Salinger Privacy


Individuation – Re-thinking the scope of privacy laws

August 30, 2016, Anna Johnston

In Australia, our information privacy rights turn on the definition of ‘personal information’.  If data meets the definition of ‘personal information’, there will be privacy obligations attached to it; otherwise, all bets are off.  But is this approach to protecting privacy serving us well?

Although certainly a less nebulous term than ‘privacy’, relying on the phrase ‘personal information’ has its own drawbacks, because challenges can be made to its breadth.  The components of the definition which are argued about include that the information must be ‘about an individual’, and that the individual must be ‘identified … or … reasonably identifiable’.

The full bench of the Federal Court has just heard submissions in the Privacy Commissioner’s appeal against the AAT decision in Grubb v Telstra.  In December last year, the AAT ruled that mobile network data is not ‘personal information’ subject to the Privacy Act, because it is ‘about’ connections between mobile devices, rather than ‘about an individual’, notwithstanding that a known individual triggered the call or data session which caused the connection.

You might think this distinction is – as Minister McCormack said about privacy concerns and the Census – ‘much ado about nothing’.  (Boom tish!)  But as I have noted before, taking such a narrow view of the word ‘about’ is a slippery slope that could undermine our privacy laws.  If banks start arguing that their records are only ‘about’ transactions, not the people sending or receiving money as part of those transactions – or if hospitals claim that medical records are ‘about’ clinical procedures, not their patients – we may as well all pack up and go home.  Let’s hope the Federal Court sees sense on this question.

The even more contentious part of the definition of ‘personal information’ is the notion of identifiability: is an individual reasonably identifiable from the information at issue?  The flip side of identifiability is the challenge of de-identification.

These debates are an attempt to create clarity from ambiguity: Is it personal information or not?  And thus: is it in or out of the scope of the privacy principles?  Is it worth protecting?

But increasingly, I am of the view that trying to force the world into this type of ‘personal information or not’ binary legal structure is not helpful.  Perhaps, if our objective is to protect people’s privacy, our laws need to grapple with a broader view of the types of practices which can harm privacy – regardless of whether ‘personal information’ is at stake.

The UN’s Special Rapporteur on Privacy, Joe Cannataci, has written about privacy as enabling the free, unhindered development of personality.  You could think of privacy as related to the right to self-determination, or as an element of autonomy.

And if you think of the purpose of privacy laws as protecting individual autonomy, we should be ensuring that our laws regulate all types of activities which can impact on autonomy.  Because it is individuation, rather than identification, which can trigger privacy harms.

In other words, you can hurt someone without ever knowing who they are.

Individuation means you can disambiguate the person in the crowd.  This is the technique used in online behavioural advertising; advertisers don’t know who you are, but they know that the user of this device has a certain collection of attributes, and they can target or address their message to the user of this device accordingly.

Once we move beyond straight-up advertising, the impact on individual autonomy becomes more acute.  Individuation can lead to price discrimination, like surge pricing on Uber based on knowing how much phone battery life you have left.  Or market discrimination, like Woolies only offering car insurance to customers it has decided are low risk.  Or in the world of Big Data, social or government interventions can be triggered by an algorithm assessing your collection of attributes, without necessarily knowing who you are.

Geolocation data likewise offers high rates of individuation, even without identification.  I have written before about how privacy harms could arise from using geolocation data to figure out the likely home address of people who have visited a strip club or an abortion clinic.  Individuals could be targeted for harm, without the perpetrator ever knowing who they are.

The Facebook / Cornell University ‘research’ project on emotional contagion offers another fine example of causing privacy harm, without ‘personal information’ being involved.  Although the researchers argued that no personal information was at stake (and thus, in theory, there were no privacy impacts) because they did not know who their research subjects were, they deliberately manipulated the news feeds of almost 700,000 Facebook users, in order to trigger emotional outcomes for people who had no idea they were even part of a ‘research’ project.

Other examples are on a smaller scale, but no less disturbing.  Taking photos of the genitals of a sedated patient – even if those photos do not lead to identification of the patient, and even if the photos are never shared – is a gross violation of a person’s dignity and autonomy.

All these activities hold the potential to impact on individuals’ autonomy, by narrowing or altering their market or life choices.

Philosophy professor Michael Lynch has said that “taking you out of the decision-making equation” matters because “autonomy enables us to shape our own decisions and make ones that are in line with our deepest preferences and convictions. Autonomy lies at the heart of our humanity”.

Yet for now, our legal protections for privacy only kick in when there is an ‘identifiability’ dimension to an activity.

Perhaps it is time to re-think the scope of our privacy laws, to encompass individuation and autonomy as well as identification.  In March this year a statutory cause of action for serious invasions of privacy, which could go beyond our limited ‘personal information’ protection laws, was recommended by the NSW Legislative Council Standing Committee on Law and Justice in its report Remedies for the serious invasion of privacy in New South Wales.  The NSW Government is due to respond on 5 September.

So between the impending decision in the Grubb v Telstra case, and the response from the NSW Government to the recommendation to introduce a statutory tort of privacy, the scope of our privacy laws might just be in for a timely shake-up.

 
