Viewing entries tagged
Fair and reasonable

Privacy Act review: A closer look at children's privacy

Privacy Act review: A closer look at children's privacy

By Natasha Roberts

In this post, we take a closer look at proposals related to children’s privacy contained in the recent Privacy Act Review Report (the Review) – proposals to which the Government has agreed or agreed in principle.

What was the problem the Review was trying to address?

There is growing recognition that children and young people may be vulnerable in relation to privacy, particularly online. The Review noted that in the digital age kids are increasingly ‘datafied’ and that personal information about children can be used to build profiles and identify moments that children may be particularly vulnerable or receptive to online targeting and marketing (including in relation to harmful products and messaging). As the Report observed, this may affect children and young people’s autonomy and capacity to freely develop their identity.

How did the review propose to address this problem?

The Review took a multifaceted approach to addressing children’s privacy including the following…

Define ‘child’ and restrict marketing, targeting and trading in personal information

Currently the Privacy Act does not define ‘child’ and there are no specific provisions applying to children’s privacy (though organisations are expected to consider an individual’s capacity to consent which may include considerations of age or maturity). The Report proposed reforming the Privacy Act to define a child as an individual under 18 years of age.

In formally defining the meaning of child, the Privacy Act would then provide for certain specific provisions that apply only to children. These include proposals to prohibit the ‘trading’ of personal information of children and restrictions on ‘direct marketing’ and ‘targeting’ of children, other than marketing or targeting that is in the best interests of the child (for example, targeted marketing for essential child support, counselling and community services).

Codify ‘capacity’ in relation to consent

The Privacy Act contains several exceptions that allow certain information handling with the consent of the individual. However, deciding when children have ‘capacity’ to consent can be difficult, in recognition of varying levels of maturity at different ages. Up until now, the Privacy Act has not specified a particular age at which children may consent on their own behalf and guidelines issued by the Information Commissioner have stated that an organisation must decide on a case-by-case basis if an individual under the age of 18 has the capacity to consent. Where that is not practical, the Information Commissioner advises that an organisation may assume an individual over the age of 15 has capacity, unless there is something to suggest otherwise.

The Review recommended retaining this ‘middle path’ between individualisation and practicality, noting that over-reliance on parental consent was impractical and undesirable. The Review did however propose that the Privacy Act codify the principle that valid consent must be given with capacity. While this would result in a change to the Act, it should not result in a major change of approach for organisations given that it formalises what is already contained in the Information Commissioner’s guidelines and what should already be occurring in practice.

Build consideration of ‘best interests of the child’ into fair and reasonable test

Elsewhere we have discussed the proposal for the introduction of a fair and reasonable test to the Privacy Act. The Review further proposes that any such test require organisations to have regard to the best interests of the child as part of considering whether a collection, use or disclosure is fair and reasonable in the circumstances. In our view, this is the most far-reaching of the children’s privacy reforms as it puts the best interests of the child at the heart of decisions about information handling.

Introduce a Children’s Online Privacy Code

Other jurisdictions (notably the UK) have promulgated codes to regulate the privacy of young people online. The Review considered models adopted in those other jurisdictions and came to the view that Australia should introduce a Children’s Online Privacy Code that applies to online services that are ‘likely to be accessed by children’ and which aligns with the UK Age Appropriate Design Code, to the extent possible. According to the Review, a code could address:

  • Whether specific requirements are needed for assessing capacity

  • Whether certain collections, uses and disclosures of children’s personal information should be limited

  • Which default privacy settings should be in place

  • Whether entities should be required to ‘establish age with a level of certainty that is appropriate to the risks’ or apply the standards in the Children’s Code to all users instead

  • How privacy information (including collection notices and privacy policies) and tools that enable children to exercise privacy rights (including erasure requests) should be designed to improve accessibility for children, and

  • If parental controls are provided, how to balance the protection of the child with a child’s right to autonomy and privacy from their parents in certain circumstances.

The Review also proposed amending the Privacy Act to require that collection notices and privacy policies be clear and understandable, in particular for any information addressed specifically to a child. In the context of online services, these requirements are to be specified in the Children’s Online Privacy Code. Specifically, the Code could provide guidance on the format, timing and readability of collection notices and privacy policies.

What are the key takeaways for my organisation?

Privacy law reform is still ongoing, therefore this in an area on which to maintain a watching brief. That said, there is nothing to stop you from reviewing the bullets listed above and assessing your personal information handling activities against those standards. We suggest:

  • Identifying whether you handle children’s personal information and in what circumstances (for example, in person, online etc) to determine how you may be affected by reforms

  • Maintaining a watching brief on privacy law reform to see how proposals related to children’s privacy are implemented in practice

  • Engaging in consultation – the Government has committed to further consultation on children’s privacy and there are likely to be opportunities to comment on bill exposure drafts and the draft code, as its developed

  • Reviewing the UK’s Age Appropriate Design Code to gain insight on the possible scope and approach of the proposed Children’s Online Privacy Code, noting that the Review specifically called for the proposed code to align with the UK’s Age Appropriate Design Code to the extent possible, and

  • Considering whether your organisation’s handling of children’s personal information meets the ‘best interests of the child’ test, which is likely to form part of the proposed ‘fair and reasonable test.’ This may require consideration of whether, throughout the handling of a child’s personal information, a child’s physical, psychological and emotional wellbeing is protected.

Privacy Act review: A closer look at the fair and reasonable test

Privacy Act review: A closer look at the fair and reasonable test

By Natasha Roberts

In this post, we take a closer look at the ‘fair and reasonable test’ – a proposal in the recent review of the Privacy Act 1988 (Cth) (Privacy Act) which the Government ‘accepted in principle’. In our view, the introduction of a fair and reasonable test to the Privacy Act is welcome and has the potential to rebalance the Privacy Act away from personal responsibility (‘Well, you consented so it’s on you if your privacy was impacted’) and towards organisational responsibility (‘We, the organisation, agree to handle this personal information fairly and reasonably’).

What was the problem the Review was trying to address?

Notice and consent have become less effective over time

Notice and consent are often held up as critical elements of privacy law. They are there to ensure transparency and individual choice when it comes to the handling of personal information. Under Australian Privacy Principle (APP) 5, individuals must be told certain information when their personal information is collected including the purpose of collection (notice) and must, in most cases, under APP 6 be asked for permission before the information is used or disclosed for secondary or unrelated purposes (consent).

There’s no doubt that notice and consent will continue to play an important role in the Privacy Act. Indeed, privacy laws the world over include notice and consent as baseline principles. The problem is that over time, notice and consent have become less effective to about the same degree that personal information handling has become more complex and privacy-invasive.

Information handling has become more invasive over time

When the Privacy Act was first introduced in 1988, we lived in a largely paper-based world in which data handling was constrained by practical limitations like the inability to make use of large amounts of hardcopy information and the expense of storing it. There was no information economy in the sense we understand today. And there was no incentive for organisations to collect excess amounts of personal information or to repurpose the information for other (profit-raising) activities. It is possibly for this reason that the Privacy Act contains virtually no restriction on the ‘primary purposes’ for which organisations may use and disclose personal information.

You can see how today – in an environment that rewards data innovation, accumulation and reuse – personal information handling may expand into increasingly privacy-invasive areas – areas that were unanticipated in 1988 or indeed even in 2012 when the APPs were introduced to replace earlier principles.

This creates two pain points for privacy law

The first pain point is that the legislation has inadequate brakes available for unethical or privacy-invasive data handling activities. It simply did not need those brakes before. If an organisation collects personal information for the primary purpose of profiling children and selling such information to other businesses, for example, APP 6 would seem to permit this. Submissions to the Privacy Act review also pointed out that organisations have significant discretion in determining whether a collection is ‘reasonably necessary’ for their functions and activities under APP 3.

The second pain point is that data handling has become much more complex in recent decades and this has significant implications for the operation of informed consent. How can an individual be adequately informed if you need a degree in data science to fully grasp what is going to happen to your information? In other comparable settings, we do not expect individuals to have subject-matter expertise. We do not, for example, demand that airline passengers read lengthy statements about aeronautics and safety testing and then ‘consent’ to fly on a certain type of aircraft. Of course, passengers should not have to bear risk or responsibility for aircraft safety. Nor should they have the ‘choice’ to fly on risky, poorly-maintained aircraft. We are at a point now where the same principles should apply to data handling.

You might think that the difficulty of obtaining informed consent in these circumstances would cause a natural shift away from reliance on consent for data processing. Well, you would be wrong. As data processing has become more complex, consent notices have become prevalent, along with being longer and more technical.

Thankfully the Privacy Act Review Report recognised this, noting that ‘where digital innovation is exponentially increasing the amount of personal information and sources from which it is collected, it is not reasonable that individuals should bear primary responsibility for ensuring that they do not experience harm as a result of an entity’s information-handling practices.’ It also noted that ‘the diversity, change and novelty in digital information-handling practices may mean that individuals do not appreciate the scale, or even the existence, of privacy risks.’

How did the Review propose to address this problem?

Enter the fair and reasonable test

To address these obvious shortcomings in the current regulatory approach, the Review Report proposed that the Privacy Act be amended to introduce a requirement that the collection, use and disclosure of personal information be fair and reasonable in the circumstances. In applying this ‘fair and reasonable test,’ the Review Report proposed that certain matters be taken into account, including:

  • Whether an individual would reasonably expect the personal information to be collected, used or disclosed in the circumstances

  • The kind, sensitivity and amount of personal information being collected, used or disclosed

  • Whether the collection, use or disclosure is reasonably necessary for the functions and activities of the organisation or is reasonably necessary or directly related for the functions and activities of the agency

  • The risk of unjustified adverse impact or harm

  • Whether the impact on privacy is proportionate to the benefit

  • If the personal information relates to a child, whether the collection, use or disclosure of the personal information is in the best interests of the child, and

  • The objects of the Act.

Perhaps, most importantly, the Review Report specifically proposed that the fair and reasonable test apply irrespective of whether consent has been obtained. Our hope is that, in the future, it will be harder for individuals to ‘consent away’ their rights to fair and reasonable information handling.

What are the key takeaways for my organisation?

Privacy law reform is still ongoing, therefore this in an area on which to maintain a watching brief. That said, there is nothing to stop you from reviewing the bullets listed above and assessing your personal information handling activities against those standards. We suggest:

  • Maintaining a watching brief on privacy law reform to see how the fair and reasonable test is implemented in practice.

  • Engaging in consultation processes associated with Privacy Act reform – the Government has committed to further consultation on the fair and reasonable test and there is likely to be opportunities to comment on bill exposure drafts.

  • Taking the time to review the fair and reasonable factors listed above to see how they apply to your information handling practices – aside from anything else, they offer a baseline for fair and reasonable collection, use and disclosure of personal information.

  • Considering the fair and reasonable factors listed above in any privacy impact assessment or product development process.

First reaction to the Government's response to the Privacy Act review

First reaction to the Government's response to the Privacy Act review

By Natasha Roberts

Two weeks ago, the Government released the Response to the Privacy Act Review Report. And for many of us, who participated in multiple rounds of consultation, who engaged with critical law reform questions, who offered solutions to challenges created by the digital age, who hoped the Government was ready to take an ambitious leap forward…

First, there was a feeling of disappointment…

…as we came to terms with the fact that the Government had agreed to only 38 of a possible 116 proposals, and ‘agreed-in-principle’ to a further 68. No ambitious leap. More of a reluctant step forward in which the privacy law ‘can’ was kicked down the information superhighway. What ‘agreed-in-principle’ will mean in practice remains unclear. Naturally, many of us are concerned about the potential for serious watering down or backing down. Only time will tell.

…next, we took stock of the missed opportunities…

Perhaps unsurprisingly, the Government decided against taking up proposals to narrow the political exemption. We will leave it to others to point out the double standard inherent in this decision.

But, we in the privacy and security community are a pragmatic bunch and must invest our energies in…

The parts the Government got right

While the ‘agree-in-principle’ (rather than the straight ‘agree’) response to many proposals introduces uncertainty, there is, at least, an opening to work with Government to push those proposals forward. The following reforms have the potential to make a real difference to the privacy rights and protections of everyday Australians:

Updating the definition of personal information to close gaps in protection, particularly online. We particularly commend the Government’s recognition of the privacy impact of individuation. In its response, the Government made clear that it ‘considers that an individual may be reasonably identifiable where they are able to be distinguished from all others, even if their identity is not known’ (p 5). A change to the scope and coverage of the Privacy Act along these lines could mean a significant uplift in privacy protection.

Introducing a ‘fair and reasonable’ test. Currently the Privacy Act offers little direction on the uses an organisation may make of personal information, except that the information must be necessary to a defined use and should not be used for other purposes (except in certain prescribed circumstances). This gives considerable latitude to organisations and leaves open the possibility that information is used for activities that do not meet community expectations.

Which is why the Government’s agreement-in-principle to a ‘fair and reasonable’ test – which would apply irrespective of whether consent has been obtained – is so welcome. The Privacy Act is in serious need of rebalancing. Privacy responsibilities – which are currently borne too heavily by individuals (under the at times deceptive doublespeak of ‘choice’ and ‘consent’) – should be transferred to organisations. Our hope is that, in the future, it will be harder for individuals to ‘consent away’ their rights to fair and reasonable information handling.

Strengthening children’s privacy. The Government has agreed-in-principle to a suite of proposals aimed at protecting children, particularly online. This includes restrictions on targeting of children online and prohibition of trading in children’s personal information. It also includes the development of a Children’s Online Privacy Code to ensure the best interests of the child are upheld in the design of online services, and to provide further guidance on how entities are expected to meet requirements regarding targeting, direct marketing and trading. We applaud this.

Aligning privacy and security. The law reform environment in Australia, broadly, has an information security flavour right now (or at least, one that is cognisant of the deep impacts of advanced persistent threats and cyber-crime and the impact of data breach on individuals), which highlights necessity of digital and data initiatives operating in an environment that is safe-for-work. The set of proposals (21.1-21.8) in the ‘Security, retention and destruction’ chapter are clearly reflective of this.

It is great to see that there will be clarity around securing personal information – with what ‘reasonable steps to secure personal information’ in APP 11 actually means in practice to be embedded in legislation. The Government has also agreed-in-principle to organisations being required to meet baseline privacy outcomes that are aligned with the forthcoming Australia’s Cyber Security Strategy. Given the common goals of the Government’s privacy and information security mandates, we look forward to seeing further developments here.

A final word on the law reform process

Regulating information privacy is notoriously difficult and multifaceted. The challenge is compounded by a rapidly evolving digital environment. The Privacy Act Review could have sat languishing in a backroom of the Attorney-General’s department, un-responded to and un-actioned. Instead, the Government has responded to the review and published its response. For this we are grateful. Yes, there have been some areas of disappointment in the Government response but overall, we’re encouraged to see the Government moving forward, despite the challenges.

Be assured that we will be watching closely to see how the next stage plays out.

Please contact us if you have any questions about the Privacy Act reform process and how it may affect your organisation. You can also subscribe to receive regular updates from us about key developments in the privacy and security space.