Well, August was disappointing, huh?
News of the delay of the long-promised Privacy Act reforms was met with groans of disappointment by privacy and consumer advocates – but interestingly, we hear similar expressions of frustration from regulated entities too.
As my colleague Alex Kotova noted: “It’s not just privacy advocates who should be disappointed by this. As businesses try to ready themselves for what have been highly publicised reforms, this lack of clarity creates more of a compliance nightmare than any removal of the small business exemption (with the right concessions) would do.”
Rumours are that concerns about accurately quantifying the economic impact of reforms have proven a stumbling block in Cabinet.
Leaving aside the view that we shouldn’t be trying to quantify human rights in dollar terms anyway, it is important for the economists to realise that there is also a cost to not reforming the Privacy Act. Because so much of our economy, our social lives, our democracy, our safety and our health is affected by data about humans, laws that are fit for this digital age matter to everyone.
So here’s my list of cost-saving reasons for Cabinet to re-think the delay, and push the Privacy Act reforms to the top of the legislative agenda, quick-smart. There’s a benefit in the proposed reforms for just about everyone.
For the Treasurer
Leaving businesses in a holding pattern while playing the ‘will they won’t they’ guessing game is not only frustrating … it is economically inefficient. How can businesses know where to invest their resources, if they’re not sure whether or when proposed reforms are coming, or what shape they will take?
As we have seen play out in the climate change regulatory space over decades, inaction and uncertainty are deal-killers for businesses. A company thinking about investing in AI or a new customer data platform, for example, must choose between delaying its project (and risking missing out on being first-to-market, or on the efficiencies that new tech can bring) and jumping in now (and risking wasting money and energy on a project that has to be re-tooled later).
Clear and strong regulation offers the certainty of guardrails, within which businesses can adopt, innovate and grow; whereas privacy and security concerns hinder technology adoption. Competition is also stimulated by creating a level playing field, instead of allowing a race to the bottom, in which ethical companies suffer. In the wake of large data breaches, and fears about new technologies like AI, consumers are losing trust in businesses and government to manage their data; stronger privacy laws could turn that around. Treasury’s own paper on national competition policy, released last week, notes the tension between data use and privacy, but points out that the government must create appropriate policy settings to regulate data and digital technology, because Australians “will be more likely to realise the large economic benefits and competition enhancing impacts of data” if “the risk of harm” has been properly managed.
Also, the current weak state of our privacy laws is a key reason why Australia is not recognised as offering ‘equivalent’ legal protections to the European Union (in contrast to other countries in our region such as NZ, Japan and South Korea). This has the effect of creating a legal barrier to international trade involving personal information. We need Privacy Act reform to match our trading partners, and open up possibilities for Australian businesses seeking export markets.
For the Assistant Treasurer
Need to re-build social licence in the Census after yet another debate about what the government does or does not need to know about Australians? The Privacy Act reform proposals include stronger protections for data that has been subject to de-identification techniques (but which could still be re-identifiable, hence the need for protection), but also trade-offs for those heightened protections, in the form of streamlined rules for research in the public interest. Win-win.
For the Minister for Home Affairs
When raising the country’s official alert level from ‘possible’ to ‘probable’ last month, ASIO director-general Mike Burgess warned of the rising threat – not from foreign states, but individuals intent on politically motivated violence. He pinpointed vulnerable young men, in online isolation bubbles, “driven by social media” and radicalised at speed. eSafety Commissioner Julie Inman Grant has likewise pointed at “live streaming, algorithms and recommender systems”, being weaponised by violent extremists. Meanwhile online misinformation is being blamed for riots in the UK.
How do we start to fix this? Tackle the root cause of online targeted messaging. Designed to more efficiently enable marketing spend, online behavioural advertising has morphed into a dangerous weapon, in which every person’s online world can be tailored and targeted to them personally. Every meme, every social media post, every piece of recommended content, every video becomes a channel for undue influence and misinformation. As Lecturer Richard Fern says: “Hate is clickbait. And social media algorithms put it on steroids”.
What is the link to Privacy Act reform? Individuation online is the diesel that fuels the algorithmic engines, amplifying the voices of influencers, and powering the trains of online hate, misinformation and extremism which lead to everything from the explosion in mood disorders to pro-anorexia content to Holocaust denial, false claims about stolen elections and genocide.
We can’t hope to address these problems until individuated data is clearly brought within the scope of the Privacy Act. From there, regulators can better set rules for when data about us can be collected, used or disclosed – and we can start to rein in the business model which rewards online surveillance, profiling and targeted messaging. The proposals to clarify and strengthen the definitions of ‘personal information’ and ‘consent’ are a critical starting point.
For the Minister for Cyber Security
Who would want to be the Minister in the hot seat next time there is a Medibank or Optus-sized data breach, when the government promised to act last time? The Privacy Act reform proposals include setting baseline data security expectations for all regulated entities, as well as bringing small businesses into the regulated tent. So the cost of not introducing the reforms is the failure to incentivise businesses economy-wide to improve their data handling practices … and that means a higher chance of more and more data breaches that hurt ordinary Australians. Shorter data breach notification periods, as also proposed in the reforms, will help mitigate losses.
For the Minister for Employment and Workplace Relations
Want to show that you’re genuinely on the side of working Aussies (while in the middle of cracking down on a corrupt union)? Pass the proposed reform that would protect employees’ privacy rights, against intrusions like forced blood tests at work.
For the Minister for Industry and Science
A number of other government policy and regulatory approaches hang off Privacy Act reform, including Minister Ed Husic’s approach to AI regulation. The proposed reforms include mandatory Privacy Impact Assessment for high-risk activities, requirements to proffer ‘meaningful information’ about how automated decisions are made, and a new ‘fair and reasonable’ test for the collection, use and disclosure of personal information – all of which will help boost trust that AI is being designed, developed and deployed in a responsible and trustworthy way.
For the Minister for Communications
Need a new way to tackle the scourge of gambling addiction and pacify backbenchers who want tougher advertising reforms? The proposals to clarify and strengthen the definitions of ‘personal information’ and ‘consent’, and introduce the ‘fair and reasonable’ test, will help get you there.
Since children’s online safety is also within your portfolio, the proposals to introduce a Children’s Online Privacy Code, and tougher rules for targeting and trading in personal information about children, will also help achieve your objectives.
For the Minister for Health and Aged Care
Public health campaigns derailed by conspiracy theories, teenage girls being pushed into pro-anorexia content on social media, spiralling levels of mental illness in young people, people harmed by unregulated products promoted online via ‘dark marketing’ … all of these health problems are exacerbated by business models built on online surveillance, profiling and targeted messaging, which reward eyeballs on screens, rather than evidence or accuracy. The long-term, collective impact is a lessening of trust in experts and traditional institutions on matters such as public health. Pass the Privacy Act reforms and cut the gas from the amplification engine.
For the Special Minister of State
Ditto electoral integrity challenges: misinformation is being generated and circulated at scale, enabling political mistruth amplification, polarisation and radicalisation, which impacts democratic health and stability. The proposed privacy reforms will help you tackle the platforms which thrive on conflict, and amplify destabilising voices.
For the Finance Minister
Even the ATO is counting the cost of misinformation online, with tax non-compliance on the rise thanks to viral BS spread by the ‘sovereign citizen’ movement. Tackle the algorithms, and bring in more tax revenue.
For the Minister for Foreign Affairs
Imagine being able to swan about Europe with your head held high, saying ‘Yes our privacy laws are finally as strong as yours’? Pass the Privacy Act reforms.
For the Minister for Trade and Tourism
Because once our laws are as good as Europe’s, guess what happens? Australia can score an ‘adequacy’ ruling from the European Commission, and bingo – existing barriers to trade will drop away. Want to trade with countries with lower standards of privacy protection? The reform proposals also feature standard contractual clauses to facilitate compliant cross-border disclosure.
For the Minister for Government Services
Want people to trust the new Trust Exchange digital identity scheme? You know what to do – strengthen our privacy laws to build the social licence first.
For the Minister for Small Business
While it is tempting to see the proposed abolition of the small business exemption as the introduction of unnecessary ‘red tape’, consider the following.
First, no comparable jurisdiction has a small business exemption in their privacy laws, and the sky has not fallen in.
Second, Australians expect that the Privacy Act’s obligations on entities to protect the security of the personal information they hold should apply economy-wide. This is because financial turnover does not correlate with the value of data being held by a business; even very small businesses can do harm at scale. Removal of the exemption is even supported by the Australian Small Business and Family Enterprise Ombudsman as “necessary and appropriate”, due to public expectations about data protection, such that a blanket exemption is no longer credible.
For example, the facial recognition technology vendor Outabox, which supplied its venue sign-in tech solution to multiple clubs, was the subject of a data breach impacting approximately 1 million patrons of those venues. The company’s poor privacy and data security practices exacerbated the harms suffered by patrons. The Privacy Commissioner has stated publicly that Outabox is a ‘small business’ for the purposes of the Privacy Act, and is thus exempt from the law, and immune from consequences for its data breach.
Third, as already mentioned, the existence of the exemption is hampering Australian trade, including trade that would benefit small businesses seeking to access overseas markets.
Fourth, the existence of the exemption means there is a disincentive for small businesses to invest in data security, which leaves them open to cyber risk. If regulation means uplifting a business’s privacy and cyber maturity, that helps the business as well as their customers.
Fifth, continuing to exempt small businesses from the Act does growing businesses no favours in the long run. If businesses are not set up properly from the start to implement ‘fair and reasonable’ personal information handling practices, or to enable robust data security, or to only collect sensitive personal information with express consent, then when those businesses grow past the arbitrary $3M turnover mark they suddenly face a compliance task which may involve re-architecting their systems and business processes, if not also their business model.
I’m not an economist, so I can’t put a dollar figure on the cost of not reforming the Privacy Act. But the costs are real, nonetheless.
Let’s hope Cabinet does not delay or demur any longer.