2020 Vision: Challenges and opportunities for privacy regulation

29 October 2019
Tags: Angelene Falk, International Association of Privacy Professionals (IAPP), Consumer Data Right, data breaches, General Data Protection Regulation (GDPR), Privacy Code

Keynote address by Australian Information and Privacy Commissioner, Angelene Falk, at the International Association of Privacy Professionals Australia and New Zealand 2019 Summit in Sydney

[Note: This is an edited version for web publication of the prepared speech]


Good morning privacy professionals!

I would like to begin by acknowledging the Gadigal people of the Eora nation as the traditional custodians of the land on which we meet today. I also pay my respects to Elders past, present and emerging, and I extend that respect to any Aboriginal or Torres Strait Islander people present.

It’s a dynamic time to be involved in privacy and data protection in Australia. Not a day goes by where we don’t encounter the challenge of protecting personal information. I could turn to any major media source — and find an article about a data breach or the data practices of online platforms.

A convergence of forces — a combination of ever-changing technology, the massive amounts of personal information that hurtle at lightspeed around the globe, the increasing role of data in driving our economy — defines our privacy landscape.

As Australia’s independent national regulator for privacy, the Office of the Australian Information Commissioner is keenly aware of these forces and the need to safeguard the personal information of the Australian community wherever it flows.

Today I have been asked to talk about the national privacy landscape.

There is certainly a lot happening with a strong focus on privacy law and practice occurring both nationally and internationally. At home, the development of the Consumer Data Right and the Digital Platforms Inquiry are two notable local examples.

I’ve worked in privacy for well over a decade now, and within that time there’s been a clear evolution of the law that continues to the present.

The Privacy Act has been amended almost 90 times since it commenced in January 1989. At the time of their introduction, many of these reforms were world leading. The Australian Privacy Act of today is principles based and provides a strong foundation for protecting personal information. But there’s a need to ensure it remains fit for purpose into the next decade.

Changes in our environment

The Act’s objectives are as relevant today as they were 30 years ago, and the OAIC’s core purpose — to promote and uphold privacy and information access rights — remains constant and of critical importance.

Those of us in this room know better than anyone that our data no longer stops at national borders. Data-sharing practices are constantly adapting to meet the needs of a global digital economy, and the considerable volume of data held by business and government continues to grow. And the OAIC continues to adapt in order to meet its regulatory challenges.

Privacy is regularly front-page news, and community awareness of these issues is high.

Over the past four years, the OAIC has experienced sustained growth across our regulatory functions, including in the area of privacy complaints — which demonstrates that people are invested in their privacy rights and want to ensure they are protected.

Our latest annual report shows that privacy complaints once again rose last financial year — by 12% to 3,306.

Last year the OAIC also received 950 notifications under the mandatory notifiable data breaches scheme. 210 additional data breaches were reported, outside the NDB scheme.

What sits behind these figures are greater expectations of accountability from the community when it comes to personal information handling. The NDB scheme has also increased the level of transparency expected from and provided by organisations when things go wrong.

This transparency — mandated by law — requires Australians to be notified of a data breach that is likely to result in serious harm to affected individuals, and to act quickly to protect their identity and mitigate the risk of harm.

Domestic developments

In the year since we last gathered for this Summit, the protection of personal information has been the subject of significant inquiry, proposed reform and debate both in Australia and internationally.

In that time, we’ve worked with the ACCC in their Inquiry’s consideration of the bargain between consumers and digital platforms and the ability of consumers to be informed about their data and exercise meaningful control over it.

The information and power asymmetries between consumers and digital platforms can make it challenging for individuals to make informed decisions about how our personal information is handled online.

The ACCC’s Digital Platforms Inquiry report published in July this year makes recommendations to redress this imbalance and increase transparency, choice and control.

These recommendations include strengthened notice and consent requirements, the introduction of an enforceable privacy code for designated digital platforms and higher penalties for privacy infringements.

They offer greater particularity and clarity, and strengthened privacy protections.

The OAIC has made a number of submissions and some additional suggestions based on our regulatory experience, such as extending the existing requirement in the Privacy Act for fair collection of information, to fair use and disclosure.

Our suggestions are also aimed at avoiding any unnecessary regulatory friction and helping ensure our data protection laws are globally interoperable.

We are also focused on striking the right balance between an individual’s ability to self-manage their privacy through proposed enhanced notice and consent requirements, and the accountability of those entrusted with our personal information. Each needs to be supported by the other.

The Government is consulting on the final report.

As a welcome step, earlier this year the Australian Government announced it will strengthen privacy protections and regulatory tools, including:

  • increased penalties for serious or repeated breaches
  • new infringement notice powers and other options to address breaches
  • a requirement for social media and online platforms to stop using or disclosing an individual’s personal information upon request and
  • rules to protect Australians’ privacy online, including vulnerable groups such as children.

The OAIC has received additional funding to regulate privacy online and resolve privacy complaints.

International developments

At the international level, we continue to see greater convergence of privacy principles and standards. As the digital economy evolves, law makers and regulators across the globe increasingly see things alike, learn, and borrow concepts from one another.

There is now a ‘global toolbox’ which adds depth to this convergence. International approaches include the GDPR and the APEC Privacy Framework Principles, among others.

We are seeing the GDPR’s influence in Australia, in our region, and around the world; most recently, in California’s Consumer Privacy law.

And in Australia, we are increasingly seeing privacy protections in domestic laws that apply in specific policy contexts being expressed as clear obligations that also confer individual rights.

For example, in response to the Australian community’s calls for stronger privacy and security protections in the My Health Record system, a provision was included in the Act which gives an individual a right to request that their Record be permanently deleted, and confers an obligation on the system operator to do so.

Another example is the ‘Consumer Data Right’ which gives consumers the right to access particular data in a readily usable form, and to direct a business to securely transfer that data to an accredited third party. Starting with Open Banking, it will be rolled out sector by sector across the economy, with energy and telecommunications consumers the next to benefit.

Recently we published draft CDR Privacy Safeguard guidelines on our website. We are looking for businesses to engage with the draft guidelines, including small businesses, as they will be subject to privacy obligations when accredited.

We want to provide guidance and practical tips to all CDR participants to help them to comply with the scheme’s privacy safeguards.

The consultation will be taking submissions until 20 November so I urge those with an interest in CDR to look on our website as we would value your feedback.

Given these recent domestic developments that seek to enhance privacy protections in specific areas, the Digital Platforms Inquiry and broader international developments, it is clear that the discussion around ensuring privacy frameworks are fit for purpose in the digital age is going to continue.

Privacy 2020 and beyond

In light of the domestic and international landscape, the OAIC is focused on four key elements to inform our approach to regulating privacy into the future.

International interoperability

The first element is international interoperability. Some of you have recently returned from the annual meeting of the International Conference of Data Protection and Privacy Commissioners, now called the ‘Global Privacy Assembly’.

In October last year, I was appointed to the Executive Committee of that Conference. The Committee recently proposed a strategic direction for the conference for the next three years, which was agreed at the annual meeting in Tirana, Albania, and has global interoperability at its centre.

The conference agreed that an evolution towards global policy, standards and models for data protection and privacy can support interoperability, critical to a strong global economy underpinned by the secure and free flow of data and supported by effective privacy protections and regulatory co-operation.

This is not to suggest there should be uniformity in law. Rather, interoperability recognises differences in regulatory frameworks around the world and provides a bridge to ensure personal information is protected no matter where it flows.

As the national regulator of Australians’ personal information that flows across borders, the OAIC is focused on globally interoperable standards, tools that support cross-border data transfers and work to facilitate Australia’s participation in the APEC Cross Border Privacy Rules system.

A simple example of how we are acting to help ensure a consistent regulatory approach across borders is the OAIC’s work to make addressing the human factor as a cause in data breaches a joint focus with our international counterparts.

Following the introduction of mandatory notifiable data breach schemes around the world, we have clear evidence of the causes of data breaches. Most involve a human factor, whether it’s sending personal information to the wrong recipient, or being the victim of a phishing email that opens the door to a cyber-attack.

At the Tirana meeting, the OAIC proposed a Resolution to address the role of human error in personal data breaches as a further step towards a global approach by data protection authorities.

The Resolution was co-sponsored by nine privacy and data protection authorities from across the globe and passed by consensus. It includes a call to action to organisations:

  • to recognise that personal data breaches often involve human error, and
  • to act to implement appropriate security safeguards against this known risk and uplift security postures globally.

The OAIC also worked with data protection authorities from around the world, including the UK, Canada and the Federal Trade Commissioner, to send a joint statement of expectations to the Libra Association regarding the privacy implications of its proposed cryptocurrency service.

Getting privacy self-management right

A second element is to ensure our privacy framework strikes the balance between privacy self-management and organisational accountability. Embedding privacy into the design of technologies, architecture and systems from the start plays an important role in supporting Australians to self-manage their privacy, and making entities more accountable for their use of personal information.

Done well, privacy self-management allows individuals to exercise choice and control, by understanding how their personal information is being handled. This relies on organisations making this information accessible and understandable.

I have previously flagged my interest in developing a common language to help individuals to understand and make informed decisions about their privacy.

As I’ve said, in its Digital Platforms Inquiry report, the ACCC proposed a number of new rights and obligations, including strengthened notification and consent requirements. This includes considering standardised icons or phrases to strengthen notice.

The ACCC’s recommendation that consent should require a clear affirmative act that is freely given, specific, unambiguous and informed, would also align the definition of consent more closely with the GDPR.

However, consent can have its limits.

In an increasingly complex environment, individuals need transparency to make choices. And we need to be careful that consent is not elevated such that anything can be agreed to by ticking a box, resulting in unconstrained personal information handling practices.

Noting human behaviour, we also need to strike a balance between strengthening notification requirements and the practical consequences, such as notification fatigue.

These are challenging issues which may be partly addressed through accountability measures that redress the imbalance in knowledge and power between individuals and organisations. Consideration could also be given to constraining certain data or business practices which are contrary to consumers’ expectations. Perhaps there are some uses of personal information to which consent should simply not be given?

The Office of the Privacy Commissioner of Canada has described this as developing ‘no-go zones’ which they say includes profiling or categorisation that leads to unfair, unethical or discriminatory treatment contrary to human rights law.

A possible illustration of this concept of a ‘no-go zone’ is collecting information about children to use in targeted advertising. We saw how this can play out earlier this year when, following complaints and an investigation by the US Federal Trade Commission, YouTube announced that it plans to end targeted advertising for uploaded videos that children are likely to watch.

Getting organisational accountability right

A third element is ensuring there are sufficient obligations built into the system to ensure organisations are accountable.

There is a useful model to consider close to home. The Consumer Data Right is an example of a reform aimed at achieving the balance between individuals’ right to control and utilise their data and strong accountability measures.

Consumer consent for the collection and use of their data is the bedrock of the CDR regime. Consent enables consumers to be the decision maker, ensuring that they can direct where their data goes in order to obtain the most value from it.

This self-management approach is complemented by a range of privacy protections to ensure CDR data is transferred safely and securely.

A key protection is accreditation. Consumers will only be able to use the Consumer Data Right to direct the transfer of their data to trusted third parties. Accreditation criteria include privacy and information security requirements, which have been set out in draft guidelines that are currently available on the ACCC’s website. And accreditation needs to be maintained and evidenced annually.

A third-party certification or accreditation scheme applied more broadly than the CDR, could provide consumers with evidence-based information about the privacy credentials of entities with which they may engage.

Other features of the CDR scheme that warrant consideration for broader application include the concept of a ‘consumer dashboard’ where consumers can track where their data goes.

Privacy Act scope and coverage

The changes in the privacy landscape also provide an opportunity to consider the scope and coverage of the Privacy Act generally. This is in line with the ACCC’s Digital Platforms Inquiry recommendation that there should be broader reform of the Australian privacy regime, having regard to whether the Privacy Act should apply to some of the entities and practices which are currently exempt, like small businesses, employee records and registered political parties.

Think about how much the world has changed in the last 30 years. Exemptions for businesses with an annual turnover of less than $3 million and for political parties came into operation in a world before social media, digital communications and the internet had really taken off.

Many such businesses are already covered by the Privacy Act. For example, small businesses participating in the CDR scheme must comply with the privacy requirements, as must those that have anti-money laundering and data retention obligations. Private health providers are included, regardless of turnover.

While in the past smaller businesses may not have had the means to collect a large amount of personal information, technology now allows for large-scale collection and handling of personal information, regardless of an organisation’s annual turnover. At the same time, such businesses and their customers are not immune to the risks that exist in the digital environment, but are not currently required to notify individuals if they experience a data breach.

Contemporary approach to regulation

The fourth element is to ensure a contemporary approach to regulation. This includes having the right regulatory tools to take a proactive approach to enforcement.

Since the NDB scheme commenced in February last year we have been active in assisting organisations to comply with their notification obligations and to understand the causes of data breaches. Now that we have moved into the second year, however, the onus is well and truly on organisations to further commit to best practice in combating data breaches and improving response strategies. If not, the OAIC will exercise its enforcement powers, and we have several matters in the pipeline.

We are also implementing more changes to the way we handle privacy complaints to ensure a timely complaints process for the community, supported by the additional funding provided in the last budget. This involves a shift to clear timeframes for investigating and conciliating matters. Where matters cannot be resolved through conciliation or otherwise, they will move swiftly to determination.

A contemporary approach to regulation also requires collaboration. We will continue to develop and participate in arrangements that support international cooperation in investigation and the enforcement of privacy and data protection laws, including the APEC Cross-border Privacy Enforcement Arrangement and Global Privacy Enforcement Network.

Collaboration includes working with other Australian regulators to ensure the protection of consumers, such as with the ACCC on its Digital Platforms Inquiry, and as co-regulators for the Consumer Data Right, which commences in 2020.

We are also driving this collaboration at a global level. I am the Co-Chair, with the Canadian Privacy Commissioner, of the International Conference’s Digital Citizen and Consumer Working Group. The group was formed to identify ways to improve collaboration between privacy and consumer protection authorities at both the domestic and international level.

In conclusion, we are at a pivotal point in the regulation of privacy in Australia.

Today I have set out four elements that the OAIC is focused on in regulating privacy in 2020 and beyond: international interoperability, enhancing privacy self-management, organisational accountability, and a contemporary approach to regulation.

I hope these remarks will help your discussions over the next two days, along with the fascinating array of speakers both local and international that the IAPP has in store.

Thank you.