On this page
The Privacy Awareness Week 2016 Business Breakfast was held on Monday 16 May 2016. Professor Joe Cannataci, the first United Nations Special Rapporteur on the right to privacy, provided his global perspective on the future of big data, cyber security and privacy development. Timothy Pilgrim PSM, the Australian Privacy Commissioner, provided updates on the latest developments from his Office, and a look into what the future could bring for personal information handling for businesses.
Timothy Pilgrim, PSM — Australian Privacy Commissioner
Good morning everyone. And I'd like to start by acknowledging the Gadigal people of the Eora nation, the traditional custodians of the land on which we're meeting today, and offer my respects to their elders past and present.
My first apology is going to be for my voice. There was too much trying to sing along with the Ukrainian song in Eurovision yesterday. And yes, for those of you who don't like early starts, I was up at 5 o'clock in the morning making waffles and watching it. So yes you can say tragic or you can say many things. But I am back again this morning for an early start.
Now on that note, I do have to do some formalities first and just let you know the following, that in the event of an emergency, please follow the hotel staff's directions. We do have a Twitter link for you to use which is #2016PAW. No surprise there. And a final one so I don't have to say it at the end, don't forget to complete the evaluation forms.
So, again, good morning everyone and it's great to see the turnout today. For those of you who may not know me, my name is Timothy Pilgrim and I'm Australia's Privacy Commissioner and also the acting Australian Information Commissioner. So welcome to Privacy Awareness Week 2016 and our signature business event, the Privacy Business Breakfast.
So looking around the room, I can see quite a number of familiar faces, people who have all been supporting Privacy Awareness Week for quite some time, and also supporting good privacy corporate practices for many years.
I also see this as an endorsement of the extent to which privacy governance has found its place in business and agencies. We have more people from more organizations here today than at any past business breakfast.
It's also a symbol of how Privacy Awareness Week, or PAW as we fondly call it in the office, has matured on our national business and regulatory calendar.
PAW was originally conceived as a joint exercise between the Asia Pacific Privacy Authorities to raise privacy awareness as an emerging issue in the APEC region.
However, privacy has grown in public consciousness, customer consideration, and business governments to such an extent that the original desire to raise awareness of privacy, per se, has been eclipsed.
Privacy is now a cross-sector and cross-border conversation.
It affects any business that relies on personal information for its success. And that's pretty much every business.
It affects any government agency, which seeks to improve its ability to better target and deliver services. And that is every agency.
It's paramount to consumers or clients who have investment in their personal identity and want transparency and choice about how their identity is used and protected. And that's pretty much everyone.
I can assure you from the perspective of my office, seeing the calls that come in, the questions that are raised, the complaints that are filed, that privacy remains and continues to increase as a key issue for the community.
I know that as Australian consumers are known to be early adopters and heavy users of new technology, it may sometimes appear that privacy is not a top of mind issue for consumers.
But with the rush of excitement about suddenly being able to access new retail and media now cooling, and consumers being more considered, caring for one's own personal identity remains core.
This was reinforced just last week in the release of the Deloitte Privacy Index, which reported that 94% of customers believed trust is more important than convenience in their product and service choices.
That clear resurgence of trust over convenience also points to the rewards for businesses who have already adopted the “privacy by design” approach. The idea that privacy can be a bolt-on extra has always been impractical from a regulator's perspective, but is now also undesirable from a consumer’s.
So it's fair to say that there has never been a more important time to ensure that privacy is built into the fabric of business, and into every product and service development.
Now in this era of data-driven economy, where innovation itself relies increasingly on using personal information in new technological contexts, businesses and agencies know that if they go down this path, it will be essential that they get privacy right in order for long-term success to follow.
And also privacy is very much an international conversation.
For domestic businesses, particularly those focusing both on a domestic and a global market, the impact of the international developments such as the new AU regulation or the US safe harbor decision and the resulting development of the US privacy shield will be felt in Australia, which is why today is so important.
The international growth in public interest and understanding of privacy as a significant information-age concern and the recognition in government and corporate responses to that interest has also allowed more contemporary debates about privacy integration to emerge.
We no longer need to debate if privacy is important and can instead focus on the current and emerging challenges we need to discuss and resolve.
And with our baseline knowledge and awareness of privacy governance established, we can start to debate some of the more complex and nuanced issues that privacy raises — we can also allow room for new and challenging voices, which is, again, one of the primary points of today's events.
Those of you who have joined us before may recall that at this annual privacy breakfast, it's customary for me to give a wide-ranging speech on the year ahead from the perspective of my office and its role as Australia's privacy regulator.
It won't be as wide-ranging today, and I think I just heard someone sigh.
But don't take this to imply that my office doesn't have a diverse agenda for the coming year.
We certainly do.
But let me just reflect for a moment and say now for those of you who have worked closely with our office over the recent years, you'll be aware that the last couple of years have been a little challenging to say the least.
In the 2014 Budget, the Government announced its intention to disband the OAIC, introduce new arrangements for the handling of FOI matters, and re-establish an Office of the Privacy Commissioner.
However, as part of the 2016 Budget, the Government announced that it would not proceed with those changes and returned funding to the OAIC to enable it to continue with its regulating role under both the Privacy and the FOI Acts.
As you might expect then, with the funding of the agency and our privacy and FOI functions now confirmed, you'll be hearing a great deal from us and in a diversity of fora, and different locations.
Starting this month, the OAIC's new Privacy Professionals Network will provide opportunities throughout the year to engage on the latest business and government privacy regulation debates; and to hear updates and be involved in policy development with our team in the office.
I am delighted to say that the first of these meetings will take place in a fortnight's time in Perth.
This will in turn be the start of a calendar of professional meetings and seminars to be held in major cities around the country. But the choice to begin in West Australia is a deliberate one, which sends, I hope, a positive symbol of how this national regulator intends to engage with privacy professionals on a national basis.
And let's face it, to be a little realistic, as good as the catering here is at The Weston, it's a lot to ask people to endure the red-eye flight from Perth just for the privilege of eating with us.
But turning now to this year, you'll also be hearing from us on the important issue of how Australia can not only manage but lead the way in reconciling the significant policy and innovation potential of big data with the vital public confidence that comes from the protection of personal information.
Exploring and testing this potential is undeniably a current reality of Australian business and government; and as Australia's privacy regulator, I must respond to that reality. For this reason, my Office is consulting on a draft Guide to big data in the context of the Australian Privacy Principles.
This is being developed in recognition of the use of data and its potential to bring about social and economic benefits.
But in order to realise those benefits, we need to get privacy right as it is critical to consumer and public trust.
There is no doubt that big data practices challenge us to think about how key existing privacy principles — including notice and consent, data collection, use limitation and retention minimisation — work in practice.
However, the APPs are technologically neutral, and structured to reflect the entirety of the information lifecycle.
This means entities have the flexibility to tailor their personal information handling practices to respond to the privacy challenges of big data uses.
The draft guide is aimed at facilitating big data activities while protecting personal information. It encouraged entities to take a risk management approach and to use existing privacy tools to get privacy right in the big data context. Key privacy requirements and helpful privacy tips are outlined in the draft guide. And we want your feedback so together we can get privacy right in this important area.
And as I recently outlined at the CeBIT 2016 conference a couple of weeks ago, my Office is of the view that obtaining a great understanding of the role that de-identification can play in this area is a key priority and one we want industry and expert input on.
De-identification, if done properly, can be a privacy enhancing tool with potential to unlock the value of big data. And the OAIC will be revisiting its guidance on de-identification in coming months. To that end, we will be conducting a series of conversations through the Privacy Professionals Network, and other networks to work with business, government, consumer and technical groups on the possibilities of de-identification.
We want to ensure that our end guidance is not only an accurate reflection of the Privacy Act, but also a practical and reliable solution that builds public confidence in the potential public benefits of data driven innovation.
To be clear, my Office understands the value of information.
Indeed, the FOI Act, which I also regulate, is underpinned by the principle that government held information is a national resource — with all the associated expectations as to how it should be used in transparent public interest and to the best value.
We also understand that the value of this information is often best realised when it can be shared, used and built upon. And as principals based law, the Privacy Act is flexible enough to support all manner of data initiatives provided that an integrated approach to privacy management is taken upfront.
With this in mind, you'll also see a lot of focus from us on the Internet of Things and tech start up sectors this year — working to build privacy governance into the outset of our future tech-leading companies.
We are collaborating with these sectors on the need to get privacy right. And are encouraging them to make use of tools like our Privacy Management Framework and our template for small and medium enterprises, which you can find in the show bags on your chair.
This collaborative approach is our preferred model to regulation, but rest assured that it will continue to be supported by a robust calendar of assessments, investigations in a variety of businesses and government sectors.
Without divulging our full assessment calendar, I can say that — building on our recent assessment of Coles and Woolworths loyalty programs so far this year — it will include a look at some of the other most popular loyalty schemes in Australia.
You'll probably want to ask which programs I'm talking about, but sorry that's going to be just a little bit too much of a spoiler. All I can suggest is have your privacy management frameworks well established.
We will also be continuing a strong focus on telecommunications as part of our oversight of the privacy aspects of the telecommunications metadata retention regime. As well as examining government agencies with significant personal information holdings.
I stress though, that being the subject of an assessment does not necessarily mean there's anything untoward going on. But our assessments are vital to providing consumer and public transparency as to how their individual privacy rights are being protected and respected. They're also designed to assist entities to enhance their information handling practices.
The focus on individual rights also continues this year with the start-up of another important consultative forum, our Consumer Privacy Network, the CPN. The first meeting of which will be held next week.
I look forward to the CPN, informing many of the policy, and public, and education initiatives we have planned for the coming year — particularly, as we look to expand the public education information role of the OAIC to ensure that people continue to be aware of their privacy rights and importantly how to exercise them.
This will continue to be supported by a dispute resolution, conciliation, and determination system that I am pleased to say is now running more effectively and efficiently than ever before — providing timely and fair outcomes for complainants as well clear guidance to business and agencies on regulatory expectations.
For example, one of our top sources of complaints is about giving access to individuals own personal information. We want to make it easier for businesses and agencies to get this right. So we've developed a new access and correction resource which you can also find in your show bags.
More broadly, last financial year our office received just about 12,200 privacy specific inquiries. We opened almost 3,000 complaints and we closed almost 2,000, as well as handling 117 voluntary data breach notifications. We also undertook 19 assessments involving 101 entities across government and business.
Our average resolution time for formal complaints has also come down significantly.
If that were not enough privacy interest for the year ahead, then I also note that in August the very definition of personal information — arguably the most important term in the Privacy Act — will be considered by the full bench of the Federal Court.
As many of you will recall, this definition was explored by the Administrative Appeals Tribunal in an appeal of my determination in the matter of Grubb vs Telstra.
The AAT's decision presents, potentially, a new and different scope to what constitutes personal information under the Privacy Act.
I firmly believe that clarity and certainty around the definition are critical to the operation of the act and to the fair and reasonable expectations of any business or agency which is required to be accountable to it.
Accordingly, I'm of the view that consideration of the issue by the full bench of the Federal Court is essential for both our office and the entities we regulate.
So there is much for us to talk about this year in Australia in the context of privacy.
But for now, let me turn to the international perspective.
This Privacy Awareness Week has taken on a decidedly international perspective, thanks to the involvement of our keynote speaker today, the United Nations Special Rapporteur for Privacy, Professor Joseph Cannataci.
Professor Cannataci's appointment is in itself a significant milestone in the international recognition of privacy as a fundamental human right.
And his remarks on privacy and data protection concerns in various jurisdictions have already generated significant new interest, awareness and debate on the international stage.
So, unsurprisingly, when my colleague John Edwards, the New Zealand Privacy Commissioner and I had mentioned Privacy Awareness Week to Joe in passing last year, he was keenly interested.
When that interest converted into a potential joint invitation by Australia and New Zealand to visit our respective nations for Privacy Awareness Week, I was delighted that my Office could participate.
After all, the opportunity to facilitate the first visit by the UN's first Privacy Rapporteur to Australia goes to the heart of the fundamental purpose of Privacy Awareness Week, and of my Office's public awareness and education functions.
I, like you, look forward to hearing the Rapporteur's thoughts today. I'm certain that Professor Cannataci's views will be interesting, illuminating, and challenging, bringing us a contemporary view on privacy from an international perspective.
It probably goes without saying — but I'm going to anyway, that Professor Cannataci's leadership and privacy and information law and academia is as extensive as it is impressive.
He is the head of the Department of Information Policy and Governance at the Faculty of Media and Knowledge Sciences in the University of Malta.
He also holds the Chair of European Information Policy and Technology Law within the Faculty of Law of the University of Groningen, where he co-founded the STeP Research Group.
He is an Adjunct Professor at the Security Research Institution and the School of Computer and Security Science at Edith Cowan University here in Australia, and so he's no stranger to our shores.
He has written numerous books, text chapters and articles on data protection, medical informatics, copyright and intellectual property, dispute resolution, data retention, and data surveillance. He serves on the editorial boards of six peer-reviewed journals.
In 2002, he was decorated by the Republic of France, citing his pioneering role in the development of technology law, and especially privacy law.
With this background, it was perhaps unsurprising then that when the United Nations Human Rights Council sought its inaugural Special Rapporteur on the right to privacy in July 2015, their search led ultimately to Professor Cannataci.
While, as I said, not a stranger to our shores personally, this is his first visit to Australia in his United Nations capacity, and this morning is his first public Australian address.
Ladies and gentlemen, please welcome to Sydney, Professor Joe Cannataci.
Professor Joe Cannataci — United Nations Special Rapporteur on the right to privacy
So good morning everybody. Thank you very much Tim for your very kind invitation. And it's always so good to be back in Australia.
You will see that my connections to Australia have also introduced me to the concept of a fair go. And you'll understand I should tell you at the outset that Timothy Pilgrim and myself did not share notes about what we're going to talk about.
But certainly both in the first set of slides and the last slides, you'll understand that we do have a couple of things in common. We both get up in the morning to root for something. Though I must say in my case, it's not Eurovision. [Slide 1]
So, now you have to keep this a secret, ladies and gentlemen. So no tweeting about this please, because I'm supposed to be the Rapporteur for all the world, for all the 190 countries in the world. So, nobody can know who I root for when it comes to cricket, right?
And why have I chosen cricket? Because that, of course, is one of the many areas where Australians are proud to do it best, right? I mean, and of course [Slide 2] there are so many things that Australia does best that [Slide 3] it's why I want to talk about Australia being best, all right?
When I was still a very young child at school, they told us this. [Slide 4] I mean, I was told “good, better, best, let us never rest 'til the good is better and the better, best”. Well, I think it's by St. Jerome. That's what I found on the Internet and since I found it on the Internet, it must be right, right?
But the point is, if somebody had to honestly ask me as a proud friend and lover of Australia, is Australia the best when it comes to privacy? And the answer, sadly, is no. It's good, especially thanks to all you folks here and all of the efforts by Timothy's Office. Could we be better? [Slide 5] Much, and this is precisely what my challenge to you and to Australia is.
As United Nations Special Rapporteur for Privacy, I need Australia to be best at privacy. And I want to explain why. Why I want Australia to take a lead when it comes to privacy.
[Slide 6] Especially because in an Internet without borders, we need safeguards without borders, and we need remedies which go across borders.
And this is one of the areas, why, you have to look around and say, okay, we know what to do when we want our team in cricket to beat the rest of the world, when we want to be best. And what do the coaches do, do they run down films of all the opposition? You bet they do. Is Australia running down the films of what the competition is doing when it comes to privacy laws? I know that Timothy and Office his does. I only hope that sometimes some of the members of Australia's Parliament do.
[Slide 7] Because it takes me back to what things which are quintessentially Australian, right? I picked these out of the Internet as I was preparing for the speech, and a fair go is one of the things which has always struck about me Australia.
And if you go on the Internet and just Google “Fair Go Australia”, [Slide 8] you get a whole load of jazz. [Slide 9] From this and that, and you see some of the values coming through, right? Pursuing common good where all people are treated fairly for a just society. And [Slide 10] understand that we have the right to have a go and to have a say.
But I also found this, right? [Slide 11] Is Australia still the land of the fair go? And fair go or fair gone? And that's one of the questions that I'd like us to ask ourselves together as we try to work towards a better society.
Well, [Slide 12] one of the things in which I'd like to talk about too, is the extent to which privacy is all part of the concept of a fair go, and the opportunity to develop one's personality in the freest of manners.
And this is where I want to ask you to ask yourselves a basic question. And that is, why privacy? Why privacy? In a land like Australia where you have one the oldest continuing civilizations on the planet, especially in terms of Australia's indigenous peoples, why privacy? What is the evolutionary advantage of privacy?
And I'd like to suggest to you that privacy is so important because, while it's a standalone right, it's also an enabling right. The main function of privacy, like freedom of expression, like freedom of information, for which Timothy Pilgrim's Office is also responsible for. It's because these three rights together, all of them information related rights, these three rights together help each one of us develop our personality, and develop our personality in a free and unhindered manner.
Because life is not only about who we are, but also who we want to become, who we want to be. And a fair go is all about the freedom of deciding where we want to go in our lives and how we get there.
You can't do that unless you have the freedom to express yourself, to receive information, to impart information. You can't have that in a democratic society where we have given a mandate to our government to keep information on our behalf without having access to that information in terms of the Freedom of Information Act.
And, ladies and gentlemen, we can't do that unless we have privacy, unless we have the bubble of privacy, and a big bubble. Which, we can see through, but only those people we allow can see back in. And that bubble of privacy is so important in so many ways. It's important to enable ourselves to find ourselves, to discover ourselves, to develop ourselves in all ways, including our sexuality, including our sexual identity, who we want to become.
And that is where privacy, obviously, acquires new dimensions. In fact, [Slide 13] in my latest blog last week, I asked each of my daughters to sign a consent form so that I can speak about them. And the whole idea was in order to try and explain, I sat down and reflected the extent the which our attitude to privacy inside our house actually contributed to their development of their personality. And I should plead guilty to the fact that all of my three daughters not only signed off and encouraged me, but they're all adults. They're all over the age of 18. And the whole idea, of course, was when I asked them, is it okay if I tell people out there that you were allowed to bring your boyfriends home and to let them sleep over? They said yeah, fine. Because the way that they discovered their identity — and I should talk about girlfriends too, because privacy is also very important to the LGBTI community — in the way that people develop themselves. And certainly, there's been a lot of interest in that. [Slide 14]
But let's go to thinking about where we are today, right? Timothy Pilgrim spelled out a number of persuasive arguments in his speech as to why privacy is important for business. But let's think about all the data we have today and some of the ideas that I'd like to share with you. Then, we'll come back to Australia and finish with Australia.
This slide is now already eight months old, because it's now no longer 1 billion people on Facebook. It's now roughly 1.3 billion. But it was news eight months ago that a billion people used Facebook on a Monday. And [Slide 15] what's even more news is the way we using it, people use their mobile phone 90% of people are accessing Facebook on their mobile phone. [Slide 16]
A few more facts is the way we're using video, the way that this tracking device that we can carry around with us, and which also happens to make phone calls is being used increasingly for video. And as you can see, I try to learn from my daughters and they tell me that, dad, Facebook is not cool anymore. And so without going too much into the philosophy of cool, I think it's important also to think of the way that these devices are being used to capture data and share it with other people in a way which none of us did ten years ago. [Slide 17]
A headline which caught my interest is that, “In the world of Big Data, privacy invasion is the business model”. Now, I'm not going to agree with that, and I'm not going to disagree with that. Hopefully, will be asked some questions about that. But, do I think there are huge risks? Yes there are, and I'll talk about some of them here in a minute. [Slide 18] Because without knowing it, but certainly much to the delight of security services around the world, we are now generating so much data that we have entered into what Peter Swire calls, The Golden Age of Surveillance.
And the point is, can we reclaim, the way back to where we were 20 years ago? Because, you see, when you ask people what you are aware of, and Timothy was telling you about all the research groups that I lead and have led for the past 25, 30 years, and we carry out lots and lots of empirical investigations. We ask people out there in the street through hundreds of focus groups, thousands of interviews, tens of thousands of online questionnaires, we ask, what do you think about surveillance? Do you care about privacy?
But most people can more or less remember — many, not everything — what they put online. But most people are not aware of the huge tonnes of metadata that they generate and how those are used.
And the point is, from a scientific point of view, from the point of view of big data, we don't know whether we can actually have policies of open data for all the good reasons that Timothy Pilgrim talked about, in the sense that, public data is a resource, but actually primarily, I think we should nuance that a bit by remembering that it's the citizens right to access data which is held on his own mandate — is actually the real right.
There is no right to mine publicly held data. There's a policy. There's a policy in Europe. There is a policy in the United States. There's apparently an interest of having the same kind of policy in Australia. There's certainly a lot of talk about to the New Zealand, but is it the right policy? Is it a wise policy? Perhaps, we can explore that further during the discussion.
[Slide 19] Let me read this to you, especially for those people like me. This was written nearly 50 years ago by Aleksandr Solzhenitsyn. And what Solzhenitsyn said, this [Slide INAUDIBLE] with the information that people give. If only I could write this beautifully.
“As every man goes through life, he fills in a number of forms for the record. Each containing a number of questions. There are thus hundreds of little threads radiating from every man, millions of threads in all. If these threads were suddenly to become visible, the whole sky would look like a spider's web, and if they materialized like rubber bands, buses and trams and even people would lose the ability to move and the wind would be unable to carry torn-up newspapers or autumn leaves along the streets of the city.”
And this is about the kind of information we put in forms. The difference is that 50 years later, [Slide 20] especially with looks at things like Smart City and I've talked to some people in Sydney, who are interested in Sydney and other cities becoming smart cities. Smart cities make Solzhenitsyn's concerns look miniscule, because it's literally a case that — with all the sensors we would have in a smart city — it's literally a case of “every breath you take, every step you make, I'll be watching you”.
And in fact [Slide 21] when you look at — this comes from a mouse pad I saw for sale. It is true that we are always online. [Slide 22] And in fact, wherever you go, this is one of the new phenomena that we've seen in the world that we're always on [Slide 23] and wherever you go, you see — you walk around Sydney, it's no exception, it's actually leading the place there to — we're always online. [Slide 24] Wherever you go, outside, inside. Apparently [Slide 25] we're led to believe, I got this off the internet too, ladies and gentlemen, some people out there are always online and they're inviting you to chat.
And in actual fact, I rather like this cartoon [Slide 26] because the issue is, of course, the extent of digital footprints we're leaving around. And remember one thing, this is no longer a case of leaving digital footprints in Australia. Or only Australians leaving digital footprints. Australians are leaving digital footprints all over the planet. And other people are leaving digital footprints all over Australian sites.
[Slide 27] So, something which I really love about Australia and being here with all my Australian friends, is the good life. There's one thing Australians are really good at, is the good life. [Slide 28] And the good life has a number of perspectives, [Slide 29] but let me just quote Richard Branson, not because some of his airlines fly here, but because he did say this thing about risk. And I'd like you to think about data, and privacy, and risk management. And Branson said, “Every risk is worth taking as long as it's for a good cause, and contributes to a good life.”
One of the things I want you to ask yourselves is, are we taking too many risks when it comes to privacy?
[Slide 30] And this is where I'd like to take you back and I've deliberately chosen very old quotes. I deliberately went back to find very old quotes, because I want to go on from the concept of privacy and the fair go, to privacy, autonomy and freedom.
And Sieghart in ‘83 said that, “in a society where modern information technology is developing fast, many others may be able to find out how we act. And that, in turn, may reduce our freedom to act as we please, because once others discover how we act, they may think that it is in their interest, or in the interest of society or even in our own interest to dissuade us, discourage us or even stopping us from doing what we want to do and seek to manipulate us to do what they want.”
And I will apologize if the next slide is actually quoting myself from 30 years ago. But try as I might, I still can't disagree with myself on this point.
So, let me let you have it. I'm trying, there we are. [Slide 31] And what I was saying in my first book of privacy (and you see it’s celebrating 30 years now from that book), is that “shorn of the cloak of privacy that protects him, an individual becomes transparent, and therefore manipulable. A manipulable individual, is at the mercy of those who control the information held about him. And his freedom, which is often relative at best, shrinks in direct proportion to the extent and the nature of the options and alternatives which are left open to him, by those who control the information.”
And this is why I think [Slide 32] that it's so important that when we look at a good life, at the risks that we're looking at for a good life, the quality of life is defined by some values which relate to autonomy. So when trying to bring a number of things together, and we look at the right to free development of personality, which is not articulated as such as a right under Australian law, though it is under the constitutional law of many countries, especially countries as far apart as Germany, as Brazil, as Colombia, as a whole bunch of Nordic countries in Europe, perhaps, because in Australia, the right to free development of personality is subconsciously assumed within the right of having a fair go. But try to go to court and talk about the fair go. Try to go to your poor Information Commissioner and talk about the fair go.
At the same time, the sense of autonomy as a value, freedom to do as one likes within certain limits, the right to self-determination is a value emanating from the value of autonomy. And the right to political self-determination, which, of course, we see the Australians practice time and time and again, leads us also to think about the right to informational self-determination, which is defined as such now under German constitutional law, but not under Australian laws, again.
And here I'm talking about informational self-determination as a design criteria for smart cities. [Slide 33] But, in fact, I'd like you to go back not necessarily to read all of Jean-Jacques Rousseau’s The Social Contract, but to think about it in a sense, are we redefining the social contract or more importantly, is the social contract being redefined for us? [Slide 34] Because, and especially asking the question, have the last ten years of the Internet already changed the social contract? Where technology development is key, where private corporations, however, have taken advantage of the technology development but the fine print of the business model is not one which most people read very carefully. And indeed, it's not spelled out very carefully.
And governments have also taken advantage of technology development. They have not been telling the citizens about how they are using it to snoop upon them. Many governments are not. So and until recently, there was no structured discussion about the way corporations and governments have been changing the social contract without formal or informal consultation. Which is why, of course, Privacy Awareness Week and all the activities of your Office of the Australian Information Commissioner are so important in generating more structured discussion about the impact this rewriting of the social contract is having.
[Slide 35] So, back to my question. Somebody else's question actually, just borrowed it. I wish I knew who so I could credit it properly. Is Australia still the land of the fair go? [Slide 36] And, if you were to look at several documents which have been produced by the Australian Law Reform Commission, by many people around Australia, there is no question that Australia recognises its international commitments. Australia has signed up to the Universal Declaration of Human Rights, it has signed up to the International Covenant of Civil and Political Rights. And Australia already recognises that it can do better.
You don't actually need me to come along to tell you this. You guys have been saying this yourselves. Perhaps you just need me to remind you about it and also to remind you how important it is that you also do something for the rest of the world about it.
Because the question, of course, is when are you going to do something about it? And, I'm here to encourage you not only to do better, but to become the best. And I'm here to encourage you to do something ASAP because it's good for Australians. That's the most important thing. It's good for business and it's good for the world.
And let me use a few words by Australians to show you the consciousness that Australians have built about this. [Slide 37] And I'm just going to pick up on one report. In the past 30 years, I've literally stopped counting how many reports I've collected by Australians about privacy in their own country. Which is why I'm now so keen. Can you guys do something about that before I retire?
Because, in actual fact, and I'm just going to pick up a few texts from the latest discussion document from the Australian Law Reform Commission, which is entitled Serious Invasions of Privacy in the Digital Era. [Slide 38] And let's look at a few points which come out of there. So what the ALRC is saying is that Australia needs a new standalone Commonwealth Act, that the cause of action about privacy should be set up in a new Act rather than the Privacy Act. Now I'm not asking you necessarily to agree with this. I'm just showing you a few examples of thinking by the ALRC.
But the thinking of the ALRC, certainly in this 4.3, is actually interesting because they do recognise that the cause of action is designed to remedy a number of different types of invasions of privacy, including physical invasions of privacy. So what I'm trying to say is that it's going in the right direction because it's not only looking at information privacy but all of privacy.
Also, if you see [Slide 39] the other things that the ALRC is saying, and this is why I look upon it as opportunities — I'm calling this opportunities for Australia to act but also to lead.
And let me share a few points with you.
As you know, Australia is active within APAC and I'm not saying it's a bad thing, all right? It's a step in the right direction. But it does not get you to your destination if your destination's human rights. It's as simple as that.
So it's a funny position, isn't it? We have the ALRC saying that Australia is internationally committed to human rights. Yet, inside Australia, is privacy actionable as a human right? And is your contribution to APAC, however valid, enough to get you back to fundamental human rights? And, so the best thing I suspect is to belong to a human rights instrument, rather to the kind of instrument that APAC has going.
The problem, of course, is that while regional human rights models work, and for you to see how much they work in this case, I would suggest that the privacy coaches in Australia do what the cricket coaches do and look at what's been happening in Europe.
And don't get me wrong, I'm not saying that Europe is perfect or that there aren't problems about Europe's privacy laws. If you get me going about them, you'll be here until next year's Privacy Breakfast.
But has Europe made progress in privacy over the last 40 years? You bet it has.
Has it made it with a lot of public debate? Of course it has.
But privacy in Europe is recognised as a fundamental human right. Privacy is recognised as being a constitutional right in most European countries. In fact, I'm trying to think of one where it's not.
Can the same be said of Australia?
And it's not as if any of the Australian people I meet, or any of my Australian friends, don't think privacy is important.
Which is why, of course, and here we come to business too. What can Australia do which is good for business, and which is also good for Australia and Australians, and which is also good for Australia on the international stage?
And Timothy Pilgrim was so correctly telling you and referring you to the latest changes and developments in Europe and the GDPR, the General Data Protection Regulation.
And let's ask ourselves a basic question. Is it such a bad idea to try to have Australian levels of protection of privacy, at least at the same level as Europeans?
I suggest you should go better, have even higher standards than Europeans. Because you don't need to go down a route which is as financially inefficient as the United States has.
And it's all very well and good to say, we have our own way of doing things. Fine, you have your own way of doing things, but if I had to pick on the United States as a model, has anybody asked themselves the question why the United States is spending almost three times as much as anybody else on its medical care and yet is number 17 or 27 as scales of quality of medical care. Just because you have your own way of doing things doesn't mean it's the most efficient way of doing things and of course you have the right to do things your own way. It's your money.
But is it— When you ask yourself the question, this is what I tell my American friends before I come back to Australia. What I tell my American friends is, why do you think that out of the 102 countries on the planet which have introduced privacy laws, not one has copied the United States model. Hey, not one. Because it's bloody inefficient, pardon the French. It's something that you have to see whether it's working or not.
Which is why my challenge to Australia is: show them that you can be as good as privacy as cricket, as we are at cricket. Because, and this is where I'd like you to also look at — and I invite you — you see the Europeans because of all the problems they've been with, after so many thousands of years of fighting each other, have kind of got an incentive not to fight each other anymore. And are fighting their wars by, do you want to buy a Volkswagen or I'm sorry, they were cheating there. Do you want to buy another car, instead of a Peugeot or a Citroen? And, I'm back to this point. The Europeans are accustomed to signing one, two, three treaties about the same thing.
So nothing prevents Australia from being part of APAC — being part of a regional body — but also being part of the mother of all data protection conventions: Convention 108. And if anybody had to ask me, is there value for Australia? And my frank answer is yes. You tell me what you're going to lose by signing. Please tell me what you're going to lose by ratifying it. Because it is an incentive to bring Australia's standards clearly up to European standards and therefore make life for business in Australia that much easier. It's not simple, but it's not that difficult either.
And let me come to my final two slides which deal with how I think that Australia can lead regionally. Guys, I need you out here. I need you to set a good example, I need you to help me go across the sea into Asia, and bring people on board with your good practices. But if you're not going to do that, you're going to leave me out on a limb.
Can you put yourselves in my shoes please and remember that I have to meet everybody around the planet, including the Chinese, including the Malaysians, including the Koreans, including so many of your neighbours?
Can you imagine how important it is for me to have Australia together with New Zealand co-leading in the sphere? It's hugely important, and I'd like to put it to you that you have the great potential, a great richness not only to do some things regionally, but also to do them globally, [Slide 40] let me finish on that.
For a long time, I have also taken a deep interest in indigenous matters, and previously in indigenous matters. You are sitting on yet another gold mine, ladies and gentlemen. The Aboriginal peoples of Australia have some of the richest sets of information ethics and privacy neighbouring rules, which have been developed over the past 30,000 years. I'll be speaking about those in more detail tomorrow evening at ANU in Canberra.
But just take it from me, and not from me, here. I am quoting the ALRC here. What the ALRC say this time around and they've said different things on different occasions but to the same effect. Let me read this, especially for those like myself don't see too clearly from the back of the room. So this is Australians talking about it. Not Joe.
“Privacy also gives individuals greater freedom to pursue their cultural interests free from undue interference from others. This freedom may be particularly important for some ethnic, religious, and cultural groups, such as Aboriginal and Torres Strait Islander people, who have a particular cultural identity. Knowledge and customs that bear on the privacy interests of individuals within the group.
“6.48. The culture and background of a plaintiff may also be relevant to whether he or she has a reasonable expectation of privacy. Some information may be considered to be more private in some cultures than in others. These expectations may be well known in the community.
“6.49. For example, the cultural expectations of Aboriginal and Torres Strait Islander peoples and other cultural or ethnic groups may also be relevant in some cases to the reasonable expectation of privacy in the circumstances.”
Do you know how important this is to me? Do you know how many indigenous peoples around the world I have to try and help when it comes it to privacy matters?
Which is why you're sitting on a gold mine here. Which is why I strongly encourage you to make a concerted effort to try and learn from the traditions and the information ethics and all the knowledge about privacy neighbouring rights, which have been developed within the indigenous peoples, see the extent to which they can inform the ongoing debate about privacy in Australia.
And then come and help me do the same process across the world, which is why I am challenging Australia to take up global leadership in this.
And, well, we all know now what Timothy Pilgrim sometimes does on a Sunday morning at 5 o'clock, I'm looking forward to tasting those waffles. [Slide 41] Online you can go and buy this banner. My words to you, my parting words are very simple. If you want to root for something and I want to root for Australia as strongly as I do, in areas outside privacy, it's very simple. Go Australia when it comes to privacy.
[Slide 42] Thank you very much ladies and gentlemen.
[Slide 1] Photo of the Australia national cricket team celebrating winning the 2015 Cricket World Cup
[Slide 2] Photo of a kangaroo lying on a beach
[Slide 3] Photo of Uluru with a kangaroo road sign. Text: “Our World is Awesome. Best of Australia.”
[Slide 4] Quote from St Jerome against photo of green mountains. Quote: “Good, better, best. Never let it rest. ‘Til your good is better and your better is best.”
[Slide 5] Text: “My challenge to you. Now I need Australia to be best at privacy. Joe Cannataci, UN Special Rapporteur on Privacy.” Logos: “Nations Unies Droits de L’Homme Haut-Commissariat / United Nations Human Rights Office of the High Commissioner; “University of Groningen”; “Edith Cowan University”; “L-Università ta' Malta / University of Malta”.
[Slide 6] Text: “In an Internet without borders. We need: Safeguards without borders; Remedies across borders.”
[Slide 7] Graphic: silhouettes of leaping people with text: “Fair Go Australia.”
[Slide 8] Graphic: “Fair go”
[Slide 9] Illustration of Australian animals. Text: “Fair go. Pursue and protect the common good where all people are treated fairly for a just society.”
[Slide 10] Illustration of two children playing with a ball. Text: “Fair go. Understand that we all have the right to ‘have a go’ or ‘have a say’. Wonder how another person feels in this situation. Think about how to make things ‘fair’ for everyone.”
[Slide 11] Graphic of road sign in the outback. Arrow pointing right labelled “Fair go”. Arrow pointing left labelled “Fair gone”. Text: “Is Australia still the land of the fair go?”
[Slide 12] Text slide. Heading: “A Fair Go.” Content:
- Privacy is all part of the concept of A Fair Go
- The opportunity to develop one’s personality in the freest of manners
- The right to free, unhindered development of personality
- To develop yourself freely you need:
- Freedom of Expression: receive/impart information
- Freedom of Access to publicly-held information
[Slide 15] Screenshot of FOX6Now.com article, 4 November 2015, “Nearly everyone now using Facebook on their phones: 90% on mobile”.
[Slide 16] Screenshot of CNET article, 9 November 2015, “Snapchat closes in on Facebook as it hits 6 billion daily video views”.
[Slide 17] Screenshot of CNET article, 29 February 2012, “In the world of Big Data, privacy invasion is the business model”.
[Slide 19] Photo of and quote from Aleksandr Solzhenitsyn: “As every man goes through life he fills in a number of forms for the record, each containing a number of questions… There are thus hundreds of little threads radiating from every man, millions of threads in all. If these threads were suddenly to become visible, the whole sky would look like a spider’s web, and if they materialized like rubber bands, buses and trams and even people would lose the ability to move and the wind would be unable to carry torn-up newspapers or autumn leaves along the streets of the city.”
[Slide 20] Text slide. Two graphics of footprints, the first filled with ones and zeroes, and the second filled with the logos of web and social media companies. Heading: “Smart cities make Solzhenitsyn’s concerns look miniscule.” Content:
- It is no longer (only) the forms that we fill
- It is the electronic tracks that we leave everywhere…
- … and of which most of us are often never conscious
[Slide 21] Photo of a mouse pad with design “Always online” and a pink mouse shaped like a heart.
[Slide 22] Graphic: A globe with a cord connecting to the words “always on.”
[Slide 23] Stock photo: Woman with laptop at home, with graphic of t-shirt with wifi symbol and text: “Always online”.
[Slide 24] Stock photo: Man with laptop sitting by the side of the road with cityscape
[Slide 25] Two graphics: One: multiple person icons joined with green lines in a network, text: “Always online”. Two: Illustration of Jesus wearing suit and tie at a computer, text: “Let’s chat. I’m always online.”
[Slide 26] Cartoon by email@example.com: “We ALL leave a digital footprint.” Person 1 (scrubbing footprint from laptop screen): “Once it’s on-line it’s virtually impossible to scrub out”. Person 2 (reading paper titled “Info on YOU”): “..and the data on you will follow you around for life”.
[Slide 27] Graphic: Green fields and blue skies, text: “The good life”.
[Slide 28] Photo: Tropical beach with two beach chairs.
[Slide 29] Graphic: photo and signature of Richard Branson with quote: “Every risk is worth taking as long as it’s for a good cause, and contributes to a good life”.
[Slide 30] Text slide: Heading: “Privacy, autonomy and freedom”. Content: “in a society where modern information technology is developing fast, many others may be able to find out how we act. And that, in turn, may reduce our freedom to act as we please — because once others discover how we act, they may think that it is in their interest, or in the interest of society, or even in our own interest to dissuade us, discourage us, or even stopping us from doing what we want to do, and seek to manipulate us to do what they want to do. (Paul Sieghart 1983)”.
[Slide 31] Text slide. Heading: “Privacy and autonomy: a formula”. Content: “Shorn of the cloak of privacy that protects him, an individual becomes transparent and therefore manipulable. A manipulable individual is at the mercy of those who control the information held about him, and his freedom, which is often relative at best, shrinks in direct proportion to the extent of the nature of the options and alternatives which are left open to him by those who control the information (Cannataci – 1986)”
[Slide 32] Text slide: Heading: “Quality of life — defined by some values”. Content:
- The right to free development of personality
- Autonomy as a value
- Self-determination as part of the conceptual framework of autonomy
- The right to self-determination — as a value emanating from the value of autonomy
- The right to political self-determination
- The right to informational self-determination
- Informational self-determination as a design criteria for smart cities
[Slide 33] Photo of the title page of The Social Contract by Jean-Jacques Rousseau.
[Slide 34] Text slide. Heading: “Have the last ten years of the internet already changed the social contract?” Content:
- Technology development is key
- Private Corporations took advantage of technology development…but put the fine print of their business model into very fine print indeed.
- Governments have also taken advantage of technology development… and they have not been telling their citizens about how they are using it to snoop upon them
- Until recently there was no structure discussion about the way corporations and government have been changing the social contract without formal or informal consultations
[Slide 35] Same as Slide 11
[Slide 36] Text slide. Heading: “Australia and Privacy”. Content:
- Australia recognizes its international commitments
- Australia already recognises that it can do better
- When is it going to do something about it?
- I am here to encourage you to do better… and best
- I am here to encourage you to do something about it ASAP because:
- It is good for Australians
- It is good for business
- It is good for the world
[Slide 37] Screenshot of report cover page: “Serious Invasions of Privacy in the Digital Era” with the crest of “Australian Government — Australian Law Reform Commission”.
[Slide 38] Text slide. Heading: “The ALRC in 2014”. Content:
- 4.2 The ALRC proposes that the statutory cause of action be contained in a new, stand-alone Commonwealth Act. Including the new action in a Commonwealth Act would ensure consistency in the operation of the cause of action throughout Australia.
- 4.3 The new cause of action should be set out in a new Act, rather than the Privacy Act 1988 (Cth). The Privacy Act largely concerns information privacy, while the new cause of action is designed to remedy a number of different types of invasions of privacy, including physical invasions of privacy.
- 4.4 The ALRC proposes that a statutory cause of action for serious invasion of privacy should be a tort. If the statutory cause of action were a tort, there would be increased certainty around various ancillary matters, such as vicarious liability. There would also be the benefit of more consistency, since the statutory cause of action would operate in concert with existing tort law.
[Slide 39] Text slide: Heading: “Opportunities for Australia to act & lead”. Content:
- APAC is not a bad thing – it is a step in the right direction but it does not get you to your destination if your destination is human rights.
- Australia recognises that its destination is human rights
- Then it is best to belong to a human rights instrument
- A detailed UN HR instrument not yet available – so what to do until then?
- Regional human rights models on the European model have proved that they can work – but there is no detailed HR instrument for Asia-Pacific
- Meanwhile Australia needs to act at home and abroad in privacy sector
- For Australians to strengthen a fair go at privacy and personality
- For business – improve compatibilities with European privacy legislation
- One way of moving closer to EU standards is to kill two birds with one stone – and ratify Council of Europe’s Data Protection Convention 108
- Lead regionally in privacy… and globally in privacy in Indigenous matters
[Slide 40] Text slide. Heading: “Australia and indigenous matters”. Content:
- 2.9 Privacy also gives individuals greater freedom to pursue their cultural interests free from undue interference from others. This freedom may be particularly important for some ethnic, religious and cultural groups, such as Aboriginal and Torres Strait Islander people, who have particular cultural identity, knowledge and customs that bear on the privacy interests of individuals within the group.
- 6.48 The culture and background of a plaintiff may also be relevant to whether he or she has a reasonable expectation of privacy. Some information may be considered to be more private in some cultures than in others. These expectations may be well-known in the community.
- 6.49 For example, the cultural expectations of Aboriginal and Torres Strait Islander peoples and other cultural or ethnic groups may also be relevant in some cases to the reasonable expectation of privacy in the circumstances.
[Slide 41] Graphic: A green and gold banner showing an Australian flag beach umbrella and an outline of Australia overlaid with the Australian flag, with the words “Go Australia!”
[Slide 42] Text slide. Banner: “LexConverge. Law > Across Disciplines > Across Technologies > Across Cultures.” Content: “Thank you for your attention.
Email: firstname.lastname@example.org, email@example.com, firstname.lastname@example.org.
Web: http://www.ohchr.org/EN/Issues/Privacy/SR/Pages/SRPrivacyIndex.aspx, www.um.edu.mt/maks/ipg/lexconverge, www.smartsurveillance.eu, www.respectproject.eu
In this series: #2016PAW videos
- Privacy Awareness Week 2016 Business Breakfast
- OAIC privacy governance priorities for 2016
- A message from the Commissioner series
- Facebook Privacy Awareness Week 2016 series