If 21 is the age at which a person is considered to have matured, what are we to make of a law when it turns 21?
2019 marks the 21st birthday of PPIPA (aka the Privacy and Personal Information Protection Act 1998), the key privacy statute in my home state of NSW. After such a long infancy, it seems an appropriate time to reflect on the law’s effectiveness.
Does PPIPA deliver the goods? After 21 years, I tend to wonder: do the good people of NSW actually enjoy a greater degree of privacy protection than, say, their cousins in WA – who by contrast have no equivalent privacy law covering their state government agencies, local councils or public universities?
I have reason to doubt it. Several reasons, in fact. There are the problems with disturbing loopholes in the legislation, which I have written about before; details like the fact that the maximum compensation payable to a person who has suffered significant harm is set too low and hasn’t been increased in 21 years; and the continued under-resourcing of the NSW Privacy Commissioner’s office.
But today I am more concerned about a really fundamental question. Given PPIPA is recognised as having both a beneficial and a normative purpose – in other words, the legislation as drafted was intended to set new standards across the public sector, to the benefit of individuals’ privacy – is it working?
Agencies not embracing Privacy by Design
For years, advocates of the idea of Privacy by Design have asserted that it is better to design privacy in from the start, and to have pro-privacy settings as the default, than to try and retro-fit a system later.
The on-going Opal Card system design is the perfect illustration of the wisdom of that theory. Over some years, privacy advocate Nigel Waters argued that the collection of data about his travel history – his physical movements – was in breach of the collection limitation principle (known in other jurisdictions as data minimisation), IPP 1, because knowing information about his movements as a passenger was not reasonably necessary for the agency to pursue its lawful purpose of enabling or verifying his entitlement to a concession fare.
And in a ground-breaking case last year, the Tribunal agreed, finding that the collection of travel history data in an identifiable form was just an unnecessary by-product of the system design.
As I have written before, the Opal Card system could – and should – have been designed differently from the start. (Indeed, as part of his case Mr Waters sought to bring forward evidence not only about how public transport ticketing systems work in other jurisdictions in more privacy-protective ways, but also about the political promises made years ago, early on in the Opal Card’s design that the system would allow anonymity for all passengers; and how the former NSW Privacy Commissioner’s criticisms of the later design had been ignored.)
So in order to comply with the Tribunal’s decision and IPP 1, Transport for NSW should now be busy exploring more privacy-protective design options, such as allowing individual passengers to choose to have their travel history data de-linked from their identity data, or otherwise anonymised.
However instead Transport for NSW decided to appeal. In a ruling last August, the Appeal Panel determined that the Tribunal made an error in the way it cast the purpose of the travel history data. Thus far the Appeal Panel has set aside the earlier decision, and determined to conduct a new hearing.
One thing to note, however, is that the Appeal Panel hinted that it was taking a dim view of the agency making post-hoc justifications for collecting travel history data that were not mentioned in the original case, and/or not included in the collection notice provided to customers.
If anything, coming up at this late stage with new arguments about why the travel history data might be necessary in an identifiable form only serves to cement the conclusion that from the outset, TfNSW did not consider the right to anonymous transport when making key design decisions, despite knowing both their obligations under privacy law and also that successive NSW Privacy Commissioners had expressed the need for anonymous travel options for all passengers.
We will find out soon enough if the Appeal Panel comes to a different conclusion about whether the design of the Opal Card system is in breach of IPP 1.
If the Appeal Panel allows Transport for NSW to succeed in casting a wide net in its interpretation of what data is ‘reasonably necessary’, the agency could continue collecting personal information without forethought, further encroaching on the privacy of public transport users. Other agencies will gratefully receive and act on that message, allowing the open slather collection of data, or implementation of monitoring or surveillance systems, without having to weigh up the impact on privacy, or consider less-intrusive options.
However if the Appeal Panel upholds the principle of collection limitation, then all public sector agencies would be sent a strong message about ‘privacy by design’, and the need to think carefully when designing new systems: The need to pause and think about why they are proposing to collect personal information, and to only proceed if they can justify the data collection by reference to a legitimate purpose, and with evidence that the data collection will actually achieve that purpose.
An absence of representative complaints
So if the existence of privacy principles alone has not driven change over the past 21 years, we need robust enforcement to ensure the law has the standard-raising effect it was intended to have. Enforcement can be regulator-driven, or caselaw-driven.
One of PPIPA’s success stories has been its mechanism enabling access to justice. By allowing complainants to seek an external review of conduct in an independent tribunal, without requiring legal representation, NSW has seen several hundred privacy cases decided in NCAT, and its predecessor the ADT, since 2001. (By my count, there have been over 400 reported judgments made under PPIPA and her sister law HRIPA, including interlocutory and appeal decisions. We annotate them all in our quarterly guide, PPIPA in Practice.)
Compare that with the handful of cases brought under the federal Privacy Act, which has been around since 1988 but which requires complainants to lodge their cases in the much more expensive Federal Court, and you see the genuine difference legislation can make to people’s lives, if they can quickly and cheaply access a tribunal in which to seek an enforceable remedy to a harm they have suffered.
And yet, I feel like most of those PPIPA and HRIPA cases have just been tinkering around the edges. So far almost every case has been brought by only one or two people, seeking remedies to mitigate the damage done to themselves: an apology here, a small amount of compensation there. And fair enough! It should not be the job of individual citizens to drive systemic change.
But there is also a role for advocacy groups to agitate on behalf of the citizenry at large. In fact, PPIPA appears to allow for this.
First, the law allows any “person who is aggrieved” to seek review of conduct under PPIPA or HRIPA. There is no threshold requirement in the statute that the complainant’s own personal information needs to have been involved in the conduct; they simply need to be aggrieved because they believe the conduct breached a privacy principle. The Tribunal has noted the beneficial purposes of the legislation, and has promoted this broad reading of the phrase “person aggrieved”.
Indeed, the Tribunal noted that it is possible that a “person aggrieved” by conduct could be a person other than the person who was the subject of the personal information at issue, and thus a third party may be able to seek a review and a remedy for any breach. (And the fact that the definition of ‘personal information’ includes information about people dead for less than 30 years indicates an intention to protect the interests of survivors who may be affected by the handling of the deceased’s personal information, rather than their own.) Similarly, successive NSW Privacy Commissioners have stated that a ‘person aggrieved’ is a wider concept than simply a person whose personal information is in issue.
Second, the orders available to the Tribunal are not limited to providing remedies to the complainant, but can be directed to requiring systemic change by a public sector agency, such as requiring certain conduct to be stopped, or proactive actions to be taken in order to comply with the privacy principles.
So, why don’t we have a history of class actions brought by representative groups, aiming for systemic change? I believe part of the reason is that Australian privacy advocacy groups are stretched too thin, having to put their (entirely volunteer-based) resources into making submissions on countless policy and legislative proposals, and running social media campaigns to draw attention to travesties like Robodebt. They don’t have the time, money or energy to run class actions too.
But it doesn’t help that the Tribunal has been slow to embrace the idea, and indeed has offered some conflicting interpretations. A complaint brought by an individual who claimed to be a member of a class of people potentially aggrieved by the disclosure of case studies about workers compensation claimants was dismissed, with the Tribunal stating that the complainant “is only permitted to agitate matters before the Tribunal in proceedings that relate to conduct or alleged contraventions concerning him personally and where he has suffered some tangible and measurable impact”.
Similarly, in the Opal Card case, the Tribunal rejected the complainant’s argument that he could represent all members of a certain category of people (all passengers using Gold Opal cards), and thus his standing was limited to how he was personally aggrieved. (Nonetheless, the Tribunal did note that its findings about non-compliance, and recommendations to the respondent about how to deal with the complainant’s personal information, would equally apply to any other member of that category of people who came forward with the same complaint, and thus it would be ‘prudent’ for the respondent to make their system compliant for all passengers using Gold Opal cards.)
Also, the reactionary responses by governments on the losing end of privacy cases with the potential for systemic change are hardly encouraging. It’s not just on the Opal Card case that agencies fight back after losing a privacy case on its merits. In 2013, farmer Adam Bonner brought a case under PPIPA, and successfully argued that the CCTV system installed by his local council was not fit for purpose, could not achieve its crime prevention objectives, and was thus beyond the council’s power to run in the first place – and had poor data security practices where the video feed ended at the local police station. One man, using his democratic right to object, and his legislated right to demand legal compliance by his local council with the State’s privacy laws, won his case and held the local council to account. Hurrah! It’s the stuff of Hollywood movies, David vs Goliath, right?
Only NSW politics doesn’t work that way. Did the local council or the State government take a step back and re-evaluate the efficacy of their CCTV crime prevention program? Did they promise to only use CCTV when it is actually fit for purpose, such as to justify the intrusions on privacy? No, politicians confected outrage, characterised the complainant as a trouble-maker, simply asserted that all CCTV works fine, and swiftly drafted blanket exemptions for local councils operating CCTV. So, no accountability, no scrutiny; taxpayers waste their money and citizens lose their privacy.
21, but not yet an adult
Much of the value of Big Data is built on our digital breadcrumbs – the digital traces we leave behind as we go about our day-to-day activities like travelling to work, buying goods, using social media or searching the web.
But if an organisation does not have a sound reason for collecting those breadcrumbs – in other words, if collecting our data is not reasonably necessary for the primary purpose for which we were transacting in the first place (getting on a bus, buying a pair of shoes, chatting to our friends on Facebook) – then it should not be collected at all.
It’s not rocket science. It’s not impossible, or unrealistic, or crazy-advocates-wish-list thinking. It’s right up there as privacy principle number 1, and has been the law for 21 years now: don’t collect personal information unless you really, truly need it for your primary purpose. And yet this most fundamental of privacy principles is so often ignored.
In my view, all the other privacy principles are subordinate to this one. All the access and correction rights, all the data security, all the transparency requirements, are pointless if there are no meaningful limits on what governments can collect about us in the first place.
If agencies still don’t care about getting privacy right, and if individual citizens, the Tribunal or the Privacy Commissioner cannot make them care, then PPIPA is not doing its job. NSW residents are no better off than we were in 1998.
So happy birthday, PPIPA. You may be 21, but I am not yet convinced that you are a functioning adult.