Salinger Privacy

  • About
    • About Salinger Privacy
    • Videos, Podcasts and Media Mentions
    • Work with us
  • Consulting
    • Our Consulting Services
    • Privacy Impact Assessment
    • Privacy by Design advice
    • Algorithmic Impact Assessment
    • Privacy Compliance Reviews
  • Training
    • Overview
    • Training Calendar
    • Public Courses and Workshops
    • In-house Privacy Training and Workshops
    • Online Training
    • Webinars
    • IAPP Certifications
    • Training Advisory Services
    • Login
  • Privacy Resources
    • Privacy Resources
    • Compliance Kits
    • Resources on key privacy topics
    • Free Handbook
    • Newsletter
    • Login
  • Who We Are
    • Anna Johnston
    • Melanie Casley
    • Andrea Calleia
    • Stephen Wilson
    • Chris Culnane
  • Blog
  • Contact
  • Compliance Kits
    • For Business
    • For NSW Public Sector
    • For Victorian Public Sector
    • For Australian Government
    • Login

Individuation – Re-thinking the scope of privacy laws

August 30, 2016, Anna Johnston

Share this post

Share this post on twitter Share this post on Linkedin Share this on Facebook

In Australia, our information privacy rights turn on the definition of ‘personal information’.  If data meets the definition of ‘personal information’, there will be privacy obligations attached to it; otherwise, all bets are off.  But is this approach to protect privacy serving us well?

Although certainly a less nebulous term than ‘privacy’, relying on the phrase ‘personal information’ has its own drawbacks, because challenges can be made to its breadth.  The components of the definition which are argued about include that the information must be ‘about an individual’, and that the individual must be ‘identified … or … reasonably identifiable’.

The full bench of the Federal Court has just heard submissions in the Privacy Commissioner’s appeal against the AAT decision in Grubb v Telstra.  In December last year, the AAT ruled that mobile network data is not ‘personal information’ subject to the Privacy Act, because it is ‘about’ connections between mobile devices, rather than ‘about an individual’, notwithstanding that a known individual triggered the call or data session which caused the connection.

You might think this distinction is – as Minister McCormack said about privacy concerns and the Census – ‘much ado about nothing’.  (Boom tish!)  But as I have noted before, taking such a narrow view of the word ‘about’ is a slippery slope, that could undermine our privacy laws.  If banks start arguing that their records are only ‘about’ transactions, not the people sending or receiving money as part of those transactions – or if hospitals claim that medical records are ‘about’ clinical procedures, not their patients – we may as well all pack up and go home.  Let’s hope the Federal Court sees sense on this question.

The even more contentious part of the definition of ‘personal information’ is the notion of identifiability: is an individual reasonable identifiable from the information at issue?  The flip side of identifiability is the challenge of de-identification.

These debates are an attempt to create clarity from ambiguity: Is it personal information or not?  And thus: is it in or out of the scope of the privacy principles?  Is it worth protecting?

But increasingly, I am of the view that trying to force the world into this type of ‘personal information or not’ binary legal structure is not helpful.  Perhaps, if our objective is to protect people’s privacy, our laws need to grapple with a broader view of the types of practices which can harm privacy – regardless of whether ‘personal information’ is at stake.

The UN’s Special Rapporteur on Privacy, Joe Cannataci, has written about privacy as enabling the free, unhindered development of personality.  You could think of privacy as related to the right to self-determination, or as an element of autonomy.

And if you think of the purpose of privacy laws as protecting individual autonomy, we should be ensuring that our laws regulate all types of activities which can impact on autonomy.  Because it is individuation, rather than identification, which can trigger privacy harms.

In other words, you can hurt someone without ever knowing who they are.

Individuation means you can disambiguate the person in the crowd.  This is the technique used in online behavioural advertising; advertisers don’t know who you are, but they know that the user of this device has a certain collection of attributes, and they can target or address their message to the user of this device accordingly.

Once we move beyond straight-up advertising, the impact on individual autonomy becomes more acute.  Individuation can lead to price discrimination, like surge pricing on Uber based on knowing how much phone battery life you have left.  Or market discrimination, like Woolies only offering car insurance to customers it has decided are low risk.  Or in the world of Big Data, social or government interventions can be triggered by an algorithm assessing your collection of attributes, without necessarily knowing who you are.

Geolocation data likewise offers high rates of individuation, even without identification.  I have written before about how privacy harms could arise from using geolocation data to figure out the likely home address of people who have visited a strip club or an abortion clinic.  Individuals could be targeted for harm, without the perpetrator ever knowing who they are.

The Facebook / Cornell University ‘research’ project on emotional contagion offers another fine example of causing privacy harm, without ‘personal information’ being involved.  Although the researchers argued that no personal information was at stake (and, thus in theory there were no privacy impacts) because they did not know who their research subjects were, they deliberately manipulated the news feeds of almost 700,000 Facebook users, in order to trigger emotional outcomes for people who had no idea they were even part of a ‘research’ project.

Other examples are on a smaller scale, but no less disturbing.  Taking photos of the genitals of a sedated patient – even if those photos do not lead to identification of the patient, and even if the photos are never shared – is a gross violation of a person’s dignity and autonomy.

All these activities hold the potential to impact on individuals’ autonomy, by narrowing or altering their market or life choices.

Philosophy professor Michael Lynch has said that “taking you out of the decision-making equation” matters because “autonomy enables us to shape our own decisions and make ones that are in line with our deepest preferences and convictions. Autonomy lies at the heart of our humanity”.

Yet for now, our legal protections for privacy only kick in when there is an ‘identifiability’ dimension to an activity.

Perhaps it is time to re-think the scope of our privacy laws, to encompass individuation and autonomy as well as identification.  In March this year a statutory cause of action for serious invasions of privacy, that could go beyond our limited ‘personal information’ protection laws, was recommended by the NSW Legislative Council Standing Committee on Law and Justice in its report Remedies for the serious invasion of privacy in New South Wales.  The NSW Government is due to respond on 5 September.

So between the impending decision in the Grubb v Telstra case, and the response from the NSW Government to the recommendation to introduce a statutory tort of privacy, the scope of our privacy laws might just be in for a timely shake-up.

 

Photograph (c) Shutterstock

 

Filed Under: Uncategorized

If you enjoyed this blog, subscribe to our newsletter to receive more privacy insights and news every month.

Privacy Compliance Kits

Recent Posts

  • OAIC determinations shed light on when data is regulated as ‘personal information’
  • Big Tech, Individuation, and why Privacy must become the Law of Everything
  • Should birds of a feather be FLoC’d together?
  • Why can’t Aunty get the ABCs of privacy right?
  • Privacy law reform in Australia – the good, the bad and the ugly
  • Between 7 and 11 lessons you can learn from the latest OAIC privacy case
  • Privacy and gender: what to ask, when and why
  • What covid apps can teach us about privacy, utility and trust in tech design
  • Cat or carrot? Assessing the privacy risks from algorithmic decisions
  • Not too much identity technology, and not too little

Archive

  • 2022
  • 2021
  • 2020
  • 2019
  • 2018
  • 2017
  • 2016
  • 2015

Search

Salinger Privacy we know privacy inside out

Salinger Privacy can help you navigate the complexity of the regulatory environment, and ensure the trust of your customers.

CONTACT US

T: 02 9043 2632
PO Box 1250, Manly NSW 1655
Email Enquiry

© Salinger Consulting Pty Ltd
ABN 84 110 386 537

Our Privacy Policy

Subscribe to our newsletter.

These details will be added to our mailing list to receive the Salinger Privacy eNews and Product News newsletters. You can unsubscribe or adjust your preferences at any time, from the bottom of any newsletter.