Trust, transparency, data ethics, regulatory frameworks and empowering people to manage their data all feature in discussions about the online privacy and data management landscape.
In the third of a four part series, The Mandarin canvasses these issues from three different perspectives: government, a digital media platform and consumer policy.
Elizabeth Tydd – CEO, Information and Privacy Commission NSW and Open Data Advocate
The Information and Privacy Commission NSW (IPC) is an independent statutory authority that administers legislation dealing with privacy and access to government held information in NSW.
Elizabeth’s role has dual objectives. It encompasses not only regulation but also advocacy given her appointment as Open Data Advocate in 2016. NSW is the only state with this position and as Open Data Advocate, Elizabeth’s role is to encourage the release of data by NSW government agencies in ways that are respectful of data sharing safeguards.
This is underpinned by compliance with the Government Information (Public Access) Act 2009 (GIPA Act). In Elizabeth’s view, the NSW public sector has applied a robust legal framework in determining the release of information. The public interest test particularly as enshrined under the GIPA Act ensures that public servants’ decisions balance a range of factors and rights in determining how information should be managed.
“This legislated approach, like the balancing of factors required under ethical frameworks effectively promote the public interest.”
While legislation is important, decision making frameworks can’t rely on a rules based approach alone and need to incorporate new developments in data ethics. Elizabeth points to two examples. One is New Zealand and the Data Futures Partnership, an independent group created by government to drive trusted data use and strengthen New Zealand’s data ecosystem. The Partnership was tasked with developing guidelines that public and private organisations can use to develop social licence for data use.
The Partnership engaged with thousands of New Zealanders to understand how they felt about their data being used and shared in different situations, including an online tool (Our Data, Our Way). Elizabeth saw this engagement as a way of developing a social compact.
Join the editor of The Mandarin, Harley Dennett as he facilitates a panel discussion on privacy and consent with Facebook’s associate general counsel on data protection, a privacy lawyer and a business consultant.
“When people trust how their data is being used, they are buying into value creation.”
Elizabeth’s second example is the Markkula Center for Applied Ethics at the University of Santa Clara in the US. The Center has a focus on internet ethics, exploring ethical issues in privacy, big data, social media and cybersecurity. Available resources include a teaching module on data ethics and a framework for ethical decision making which is also available as an app.
Rob Sherman – Deputy Chief Privacy Officer, Facebook
As Deputy Chief Privacy Officer, Rob is responsible for managing Facebook’s global engagement on public policy issues around privacy, security, and online trust. Given the scope of his role, Rob is in a unique position to observe data use and privacy protection through a global lens.
There is no doubt the European Union’s new data privacy law, the General Data Protection Regulation (GDPR), is reshaping how organisations are approaching privacy. Rob sees the development of the EU’s GDPR as a positive development.
“Everyone has a right to privacy. GDPR has been a good stepping stone to have a broader global conversation about people’s information and how it is being used. In thinking about GDPR and privacy more broadly, we have been exploring how we can most effectively communicate with people about their information and empower them to make the choices that are right for them.”
“As we think about GDPR in Australia and privacy regulation globally, the big questions are what are the basic rights everyone should have with their data, how is this translated in practice and how do we make sure it is communicated in a way that is understandable and accessible.”
“For services like Facebook, our responsibility is to work with governments, experts and users to communicate more about how their information is used and what choices they have.”
“People then have the ability to take action on whatever is important to them.”
He cites the example of changes made to the privacy shortcuts feature on Facebook. These centralise Facebook main privacy controls with clearer explanations of how the controls work. The user experience is now more accessible and easy-to-find.
When it comes to data ethics, Rob says, “Making sure we are complying with the law is always going to be important and essential to what we do. But if that’s all we are doing, it is not enough. We need to think more broadly about the implications of the services we are providing and how those services are being used in the world.” Rob points to the example of the application of machine learning in Facebook and addressing bias so there are no unintended consequences.
“This requires a more nuanced and sophisticated conversation, both internally and with experts outside the company.”
Rob sees two key issues dominating the privacy horizon over the next 12 months –communicating with users about their privacy and empowering people with their data. On the first issue of communication, Rob points to the development of layered privacy notices. Rather than lengthy disclosure statements that are difficult to understand, information is provided in clear and discrete bite sized notices. This approach helps facilitate increased understanding.
“When we think about the policy debate, there’s this tension between making sure people understand what’s going on and providing exhaustive detail about data use.”
Empowering people to control their data includes letting people take their data with them. Facebook is investing significantly in data portability, including the Data Transfer Project. This is a collaboration between Facebook and other technology companies which is building a common way for people to transfer their data into and out of online services.
“Giving people access to their information so that if they want to take it with them they have the ability to do so is important. One of the policy challenges in providing this portability is the issue of oversight. How much does one company need to oversee the information when it’s going to another company and how much should that be a consumer choice? These are challenging questions.”
No matter what looms on the horizon, Rob says, “People are looking for their privacy to be protected whether it’s by a bank, by an online service or by a retailer. All of these organisations collect data and making sure people have a baseline level of protection is essential.”
Lauren Solomon – CEO, Consumer Policy Research Centre
In 2018, the Consumer Policy Research Centre (CPRC) released a report on Consumer Data and the Digital Economy. This included research which explored Australian consumers’ understanding of consent to data collection, use and sharing when accessing online products and services. The research found consumers experienced a lack of transparency and choice, exacerbated by the nature of privacy policies which are complex, lengthy and difficult to understand.
In considering the privacy and regulatory landscape in Australia, Lauren’s observation is that Australia has not had the same robust policy discussions which occurred in Europe over a seven year period in the lead up to GDPR. In Lauren’s view, “This allowed policy makers, the community sector and industry to drill down into the issues and flesh out what an appropriate policy framework looks like.”
“While we’ve had the Productivity Commission inquiry into data availability and use, it hasn’t covered the full gamut of issues we’re seeing in the ACCC Digital Platforms Inquiry.” Lauren describes these issues as being at the intersection of privacy, consumer protection and competition laws. “This is quite critical as it’s the same intersection which is being identified in international policy development and regulation.”
The CPRC research found there is significant market and regulatory failure which has resulted in consumers being unable to make informed choices about their data. Lauren attributes this market failure to the significant information asymmetries between companies and consumers; the lack of specificity in the Privacy Act around disclosure and consent; and the lack of agency and control for consumers such as not having the right to delete their data.
“Those fundamental levers we see in other jurisdiction are yet to be seen in Australian legislation.”
From the CPRC’s perspective, issues of comprehension, transparency and agency are critical for all policy reforms relating to data and consumers so as to enable people to make informed choices in the digital economy.
Building a trusted environment is the first plank of any policy reform. In Lauren’s view, “Trust is critical. We want a protection framework so that consumers can feel confident and comfortable entering into arrangements where their data is being shared with companies. The next step is then to open up data through data portability and the Consumer Data Right. If we don’t have trust and transparency then it undermines the benefits that can flow from data driven practices.”
“The data ecosystem is incredibly complex, the technology is moving incredibly fast.”
In this environment, Lauren says, “We need to invite different people to the table. We need people with a data ethics background, human rights experts, privacy experts, consumer protection experts, competition lawyers and industry. Privacy and data management cuts across different areas.”
Lauren sees a need to come together to develop a common language for dealing with the emerging risks and opportunities. “We might not be doing ourselves justice if take the tools and resources of the 19th century and apply them to a 21st century problem. It is a conversation that needs to be inclusive.”
The conversation also needs to be inclusive of the different parts of the community who are being impacted by technology in different ways. This includes marginalised and vulnerable members of the community who may not be experiencing the same benefits as people with higher levels of digital literacy. This brings into play the role of other policy areas such as social policy.
“We need an integrated and joined up approach in dealing with the fuel and technology of the fourth industrial revolution. We don’t currently see that in the Australian policy landscape. This needs to be the next step if Australia is to benefit from the technology and innovation underway in other cities around the world.”