The Privacy Parables: Understanding Australia’s Privacy Act in the GDPR Age

Law as stated: 17 March 2023. This episode was published and is accurate as at this date.
Join Clyde & Co. Partner Alec Christie as he instructs David Turner in the tenets of Australia's privacy regime - including the "3 Cannots" of privacy law.
Substantive Law
17 March 2023
Alec Christie
Clyde & Co
1 hour = 1 CPD point
What area(s) of law does this episode consider? The GDPR, Australia, and the Privacy Act 1988 (Cth) (Privacy Act).
Why is this topic relevant? With multiple high-profile data breaches occurring in 2022, Australia’s privacy regime came under the spotlight once more.

Grounded in the Privacy Act and the Australian Privacy Principles (APPs) contained in Schedule 1, the Australian approach to privacy and data retention is a nuanced legislative behemoth. However, at the same time many locals are wrestling with Australia’s regime, they also have to contend with the EU’s General Data Protection Regulation (GDPR).

The globally renowned GDPR entered into force in 2018, with great fanfare and mild international panic over its extraterritorial reach – and did you know the EU’s perspective on Australia’s privacy regime is that it’s inadequate because of exemptions for small business and employee records?

Keeping up to date with moves in the privacy law space is a key skill for many Australian lawyers in private practice and in-house.

What legislation is considered in this episode? Privacy Act 1988 (Cth)

Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 (Cth)

What cases are considered in this episode? Data Protection Commissioner v Facebook Ireland Ltd and Maximillian Schrems (C-311/18) (Schrems II) (Eur-Lex link)

  • In issue was the transfer of data between Facebook Ireland and Facebook Inc. based in the United States. The Court of Justice of the European Union declared the EU-US Privacy Shield – the framework assisting with the transfer of personal data between the EU and the US – invalid, but upheld the Standard Contractual Clauses (SCCs).
What are the main points?
  • In 2000 the Privacy Act was extended to the private sector.
  • When this extension happened there was a real fear that the regime would be overly burdensome on some smaller pre-internet local businesses and that there were already protections around employee/employer confidentiality.
  • This thinking led to the small business exemption and the employee records exemption. These were intended to be temporary – 23 years later they are still in place.
  • The employee records exemption applies to all past and present employees. The groups of people not included under the employee exemption are:
    • Future employees.
    • Contractors.
    • Volunteers.
  • Additional programs such as optional fitness programs run by an employer are not included under the employee records exemption.
  • By the nature of the contracts that many smaller enterprises have with larger corporates or the government, many are already “falling backwards” into compliance with the Privacy Act.
  • In Alec’s view, there is a general lack of implementation of the Privacy Act and a lack of understanding of what is required. He refutes the criticism that the Privacy Act is pre-internet or “predates” this or that.
  • This is, in Alec’s view, not a total lack of implementation – just particular areas in which people seem to have “lost the plot”.
  • Because of the small business and employee record exemptions, the EU does not consider Australia’s privacy regime to be adequate for the purposes of the GDPR.
  • An Australian business receiving data that is subject to the GDPR has various obligations to otherwise comply with or agree to the SCCs – this includes related corporate entities.
  • This restriction, however, does not apply where an Australian entity sends data to somewhere covered by the GDPR.
  • Getting Australian data sent overseas – and infected by compliance with the GDPR – returned to Australia can be difficult. An example of this situation is sending information to a foreign data analytics entity for processing.
  • In Alec’s view, an entity’s core obligations under the Privacy Act can be simplified to “the 3 cannots”:
    • You cannot collect whatever personal information you like.
    • You cannot use it for whatever purpose you want.
    • You cannot keep it forever.
  • APP 11.2 says that once personal information has been used for the purposes that the user was notified for, there is a positive mandatory obligation to delete or de-identify it.
  • It is very unlikely there will be a reasonable excuse that will waive this obligation.
  • Complying with privacy obligations significantly reduces risk of potential breaches, the cost of notifying and rectifying a breach if it were to occur, and the ongoing costs of data storage.
  • The Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 (Cth) raised the maximum penalty from $2.2 million to $50 million or 30% of adjusted turnover.
  • The principle of “least data”, or “data minimisation”, is a principle highlighted in decisions and guidance by the Privacy Commissioner.
  • The idea is that companies should collect the least amount of personal and sensitive information that they possibly can to do their function.
What are the practical takeaways?
  • Privacy lawyers need to stay abreast of not only the changing legislation but changes in technology that will affect privacy.
  • It is likely more cost-effective for companies to treat employee records as if they were customer data rather than distinguishing between the two.
  • For lawyers wishing to get into the area of privacy law, keep up to date with regulations, decisions, and technology.
  • Understand the wider way the law and APPs are implemented, and look at the law in a wider commercial context. Most of a privacy lawyer’s job is interpreting, applying, and using past experience to find solutions – ChatGPT is not up to this task!
  • The privacy practice space is a small, collegiate – and in Alec’s words – “nerdy” niche. Reach out to those in the space.
Show notes: Australian Government Attorney-General’s Department, Privacy Act Review Report (2023)
Hearsay Sidebar, We Interview ChatGPT about… Itself

* Sadly, Hearsay was unable to locate the relevant student publication Alec mentions in the podcast. 
David Turner:
Hello and welcome to Hearsay the Legal Podcast, a CPD podcast that allows Australian lawyers to earn their CPD points on the go and at a time that suits them. I’m your host David Turner. Hearsay the Legal Podcast is proudly supported by Lext Australia. Lext’s mission is to improve user experiences in the law and legal services and Hearsay the Legal Podcast is how we’re improving the experience of CPD.

Now, if you were to strike up a conversation with our old friend from law school, the man on the Clapham omnibus, about data privacy, you might – by virtue of its ubiquity in our daily lives – stumble on the mention of the EU GDPR. That’s the General Data Protection Regulation. We see it whenever our favourite website updates its privacy policy. Whenever our preferred news outlet helpfully informs us that it uses cookies on its website. The globally renowned GDPR entered into force in the EU in 2018 with great fanfare and maybe a little international panic about its extraterritorial reach. The GDPR covers processing of personal data, defined as any data which refers to an identifiable natural person – a little bit like the Privacy Act – by any EU located entity, any overseas entity offering goods or services to EU citizens, or generally where any behaviour of EU subjects is being monitored. However, it’s foreseeable that same knowledgeable commuter has little to no understanding of Australia’s own privacy and data retention regime, nor of their rights and possible responsibilities under it. Did you know, for example, that the European Union’s perspective on Australia’s privacy regime is that it’s inadequate because of exemptions for small businesses and employee records? Centered around the Privacy Act 1988 and the Australian Privacy Principles contained in Schedule 1, the Australian approach to privacy and data retention is a pre-internet legislative behemoth. Joining me today to discuss Australia’s approach to privacy, the impact of the GDPR in Australia, and the future of Australian privacy laws is Alec Christie from Clyde & Co. Alec is a partner at the Sydney office of Clyde & Co., and an expert on digital transformation, blockchain, AI, and privacy – to name just a few of his interest areas. Alec, thank you so much for joining me today on Hearsay!

Alec Christie: Pleasure.
DT: Now, Alec, before we get right into it, tell us a little bit about your path to privacy and data law. How did you get into it?
AC:
Okay, now I’m going to show my age. People can’t see me, but this’ll let them know how old I am. So the first privacy law was introduced in 88 – the Privacy Act – and it only applied to Commonwealth government agencies and organisations. And so I was very fresh faced and new in the technology team at Baker McKenzie in Sydney. Because of their US heritage they had most, if not all, of the then big US tech behemoths who were operating in Australia – in particular contracting with government. That was a real big thing back then, hardware and software. So as the newest, youngest member I got thrown; “hey Christie, look at this stuff and tell me what’s going on”. And over time, more and more of those obligations imposed on Commonwealth agencies got factored into the contracts. And so more and more my specialist, quirky little knowledge became important. Now, it was in those early nineties. Since then it’s always been a part of what I do and I loved it, but it was only ever a small part until about 2000, and that’s when it was extended to the private sector. Lo and behold, here I am one of two people in Australia – I’m suspecting – that knew anything about it. And suddenly the private sector were clamoring. Every year since 2000, my practice in this space and related to privacy, information, innovation, AI et cetera, has expanded. Whereas today I’m probably covering all the guises of it, including in financial services. It’s about 75, 80% of my practice.
DT: Wow. So going from that really specialist niche to probably one of the fastest growing areas…
AC: Yeah.
DT: … in Australian legal practice, maybe one of the biggest!
AC: I’m sure my partner thought at the time that this will never fly. This will never work, they’ll put things in contracts and leave it for 50 years, so let’s get the newbie onto it. But it just got more and more back then, and of course was extended to the private sector in 2000. Slowly but surely it’s been growing ever since in terms of interest and importance.
DT: And so from the early nineties to now – the early 2020s – you’ve given us a little bit of a taste, but what does day-to-day practice look like for you? What are the matters that really occupy your time?
AC:
Yeah, look, it’s really interesting. In the early days it was privacy policies and really basic sort of stuff getting to grips for clients with very simplistic issues. And then – I’d even say since the dawn of the internet – but certainly looking at things like big data, looking at things like AI, looking at the obligations in and around financial services organisations, which also relate to information, it’s exploded into some really more sophisticated jobs that we’ve had to do. Looking at global data pulling, big data analytics, application of innovation and AI to information, and what the privacy consequences of those sort of things are. Plus still some good old fashioned reviews of what clients are doing. Are they compliant? And every time there’s a tweak or a change. So classic example, when the mandatory data breach notification came in, it actually uplifted significantly where we were not just in terms of meeting the data breach requirements, but also general privacy compliance. So there was a focus on that. There’s no doubt that the last year – a horror year for some companies – is going to do the same. It is certainly going to focus attention of corporates on this area. And again, this year the AG’s review is going to do that.
DT: Absolutely.

TIP: At the time of recording of this episode in January, the Attorney General’s Privacy Act Review Report was yet to be published so throughout this podcast you’ll hear Alec and David refer to that report in future tense.

It was published on 16 February. We’ll leave a link to it in the show notes and we’ll give Alec a bit of time to digest the Report and then we hope to have him return to the Curiosity Recording Room to discuss the proposals and changes.

I was going to say the past year has really brought the importance of having this right into sharp focus and I imagine a big part of your time as well as doing client work is keeping up to date…

AC: Yeah.
DT: … with all of the amendments because there is so much legislative reform in this area.
AC:
Yeah. And there will be this year when the government responds to the AG’s review. Absolutely right. Yeah I think – this is probably the same for all areas of law, but I suppose a little more for ours – because it seems to be so fast moving. If it’s not the legislation, it’s the technology. I mean AI has come out of the clouds. For those of us who have been following this it’s been around for a while, but it’s only really gone into a commercial sort of focus area for a lot of clients in the last two or three years. Facial recognition had that same sort of blip until the Privacy Commissioner swatted it down. We’ve got to stay abreast of not just the changes and the interpretations and the decisions of the Privacy Commissioner, but also what’s happening in the tech, what’s happening in innovation, what’s happening in information.
DT: Absolutely. At the time of recording we’re just two months after the release of the latest model of ChatGPT which has taken the news world by storm. I think everyone’s talking about ChatGPT.
AC: Yeah.
DT: Everyone’s feeding prompts in and getting their responses and being astounded by the quality of them. That’s probably a story for another time!
AC:
Let me just say this though, David. It’s really interesting because – my fabulous team and I – we decided; “is this going to replace us?”.

TIP: If you’re a keen listener of the podcast, you’ll probably know that David has a bit of a passion for creative machines such as the generative AI ChatGPT.

It’s been a huge theme for the podcast this season, and many of our guests have been happy to share their perspectives on whether it will change their practice. David even interviewed the machine on Hearsay’s Sidebar podcast; including asking it to generate a teleplay about a lawyer who solves crime in a cyberpunk futuristic setting – featuring yours truly as a cranky police officer.

For that strangeness and the rest – check out Sidebar by Hearsay The Legal Podcast on your podcast platform of choice. The episode is called “We Interview ChatGPT About… Itself”.

Back to you Alec.

So we’ve asked it privacy questions and I’ve got to say – and it’s awful to admit this – the first few questions we’re getting responses going; “hooly dooly, these are awesome!”. And then – thank goodness – at a certain point of sophistication it started to fall away and give garbage and meaningless advice. But a couple of the early things that we were asking it – we probably would’ve answered the same. Or if not, we respected where the answer came from and understood that it was a possible answer. But yeah, thank goodness we started to get more and more sophisticated with our questioning. And it’s that practical aspect. It’s not black letter law. You’ve got to have the experience, you’ve got to have a different mindset. It’s not a “no” situation. You never tell a client no. You’ve got to work out a way within the bounds of the law and your experience in a number of projects to actually focus on; “what is the solution for the client”. I’ve only ever said no once, and that’s because the law actually said, and still says, you can’t put CCTV cameras in change rooms, which is not a bad thing to say no to.

DT: Yeah. That’s a good hard line to draw! I have to say I had the same experience playing around with ChatGPT on the corporate advisory, fundraising, turnaround space. There’s some basic answers, which it can occasionally get right…
AC: A bit scary, isn’t it?
DT:
… which is fantastic in terms of that sort of general legal information accessibility. But yeah, I think we’re safe when it comes to specific questions and implementation. I think without going too far down this particular rabbit hole, its amazing powers are really in the expression of ideas rather than in the source of knowledge or the source of truth. It recognises patterns in language and if those patterns in language happen to reveal something factually accurate, then it might uncover that. But that’s not its purpose. But it’s still amazing at that expression of ideas in natural language. And I think maybe for some of the lawyers who have that great black letter law knowledge but aren’t so good at expressing it in plain language, it might be quite a useful tool.
AC: Yeah, absolutely. And look, we also now are probably giving away some trade secrets. We’re probably now going to use it. We do a lot of scenario testing with clients and it’s a little bit hard to avoid breaching client confidentiality to come up with a scenario that doesn’t drop another client in it. So actually we’ve given it some parameters and it’s come up with some pretty good scenarios that we would then tweak and modify for the particular client. But yeah, that was interesting. Really interesting.
DT:
Yeah. Fascinating. Alright, enough ChatGPT, let’s get into it. So I mentioned at the top of the episode that we’re talking about GDPR today and that the EU considers Australia’s privacy legislation inadequate – at least from the perspective of it being a substitute for GDPR compliance, that is. Largely because of exemptions for small businesses and exemptions for the keeping of employee records. So tell us a little bit about what those exemptions mean practically for Australian businesses and why is that position different in the EU?
AC: Yeah. Can I start with the history?
DT: Sure.
AC:
I think that then covers the thinking on this. So remember I said that in 2000 that’s when the Privacy Act was extended to the private sector? So I th… well, I remember it, I don’t have to think. I know that there was a lot of fear about what that was going to impose on private sector companies, especially smaller companies, pre-internet. And so there was a real feel that this would be too burdensome. And so what they wanted to do was, in the case of the smaller enterprises, temporarily exclude them from the operation so that once everything had settled down with the larger organisations and we all knew how to do it in the private sector, it would be a much easier task for them to do it. Similarly with the employee exemption. The thinking there was that A; there was already some sort of employer/employee confidentiality that sort of covered it. Not really, but it sort of covered it. And B; even with the bigger enterprises – let them focus on the external, on their customers and the people they collect information from outside and temporarily let’s give them a free pass on employees. 23 years later we’re still temporarily waiting for those to be lifted. And again, I don’t see a reason now, and I struggle to come up with an answer to this question, to justify why they’re still in there. Every business now, no matter how small or large – is whatever they do, plus an information business.
DT: Yeah.
AC:
Everybody uses the digital economy. Everybody collects information. I’ve really only come across in the last few years, one or two, and they were thinking about or transitioning to the digital economy. So it’s not fit for purpose anymore, that exemption. And it’s not relevant. And indeed, let me say this, many of the smaller enterprises that deal with the bigger corporates, or deal with government, are forced by contract to comply with the privacy law already anyway. So it’s not going to be such a big impost. Employees – look, federal employees were always covered by the act from 1988. This is very anachronistic and out of place and out of time. And a lot of the medium to larger companies already apply the Privacy Act to their employees in one way or another. They have a bit of a bet each way. They like the employee records exemption on occasion, but even that’s being watered down how far that goes by the Privacy Commissioner and the decisions. So yeah, both of these I can’t see a justification. Now the EU doesn’t like them, David, because it means that our law doesn’t cover everybody either in terms of the businesses because the small businesses are cut out. So it’s not sectorial in the sense of only applying to one sector, but it’s not a wholly comprehensive, fully coverage type privacy law. And in addition, it then doesn’t cover all individuals because you are carving out employees of the corporates that are subject to the Privacy Act. So look, you can see why from an EU-purist point of view they don’t accept the argument that its employee/employer relationship covers that. They don’t accept that, and they’ve got no understanding of why in 2023 – or for the last 10 years, in fact, why we’ve had this carve out for smaller businesses who post-internet, let’s be honest, are probably dealing with as much personal information proportionally as our banks.

TIP: When talking about information it’s worth noting that there are different categories of information relating to people under the Privacy Act – and they can be treated by the Act differently.

So let’s take a look at personal information and sensitive information. The former is any information, or opinion, about an identified individual, regardless of whether the information is true or not.

Sensitive information is a little more complex, it variously covers things like racial or ethnic origins, political beliefs and health information – rather dystopically it also covers biometric information. Probably best not to think about that one too hard.

If you want the full list of what constitutes “sensitive information” check out the definition in the Privacy Act – that’s section 6.

DT:
And I think you’re right; they are probably complying if not because of an awareness that they must comply under the Privacy Act. But then because they’re obliged to do so by their institutional suppliers or institutional customers, because they’re doing it because when they set up their website it suggested they have a privacy policy and so they put one together. There are many reasons why small businesses in Australia might fall backwards into compliance with the Privacy Act, but returning to that comparative exercise with the GDPR, I guess the takeaway as a consequence of that inadequacy of the Privacy Act vis-a-vis the GDPR…
AC: … well, let’s say lack of adequacy. Because our Act is not inadequate. I’d argue it may be in implementation, but this is where I diverge from a lot. My team and I have been doing so much of this. We know that the law is there and the decisions to tell you how to apply it. But the problem is there is a general lack of implementation. And it’s not necessarily all smaller enterprises, and it’s not a particular sector. It’s across various sizes and various sectors. And again, it’s not a total lack of implementation of the Privacy Act. And I think we might get a chance to talk about it later. It’s particular areas where people just seem to have lost the plot. Just not understand at all what they’re supposed to be doing.
DT:
I think I know what you’re talking about, maybe we’re going to come onto it later. But you’re right. Poor choice of words. Not inadequacy in itself. But regarded as inadequate as a substitute for GDPR compliance.
AC: Exactly.
DT: Because of that decision in the European Union, what does that mean as a practical takeaway for an Australian business that might be providing its services to European consumers?
AC: First of all, our cousins in New Zealand have it. So first of all, apart from any good practical reasons – come on Australia! Seriously.
DT: I know it’s embarrassing, isn’t it?
AC: New Zealand have it. It’s another thing they can say that they were first to do or first to get over us. But anyway…
DT: They do punch above their weight though.
AC:
They do. And we can argue whether they should have got it or not, that’s a different story. But they have it and it’s very effective. And we have a lot of New Zealand company clients and it’s just genius what you can do in structure when there’s none of what I’m about to talk about. Because if you’re an Australian business, and even if you’re receiving it from a related entity or a parent or a subsidiary or part of the group, it doesn’t matter. If it’s coming to you as a separate legal entity in Australia, then there is a whole lot more that you have to do in order to permit that. So we’ve gone through various iterations, but the current standard contractual clauses have been “improved” in inverted commas. They are shockers. They are really tough and difficult. And that means any EU company including a related – unless it uses binding corporate rules. And they’re similar to the SCCs, but these standard contractual clauses basically bind the entity in Australia to comply with GDPR in many respects with respect to the data that is subject to GDPR. And that was bad enough David. And we worked out how to deal with that and we worked out how to help clients isolate and look at different systems so that they didn’t get infected. And we can talk about infection or the viral impact of GDPR later, but certainly that was manageable. And then of course, just recently, the EU Commission did another failed attempt with the US  – a Schrems II case knocked down the harbour as it knocked down the safeguard. And out of that came now the obligation; “it’s not good enough just to bind the individual company. You now, as an EU company, have to look at Australia and take a view irrespective of the standard contractual clauses. What’s that country like? Does its government obey rule of law?”
DT: Wow.
AC:
“What sort of access does it have? Does it have to go through a proper warrant or court approved process, or can it just ask for the information?”.

TIP: The decision Alec just mentioned is Schrems II – that’s S, C, H, R, E, M, S. That colloquial moniker is in reference to lawyer and activist Maximillian Schrems.

The full name of the decision is Data Protection Commissioner v Facebook Ireland Limited and Maximillian Schrems (C-311/18). It’s a decision of the Court of Justice of the European Union (CJEU).

In issue was the transfer of user data between Facebook Ireland and Facebook Inc based in the United States, particularly where it was legally required to be made available to government agencies for ongoing monitoring.

In its judgement, the CJEU rendered the EU-US Privacy Shield, the framework assisting with the transfer of personal data between the EU and the US, invalid, but upheld the Standard Contractual Clauses or SCCs.

And so you are now getting more and more obligations, which means more and more cost to get information from the EU. The only good news is; EU is an acceptable country for us – or anyone under GDPR or UK GDPR, and I use those interchangeably. We can send it no problem at all because it is recognised as not an issue. The problem is getting it back. So even if you use – and this happened to a client of ours – all Australian information, used a processor, just a processor in the EU, who won a bid. And then they were faced that when it was time for that information and the analytics based on it to come back, the processor said; “well, I’m sorry I can’t send it back unless you sign standard contractual clauses”.

DT: Oh, geez. Even though it was Australian data?
AC: Of an Australian entity that was just sent over there for basically data analytics. So yeah, there are tricks and traps and all that, but the problem is without adequacy it just imposes a whole lot more obligations and costs on our businesses.
DT: Absolutely. And I think before the election, the Coalition government as part of a response to the ACCC’s Digital Platforms Inquiry announced a review of the Privacy Act. And there was a discussion paper released in relation to that review that said; “the small business exemption is a barrier to GDPR adequacy, which could lead to a loss of trade and collaboration with the EU and that it was an international anomaly”.
AC: I’d agree with that.
DT: Do you agree?
AC:
Oh, absolutely. Of course it is. And as I said before, these were temporary measures back in 2000 to ease the burden of introducing this very new – although it had been in the public sector – very new privacy obligations on business. The need for them is long gone. And we are holding ourselves back in that sense. And I argue till I’m blue in the face that we’ve got other things and, you know, we are closer to adequacy than people… but it’s just, it’s an argument I never win with EU colleagues.
DT: I think your story raises an interesting point, which is that it’s not just a barrier to trade with the EU, but it’s actually a barrier to the sort of service providers that Australian companies can use in an increasingly globalised digital economy. That a data processor, that a data analytics firm based in the UK or the EU, might not be able to work with an Australian company.
AC:
Exactly. And in this case, they were as I understand – without giving too many details away – they were something like a third cheaper than any Australian competitor who could provide the same service. And in fact, I was also told that this particular entity was one of the few that did exactly what the client wanted, that there was some technology and some process methodology that they really wanted. So yeah, they stuck with them and we ended up doing bizarrely a standard contractual clauses agreement to get their data back.
DT: They must have been worth it then.
AC: Yes.
DT: Now let’s talk about the employee records exemption. The Office of the Australian Information Commissioner has expressed concern about this exemption itself quite apart from any GDPR issues. They’ve said it fails to adequately protect the personal information of private sector employees. So what is the employee records exemption? How are employee records actually dealt with any differently to other personal information?
AC:
Yeah, let me just say before I go into this, and I’ll give the standard sort of answer in terms of the thinking, but it’s being eroded by the Privacy Commissioner. Not only are they saying things in reports and responding to the AG review, but case by case, decision by decision, wherever they get the opportunity, they are putting their view forward as to how they see the employee records exemption. And they’ve already said in a number of cases, for instance, that it doesn’t apply to mandatory data breach notification where there is a mixed database. So for example, you’ve got customer information and employee. So, look, the way the law is at the moment I would still argue that there is a very good argument that’s not the case, but that’s the practice. So you’re fighting against the practice. So they are already preparing for the day when this has disappeared, and in the meantime they’re nibbling away at the edges of it. But essentially what it means is that any personal information in an employee record, which is a record relating to the employment relationship past or current – so not future. So a candidate is “not an employee”; you don’t get the benefit of the exemption. Contractors are not employees. No exemption. Volunteers, not employees, no exemption. So it’s that employment relationship. So it’s things like your detailed tax file number for tax. And arguably that’s been carved out now too by decisions of the Commissioner. But certainly, information about your salary, your bank account, your disciplinary actions, et cetera. But it’s always been subject to limits. So for example, when you sign up to the optional fitness program run by an employer, is that employee records? Probably not.
DT: Oh right.
AC: Because it’s not to do with your employment relationship. It’s a voluntary thing, which is outside. It’s; “Thank you, employer. It’s been provided to us. It’s a fabulous opportunity.” Cooking classes. That was the problem with a lot of the stuff that was going on in the COVID years. People were providing this and thinking that it was within the employee records exemption. Additional beneficial programs to keep people from going insane were not really part of the strict employee records relationship. So when you’ve got that, the argument is that they’re exempted from the Privacy Act. But as I said, it’s been eaten away and I just can’t see that it’s relevant. It’s only private sector employees that get this exemption. And it’s not their exemption, it’s the employer’s exemption, of course.
DT: I have to imagine that these edge situations you’re describing – volunteering, potential employees and any form of candidacy, services provided to employees. You must see companies getting that wrong all the time.
AC: Oh, yeah. And look, to be quite frank, I’m being a little bit flippant here, but it’s probably costing them more to work out what’s in or out than just getting rid of it and getting a program where, just like with their customers and third party individuals, they treat the information – because they’ve got programs already for the external facing – it’s probably cost effective just to roll that out to employees. And a lot of businesses at the moment do, I’ve got to be honest. They’re not perfect in the sense of rolling all of it out across. Although it’s interesting, all of our overseas clients with subsidiaries here from the US and Europe just automatically apply privacy because they have to in Europe and the US. And so they don’t want to have two different classes of employees within their global organisation.
DT: Of course.
AC: So they roll out the program to their employees. And I think other businesses, Australian based businesses, are doing the same because it is starting to be obvious that the writing’s on the wall for this.
DT: Yeah, absolutely. And I guess when you’re talking about mixed databases, in terms of that mandatory data breach notification decision, if that data’s being stored in a similar way then in terms of securing, destroying, or all of those obligations, you’re likely to be complying as a matter of course, or as you say, it’s easier to comply than not.
AC: Yeah. Rather than – well, actually I shouldn’t say this – rather than spend a lot of money with people like me saying whether it’s part of the employee records exemption or not – I’ve just done myself out of a job. But no, in all seriousness, I think the writing is on the wall. I will be astounded if this is not removed after the AG’s review, I will be absolutely shocked. The small business is a tougher fight. Certainly was under the previous government. I don’t think it’s as tough a fight under this government…
DT: … more appetite after the election, I’d say.
AC: … because of the political ideology and the small business concept. But I really do think you know that will go. But I think it’s odds on that the employee record exemption goes. I can’t see a reason to justify it.
DT: Sounds like a safe bet.
AC: Yeah, hope so.
DT: Now, you were saying that earlier in your career, when the Privacy Act started to apply to private enterprises, privacy policies were a big part of the job, and I think it wasn’t so long ago that you’d see a privacy policy describing the kind of information collected by the organisation and it would say we collect your name, your IP address, your tax file number, your health information, your dog’s name, your dog’s health information. Collect everything – just include everything as a category that you would collect. Keep it all for as long as you possibly can. The “keep everything” culture, but we’ve really seen that blow up in the faces of those sorts of organisations in a big way over the last two years. And I think a lot of customers of those organisations – I think our listeners know the ones we’re talking about – were surprised to learn that some of the information that was disclosed…
AC: Yep.
DT: … in those data breaches was retained.
AC: Horrified is probably more the word.
DT: Horrified might be correct. I was a customer of one of those organisations. My driver’s licence number was disclosed. And I thought; “why is that retained after my identification has been verified?”. If it’s used to identify me as a customer, you can destroy it as soon as that use has passed. Now that “keep everything” culture. I think at the surface level people were saying; “oh, it’s because these companies find data so valuable and they just want so much of it”. But others have said that that “keep everything” culture is a product of some confusing data retention obligations under the Privacy Act. So which do you agree with? Do you think that there are some data retention obligations under our current regime that are confusing, that may have contributed to this “keep everything” culture?
AC: Okay, David, apologies in advance. This is one of the areas – in fact, one of many, my team would say – that I get a little bit annoyed with. And again, I must admit that it’s because I’ve been doing this and my team have been doing this for so long that maybe I have that level of knowledge just because I’ve done this for a very long time – way back since ‘89 – that I understand how it works. So we’ll get to the confusing part in a minute. But my basic tenet is that it is covered by the Privacy Act. It may be a little bit confusing, but honestly, we’ve had 23 years of decisions – comments, decisions in the AAT, and in a relevant state. Because Victoria, New South Wales, have similar laws at various different times with tribunals that make decisions when people complain about things. Decisions of the privacy regulator. And it’s really, in my view, pretty clear. And look, I know you asked about the data retention, but let me just start with – I very simplistically boil down the privacy law, the main core obligations, as what we call the “three cannots”. You cannot collect whatever personal information you like. You cannot use it for whatever purpose you want. And you cannot keep it forever. They’re the cannots and there’s a lot behind that. But that is essentially the area. And then of course things like mandatory data breach notification came in, so you have to add something for that. But the “three cannots” – it’s a nice sort of ring. And look, going to that third one, you can’t keep it forever. It’s pretty clear, and I don’t want to nerd out on people, but APP 11.2. So Australian Privacy Principle, which I always call as part of the privacy law, because it is a part of the Act, is very clear. That you have an obligation once you’ve used the information, the personal information, for the purpose that you’ve notified that you’re going to collect it for.
So in my privacy policy and my privacy notice, I’ve said to you; “David, I’m collecting it for this reason, to supply you with a widget or to sell you something online”. Once I’ve used it for that purpose, that notified purpose – which I’ve got to notify you of – and there is no legal obligation for me to keep it, right. So a law, for example, tax records or corporate records, or because there’s a current claim between us and there’s litigation that we’ve got to keep that information. But once that expires, let me be clear, there is a positive, mandatory legal obligation to delete or de-identify that personal information. Not a guideline, not a possibility, not a; “gee whiz, if you think about it, why don’t you do it?”. You’ve got to take reasonable steps, and I have only ever in the last 23 years come across a couple of reasonable excuses that meant it was unreasonable not to delete or de-identify, and that was around legacy systems in the ‘10s. No longer will that really be tolerated. We should have moved on with our technology. If you are still running tech that’s pre-2010 then come and see us. We can help you with an argument. But realistically, that is off the table now. And so it’s a high bar to me to say that it’s unreasonable to delete or de-identify it. Now, the problem is that those words, “reasonable steps”, I think have been misunderstood. But that’s a little bit cute because there’s been a lot of commentary, been a lot of decisions, been a lot of guidance. The Privacy Commissioner’s office – the OAIC – and its predecessor have put out a 53-page guidance on security, which is APP 11 and APP 2. What you’ve got to do to delete or de-identify. So look, I think it’s sometimes ignorance, but sometimes it’s a convenient grey area or “we don’t really know what we’re up to”. To me it’s clear that there is that obligation, however, you are absolutely right. It’s not implemented the way it should be. It is one of the massive black holes in our legislation.
It should not be the case that people have this amount of information about us from 10, 15, 20, and in one case 80 years ago, because they digitised their paper records as well.
DT: Wow. That’s got to be a record.
AC: Yeah. But look, I’d just also say I don’t get why this is not implemented the way it should be, because if I can just digress a little bit. It’s a win-win for business. You comply; you massively reduce, significantly reduce, the risk of harm. If there is a data breach – a malicious actor gets in there, they’ve got a lot less to take. So the size of it is less, which means the cost of notifying everyone and dealing with it is less. You reduce the cost of a potential complaint and damages for doing the wrong thing, because automatically, if you’re holding information you shouldn’t have based on APP 11.2 – you’ve breached the Act. And we might come to this about what’s been happening. It’s now effectively $50 million or 30% of revenue. And I’m not saying that this failure would be a serious or repeated breach, but you’re in that territory now. And so you can significantly reduce your potential risk, but you can also reduce your ongoing costs. We still get Christmas cards from some major bank IT departments because we reduced what they had to hold by about 50%. So all of a sudden, especially their legacy systems, they can turn them off and throw them away. They don’t need those two people that they hired just to look after that data in case; they don’t need the extra storage capacity. They save operating costs. So for me, as I said, win-win, I just don’t get why everyone thinks it’s so hard.
DT: Yeah, absolutely. And I think it’s that self-interested aspect that it’s good for the business too…
AC: Absolutely.
DT: … is something that’s really ringing true after the really high profile data breaches we’ve seen in the last 12 months. Because that exposure to liability – and we’re not just talking about the penalties that you described, that we’ll talk about a bit later, but we’re talking about class actions in both of those cases as well.
AC: Yeah. Class complaints, because we may talk about what the AG might do with a direct action, but at the moment there’s no – I don’t want to say “no” because someone could get very creative – but there’s no direct action. You’ve got to make a complaint to the Privacy Commissioner in respect to the Federal Privacy Act, who then decides. But again, if you look at those decisions, if the complainant wins against the company, the Privacy Commissioner has not been shy in all of their iterations, the previous few, and the current one, in awarding damages. And damages as well as the actual costs, but that sort of non-economic loss concept. Just for winning. Just for the harassment, just for the problems that this has put you through. Again, a class complaint, like some that are out there at the moment, we haven’t really explored in Australia, but they could be significant. A class of 10,000 people if they average what is awarded for non-sensitive, around $8,000 to $12,000. That’s a bit of money. And for sensitive; we’re looking at 15 to 20. And these are, again, these are rolling averages and they change. But – and again, not every case is the same – but just applying that law of averages, a class of 10,000 or more is a pretty big blow.
DT: Yeah. How about a class that’s a third of the Australian population for some of these companies? Now you mentioned that to you – and I suppose to a lot of privacy professionals – that obligation to destroy or de-identify that data once that purpose for which it’s been collected has passed, is clear. What about some of the purposes that we see in privacy policies that are interminable, that are uncertain in their ending? For example, to provide you with information about our products and services, to improve our products and services, to analyse trends in our sales and marketing activity. What about those sorts of ongoing activities? They’re legitimate purposes for collecting data, but what kind of risk does that create? And even if there’s no hard obligation to destroy data or de-identify data that’s been collected for that purpose, what practically should companies be doing with data that’s being retained for that purpose?
AC: Yeah. So let me nerd out on you again and remember that first cannot; you cannot collect whatever you want. And look, we call those sort of privacy policies the “wishlist” or the “Santa letter”. Because it’s this grab bag of everything we’d love to collect, we’d love to actually know in case we move into making ice creams what flavour you’d like – even though we’re financial services or we’re online shopping or whatever it may be. Look, the problem is that was – and look, I was guilty of it just as much in the early days – but we’ve moved away from that. And you’ve got to look at the law which says that you can only collect personal information that is reasonably necessary to perform a function or activity of your business. Now, this is where some more grey area comes in; “oh, we are going to do gelato. So we can ask the flavour”. Or in one case of a very large loyalty program – and there are a few, so this won’t dob them in – where a very dear friend of mine is in-house counsel said; “we want to collect sexual orientation”. I said; “really? And why is that important for which seat you get when you cash in your points to do whatever, or your particular prize or whatever it may be?”. So again, there’s best of intentions sometimes, but there’s a lack of understanding. You can’t do that. So it’s your day-to-day business and you’ve got to look – and we might talk about minimisation later – but just for now, let’s just say, you’ve got to look at whether you are entitled to collect it and you are, by law, not entitled to collect whatever personal information you like. It’s got to be tied to and reasonably necessary for a relevant business activity or function. So all those things about “we might do” are out. Some of the other things you mentioned are possible because they’re related or associated functions and they help deliver a service. But I think that will be another thing out of the AG’s review.
I think this is an area that people get most confused about and I think this is an area they might tighten up. So I would argue it’s there and if you read all the decisions and all the commentary, you can understand what it means. But again, people in a business may not have the time to do that. So I think they’re going to try and prescribe in the law or in regulations and make this a little bit clearer. Now that’s good for understanding what it means. But for people like me and my clients, it means less wiggle room, to be quite frank. So again, it was there and there was guidance, but I think because they are thinking about it and prescribing it, it will probably be limited more than where we’re at at the moment.
DT: Now you mentioned the $50 million or 30% of revenue fine. That came through in the Privacy Legislation Amendment (Enforcement and Other Measures) Bill in 2022. Very quickly passed.
AC: Oh, three and a half minutes…
DT: Tell us a little bit more about that amendment as the most recent sort of amendment to the Act, because it does some other things. I think the penalties was really the headline item there…
AC: Yep.
DT: … in the wake of those large scale hacks. But there are a couple of other things in there around the Office of the Information Commissioner as well.
AC: Yeah. You’ve done your homework, David. Exactly. So headline; let me just say is, we’ve gone from – because it is inflation adjusted – we’ve gone from a maximum penalty of 2.2 million. You heard me – 2.2 million…
DT: Cost of doing business!
AC: Overnight in December 2022, before Parliament finished, to the greater of $50 million or 30% of adjusted turnover. Effectively revenue, for the minimum of 12 months or the length of the breach. Now this is not a data breach, because you could have an incident, a cyber incident, a malicious actor, a data breach, where you’ve done everything according to the law. And that would not trigger these fines. It’s only where – whether it’s a data breach or some other reason, a complaint – you have breached or invaded someone’s privacy. And effectively that means you’ve breached one of the APPs or the provisions of the Privacy Act. So in that circumstance we are now – and I’ve argued this a bit with colleagues over a few drinks, you know, because the GDPR fines can be very significant but on paper, and may not happen in practice – but that’s the largest privacy fine on the planet by a significant way. Now again, they don’t have to fine you $50 million or 30%. It’s “up to”. But obviously the more egregious, the more repetition there is, in breaches after being warned, the more likely you are. But the little hidden things in that law, not hidden, but we all got dazzled by the $50 million, is that there’s a few more powers for the Privacy Commissioner to investigate. They’ve always had reasonable powers to ask the company that’s had an allegation or a claim against it for information. Now they can go and ask your competitors. They can go and ask other companies, they can go elsewhere and find out more information. Plus my particular favourite – he says, being sarcastic – is there were a couple of avenues where they published their decisions and journos used to look at them and nerds like myself and my team obviously needed to keep up to date. But people weren’t sitting around the dining room table talking about the latest decision from the Privacy Commissioner. Now they’re not limited to that. They could go and brief the press. They could go and publish this on their website.
They could put it in the newspaper. Whether they will or not. But it gives them more powers to actually tell people what’s been going on. And the final one, probably the most cringeworthy for all companies, is; they can ask the company to do that. So that not even the Privacy Commissioner, they can say; “David Co., we want you to put on your website and maybe publish here and here what you’ve done, why you’ve been naughty, and how you’re fixing it. And throw in how fabulous we are as well.” I mean, I’ve just added that! But no, seriously, that’s the point. It’s that information gathering and information disclosure, and again, to other agencies as well, that means there’s truly nowhere to hide.
DT: We’ve talked about how quickly this area moves and where we think this area might go after the legislative review. We’ve talked about the employee records exemption, small business exemption, what might happen in terms of some of these ongoing purposes for collection of data. Just in the last week or so – at the time of recording anyway – we’ve seen the Attorney General kind of moot in some media articles the possibility of a tort of breach of privacy – which we referred to a bit earlier – possibly opening up the door to class actions in the future. And also something that exists in the EU, but not here presently. But that “right of erasure” or the “right to be forgotten”. We’ve been talking about these two concepts – tort of breach of privacy I think we were talking about when I was in law school, which is a while now. But they haven’t been part of the body of Australian law.
AC: No.
DT: Until potentially very soon. So let’s talk about both of these things. What are they, Alec? Let’s start with the right to be forgotten.
AC: Okay. So look, that’s a really interesting one. Now remember that I said there is the obligation on companies to not hold everything forever. So forget the right to be forgotten just for a second. There is that obligation to do that. And if that works well then I’d argue maybe the right to be forgotten isn’t that essential…
DT: … or exists in some form?
AC: Exactly. Exactly. In a sort of a way. And then the younger members of my team would say; “come on, that was pre-internet! Nowadays you need a positive right, to go in and say to someone I did stupid things at university. I’m sure you did”. And it got in the local paper, but no one knows.
DT: Which paper, Alec? So that I know for the show notes.
AC: No one finds that stuff. But, you know, when it’s on the internet it’s always there. It’s always searchable. So this concept grew up when they were looking at bringing in the GDPR, which is this concept that it’s unfair because the technology has changed. That old; “it will be forgotten in a year or two years” – doesn’t work anymore. So that’s the idea behind that right to be forgotten. And it did cause a lot of issues, because of course you’ve got to know where everything is for someone to be forgotten. And again, it is subject to legal obligations to retain the information, et cetera, et cetera. But it’s really designed at those sort of large internet search companies, social media, where it’s unfair for it to be there forever. And it never used to be in the local paper and everyone forgot about it after six or 12 months. So that’s not a bad thing. But I think that the problems from GDPR should be learned so that they should be very clear as to where it applies. Does it really apply everywhere? And obviously they’ve got to make it very clear that you don’t get a right to be forgotten if it’s your tax file number for paying tax or if it’s your mortgage details. So you know it’s got to be looked at and maybe it could be narrower in focus in terms of those things where it was originally intended in the GDPR, that idea that the collective memory should move on and people forget that you did really stupid things at university, et cetera. The second one…
DT: … tort of breach of privacy. Because there is presently no way for a private individual, or a company, to bring an action in the District or the Supreme Court, for example, seeking damages for a breach of the Privacy Act.
AC: No, there are a couple of alternatives, but because we are not plaintiff lawyers, I’m not going to tell you and tell everyone how to do it. There are a couple of little ways and we are helping companies to protect themselves against those sort of things, but they’ve not really been explored. But you’re absolutely right. You and I as individuals can’t go and take our bank or insurer directly to court at the moment for a breach of privacy because privacy is not a general right to privacy. It’s contained within the Privacy Act, which is a right to certain obligations that look like privacy for our information that’s being collected by an organisation or a federal government agency. So that’s the right, and that’s the four corners of it. So the tort of privacy is either going to be A; still within those four corners, but the right to have a direct action. Or as it implies, the tort more widely spoken about when you were in law school – and it’s been around for many years – is some conceptualisation of a more general right to privacy. And the tort would be for the interference of that. Look, I think that latter one is a bit too far to go until we have actually had a few more court cases. And then we have had a couple that have touched on this at times, that’s a big step, but some sort of direct action rather than a tort of privacy per se. And again in New South Wales for instance, and Victoria, you do have that right. If a government agency under the New South Wales privacy law does the wrong thing or under the Health Records Information Privacy Act, then you have a right to ask them for an internal review. And if you don’t like what their decision is, you can go off to NCAT – the New South Wales Civil and Administrative Appeals Tribunal. And you do have that right in some jurisdictions.
So I’m thinking that’s more likely, to be quite honest, rather than a whole scale tort of privacy, which I think would probably need a law reform commission report and a few more cases and a few more people. And again, the cases are only going to happen if someone has deep pockets and wants to challenge it.
DT: Absolutely. Having that discrete cause of action under a separate right to privacy rather than the already extant body of law that surrounds the statutory obligations we’ve been describing today, I think that would create a really confusing regulatory landscape for organisations that are collecting data. It’s likely to be within the four corners of the Privacy Act and a kind of private action available there. Don’t have to say if you don’t want to, Alec, but is that kind of workaround you’re describing there a bit of a tort of breach of statutory duty? Is that kind of…
AC: Yep. Yeah. Yep. No comment! No, no, look, in all seriousness, there are ways out there. But again, we are looking at it in terms of helping our clients defend themselves against that possibility. And again, to be honest, if they aren’t doing the right things and they are breaching those statutory duties, then they’re just opening themselves up for that. And the way that they can avoid that is to look back at their privacy obligations and tick that one off; “that’s not going to be something that causes that breach of statutory duties”.
DT: Now I’ve been thinking about something you said earlier in the episode and it’s really been occupying my mind and it’s about implementation. That we have these obligations. We have a pretty robust privacy regime in Australia, but it’s the implementation of that regime that’s the real issue. And implementation is as much about compliance as it is about culture. And culture starts at the top with senior managers and boards. So tell me, as someone who’s probably speaking to senior managers and boards about their implementation of privacy compliance all the time, has the last 12 months of privacy and data breaches, news, amendments to legislation affected the culture on boards, affected the culture in organisations? Are organisations thinking differently about these obligations?
AC: That’s a good one. It’s too soon to say that it’s a permanent change to culture but it has frightened a lot of companies. Seeing companies named in Parliament and some really negative stuff. Seeing front page of the newspaper and seeing them in TV news reports for weeks on end. It does stir people to think about; “what are we doing?”. So we have seen a significant increase in interest from boards and the C level to understand – again, because they should have already – what their companies are doing in terms of privacy. And in particular the issues that have come out about, for example, you mentioned how much data is being held and the uses we use it for and all that sort of stuff. So, hard to say that it’s been a cultural shift at the moment, but it certainly is more talked about. So if I could phrase it this way, rather than the 15th page of the CEO’s to-do list – it’s probably not at the top – but it’s now got to the first page, at least certain issues under it. And I think it’s important to understand that those are the issues that have come out of this. But privacy law has a lot more issues and there are a lot more failures in other areas. So we’ve always suggested when clients talk to us; “do you actually know?”. And if they don’t know, if a board doesn’t know, or the C level don’t know what’s happening in terms of privacy compliance and cyber security compliance, do a review. Get that line in the sand; “what do we do right?”. You get an expert in, you talk about what the business does, you look at what their policies are, you look at the implementation in practice, because sometimes you can have fantastic policies and no implementation in a business.
DT: That’s true.
AC: Other times the policies are horrific. And we go; “oh my goodness”. And we start talking to stakeholders. And they’re doing it. Despite the crappy policies, they’re actually doing what they need to do because they’ve all come from other businesses that had better policies or what have you. So then it’s a matter of just backfilling and making sure the policies reflect and picking up any areas that aren’t covered by actual practice. But once you know that and you get suggestions as to where the areas of uplift are, and hopefully if your expert’s any good, they should also be telling you; “here’s some suggestions in your circumstance, the way we think you could best fix this for the minimum effort and the minimum disruption”. And then from there the boards have to build in, or the C level reporting to the board have to then build in, the ongoing sort of overview of this; “So what processes do we have for new projects? What do we consider? We’ve got to have someone in there thinking about privacy from the beginning. We’ve got to have a process – talking about minimisation – that asks that other question. Okay. We’ve ticked it all off. It’s a new business, it’s new PI, it’s a change process. Different PI and everything else looks fine. But is there another way? Do we really need personal information? It’s easier. Sure. But do we really need it? And if we do need it, is what we are doing perfect? It’s probably easiest; could we do it a different way which is more privacy compliant or less privacy invasive, et cetera”. I’ll give you an example. This ID thing, it just drives me insane. Even the laws that require a company to establish the identity of its clients or its customers. Not all of them, but most of them don’t say; “and take a copy of a driver’s licence”. Or they don’t say; “write down a driver’s licence number”. They say; “you must establish that you are dealing with David”.
So when you think about that, and we’ve helped a lot of clients through this through COVID, where they of course wanted to know immunisation status and all sorts of things. So you can work a process a little bit trickier, a little bit more costly, but where someone sights David’s ID, has a look at it, looks at the photo on the driver’s licence, looks at David, says; “yes, that’s David”. And then in the system notes that Alec has sighted David’s ID. It was a driver’s licence; tick. And off you go, hands back your driver’s licence, no record of number. And again, if the law doesn’t expressly require you to do it, then arguably the privacy law says you should not be collecting that information because there is another way of doing it.
DT: What we’re describing here is kind of what you’ve been referring to throughout the episode as minimisation. And a term that we heard a lot in the last 12 months was the principle of least data.
AC: Yes.
DT: At least I heard it a lot more in the last 12 months than I did in the 12 months before that. What is the principle of least data?
AC: 56:00 Yeah. We often refer to it in Australia as data minimisation. It’s got various guises and it’s the concept I just mentioned around the ID. Our law, our APPs actually state that you can only collect information that’s reasonably necessary for the activity that you do. But that’s not the whole thing. Minimisation means that you actively – and there are cool names like privacy by design and privacy by default, but I won’t bore the listeners with that – what it means is you’ve actively got to look at, is there another way of doing this? Do we really need the PI? Do we need all of the PI we’re collecting? Is there a better way? And the principle should be that you should always be driven as a business – and this is going to sound really counterintuitive – to collect the least amount of personal and sensitive information that you possibly can to do the function. And that doesn’t mean; “oh, it’s cheaper. Oh, it’s easier”. It means; “no, no, think it through, what could you do differently?”. And I gave the example of the ID checking for instance. And that runs across a whole gamut of things. So we don’t have that emblazoned in the privacy principles, but it’s no doubt underpinning it, it’s in all of the decisions of the Privacy Commissioner on topic. It’s in all of the guidance of the Privacy Commissioner and it’s a sort of an understood corner principle. But talking about the AG’s review, again, nerds like myself and my team get that and our clients get it, because we explain it to them. But if that’s an area that’s not really getting cut through then obviously you’ll see that, along with the purposes for collection. This idea of reasonably necessary for your functions, you’re going to see these actually coalesce together. And I think you might get more prescriptive rules rather than guidance from the Commissioner. So it’ll be in the law in regulations.
DT: 58:00 And again, this principle of least data or minimisation or privacy by design or privacy by default, even if you’re not doing this out of the goodness of your heart or your love for your customer, it’s in the interest of the organisation. There’s infrastructure costs. You’re mitigating the risk of a data breach. There are many good reasons why this might be a good investment to make.
AC: 59:00 Yeah, absolutely. And look, again, there are some businesses that are focused on data. Purely, that’s their job. They’re data analytics companies. Again, you can help those people get more privacy compliant, but your everyday data is important and I’m not denying that. And there are ways of actually maximising how you use data through compliance. You can actually get more benefits out of your data and that’s another for another day perhaps. But you’re absolutely right, by minimising the data, you are minimising not just your ongoing costs but the risks of a $50 million fine. The risks of damages on a class complaint or if it turns out to be a direct action in the future after the AG’s review. So there’s a lot of positives in doing it. And it goes hand in glove with that deletion principle and that only collect what’s reasonably necessary to do your business. And I think that’s been lost in the wash, but it’s there in the law. But maybe the AG’s review will tweak it to help us to say; “look people, this is what you must do”. And of course the problem with that is there’s always a complaint about the privacy law that they’re pre-internet. Sorry because of your intro! But; “it’s pre-internet. It predates this. It predates that”. But the whole purpose was – and I’ve got to be honest, it’s a masterful bit of drafting the principles, because they’re so vague that they can fit any technology that ever comes along. Almost. I do think it needs a review – you mentioned the AG’s review came out of the Commissioner’s report, but it also came out because it’s due. And again, you don’t want to be so technology specific that in five years it’s totally redundant. But the problem with making it fit ongoing technology improvements and innovations is, I admit, there is a bit of vagueness there. But again, I would say, look at the commentary, look at the decisions. Look at the guidance and you get a better handle.
But when you first read it off the page, you can be forgiven for saying; “what the hell do reasonable steps mean? What do I have to do there?”. So again, I get that, but it is something that we don’t want to make too tech specific, because we all know that in – I’ve said five, probably three years – it’ll be out of date.
DT: Absolutely. Look, we’re nearly out of time, Alec, but before we go, if one of our listeners is just starting to provide advice in this area – maybe a journeyman privacy and data lawyer – coming from the master, what’s one thing you’d like them to take away from this episode?
AC: 1:01:00 Okay. We all start as journeymen or journeywomen. You got to start somewhere. Look, I love this area. My team love this area; at least that’s what they tell me! And their performance says that they do as well. It’s a continually evolving and changing area, so it’s not set and forget. So I love that because it’s continually challenging me. You said you’ve got to keep up to date and you do. You’ve got to keep up to date with regulation, decisions. You’ve got to keep up to date with the technology and how that’s evolving. You’ve just got to understand that it’s not black letter. Yes, there is law and we do at the base start from looking at what the law says, but as I’ve said, the APPs are often very vague. So you’ve got to understand the wider way that is implemented. And, you’ve got to look at the law in terms of a wider commercial context. You need to get experience. I know, starting out you say; “hang on, catch 22!”. You need to join a team that does this sort of work and a lot of it, and get the experience and build it up. Because 60% of what we do at the end is interpreting, applying, using past experience to mold, to never say no – except in one or two rare cases – to find a solution. That’s what you do here. And so it’s a combination of an educative role, a consultative role, a solutions role, as well as that underlying legal basis that I think quite frankly is very necessary. But I’d say stay up to date with the regs, stay on top of the tech and the information changes. And look, the last thing is, we are a small little community. It’s not just lawyers, it’s consultants, it’s people doing it in-house. We’re still a pretty small community in Australia. Reach out. They’re a wonderful bunch. We are friendly, we are collaborative. And that’s where you pick up a lot of the experiences as well.
Even if we haven’t worked on a matter, talking to people generically about the issues they’re facing and what some of our clients have faced adds to the general overall understanding and knowledge. It’s a really nice little group because we do get a bit nerdy, I admit, but it’s usually over a lot of drinks.
DT: And before we go; what were those “three cannots” again? I think those are a great one to leave our listeners with.
AC: Okay. You cannot collect any personal information you want. You cannot use it for whatever you want. And you cannot keep it forever.
DT: There we go. Who needs the APPs?
AC: There’s a lot of nuance in that, David!
DT: … we’ve got three cannots!
AC: 1:03:00 No, but that’s where you start. But there’s a lot of nuance, a lot of guidance, et cetera but that is a pretty good overview. I hate to be negative, but that is what I’ve found works with clients.
DT: No, I think so too. Alec, thank you so much for joining me on Hearsay the Legal Podcast!
AC: Pleasure.
Ross Davis: 1:04:00 As always, you’ve been listening to Hearsay the Legal Podcast. I’d like to thank our guest Alec Christie from Clyde & Co for coming on the show.

As you well know, if you’re an Australian legal practitioner, you can claim one Continuing Professional Development point for listening to this episode. Whether an activity entitles you to claim a CPD unit is self-assessed, but we suggest this episode entitles you to claim a substantive law. More information on claiming and tracking your points on Hearsay can be found on our website.

Hearsay the Legal Podcast is, as always, brought to you by Lext Australia, a legal innovation company that makes the law easier to access and easier to practice, and that includes your CPD.

Finally, before you go, I’d like to ask you a favour. If you like this episode and the other episodes that you’ve listened to, please leave us a Google Review. It helps other listeners find us and that means that we can keep making the great content that you love. Thanks for listening and we’ll see you on the next episode of Hearsay.