More specifically, this merger is a test of regulators’ resolve to analyse the effects on competition of a tech giant acquiring a vast amount of highly valuable data through a takeover. Google could exploit Fitbit’s exceptionally valuable health and location datasets, and data collection capabilities, to strengthen its already dominant position in digital markets such as online advertising. Google could also use Fitbit’s data to establish a commanding position in digital and related health markets, depriving competitors of the ability to compete effectively. This would reduce consumer welfare (including degrading data privacy options), limit innovation and raise prices.

Past experience shows that regulators must be very wary of any promises made by merging parties about restricting the use of the acquisition target’s data. Regulators must assume that Google will in practice utilise the entirety of Fitbit’s currently independent unique, highly sensitive data set in combination with its own, particularly as this could increase its profits, or they must impose strict and enforceable limitations on data use.

Wearable devices could replace smartphones as the main gateway to the internet, just as smartphones replaced personal computers. Google’s expansion into this market, edging out other competitors would thus be significant. Wearables like Fitbit’s could in future give companies details of essentially everything consumers do 24/7 and allow them to feed digital services back to consumers. The way wearables are being used to track COVID-19 infections and give access to doctors and health information is a timely illustration of this. Although, perhaps justified, subject to strong safeguards, in a public health emergency, the exploitation of such data in a commercial context is an important concern that demands close scrutiny by regulators both for its anticompetitive effects (where huge bundles make it near-impossible for entrants to compete against incumbents) and anti-consumer effects (creating ever bigger bundles that undermine consumer choice).

The acquisition of Fitbit could expand Google’s immense power in digital markets into the $8.7 trillion global healthcare market1through its strength in data and data analytics. Google has already made significant inroads into healthcare. Regulators must carefully assess the proposed deal’s implications for innovation and its potential to undermine the ability of companies to bring new products to consumers in the area of digital healthcare.

The results of unfortunate merger control decisions in the past have likely contributed to the rise of tech giants. Subsequent concerns now have to be addressed through more costly and lengthy ex-postantitrust enforcement proceedings and other competition interventions. Such harms to consumers are far better prevented than cured. Therefore, before deciding whether this takeover can proceed or not, regulators must carefully analyse its full implications for consumers and consider its potential for far-reaching and dynamic effects on digital and health markets.

Signatory Organisations

• AccessNow, EU
• Australian Privacy Foundation, Australia
• BEUC –The European Consumer Organisation, EU
• Centerfor Digital Democracy, US
• Centre for Responsible Technology, Australia
• Color of Change, US
• Consumer Federation of America, US
• Derechos Digitales, Latin America
• EDRi (European Digital Rights), EU
• Idec – Brazilian Institute of Consumer Defense, Brazil
• New America’s Open Technology Institute, US
• Omidyar Network, US
• Open Markets Institute, US
• Open Society European Policy Institute, EU
• Privacy International (PI), Global
• Public Citizen, US
• Public Interest Advocacy Centre, Canada
• Public Knowledge, US
• Red en Defensa de los Derechos Digitales (R3D), Mexico
• Trans-Atlantic Consumer Dialogue, EU-US

Download the media release:

Consumer and Citizen Groups Have Serious Concerns About Google Fitbit Takeover – Common Statement

EFA, Future Wise and APF today denounced the actions of HealthEngine and its doctor appointment booking system which has been sharing patient data with law firms, marketers, and other entities with the flimsiest pretense of patient consent.

“If this ethically dubious behaviour is technically legal, then Australia’s privacy legislation must be changed,” said Justin Warren, Electronic Frontiers Australia board member.

“People have made it clear time and time again that information about their health is extremely personal and private and they expect it to be kept secure, not shared with all and sundry,” he said. “I cannot understand how any doctor would allow their patients’ trust to be abused in this way.”

Dr Trent Yarwood, health spokesperson for Future Wise and a medical specialist, said “Making access to healthcare easier for people is critical. However, practice managers and healthcare professionals must understand the privacy implications of how they do this.”

“Too many services are set up with the primary aim of selling personal data to advertisers, and providing ‘convenient’ services to people purely as a hook to get this data,” he concluded.

The original ABC report noted that “HealthEngine also has a data-sharing arrangement with the Federal Government’s My Health Record (MyHR) digital medical record system.” The precise nature of this data-sharing arrangement must be made public immediately. The government is making MyHR mandatory, save for a short once-only opt-out period, and the public must know what our health data is going to be used for if we are to have confidence in this system.

Kat Lane, vice chair of Australian Privacy Foundation, said “Data in the government’s MyHR can be downloaded to a GP system and is then freely available—no controls, no audit trail—including potentially to apps such as HealthEngine, without proper informed consent. This is a warning about serious issues of transparency and consent with such apps and MyHR.”

The law must be changed to provide robust privacy protections for all Australians, such as by finally giving us the right to sue for breach of privacy, requiring explicit consent for each disclosure of medical or health data to a third party, and proper auditing of record-access that is visible to the patient. The current system is too easy to bypass for unscrupulous operators looking to make a fast buck.

Download the media release:

Doctors, Lawyers, and Privacy Experts Denounce HealthEngine Sharing Patient Health Data With Non-GPs Joint Response to HealthEngine Data Sharing

About EFA

Electronic Frontiers Australia is the premier voice for digital rights in Australia. Established in 1994, EFA is independently funded by members and donations. For more information about EFA, see https://www.efa.org.au

About Future Wise

Future Wise is an independent policy and advocacy organisation, focusing on technology, health, and education; and is a strong voice for digital privacy in Australia. Further information about Future Wise is available at their website: https://futurewise.org.au

About APF

The Australian Privacy Foundation is the primary association dedicated to protecting the privacy rights of Australians. The Foundation aims to focus public attention on emerging issues which pose a threat to the freedom and privacy of Australians. For additional information about APF see https://privacy.org.au

MEDIA CONTACTS
For Electronic Frontiers Australia
Email: media@efa.org.au
Twitter: @efa_oz
Phone: Justin Warren – 0412 668 526

For Future Wise
Email: trent@futurewise.org.au
Twitter: @FutureWiseAU
Phone: Trent Yarwood – 0403 819 234

For Australian Privacy Foundation
Email: kat.lane@privacy.org.au
Twitter: @apf_oz
Kat Lane – 0447 620 694
Or
Email: Bernard.Robertson-Dunn@privacy.org.au
Bernard Robertson-Dunn – 0411 157 113

A case was brought against Transport for NSW by Nigel Waters (life member and a former board member of the Australian Privacy Foundation) in 2016. Mr. Waters objected to a record of his travel being kept that was clearly linked to his identity. Mr. Waters wanted to be able to use public transport anonymously (an option available for Adult Opal Card users). The NSW Civil and Administrative Tribunal agreed that the travel information was not reasonably necessary.

This is a big win for Mr. Waters and tens of thousands of Gold Opal Card users in NSW.

Nigel Waters said: “This is major win for privacy rights in NSW. It clearly raises the bar for all NSW government agencies to apply ‘Privacy by Design’ principles to complex new data driven systems.”

David Vaile, Chair of the Australian Privacy Foundation said: “You shouldn’t have to put up with being potentially spied on as you travel just because you verify your eligibility for a concession.”

Kat Lane, Vice-Chair of the Australian Privacy Foundation said: “The big question is now what Transport for NSW will do? Will they do the right thing and finally recognise the human rights of NSW residents to use public transport anonymously?”

The Australian Privacy Foundation calls on Transport for NSW to immediately disconnect identity details from travel records so that all residents of NSW have their privacy rights respected.

Background Information

Mr. Waters was not represented when he ran the case. Mr. Waters is entitled to a Seniors Card and accordingly a Gold Opal Card. Transport for NSW requires Gold Opal Card users to register their Gold Opal Card.

Mr. Waters did not object to Transport for NSW requiring the following of him:

• To demonstrate eligibility on application;
• Produce evidence of his eligibility for the Gold Card on demand; or
• Verification with Seniors Card periodically to ensure he continues to be eligible

Contacts:

Contacts:

The inadequacy of Australia’s current health data privacy framework – inadequate risk assessment, inadequate law, inadequate enforcement – was demonstrated recently by a major independent study from Chris Culnane, Benjamin Rubinstein and Vanessa Teague at Melbourne University, released in the last days of 2017. [1]

In 2016 the Australian government released a large-scale data set relating to the health of many Australians, under the fashionable rubric of ‘Open Data’. [2] This 10% sample included all publicly reimbursed medical and pharmaceutical bills for selected patients spanning the thirty years from 1984 to 2014. The data as released was meant to be ‘de-identified’, meaning that it supposedly could not be linked to a particular individual: and since it would thus raise no privacy issues, it could be released ‘into the wild’, without controls.

Unfortunately, the government got it wrong: this weak protection can be breached. The IT security researchers demonstrated that this sensitive health data can be reidentified: with minimal effort it may be possible to get a picture of the health of prominent Australians, or of you and your neighbours. The research follows similar studies in the United States and Europe demonstrating the unreliability of existing ‘de-identification’ techniques in the face of rapidly-evolving artificial intelligence ‘machine learning’, and Big Data tools. It must be taken seriously.

In response to that earlier study, the Office of the Australian Information Commissioner’s Office (OAIC), the national privacy watchdog formerly known as the Privacy Commissioner, announced that it is “investigating the publication of the Medicare Benefits Schedule (MBS) and Pharmaceutical Benefits Scheme (PBS) datasets”. OAIC has been investigating since September 2016, after the same researchers initially revealed problems with the data by demonstrating it was possible to re-identify practitioner records. [3]

More than a year later, in 2018 the OAIC is still investigating.

• There has been no public report, nor warning about the bug in ‘Open Data’.
• There is no indication of when the report will be released.
• There has been no indication of whether the report will be released in full rather than in the usual redacted version.
• There has been no requirement to reconsider the misplaced trust in ‘deidentification’ of ‘Open Data’ in the face of evidence of its unreliability.

You should be able to trust governments to care for sensitive personal data about yourself and your family. Clearly some of those who are handling this data either lack expertise, or are careless: it appears that ‘Open Data’ protections can be breached.

The Health Department and its Minister should be held to account. Overseas governments have responded effectively to similar problems: for example, the major Caldicott reports in the UK saw the end of the ‘Care.Data’ plan to sell the health records of most people in Britain. (The architect of that plan is now the CEO of the Australian Digital Health Agency.)

The OAIC should also be held to account. The delay of more than a year is unacceptable. So is the fact there is no end in sight, and the fundamental, controversial flaw in the rhetoric about the claimed safety of ‘Open Data’ remains unrecognised.

It may be that the OAIC lacks expertise and other resources. That is no excuse. (Extensive research work done by NICTA, and by independent university researchers like those at Melbourne and other institutions internationally, identifies the growing risks to ‘de-identification’ as a safe basis for the release of data derived from personal information into a hostile global environment. Efforts by proponents of ‘Open Data’ to promote the safety of de-identification must be met with a more sceptical view.)

It is time for the new Attorney General to provide adequate resources for the national privacy watchdog, so Australians can expect them to investigate the fundamental risks in ‘Open Data’ properly, independently, and promptly.

The OAIC should act like a watchdog, not like a rather timid snail.

Media contacts:

Sources:

The Australian Privacy Foundation (APF) advocates for the privacy of all Australians, whether from Dubbo, Darlinghurst, Dapto or Darwin. While we often have to draw critical attention to privacy problems, we like to give credit where it’s due: NSW parliament is contemplating a positive step that others should follow.

State and Territory governments collect vast amounts of information about people, much of it by compulsion. You need to provide personal information for the electoral roll, driver and boat registration, to run a cafe or small business, and many other purposes. You also need to provide information – no choice – if you are a government employee.

We expect government agencies to take great care with this information about us, but sometimes they don’t. Some are careless, and don’t bother to erase payroll and other data from devices sold to the public. Some leave sensitive files lying around. What happens when there is a breach?

A valuable new law has been introduced into NSW parliament, the Privacy and Personal Information Protection Amendment (Notification of Serious Violations of Privacy by Public Sector Agencies) Bill 2017. It would force NSW public agencies to report data breaches to you, if you are affected, and to the NSW Privacy Commissioner, within 15 days of a serious breach. This would give you a chance to take protect yourself from the consequences, and make it harder for breaches to be swept under the carpet and ignored. Ministers and officials would need to take responsibility. If you were affected by the breach, you’d be in a better position to protect yourself, for example being alert to identity theft, or changing passwords.

This new NSW Bill goes beyond a similar Commonwealth Act – fewer loopholes and more urgency – and should be welcomed by everyone who cares about personal information protection.

APF also calls on the other state governments to enact similar laws: people outside NSW need and deserve this ‘mandatory data breach notification’ protection, which is now common in states and provinces in other countries.

The Foundation also calls on Western Australia and South Australia, which don’t even have any privacy act to start with, to urgently enact a law that deals with information privacy in those states. NSW, Victoria and Queensland have had this sort of law for many years, helping build trust in their data handling regimes. It is amazing that WA and SA still haven’t drafted the necessary law … it’s not difficult or expensive, but it’s increasingly necessary. Now’s the time to fix – don’t let a few hours’ time lag keep you in the past!

Media contacts:
David Vaile 0414 731 249
Kat Lane 0447 620 694

Australian citizen have to deal with the national government. The young, old, unemployed, disabled or those who have served this country in the defence forces must provide their personal information to one or more government agencies. There is no choice: no information means no entitlements. If done properly it is a good thing and should harm no one. But it has to be done properly.

What the Government is proposing to do is a danger to our rights, our privacy and a form of government bullying to ensure our silence. That is why the Australian Privacy Foundation is worried about the new bully in town.

This is just the latest form of Government bullying.

What is the bullying? Could it affect you? Can the government get away with it?

The Department of Human Services is using leaked personal information to harass and demean critics of Centrelink, its service agency. The Department doesn’t like criticism … it’s large, slow and very thin-skinned. It acknowledges that problems with its IT systems and staffing mean it is threatening to collect overpayments that do not exist.

Publicly criticise that inefficiency – a major waste of your money as a taxpayer – and the Department is likely to provide your personal information to the media. People now think twice before getting into a fight with the Human Services bully. The bullying means they are more likely to stay silent, chilling legitimate debate, even though the Department got its figures wrong.

Privacy law in Australia is meant to protect you and I from official abuse of our information. The Department says this is perfectly legal, because the government is authorised to release personal information to correct ‘misinformation’ by recipients of entitlements. That is a shallow and weak justification. There is no independent review, and it is wide open to abuse – it is often unclear that there has been misinformation.

If the Department bullies critics, we will have difficulty telling what is honest disagreement (have you ever misunderstood a government form or found a mistake?), what is dishonest, and what is the result of sloppy, bug-ridden Human Services software.

The Veterans Affairs’ Minister – who deals with veterans and their families – is now shepparding a new bill through the Parliament that allows him to release personal information about veterans when it suits his Department’s aims. The Veterans’ Affairs Legislation Amendment (Digital Readiness and Other Measures) Bill 2016 (Cth) will be bad law.

It makes a mockery of the Privacy Act. The Privacy Commissioner should condemn it. It disrespects people who serve our country. It needs to be killed before it goes to the Senate. It shouldn’t be copied by other Departments.

Just because bullying is legal doesn’t mean it is right. Contact your local member to say NO.

The Australian Privacy Foundation – the nation’s civil society privacy body – commends moves in Queensland and Tasmania to introduce human rights legislation.

The Foundation says, however, that the legislation in those states and the Commonwealth needs to have teeth if it is to meaningfully protect the privacy and other rights of all Australians.

We need a constitutionally-enshrined and justiciable Bill of Rights at the national level – a coherent framework for rights and responsibilities that resembles law in Canada, the European Union and South Africa.

Governments change. Leaders change. Policy development resembles a revolving door. Watchdogs lack the will and ability to do their job. That means we need to enshrine rights in Australia’s constitutions.

Enshrinement protects those rights from poll-driven politicians whose horizon is the next election or the next leadership spill.

Just as importantly, it gives all Australians the ability to take legal action if their rights are abused.

Enshrinement has worked well overseas. It has not resulted in a flood of vexatious or frivolous litigation. It has not chilled free speech or crippled business. It allows ordinary people to stand up to bad government, bad business and bad neighbours. It means people do not need to rely on weak remedies offered by weak regulators.

The Foundation encourages community discussion about proposals for human rights enactments like that going on in Queensland, Tasmania and elsewhere. Those enactments need to empower all Australians. Politicians often choose to ignore good advice. Governments will ignore a Human Rights Act that lacks teeth – if it is merely aspirational and does no more than require brief consideration of rights.

If you want protection from Big Brother and Big Sister – if you want protection for your privacy and for justice rather than what is administratively convenient for officials – you should urge your Government to adopt a Bill of Rights. A Bill with teeth. A Bill that is worth more than the paper on which it printed.

The APF’s Human Rights Position Paper is at https://privacy.org.au/Papers/PS-HumanRts.html

________________________

Background Information

What’s wrong?

Privacy is a human right in key international human rights agreements to which Australia is a signatory. It is fundamental for Australia as a liberal democratic state and for the flourishing of all Australians.

However, it is only weakly and inconsistently protected by Australia. There is significant variation across the national, state and territory governments. Official watchdogs often lack the ability to act on behalf of people whose privacy has been disregarded. One example is the Office of the Australian Information Commissioner, which was on life support for than a year after the Attorney-General decided that it was not needed. Judges, lawyers, business people, mums and dads thought he was wrong.nce over the past 40 years has demonstrated that Governments are prepared to delay the introduction of privacy protection, use exceptions (such as those with Centrelink) win legislation, starve their watchdogs and disregard criticism by the courts.

Experience over the past 40 years has demonstrated that Governments are prepared to delay the introduction of privacy protection, use exceptions (such as those with Centrelink) win legislation, starve their watchdogs and disregard criticism by the courts.

That means we need coherent rights protection

One way to protect all human rights, not just privacy, is through a constitutionally-enshrined justiciable Bill of Rights.
That sort of protection is found in Canada, the European Union and even South Africa. It does not inhibit free speech, law enforcement or business.

A constitutionally-enshrined Bill means that rights protection is found in the constitution. It is there because Australians take rights seriously and recognise that politicians – who often focus just on the next election – will sometimes be prepared to weaken protections by simply a passing an Act.

At the moment your rights are dependent on what a particular politician thinks will win at the next election or next leadership spill. It is a very fragile guarantee that you will be protected from abuses by Big Brother and Big Sister.

A justiciable Bill gives ordinary people the ability to go to court to enforce their rights. It means that do not have to hope a government watchdog is interested and able to act on their behalf. (For 40 years we have seen watchdogs shrug or apologise but not come to the rescue.) It also means that politicians cannot turn a blind eye.

Overseas experience demonstrates that a justiciable Bill does not flood the courts with frivolous litigation, destroy business or cripple the media.

What is happening?

Civil society advocates and politicians in several states are trying to get a Bill of Rights onto the local and national agenda.

As an independent organisation the Australian Privacy Foundation supports public discussion about privacy, democracy, responsibility and rights.

What can you do?

We encourage you to talk to your political representative – remember, they work for you – about human rights.

We also encourage you to visit the Australian Privacy Foundation site at www.privacy.org.au

That site is a detailed source of authoritative and independent information about privacy law and developments such as drones, customer profiling, numberplate recognition and health records.

The APF’s Position Paper on Human Rights

The Foundation’s position paper on human rights is available here

And, surprise, surprise, neither the data nor the software are good enough to support the process.

As a result, thousands of people have received demands for copies of old documents, and have been wrongly subjected to ham-fisted actions by commercial debt-collectors.

Buoyed by this ‘success’, the Department of Health is now asking the Parliament, through whoever is Minister for Health at the time, to authorise it to perform automated decision-making.

The public service is moving in the direction of robot-government, abandoning human-managed business processes in favour of supposedly Artificial Intelligent systems. As the Centrelink debacle has demonstrated, automated decision-making cannot be trusted without direct human oversight.

It is vital that the public stand up right now, and defeat these attempts by the bureaucracy to subject people to decisions based on bad data and badly-designed computer software.

The public service and business alike must be under legal obligations to:

• act responsibly
• design business processes to reflect the fact that all results of data matching, and all automated processes, inherently involve errors of fact and judgement, and sometimes of law as well
• check the output from computer-based systems before acting on it
• ensure that there is sound evidence supporting all actions taken
• take no action harmful to the individual until after notice has been given and an appropriate opportunity has been provided for the individual to contest the matter
• provide copies of the relevant evidence, on request
• where the individual contests the matter, investigate the concerns and respond to the individual
• take no action harmful to the individual while the matter remains contested
• inform the individual about their dispute rights and where to seek advice

Government agencies must not be permitted the freedom to be irresponsible.

________________________

The Australian Government Bill

National Health Amendment (Pharmaceutical Benefits) Bill 2016

cl.101B

Computer programs for administrative action by Minister

(1) The Minister may arrange for the use, under the Secretary’s control, of computer programs for any purposes for which the Minister may or must take administrative action under this Part or a legislative instrument made for the purposes of this Part.

Definitions

(6) In this section:
administrative action:
each of the following constitutes taking administrative action for the purposes of this section:
(a) making a decision;
(b) exercising any power or complying with any obligation;
(c) doing anything else related to making a decision or exercising a power or complying with an obligation.

Note that, contrary to the misleading tone of the ‘Explanatory Memorandum’, the provision is not restricted to minor administrative matters, but has broad scope.

Further, the standard technique used by the bureaucracy is to establish a beachhead, and then argue that precedents exist, and that no-one should have any problems with additional applications of the same old idea. It is vital that the public recognise the Bill’s provision as a ‘thin end of the wedge’ manoeuvre.

The European Provisions

EU GDPR

Automated individual decision-making, including profiling

Art 22.1. The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.

This is subject to qualifications in Art 22.2, but those qualifications are themselves subject to further qualifications in Arts 21.4 and 9.

However, the effect is that decision-making involving health data in particular is subject to considerable restrictions, and all such automation is subject to the overriding requirement for “appropriate safeguards for the fundamental rights and the interests of the data subject”.