By Natasha Roberts
In this post, we take a closer look at the ‘fair and reasonable test’ – a proposal in the recent review of the Privacy Act 1988 (Cth) (Privacy Act) which the Government ‘accepted in principle’. In our view, the introduction of a fair and reasonable test to the Privacy Act is welcome and has the potential to rebalance the Privacy Act away from personal responsibility (‘Well, you consented so it’s on you if your privacy was impacted’) and towards organisational responsibility (‘We, the organisation, agree to handle this personal information fairly and reasonably’).
What was the problem the Review was trying to address?
Notice and consent have become less effective over time
Notice and consent are often held up as critical elements of privacy law. They are there to ensure transparency and individual choice when it comes to the handling of personal information. Under Australian Privacy Principle (APP) 5, individuals must be told certain information when their personal information is collected, including the purpose of collection (notice), and must, in most cases, under APP 6 be asked for permission before the information is used or disclosed for secondary or unrelated purposes (consent).
There’s no doubt that notice and consent will continue to play an important role in the Privacy Act. Indeed, privacy laws the world over include notice and consent as baseline principles. The problem is that over time, notice and consent have become less effective to about the same degree that personal information handling has become more complex and privacy-invasive.
Information handling has become more invasive over time
When the Privacy Act was first introduced in 1988, we lived in a largely paper-based world in which data handling was constrained by practical limitations like the inability to make use of large amounts of hardcopy information and the expense of storing it. There was no information economy in the sense we understand today. And there was no incentive for organisations to collect excess amounts of personal information or to repurpose the information for other (profit-raising) activities. It is possibly for this reason that the Privacy Act contains virtually no restriction on the ‘primary purposes’ for which organisations may use and disclose personal information.
You can see how today – in an environment that rewards data innovation, accumulation and reuse – personal information handling may expand into increasingly privacy-invasive areas – areas that were unanticipated in 1988 or indeed even in 2012 when the APPs were introduced to replace earlier principles.
This creates two pain points for privacy law
The first pain point is that the legislation has inadequate brakes available for unethical or privacy-invasive data handling activities. It simply did not need those brakes before. If an organisation collects personal information for the primary purpose of profiling children and selling such information to other businesses, for example, APP 6 would seem to permit this. Submissions to the Privacy Act review also pointed out that organisations have significant discretion in determining whether a collection is ‘reasonably necessary’ for their functions and activities under APP 3.
The second pain point is that data handling has become much more complex in recent decades and this has significant implications for the operation of informed consent. How can an individual be adequately informed if you need a degree in data science to fully grasp what is going to happen to your information? In other comparable settings, we do not expect individuals to have subject-matter expertise. We do not, for example, demand that airline passengers read lengthy statements about aeronautics and safety testing and then ‘consent’ to fly on a certain type of aircraft. Of course, passengers should not have to bear risk or responsibility for aircraft safety. Nor should they have the ‘choice’ to fly on risky, poorly-maintained aircraft. We are at a point now where the same principles should apply to data handling.
You might think that the difficulty of obtaining informed consent in these circumstances would cause a natural shift away from reliance on consent for data processing. Well, you would be wrong. As data processing has become more complex, consent notices have become prevalent, along with being longer and more technical.
Thankfully the Privacy Act Review Report recognised this, noting that ‘where digital innovation is exponentially increasing the amount of personal information and sources from which it is collected, it is not reasonable that individuals should bear primary responsibility for ensuring that they do not experience harm as a result of an entity’s information-handling practices.’ It also noted that ‘the diversity, change and novelty in digital information-handling practices may mean that individuals do not appreciate the scale, or even the existence, of privacy risks.’
How did the Review propose to address this problem?
Enter the fair and reasonable test
To address these obvious shortcomings in the current regulatory approach, the Review Report proposed that the Privacy Act be amended to introduce a requirement that the collection, use and disclosure of personal information be fair and reasonable in the circumstances. In applying this ‘fair and reasonable test,’ the Review Report proposed that certain matters be taken into account, including:
Whether an individual would reasonably expect the personal information to be collected, used or disclosed in the circumstances
The kind, sensitivity and amount of personal information being collected, used or disclosed
Whether the collection, use or disclosure is reasonably necessary for the functions and activities of the organisation or is reasonably necessary or directly related for the functions and activities of the agency
The risk of unjustified adverse impact or harm
Whether the impact on privacy is proportionate to the benefit
If the personal information relates to a child, whether the collection, use or disclosure of the personal information is in the best interests of the child, and
The objects of the Act.
Perhaps, most importantly, the Review Report specifically proposed that the fair and reasonable test apply irrespective of whether consent has been obtained. Our hope is that, in the future, it will be harder for individuals to ‘consent away’ their rights to fair and reasonable information handling.
What are the key takeaways for my organisation?
Privacy law reform is still ongoing, therefore this is an area on which to maintain a watching brief. That said, there is nothing to stop you from reviewing the bullets listed above and assessing your personal information handling activities against those standards. We suggest:
Maintaining a watching brief on privacy law reform to see how the fair and reasonable test is implemented in practice.
Engaging in consultation processes associated with Privacy Act reform – the Government has committed to further consultation on the fair and reasonable test and there are likely to be opportunities to comment on bill exposure drafts.
Taking the time to review the fair and reasonable factors listed above to see how they apply to your information handling practices – aside from anything else, they offer a baseline for fair and reasonable collection, use and disclosure of personal information.
Considering the fair and reasonable factors listed above in any privacy impact assessment or product development process.