Ms Falk said an umbrella “fair and reasonable” protection would require businesses and government agencies to consider upfront the foreseeability of harm to individuals, and not simply rely on long and difficult-to-understand consent agreements.
“The kinds of issues that I’ve seen during my regulatory experience that have caused me concern and where I think a protection like this would have helped rather than a reliance on proposed consent are things like smart devices listening in to conversations to train AI [bots] to recognise voices.”
Also concerning were “apps where you download a flashlight, but it collects all of your location data; the use of algorithms by digital platforms to target advertisements that are related to people’s interests that creates harm, like gambling, dieting, and exclusion from employment markets”.
Ms Falk said fairness requirements would put the individual at the centre of information handling practices, rather than the current focus which is predominantly about what’s reasonably necessary for business purposes.
Intrusions
The Privacy Act protects against breaches of informational privacy, but not against more general intrusions of privacy such as bodily privacy or seclusion.
To meet this gap the Attorney-General’s departmental review supported an earlier Australian Law Reform Commission recommendation to create a statutory tort for serious invasions of privacy that are intentional or reckless.
“It’s a gap in our domestic law. I think it is an important part of ensuring privacy protections within Australia because it would extend to interferences with privacy that occur from one individual to another,” Ms Falk said.
She said the Privacy Act applied only to businesses and government agencies, not to people, and such a protection would address potential issues around emerging technologies.
“We’ve had the experience of the use of facial recognition technology, through scraping of images across the internet.
“The creation of a mass database of those images that then could be coupled with technological developments like smart glasses could arrive us at a position where people walking down the street can have real-time intelligence as to whom they’re walking past.”
“That’s got real safety and security issues. The Privacy Act would not provide a remedy and I think a statutory tort is needed to deal with these emerging risks.”
Ms Falk said fears that a similar proposal for a direct personal right of action for privacy breaches would lead to an outbreak of litigation against business should be tempered by the recommendation for her office to triage complaints.
“The matter would have to come to my office first and be assessed that it does raise an interference with privacy and also seek to conciliate the matter.”
“So there would be some triage ability.”
In response to business fears it would open the floodgates to class and representative actions, Ms Falk said her regulatory experience was that a right of action for privacy breaches would streamline the current situation.
Pointing to both the current court and privacy actions being taken over the Optus and Medibank data breaches, Ms Falk said litigation was proceeding based on other alleged legal obligations in any case.
“What we see is that court action has been taken around other intersecting legal issues, consumer, competition, or breaches of contract and so on. So I think it will be a streamlining influence rather than create additional obligations.”
Building trust
Responding to the recommendation to end the small business exemption, Ms Falk said Australia was an international outlier in regulating only 5 per cent of the 2.3 million businesses operating in Australia.
“So that can exclude businesses like real estate agents, debt collectors, some law firms and accountants, all of whom are handling personal information.”
She said the commission’s own consumer surveys showed 85 per cent thought small businesses were already covered by the Privacy Act.
“When we asked them whether or not in fact they should be covered, when they learned that was not the case, 71 per cent considered that they should be.”
“The small business exemption was introduced more than 20 years ago at an absolutely different time and place. And we now have a situation where 84 per cent of small businesses have an online presence and many of them will be handling personal information.”
Ms Falk argued consumers would increasingly be attracted to firms they could trust. She said the extension would also level the competitive playing field by rewarding small firms who were investing in privacy, security and data management.
Supply chains
Amid a concerted regulatory push to harden up supply chains, Ms Falk expressed concern about the need to be able to rely on good data practices across the entire chain.
“In my regulatory experience I’m seeing some real gaps there in the supply chain. Where small business operators are involved and there’s no ability to bring home accountability for breakages involving some of the entities that are currently exempted.”
She said proper privacy controls were also critical for firms looking to trade and expand offshore.
“One of the key issues that businesses in the EU and UK and Japan for example, are interested in when they’re dealing with the business in Australia, is how they better protect the information that might transfer from their country.”
“Bringing small businesses into the remit of the Privacy Act will give that greater trust and confidence from an international trade perspective as well.”