Trust in the data economy: the role of stakeholders

3 June 2019

Speech by Australian Information Commissioner and Privacy Commissioner Angelene Falk to the International Seminar on Personal Data, Tokyo

Konnichiwa. I’m Angelene Falk, the Australian Information Commissioner and Privacy Commissioner. I have regulatory competence over both the federal public service and the private sector in Australia.

It is a great honour to be here today in Tokyo, Japan, a long-standing economic partner for Australia. I would like to thank Chairperson Shimada Minako and her team at the Personal Information Protection Commission for hosting this event and an excellent Asia Pacific Privacy Authorities forum last week. These events provide a wonderful opportunity to engage with fellow regulators and privacy experts across the Asia Pacific, and with European data protection regulators, government and business.

I would particularly like to acknowledge Shimada-san for the great leadership and foresight she has shown by organising an international seminar around the theme of “global free flow of personal data with adequate protection”. 

Focus on this topic is critical at a time when many believe institutional trust is in decline. It responds to the call by bodies such as the OECD for the use of all policy tools at our disposal to counter the consequences of trade uncertainty and to realise the benefits of digitalisation for all.

And, of course, it builds on Prime Minister Abe’s call at Davos earlier this year for “world-wide data governance” which emphasised not only “data free flow” but also “trust” and the “careful protection” of personal data.

We have heard a lot about “trust” over the last week. And today I would like to talk with you about the role of key stakeholders in a model for the flow of data with trust, from the Australian regulator’s perspective, regulating the handling of Australians’ data by global companies.

The individual needs to be at the centre of such a model — as the key measure of its success. Regulators, governments and business each have a role to play in ensuring trust in the data economy. And achieving public benefit, for individuals, is ultimately what we all seek to enhance and protect.

To participate in a data economy where data flows with “trust”:

  • Firstly, individuals need confidence that, when they share their data, it is handled appropriately. They also need the right tools to understand how to manage their own privacy.
  • Secondly, government and business need to support individuals to manage their privacy, “privacy self-management”, through being accountable and transparent. In other words, organisations need to have practices, systems and procedures in place to ensure compliance and to demonstrate that compliance.
  • Finally, as regulators, our role is to provide the check and balance in this system, and in doing so, to ensure trust in the system of oversight — protecting personal information wherever it flows. This can be achieved in part through regulatory cooperation and collaboration on developing policy positions, guidance, tools and enforcement, so that we protect personal information consistently around the globe.

Just as personal data connects and drives the global economy, trust in the custodians of that data is essential for its sustainability. When change is constant, trust offers us a glimmer of hope in all the complexity of the data economy. While the way it is demonstrated may differ across cultures, trust is a universal concept, and may also provide a bridge to interoperability, which Commissioner Denham will speak about later.

I would like to share with you the Australian experience: how we are seeking to build trust in personal information handling; and how we are collaborating with regulators within Australia, as well as the Asia Pacific and the EU to achieve this.

Let’s start with the individual who needs to have trust in how their data is handled. In Australia and around the world we see a need to strengthen public trust and confidence in the protection of personal information. That is especially the case when it comes to digital platforms.

The number and serious nature of privacy issues associated with these platforms has led to increased scrutiny around the world, from the public, government and regulators. My investigation into the Facebook Cambridge Analytica matter involving Australians’ information is well advanced. This has involved consultation and cooperation with my counterparts in other countries.

And organisations should take notice of such scrutiny. Research in Australia has found that 73% of consumers choose a brand they trust the most with their personal information.

But investigations by their nature happen after an event; and prevention is better than cure. The Australian Government had this in mind when charging me with developing a new binding code to increase online protections for Australians’ privacy. We will start to develop the Code this year, and will include a focus on ensuring greater protection for more vulnerable groups online such as children. In doing so, I will have regard to policy developments in other jurisdictions such as the UK Information Commissioner’s draft code of practice for online services that focuses on children.

And trust is not only about the individual’s willingness to trust, but also how organisations establish and act on that trust. A heightened community awareness is reflected in the sustained year-on-year growth in privacy complaints. We see this in Australia and around the globe. This trend illustrates the gap between community expectations and organisational practice.

And as community focus on privacy issues strengthens, organisations are becoming increasingly aware of the impact of consumer trust in privacy on their business.

This year’s global Edelman Trust Index revealed a critical development in consumer sentiment around the world. As relationships — including those between organisations and individuals — have become highly digitised, people have shifted their trust to the relationships within their control.

Nowhere is this truer than in data protection where individuals seek control and the ability to self-manage their privacy. The desire is for enhanced control and accountability, including transparency.

Of course, the Australian Privacy Act and other data protection laws around the world recognise this. Organisations have to manage personal information in an open and transparent way – requiring clearly expressed and up-to-date privacy policies, notices and consents.

Another important transparency and accountability measure is mandatory data breach notification – a feature in Australian and other data protection laws around the world, including the GDPR, Canada, Colombia, Mexico and the Philippines. Such schemes:

  • incentivise proactive security practices
  • help ensure individuals can act to prevent harm, and
  • allow consumers to make informed choices and have confidence in the entities they deal with.

Importantly, they ensure organisations are transparent and accountable for breaches that occur under their watch.

In May this year, I released a report on Australia’s Notifiable Data Breaches scheme outlining lessons learned during the first year of operation. Our evidence shows that the causes of data breaches are clear: most exploited our human frailty, such as employees being tricked into providing credentials that then allow access to information and systems. It is clear that employees need to be supported through training, processes and technology to mitigate this known risk.

So my report should be read as a call to action for organisations to prevent data breaches, now that we know the cause. To me, this presents the perfect opportunity for both regulators and organisations to act together to prevent future breaches and uplift the security posture globally, for the benefit of all. Security requirements are of course a common feature of data protection laws around the world.

And governments also have a role to play. Governments are not only the architects of our privacy frameworks, they also need to be trusted custodians of our data.

My Office has introduced the Australian Government Agencies Privacy Code which embeds accountability and transparency in personal information handling practices by government agencies. The Code has now been in place for almost one year, and requires agencies to:

  • appoint a Privacy Officer and a Privacy Champion at senior level
  • undertake a Privacy Impact Assessment for “high risk” initiatives
  • implement a privacy management plan, and
  • enhance internal privacy capability, through training and awareness.

And like any good relationship, trust must be developed over time. Trust is not only to be established up front but also maintained once an individual shares their information. Initiatives such as privacy management plans that are mandatory under the Code ensure ongoing accountability for data throughout its life cycle and in turn maintain trust.

Importantly, the Code was not only influenced by the requirements of Australian privacy law but also the GDPR. This is a good example of how in Australia, we have been able to incorporate the best practice approach of another jurisdiction — the EU — by building on their work and integrating it into our domestic frameworks.

Done well, privacy self-management allows individuals to exercise choice and control, by understanding how their personal information is being handled. However, it is dependent on the extent to which organisations make this information accessible and understandable.

For consumers to have a fair chance of making choices, there needs to be a way of presenting information that is meaningful to consumers. The use of standard icons may be a start, but I think we need to develop a universal lexicon that describes data handling practices consistently across organisations.

Certification of privacy competence, which we have explored today, is another mechanism towards organisational accountability that supports individuals. It allows some of the burden to shift from the individual to the organisations putting themselves forward for certification. Just as no one here today has had to satisfy themselves of the safety of this building before stepping inside, a certification can be relied on by a consumer in deciding whether to trust one business over another.

I am considering the introduction of certification in Australia, and in doing so will draw upon the work already done in this area in other jurisdictions including the EU, Japan, and Singapore.

Australia is also implementing the APEC Cross Border Privacy Rules which my office will enforce. And we will learn from others further down the CBPR road, like the US and Japan, where this mechanism is in place to provide accountable cross-border data transfers.

As a regulator, my ability to efficiently prevent, detect, deter and remedy relies on cooperation and collaboration, not only across borders with data protection authorities, but across regulatory schemes.

For data protection authorities, the intersection between consumer protection, privacy and data protection is also becoming increasingly relevant given the importance of personal information in the digital economy. The International Conference of Data Protection and Privacy Commissioners [ICDPPC] is looking at this issue closely through the Digital Citizen and Consumer working group, which I co-chair with Canada.

At home, I am collaborating with the Australian Competition and Consumer Commission, the ACCC, on regulating digital platforms. We are also co-regulators with the ACCC for Australia’s new data portability measure — the Consumer Data Right. Our role in this co-regulatory model is to ensure strong privacy safeguards are built into the system, so consumers can benefit from being able to switch to service providers who can give a better deal, and have their privacy protected.

This collaboration is consistent with the resolution of the ICDPPC, that we work together in order to get the best outcome in the public’s interest: the competition benefits for consumers, while protecting personal information. 

To conclude, our data offers enormous potential for individuals, business and government, and it no longer stops at national borders. We therefore need a model for data flow that includes strong privacy protections that build public confidence and consumer trust.

First, individuals need to be given the opportunity to exercise meaningful privacy self-management. Second, business and government must operate transparently and accountably, so their information handling and business is worthy of trust. Third, regulators must ensure trust in the system of oversight — protecting personal information wherever it flows. This can be achieved in part through regulatory cooperation and collaboration when we develop policy positions, guidance, tools and enforcement, to protect individuals wherever their data travels, and to ensure consistency and predictability in the system of oversight as data continues to flow.

I believe that these three cornerstones can underpin a world where data flows with trust.

Arigato. Thank you.