Privacy Act

Published 7 May 2024
Read the keynote address prepared for delivery by Privacy Commissioner Carly Kind for the Office of the Information Commissioner Queensland Privacy Awareness Week launch event on Tuesday 7 May 2024.

Introduction

• This shaped fundamentally how I came to understand abuses of state power and the importance of human rights law.
• Over time, I came to understand that the right to privacy is a key means by which power is mediated, limited and expressed.
• Infringements into privacy were one way in which power was exercised over individual journalists, activists and advocates.

Privacy is about power

• Notions of power cut in every direction in the digital ecosystem – the power wielded by tech monopolies and duopolies; the power concealed in political microtargeting and misinformation campaigns; the lack of power and agency consumers feel when they’re using digital technologies.
• The result is that today we see increasingly high levels of interest in and value placed on personal and data privacy.
• ‘You have zero privacy anyway’, said Scott McNeally, ‘Get over it.’ In the same year, Pew Research surveys showed that only 16% of online users were worried about privacy.
• If we compare that to today, a study also by Pew Research shows much, much higher levels both of privacy literacy and privacy concerns.
• Of course, there is even now draft privacy legislation under contemplation in the US, a jurisdiction historically adverse to federal privacy legislation, and it seems possible that the country will enact a privacy law before the end of the year.

Privacy Awareness Week

• It is against this backdrop, then, that we celebrate Privacy Awareness Week.
• This year, awareness of privacy is higher than ever before, arguably.
• We would also like to see government power up privacy Australia-wide by introducing the reforms to the Privacy Act that are so overdue.

Law reform

• It is an especially ideal time for businesses and government agencies covered by the Commonwealth Privacy Act and Queensland public sector agencies to power up existing privacy practices and culture, in advance of privacy law reform.
• The Australian Government responded in September, agreeing or agreeing in principle to all but 10 of the 116 proposals for reform.
• The federal Attorney-General shared last week that at the request of the Prime Minister, he will bring forward legislation in August to overhaul the Privacy Act.
• We see the positive obligation that personal information handling is fair and reasonable as a new keystone of the Australian privacy framework.

Privacy and technology

• In that role, I thought a lot about the role of data privacy regulation and regulators in grappling with new and emerging technologies, particularly AI.
• Online privacy and high privacy impact technologies, including practices involving the use of generative AI, facial recognition and the use of other biometric information, are also high on our regulatory priorities.
• The OAIC also has ongoing investigations into the use of facial recognition technology by Bunnings Group Limited and Kmart Australia Limited.
• We’ve also begun scoping what other new and emerging technologies might create privacy risks and harms that warrant our intervention.
• These all go to accountability – and there’s good reason to do them and show privacy leadership.

Data breaches and security

• Since the Commonwealth’s Notifiable Data Breaches scheme began in 2018, the OAIC has been notified of around 5,800 data breaches.
• There are high levels of public concern about data security as a result of the number and scale of recent breaches, and a strong appetite in the community for organisations and agencies to be held accountable.
• Mandatory reporting of breaches strengthens the protections afforded to everyone’s personal information and improves accountability and transparency in the way organisations respond to serious data breaches.
• Around 40% of data breaches notified to the OAIC have been the result of cyber security incidents.

Conclusion

Published 22 May 2024
Read the keynote address prepared for delivery by Privacy Commissioner Carly Kind for the Biometrics Institute Asia-Pacific Conference on Wednesday 22 May 2024.

Introduction

• I have known the Biometrics Institute for some time, and appreciate the invitation to speak.
• I have seen first-hand how biometrics registration and identity systems can be used to great effect, for example, to assist in the registration of refugees who have had to flee their homes without paper identity documents.

The risks of biometrics

• However, I have also observed the range of risks and harms that can happen in the context of the use of biometrics systems, and heard first-hand from the public their concerns in this regard.
• Prior to taking on the role of Privacy Commissioner, I was the director of the Ada Lovelace Institute, and we undertook a large-scale public deliberation on biometrics technologies.
• Because, as we all know, there is something different about biometrics.

Intersection with the Privacy Act

• In Australia, we have an emerging picture of how biometric technologies can be used consistently with the Privacy Act.
• Facial recognition technologies and other automatic biometric identification technologies should only be used when it is reasonably necessary for, and the risks to privacy are proportional to, the functions or activity.
• The OAIC found that Clearview AI breached Australians’ privacy by scraping their biometric information from the web and disclosing it through a facial recognition tool.
• The Australian Information Commissioner determined that the Australian Federal Police (AFP) failed to comply with its privacy obligations in using the Clearview AI facial recognition tool.
• Commissioner Falk found the AFP failed to complete a privacy impact assessment before using the tool, in breach of the Australian Government Agencies Privacy Code, which requires a privacy impact assessment for all high privacy risk projects.

Looking ahead – Privacy Act reforms

• The federal Attorney-General shared earlier this month that at the request of the Prime Minister, he will bring forward legislation in August to overhaul the Privacy Act.
• Privacy law reform will up the standards for consent, bring into scope a larger subset of the Australian economy, and expands the powers of the OAIC to enforce privacy law.
• Also of note for the biometrics sector are reforms around consent management and data deletion and retention.

Privacy at the forefront of Digital ID scheme

• While we wait for Privacy Act reforms, we will begin applying higher legislated standard to biometric information immediately, with the passage of the Digital ID Bill last week
  The OAIC will be the privacy regulator for the Digital ID scheme and will use a range of regulatory powers to ensure that individuals’ privacy is protected when using the system.
• The ‘additional privacy safeguards’ in the Digital ID legislation will operate in addition to the general protections under the Privacy Act (or equivalent state or territory privacy legislation).
• The OAIC’s regulatory role under the Digital ID legislation will include oversight of breaches of the additional privacy safeguards by all accredited entities, including state and territory agencies.

Conclusion

• As of year-end 2023, PowerSchool reported $697.7 million and $231.9 million of revenues and Adjusted EBITDA, respectively.
• The concerns we outline in our report include:
  We believe K-12 school districts across the U.S. are staring down an impending fiscal cliff.
• We believe this will significantly pressure contract renewals for K-12 vendors such as PowerSchool.
• As a reminder, our full report, along with its investment disclaimers, can be downloaded and viewed at www.SprucePointCap.com .