If you do anything online, chances are Google or Facebook know about it.
A 2016 study by Princeton University revealed Google had a data collection presence on 70 per cent of the one million most popular websites. Facebook, meanwhile, holds sensitive data on the 2.4 billion people who have signed up to its social platforms and also tracks them well beyond the application walls.
Both companies have admitted to eavesdropping on users’ private voice conversations.
The knowledge underpins the tech giants’ business model: knowing as much about consumers as possible in order to sell targeted advertising.
The digital duopoly, which rakes in over half of all digital advertising spend, has proven just how profitable the collection and trading of personal information can be: the two companies are now worth a collective $US1.3 trillion despite offering relatively few physical products and providing most of their services for “free”.
Others have taken notice of the value of people’s information, adding to the explosion in the amount of personal data collected, challenging the traditional privacy paradigm.
Broadly, the trend is known as “surveillance capitalism”, according to Shoshana Zuboff, an American author and scholar who coined the term in 2014 after researching Google and Facebook’s success. She compares their data practices to Ford and General Motors’ mass production a century earlier.
“[Surveillance capitalism] is the idea that you could take human experience – private human experience – you could drag it into the marketplace and call it behavioural data,” Zuboff explained earlier this year, “and then with some application of value-added here, and computation there; you buy it, you sell it; you create whole new markets…”
The phenomenon, and its inevitable extension through offline tracking devices like home assistants, IoT, and autonomous vehicles, creates an obvious tension with individual privacy.
Advocates and legal experts in Australia say the current practices of data collection and processing deserve more scrutiny, and that weak national regulation is encouraging them.
Elsewhere, lawmakers have taken steps to protect consumers – regularly unaware of their surveillance or the newfound value of their personal information.
In Europe, regulators have introduced a strict new regime for data collection and processing known as the General Data Protection Regulation (GDPR), with the US on track to deploy a similar approach next year in California, where many of the tech giants are headquartered.
And while approaches vary, there has been a common acknowledgment that organisations need to be upfront with consumers about data collection and processing, gain clear consent, and have a duty to protect people’s information. The regimes also introduce much tougher penalties for when they fail to do so – $A31 million or 4 per cent of annual global turnover, whichever is higher, in the case of GDPR.
Australia’s response to protecting digital consumer rights and privacy, meanwhile, has been considerably more limited.
Successive governments have largely ignored legal and privacy advocates who argued for reform, instead persisting with loosely interpreted and enforced approaches to privacy established in the 1980s.
According to a growing band of critics, the approach is no longer fit for a digital age and in some cases the more flexible approach is being exploited by businesses.
“Our current privacy regulation in Australia was put in place about 30 years ago, and really stems from a very 1970s approach to privacy regulation,” says Dr Katharine Kemp, a senior lecturer at the Faculty of Law, UNSW, whose research focuses on competition law, consumer protection and data privacy.
“It’s not fit for dealing with privacy in the digital era,” Kemp told Which-50. “There are very substantial gaps if individuals attempt to rely on this kind of regulation to combat the practices of large digital platforms and other companies that seek to use their personal information for commercial purposes.”
Australia’s Privacy Act, which regulates the handling, holding, access and correction of personal information, was created in 1988 and amended in 2000 to include the private sector. But none of the subsequent reforms to the law have directly addressed the changing nature of data collection in a digital age.
It means Australia’s laws and regulatory system cannot adequately deal with the new digital platform business models and the rampant data collection they have encouraged, according to Kemp.
Don’t scare the horses
“The big change in terms of business models, has been that it has become so profitable for firms to use our personal information for other purposes. So the digital platforms are tracking consumers pervasively as they move around on the web, but also tracking consumers offline.
“And the reason they do that is that it’s highly profitable to create very detailed profiles on consumers and to use those profiles to sell advertising services to their advertising customers who are their real customers.”
The business model creates an enormous incentive for companies to collect as much personal information as possible on consumers, but also to conceal the practice, Kemp says.
“Because you don’t want to scare the horses.”
The opacity and subsequent lack of awareness also make it difficult for competitors offering privacy-enhancing alternatives to compete.
“If you have a company like DuckDuckGo come along and offer a privacy-enhancing search engine, it’s very hard for them to impress on consumers just why this is a great product and why they would want to switch to it instead of using Google when it’s not apparent to consumers just how weak the privacy protections are when they are using Google relative to DuckDuckGo.”
In Australia especially, Kemp says, companies have little incentive to accurately disclose their data collection or offer alternatives because they can rely on Australia’s “notice and choice” system of disclosure and consent: companies give consumers notice about the data practices they propose, and consumers then have a choice in whether they proceed with the service and accept the terms.
The system typically produces vague catch-all privacy policies that allow extensive data collection, according to Kemp.
“The reality is we don’t get real notice because we don’t truly understand what those terms mean. They’re far too vague and opaque. And you could be forgiven for thinking that they were intentionally vague and opaque.
“And beyond that, we certainly don’t have the ability to say to Google or to Facebook, or any media company: ‘I want your service but I don’t agree to these uses’. That’s not going to happen. So there is a fundamental problem with us approaching this regulation on an individual basis, on the basis of incremental contracts.”
Samantha Floreani, a board member at the Australian Privacy Foundation and a former senior policy advisor for Victoria’s privacy regulator, agrees Australia’s principled approach has not been effective in protecting consumers’ privacy.
“[In the EU] they can’t just slip in consent in amongst a huge long terms and conditions document.
“And while Australian privacy regulators encourage organisations and companies to do this – it’s best practice to be clear and upfront about it – we’re still seeing lots and lots of really verbose, long, awful terms and conditions which just make it really hard for individuals to understand what they’re signing up for.”
While Australia’s principles approach to privacy has not fared well in the digital age, it was deliberately designed to be flexible and technology agnostic, according to Floreani.
Where it has fallen down, however, is that companies are exploiting this flexibility through a loose interpretation and application of the principles, she says.
“There is a looseness to it as well; organisations can be quite creative in how they go about applying the [privacy] principles because the rules are not rigid. They’re not hard and fast rules. So you can be a bit loose.”
More with less
Floreani says the principles approach would be harder to exploit if the national regulator was adequately resourced and therefore better able to enforce them. However, she says neither side of politics has shown enthusiasm for substantial reform, and both are mindful that significant changes could also threaten the privacy exemptions political parties currently enjoy.
Annual reports show the national regulator, the Office of the Australian Information Commissioner (OAIC), has not significantly increased its staff levels since its creation in 2010, despite privacy complaints increasing and its duties expanding.
But even with limited resources the agency has had some successes.
For example, the OAIC received no additional funding when it introduced a mandatory data breach reporting scheme last year requiring Australian organisations to notify the regulator and affected customers when consumer data they held had been compromised. Previously there had been essentially no obligations for Australian organisations to report data breaches and the scheme led to a 712 per cent surge in reporting over the voluntary system.
The regulator has also had to withstand an attack from the Abbott government which tried to kill off the agency in 2014 as part of its “smaller government agenda”. The OAIC survived thanks to a coalition government leadership spill but continued to be asked to do more with less.
“The government has time and time again demonstrated that it doesn’t prioritise the right to privacy. And that is seen by how the OAIC is resourced and staffed,” says Floreani. “I would say that the government has definitely made it very clear that privacy is not at the top of the agenda.”
Angelene Falk, who leads the OAIC as the Australian Information Commissioner and Privacy Commissioner, told Which-50 “global and technological developments are creating unparalleled opportunities and challenges for regulating the right to privacy”. At the same time, Falk says, there has been a “shift in community and government expectations of regulators in overseeing organisations in the digital economy”.
The Commissioner declined to directly answer questions about whether her agency is adequately resourced but did describe its first substantial budget increase in nearly a decade – an additional $25 million over the next three years to assist with the implementation of a new data portability scheme – as a “very welcome step”.
Falk says the OAIC uses a mix of regulatory strategies, including enforcement, to encourage regulated entities to build in privacy and security protections by design. The goal is to move Australian entities from “minimum compliance with the Privacy Act towards implementing best practice”.
“In this way, we aim to increase public trust and confidence in the protection of personal information and access to government-held information for the benefit of all Australians.”
James North, head of technology, media and telecommunications at independent law firm Corrs Chambers Westgarth, advises some of the leading global technology companies on privacy compliance in Australia. He tells Which-50 there are signs of change but currently, regulators simply don’t have the funds to do the job at hand.
“It’s not one of the regulators that in-house lawyers lose sleep over,” North told Which-50. “They haven’t been feared in the same way the ACCC has been.”
The ACCC is Australia’s competition and consumer watchdog and one of the few remaining regulators with the capability to aggressively pursue enforcement. Its 18-month-long Digital Platforms Inquiry exposed systemic problems in the platform model and called for major reforms to Australian privacy laws.
According to North, the final report also signaled that the competition regulator had begun to wade into the privacy debate.
“You could read between the lines that that is what [the ACCC] is looking for: they want to make privacy one part of consumer law enforcement in their role as the consumer regulator,” North told Which-50.
Treating privacy as a consumer issue, rather than a separate one, would mean substantial changes for data collectors, North says. They would be under more pressure to treat consumers fairly and not mislead them, meaning privacy policies would face a tougher fairness test. Essentially, companies could no longer “hoodwink” consumers in order to collect their data, North says.
And when companies ignored those consumer law requirements they would face a much better resourced and litigious regulator.
“If they get into this space, then purely because of their approach to enforcement, I think privacy will need to be taken more seriously by business.”
While such a step would arguably be more onerous on organisations, North says reform would have the added benefit of bringing Australian organisations closer to the level of regulated entities in the EU. Indeed, North says many of his clients have taken some of these steps of their own accord, both to continue partnering with EU firms and because better data governance simply makes business sense.
The ACCC report recommendations have been welcomed by the government and the OAIC, the latter endorsing its proposed privacy law reforms specifically.
While the ACCC recommendations stop short of recommending a full data regulation regime, they do move Australia closer to GDPR and would be a good start, according to privacy activists.
Signs of change
The OAIC’s Falk told Which-50 that while some commonalities already exist with current Australian law, the EU regulation model had provided valuable lessons to be considered as part of potential reform in Australia.
“This includes evaluating the suitability of EU GDPR privacy rights and protections in the Australian context, such as rights relating to profiling and automated decision making, compulsory privacy impact assessments for data processing activities involving certain high risks and express requirements to implement data protection by design and by default.”
A spokesperson for the Attorney General’s Department, which would ultimately draft any reforms, confirmed the department is monitoring international regulatory developments for data collection, including GDPR.
Australian lawmakers already proposed some reforms to the Privacy Act in March – independent of the ACCC recommendations – to increase penalties and give consumers some rights to request that their information no longer be used. The Attorney General’s Department told Which-50 it intends to consult on those privacy reforms later in 2019 and is currently consulting on the ACCC report.
The government has said it will respond to the ACCC’s proposed reforms by the end of the year.