In Australia, our information privacy rights turn on the definition of ‘personal information’. If data meets the definition of ‘personal information’, there will be privacy obligations attached to it; otherwise, all bets are off. But is this approach to protect privacy serving us well?
Although certainly a less nebulous term than ‘privacy’, relying on the phrase ‘personal information’ has its own drawbacks, because challenges can be made to its breadth. The components of the definition which are argued about include that the information must be ‘about an individual’, and that the individual must be ‘identified … or … reasonably identifiable’.
The full bench of the Federal Court has just heard submissions in the Privacy Commissioner’s appeal against the AAT decision in Grubb v Telstra. In December last year, the AAT ruled that mobile network data is not ‘personal information’ subject to the Privacy Act, because it is ‘about’ connections between mobile devices, rather than ‘about an individual’, notwithstanding that a known individual triggered the call or data session which caused the connection.
You might think this distinction is – as Minister McCormack said about privacy concerns and the Census – ‘much ado about nothing’. (Boom tish!) But as I have noted before, taking such a narrow view of the word ‘about’ is a slippery slope, that could undermine our privacy laws. If banks start arguing that their records are only ‘about’ transactions, not the people sending or receiving money as part of those transactions – or if hospitals claim that medical records are ‘about’ clinical procedures, not their patients – we may as well all pack up and go home. Let’s hope the Federal Court sees sense on this question.
The even more contentious part of the definition of ‘personal information’ is the notion of identifiability: is an individual reasonable identifiable from the information at issue? The flip side of identifiability is the challenge of de-identification.
These debates are an attempt to create clarity from ambiguity: Is it personal information or not? And thus: is it in or out of the scope of the privacy principles? Is it worth protecting?
But increasingly, I am of the view that trying to force the world into this type of ‘personal information or not’ binary legal structure is not helpful. Perhaps, if our objective is to protect people’s privacy, our laws need to grapple with a broader view of the types of practices which can harm privacy – regardless of whether ‘personal information’ is at stake.
The UN’s Special Rapporteur on Privacy, Joe Cannataci, has written about privacy as enabling the free, unhindered development of personality. You could think of privacy as related to the right to self-determination, or as an element of autonomy.
And if you think of the purpose of privacy laws as protecting individual autonomy, we should be ensuring that our laws regulate all types of activities which can impact on autonomy. Because it is individuation, rather than identification, which can trigger privacy harms.
In other words, you can hurt someone without ever knowing who they are.
Individuation means you can disambiguate the person in the crowd. This is the technique used in online behavioural advertising; advertisers don’t know who you are, but they know that the user of this device has a certain collection of attributes, and they can target or address their message to the user of this device accordingly.
Once we move beyond straight-up advertising, the impact on individual autonomy becomes more acute. Individuation can lead to price discrimination, like surge pricing on Uber based on knowing how much phone battery life you have left. Or market discrimination, like Woolies only offering car insurance to customers it has decided are low risk. Or in the world of Big Data, social or government interventions can be triggered by an algorithm assessing your collection of attributes, without necessarily knowing who you are.
Geolocation data likewise offers high rates of individuation, even without identification. I have written before about how privacy harms could arise from using geolocation data to figure out the likely home address of people who have visited a strip club or an abortion clinic. Individuals could be targeted for harm, without the perpetrator ever knowing who they are.
The Facebook / Cornell University ‘research’ project on emotional contagion offers another fine example of causing privacy harm, without ‘personal information’ being involved. Although the researchers argued that no personal information was at stake (and, thus in theory there were no privacy impacts) because they did not know who their research subjects were, they deliberately manipulated the news feeds of almost 700,000 Facebook users, in order to trigger emotional outcomes for people who had no idea they were even part of a ‘research’ project.
Other examples are on a smaller scale, but no less disturbing. Taking photos of the genitals of a sedated patient – even if those photos do not lead to identification of the patient, and even if the photos are never shared – is a gross violation of a person’s dignity and autonomy.
All these activities hold the potential to impact on individuals’ autonomy, by narrowing or altering their market or life choices.
Philosophy professor Michael Lynch has said that “taking you out of the decision-making equation” matters because “autonomy enables us to shape our own decisions and make ones that are in line with our deepest preferences and convictions. Autonomy lies at the heart of our humanity”.
Yet for now, our legal protections for privacy only kick in when there is an ‘identifiability’ dimension to an activity.
Perhaps it is time to re-think the scope of our privacy laws, to encompass individuation and autonomy as well as identification. In March this year a statutory cause of action for serious invasions of privacy, that could go beyond our limited ‘personal information’ protection laws, was recommended by the NSW Legislative Council Standing Committee on Law and Justice in its report Remedies for the serious invasion of privacy in New South Wales. The NSW Government is due to respond on 5 September.
So between the impending decision in the Grubb v Telstra case, and the response from the NSW Government to the recommendation to introduce a statutory tort of privacy, the scope of our privacy laws might just be in for a timely shake-up.
Photograph (c) Shutterstock