There should be a significant overhaul of privacy laws to require the use of consent for data collection and move towards a privacy by default approach instead, the New York Times Company has urged in a rare submission to the Australian government.
The New York Times, along with the Office of the Australian Information Commissioner (OAIC) and several other organisations, made a submission to the federal government’s review of the Privacy Act with a major focus on the need to reduce the prevalence of “bundled” consent forms for data collection currently employed by tech giants.
The New York Times submission said that requiring consent should be “relied upon as rarely as possible” and should be reserved for high-risk data collection and use.
“People have limited resources in time and energy to dedicate to understanding the specifics of a business’s data processing. These resources should be treated with respect and called upon sparingly,” the New York Times submission said.
Approaches such as those included in the Europe Union’s General Data Protection Rule shouldn’t be adopted in Australia as this “normalises consent as the first thing one does when visiting a site or app pays superficial lip service to transparency and agency while producing neither”, the submission said.
“Our preference is instead to default to permissible data processing that matches pre-digital expectations of privacy as described above, and to require consent to anything beyond that to be slow, difficult, specific and temporary,” it said.
“This set of permissible defaults, so long as it matches a reasonable digital mapping of user expectations, would effectively be pro-consumer – far more so than the status quo – while still enabling businesses to access enough data that they can reap the benefits specific to the digital era in terms of efficiencies and product development.”
This was echoed by the OAIC in its own submission, with the office pointing to a general shift towards companies bundling all data collection policies and conditions into the one form, and the risks associated with this method.
“APP 1 privacy policies and APP 5 notices were not intended to be consent mechanisms that amount to contractual terms and conditions for consumers,” the OAIC submission said. “There has, however, been a shift towards building privacy policies and notices into one document, sometimes called ‘terms and conditions’ and purporting to use them to seek ‘agreement’ to broad data handling practices.
“This has likely been driven by global, USA-based corporations operating in Australia, which have imported and spread American norms where privacy is a matter of contractual negotiation.”
The current approach of requiring consent for expected actions turns the process into a “tick-box exercise which will detract the value of consent in higher-risk situations where it will actually be valuable”, the OAIC said.
The reforms of consent laws around data should focus on measures to address the limitations with this scheme, rather than expanding its use, the office said.
“The overuse of these mechanisms will place an unrealistic burden of understanding the risks of complicated information handling practices on individuals. This will not address the privacy risks and harms facing individuals in the digital age,” the OAIC said.
Consent was also a key topic in the Australian Competition and Consumer Commission’s (ACCC) 18-month inquiry into digital platforms, which spurred the government’s review of the Privacy Act.
The competition watchdog recommended that consent be required to be obtained whenever a user’s personal information is collected, used or disclosed by an entity subject to the Privacy Act, unless the personal information is necessary for the performance of a contract to which the consumer is a party, or if there is an overriding public interest reason.
This should include a “clear affirmative act that is freely given, specific, unambiguous and informed”, and should not be bundled into the one option.
“It may also be appropriate for the consent requirements to be implemented along with measures to minimise consent fatigue, such as not requiring consent when personal information is processed in accordance with a contract to which the consumer is a party, or using standardised icons or phrases to refer to certain categories of consents to facilitate consumers’ comprehension and decision-making,” the ACCC report said.
In its submission, the New York Times said the reforms to the Privacy Act should be based on ensuring these laws match those applying to the physical world.
“We suggest grounding expectations of privacy in what they would be outside of the digital realm as that makes it easy for individuals to reason about the usage that may be made of their data,” it said.
“If visiting a site is akin to visiting a shop, then users can readily understand who may recognise them, what kind of information may be collected, with what retention period, to which third parties it may be shared, and so forth.”