Report of the Privacy Act Review by the Attorney General’s Department: Chapter 8, the Political Exemption. Consideration and analysis. Not a particularly elegant solution to a difficult problem.
May 21, 2023 |
Te political exemption in the Privacy Act raises public policy questions that the small business operator and employee records do not. It is also an area of law where the common law has developed to protect free speech. The Report undertakes a significant analysis.
The extent of the exemption:
Under the Privacy Act:
- registered political parties are entirely exempt
- under section 7C political representatives (MPs and local government councillors), and their affiliates and the affiliates of registered political parties are exempted from acts and practices done for any purpose in connection with an election, a referendum, or participation in another aspect of the political process.
This means that currently if a registered political party collects, uses or discloses personal information for a purpose unconnected with the political process, it is not required to comply with the Act. Other political entities are only exempt from the Act’s requirements to the extent that they are handling information for purposes connected to the political process under section 7C.
Under this exemption a registered political party can handle personal information other than for a purpose connected to the political process and still be exempted from the Privacy Act provisions. This is an anomaly given the the rationale for the exemption was to encourage freedom of political communication. There has been no reported instances of a political party taking advantage of this situation. That is probably because political parties are focused on collecting information only for political reasons.
Rationale for exemption
The stated rationale for the exemptions was:
- to encourage freedom of political communication and enhance the operation of the electoral and political process in Australia.
- to operate in a manner consistent with the implied freedom of political communication under the Australian Constitution.
While the Australian Law Reform Commission in its Report 108 recognised the special status of political acts and practices under the Constitution as the most compelling reason for exempting political acts and practices of political entities it still concluded that registered political parties should be brought within the scope of the act and the exemption for political entities should be removed to promote public confidence in the political process and remove the advantage which the exemption confers on incumbent political entities.
The Issues Paper sought feedback on whether political acts and practices should continue to be exempted from the operation of some or all of the Australian Privacy Principles.
The Discussion Paper canvassed the approach to regulating political parties under data protection laws in the UK, Canada and New Zealand.
The Report noted that almost all submissions on this exemption considered it was not justifiable and should be narrowed or removed. The OAIC submitted that there was little evidence that data protection laws operating in other countries have had any considerable impact on political parties’ ability to perform their basic democratic roles, including political communication.
The Report proposed amending the definition of ‘organisation’ to include registered political parties, and that they be included within the scope of the exemption in section 7C of the Act. Accordingly registered political parties would be required to comply with the APPs in the handling of personal information, to the same extent as political representatives (and political affiliates) unless exempted by the operation of the exemption in section 7C.
Regarding transparency the Report:
- confirmed there were concerns about transparency in the handling of voters’ information whereby political parties in collecting personal information about voters from a variety of sources such as media and data brokerage services and the electoral rolls, can build large databases with detailed information about voters without their knowledge or consent. They are not required to inform voters of the ways in which their personal information is collected, or specify how it will be used or disclosed.
- considered that greater transparency in relation to political communication may, be consistent with and support the constitutionally-prescribed system of government but serve to protect it citing LibertyWorks Inc v Commonwealth where the High Court found the purpose of the Foreign Influence Transparency Act 2018 intention of making transparent the involvement of foreign interests in political communication , was consistent with the freedom of political communication and ‘reinforces the freedom despite doing so by burdening some political communication.’
- proposed that the Act be amended to require political entities to be more transparent about how they handle personal information by requiring entities that are covered by the political exemption in section 7C to have a privacy policy in accordance with APP 1.
The question of reasonableness in the handling of information raised because of:
- the advent of ‘Big Data’ and data analytics has transformed political campaigning. The concern is that the political exemption enables political parties to use voter information in targeting systems to deliver political messaging and advertisements in ways which may negatively impact democracy.
- the deployment of online political ‘micro-targeting’ where political parties collect data about individuals which can be classified into groups of people susceptible to a certain message and then tailoring online content to those groups. This can rely on ‘profiling’, the analysis of information about an individual to evaluate aspects about them and permits classifying them into different groups or sectors by means of algorithms or machine learning. Profiling and targeted advertising and content uses information which individuals may intentionally provide, as well as information obtained in less consensual ways which may be repurposed for unanticipated objectives.
- the Cambridge Analytica scandal where data was accessed from Facebook and used to target individuals with political messages
- targeting of political messaging and advertisement can impact democracy by inhibiting informed political debate and restricting voters’ ability to make freely informed decisions.
- delivery of political information directly to an individual, targeting reduces public scrutiny and collective deliberation. The OAIC submitted that targeting has been linked to political polarisation.
- a report by the Australian Communications and Media Authority (ACMA), there is increasing concern within the community over online disinformation and misinformation. Micro-targeted advertising is an area of concern that the ACMA is continuing to monitor.
- privacy breaches and the apparent misuse of personal information in the political life of other democracies, with potential ramifications which are much broader than privacy harms affecting single individuals. There is a public interest in protecting the privacy of all Australians in the political sphere.
The Report refers to the UK as a supporting example. UK political parties are subject to data protection laws, including that data be processed ‘lawfully, fairly and in a transparent manner’. According to UK ICO guidance:
- fairness requires personal data to be handled only in ways that people reasonably expect, and not used in ways that have unjustified adverse effects on them
- it is unlikely to be fair if a person is deceived or misled when the personal data is obtained, and
- before engaging with voters using methods such as data analytics, micro-targeting and automated calling, a campaigner must assess whether the proposed methods are fair.
The Report proposes:
- adopting a ‘fair and reasonable’ test. It will be an objective test and require that the collection, use and disclosure of personal information in political acts and practices be fair and reasonable in the circumstances.
- the application of the fair and reasonable test apply to targeting undertaken by political entities. Targeting involves the collection, use or disclosure of information which relates to an individual, including personal information, deidentified information, and unidentified information, for tailoring services, content, information, advertisements or offers provided to or withheld from an individual (either on their own, or as a member of some group or class).
The fair and reasonable test will have seven legislated factors:
- Whether an individual would reasonably expect the collection, use or disclosure.
- The kinds, sensitivity and amount of personal information.
- Whether the collection, use or disclosure is reasonably necessary to achieve the functions and activities of the organisation.
- The risk of unjustified adverse impact or harm.
- Whether the impact on privacy is proportionate to the benefits.
- If the personal information relates to a child, whether the collection, use or disclosure is in the best interests of the child.
- The objects of the Act.
The Report advocates the fair and reasonable requirement because it would:
- protect the integrity of the democratic electoral process.
- not prevent voters’ information being used to communicate with them but would require additional steps in the handling of that information, including being more transparent and only collecting, using or disclosing it where it is reasonably necessary for the political purpose and not in ways a reasonable individual would not expect.
- have the practical effect of reducing the circumstances in which the personal attributes of individuals could be used by political entities to profile or target them, but would protect privacy together with the integrity of the Australian democratic electoral process.
The Report also recommends that the prohibition on targeting based on certain types of sensitive information and traits apply to targeting undertaken by political entities. This will include targeting on the basis of sensitive information can be used to marginalise or discriminate against minority groups. The prohibition should not extend to targeting based on political opinions, membership of a political association or membership of a trade union. The Report recommends including a ‘savings clause’ could be included to allow a court to read down the application of the Act to ensure constitutional validity.
Currently the political exemption operates to prevent individuals from exercising control in relation to the use of their information by political entities. Political parties are able to use personal information to make unsolicited calls and texts without individuals being able to opt out. The political exemption operates to remove the right for individuals under APP 7 to opt out of direct marketing from political entities.
Under the Spam Act and the DNCR Act a specific exemption exists for certain ‘designated telemarketing calls’ (and faxes) by registered political parties, independent members of parliament and electoral candidates. This includes calls (and faxes) to conduct fund-raising for political or electoral purposes. Under the Spam Act there is a specific exemption for ‘designated commercial electronic messages’ authorised by a registered political party.
The Report recommends that individuals should be able to opt out of receiving targeted advertising and have an unqualified right to opt out of their personal information being used or disclosed for direct marketing which would include promoting the aims and ideals of any organisation, including political campaigning. The proposed amendment may result in inconsistency where a registered political party, independent member of parliament or electoral candidate authorises the making of a designated telemarketing call, or the sending of designated marketing fax. Where a registered political party sends a ‘designated commercial electronic message’ for a purpose connected to the political exemption there may be an inconsistency between the proposed amendments and the Spam Act. That warrants consideration of the provisions of the DNCR Act and Spam Actto ensure there is a consistent policy in relation to communications from political entities.
The Report also recommends that all political entities be required to:
- take reasonable steps to protect personal information and to destroy it when it is no longer required for any purpose in connection with:
- an election,
- a referendum or
- participation in another aspect of the political process,
in line with the requirements in APP 11.
- comply with the reporting requirements under the NDB scheme.
The Proposals are:
8.1 Amend the definition of ‘organisation’ under the Act so that it includes a ‘registered political party’ and include registered political parties within the scope of the exemption in section 7C. |
8.2 Political entities should be required to publish a privacy policy which provides transparency in relation to acts or practices covered by the exemption. |
8.3 The political exemption should be subject to the following requirements: a) Political acts and practices covered by the exemption must be fair and reasonable. b) Political entities must not engage in targeting based on sensitive information or traits which relates to an individual, with an exception for political opinions, membership of a political association, or membership of a trade union. The political exemption should include a savings clause as per Recommendation 41-2 of ALRC Report 108. |
8.4 The political exemption should be subject to a requirement that individuals must be provided with the means to: a) opt-out of their personal information being used or disclosed for direct marketing by a political entity, and b) opt-out of receiving targeted advertising from a political entity.
|
8.5 The political exemption should be subject to a requirement that political entities must: a) take reasonable steps to protect personal information held for the purpose of the exemption from misuse, interference and loss, as well as unauthorised access, modification or disclosure b) take reasonable steps to destroy or de-identify the personal information it holds once the personal information is no longer needed for a purpose covered by the political exemption, and c) comply with the NDB scheme in relation to an eligible data breach involving personal information held for a purpose covered by the political exemption. |
8.6 The OAIC should develop further guidance materials to assist political entities to understand and meet their obligations. |
The Proposals taken as a whole will pare back the exemptions enjoyed by political parties. As to how they operate in practice is the the scope and operation of “fair and reasonable” and the extent to which the obligation to destroy personal information after an election/referendum/other activity is read broadly or narrowly. Political parties operate constantly and it is often difficult to draw a line between the time they are campaigning for something or another and the time they are not.