Attorney General’s Privacy Act Review Report: Chapter 11, consent. Review, analysis and consideration.

July 25, 2023

Chapter 11 of the Privacy Act Review Report considers the operation of consent under the Privacy Act and possible reforms.  

The issue of consent regarding handling of personal information is vexed, not just in Australia but throughout jurisdictions which have data protection laws. The concern is that, all too often, consent is not the product of true agreement. Few consent without reading those notices. Often those terms are lengthy, drafted in complex legalese and the provisions relating to the use, collection and disclosure of personal information are buried deep in the notices. If a person wishes to use a service they must consent to the terms and conditions of the service provider or retailer set out in Privacy Notices. Is there really consent if the service is critically necessary? As an example, Barristers Chambers Limited sent all Victorian barristers terms and conditions with a requirement that they be agreed to by 30 June. If the box wasn’t ticked, no email services hosted by Barristers Chambers Limited. The permissions given to the provider are extensive and, in part, quite ridiculous. Onerous doesn’t begin to describe them. They seem to be inspired by the mill owners of 18th century England. There is no way I would advise a client to accept them if given a choice. But like all barristers I need to be on the Barristers Chambers Network. So I signed up to them. And hope for the best. Which will probably be the case. That doesn’t make the terms and conditions any more reasonable.

Some experts are sceptical that proper consent can ever be effected. In an excellent paper published earlier this year, Murky Consent: An Approach to the Fictions of Consent in Privacy Law, David Solove suggested a way of accepting the inadequacy of consents but achieving a satisfactory outcome. The abstract provides:

Consent plays a profound role in nearly all privacy laws. As Professor Heidi Hurd aptly said, consent works “moral magic” – it transforms things that would be illegal and immoral into lawful and legitimate activities. Regarding privacy, consent authorizes and legitimizes a wide range of data collection and processing.

There are generally two approaches to consent in privacy law. In the United States, the notice-and-choice approach predominates, where organizations post a notice of their privacy practices and then people are deemed to have consented if they continue to do business with the organization or fail to opt out. In the European Union, the General Data Protection Regulation (GDPR) uses the express consent approach, where people must voluntarily and affirmatively consent.

Both approaches fail. The evidence of actual consent is non-existent under the notice-and-choice approach. Individuals are often pressured or manipulated, undermining the validity of their consent. The express consent approach also suffers from these problems – people are ill-equipped to make decisions about their privacy, and even experts cannot fully understand what algorithms will do with personal data. Express consent also is highly impractical; it inundates individuals with consent requests from thousands of organizations. Express consent cannot scale.

In this Article, I contend that in most circumstances, privacy consent is fictitious. Privacy law should take a new approach to consent that I call “murky consent.” Traditionally, consent has been binary – an on/off switch – but murky consent exists in the shadowy middle ground between full consent and no consent. Murky consent embraces the fact that consent in privacy is largely a set of fictions and is at best highly dubious.

Abandoning consent entirely in most situations involving privacy would involve the government making most decisions regarding personal data. But this approach would be problematic, as it would involve extensive government control and micromanaging, and it would curtail people’s autonomy. The law should allow space for people’s autonomy over their decisions, even when those decisions are deeply flawed. The law should thus strive to reach a middle ground, providing a sandbox for free play but with strong guardrails to protect against harms.

Because it conceptualizes consent as mostly fictional, murky consent recognizes its lack of legitimacy. To return to Hurd’s analogy, murky consent is consent without magic. Instead of providing extensive legitimacy and power, murky consent should authorize only a very restricted and weak license to use data. This would allow for a degree of individual autonomy but with powerful guardrails to limit exploitative and harmful behavior by the organizations collecting and using personal data. In the Article, I propose some key guardrails to use with murky consent.

Consent is currently only required under the Act for a limited range of collections, uses and disclosures of personal information, such as the collection of sensitive information. It may also allow APP entities to use or disclose personal information for a secondary purpose. Consent may be relied on to authorise the use or disclosure of personal or sensitive information for the purposes of direct marketing in certain circumstances, or as a basis for cross-border disclosures of personal information.

In the Act consent can be express or implied. The Guidelines state that a number of conditions must exist for consent to be valid, including that it be informed, voluntary, current and specific, and ‘the individual has the capacity to understand and communicate their consent’.

Notwithstanding the DPI Report recommending that consent be required for any collection, use or disclosure of personal information except where personal information is necessary for performance of a contract, for compliance with a legal requirement, or is otherwise necessary for a public interest reason, the submissions generally opposed giving consent a more prominent role under the Act. It was seen as most effective when used in a narrow range of situations where individuals most need to exert control over their personal information. Submissions noted that:

  • requiring consent in additional circumstances would lead to ‘consent fatigue’: where individuals are overwhelmed with the number of consent requests that they receive, and are less able to effectively engage with those consents
  • consent unreasonably places the burden of privacy protection on individuals: where individuals are required to consider complex data handling practices and unknown privacy harms that may materialise in the future rather than being able to be confident that the collection, use or disclosure will not be harmful
  • it would be unnecessarily burdensome on APP entities to obtain consent in many situations: where a collection, use or disclosure of personal information would be reasonably expected by the individual or broader community, and
  • consent is only meaningful where the individual has a real choice: where individuals feel resigned to consenting to the use of their information to access online services as they do not consider there is any alternative.

Consent fatigue is commonly trotted out by organisations when proposals require them to provide more information than they are required to do.  It is more myth than reality.  Similarly the claim about burden is fairly specious.  The processes to get consent are quite well established. 

The OAIC submitted that consent should be reserved for high privacy risk situations on the basis that requiring consent for reasonably expected personal information handling may reduce it to a tick-box exercise which ‘will detract the value of consent in higher-risk situations where it will actually be valuable’.  Given the tenor of the submissions and the OAIC’s position it is hardly surprising that the Report recommended that there be no change to consent requirements but rather introduce reforms:

  • requiring APP entities to:
    • handle personal information fairly and reasonably,
    • conduct PIAs before engaging in high privacy risk activities and
    • not engage in certain personal information handling practices that pose significant risk of harm.
  • instituting additional privacy rights, including a right:
    • to access and explanation,
    • to object and to opt-out of certain data handling practices,
    • of erasure which would allow individuals to exercise more control over their personal information beyond the point of collection.

The Report in considering what constituted valid consent noted concerns about:

  • some entities deliberately:
    • concealing the nature of their data handling practices
    • employing choice architecture which influences consumer choice by appealing to certain psychological or behavioural biases, including ‘dark patterns’ designed to ‘confuse users make it difficult for them to express their actual preferences, or manipulate them into taking certain actions’.
  • vaguely worded or bundled consents that:
    • detract from the effectiveness of consent,
    • prevent individuals from:
      • understanding what they are consenting to, or
      • exercising choice as between a number of information-handling practices.

To deal with these concerns the Report proposes amending the definition of consent to be:

11.1 Valid consent

Amend the definition of consent to provide that it must be voluntary, informed, current, specific, and unambiguous

The Report set out the following details in interpreting the proposed elements:

  • Voluntary – An individual must have a genuine opportunity to provide or withhold consent. Drawing on the guidance on the GDPR’s equivalent, the requirement for freely given consent implies ‘real choice and control’ for individuals, and that if ‘consent is bundled up as a non-negotiable part of terms and conditions it is presumed not to have been freely given’. The OAIC submitted that consent is unlikely to be voluntary ‘when the provision of service is conditional on consent to personal information handling that is not necessary for the provision of the service, as per Article 7(4) of the GDPR’.
  • Informed – This means providing sufficient information in an understandable form so that the individual is likely to be aware of the implications of providing or withholding consent to the handling of their personal information. It also means using clear and plain language.
  • Current – The purpose for collecting personal information must be sufficiently linked to the consent. Whether a particular consent is current depends on context. Consent is current where the purpose for which the personal information is handled has not materially changed. Consent cannot be assumed to endure indefinitely.
  • Specific – Consent must be sufficiently precise as to the purpose for which the individual is providing consent. It is necessary to guard against overly broad or ‘bundled consents’. The degree of specificity depends on circumstances including the sensitivity of the personal information, whether the proposed collection, use or disclosure is for a purpose that is essential or non-essential for the provision of a service, and whether the collection, use or disclosure would be reasonably expected by the individual.
  • Unambiguous – The consent must be unambiguous, and the use of an opt-out mechanism to infer an individual’s consent is only appropriate in limited circumstances.

The Report supports an expressly recognised right to withdraw consent in the Act to reinforce the importance of valid consent. The recommendation provides:

11.3 A right to withdraw consent

Expressly recognise the ability to withdraw consent, and to do so in a manner as easily as the provision of consent. The withdrawal of consent would not affect the lawfulness of how the personal information was handled before the consent was withdrawn.

There were 2 options on whether online services should be required to implement default privacy settings in certain circumstances, and whether online services should ensure that privacy settings are easy for individuals to access and use.

  • Option 1 – Pro-privacy settings enabled by default: An entity must pre-select privacy settings to be the most restrictive. This could apply to personal information handling that is not strictly necessary for the provision of the service, or specific practices identified through further consultation, and
  • Option 2 – Require easily accessible privacy settings: Entities must provide individuals with an obvious and clear way to set all privacy controls to the most restrictive, such as through a single click mechanism.

The submissions broadly supported Option 1, with unsurprising resistance from large data-hungry organisations such as Telstra. Submitters were also generally supportive of Option 2, with the reservation being that a ‘one click mechanism’ would not be appropriate for all entities and in some instances could lead to consumers turning off essential functionality. Some considered that Option 1 and Option 2 may not necessarily be mutually exclusive and that both options should be adopted to ensure that, where introduced, pro-privacy default settings are enabled, as well as easily accessible and clear for consumers to modify.

The Act requires that only personal information and sensitive information that is reasonably necessary for, or directly related to, an entity’s functions or activities may be collected.

The Report proposes that an entity be allowed to collect, use and disclose information only where it is fair and reasonable in the circumstances.  This will translate into Option 1 and give effect to the data minimisation principles underpinning the Act.

It is relevant to note that online privacy settings would also be affected as part of the Children’s Online Privacy Code, which would apply to online services that are likely to be accessed by children. The recommendation is:

11.4 Privacy settings for online services

Online privacy settings should reflect the privacy by default framework of the Act.

APP entities that provide online services should be required to ensure that any privacy settings are clear and easily accessible for service users.

 
