APF draws attention to privacy issues in submissions to parliaments, regulators, and agencies. But all too often the response is creeping intrusion, feeble protection, and flimsy promises of ‘trust us, your data is safe’.
It is past time for Australian MPs, ministers, government agencies and contractors to develop some humility. They do not, and cannot, control worldwide privacy regimes and security threats, or the algorithms ruling shared, aggregated or online digital information. Unenforceable assurances will no longer work.
People in Australia will only trust and have confidence in government and business collecting, storing, and using their vulnerable personal information if it is done in trustworthy privacy-enhancing systems, covered by strong laws with minimal exemptions, and with easy enforcement when things go wrong – not the mess of loopholes, exceptions, back-door tricks and ‘wet lettuce-leaf’ indirect enforcement we have under current law. The key defects set out below require amendments to bring privacy protection under Australian law, mainly Privacy Act 1988 (Cth), into the 21st century and up to the standard of peer developed countries.
- The legal definition of ‘consent’ needs to be fixed to reflect its real meaning, requiring ‘active and properly informed consent’ rather than ‘implied consent’. Silence, pre-ticked boxes, or inactivity mustn’t be accepted as valid ‘consent’. What we’re told about risk and disclosure must be blunt and clear.
- Privacy Act exemptions are out of control and insidious. At least the following must be removed:
  - employee records
  - registered political parties, and political ‘acts and practices’
  - journalism, except reports about public officials and others in performance of their duties
- The Australian Broadcasting Corporation Act 1983 should be amended to:
  - ensure Australians are not required to provide their personal information or register for a mandatory account to access the ABC’s full digital media services
  - forbid ABC from sharing (re-)identifiable personal information with other entities or platforms
- Personal information should only be exposed to publication as ‘Open Data’, or other uncontrolled circulation, if it is genuinely and permanently anonymous. It should be banned from being described or treated as ‘de-identified’ unless the process used conclusively proves the data can no longer ever be re-linked to a person, under any circumstances, at any time in the future, backed up by ongoing audits.
- We need a statutory tort for breach of privacy, at last, as recommended by five Australian Law Reform reviews over three decades. Australia must no longer be the only equivalent country where citizens have no means to take legal action to protect their personal dignity. The blueprint’s been discussed and consulted on for years, it’s ready to go, the rest of the world copes, let’s stop the fudging and do it.
- We need a dedicated, properly resourced Privacy Commissioner again, to address the current privacy complaint backlog, and future data privacy exploits and threats. A conflicted, sporadic regulator fails us.
Media Contacts for Australian Privacy Foundation board members:
Dr Juanita Fernando | 0408 131 535 | juanita.fernando@privacy.org.au