Introduction

1 The Office of the Australian Information Commissioner (OAIC) welcomes the opportunity to comment on the exposure draft of the Social Media (Anti-Trolling) Bill 2021 (the Bill).

2 The Bill will introduce a new framework for Australians to ascertain the contact details of individuals that post anonymous, defamatory comments on social media for the purposes of commencing defamation proceedings.[1] The Bill deems social media services as ‘publishers’ for the purposes of defamation law but includes a conditional defence from liability if the social media service discloses the contact details of a commenter in certain circumstances.

3 Many social media services enable users to engage anonymously or pseudonymously on their platforms. Anonymity and pseudonymity are important privacy principles.

4 An individual may prefer to transact online anonymously or pseudonymously for various reasons including a preference not to be identified or to be ‘left alone’, to avoid subsequent contact (such as direct marketing) from an entity, to keep their whereabouts secret from others, including in circumstances where they fear harm or harassment from others, to access services (such as counselling or health services) without this becoming known to others, or to express views in the public arena without fear of reprisal.[2]

5 The explanatory paper to the Bill acknowledges that anonymity is a legitimate feature of the digital ecosystem but can be abused in some cases to harm reputations.[3]

6 In a recent report on the UK’s draft Online Safety Bill, a parliamentary Joint Committee noted that anonymous abuse online was a serious area of concern but also acknowledged that:

‘…anonymity and pseudonymity are crucial to online safety for marginalised groups, for whistleblowers, and for victims of domestic abuse and other forms of offline violence. Anonymity and pseudonymity are not the problem and ending them would not be a proportionate response.’[4]

7 We note that the Bill does not seek to prevent social media users from operating anonymously or under a pseudonym online. However, a likely consequence of the framework in the Bill is that social media services will seek to collect additional contact details (if they do not already hold them) about their users and then verify the accuracy or authenticity of the details they hold so that they may access the defence to liability when required. This necessarily raises privacy risks and impacts, which are discussed further below.

8 The Privacy Act 1988 recognises that the right to privacy is not absolute, and privacy rights will necessarily give way where there is a compelling public interest reason to do so. Whether this is appropriate will depend on whether any privacy impacts are reasonable, necessary and proportionate to achieving a legitimate objective.

9 The explanatory paper notes that where defamatory posts are made anonymously, it can be difficult for victims to seek legal recourse against the original commenter.[5] We understand a key objective of the Bill is to empower individuals to identify anonymous users who post defamatory material in order to seek redress through a claim for defamation.[6]

10 However, an important threshold issue is whether the privacy impact on all Australian social media users, that will result from the collection and verification of their contact details, is a reasonable, necessary and proportionate response to achieving the Bill’s objective. In particular, the number of individuals that are currently unable to pursue a claim for defamation due to an inability to identify anonymous users should be appropriately balanced with the privacy impacts that may be experienced by all Australian social media users.[7]

11 We note that the Online Safety Act 2021 allows the e-Safety Commissioner to require a social media service (amongst other entities) to provide information about the identity of the end user of the service and contact details of an end user of the service.[8] The Act also provides that a social media service is only required to comply to the extent they are capable of doing so.[9] We query whether this approach could be considered further in the context of this Bill, as it appears to require disclosure of the information the entity already has in its possession, rather than incentivising the collection and verification of additional personal information.

12 Accordingly, we recommend that further consideration should be given as to whether the threshold of reasonable necessity is made out, or whether the objective of the Bill may be achieved through measures that have less impact on the handling of personal information.

Recommendation 1 Further consideration is given as to whether the privacy impacts on all Australian users of social media services are reasonable and necessary to achieve the objectives of the Bill, or whether less privacy-intrusive options could achieve the same objective.

Additional safeguards for collection and verification of ‘relevant contact details’

13 Notwithstanding the above, should the Bill proceed as drafted, we have considered the substantive provisions to ensure that any adverse effects of the proposed enactment on the privacy of individuals are minimised.[10]

14 Part of taking a proportionate approach is also considering what safeguards can be put in place to mitigate privacy risks. To this end, we have made several recommendations below designed to help mitigate potential privacy risks and impacts by enhancing the safeguards in the Bill.

15 The Bill will deem social media services to be publishers of material posted on their platform for the purposes of defamation law. However, the Bill also includes a conditional defence from defamation liability if a social media service discloses the ‘relevant contact details’ of a commenter either with the consent of the original commenter via a complaints scheme that meets prescribed elements, or in response to an information disclosure order issued by a court.

16 ‘Relevant contact details’ are defined in cl 6 of the Bill as:

  1. the name of the person or the name by which the person is usually known
  2. an email address that can be used to contact the person
  3. a phone number that can be used to contact the person
  4. such other details (if any) as are specified in the legislative rules (legislative rules are discussed further below).

17 We understand from the explanatory paper that the ‘relevant contact details’ are intended to be such as is necessary to effect substituted service in an Australian court and fake or inaccurate details will not meet the definition of ‘relevant contact details.’[11]

18 This means that a social media service would be unable to rely on the defence if they produce fake or inaccurate details. It is also relevant to note that cl 14 of the Bill provides that the defence of innocent dissemination is not available to a social media service for the purposes of defamation proceedings.

19 A likely outcome of the framework set out in the Bill is that social media services will seek to collect additional categories of personal information that they do not already hold, and then take steps to verify the authenticity and accuracy of their information holdings to rely on the defence to defamation liability. Both scenarios necessarily have privacy implications.

20 As a starting point, a key privacy consideration is data minimisation, which means limiting the collection of personal information to the minimum amount that is necessary to achieve a particular objective. Data minimisation is an important privacy safeguard, which can help to reduce privacy and security risks and impacts. For example, if an entity collects more personal information than is necessary, this may increase the risk of harm to an individual in the event of a data breach. Holding large amounts of personal information can also increase the risk of unauthorised access by internal or external sources.

21 We recommend the Department consider whether each of the categories of personal information listed in the definition of ‘relevant contact details’ is reasonably necessary in the circumstances. For instance, the definition of ‘relevant contact details’ could be revised so that it requires an email address or a phone number, rather than an email address and a phone number. This would further promote a data minimisation approach and may disincentivise social media services from seeking to collect additional contact details that they do not already hold.

22 A related issue is how social media services will seek to ensure that the ‘relevant contact details’ are authentic and accurate. The Bill is silent on this issue, which leaves it to the discretion of social media services as to the steps they will take to verify the contact details to a level of accuracy that would enable them to rely on the defence.

23 We note that a phone number and email address can be verified by less privacy intrusive methods, for example, by sending an email requesting the user click on a link to verify their account or by sending a verification code to a user’s mobile phone, which must then be entered in an app or web browser.

24 However, it is not clear from the Bill whether ‘the name of the person’ or the ‘name by which the person is usually known’ in the definition of ‘relevant contact details’ means a person’s actual or legal name.

25 If the intention is that a person’s legal name is required to satisfy the definition (in order for a social media service to be able to rely on the defence), this may result in social media services seeking to collect identity information, such as government issued credentials like a driver’s licence or passport, in order to verify the authenticity of an individual’s name.

26 This is problematic given the privacy and security risks associated with the mishandling of this information. For instance, government issued credentials contain significantly more personal information than may already be collected and held by social media services (such as address, date of birth and other identifiers like Medicare number). Further, compromise of identity credentials and information can lead to identity theft, which has significant consequences for individuals.

27 In light of the above, we consider greater clarity is required around what ‘the name of the person’ or ‘the name by which the person is usually known’ actually means in the context of the definition of ‘relevant contact details’. The Bill would also benefit from greater clarity and specificity around the reasonable steps social media services should take, or the conditions they will need to satisfy, in order to be able to rely on the defence in the Bill.

28 We also recommend that additional safeguards be included in the Bill to ensure that any additional information that is collected by a social media service solely for the purpose of being able to rely on the defence, including any information collected to verify a user’s name, cannot subsequently be used or disclosed for other purposes that may not align with the community’s expectations. At a minimum, we recommend that the Bill includes express prohibitions on this information being used and disclosed for other commercial purposes.

Recommendation 2 Adopt a data minimisation approach to the definition of ‘relevant contact details’ by, for example, amending the definition to require an email address or a phone number, rather than an email address and a phone number.

Recommendation 3 Provide greater clarity in the Bill around what ‘the name of the person’ or ‘the name by which the person is usually known’ means in the context of the definition of ‘relevant contact details’, and what is required from social media services in terms of the steps they will need to take, or the conditions they will need to satisfy, in order to be able to rely on the conditional defence.

Recommendation 4 Include additional safeguards in the Bill to ensure any information collected by a social media service solely for the purpose of being able to establish the defence to liability, including any information collected to verify a user’s name (such as government credentials), is not subsequently used and disclosed for other commercial purposes.

Interaction with the Privacy Act

29 It is important to note that the Bill does not displace the requirements of the Privacy Act and social media services subject to the Act must continue to comply with their privacy obligations. This includes APP 3, which gives effect to the principle of data minimisation by requiring organisations to only collect personal information that is reasonably necessary for their functions or activities. This means that social media services will still need to assess whether the collection of any additional personal information is reasonably necessary in the circumstances.

30 APP 11 imposes obligations on organisations to take reasonable steps to protect the personal information they hold from misuse, interference and loss and unauthorised access, modification or disclosure. If the Bill does incentivise social media services to collect and hold a greater volume of personal information, these entities will need to conduct security reviews to determine if their systems can secure a greater volume of information and implement additional security obligations, where necessary, in order to comply with their obligations under APP 11.

31 Entities also have existing obligations under APP 11.2 to take reasonable steps to destroy personal information or ensure it is de-identified if they no longer need the information for any purpose for which it may be used or disclosed under the APPs. This obligation would extend to any additional information, including verification information, collected for the purposes of relying on the defence under the Bill.

32 We note that most social media services that will be captured by the Bill are large multinational corporations with substantial resources and would be expected to implement any additional security and deletion or de-identification measures required to protect the personal information of Australian social media users.

33 APP 5 also requires organisations to notify individuals of certain matters before or at the time they collect personal information, including how and to whom they usually disclose personal information. As noted above, the Bill would require a social media service to disclose a commenter’s ‘country location data’ to a complainant, and ‘relevant contact details’ in response to an information disclosure order issued by a court. Accordingly, social media services will need to ensure that their privacy collection notices notify users of these disclosures.

Legislative rules

34 The Bill enables additional details to be included in the definition of ‘relevant contact details’ if prescribed in legislative rules made by the Minister.[12]

35 A discretionary power to prescribe additional types of personal information would expand the scope of the definition and increase privacy risks if social media services are required to collect additional categories of personal information to access the defence.

36 Accordingly, we recommend that the rule-making power is removed and the definition of ‘relevant contact details’ is limited to what is prescribed in the primary legislation.

37 If the rule-making power in relation to ‘relevant contact details’ is retained, we recommend that the Department includes a provision in the Bill requiring consultation with the Information Commissioner as to whether the proposed expansion of the definition is reasonable, necessary and proportionate before any legislative rules are made, which would provide additional oversight and transparency.

38 There is precedent for such consultation requirements in other legislation, for example, s 53 of the Office of the National Intelligence Act 2018, s 355-72 of the Taxation Administration Act 1953 and s 56AD of the Competition and Consumer Act 2010.

Recommendation 5 Remove the ability for legislative rules to prescribe additional categories of contact details so that the definition of ‘relevant contact details’ is limited to what is prescribed in the primary legislation.

Recommendation 6 If the rule-making power in relation to ‘relevant contact details’ is retained, include a provision in the Bill requiring consultation with the Information Commissioner as to whether the proposed expansion of the definition is reasonable, necessary and proportionate before any legislative rules are made.

Consent to disclosure of relevant contact details

39 An important privacy-preserving feature of the Bill is that social media services may only disclose a commenter’s relevant contact details with consent or in response to a court ordered end-user information disclosure order.

40 However, we note that the Bill does not appear to contain limitations as to how a prospective applicant may subsequently use or disclose the information they receive under the framework in the Bill. Consequently, information obtained by a prospective applicant may be used or disclosed for purposes other than commencing legal proceedings against the original commenter.

41 As an additional safeguard, we recommend that the Bill prohibit the subsequent use or disclosure of an individual’s ‘relevant contact details’ for purposes other than those required to initiate legal proceedings for defamation. We consider that this requirement should also be subject to a penalty to encourage compliance.

42 Relatedly, the OAIC’s APP Guidelines state that the four key elements of consent are:

  • the individual is adequately informed before giving consent
  • the individual gives consent voluntarily
  • the consent is current and specific, and
  • the individual has the capacity to understand and communicate their consent.

43 An individual may make a complaint to the OAIC if consent to the disclosure of their personal information is not properly obtained by a social media service.

44 We encourage the Department to consider developing guidance around how social media services should address the four key elements of consent to ensure consent is properly obtained in the context of the complaints scheme. For example, the guidance could outline the key matters that social media services should tell individuals when seeking consent to the disclosure of their personal information, including that the information will be disclosed only for the purposes of facilitating defamation proceedings against them.

45 Standard guidance would support the implementation of the framework and ensure a consistent approach to obtaining consent across the industry. The OAIC is available to assist the Department with developing this guidance.

Recommendation 7 Expressly prohibit the use or disclosure of a commenter’s ‘relevant contact details’ for purposes other than those required to initiate legal proceedings for defamation, and make contravention of this requirement subject to a penalty.

Recommendation 8 Consider developing guidance around how consent should be properly obtained by social media services in the context of the complaints framework set out in the Bill.

Footnotes

[1] Attorney-General’s Department (AGD), Detailed Explanatory Notes – Social Media (Anti-Trolling) Bill 2021, AGD website, December 2021, accessed 17 January 2022, p 2.

[2] OAIC, ‘Chapter 2: APP 2 – Anonymity and pseudonymity’, Australian Privacy Principles guidelines, OAIC website, 22 July 2019, accessed 17 January 2022.

[3] AGD, Explanatory paper – Social Media (Anti-Trolling) Bill 2021, AGD, December 2021, accessed 17 January 2022, p 3.

[4] Joint Committee on the Draft Online Safety Bill, Draft Online Safety Bill – Report of Session 2021-22, UK Parliament website, 14 December 2021, accessed 17 January 2022, p 34.

[5] AGD, Explanatory paper – Social Media (Anti-Trolling) Bill 2021, AGD, December 2021, accessed 17 January 2022, p 3.

[6] AGD, Explanatory paper – Social Media (Anti-Trolling) Bill 2021, AGD, December 2021, accessed 17 January 2022, p 4.

[7] We note that AGD’s ‘Frequently Asked Questions’ indicate that around 1 in 7 Australians have been subjected to hate speech online, and that many report a negative impact as a result. In about 10% of cases, the negative impact is reputational damage—and this proportion appears to be higher amongst the LGBTIQ+, Indigenous, CALD and disability communities. See https://www.ag.gov.au/legal-system/social-media-anti-trolling-bill/frequently-asked-questions

[8] Online Safety Act 2021, s 194.

[9] Online Safety Act 2021, s 195.

[10] The Commissioner has specific monitoring related functions under the Privacy Act, which include, but are not limited to, ensuring that any adverse effects of a proposed enactment on the privacy of individuals are minimised (see s 28A(2)(c) of the Privacy Act).

[11] AGD, Detailed Explanatory Notes – Social Media (Anti-Trolling) Bill 2021, AGD website, December 2021, accessed 17 January 2022, p 4.

[12] See cl 6 and cl 30 of the Bill.