No Say, No Knowledge, No Control: Personal Data in Australia

shopping, online shopping, shopping cart-4694470.jpg
Online Shopping

When was the last time you were certain that your data wasn’t being collected, shared, tracked or used in unfair business practices?

A recently released joint research report from the Consumer Policy Research Centre (CPRC) and the University of New South Wales (UNSW) ‘Singled Out: Consumer understanding – and misunderstanding – of data broking, data privacy, and what it means for them‘, has highlighted both the extent to which Australian consumers don’t know about or understand common personal information terms and how Australian law is failing to protect identifiable information.

From the responses about self-perceived knowledge of common terms used in privacy policies where most terms (8 out of 13) were unrecognisable or unknown to the majority of people – only 16% self-reporting that they knew a lot about the term ‘anonymised information’ and only 8% reporting the same for ‘pseudonymised information’ – the importance of educating consumers on basic information and privacy terms is difficult to understate. But even more damningly for the current state of affairs is the overwhelming uncertainty about or lack of acceptance for the use by business of personal information from browser type to audience data to full names or driver’s licenses. At the same time as these practices are widely unaccepted by Australian consumers, personal information can be linked back to individual’s or individual digital footprints – or be used to influence what is shown online.

The report rejects educational solutions as (1) proficiency in data terminology should not be requirement for consumers to be able to confidently navigate digitally, (2) not all consumers have the time or resources necessary, and (3) the terminology has no fixed meaning or use either in practice or under Australian law. Instead ‘Singled Out‘ recommends:

(1) Modernising the definitions of ‘personal information’ and ‘de-identified information’ in the Privacy Act;

(2) Enforcing the Privacy Act’s requirement that organisations collect personal information from the respective individuals themselves (unless unreasonable or impracticable) in the context of consumer tracking, profiling and targeting;

(3) Put the onus on entities collecting this information that data is kept safe and used reasonably, by adding a ‘fair and reasonable’ requirement to the Privacy Act;

(4) Consider the addition of a best interests or duty of care obligation for data use;

(5) Make unfair data practices such as data broking illegal by making unfair business practices illegal;

(6) Enable strong, broad and proactive enforcement of regulation.

For more about the report please see The Conversation’s article, CPRC’s summary and of course the report itself, available for download here.