After the horrific and upsetting breaches involving Optus, Medibank and others, the federal government acted swiftly, dramatically bolstering our privacy regime. The penalties facing Australian businesses that infringe our privacy – in the order of $50 million or 30 percent of turnover in a given period – are arguably now among the heaviest in the world.
But despite the boost to the penalties, there remains a major flaw in our approach to privacy that we must act fast to correct.
December 10 is Human Rights Day, which marks the day that the Universal Declaration of Human Rights was adopted by the United Nations General Assembly in 1948. It’s the perfect time to remind ourselves that privacy is one of the human rights articulated in that declaration. Yet the way we frame privacy in public policy and reform discussions in Australia is too frequently not grounded in this truth.
The primary driver for privacy reform in Australia in recent years has been the Digital Platforms Inquiry, conducted by the Australian Competition and Consumer Commission (ACCC) and which concluded in 2019. It’s this inquiry that recommended the recent penalty hike, the review of the Privacy Act that is currently underway, the introduction of an online privacy code for social media platforms, and a range of other privacy and data-related reforms.
A fundamental premise of the inquiry, and of the ACCC, is that privacy laws are important because they support and enable competition and consumer protection objectives. The idea goes that by empowering consumers to make informed choices about how their data is processed, we can correct bargaining power imbalances and information asymmetries and so increase competition and encourage innovation.
It’s certainly true that in the context of competition policy, privacy is of great utility. That utility flows the other way, too. As a privacy advocate, I’ll admit I’ve found it incredibly useful to be able to spruik for privacy on the basis of the economic benefits it might bring.
But this perspective says little, or even nothing, about privacy as a fundamental human right. It ignores privacy’s intrinsic value, framing it in utilitarian terms where its value is to be weighed against the competing interests of competition and innovation.
As our recent slew of breaches and privacy incidents show, the economic formula is failing us. Businesses operate in a cut-throat digital environment where data is “oil”, innovation is king, and insights and personalisation are the names of the game. Privacy is too often collateral damage to larger ambitions.
The paradigm for privacy as an issue of consumer protection also explains some of the worst user experiences we have online. Viewing privacy as being primarily about “empowering consumers to make choices about the use of their data” is what leads directly to the nightmarish scenario inflicted on internet users of unending T&Cs, privacy policies and popups about cookies – all of which are beyond anyone’s patience or capacity to read or understand.
If breaches like Medibank teach us anything, it’s that privacy is more profound than being an aspirational attribute of our persona as consumers or a tool of competition policy. Those violations struck deep at our humanity and sense of dignity. For those impacted, the exposure of their most sensitive medical information – of procedures and health services needed at life’s most vulnerable moments – completely obliterated any sense of control or autonomy we might feel over our lives.
These issues become even more pronounced in the face of the relentless march of AI and technologies like facial recognition.
We have a choice – to maintain our shallow focus and limit our assessment of the privacy impacts of these new technologies to the quality of their privacy notices and opt-out checkboxes – as already happens with so many digital services, or to contend more deeply with how future applications of these technologies intersect with (and interrupt) our human rights, and with our right to feel a sense of autonomy, dignity and freedom from being perpetually surveilled, tracked or analysed.
Privacy shouldn’t be something we need to ask for, nor should it be something we can trade away in exchange for a service or forsake with the click of a button.
Thankfully, the reform of our privacy regime is not yet done, with the federal government committing to report back in the next few weeks and enact legislation within this term of government.
We may yet refocus our laws on the notion of privacy as a fundamental human right.
Jordan Wilson-Otto is a Melbourne-based privacy specialist at privacy and cyber security consultancy elevenM and a former Assistant Commissioner at the Office of the Victorian Information Commissioner
Do you know more? Contact James Riley via Email.