Inside Story

The price of privacy

A case that began in the Irish courts is shaping Australia’s efforts to update its 1980s privacy laws

James Panichi, 30 July 2021

Austrian activist Max Schrems leaving the High Court in Dublin after a hearing in October 2017. Brian Lawless/PA Images via Getty Images

If you’re old enough, try to remember life in 1988. Kylie Minogue’s “I Should Be So Lucky” is in the charts; Crocodile Dundee II is on the big screen; tall ships are in Sydney Harbour to mark the bicentenary of European settlement; the Queen is opening the new Parliament House in Canberra; and Saturday newspapers are still fat with classified ads.

Now imagine checking your pockets. Where’s your mobile phone? You don’t have one. There’s no connected personal computer on your desk, no social media hoovering up data about your spending habits, and not much need for businesses to import or export elaborate datasets. Facial recognition technology is still the stuff of science fiction and your car isn’t sending valuable information back to its manufacturer.

Nineteen eighty-eight was the year Australia’s privacy legislation was implemented with the worthy goal of protecting your personal information. It seemed a realistic ambition back then, because that information was probably stored in a filing cabinet rather than on the server of a tech giant in the Santa Clara Valley. Getting your name struck off a mailing list or making sure your medical records didn’t fall into the wrong hands was still within the powers of domestic legislation.

Even the right to be forgotten needed no articulation: if you kept out of the news for long enough, your past misdemeanours would fade into oblivion — a secret between you and the rare person spooling through old newspapers on dusty microfiche at the local library.

What we didn’t know at the time was that 1988’s Privacy Act was a snapshot of a society on the cusp of a technological revolution. Think of it as one of those moments captured in a photo taken just minutes before a natural calamity — the tourists are all smiling at the camera, blissfully unaware of the avalanche that’s about to engulf them.

Since then, Australian legislators have done their best to keep pace with technological change. The most recent and perhaps most significant amendment to the 1988 legislation created the 2018 Notifiable Data Breaches scheme, which details what must happen if personal data hosted by a company goes missing or is hacked.

But the technological advances of the past thirty years are so great that mere amendments will no longer suffice. The Privacy Act doesn’t need tweaking; it needs a root-and-branch rethink. And it’s not just a question of individual privacy; the challenge we’re facing is how to apply economy-wide privacy protections that will allow Australian companies to safeguard data without stopping them from competing globally.

Privacy mightn’t have been the main focus of the Australian Competition and Consumer Commission’s 2019 digital platforms report, but it highlighted what was already clear to informed observers: the Privacy Act was out of date. The wheels of government ground slowly for another year or so before attorney-general Christian Porter launched a review of the legislation. It would focus, according to his no-nonsense press release, on “technical data and other online identifiers.”

Oddly, given Australia was lagging behind the rest of the Western world, the announcement betrayed no sense of urgency. The European Union had adopted its General Data Protection Regulation, or GDPR, two years earlier, after years of debate and horsetrading. California’s Consumer Privacy Act, covering Silicon Valley, was being finalised. Legislators in New Zealand had already put the final touches on their revamp of the country’s 1993 Privacy Act. South Korea’s Personal Information Protection Act was by then one of the sharpest pieces of privacy legislation in the world. To use a Morrisonian euphemism, Australia’s policymakers obviously didn’t see protecting privacy as a race.

Information commissioner Angelene Falk at Senate estimates in March this year. Sitthixay Ditthavong/Canberra Times

Still, the review’s riding instructions did focus on the key issues, starting with the relationship between any future legislation and the West’s toughest privacy regime, the GDPR, which guards access to the second-largest consumer market. Should Australia’s new rules be immediately compatible with the GDPR — thus granting Australian digital businesses the protections they need to do business in the bloc? Or should Canberra apply for what’s referred to as adequacy status with the GDPR, once the new legislation is in place (as South Korea has done)? Or, indeed, should Australia go its own way and try to lock in data-transfer agreements with other jurisdictions, including the American states following California’s lead, or post-Brexit Britain, which is facing its own struggles dealing with the GDPR’s stringencies?

The attorney-general also appeared to acknowledge that any new system would depend on tough enforcement — which would place the Office of the Australian Information Commissioner, Australia’s underfunded and overworked privacy watchdog, at its centre. Will the agency be given the resources it needs to ensure that privacy safeguards are adhered to? How will the low-profile information commissioner, Angelene Falk, manage the challenge parliament sets her and her office?

There’s nothing academic about these questions. If the European experience tells us anything, it’s that unenforced privacy laws are more or less useless. In fact, you could argue Australia is better off sticking to its pre-digital, Hawke-era legislation than drafting rules that don’t beef up a regulator that today oversees both the 1988 Privacy Act and the 1982 Freedom of Information Act. The stakes are unusually high.

Europe’s enforcement gap is best illustrated by the legendary story of Max Schrems, who took on Facebook and won. The Big Tech giant might have emerged as the villain of the piece, but the public utterances of the Austrian privacy activist, whose journey culminated in all transatlantic data transfers being shut down, portray Europe’s privacy regulators as part of the problem.

Schrems had been a student on exchange at a university in California’s Silicon Valley. In one class, a Facebook lawyer revealed that the company saw the European Union’s pre-GDPR privacy rules as something of a joke. The company was exporting European data without any ethical soul-searching or legal concern.

Although Schrems wasn’t an avid Facebook user — he says he had typically logged on once a week over three years — he decided to request all the information the company had accumulated about him. Because Facebook had, and still has, EU headquarters in Dublin, he was able to use EU right-of-access laws to obtain the data. And he got it — all 1200 pages’ worth. It even included information that Facebook had described as “deleted.” He uploaded the information to his website and soon attracted media attention from across Europe.

The campaign eventually made its way to the European Court of Justice, with Schrems arguing that the EU’s “safe harbour” arrangement with the United States — now known as the EU–US Privacy Shield — didn’t protect EU users. His claims piggybacked on revelations by US National Security Agency whistleblower Edward Snowden, which pointed to a network of global surveillance programs run by the NSA and the Central Intelligence Agency.

The European Union had allowed for the free flow of data between the EU and the US because it assumed that both sides had equivalent standards of data protection — what’s now called equivalency. In two decisions since 2015, prompted by Schrems, the European Court of Justice rejected that premise, putting the future of data exchanges across the Atlantic under a cloud. It’s a cautionary tale for any jurisdiction — including Australia — facing the prospect of interacting with the GDPR. Like it or not, the EU’s privacy rules have set the global standard for privacy legislation.

And this is where the role of national data-protection agencies comes into play. To get to the European courts, Schrems had to pass through Ireland’s privacy regulator, the Data Protection Commission. The reason is simple: Ireland’s generous tax arrangements are so appealing to Big Tech that many of them — Google, Twitter, LinkedIn, Amazon, PayPal, Airbnb, Uber and, yes, Facebook — have based their European headquarters in Dublin’s Silicon Docks. Anyone lodging a complaint against these companies must therefore turn to the Data Protection Commission.

In Schrems’s case, it didn’t go well. The Irish regulator dismissed his claims, prompting him to take action in Ireland’s courts. The case shone a spotlight on the regulator’s ability to manage the massive workload created by the tech giants’ Dublin addresses. Earlier this year, the Irish Council for Civil Liberties found that the regulator decided just four of 196 cases it had been required to take on — suggesting it had become the bottleneck of EU privacy enforcement. That failure, said the council, exposes 448 million people across the European Union to “electoral manipulation and predatory profiling.”

Schrems’s vicissitudes showed that an enforcer that can’t or doesn’t do its job fosters an environment in which the misuse of personal data goes unchallenged.

That Australia’s information commissioner is overworked and underfunded is now widely accepted. Her office received $25.5 million for the 2021–22 financial year, up marginally from last year’s $23.2 million. This increase included funds for a new freedom-of-information commissioner, a slight increase in staffing levels, and an earmarked amount for participating in Australia’s growing data-portability initiative, the Consumer Data Right.

This funding doesn’t reflect the size of the challenge — and the information commissioner knows it. Documents released under FOI earlier this year reveal a deficit of $121,000 last financial year as the watchdog struggled with managing the Notifiable Data Breaches scheme and overseeing the ill-fated COVIDSafe app. The document noted the agency’s “static resourcing and staffing levels” and went on to say that the information commissioner had experienced a “steady increase in the number of complaints received,” partly as a result of the pandemic.

Taking on Big Tech requires time, strong international contacts and a high level of expertise — all of which cost money. The information commissioner is already fighting Facebook in the Federal Court of Australia over the Cambridge Analytica data breach — a lawsuit almost identical to one that came unstuck in Canada in February because of a lack of evidence. Other investigations have involved time-consuming and resource-intensive international probes. Last week’s determination that Uber had failed to protect its clients and its drivers following a 2016 cyber attack saw the commissioner delve into what her office described as “significant jurisdictional matters and complex corporate arrangements and information flows.”

Once Australia’s new privacy legislation comes into operation, the resourcing of the commissioner’s office — or the agency that will replace it — is likely to be the key to success. Max Schrems managed to overturn the Privacy Shield by claiming his individual privacy rights in both Irish and EU courts, but it’s unrealistic to expect an individual to take on the burden of challenging Big Tech on privacy.

Given the pressure she is under, Angelene Falk may have good reason to keep a low media profile. With a background in law, she came to the job in 2018 after serving as deputy commissioner for two years. Her public appearances are usually limited to comments in Senate estimates, where she’s quizzed by parliamentarians who are often ill at ease with the principles of privacy and data protection and have little understanding of global policy trends.

Compare this with New Zealand’s privacy commissioner, John Edwards, who rarely misses a chance to publicly castigate Big Tech and wasn’t afraid to throw his weight around as the country approached its ambitious reimagining of the 1993 Privacy Act. Under the reforms, Edwards has the power to issue compliance notices, can make binding decisions on requests for access, and will oversee legislation that contains criminal offences for businesses that misuse personal data. Reportedly being considered for the top privacy-enforcement role in Britain, Edwards has become the public face of data protection in New Zealand — an outreach and educational role that has no equivalent in Australia.

The impasse over the EU–US Privacy Shield isn’t likely to be resolved soon. At the heart of the European judges’ objections is the fear that data exported to the US could fall into the hands of law-enforcement agencies. This is a tricky problem to manage — the US has no federal data-protection legislation or enforcer. With little appetite for privacy policy in Washington, the states have been left to take the lead.

More importantly, though, the clash with the EU over privacy has created a political problem for the Biden administration. The White House doesn’t want to be seen as soft on law and order — particularly when it comes to the crunching of data and the gathering of personal information that could, say, prevent terrorist attacks. Significant concessions to the Europeans could leave Biden politically exposed.

Any new Australian privacy legislation will face the same political predicament. Equivalency with the GDPR simply can’t be ignored — the European Union is too significant a market for Australia to deal itself out of the game. But Australian policymakers will also be mindful of the European Court of Justice’s low tolerance of loose regulation in countries gaining access to the personal data of EU citizens.

One cause for concern is Australia’s controversial 2018 Telecommunications and Other Legislation Amendment (Assistance and Access) Act. That legislation is what you’d expect from a home affairs minister — Peter Dutton at the time — unconstrained by worries about the economic impact of Australia’s data-protection reputation. The act, which includes no judicial oversight, gives the Australian government the right to demand a “back door” into encrypted communications — including those sent via popular apps such as WhatsApp, Signal and Telegram. It was designed to help federal police and intelligence agencies track suspected criminals and terrorists.

Australia’s tech community opposed the legislation, and broadly still does, arguing that it undermines the country’s data-protection credibility. In a parliamentary hearing last year, the head of government affairs for the hugely successful Sydney-based software company Atlassian, Patrick Zhang, said that international tech companies were now afraid of using Australian products because of the possibility of receiving access orders from Australian law-enforcement agencies. This fear was particularly acute in Europe, Zhang suggested, where worries about tripping over the GDPR’s data-protection provisions mean that businesses may steer clear of Australian products. Those fears might even spill over into third countries that don’t want to compromise their deals with the European Union.

The passing of that legislation suggests that Australia’s political priorities may ultimately trump the privacy concerns of the local tech industry. While a survey by the information commissioner revealed that Australians are keenly aware of the need to protect privacy, that attitude doesn’t translate into a broader understanding of how data-protection measures could affect Australian technology companies’ ability to compete.

Part of the problem could be the lack of a strong public voice promoting privacy in Australia. But decisions about new laws will ultimately come down to politics. Not everyone will understand the complexities of data-transfer rules, but you don’t need an information campaign to tell people that strong laws are needed to fight terrorism, international drug cartels and paedophile networks. If that means compromising WhatsApp’s encryption and ruling Australia out of international data transfers — so be it. If securing Australia’s digital sovereignty will get the nose of a few tech entrepreneurs out of joint, that’s a price that politicians of all persuasions may be willing to pay.

The publication of this article was supported by a grant from the Judith Neilson Institute for Journalism and Ideas.