act
• Extra protections for children / vulnerable groups

5. Does Australian law meet global standards? (cont.)
(II) Australian enforcement is behind the GDPR
• GDPR requires data protection authorities (DPAs) to be able to fine companies for breaches up to 4% of global annual turnover (GAT) (art. 83)
  • £500K fine of Facebook = 18 minutes of GAT
  • French DPA fined Google 50M euros
• Individuals can sue companies for breaches directly in the Courts (art. 79)
  • Can also appeal against DPA decisions to the Courts (art. 78)
• NGOs specialising in data protection are entitled to represent individuals in complaints to DPAs (art. 80)
  • May receive the compensation payable
  • NGO complaints are now driving the GDPR

STOP PRESS!!: Privacy Act ‘GDPR reforms’ announced 24/03/2019
• Max. penalties for serious/repeated breaches increased to the highest of (i) $10M; (ii) 3 x benefit obtained; or (iii) 10% of annual domestic turnover. [Existing $1.7M penalties never used.]
• New OAIC powers to issue ‘infringement notices’ for non-cooperation concerning ‘minor breaches’
  • up to $63K for companies, $12.6K for individuals
  • But this is not an administrative fine for breaches as such
• Additional remedies incl. ‘prominent publication’
• Additional $25M to OAIC over 3 years to increase capacity
• Revision after the ACCC ‘platforms inquiry’ report (June), which is likely to recommend:
  • direct right to enforce the Privacy Act before the Courts;
  • ‘serious invasions of privacy’ separate action before the Courts.
Q: Will the OAIC use these new powers? (or existing ones?)

5. Does Australian law meet global standards? (cont.)
(III) Australian companies and the GDPR
Some Australian companies must comply with the EU GDPR (in full):
• If they have an ‘establishment’ in the EU (GDPR art. 3(1));
• If they ‘target’ customers in the EU (GDPR art. 3(2)(a));
• If they monitor the behaviour of individuals in the EU (GDPR art. 3(2)(b));
• If their head office requires ‘GDPR compliance’ (‘vertical GDPR-creep’);
• If they supply services to companies requiring ‘GDPR compliance’ (‘horizontal GDPR-creep’).
Illustrates both the hard and soft power of EU standards
(IV) Australia was not ‘adequate’ under the 1995 EU Directive – what prospects under the GDPR?
6. Who can protect your privacy? (from the personal to the political)
• You can protect yourself
  • Choose privacy-protective services over surveillance services
  • Use PETs (privacy-enhancing technologies): encryption, anonymising browsers etc.
  • Refuse unnecessary data collection (or mis-inform)
• Social media may respond to complaints and take harmful content down
• Community Legal Centres (CLCs) can give advice and represent you
  • E.g. UNSW’s Youth Law Australia has a privacy section
• The news media do now expose privacy breaches
  • Snowden revelations; Cambridge Analytica exposé
  • Individual stories can get media attention: RoboDebt

6. Who can protect your privacy? (cont.)
• Policy NGOs (APF, NOYB, PI) can take collective action
  • Australian Privacy Foundation (APF) – for 32 years since OzCard – great on policy, poor on litigation (no funds);
  • None of Your Business (NOYB) – NGO founded by Max Schrems to enforce the EU GDPR – success with the 50M euros Google fine
  • Privacy International (PI, London-based) – suing 8 streaming services under the GDPR
• Individual Australian data protection authorities may act
  • May encourage companies and departments to negotiate
  • Aust. Privacy Commissioner won’t investigate for 6 months
  • No record of any seriously deterrent fines or compensation
  • At State level, compensation etc. is from State administrative tribunals

6. Who can protect your privacy? (cont.)
• Data protection authorities acting collectively
  • EU’s European Data Protection Board (EDPB) of 29 regulators can make & enforce joint decisions (if two disagree)
• Competition regulators can break up platforms
  • EU aims to prevent ‘interoperability’ of Facebook companies
  • Australia’s ACCC may recommend action (Platforms Inquiry)
• Governments can legislate
  • Global laws have not become a ‘race to the bottom’
  • Silicon Valley is not immune to coordinated laws
• Global treaties on data protection & surveillance may emerge
  • Data protection Convention 108+, and the UN Rapporteur’s work
Bottom line: To be effective, protection must occur, and strengthen, at both the local and the global levels.
References & Resources
• Privacy in Australia – Most of my articles/presentations are on my SSRN pages (free access) https://papers.ssrn.com/per_id=57970, including:
  • ‘Privacy in Australia’ (2008) – a brief (34 pg) history, 1970-2008 https://papers.ssrn.com/abstract_id=3072270
  • ‘Australia's 2012 Privacy Act Revisions: Weaker Principles, More Powers’ (2012) https://papers.ssrn.com/abstract_id=2252569
  • ‘Privacy Enforcement in Australia is Strengthened: Gaps Remain’ (2014) – on the 2012 amendments https://papers.ssrn.com/abstract_id=2468774
  • ‘‘GDPR Creep’ for Australian Businesses But Gap in Laws Widens’ (2018) – why Australia still falls short of global standards https://papers.ssrn.com/abstract_id=3226835

References & Resources (2)
• Global Data Privacy Law Library (on WorldLII) (free access) http://www.worldlii.org/int/special/privacy/
• Australian Privacy and Surveillance Law Library (on AustLII) (free access) http://www.austlii.edu.au/au/special/privacy/
• A useful GDPR Guide https://gdpr-info.eu/ (Intersoft)
• Some of my articles on global developments:
  • ‘The Influence of European Data Privacy Standards Outside Europe’ (2012) https://ssrn.com/abstract=1960299