Gov stalls on some privacy reforms with conditional support – Strategy – Security


The government has offered “in-principle” – conditional – support for over half of the recommendations from a two-year-long review of the Privacy Act.



In its formal response published today, the government agreed fully to 38 of the review’s 116 recommendations. Legislation incorporating these will now be drafted and subjected to further consultation.

However, for a large number of recommendations to come out of the review, support ranged from “in-principle” agreement to 68 recommendations, subject to “further engagement” and a “comprehensive impact analysis”; to 10 recommendations being “noted” but having no clear path forward.

Those given in-principle support could still be implemented, but the timeline is uncertain, and depends on the outcome of additional work.

Among recommendations given only in-principle support is the introduction of a tort of serious privacy invasion, which the government said required consultation “with the states and territories on implementation to ensure a consistent national approach.”

A related right, that of individuals to “apply to the courts for relief in relation to an interference with privacy”, is also accepted in-principle but with no implementation timeline.

Other matters likely to await yet more consultation include individuals’ rights to control data collection and use; a “fair and reasonable” test for data collection; and data collection for marketing purposes.

De-identification and re-identification regulation, meanwhile, faces a tougher path to realisation.

Rights of the individual

The review canvassed various ways in which individuals could be given more control over how organisations collected and used their data.

Proposals included giving people the right to ask to view what data an organisation had collected about them; a right to object to the collection, use or disclosure of personal information; and the so-called “right to be forgotten” via erasure, de-indexing, and correction of personal information.

These provisions were opposed by Google and Meta, among others, back in 2022. Both organisations cited the importance of gathering marketing information about users, to support subscription-free services.

Google had also objected to including “precise geolocation tracking data” collection in activities requiring consent; this has also been delayed for now.

Addressing “dark patterns”

The review raised the idea that a “fair and reasonable use” test should apply to the handling of personal information.

It explained that the current Privacy Act “requires individuals to largely self-manage their privacy on the assumption that individuals engage with and comprehend the privacy policies and collection notices of entities”.

To reverse this excessive burden on individuals, the government had proposed a requirement that “collections, uses and disclosures of personal information are fair and reasonable in the circumstances”.

This test would also have helped address the problem of “dark patterns” – user interface designs that encourage people to accept invasive data collection by clicking through dialogues on the way to the content they want.

This was agreed to in-principle by the government.

De-identification and re-identification

The vexed question of how to regulate de-identified data has also been left on the backburner.

The issue has been a political hot button since at least 2016, when a group of academics including Dr Vanessa Teague demonstrated how a de-identified Medicare dataset could be traced back to individuals.

The Privacy Act review proposals included making organisations liable for ensuring de-identification was reasonably protected against re-identification; an offence of “malicious re-identification”; and a prohibition on organisations re-identifying individuals if they acquired de-identified databases.

The government “noted” these findings but did not commit to a timeline or specific policy work.

Politicians, media privacy reforms unlikely

Reform of the Privacy Act’s treatment of political parties is also firmly off the agenda for now, with the government merely noting the report’s proposals.

These had included narrowing any exemptions so they only apply to registered political parties; and requiring political organisations to publish privacy policies.

Meanwhile, while agreeing that journalism exemptions should be narrowed to organisations that recognise privacy principles, all other proposals received the “agree in-principle” delay.



Source link