Chapter 12 of the Attorney Generals’ Report on the Privacy Act Review. Fair and reasonable test for the collection, use and disclosure of personal information. A positive proposal worth supporting

September 4, 2023

Chapter 12 of the Privacy Act Review Report is significant and the recommendations, if accepted, will improve accountability in the collection and use of personal information. It will certainly involve more than ticking boxes and relying on voluminous privacy statements which aim to ensure compliance with the APPs but do not properly address why it is necessary to collect the troves of data many entities currently do.

The chapter focuses on personal information handling practices. Consistent with complaints that privacy practitioners have made for years, submissions to the review, including from the ACCC, also complained about practices which do not meet community expectations. Submissions recommending improvements to the quality of collection notices and consent indicated that reform of privacy policy, collection notice and consent requirements alone would not adequately address emerging privacy risks. They also highlighted the shortcomings of a regulatory approach in which individuals are expected to read and understand voluminous collection notices and privacy policies to evaluate current and future privacy risks. They suggested that at present entities have significant discretion in determining whether a collection is reasonably necessary for their functions and activities under APP 3, which could include practices that may not meet consumer expectations.

The Report stated it is not reasonable that individuals should bear primary responsibility for ensuring that they do not experience harm as a result of an entity’s information-handling practices.

The Report noted the role of legitimacy and proportionality in assessing collections of personal information, citing Jurecek v Director, Transport Safety Victoria, where Bell J noted that, under the collection limitation principle in the Information Privacy Act 2000 (Vic), determining whether a collection of personal information is ‘reasonably necessary’ should include ‘balancing, in a reasonably proportionate way, the nature and importance of any legitimate purpose and the extent of the interference.’ Jurecek has been cited and applied by the Information Commissioner when interpreting APP 3 of the Act.

The identified weaknesses of the current principles are:

  • they do not require consideration of the impact on individuals or individuals’ reasonable expectations
  • they regulate the relationship between a chosen objective (purpose of processing) and the type of processing / personal data being processed, without imposing particular restrictions as to the objective (purpose) that may be pursued
  • that under APP 6, ‘there is no requirement for the “primary purpose” to be a purpose that consumers are aware of, or a purpose that is necessary or beneficial to consumers’.
  • that the APPs do not currently require entities to expressly consider whether personal information handling is within the reasonable expectations of an individual, except when using or disclosing for a secondary purpose under APP 6.2.
  • the requirement for a collection to be fair and lawful is limited to the means by which personal information is collected, and has been narrowly interpreted as a collection ‘that does not involve intimidation or deception, and is not unreasonably intrusive.’
  • that individuals can be required to consent to entities’ information-handling practices as a condition of accessing many digital services, including intrusive or harmful practices.

The Report rejected adopting lawful bases for processing, as that would fundamentally change the current principles-based approach in the Act and would require reconfiguration of the APPs and possibly adopting the concept of ‘processing.’ This would have implications for APPs 3, 5, 6 and 8. The Report considered that, as APPs 3 and 6 allow for the collection, use and disclosure of personal information for the purposes set out in the GDPR’s lawful bases, such a fundamental change was unnecessary.

The Report suggested an overarching fair and reasonable test for the collection, use and disclosure of personal information, with legislated factors to assist with applying the test. It recommended an objective reasonable person standard, as used in Canada and Singapore.

The European Data Protection Board (EDPB) advised that the fairness principle in Article 5(1) recognises ‘the reasonable expectations of the data subjects, considering possible adverse consequences processing may have on them, and having regard to the relationship and potential effects of imbalance between them and the controller’. Operative elements of the fairness principle include:

  • Autonomy – Data subjects should be granted the highest degree of autonomy possible to determine the use made of their personal data, as well as over the scope and conditions of that use or processing
  • Interaction – Data subjects must be able to communicate and exercise their rights in respect of the personal data processed by the controller
  • Expectation – Processing should correspond with data subjects’ reasonable expectations
  • Non-discrimination – The controller shall not unfairly discriminate against data subjects, and
  • Non-exploitation – The controller should not exploit the needs or vulnerabilities of data subjects.

The Report noted that protections based on fairness are found in other Commonwealth legislation and the concept of reasonableness is found throughout the Privacy Act. It is used in proportionality analysis and employed when considering whether a law that limits a right or principle is justified, by asking whether the law is reasonably appropriate and adapted to serve a legitimate end.

The Report stated that the fair and reasonable test would provide a principles-based means of determining whether the handling of individuals’ personal information is permissible. The practices in question would include:

  • the creation and sharing of detailed profiles on consumers,
  • the use of machine learning to infer traits about an individual without their knowledge,
  • targeting content and advertising to individuals based on predicted vulnerabilities,
  • the use of personal information for political microtargeting and
  • the use of biometric data in certain contexts.

This has resulted in the formal recommendation of:

12.1 Amend the Act to introduce a requirement that the collection, use and disclosure of personal information must be fair and reasonable in the circumstances.

It should be made clear that the fair and reasonable test is an objective test to be assessed from the perspective of a reasonable person.

The Report agreed with many submissions that legislated factors would be important. Interestingly, the Information Commissioner submitted that factors would ensure that the test is interpreted by APP entities and the courts ‘from a uniquely privacy law perspective.’ The Information Commissioner has had a poor track record in the Federal Court. That is partly because the Federal Court has found the Privacy Act a bewildering piece of legislation and has not considered it from a distinct and uniquely privacy approach; that said, the Information Commissioner also has a poor record as a litigator. It is then curious that the Report regards the Information Commissioner’s enforcement as something that ‘will map the contours of the fair and reasonable test over time.’ That is incredibly optimistic. The Information Commissioner has a poor output and, as mentioned above, comes off second best in its cases in the Federal Court to date.

The Report proposes a non-exhaustive list of legislated factors which would not operate as a standalone test. Those factors are:

1) Reasonable expectations

This involves consideration of whether a reasonable individual would expect the personal information to be collected, used or disclosed in the circumstances. Certain kinds of information would be subject to stronger standards of privacy protection, for example, sensitive information, location data or smart home data.

What a reasonable person would expect would be influenced by:

  • the nature of the product or service offered
  • the purpose for which personal information is being collected, used or disclosed
  • services that are likely to be used by vulnerable cohorts of individuals, such as children.

2) Kinds, sensitivity and amount of personal information

It is fair and reasonable for certain types of information to be treated with a higher degree of care.

Sensitivity encompasses sensitive information as defined in section 6 or other information that would be considered ‘sensitive’ according to the ordinary meaning of the term.

This factor also takes into account the amount of personal information collected, used and disclosed, which would support the principle of data minimisation. Privacy risks can be reduced or avoided when a data minimisation approach is adopted.

3) Functions and activities of the entity

This factor considers:

  • whether a reasonable person would consider personal information handling to be fair given the functions, activities and objectives of the entity
  • whether a proposed collection, use or disclosure is reasonably necessary for the functions and activities of the agency.

4) Risk of unjustified adverse impact or harm

This involves consideration of:

  • the risk of unjustified adverse impact or harm that personal information handling poses to individuals
  • the nature, seriousness and likelihood of the risk materialising from the activities of the APP entity
  • the privacy harms that can sometimes result from the handling of personal information, which could include:
      • direct or indirect financial loss
      • physical, psychological or emotional harm
      • negative outcomes with respect to an individual’s eligibility for rights, benefits or privileges in employment, credit and insurance, housing, education, professional certification or provision of health care and related services
      • reputational harm, significant inconvenience or expenditure of time.

The reference to ‘unjustified’ adverse impact or harm acknowledges that the handling of personal information may not always be advantageous to the individual. The issue is whether it is fair in the circumstances.

5) Whether the impact on privacy is proportionate to the benefits

Proportionality involves an assessment as to whether any impact on privacy is proportionate to the benefit. The impact may be on a single individual or many individuals and the benefit may be to the affected individual(s) or some other party, including the APP entity.

The Report suggests including within the explanatory memorandum:

  1. whether the collection, use or disclosure intrudes to an unreasonable extent upon the personal affairs of the affected individual
  2. whether there are less intrusive means of achieving the same ends at comparable cost and with comparable benefits, and
  3. any actions or measures taken by the entity to mitigate impacts to privacy.

6) Best Interests of the Child

The Report recommends a standalone factor acknowledging the special treatment which should attach to the personal information of children: whether the collection, use or disclosure of the personal information is in the best interests of the child.

7) The objects of the Act

This final factor allows consideration of the objects of the Act when assessing whether a reasonable person would consider a collection, use or disclosure to be fair in the circumstances. This involves ensuring that an appropriate and proportionate balance is struck between the public interest in protecting the privacy of individuals, the interests of APP entities and other public interests.

The Report’s recommendation is:

12.2 In determining whether a collection, use or disclosure is fair and reasonable in the circumstances, the following matters may be taken into account:

(a) whether an individual would reasonably expect the personal information to be collected, used or disclosed in the circumstances

(b) the kind, sensitivity and amount of personal information being collected, used or disclosed

(c) whether the collection, use or disclosure is reasonably necessary for the functions and activities of the organisation or is reasonably necessary or directly related for the functions and activities of the agency

(d) the risk of unjustified adverse impact or harm

(e) whether the impact on privacy is proportionate to the benefit

(f) if the personal information relates to a child, whether the collection, use or disclosure of the personal information is in the best interests of the child, and

(g) the objects of the Act.*

The EM would note that relevant considerations for determining whether any impact on an individual’s privacy is ‘proportionate’ could include:

  • whether the collection, use or disclosure intrudes upon the personal affairs of the affected individual to an unreasonable extent
  • whether there are less intrusive means of achieving the same ends at comparable cost and with comparable benefits, and
  • any actions or measures taken by the entity to mitigate the impacts of the loss of privacy on the individual.

*The final wording of any legislative provisions will be developed through the legislative drafting process.

The Report recommended that:

  • aside from consent and the exception in APP 6.2(a), the fair and reasonable test should not apply to the exceptions in APPs 3.4 and 6.2(b)-(e).
  • the fair and reasonable requirement should replace the reference to a ‘fair means’ of collection in APP 3.5.
  • APP 3.5 would be replaced by a broader test which is not limited to the means of collection and applies to the use and disclosure of personal information, and would allow for a holistic assessment of the means, purposes and impacts of information handling.

The Report proposes:

12.3 The requirement that collection, use and disclosure of personal information must be fair and reasonable in the circumstances should apply irrespective of whether consent has been obtained.

The requirement that collection, use and disclosure of personal information must be fair and reasonable in the circumstances should not apply to the exceptions in APPs 3.4 and 6.2(b)-(e).

The reference to a ‘fair means’ of collection in APP 3.5 should be repealed.
