Sweeping changes to Australia’s privacy laws that took effect on March 12, 2014, make the country a global standard-setter in protecting its citizens’ personal data. A comprehensive update of Australian privacy laws, the Privacy Amendment (Enhancing Privacy Protection) Act 2012 (PAA), imposes specific requirements regarding the collection, storage and use of consumers’ personal information on companies that do business in Australia and have revenue of over $3 million. The Office of the Australian Information Commissioner (AIC) is empowered to enforce the PAA’s mandates by imposing fines of up to $1.7 million for serious or repeated invasions of privacy.
At first blush, the requirements imposed by the PAA may seem of a piece with those imposed by the European Union and other privacy-centric jurisdictions, and with the privacy principles promulgated by the Obama Administration. Indeed, the thirteen new Australian Privacy Principles (APPs) established by the PAA (which replace the existing National Privacy Principles and Information Privacy Principles) strike many of the same notes as the Consumer Privacy Bill of Rights proposed by the White House in February 2012: transparency, access, accuracy, security, and so forth, the “usual suspects” in privacy regulation.
But the sense of familiarity may be misleading; the privacy regime imposed by the PAA is easily as strict as any in the EU, and has the potential to be even stricter, depending on its interpretation by the AIC. In particular, the PAA’s restrictions on collection of information that is either publicly available or obtained from sources other than the data subject create a “right not to be profiled” so comprehensive that it would likely not pass First Amendment muster if enacted in the United States.
To fully appreciate the breadth of the protections imposed by the PAA, it may be helpful to review the relatively narrow conceptual framework that underlies most privacy regulation, enacted and proposed, in the United States. Most Federal data privacy statutes apply to specific sectors, such as healthcare, education, communications, and financial services. State laws, in contrast, tend to protect primarily information that could be used to steal our money or identities, such as credit card numbers, social security numbers, and driver’s license numbers. To the extent that efforts are underway to create a more comprehensive privacy framework in the United States, they focus almost exclusively on information that it collected from consumers. So, for example, the introduction to the Consumer Privacy Bill of Rights avers that “consumers have a right to exercise control over what personal data companies collect from them and how they use it.” (Emphasis added.)
The aggregation of information about consumers, in contrast, remains largely undiscussed. Efforts to restrict such information, such as a Utah law prohibiting private companies from collecting license plate reader data (i.e., a log of the license plates driving past a scanner) have been met with First Amendment challenges. As a result, the most potentially unsettling implication of new technologies — generally speaking, the creation of a digital record of your precise location and activities in minute detail at all times — is surprisingly unaddressed by proposed privacy laws.
Australia, in contrast, has tackled the issue head-on. The Privacy Act (of 1988) defines “personal information” as “information or an opinion (including information or an opinion forming part of a database), whether true or not, and whether recorded in a material form or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion.” Using this broad definition, APP 3.2 provides that “If an APP entity is an organisation, the entity must not collect personal information (other than sensitive information)[which is subject to additional restrictions] unless the information is reasonably necessary for one or more of the entity’s functions or activities.”
Whereas the trend in the United States has been to extirpate the reasonable person from privacy regulation (as discussed last month), the PAA thus places her in a central position; “the ‘reasonably necessary’ test is an objective test: whether a reasonable person who is properly informed would agree that the collection is necessary.” In a similar vein, APP 3.5 limits APP entities to “lawful and fair means” in collecting personal information, andAPP 3.6 requires that APP entities collect personal information about an individual only from the individual unless authorize by law or “it is unreasonable or impracticable to do so.” A “fair” means of collection is one that is (among other things) “not unreasonably intrusive;” covert collection of information will “usually” be considered unfair.
Finally, and of particular note, APP 5.1 requires that “at or before the time or, if that is not practicable, as soon as practicable after, an APP entity collects personal information about an individual, the entity must take such steps (if any) as are reasonable in the circumstances” to notify the individual about the collection, its purpose, the proposed use of the data, and a host of other information (including how to object to the collection).
Taken together, the APPs almost certainly prohibit the accumulation of customer preference data for marketing purposes and other forms of consumer profiling. Because the definition of “personal information” extends to information that reasonably could be related to a particular individual, even “anonymized” data is prohibited unless it cannot reasonably be used to re-identify an individual — a challenge given the increasing sophistication of profiling algorithms. Companies that do significant business in or with Australia should take immediate action to insure compliance with the PAA (if they haven’t already); others should take not that the U.S. move toward “big data” in consumer marketing (and everything else) may not have much traction globally.