Founder & Lead Privacy Advisor, Information Integrity Solutions
Former Australia Privacy Commissioner
Any views expressed herein are not necessarily the views of CIPL nor Hunton Andrews Kurth LLP
The problem we are faced with is this: an astonishing new data-driven business model is being regulated, in large part, by legacy privacy laws. Many such laws were either developed pre-internet or are based on laws that were. This includes the EU General Data Protection Regulation (GDPR). The result is a serious disconnect. Traditional privacy principles such as data minimisation and purpose limitation clash with new business imperatives that demand maximal data and unfettered data use and reuse.
And yet – with the usual lag between business innovation and regulatory reaction – we are beginning to see some changes in the regulatory landscape that demonstrate, if nothing else, that regulators and governments are actively grappling with this changed state of play.
First, there has been a conscious effort in more jurisdictions to expand the extra-territorial reach of privacy legislation, which Australia did 20 years ago. The trans-border operation of so many data-driven organisations has meant that data protection authorities have at times struggled to hold such organisations to account.
Second, there has been a trend towards broadening the legal definition of ‘personal data’. This enables privacy laws to regulate data (used in online tracking, profiling and targeted advertising) which might otherwise fall outside traditional definitions of personal data. The GDPR and the California Consumer Privacy Act (CCPA) both offer examples of this.
Third, new and reformed privacy laws have strengthened regulator powers and increased the size of the penalties available to them. Several recent high-profile privacy cases have involved record-breaking fines. New laws – most notably the GDPR – have sought to enable imposition of fines that reflect the size and revenue of the tech giants and therefore better incentivise compliance. In other cases, particularly those involving the US Federal Trade Commission (FTC), we see record fines being imposed under existing laws.
Fourth, a number of jurisdictions have expanded the rights available to individuals under privacy law. The EU introduced a range of rights into the GDPR including the right to erasure (also known as the ‘right to be forgotten’), the right to restrict processing, the right to object and rights associated with automated decision-making. The GDPR also gives individuals the right to withdraw consent at any time. Other jurisdictions have joined the EU in legislating the ‘right to be forgotten’, while California has given its consumers the right to demand that an organisation not sell their personal information.
Foundationally, such changes – the wider remit of privacy law, stronger regulator powers, and expanded individual rights – attempt to correct some of the power asymmetry between individuals on one hand, and tech giants and other data-driven organisations on the other. Nevertheless, the same intractable problems persist – the failure of the ‘Notice and Consent’ model wherever it is available, including under the GDPR, the limits of traditional privacy principles, the conundrum of data sovereignty, the inadequacy of consent buckling under the weight of overuse, and others. The recent developments outlined here are just a start and not enough.
In addition, and notwithstanding the few significant examples of enforcement, the funding of privacy and data protection authorities worldwide is woefully inadequate almost without exception. Most organisations are ‘getting away with it’ most of the time, including in Australia, Europe, the USA and elsewhere.
I believe that we are at a tipping point, by which I mean that we are at the point of engaging with those issues in new ways. We are already seeing how the lines are blurring between conversations about privacy, data sovereignty, AI, anti-trust and even democracy, which creates fertile conditions for innovation in how we approach privacy.
My final observation is that there is nothing inevitable about the data-driven business model we are confronted with in 2021. This approach has been powered by two factors: obfuscation of how personal information is actually used (as so pungently described by the Australian Competition and Consumer Commission in its final report on its Digital Platforms Inquiry) and the innate human inability to assess, even in their own interests, short-term gain versus long-term loss. At last, the scale and impact of the long-term losses, such as insidious adverse discrimination and damage to democracy, are becoming clear in the public mind.
In the same way as the world eventually learnt that the impact of ozone and now carbon emissions could actually endanger the planet, I am confident that the combination of economic pressure and regulation will develop the alternative for personal information and privacy. It will not be fast and it will not be easy, but it will happen.