Where to with privacy reform in Australia
May 26, 2022 |
A brief review of this website will reveal that there is a constant development of privacy laws throughout the world to meet changes in data handling practices and challenges from those who would interfere with privacy. Development and improvement of privacy regulation in Australia has been slow, tepid and fitful despite regular recommendations for reform from law reform commissions.
In Australia the last Federal election did not reveal an enthusiasm for privacy reform as a platform for any major party according to InnovationAus with No privacy reform commitments from major parties. The article was written last week, prior to the poll. So in a sense what the Coalition wanted to do is irrelevant now. The article provides:
The Coalition is uncommitted to privacy reform and Labor remains silent despite broad support from independents and minor parties, according to the Australian Privacy Foundation.
Updated on Thursday, the Australian Privacy Foundation’s (APF) election scorecard indicated support for its recommended privacy priorities. The group invited 100 political parties and independent candidates to express whether they supported the APFs privacy priorities released in April.
Included in the privacy priorities are six legislative amendments aimed at bringing privacy protection under Australian law “into the 21st century and up to the standard of peer developed countries”. This includes removing exemptions under the Privacy Act for employee records, registered political parties and political ‘acts and practices’, and journalism, aside from reports on public officials in the performance of their duties.
APF chair David Vaile said that a majority of the minor parties supported all the priorities, but many responses lacked an explanation. However, he praised South Australian Senator Rex Patrick for committing to introduce legislation to amend the Privacy Act 1988 to properly safeguard sensitive voter information” if re-elected and calling on the major political parties to “end their exemption from national privacy safeguards”.
The federal Greens were among those who fully support the proposals of the APF. They have also proposed the introduction of a Digital Rights Commissioner within the Australian Human Rights Commissioner.
The purpose of this role would be to “be a watchdog and arbiter to ensure that human rights held by people offline are protected online, in accordance with a unanimous 2013 UN General Assembly Resolution,” a spokesperson said.
Labor did not reply to the APFs inquiries despite “a large number of attempts to contact individuals there”, according to Mr Vaile, although he acknowledged their correspondence may have been lost over the busy election period. He said a detailed response was received from the Coalition, but this did not include any clear commitments.
“The response from the Liberal party had quite a lot in it, but it didn’t add up to a substantial commitment to support any of the principles that we could see in an unambiguous way. They’ve given [the privacy principles] some attention to acknowledge that without directly saying, one way or the other, they didn’t deliver anything that looked like a commitment,” Mr Vaile said.
The APF’s priorities also include an amendment to the Australian Broadcasting Corporation Act to outlaw the ABC from sharing identifiable personal data with other entities, and to prevent the mandatory provision of personal data to access the ABC’s “full digital media services”.
The other amendment priorities include an update to the legal definition of consent, preventing public circulation of personal information unless it is permanently anonymous, a dedicated and well resourced Privacy Commissioner, and a statutory tort for breach of privacy. According to APF, the latter has been “recommended by five Australian Law Reform reviews over three decades”.
Mr Vaile believes that Labor and the Coalition hesitate from committing to privacy law reform to avoid restraining themselves should they form government. However, he qualified this by stating that there are parts of the major parties that support the need for privacy rights.
Commenting on the Coalition government since 2013, Mr Vaile expressed his frustration at the active attempts to “nobble, abolish, undermine, humiliate, or intimidate what’s left of the Privacy Commissioner” referring back to the Coalition’s failed attempt to abolish the OAIC and other tactics.
“They also just swamped [the OAIC] with administrivia. One example was the mandatory data breach disclosure system. If you don’t want to tell people you’ve lost all their data, you can go to the Privacy Commissioner and whine about why you shouldn’t have to. This creates this massive extra workload…because there’s lots of breaches that go on,” Mr Vaile said.
Responding to a question on notice, Attorney-General Michaela Cash noted that as of February 2 there were 85 data breach notices that had not been finalised. Further, the 2020-21 target of processing 80 per cent of notifiable data breaches within 60 days was only just met.
Before entering the caretaker period, the Coalition failed to introduce stricter penalties for data breaches. In April, it was reported that a review of the Privacy Act also running six months late.
The Labor party and the Coalition were contacted for comment asking what their response to the privacy priorities, but no reply was received.
There are a number of privacy related issues the Government will need to address one way or another. The first is what to do with the Attorney General’s Department review of the Privacy Act 1988. The Digital Platform’s Inquiry made significant privacy and consent recommendations, summarised as:
Protecting privacy
In light of the overlapping nature of privacy, competition and consumer protection issues in digital markets, the ACCC has made a range of privacy-related recommendations, including:
-
- Strengthening protections in the Privacy Act
- Broader reform of the Australian privacy law framework
- The introduction of a privacy code of practice specifically for digital platforms
- The introduction of a statutory tort for serious invasions of privacy.
The Inquiry found that digital platforms’ privacy policies are long, complex, vague and difficult to navigate and that many digital platforms do not provide consumers with meaningful control over the collection, use and disclosure of user data.
Problematic data practices include the use of click-wrap agreements and take it or leave it terms.
“We’re very concerned that current privacy policies offer consumers the illusion of control but instead are almost legal waivers that give digital platforms’ broad discretion about how they can use consumers’ data,” Mr Sims said.
“Due to growing concerns in this area, we believe some of the privacy reforms we have recommended should apply economy wide.”
The recommended amendments to the Privacy Act should be supplemented by an enforceable privacy code of practice, developed by the Office of the Australian Information Commissioner (OAIC), and address data practices specific to digital platforms.
Those recommendations have not be actioned yet. One possible reason for the reluctance to curb the collection of personal information and tighten consent requirements is set out in the ABC report Both Labor and the Liberals are using secretive databases to help sway your vote. Political parties are exempt from the operations of the Privacy Act but are very dependent on data.
The article provides:
Linda Fenech lives in the hyper-marginal seat of Macquarie in Sydney’s west, which is held by Labor by just 371 votes.
She regularly writes, calls and visits her local representatives as well as answers political robocalls.
As a mother of a child living with a disability, this lifelong Liberal voter says she is switching to Labor for the first time this election.
She’s what political data-crunchers would call a “persuadable”, a voter who could be nudged to swap sides.
With such a fine margin between success and failure, it’s people like Linda whom both parties are targeting with increasingly sophisticated messaging in a bid to win them over.
And it’s underpinned by a data-driven approach helping to transform stacks of data points harvested from the voting public to identify swing voters in key electorates.
The software being used to influence your vote
Labor’s voter database is called “Campaign Central”. In it, constituents are assigned a “persuadability score” based on information collected through polling and robocall results.
Data analysts then parse these results against the respondent’s key demographic information such as income, age and gender to produce statistical modelling which tells Labor strategists if you’re worth their time and effort.
University of Queensland’s (UQ) Glenn Kefford, who spent years researching both databases, says identifying voters as “moderately” or “highly persuadable” helps with campaigning.
“When they segment the voters up for targeting in phone banking, for example, the lists are really segmented along who’s most persuadable,” he said.
If you have a higher persuadability score, you’re more likely to receive phone calls or door knocks from volunteers or to have direct mail about specific issues the party knows you care about (based on what their software has on you) dropped into your letterbox.
Former Labor MP Emma Husar said scores were used to identify how the party could sway a voter on a particular issue.
“If they had a higher persuadability score you would find out what they are persuadable on … so health, education, defence … then you would tailor the messages to them, so it could be more calls from the MP … [or] bombard them with direct mail.”
According to one former Labor insider, persuadability scores could even help identify which members within a family group were more likely to respond to inducement.
“I could [see] the persuasion scores of people enrolled at an address, so I can walk to a family house of five and know I want to talk to only two people there, because I know for example the kids are persuadable and the mother and father have an entrenched voting pattern.”
The Liberals have a similar but older system called “Feedback”. Liberal campaign strategists concede that Labor’s set-up is years ahead of theirs.
The software may also help a party determine if it’s worth courting your vote at all. If Labor campaigners identified you as a rusted-on Liberal, they would avoid hassling you.
For Liberals, this kind of information may be determined through their position on defence and national security.
“Internally, we knew voters who rated defence and national security as a very important issue were likely to vote Liberal,” a current Liberal strategist said.
“Because of this, we wouldn’t bother sending them any campaign materials because we knew we had their vote anyway.”
Labor sources said similar conclusions could be drawn about their voters based on their recorded stances on healthcare and education.
How did the parties get this information about you?
If you’re registered to vote in Australia, you already exist in both the Liberal’s Feedback and Labor Campaign Central and there is no way to know what the parties have about you.
Political parties have been exempt from the Privacy Act since 2000. If a voter demanded access to their profiles, there is no legal obligation on the parties’ parts to show or remove the data if requested.
“Australia is one of the only advanced democracies where parties are completely exempt from privacy legislation,” Dr Kefford said.
Both programs are loaded with voter details supplied by the Australian Electoral Commission (AEC), which includes names, age and address.
Sources familiar with the software said the programs have extracted contact information from the electoral roll if voters voluntarily made it available.
Otherwise, parties may fill in gaps in contact details through external providers or other means such as scanning details filled out a party-affiliated postal vote registration forms.
The AEC said it does not provide voter’s phone numbers and email addresses to parties.
This personal information, initially intended to help politicians work with their constituents, forms the foundation of a data arms race between the two parties, who use it to build detailed pictures about their voters.
Every time you engage with your local representative’s office, the nature of your interaction can also be added as a point of data to your profile.
Insiders say this could be through paper surveys sent to you about the cost of living, responding to prompts on a robocall about voting intentions, or answering a doorknock from volunteers.
Party staffers wouldn’t even need to leave their desks.
“If you ever called your MP and complained about a specific issue, say about climate change or same-sex marriage, the person on the other side of the phone could look you up and add your thoughts in there,” a current Liberal strategist said.
The final result in their databases is a robust breakdown of your viewpoints.
This information would also follow you if you moved to another electorate and you would appear in a report for your new representative, which would be generated once you changed your registered address with the AEC.
Ms Fenech, 43, in the seat of Macquarie, grew up in a Liberal-voting household and has supported the incumbent party for most of her life.
As a mother of a child living with cerebral palsy, Ms Fenech researched the disability support policies of the major parties and has become a vocal supporter of Labor’s Susan Templeman.
Ms Fenech told the ABC that after she made it public she was switching her vote, she saw an increase in Liberal Party campaign material in her letterbox.
“What I found a bit crazy is after I was so vocal, we got a lot of propaganda in our mailbox, some addressed to me directly and some just junk mail, almost all of it was Liberal [material].
“I had one pamphlet that was geared toward NDIS, a lot of it had to do with the Liberal policies on what they had done with the NDIS.”
A former Liberal strategist told the ABC the team in Macquarie, historically a marginal electorate, had far more comprehensive profiles on voters than neighbouring safe seats.
The strategist said the campaign team would have seen her as someone worth engaging with given the seat is held by a margin of just 0.2 per cent.
“Unless they [Liberals] had a reason not to contact her, like if she had been very abusive during her interactions, they definitely would have tried to do something about her switch,” they said.
Current and former Liberal strategists said Feedback was a centrepiece of several victories in key battlegrounds.
The software was launched before John Howard’s campaign in 1996. It was at the time considered cutting-edge technology and one of the most sophisticated privately-created voter databases in Australia, if not the world.
After Republican strategist Karl Rove pioneered his infamous “metrics” system which helped George W Bush win the 2004 US presidential election through microtargeting, party faithful recognised the value of their software beyond sending out personalised mailouts.
A former Liberal strategist who worked in previous campaigns in marginal seats said the archives of data they kept in Feedback allowed the party to conduct surgical strikes in tight races.
Reports generated from Feedback would tell strategists at the start of a campaign who would be willing to put up corflutes, attend rallies or distribute flyers for the candidate.
Labor’s Campaign Central can also help generate a call list which would prioritise specific people higher up based on the back end of the database.
With limited resourcing, campaign teams on the ground would rely on their software to identify pressure points.
The current Liberal strategist said Feedback could help campaign teams determine, for instance, which local park a truck towing a party billboard should visit.
Another former strategist went one step further, saying if the database on potential swing voters was robust enough they could even nominate specific residences to target with the drive-by billboard.
This was particularly useful in rural areas, where there was less housing density across wider geographical areas.
But how granular a party can go with data has been the subject of much internal contention.
Dr Kefford questioned how effective “persuadability scores” were in practice.
“Even the data scientists themselves and data analysts raise questions about how accurate those figures often are,” the political scientist said.
Yet, parties were collecting and maintaining “tonnes and tonnes of data”.
“The major parties have hundreds of data points on most Australian voters,” Dr Kefford said. “I guess the question is, how much of it is useful?”
One former Liberal strategist said big data, particularly consumer data, which the Liberal Party flirted with was akin to snake oil.
“We just couldn’t see how the size of someone’s underwear would help us win their vote,” they said.
Name and shame to collect
Despite some internal reticence around data collection, insiders say that every MP is expected to chip in.
“Party whips could see before meetings the progress of each office and how many data points they were adding,” a current Liberal Party staffer said.
“If they were falling behind, MPs and their staffers would be named and shamed.”
Macquarie MP Susan Templeman told the ABC she takes the privacy of individuals seriously and would not comment on conversations she’s had with them.
Former Labor MP Emma Husar, who left the party in acrimony, said she was concerned at the time about the lack of restrictions and protocols on who could access voter data.
She said her staff and volunteers were able to access the software in their electorate without any formal privacy training.
“The amount of data that I had access to … and I wasn’t given any specialist kind of privacy [training], you know what to do if you came across something that was a bit worrying or concerning,” she said.
“The use, and the monitoring and the security of it is all right up in the air, and I would say the ethics of it as well.”
Dr Kefford, in the course of his research into campaigning, also observed a lack of privacy protocols.
“Privacy was not a key focus of campaigns on the ground … There was no major emphasis for volunteers to have a clear understanding of privacy guidelines.”
The ABC understands both parties have restrictions around access to their voter data software. MPs would only have access to their own constituents, while senators and party headquarters could see information from across the state.
There have been notable cases of former Labor party staffers misusing their access to the database.
Given the strong incentive not to do much generally about improving privacy protections it is important to havea strong civil society with effective pressure groups. Unfortunately the Australian Privacy Foundation doesn’t fit the bill. It has been ineffective for many years. It is not alone. There are others, digital rights watch and Electronic Frontiers Australia. They are all well meaning, filled with well educated types but politically inept. They tend to vent to each other about the latest privacy outrage, often with some justification. But they make no real impact on a broader stage, beyond being a talking head when a privacy story reaches the mainstream, from another source. The recent Federal election campaign is a classic example of how ineffective they are. The Australian Privacy Foundation attempted to engage in the election campaign through a media release, which it published on 11 April titled Federal Election Platform Principles 2022. As media releases go, it was dreadful. What it wants done is admirable. How it describes it, less so. It is a turgid, wordy and unfocused document which defies an editor to report on it. It provides:
APF draws attention to privacy issues in submissions to parliaments, regulators, and agencies. But all too often the response is creeping intrusion, feeble protection, and flimsy promises of ‘trust us, your data is safe’.
It is past time for Australian MPs, ministers, government agencies and contractors to develop some humility. They do not, and cannot, control worldwide privacy regimes and security threats, or the algorithms ruling shared, aggregated or online digital information. Unenforceable assurances will no longer work.
People in Australia will only trust and have confidence in government and business collecting, storing, and using their vulnerable personal information if it is done in trust-worthy privacy-enhancing systems, covered by strong laws with minimal exemptions, and with easy enforcement when things go wrong – not the mess of loopholes, exceptions, back-door tricks and ‘wet lettuce-leaf’ indirect enforcement we have under current law. The key defects set out below require amendments to bring privacy protection under Australian law, mainly Privacy Act 1988 (Cth), into the 21st century and up to the standard of peer developed countries.
-
- The legal definition of ‘consent’ needs to be fixed to reflect its real meaning, requiring ‘active and properly informed consent’ rather than ‘implied consent’. Silence, pre-ticked boxes, or inactivity mustn’t be accepted as valid ‘consent’. What we’re told about risk and disclosure must be blunt and clear.
- Privacy Act exemptions are out of control and insidious. At least the following must be removed:
- employee records
- registered political parties, and political ‘acts and practices’
- journalism, except reports about public officials and others in performance of their duties
- The Australian Broadcasting Corporation Act 1983 should be amended to:
- ensure Australians are not required to provide their personal information or register for a mandatory account to access the ABC’s full digital media services
- forbid ABC from sharing (re-)identifiable personal information with other entities or platforms
- Personal information should only be exposed to publication as ‘Open Data’, or other uncontrolled circulation, if it is genuinely and permanently anonymous. It should be banned from being described or treated as ‘de-identified’ unless the process used conclusively proves the data can no longer ever be re-linked to a person, under any circumstances, at any time in the future, backed up by ongoing audits.
- We need a statutory tort for breach of privacy, at last, as recommended by five Australian Law Reform reviews over three decades. Australia must no longer be the only equivalent country where citizens have no means to take legal action to protect their personal dignity. The blueprint’s been discussed and consulted on for years, it’s ready to go, the rest of the world copes, let’s stop the fudging and do it.
- We need a dedicated, properly resourced Privacy Commissioner again, to address the current privacy complaint backlog, and future data privacy exploits and threats. A conflicted, sporadic regulator fails us.
Making an impact is difficult for any pressure group/civil society organisation. To do so requires sustained effort that extends beyond poorly drafted press releases.